
HWTACACS Configuration Guide


Issue 01
Date 2019-06-29

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2019. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 01 (2019-06-29) Copyright © Huawei Technologies Co., Ltd. i


HWTACACS Configuration Guide
HWTACACS Configuration Guide Contents

Contents

1 HWTACACS AAA
1.1 Overview of HWTACACS
1.2 HWTACACS Packets
1.3 HWTACACS Authentication, Authorization, and Accounting Process
1.4 HWTACACS Attributes

2 Using HWTACACS to Perform Authentication, Authorization, and Accounting
2.1 Configuring an HWTACACS Server
2.2 Configuring AAA Schemes
2.3 Configuring an HWTACACS Server Template
2.4 (Optional) Configuring a Service Scheme
2.5 Applying AAA Schemes to a Domain
2.6 Verifying the HWTACACS AAA Configuration


1 HWTACACS AAA

1.1 Overview of HWTACACS
1.2 HWTACACS Packets
1.3 HWTACACS Authentication, Authorization, and Accounting Process
1.4 HWTACACS Attributes

1.1 Overview of HWTACACS

HWTACACS is a protocol that serves as an enhancement to TACACS (RFC 1492). HWTACACS is used to perform authentication, authorization, and accounting for users accessing the Internet through Point-to-Point Protocol (PPP) or Virtual Private Dial-up Network (VPDN) and for management users.

Both HWTACACS and RADIUS can implement authentication, authorization, and accounting. They share the following characteristics:

l Client/server model
l Shared key used to encrypt user information
l Good flexibility and extensibility

HWTACACS is more reliable in transmission and encryption than RADIUS and is more suitable for security control. Table 1-1 lists the differences between HWTACACS and RADIUS.

Table 1-1 Comparisons between HWTACACS and RADIUS

Data transmission
  HWTACACS: Uses TCP, which is more reliable.
  RADIUS: Uses UDP, which is more efficient.

Encryption
  HWTACACS: Encrypts the entire packet body; only the standard HWTACACS header is sent in the clear.
  RADIUS: Encrypts only the password field in the packet.

Authentication and authorization
  HWTACACS: Separates authentication from authorization so that they can be implemented on different security servers.
  RADIUS: Combines authentication and authorization.

Command line authorization
  HWTACACS: Supported. Command line use is restricted by both the command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server.
  RADIUS: Not supported. The commands that a user can use depend on their user level. A user can only use the commands of the same level as or a lower level than their user level.

Application
  HWTACACS: Security control.
  RADIUS: Accounting.

1.2 HWTACACS Packets


Unlike RADIUS packets, which all use the same format, HWTACACS packets (including
HWTACACS Authentication Packet Format, HWTACACS Authorization Packet
Format, and HWTACACS Accounting Packet Format) use different formats. Despite this,
HWTACACS packets all share the same HWTACACS Packet Header.

HWTACACS Packet Header

The length of the HWTACACS packet header is 12 bytes, as shown in Figure 1-1.

Figure 1-1 HWTACACS packet header

Table 1-2 Fields in HWTACACS packet header

Field Description
major version Major version of the HWTACACS protocol. The current version is 0xc.
minor version Minor version of the HWTACACS protocol. The current version is 0x0.
type HWTACACS protocol packet type, including authentication (0x01), authorization (0x02), and accounting (0x03).
seq_no Packet sequence number in a session, ranging from 1 to 254.
flags Encryption flag of the packet body. This field contains 8 bits, of which only the least significant bit (0x01) is used. The value 0 indicates that the packet body is encrypted, and the value 1 indicates that the packet body is not encrypted. A body sent with the value 1 carries user names and passwords in the clear, so this value should only ever appear in a debugging lab.
session_id Session ID, which is the unique identifier of a session.
length Length of the HWTACACS packet body, excluding the packet header.
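The header and body encryption described above, as an added example in Python (not code from the guide or from Huawei): it packs and parses the 12-byte header of Table 1-2 and applies the shared-key body encryption. The encryption algorithm is assumed to be the TACACS+ one (RFC 8907 section 4.5, an MD5-derived keystream XORed with the body), because the guide states that HWTACACS is TACACS+-compatible but does not spell the algorithm out; all function names here are this example's own.

```python
import hashlib
import struct

# Added example, not code from the Huawei guide. Packs and parses the 12-byte
# header of Table 1-2 and applies the shared-key body encryption.
# ASSUMPTION: the body encryption is the TACACS+ one (RFC 8907 section 4.5):
# an MD5 keystream over session_id, key, version and seq_no XORed with the
# body. The guide says HWTACACS is TACACS+-compatible but does not state this.

HEADER_FMT = "!BBBBII"          # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes

MAJOR_VERSION, MINOR_VERSION = 0xC, 0x0
VERSION = (MAJOR_VERSION << 4) | MINOR_VERSION   # 0xC0 on the wire
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 0x01, 0x02, 0x03
FLAG_UNENCRYPTED = 0x01         # least significant flag bit: 1 = body in clear


def pack_header(pkt_type, seq_no, session_id, body_len, unencrypted=False):
    """Build the fixed header; length counts the body only."""
    if pkt_type not in (TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT):
        raise ValueError("unknown packet type")
    if not 1 <= seq_no <= 254:
        raise ValueError("seq_no must be in 1..254")
    flags = FLAG_UNENCRYPTED if unencrypted else 0
    return struct.pack(HEADER_FMT, VERSION, pkt_type, seq_no, flags,
                       session_id, body_len)


def unpack_header(raw):
    """Split the header into its fields; rejects short input and bad versions."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short header")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, raw[:HEADER_LEN])
    if version >> 4 != MAJOR_VERSION:
        raise ValueError("unsupported major version 0x%x" % (version >> 4))
    return {"version": version, "type": pkt_type, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def keystream(session_id, key, seq_no, length, version=VERSION):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n appends MD5_{n-1}."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, seq_no):
    """Encryption and decryption are the same XOR with the keystream."""
    pad = keystream(session_id, key, seq_no, len(body))
    return bytes(b ^ k for b, k in zip(body, pad))


def build_packet(pkt_type, seq_no, session_id, body, key):
    """Header in the clear, body XORed with the shared-key keystream."""
    header = pack_header(pkt_type, seq_no, session_id, len(body))
    return header + xor_body(body, session_id, key, seq_no)


def parse_packet(raw, key, allow_clear=False):
    """Return (header fields, plaintext body).

    The body length is checked against the header before any keystream is
    applied, and a packet whose flags claim an unencrypted body is refused
    while a shared key is configured unless allow_clear is set explicitly."""
    hdr = unpack_header(raw)
    body = raw[HEADER_LEN:]
    if len(body) != hdr["length"]:
        raise ValueError("body length %d does not match header length %d"
                         % (len(body), hdr["length"]))
    if hdr["flags"] & FLAG_UNENCRYPTED:
        if not allow_clear:
            raise ValueError("cleartext body refused while a shared key is configured")
        return hdr, body
    return hdr, xor_body(body, hdr["session_id"], key, hdr["seq_no"])
```

The body protection is a key-dependent XOR with no integrity check: it does not detect tampering, and anyone holding the shared key can read every user name, password and command in the session. The strength of the shared key and the isolation of the path between device and server are therefore what actually protect the exchange.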

HWTACACS Authentication Packet Format


There are three types of HWTACACS authentication packets:
l Authentication Start: When an authentication starts, the client sends this packet carrying
the authentication type, user name, and authentication data to the server.
l Authentication Continue: When receiving the Authentication Reply packet from the
server, the client returns this packet if the authentication process has not ended.
l Authentication Reply: When the server receives the Authentication Start or
Authentication Continue packet from the client, the server sends this packet to the client
to notify the client of the current authentication status.
HWTACACS Authentication Start packets.


Figure 1-2 HWTACACS Authentication Start packet format

Table 1-3 Fields in HWTACACS Authentication Start packet

Field Description
action Authentication action. Only the login authentication (0x01) action is supported.
priv_lvl User privilege level.
authen_type Authentication type, including:
l CHAP (0x03)
l PAP (0x02)
l ASCII (0x01)
service Type of the service requesting authentication, which varies depending on the user type:
l PPP users: PPP (0x03)
l Administrators: LOGIN (0x01)
l Other users: NONE (0x00)
user len Length of the user name entered by a login user.
port len Length of the port field.
rem_addr len Length of the rem_addr field.
data len Authentication data length.
user Name of the user requesting authentication. The maximum length is 129.
port Name of the user interface requesting authentication. The maximum length is 47.
l For management users, this field indicates the user terminal interface, such as console0 and vty1. For example, the authen_type of Telnet users is ASCII, service is LOGIN, and port is vtyx.
l For other users, this field indicates the user access interface.
rem_addr IP address of the login user.
data Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is the PAP plain-text password, which is protected on the wire only by the packet body encryption.

HWTACACS Authentication Continue packets.

Figure 1-3 HWTACACS Authentication Continue packet format

Table 1-4 Fields in HWTACACS Authentication Continue packet

Field Description
user_msg len Length of the character string entered by a login user.
data len Authentication data length.
flags Authentication continue flag.
l 0: The authentication continues.
l 1: The client has ended (aborted) the authentication.
user_msg Character string entered by the login user. This field carries the user name or password that answers the server_msg prompt in the preceding Authentication Reply packet.
data Authentication data. Different data is encapsulated depending on the values of action and authen_type. For example, when PAP authentication is used, the value of this field is the PAP plain-text password.


HWTACACS Authentication Reply packets.

Figure 1-4 HWTACACS Authentication Reply packet format

Table 1-5 Fields in HWTACACS Authentication Reply packet

Field Description
status Authentication status, including:
l PASS (0x01): Authentication is successful.
l FAIL (0x02): Authentication fails.
l GETDATA (0x03): Request user information.
l GETUSER (0x04): Request user name.
l GETPASS (0x05): Request password.
l RESTART (0x06): Request reauthentication.
l ERROR (0x07): The authentication packets received by the server have errors.
l FOLLOW (0x21): The server redirects the client to another authentication server.
flags Indicates whether the client echoes the characters entered by the user. The value 1 indicates that the client must not display the input in plain text (used when the server requests a password).
server_msg len Length of the server_msg field.
data len Authentication data length.
server_msg Optional field. This field is sent by the server to the user to provide additional information, such as a prompt.
data Authentication data, providing information to the client.

HWTACACS Authorization Packet Format


There are two types of HWTACACS authorization packets:
l Authorization Request: HWTACACS separates authentication from authorization.
Therefore, a user can be authenticated by HWTACACS, and authorized using another
protocol. If a user is authorized by HWTACACS, the client sends an Authorization
Request packet carrying authorization information to the server.

l Authorization Response: After receiving the Authorization Request packet, the server sends this packet carrying the authorization result to the client.
HWTACACS Authorization Request packets.

Figure 1-5 HWTACACS Authorization Request packet format

NOTE

The meanings of the following fields in the Authorization Request packet are the same as those in the Authentication Start packet, and are therefore not described here: priv_lvl, authen_type, authen_service, user len, port len, rem_addr len, port, and rem_addr.

Table 1-6 Fields in HWTACACS Authorization Request packet

Field Description
authen_method Authentication method, including:
l No authentication method configured (0x00)
l None authentication (0x01)
l Local authentication (0x05)
l HWTACACS authentication (0x06)
l RADIUS authentication (0x10)
authen_service Type of the service requesting authentication, which varies depending on the user type:
l PPP users: PPP (0x03)
l Administrators: LOGIN (0x01)
l Other users: NONE (0x00)
arg_cnt Number of attributes carried in the Authorization Request packet.
argN Attribute of the Authorization Request packet.

HWTACACS Authorization Response packets.

Figure 1-6 HWTACACS Authorization Response packet format

NOTE

The meanings of the following fields are the same as those in the HWTACACS Authentication Reply packet, and are therefore not described here: server_msg len, data len, and server_msg.

Table 1-7 Fields in HWTACACS Authorization Response packet

Field Description
status Authorization status, including:
l Authorization is successful; the attributes in the Authorization Request packet are used, plus any attributes returned by the server (0x01)
l Authorization is successful; the attributes returned by the server replace those in the Authorization Request packet (0x02)
l Authorization fails (0x10)
l An error occurs on the authorization server (0x11)
l An authorization server is respecified (0x21)
arg_cnt Number of attributes carried in the Authorization Response packet.
argN Authorization attribute delivered by the HWTACACS authorization server.

HWTACACS Accounting Packet Format

There are two types of HWTACACS accounting packets:
l Accounting Request: Sent by the client to report an accounting start, stop, or interim record. Its layout matches the Authorization Request packet, with the accounting information carried in the attributes.
l Accounting Response: After receiving and recording an Accounting Request packet, the server returns this packet.
HWTACACS Accounting Request packets.

Figure 1-7 HWTACACS Accounting Request packet format

NOTE

The meanings of the following fields in the Accounting Request packet are the same as those in the Authorization Request packet, and are therefore not described here: authen_method, priv_lvl, authen_type, user len, port len, rem_addr len, port, and rem_addr.

Table 1-8 Fields in HWTACACS Accounting Request packet

Field Description
flags Accounting type:
l Start accounting (0x02)
l Stop accounting (0x04)
l Interim accounting (0x08)
authen_service Type of the service requesting authentication, which varies depending on the user type:
l PPP users: PPP (0x03)
l Administrators: LOGIN (0x01)
l Other users: NONE (0x00)
arg_cnt Number of attributes carried in the Accounting Request packet.
argN Attribute of the Accounting Request packet.

HWTACACS Accounting Response packets.

Figure 1-8 HWTACACS Accounting Response packet format

Table 1-9 Fields in HWTACACS Accounting Response packet

Field Description
server_msg len Length of the server_msg field.
data len Length of the data field.
status Accounting status:
l Accounting is successful (0x01)
l Accounting fails (0x02)
l No response (0x03)
l The server requests reaccounting (0x21)
server_msg Information sent by the accounting server to the client.
data Information sent by the accounting server to the administrator.

1.3 HWTACACS Authentication, Authorization, and Accounting Process

This section describes how HWTACACS performs authentication, authorization, and accounting for Telnet users. Figure 1-9 shows the message exchange process.


Figure 1-9 HWTACACS message interaction

The following describes the HWTACACS message exchange process shown in Figure 1-9:

1. A Telnet user sends a login request.
2. After receiving the request, the HWTACACS client (the device) sends an Authentication Start packet to the HWTACACS server.
3. The HWTACACS server sends an Authentication Reply packet (status GETUSER) to request the user name.
4. After receiving the Authentication Reply packet, the HWTACACS client prompts the user for the user name.
5. The user enters the user name.
6. The HWTACACS client sends an Authentication Continue packet containing the user name to the HWTACACS server.
7. The HWTACACS server sends an Authentication Reply packet (status GETPASS) to request the password.
8. After receiving the Authentication Reply packet, the HWTACACS client prompts the user for the password.
9. The user enters the password.
10. The HWTACACS client sends an Authentication Continue packet containing the password to the HWTACACS server.
11. The HWTACACS server sends an Authentication Reply packet (status PASS), indicating that the user has been authenticated.
12. The HWTACACS client sends an Authorization Request packet to the HWTACACS server.
13. The HWTACACS server sends an Authorization Response packet, indicating that the user has been authorized.
14. The HWTACACS client receives the Authorization Response packet and presents the command-line interface to the user.
15. The HWTACACS client sends an Accounting Request (start) packet to the HWTACACS server.
16. The HWTACACS server sends an Accounting Response packet.
17. The user requests to go offline.
18. The HWTACACS client sends an Accounting Request (stop) packet to the HWTACACS server.
19. The HWTACACS server sends an Accounting Response packet.

NOTE

HWTACACS and the TACACS+ protocol of other vendors can both implement authentication, authorization, and accounting. HWTACACS is compatible with TACACS+ implementations of other vendors because the authentication procedure and packet implementation are the same.
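The Telnet exchange of steps 1 to 19, as an added example in Python (not code from the guide or from Huawei): it encodes the Authentication Start, Continue and Reply bodies of Tables 1-3 to 1-5 and runs the user-name and password round trips against a toy server, so both sides of the conversation are visible. The packet header and body encryption are left out. The field layout is assumed to follow TACACS+ (RFC 8907 section 5), which the guide says HWTACACS matches; the AsciiLoginServer class, the run_login function and the USERS table are this example's own, and the credentials in USERS are constructed for the demo.

```python
import hmac
import struct

# Added example, not code from the Huawei guide. Encodes the Authentication
# Start / Continue / Reply bodies (Tables 1-3 to 1-5) and drives the Telnet
# login exchange of Figure 1-9 against a toy server. Header and body
# encryption are omitted. ASSUMPTION: field order and sizes are those of
# TACACS+ (RFC 8907 section 5), which the guide says HWTACACS matches.

ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII, AUTHEN_TYPE_PAP, AUTHEN_TYPE_CHAP = 0x01, 0x02, 0x03
SERVICE_LOGIN = 0x01
PASS, FAIL, GETDATA, GETUSER, GETPASS, RESTART, ERROR, FOLLOW = (
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x21)
STATUS_NAME = {PASS: "PASS", FAIL: "FAIL", GETDATA: "GETDATA", GETUSER: "GETUSER",
               GETPASS: "GETPASS", RESTART: "RESTART", ERROR: "ERROR", FOLLOW: "FOLLOW"}
REPLY_FLAG_NOECHO = 0x01      # Table 1-5: client must not echo the user's input
CONTINUE_FLAG_ABORT = 0x01    # Table 1-4: client has ended the authentication


def pack_start(user=b"", port=b"vty1", rem_addr=b"", data=b"", priv_lvl=1,
               authen_type=AUTHEN_TYPE_ASCII, service=SERVICE_LOGIN):
    """Start body: 8 one-byte fields, then user, port, rem_addr, data."""
    for name, value in (("user", user), ("port", port), ("rem_addr", rem_addr), ("data", data)):
        if len(value) > 255:
            raise ValueError(name + " exceeds its one-byte length field")
    return struct.pack("!8B", ACTION_LOGIN, priv_lvl, authen_type, service, len(user),
                       len(port), len(rem_addr), len(data)) + user + port + rem_addr + data


def unpack_start(body):
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ul + pl + rl + dl:
        raise ValueError("Start body length mismatch")
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": fields[0], "port": fields[1],
            "rem_addr": fields[2], "data": fields[3]}


def pack_continue(user_msg, data=b"", flags=0):
    """Continue body: two-byte user_msg len and data len, one-byte flags."""
    return struct.pack("!HHB", len(user_msg), len(data), flags) + user_msg + data


def unpack_continue(body):
    ul, dl, flags = struct.unpack("!HHB", body[:5])
    if len(body) != 5 + ul + dl:
        raise ValueError("Continue body length mismatch")
    return {"flags": flags, "user_msg": body[5:5 + ul], "data": body[5 + ul:]}


def pack_reply(status, server_msg=b"", data=b"", flags=0):
    """Reply body: status, flags, two-byte server_msg len and data len."""
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data


def unpack_reply(body):
    status, flags, sl, dl = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + sl + dl:
        raise ValueError("Reply body length mismatch")
    return {"status": status, "flags": flags, "server_msg": body[6:6 + sl], "data": body[6 + sl:]}


USERS = {b"admin": b"correct-horse-battery"}   # constructed demo credentials


class AsciiLoginServer:
    """Server side of Figure 1-9: GETUSER, then GETPASS, then PASS or FAIL."""

    def __init__(self):
        self.user, self.state = None, "start"

    def handle(self, body):
        if self.state == "start":
            start = unpack_start(body)
            if start["action"] != ACTION_LOGIN or start["authen_type"] != AUTHEN_TYPE_ASCII:
                self.state = "done"
                return pack_reply(ERROR, b"unsupported authentication request")
            if start["user"]:                     # name already in the Start packet
                self.user, self.state = start["user"], "need_pass"
                return pack_reply(GETPASS, b"Password: ", flags=REPLY_FLAG_NOECHO)
            self.state = "need_user"
            return pack_reply(GETUSER, b"Username: ")
        cont = unpack_continue(body)
        if cont["flags"] & CONTINUE_FLAG_ABORT or self.state == "done":
            self.state = "done"
            return pack_reply(FAIL, b"session ended")
        if self.state == "need_user":
            self.user, self.state = cont["user_msg"], "need_pass"
            return pack_reply(GETPASS, b"Password: ", flags=REPLY_FLAG_NOECHO)
        self.state = "done"
        expected = USERS.get(self.user)
        # constant-time compare; an unknown user gets the same FAIL as a bad password
        if expected is not None and hmac.compare_digest(expected, cont["user_msg"]):
            return pack_reply(PASS)
        return pack_reply(FAIL, b"Login incorrect")


def run_login(username, password, port=b"vty1"):
    """Client side: returns the reply statuses seen and whether the password
    prompt carried the no-echo flag."""
    server = AsciiLoginServer()
    reply = unpack_reply(server.handle(pack_start(port=port)))
    statuses, noecho = [STATUS_NAME[reply["status"]]], False
    while reply["status"] in (GETUSER, GETPASS, GETDATA):
        if reply["status"] == GETPASS:
            noecho = bool(reply["flags"] & REPLY_FLAG_NOECHO)
        answer = username if reply["status"] == GETUSER else password
        reply = unpack_reply(server.handle(pack_continue(answer)))
        statuses.append(STATUS_NAME[reply["status"]])
    return statuses, noecho
```

Two details worth noticing: the server sets the no-echo flag only on the password prompt, which is what a client uses to decide whether to mask input, and it returns the same FAIL for an unknown user and for a wrong password so that the reply does not reveal which accounts exist.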

1.4 HWTACACS Attributes

In HWTACACS authorization and accounting packets, the argN fields carry the information exchanged between the server and the client in the form of HWTACACS attributes (attribute-value pairs). This section describes the HWTACACS attributes in detail.

Overview of HWTACACS Attributes

Table 1-10 describes the HWTACACS attributes supported by the device. The device parses only the attributes listed in the table.

Table 1-10 Common HWTACACS attributes

Attribute Name Description
acl Authorization ACL ID.
addr User IP address.
autocmd Commands that the system automatically executes after a user logs in.
bytes_in Traffic received by the device. K, M, and G represent KByte, MByte, and GByte. No unit is displayed if byte is used.
bytes_out Traffic sent by the device. K, M, and G represent KByte, MByte, and GByte. No unit is displayed if byte is used.
callback-line Information sent from the authentication server and to be displayed to a user, such as a mobile number.
cmd Commands executed by the system shell. The maximum length is 251 characters. The complete command is encapsulated when the command is recorded (accounting), and only the first keyword is encapsulated when the command is authorized.
cmd-arg Parameter in the command line to be authorized. Each parameter is carried in its own cmd-arg attribute, and cmd-arg=<cr> is added at the end of the command line.
disc_cause Reason for disconnection. Only accounting stop packets carry this attribute. The reasons for disconnection include:
l A user requests to go offline (1)
l Data forwarding is interrupted (2)
l Service is interrupted (3)
l Idle timeout (4)
l Session timeout (5)
l The administrator requests to go offline (7)
l The NAS is faulty (9)
l The NAS requests to go offline (10)
l The port is suspended (12)
l User information is incorrect (17)
l A host requests to go offline (18)
disc_cause_ext Extended reason for disconnection. Only accounting stop packets carry this attribute. The extended reasons for disconnection include:
l Unknown reason (1022)
l The EXEC terminal tears down the connection (1020)
l An online Telnet user forcibly disconnects this user (1022)
l The user cannot be switched to the SLIP/PPP client due to no remote IP address (1023)
l PPP PAP authentication fails (1042)
l PPP receives a Terminate packet from the remote end (1045)
l The upper-layer device requests the device to tear down the PPP connection (1046)
l PPP handshake fails (1063)
l Session times out (1100)
dnaverage Downstream average rate, in bit/s.
dnpeak Downstream peak rate, in bit/s.
dns-servers IP address of the primary DNS server.
elapsed_time Online duration, in seconds.
ftpdir Initial directory of an FTP user.
gw-password Tunnel password. The value is a string of 1 to 248 characters. If the value contains more than 248 characters, only the first 248 characters are valid.
idletime Idle session timeout period. If a user does not perform any operation within this period, the system disconnects the user.
l2tp-hello-interval Interval for sending L2TP Hello packets. The device does not support this attribute.
l2tp-hidden-avp The attribute value pair (AVP) of L2TP. The device does not support this attribute.
l2tp-nosession-timeout If no session exists within this period, the L2TP tunnel is torn down. The device does not support this attribute.
l2tp-group-num L2TP group number. Other L2TP attributes take effect only if this attribute is delivered. Otherwise, other L2TP attributes are ignored.
l2tp-tos-reflect TOS of L2TP. The device does not support this attribute.
l2tp-tunnel-authen Indicates whether the L2TP tunnel is authenticated:
l 0: not authenticated
l 1: authenticated
l2tp-udp-checksum UDP packet checksum.
nocallback-verify No authentication is required for callback.
nohangup Indicates whether the device automatically disconnects a user. This attribute is valid only after the autocmd attribute is configured. It decides whether to disconnect a user who has executed the autocmd command. The value can be true or false:
l true: does not disconnect the user
l false: disconnects the user
paks_in Number of packets received by the device.
paks_out Number of packets sent by the device.
priv-lvl User level.
protocol Protocol type. It belongs to the service type and is only valid for PPP and connection services. The device supports four protocol types: pad, telnet, ip, and vpdn. The protocol used depends on the service type:
l When the service type is connection, the protocol type can be pad or telnet.
l When the service type is ppp, the protocol type can be ip or vpdn.
l For other service types, this attribute is not used.
task_id Task ID. The task IDs recorded when a task starts and ends must be the same.
timezone Local time zone.
tunnel-id Local user name of the tunnel. The value is a string of 1 to 29 characters. If the value contains more than 29 characters, only the first 29 characters are valid.
tunnel-type Tunnel type. The device only supports the L2TP tunnel. The value of tunnel-type is 3.
service Service type, which can be accounting or authorization.
source-ip Local IP address of the tunnel.
upaverage Upstream average rate, in bit/s.
uppeak Upstream peak rate, in bit/s.

HWTACACS Attributes Available in Packets

There are two types of HWTACACS authorization packets: Authorization Request packets and Authorization Response packets. However, HWTACACS authorization packets can also be classified into EXEC authorization packets, command line authorization packets, and access user authorization packets, depending on the usage scenario. Different authorization packets carry different attributes. For details, see Table 1-11. The following describes the use of HWTACACS authorization packets for different usage scenarios:

l EXEC authorization packets: Used by the HWTACACS server to control the rights of management users logging in through Telnet, the console port, SSH, and FTP.
l Command line authorization packets: Used by the device to have each command line entered by the user authorized by the server before it is executed. Only authorized command lines can be executed.
l Access user authorization packets: Used by the HWTACACS server to control the rights of NAC users such as 802.1X and Portal users.

Just as with HWTACACS authorization packets, there are two types of HWTACACS accounting packets: Accounting Request packets and Accounting Response packets. HWTACACS accounting packets can also be classified into network accounting packets, connection accounting packets, EXEC accounting packets, system accounting packets, and command accounting packets, depending on the connection type. Different accounting packets carry different attributes. For details, see Table 1-12. In every case the device (the HWTACACS client) sends the Accounting Request packets, and the server records them and returns Accounting Response packets. The following describes the use of HWTACACS accounting packets for different connection types:

l Network accounting packets: Used when networks are accessed by PPP users. When a PPP user connects to the network, the device sends an accounting start packet; while the user is using network services, the device periodically sends interim accounting packets; when the user goes offline, the device sends an accounting stop packet.
l Connection accounting packets: Used when a user who has logged in to the device uses the device's Telnet or FTP client to reach a remote server, for example to run commands on it or obtain files from it. The device sends an accounting start packet when the user connects to the remote server and an accounting stop packet when the user disconnects from the remote server.
l EXEC accounting packets: Used when users log in to the device through Telnet or FTP. When a user logs in, the device sends an accounting start packet; while the user stays logged in, the device periodically sends interim accounting packets; when the user goes offline, the device sends an accounting stop packet.
l System accounting packets: Used during fault diagnosis. The device reports system-level events to the server so that administrators can monitor the device and locate network faults.
l Command accounting packets: When an administrator runs any command on the device, the device sends the command to the HWTACACS server in a command accounting stop packet so that the server can record the operations performed by the administrator.
NOTE

l Y: The packet supports this attribute.
l N: The packet does not support this attribute.

Table 1-11 HWTACACS attributes available in authorization packets

Columns: Command Line Authorization Packet | EXEC Authorization Response Packet | Access User Authorization Response Packet

Attribute | Command Line | EXEC | Access User
acl | N | Y | N
addr | N | N | Y
addr-pool | N | N | Y
autocmd | N | Y | N
callback-line | N | Y | Y
cmd | Y | N | N
cmd-arg | Y | N | N
dnaverage | N | N | Y
dnpeak | N | N | Y
dns-servers | N | N | Y
ftpdir | N | Y | N
gw-password | N | N | Y
idletime | N | Y | N
ip-addresses | N | N | Y
l2tp-group-num | N | N | Y
l2tp-tunnel-authen | N | N | Y
nocallback-verify | N | Y | N
nohangup | N | Y | N
priv-lvl | N | Y | N
source-ip | N | N | Y
tunnel-type | N | N | Y
tunnel-id | N | N | Y
upaverage | N | N | Y
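Command line authorization, as an added example in Python (not code from the guide or from Huawei): it builds the Authorization Request body of Table 1-6 with the cmd and cmd-arg attributes of Table 1-10 (first keyword in cmd, one cmd-arg per parameter, cmd-arg=<cr> at the end), parses the Authorization Response of Table 1-7, and decides on the server side against a toy policy, returning the attributes the device must apply for the PASS_ADD and PASS_REPL cases. The layout is assumed to follow TACACS+ (RFC 8907 section 6); service=shell (the TACACS+ convention for command authorization), the POLICY table and all function names are this example's own, not anything the guide defines.

```python
import struct

# Added example, not code from the Huawei guide. Encodes the Authorization
# Request / Response bodies (Tables 1-6 and 1-7) and the command line
# authorization attributes of Table 1-10, then evaluates them against a toy
# policy. ASSUMPTIONS: TACACS+ layout (RFC 8907 section 6); service=shell is
# the TACACS+ convention for command authorization; POLICY is constructed.

AUTHEN_METHOD_HWTACACS = 0x06                  # Table 1-6
AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 0x01, 0x01
PASS_ADD, PASS_REPL, FAIL, ERROR, FOLLOW = 0x01, 0x02, 0x10, 0x11, 0x21   # Table 1-7


def pack_author_request(user, port, rem_addr, args, priv_lvl=1,
                        authen_method=AUTHEN_METHOD_HWTACACS,
                        authen_type=AUTHEN_TYPE_ASCII, service=SERVICE_LOGIN):
    """Eight one-byte fields, one length byte per attribute, then the strings."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("too many or too long attributes")
    head = struct.pack("!8B", authen_method, priv_lvl, authen_type, service,
                       len(user), len(port), len(rem_addr), len(args))
    return head + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def unpack_author_request(body):
    (authen_method, priv_lvl, authen_type, service,
     ul, pl, rl, argc) = struct.unpack("!8B", body[:8])
    arg_lens, off = list(body[8:8 + argc]), 8 + argc
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    args = []
    for n in arg_lens:
        args.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("Authorization Request length mismatch")
    return {"authen_method": authen_method, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service, "user": user,
            "port": port, "rem_addr": rem_addr, "args": args}


def pack_author_response(status, args=(), server_msg=b"", data=b""):
    head = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return head + bytes(len(a) for a in args) + server_msg + data + b"".join(args)


def unpack_author_response(body):
    status, argc, sl, dl = struct.unpack("!BBHH", body[:6])
    arg_lens, off = list(body[6:6 + argc]), 6 + argc
    server_msg, off = body[off:off + sl], off + sl
    data, off = body[off:off + dl], off + dl
    args = []
    for n in arg_lens:
        args.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("Authorization Response length mismatch")
    return {"status": status, "server_msg": server_msg, "data": data, "args": args}


def command_args(command_line):
    """Attributes for one command line as Table 1-10 describes:
    cmd=<first keyword>, one cmd-arg per parameter, cmd-arg=<cr> last."""
    words = command_line.split()
    args = [b"service=shell", b"cmd=" + words[0].encode()]
    args += [b"cmd-arg=" + w.encode() for w in words[1:]]
    return args + [b"cmd-arg=<cr>"]


def split_avpairs(args):
    """attr=value is mandatory, attr*value is optional; the separator is kept."""
    pairs = []
    for a in args:
        pos = min(i for i in (a.find(b"="), a.find(b"*")) if i >= 0)  # ValueError if neither
        pairs.append((a[:pos], a[pos:pos + 1], a[pos + 1:]))
    return pairs


# Constructed policy: first keywords each user may run; b"*" means any command.
POLICY = {b"operator": {b"display", b"ping"}, b"admin": {b"*"}}


def authorize(body):
    """Server side: PASS_ADD for a permitted first keyword, FAIL otherwise."""
    req = unpack_author_request(body)
    cmds = [v for k, _, v in split_avpairs(req["args"]) if k == b"cmd"]
    if len(cmds) != 1:
        return pack_author_response(ERROR, server_msg=b"malformed command request")
    allowed = POLICY.get(req["user"], set())
    if b"*" in allowed or cmds[0] in allowed:
        return pack_author_response(PASS_ADD)
    return pack_author_response(FAIL, server_msg=b"Command not permitted for " + req["user"])


def client_check(user, command_line, port=b"vty1", rem_addr=b"10.0.0.5"):
    """Device side of Table 1-1's command line authorization: returns
    (permitted, attributes the device must apply)."""
    sent = command_args(command_line)
    resp = unpack_author_response(authorize(pack_author_request(user, port, rem_addr, sent)))
    if resp["status"] == PASS_ADD:      # request attributes plus any the server added
        return True, sent + resp["args"]
    if resp["status"] == PASS_REPL:     # server attributes replace the request's
        return True, resp["args"]
    return False, []
```

The request carries only the first keyword in cmd and the rest as cmd-arg attributes, so a server policy that keys on cmd alone, as the toy POLICY does, permits every form of that command; a policy that needs to distinguish, say, display of the running configuration from other display forms must also inspect the cmd-arg values.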

Table 1-12 HWTACACS attributes available in accounting packets

Column key (packet types, left to right):
1 Network Accounting Start Packet
2 Network Accounting Stop Packet
3 Network Interim Accounting Packet
4 Connection Accounting Start Packet
5 Connection Accounting Stop Packet
6 EXEC Accounting Start Packet
7 EXEC Accounting Stop Packet
8 EXEC Interim Accounting Packet
9 System Accounting Stop Packet
10 Command Line Accounting Stop Packet

Attribute | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
addr | Y | Y | Y | Y | Y | N | N | N | N | N
bytes_in | N | Y | Y | N | Y | N | Y | Y | N | N
bytes_out | N | Y | Y | N | Y | N | Y | Y | N | N
cmd | N | N | N | Y | Y | N | N | N | N | Y
disc_cause | N | Y | N | N | N | N | Y | Y | N | N
disc_cause_ext | N | Y | N | N | N | N | Y | Y | N | N
elapsed_time | N | Y | Y | N | Y | N | Y | Y | Y | N
paks_in | N | Y | Y | N | Y | N | Y | Y | N | N
paks_out | N | Y | Y | N | Y | N | Y | Y | N | N
priv-lvl | N | N | N | N | N | N | N | N | N | Y
protocol | Y | Y | Y | Y | Y | N | N | N | N | N
service | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
task_id | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
timezone | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
tunnel-id | N | N | N | N | N | N | N | N | N | N
tunnel-type | Y | N | N | N | N | N | N | N | N | N


2 Using HWTACACS to Perform Authentication, Authorization, and Accounting

HWTACACS Authentication, Authorization, and Accounting

Similar to RADIUS, HWTACACS uses the client/server model to implement AAA for access users by communicating with the HWTACACS server. HWTACACS protects a network from unauthorized access and supports command-line authorization. HWTACACS is more reliable in transmission and encryption than RADIUS, and is more suitable for security control.

2.1 Configuring an HWTACACS Server
2.2 Configuring AAA Schemes
2.3 Configuring an HWTACACS Server Template
2.4 (Optional) Configuring a Service Scheme
2.5 Applying AAA Schemes to a Domain
2.6 Verifying the HWTACACS AAA Configuration

2.1 Configuring an HWTACACS Server

If HWTACACS authentication and authorization are used, the users' authentication, authorization, and accounting information needs to be configured on the HWTACACS server. When a user establishes a connection with the access device through a network to obtain rights to access other networks and network resources, the access device transparently transmits the user's authentication, authorization, and accounting information to the HWTACACS server. The HWTACACS server determines whether the user can pass authentication based on the configured information. If the user passes authentication, the HWTACACS server returns an Authentication Reply packet with status PASS and then answers the device's Authorization Request with an Authorization Response packet carrying the user's authorization attributes. The access device then allows the user to access the network and grants rights to the user based on the attributes in the Authorization Response packet.


2.2 Configuring AAA Schemes


Context
To use HWTACACS authentication, authorization, and accounting, set the authentication
mode in the authentication scheme, authorization mode in the authorization scheme, and
accounting mode in the accounting scheme to HWTACACS.

When configuring HWTACACS authentication, you can configure local authentication or
non-authentication as the backup. This allows local authentication to be implemented if
HWTACACS authentication fails. When configuring HWTACACS authorization, you can
configure local authorization or non-authorization as the backup.

NOTE

If non-authentication is configured using the authentication-mode command, users can pass the
authentication using any user name or password. To protect the device and improve network security,
you are advised to enable authentication to allow only authenticated users to access the device or
network.

Procedure
l Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme scheme-name
An authentication scheme is created and the authentication scheme view is
displayed, or the view of an existing authentication scheme is displayed.
By default, two authentication schemes named default and radius are available on
the device. These two authentication schemes can be modified but not deleted.
d. Run authentication-mode hwtacacs
The HWTACACS authentication mode is specified.
By default, local authentication is used. The names of local users are case-insensitive.
To use local authentication as the backup, run the authentication-mode hwtacacs
[ local | local-case ] command.
e. (Optional) Run authentication-super { hwtacacs | radius | super } * [ none ]
The authentication mode for upgrading user levels is specified.
The default mode is super (local authentication).
f. Run quit
The AAA view is displayed.
g. (Optional) Configure the account locking function.
i. Run remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time
The remote AAA authentication account locking function is enabled, and the
authentication retry interval, maximum number of consecutive authentication
failures, and account locking period are configured.
By default, the remote AAA account locking function is enabled, the
authentication retry interval is 50 minutes, the maximum number of
consecutive authentication failures is 30, and the account locking period is 5
minutes.
ii. Run aaa-quiet administrator except-list { ipv4-address | ipv6-address } &<1-32>
A user is configured to access the network using a specified IP address if the
user account is locked.
By default, a user cannot access the network if the user account is locked.
You can run the display aaa-quiet administrator except-list command to
query the specified IP addresses.
iii. Run remote-user authen-fail unblock { all | username username }
A remote AAA authentication account that has failed authentication is
unlocked.
h. (Optional) Run security-name enable
The security string function is enabled.
By default, the security string function is enabled.
i. (Optional) Run security-name-delimiter delimiter
A security string delimiter is set.
The default security string delimiter is * (asterisk).
j. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }
The direction in which the user name and domain name are parsed is specified.
By default, a domain name is parsed from left to right.
k. Run quit
The system view is displayed.
l. (Optional) Run aaa-authen-bypass enable time time-value
The bypass authentication duration is set.
By default, the bypass authentication function is disabled.
l Configure an authorization scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authorization-scheme authorization-scheme-name
An authorization scheme is created and the authorization scheme view is displayed,
or the view of an existing authorization scheme is displayed.
By default, an authorization scheme named default is available on the device. The
default authorization scheme can be modified but not deleted.
d. Run authorization-mode hwtacacs [ local | local-case ] [ none ]
The authorization mode is specified.


By default, local authorization is used. The names of local users are case-insensitive.
If HWTACACS authorization is configured, you must configure an HWTACACS
server template and apply the template to the corresponding user domain.
e. (Optional) Run authorization-cmd privilege-level hwtacacs [ local ] [ none ]
Command-line authorization is enabled for users at a certain level.
By default, command-line authorization is disabled for users at a certain level.
If command-line authorization is enabled, you must configure an HWTACACS
server template and apply the template to the corresponding user domain.
f. Run quit
The AAA view is displayed.
g. Run quit
The system view is displayed.
h. (Optional) Run aaa-author-bypass enable time time-value
The bypass authorization duration is set.
By default, the bypass authorization is disabled.
i. (Optional) Run aaa-author-cmd-bypass enable time time-value
The bypass command-line authorization duration is set.
By default, the bypass command-line authorization is disabled.
l Configure an accounting scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run accounting-scheme accounting-scheme-name
An accounting scheme is created and the accounting scheme view is displayed, or
the view of an existing accounting scheme is displayed.
By default, the accounting scheme named default is available on the device. The
default accounting scheme can be modified but not deleted.
d. Run accounting-mode hwtacacs
The HWTACACS accounting mode is specified.
The default accounting mode is none.
e. (Optional) Run accounting start-fail { offline | online }
A policy for accounting-start failures is configured.
By default, users cannot go online if accounting-start fails.
f. (Optional) Run accounting realtime interval
Real-time accounting is enabled and the accounting interval is set.
By default, real-time accounting is disabled. The device performs accounting for
users based on their online duration.
g. (Optional) Run accounting interim-fail [ max-times times ] { offline | online }
The maximum number of real-time accounting failures is set, and a policy is
specified for the device if the maximum number of real-time accounting attempts
fail.


The default maximum number of real-time accounting failures is 3. The device will
keep the users online if three real-time accounting attempts fail.

----End
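The account-locking parameters in step g interact in a way the three defaults (50 minutes, 30 failures, 5 minutes) do not make obvious on their own. The following Python model is an added example, not Huawei code or a description of the device's implementation: it treats retry-time consecutive failures inside one retry-interval as the lock trigger, honours the aaa-quiet administrator except-list, and implements the unblock command. The class names, the policy values and the IP addresses used in demo() are constructed for the example.

```python
"""Model of the remote AAA account-locking parameters (remote-aaa-user authen-fail
retry-interval / retry-time / block-time, aaa-quiet administrator except-list and
remote-user authen-fail unblock).  Added example, not Huawei code: the rule
"retry-time consecutive failures inside one retry-interval lock the account for
block-time" is an assumption about how the parameters combine."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LockPolicy:
    retry_interval: int = 50   # minutes in which consecutive failures are counted (default 50)
    retry_time: int = 30       # consecutive failures that trigger a lock (default 30)
    block_time: int = 5        # minutes the account stays locked (default 5)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # minute stamps of recent failures
    locked_until: Optional[float] = None           # None when the account is not locked


class RemoteAaaLocker:
    """Per-account failure tracking, done on the device before a request is forwarded."""

    def __init__(self, policy, except_list=()):
        self.policy = policy
        self.except_list = set(except_list)   # aaa-quiet administrator except-list addresses
        self.accounts = {}

    def state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        st = self.state(user)
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until, st.failures = None, []   # block-time elapsed: lock expires
        return st.locked_until is not None

    def attempt(self, user, src_ip, server_accepts, now):
        """Return 'locked', 'pass' or 'fail' for one login attempt made at minute `now`."""
        st = self.state(user)
        if self.is_locked(user, now) and src_ip not in self.except_list:
            return "locked"            # rejected locally, never reaches the HWTACACS server
        if server_accepts:
            st.failures = []           # a success resets the consecutive-failure count
            return "pass"
        # keep only failures inside the retry interval, then record this one
        st.failures = [t for t in st.failures if now - t < self.policy.retry_interval]
        st.failures.append(now)
        if len(st.failures) >= self.policy.retry_time:
            st.locked_until, st.failures = now + self.policy.block_time, []
        return "fail"

    def unblock(self, user=None):
        """remote-user authen-fail unblock { all | username username }"""
        for st in (self.accounts.values() if user is None else [self.state(user)]):
            st.locked_until, st.failures = None, []


def demo():
    """Walk an admin account through lock, except-list bypass and lock expiry."""
    locker = RemoteAaaLocker(LockPolicy(retry_interval=10, retry_time=3, block_time=5),
                             except_list={"192.0.2.10"})   # constructed management host
    out = []
    for minute in (0, 1, 2):                                      # three wrong passwords
        out.append(locker.attempt("admin", "198.51.100.7", False, minute))
    out.append(locker.attempt("admin", "198.51.100.7", True, 3))  # right password, but locked
    out.append(locker.attempt("admin", "192.0.2.10", True, 3))    # except-list host gets through
    out.append(locker.attempt("admin", "198.51.100.7", True, 7))  # lock expired at 2 + 5
    return out
```

demo() returns the verdict sequence fail, fail, fail, locked, pass, pass: the third failure locks the account, a correct password from an ordinary host is still refused while the lock holds, a host on the except-list is still allowed to authenticate, and the lock clears once block-time has elapsed.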

2.3 Configuring an HWTACACS Server Template


Context
When configuring an HWTACACS server template, you must specify the IP address, port
number, and shared key of a specified HWTACACS server. Other settings, such as the
HWTACACS user name format and traffic unit, have default values and can be modified
based on network requirements.

The HWTACACS server template settings such as the HWTACACS user name format and
shared key must be the same as those on the HWTACACS server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run hwtacacs enable

HWTACACS is enabled.

By default, HWTACACS is enabled.

Step 3 Run hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is
displayed.

By default, no HWTACACS server template is configured on the device.

Step 4 Configure HWTACACS authentication, authorization, and accounting servers.

Configuration: Configure an HWTACACS authentication server.
Command: hwtacacs-server authentication ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ]
Description: By default, no HWTACACS authentication server is configured.

Configuration: Configure an HWTACACS authorization server.
Command: hwtacacs-server authorization ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ]
Description: By default, no HWTACACS authorization server is configured.

Configuration: Configure an HWTACACS accounting server.
Command: hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ]
Description: By default, no HWTACACS accounting server is configured.

Step 5 Set parameters for interconnection between the device and an HWTACACS server.
Procedure: Set the shared key for the HWTACACS server.
Command: hwtacacs-server shared-key cipher key-string
Description: By default, no shared key is set for an HWTACACS server.

Procedure: (Optional) Configure the format of the user name in the packet sent by the device to the HWTACACS server.
Command:
l Configure the user name to contain the domain name: hwtacacs-server user-name domain-included
l Configure the original user name: hwtacacs-server user-name original
l Configure the user name not to contain the domain name: undo hwtacacs-server user-name domain-included
Description: By default, the device does not change the user name entered by the user when sending packets to the HWTACACS server.

Procedure: (Optional) Set the HWTACACS traffic unit.
Command: hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }
Description: The default HWTACACS traffic unit on the device is bytes.

Procedure: (Optional) Set the source IP address for communication between the device and HWTACACS server.
Command: hwtacacs-server source-ip { ip-address | source-loopback interface-number }
Description: By default, the device uses the IP address of the actual outbound interface as the source IP address encapsulated in HWTACACS packets.

Step 6 (Optional) Set the response timeout interval and activation interval for the HWTACACS
server.

Procedure: Set the response timeout interval for the HWTACACS server.
Command: hwtacacs-server timer response-timeout interval
Description: The default response timeout interval for an HWTACACS server is 5 seconds. If the device does not receive a response packet from an HWTACACS server within the response timeout interval, it considers that the HWTACACS server is unreachable and then tries other authentication and authorization methods.

Procedure: Set the interval for the primary HWTACACS server to restore to the active state.
Command: hwtacacs-server timer quiet interval
Description: The default interval for the primary HWTACACS server to restore to the active state is 5 minutes.

Step 7 Run quit

The system view is displayed.

Step 8 (Optional) Run hwtacacs-server accounting-stop-packet resend { disable | enable number }

Retransmission of accounting-stop packets is enabled and the number of packets that can be
retransmitted each time is specified.

By default, retransmission of accounting-stop packets is enabled, and 100 accounting-stop
packets can be retransmitted each time.

Step 9 Run return

The user view is displayed.

Step 10 (Optional) Run hwtacacs-user change-password hwtacacs-server template-name

The password saved on the HWTACACS server is changed.

NOTE

To ensure device security, you are advised to frequently change the password.

----End

2.4 (Optional) Configuring a Service Scheme


Context
Users must obtain authorization information before going online. You can configure a service
scheme to manage authorization information about users.


NOTE

When the device is switched to the NAC common mode, only the administrator level, number of users
who can access the network using the same user name, and redirection ACL can be configured in the
service scheme.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

By default, no service scheme is configured on the device.

Step 4 Run admin-user privilege level level

The user is configured as the administrator and the administrator level for login is specified.

The value range of level is from 0 to 15. By default, the user level is not specified.

Step 5 Configure server information.

Step: Configure a DHCP server group.
Command: dhcp-server group group-name
Remarks: By default, no DHCP server group is configured in a service scheme.

Step: Configure the IP address of the primary DNS server.
Command: dns ip-address
Remarks: By default, no primary DNS server is configured in a service scheme.

Step: Configure the IP address of the secondary DNS server.
Command: dns ip-address secondary
Remarks: By default, no secondary DNS server is configured in a service scheme.

Step: Configure the primary WINS server.
Command: wins ip-address
Remarks: By default, no primary WINS server is configured in a service scheme.

Step: Configure the secondary WINS server.
Command: wins ip-address secondary
Remarks: By default, no secondary WINS server is configured in a service scheme.

Step 6 Run ip-pool pool-name [ move-to new-position ]


An IP address pool is bound to the service scheme or an existing IP address pool is moved.
By default, no IP address pool is bound to a service scheme.

NOTE

Ensure that the IP address pool has been configured before running this command.

Step 7 Run policy-route next-hop-ip-address [ vlan-id ]


Policy-based routing (PBR) is configured in the service scheme.
By default, PBR is not configured in a service scheme.
Step 8 Run redirect-acl { acl-number | name acl-name }
The ACL used for redirection is configured in the service scheme.
By default, no ACL used for redirection is configured in a service scheme.
Step 9 Run idle-cut idle-time flow-value [ inbound | outbound ]
The idle-cut function is enabled for domain users and the idle-cut parameters are set.
By default, the idle-cut function is disabled for domain users.

NOTE

You can only run the idle-cut command in the service scheme view to enable the idle-cut function for
common users (wireless users). If you need to perform idle-cut for administrators, run the local-user
idle-timeout command in the AAA view during the local authentication, and use RADIUS attribute 28
(Idle-Timeout) during the RADIUS authentication.

Step 10 Run access-limit user-name max-num number


The maximum number of users who are allowed to access the network using the same user
name is configured.
By default, the number of users who are allowed to access the network using the same user
name is not limited, and is determined by the maximum number of access users supported by
the device.

NOTE

The limit on the number of access users sharing one user name applies only to users who have
been successfully authenticated; it does not apply to pre-connection users.

Step 11 Run priority priority-value


The user priority is configured in the service scheme.
By default, the user priority is 0.


NOTE

This function takes effect only for wireless users.

Step 12 Configure network access control parameters in the service scheme.


l Run acl-id acl-number
An ACL is bound to the service scheme.
By default, no ACL is bound to a service scheme.
NOTE

Before running this command, ensure that an ACL has been created using the acl or acl name command
and ACL rules have been configured using the rule command.
The priorities of the following access policies are in descending order:
ACL number delivered by the RADIUS server > ACL number configured on the local device > ACL
rule delivered by the RADIUS server through the attribute HW-Data-Filter numbered 26-82 > User
group delivered by the RADIUS server > User group configured on the local device > UCL group
delivered by the RADIUS server > UCL group configured on the local device
The RADIUS server delivers the ACL number, user group, and UCL group through the standard
attribute Filter-Id numbered 11.
l Run ucl-group { group-index | name group-name }
A UCL group is bound to the service scheme.
By default, no UCL group is bound to a service scheme.
Before running this command, ensure that a UCL group that identifies the user category
has been created and configured.
l Run user-vlan vlan-id
A user VLAN is configured in the service scheme.
By default, no user VLAN is configured in a service scheme.
Before running this command, ensure that a VLAN has been created using the vlan
command.
l Run voice-vlan
The voice VLAN function is enabled in the service scheme.
By default, the voice VLAN function is disabled in a service scheme.
To make this configuration take effect, ensure that a VLAN has been specified as the
voice VLAN using the link command and the voice VLAN function has been enabled on
the interface.
l Run qos-profile profile-name
A QoS profile is bound to the service scheme.
By default, no QoS profile is bound to a service scheme.
Before running this command, ensure that a QoS profile has been configured. The
procedure for configuring a QoS profile is as follows:
NOTE

Among all parameters in the QoS profile bound to the service scheme, only the parameters configured
using the following commands take effect.

1. In the system view, run qos-profile name profile-name


A QoS profile is created and the QoS profile view is displayed.
2. Configure traffic policing and packet processing priority in the QoS profile view.


l Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { inbound | outbound }
Traffic policing is configured in the QoS profile.
By default, traffic policing is not configured in a QoS profile.
l Run remark dscp dscp-value { inbound | outbound }
The action of re-marking DSCP priorities of IP packets is configured in the QoS profile.
By default, the action of re-marking DSCP priorities of IP packets is not configured in a
QoS profile.
l Run remark 8021p 8021p-value
The action of re-marking 802.1p priorities of VLAN packets is configured in the QoS
profile.
By default, the action of re-marking 802.1p priorities of VLAN packets is not configured
in a QoS profile.
l Run user-queue pir pir-value [ flow-queue-profile flow-queue-profile-name ] [ flow-mapping-profile flow-mapping-profile-name ]
A user queue is created in the QoS profile to implement HQoS scheduling.
By default, no user queue is configured in a QoS profile.

----End

2.5 Applying AAA Schemes to a Domain


Context
The created authentication scheme, authorization scheme, accounting scheme, and
HWTACACS server template are in effect only when they are applied to a domain.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name [ domain-index domain-index ]

A domain is created and the domain view is displayed, or the view of an existing domain is
displayed.

The device has two default domains:

l default: Used by common access users


l default_admin: Used by administrators


NOTE

l If a user enters a user name that does not contain a domain name, the user is authenticated in the
default domain. In this case, you need to run the domain domain-name [ admin ] command and set
domain-name to configure a global default domain on the device.
l If a user enters a user name that contains a domain name during authentication, the user must enter
the correct value of domain-name.

Step 4 Apply AAA schemes to the domain.


Procedure: Apply an authentication scheme to the domain.
Command: authentication-scheme scheme-name
Description: By default, the authentication scheme default is applied to the default_admin domain, and the authentication scheme named radius is applied to the default domain and other domains.

Procedure: Apply an authorization scheme to the domain.
Command: authorization-scheme authorization-scheme-name
Description: By default, no authorization scheme is applied to a domain.

Procedure: Apply an accounting scheme to the domain.
Command: accounting-scheme accounting-scheme-name
Description: By default, the accounting scheme default is applied to a domain. In this accounting scheme, non-accounting is used and real-time accounting is disabled.

Step 5 Apply a service scheme and an HWTACACS server template to the domain.
Procedure: (Optional) Apply a service scheme to the domain.
Command: service-scheme service-scheme-name
Description: By default, no service scheme is applied to a domain.

Procedure: Apply an HWTACACS server template to the domain.
Command: hwtacacs-server template-name
Description: By default, no HWTACACS server template is applied to a domain.

Step 6 (Optional) Configure other functions for the domain.


Procedure: Specify the domain state.
Command: state { active | block [ time-range time-name &<1-4> ] }
Description: When a domain is in the blocking state, users in this domain cannot log in. By default, a created domain is in the active state.

Procedure: Apply a user group to the domain.
Command: user-group group-name
Description: By default, no user group is applied to a domain.

Step 7 (Optional) Run statistic enable


Traffic statistics collection is enabled for users in the domain.
By default, traffic statistics collection is disabled for users in a domain.
Step 8 (Optional) Configure a domain name parsing scheme. (If domain name parsing is configured
in both the AAA view and authentication profile view, the device preferentially uses the
configuration in the authentication profile. The configuration in the authentication profile
applies only to wireless users.)
AAA view:

Procedure: Exit from the domain view.
Command: quit
Description: -

Procedure: Specify the domain name parsing direction.
Command: domainname-parse-direction { left-to-right | right-to-left }
Description: The domain name can be parsed from left to right, or from right to left. By default, the domain name is parsed from left to right.

Procedure: Set the domain name delimiter.
Command: domain-name-delimiter delimiter
Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.

Procedure: Specify the domain name location.
Command: domain-location { after-delimiter | before-delimiter }
Description: The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.

Procedure: Set the security string delimiter.
Command: security-name-delimiter delimiter
Description: The default security string delimiter is * (asterisk).

Authentication profile view:

Procedure: Exit from the AAA view.
Command: quit
Description: -

Procedure: Create an authentication profile and enter the authentication profile view.
Command: authentication-profile name authentication-profile-name
Description: By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

Procedure: Specify the domain name parsing direction.
Command: domainname-parse-direction { left-to-right | right-to-left }
Description: The domain name can be parsed from left to right, or from right to left. By default, the domain name parsing direction is not specified.

Procedure: Set the domain name delimiter.
Command: domain-name-delimiter delimiter
Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, no domain name delimiter is set.

Procedure: Specify the domain name location.
Command: domain-location { after-delimiter | before-delimiter }
Description: The domain name can be placed before or after the delimiter. By default, the domain name location is not specified.

Procedure: Set the security string delimiter.
Command: security-name-delimiter delimiter
Description: By default, no security string delimiter is set.
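The parsing direction, delimiter and domain location decide which domain a login name is authenticated in, and the hwtacacs-server user-name setting from section 2.3 decides what the HWTACACS server then sees. The Python below is an added example, not Huawei code, that models both: it splits what the user typed into user name and domain under the settings of step 8, and produces the name forwarded to the server under original, domain-included and undo domain-included. The class and function names are the example's own, and how domain-included behaves when no domain was typed is an assumption marked in the code.

```python
"""Model of login-name parsing (domainname-parse-direction, domain-name-delimiter,
domain-location) and of the user-name form sent to the HWTACACS server
(hwtacacs-server user-name { domain-included | original }, undo ... domain-included).
Added example, not Huawei code; see the assumption noted in name_sent_to_server()."""
from dataclasses import dataclass
from typing import Optional, Tuple

DOMAIN_DELIMITERS = set("\\/:<>|@'%")   # the delimiters domain-name-delimiter accepts


@dataclass(frozen=True)
class DomainParsing:
    direction: str = "left-to-right"   # domainname-parse-direction { left-to-right | right-to-left }
    delimiter: str = "@"               # domain-name-delimiter (default @)
    location: str = "after-delimiter"  # domain-location { after-delimiter | before-delimiter }
    default_domain: str = "default"    # global default domain used when none is entered

    def __post_init__(self):
        if self.delimiter not in DOMAIN_DELIMITERS:
            raise ValueError(f"unsupported domain delimiter {self.delimiter!r}")
        if self.direction not in ("left-to-right", "right-to-left"):
            raise ValueError(f"unsupported direction {self.direction!r}")
        if self.location not in ("after-delimiter", "before-delimiter"):
            raise ValueError(f"unsupported location {self.location!r}")


def split_login_name(entered: str, cfg: DomainParsing) -> Tuple[str, Optional[str]]:
    """Return (user, domain); domain is None when the name carries no delimiter."""
    # the parsing direction decides which delimiter counts when the name holds several
    if cfg.direction == "left-to-right":
        idx = entered.find(cfg.delimiter)
    else:
        idx = entered.rfind(cfg.delimiter)
    if idx < 0:
        return entered, None
    before, after = entered[:idx], entered[idx + 1:]
    return (before, after) if cfg.location == "after-delimiter" else (after, before)


def domain_for(entered: str, cfg: DomainParsing) -> str:
    """Domain the user is authenticated in: the entered one, else the global default."""
    return split_login_name(entered, cfg)[1] or cfg.default_domain


def name_sent_to_server(entered: str, cfg: DomainParsing, user_name_format: str) -> str:
    """user_name_format: 'original', 'domain-included' or 'domain-excluded'
    (the last models undo hwtacacs-server user-name domain-included)."""
    user, domain = split_login_name(entered, cfg)
    if user_name_format == "original":
        return entered                     # forwarded exactly as typed
    if user_name_format == "domain-excluded":
        return user                        # domain part stripped before sending
    if user_name_format == "domain-included":
        # Assumption of this model: the name is rebuilt as user and domain around the
        # configured delimiter, in the configured location, with the default domain
        # filled in when the user typed none.
        dom = domain or cfg.default_domain
        if cfg.location == "after-delimiter":
            return f"{user}{cfg.delimiter}{dom}"
        return f"{dom}{cfg.delimiter}{user}"
    raise ValueError(f"unknown user-name format {user_name_format!r}")
```

With the defaults, "alice@corp" parses to user alice in domain corp and "alice" falls into the default domain; with right-to-left parsing, "a@b@c" yields user "a@b" in domain "c", whereas left-to-right yields user "a" in domain "b@c", which is why the direction and delimiter must match what the HWTACACS server expects.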

Step 9 (Optional) Specify a permitted domain for wireless users. (This step applies only to wireless
users.)
Procedure: Return to the system view.
Command: quit
Description: -

Procedure: Create an authentication profile and enter the authentication profile view.
Command: authentication-profile name authentication-profile-name
Description: By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

Procedure: Specify a permitted domain for wireless users.
Command: permit-domain name domain-name &<1-4>
Description: By default, no permitted domain is specified for wireless users. After a permitted domain is specified in an authentication profile, only users in the permitted domain can be subject to authentication, authorization, and accounting.

----End

2.6 Verifying the HWTACACS AAA Configuration


Procedure
l Run the display aaa configuration command to check the AAA summary.
l Run the display authentication-scheme [ authentication-scheme-name ] command to
verify the authentication scheme configuration.
l Run the display authorization-scheme [ authorization-scheme-name ] command to
verify the authorization scheme configuration.
l Run the display accounting-scheme [ accounting-scheme-name ] command to verify the
accounting scheme configuration.
l Run the display recording-scheme [ recording-scheme-name ] command to verify the
recording scheme configuration.
l Run the display service-scheme [ name name ] command to verify the service scheme
configuration.
l Run the display hwtacacs-server template [ template-name ] command to verify the
HWTACACS server template configuration.
l Run the display hwtacacs-server template template-name verbose command to check
statistics about HWTACACS authentication, accounting, and authorization.
l Run the display hwtacacs-server accounting-stop-packet { all | number | ip ip-address }
command to verify information about accounting-stop packets of the HWTACACS server.
l Run the display domain [ name domain-name ] command to verify the domain
configuration.
l Run the display aaa statistics access-type-authenreq command to display the number
of authentication requests.

l Run the display access-user user-name-table statistics { all | username username }
command to check statistics on users who are allowed to access the network using the
user name.
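The display commands above show each piece of the configuration on its own. The following Python script is an added example, not Huawei code, that checks across a whole configuration the dependencies sections 2.2, 2.3 and 2.5 state: every HWTACACS server template has authentication, authorization and accounting servers and a cipher shared key, a none fallback in an authentication or authorization scheme is surfaced (the NOTE in 2.2 warns about it), accounting start-fail online is surfaced, and every domain that applies an HWTACACS scheme also binds a defined server template. The sample configuration, its addresses, the placeholder key and the indentation-nested parsing are constructed assumptions for the example.

```python
"""Audit a Huawei-style running configuration for the HWTACACS AAA wiring that
sections 2.2, 2.3 and 2.5 describe.  Added example, not Huawei code; the sample
config, its addresses and the indentation-nested parsing are assumptions."""

# Constructed sample, not a real device configuration; the key is a placeholder.
SAMPLE_CONFIG = """\
hwtacacs enable
hwtacacs-server template tpl1
 hwtacacs-server authentication 10.0.0.10
 hwtacacs-server authorization 10.0.0.10
 hwtacacs-server shared-key cipher PLACEHOLDER-CIPHERTEXT
 hwtacacs-server user-name domain-included
aaa
 authentication-scheme auth1
  authentication-mode hwtacacs local none
 authorization-scheme autho1
  authorization-mode hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme acct1
  accounting-mode hwtacacs
  accounting start-fail online
 domain corp
  authentication-scheme auth1
  authorization-scheme autho1
  accounting-scheme acct1
  hwtacacs-server tpl1
 domain guest
  authentication-scheme auth1
"""

SCHEME_KINDS = ("authentication-scheme", "authorization-scheme", "accounting-scheme")


def parse_config(text):
    """Build a tree of (line, children) nodes from indentation; '#' separators are skipped."""
    root, stack = [], [(-1, [])]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:        # close deeper or equal views
            stack.pop()
        node = (line, [])
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def find(nodes, prefix):
    """Nodes whose command line starts with prefix (a trailing space avoids partial matches)."""
    return [n for n in nodes if n[0].startswith(prefix)]


def by_name(nodes, prefix):
    """Map 'prefix NAME' lines to their child nodes, e.g. {'auth1': [...]}."""
    return {n[0][len(prefix):].split()[0]: n[1] for n in find(nodes, prefix)}


def applied(body, command):
    """Argument of 'command NAME' inside a view, or None if the command is absent."""
    hit = find(body, command + " ")
    return hit[0][0].split()[1] if hit else None


def uses_hwtacacs(body):
    return any("hwtacacs" in line.split() for line, _ in body)


def audit(text):
    """Return a list of finding strings; an empty list means every check passed."""
    root, findings = parse_config(text), []
    if find(root, "undo hwtacacs enable"):
        findings.append("global: HWTACACS is disabled (undo hwtacacs enable)")
    templates = by_name(root, "hwtacacs-server template ")
    for name, body in templates.items():
        for role in ("authentication", "authorization", "accounting"):
            if not find(body, f"hwtacacs-server {role} "):
                findings.append(f"template {name}: no {role} server configured")
        key = find(body, "hwtacacs-server shared-key")
        if not key:
            findings.append(f"template {name}: no shared key set")
        elif "cipher" not in key[0][0].split():
            findings.append(f"template {name}: shared key not entered in cipher form")
    aaa = [n for n in root if n[0] == "aaa"]
    aaa_body = aaa[0][1] if aaa else []
    schemes = {kind: by_name(aaa_body, kind + " ") for kind in SCHEME_KINDS}
    for name, body in schemes["authentication-scheme"].items():
        if any("none" in line.split() for line, _ in find(body, "authentication-mode ")):
            findings.append(f"authentication-scheme {name}: 'none' lets any user name/password pass")
    for name, body in schemes["authorization-scheme"].items():
        if any("none" in line.split() for line, _ in find(body, "authorization-")):
            findings.append(f"authorization-scheme {name}: 'none' falls back to no authorization")
    for name, body in schemes["accounting-scheme"].items():
        if find(body, "accounting start-fail online"):
            findings.append(f"accounting-scheme {name}: users go online when accounting-start fails")
    for dname, body in by_name(aaa_body, "domain ").items():
        needs_template = False
        for kind in SCHEME_KINDS:
            ref = applied(body, kind)
            if ref is None:
                continue
            if ref not in schemes[kind]:
                findings.append(f"domain {dname}: {kind} {ref} is not defined")
            elif uses_hwtacacs(schemes[kind][ref]):
                needs_template = True      # 2.2: an HWTACACS scheme needs a template in the domain
        tpl = applied(body, "hwtacacs-server")
        if tpl is not None and tpl not in templates:
            findings.append(f"domain {dname}: hwtacacs-server template {tpl} is not defined")
        if needs_template and tpl is None:
            findings.append(f"domain {dname}: HWTACACS scheme applied but no server template bound")
    return findings
```

Run against the constructed sample, audit() reports four findings: tpl1 has no accounting server although acct1 uses HWTACACS accounting, auth1 ends in none, acct1 lets users online on accounting-start failure, and the guest domain applies auth1 without binding a template. Once those are corrected the list is empty, which is the state the display commands above should confirm on the device.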
