Introduction of AAA
AAA is the abbreviation of the three English words 验证
(Authentication), 授权
(Authorization) and 记账
(Accounting) is a server program that can handle user access requests. The main purpose is to manage user access to network servers and provide services for users with access rights.
Authentication: Which users can access the web server.
Authorization: What services and permissions are available to users with access rights.
Bookkeeping: How to audit users who are using network resources.
There are two types of AAA authentication methods for network equipment 本地身份验证
(Local) 远程身份验证
.
Local Authentication by 用户名
and 密码
create and verify a local
remote authentication server AAA by various manufacturers own to accomplish this need 设备
and AAA服务器
be off.
Huawei Firewall supports users to perform local and remote configuration, and only introduces local authentication.
Common management methods of Huawei firewall
Management method | description |
---|---|
console cable connection | It belongs to out-of-band management and does not occupy user bandwidth. It is suitable for the first configuration scenario of new devices. |
telnet connection | It belongs to in-band management, with simple configuration, low security, and low resource consumption. It is mainly applicable to scenarios with low security and poor device performance. |
Web interface login | Belonging to in-band management, it can be based on graphical management and is more suitable for novice configuration devices. |
ssh connection | It belongs to in-band management, with complex configuration, high security, and high resource consumption. It is mainly suitable for scenarios with high security requirements, such as remote management of company network equipment through the Internet. |
There will be 3 detailed configurations of in-band management below.
Telent management
Through configuration, the terminal Telnet
can log in to the device through the way to realize the configuration and management of the device. The experimental environment is shown in the figure below,
When building the topology shown in the figure above, eNSP
the client in cannot simulate Telnet, SSH, or Web management, so it is recommended to bridge the G0 / 0/0 port of the firewall to a real virtual machine and use it 虚拟机
as a client.
Cloud configuration
In addition, the default management account for Huawei devices is admin
and the password is Admin@123
. The other created accounts need to reset the password according to the prompt during the first overdub.
Please Press ENTER.
An initial password is required for the first login via the console.
Set a password and keep it safe. Otherwise you will not be able to login via the
console.
Please configure the login password (8-16)
Enter Password: ##密码是:Admin@123
Confirm Password: ##重复密码
Warning: The authentication mode was changed to password authentication and the
user level was changed to 15 on con0 at the first user login.
Warning: There is a risk on the user-interface which you login through. Please c
hange the configuration of the user-interface as soon as possible.
*************************************************************************
* Copyright (C) 2014-2015 Huawei Technologies Co., Ltd. *
* All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
*************************************************************************
<USG6000V1>
<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info en
Info: Information center is disabled.
[USG6000V1]
- Configure the IP address of the firewall IP interface and enable the telnet function
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 192.168.100.20 24
[USG6000V1-GigabitEthernet1/0/0]un sh
Info: Interface GigabitEthernet1/0/0 is not shutdown.
[USG6000V1-GigabitEthernet1/0/0]q
[USG6000V1]
[USG6000V1]telnet server enable
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet
- Configure the firewall to allow remote management, and add the firewall interface g1 / 0/0 to the security zone.
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]service-manage enable
[USG6000V1-GigabitEthernet1/0/0]service-manage telnet permit
[USG6000V1-GigabitEthernet1/0/0]q
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g1/0/0
[USG6000V1-zone-trust]q
[USG6000V1]
3) Configure the firewall with inter-domain packet filtering to ensure that the basic network communication is normal. Because Telnet traffic belongs to the firewall itself, it is necessary to configure Trust
area-to- Local
area security policies.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name allow_telnet
[USG6000V1-policy-security-rule-allow_telnet]source-zone trust
[USG6000V1-policy-security-rule-allow_telnet]destination-zone local
[USG6000V1-policy-security-rule-allow_telnet]action permit
[USG6000V1-policy-security-rule-allow_telnet]q
[USG6000V1-policy-security]q
[USG6000V1]
- Configure authentication mode and local user information
[USG6000V1]user-interface vty 0 4 //进到用户界面视图
[USG6000V1-ui-vty0-4]authentication-mode aaa //开启aaa认证模式
Warning: The level of the user-interface(s) will be the default level of AAA use
rs, please check whether it is correct.
[USG6000V1-ui-vty0-4]protocol inbound telnet //允许 Telnet连接虚拟终端
[USG6000V1-ui-vty0-4]q
[USG6000V1]aaa //进到aaa认证模式
[USG6000V1-aaa]manager-user demo //配置本地用户demo
[USG6000V1-aaa-manager-user-demo]password cipher demo@123 //配置密码
Info: You are advised to config on man-machine mode.
[USG6000V1-aaa-manager-user-demo]service-type telnet //配置服务类型
Warning: The user access modes include Telnet or FTP, so security risks exist.
[USG6000V1-aaa-manager-user-demo]level 3 //配置用户权限级别
[USG6000V1-aaa-manager-user-demo]q
[USG6000V1-aaa]q
[USG6000V1]
5) Run CRT on the client and connect to the firewall
6) After connecting, change the password according to the prompt. After reconnecting, you can enter the user view and log in to the device.
web management
1) Open the http and https management of the interface
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]service-manage http permit //打开接口的http和https管理
[USG6000V1-GigabitEthernet1/0/0]service-manage https permit
2) Add the firewall interface g1 / 0/0 to the security zone, which has been done above, but it will not be done here
3) Configure the security policy
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name allow_web
[USG6000V1-policy-security-rule-allow_web]source-zone trust
[USG6000V1-policy-security-rule-allow_web]destination-zone local
[USG6000V1-policy-security-rule-allow_web]action permit
[USG6000V1-policy-security-rule-allow_web]q
[USG6000V1-policy-security]q
[USG6000V1]
[USG6000V1]web-manager security enable //开启web管理策略
Info: Web security-server has been enabled.
4) Aaa user authentication mode
[USG6000V1]aaa
[USG6000V1-aaa]manager-user demo
[USG6000V1-aaa-manager-user-demo]service-type web
[USG6000V1-aaa-manager-user-demo]level 3
[USG6000V1-aaa-manager-user-demo]q
[USG6000V1-aaa]q
[USG6000V1]
Note:
- The web-manager security enable command can also be followed
自定义端口
, such as web-manager security enable port 2000. - Execute security parameters to enable
https
management, such as web-manager security enable; do not execute security parameters, to enablehttp
management, such as: web-manage enable. - It is not allowed to use the same port for https and http management, such configuration will cause port conflicts.
5) The https port opened by default in the firewall is 8443
: Visit https://192.168.100.20:8443 in the E browser of the client to open the authentication interface
Because the demo password was changed during telnet, log in with the new password
Configure SSH to log in to the device
Compared with Telnet, SSH is more secure, but more complicated than telnet. The following are the steps to configure SSH management.
1) Enter the interface, allow ssh connection, and join the trust zone (telnet has been done)
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]service-manage ssh permit
[USG6000V1-GigabitEthernet1/0/0]q
2) Configure security policy
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name allow_ssh
[USG6000V1-policy-security-rule-allow_ssh]source-zone trust
[USG6000V1-policy-security-rule-allow_ssh]destination-zone local
[USG6000V1-policy-security-rule-allow_ssh]action permit
[USG6000V1-policy-security-rule-allow_ssh]q
[USG6000V1-policy-security]q
[USG6000V1]
3) Create the key pair required for SSH
[USG6000V1]rsa local-key-pair create //创建SSH所需的密钥对
The key name will be: USG6000V1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
.+++++
........................++
....++++
...........++
[USG6000V1]
4) Specify aaa authentication, and create ssh authentication users
[USG6000V1]user-interface vty 0 4
[USG6000V1-ui-vty0-4]authentication-mode aaa
Warning: The level of the user-interface(s) will be the default level of AAA use
rs, please check whether it is correct.
[USG6000V1-ui-vty0-4]protocol inbound ssh
[USG6000V1-ui-vty0-4]q
[USG6000V1]ssh user lzj //指定lzj为ssh用户
Info: Succeeded in adding a new SSH user.
[USG6000V1]ssh user lzj authentication-type password //配置认证方式
[USG6000V1]ssh user lzj service-type stelnet //配置服务类型
[USG6000V1]aaa
[USG6000V1-aaa]manager-user lzj //创建本地用户lzj
[USG6000V1-aaa-manager-user-lzj]password cipher Lzja@123 //指定密码
Info: You are advised to config on man-machine mode.
[USG6000V1-aaa-manager-user-lzj]service-type ssh
[USG6000V1-aaa-manager-user-lzj]level 3
[USG6000V1-aaa-manager-user-lzj]q
[USG6000V1-aaa]q
[USG6000V1]
[USG6000V1]stelnet server enable
Info: Succeeded in starting the Stelnet server.
[USG6000V1]
5) Connect the CRT software to the firewall on the client, the following frame pops up, click "Accept and Save".
A new login box will pop up, enter the user and password. The first time you log in, you will be prompted to change the password. After the change, you will automatically 新密码
log out and use the login.
下一篇:防火墙的NAT策略