AAA principle and configuration

AAA basic concept

• AAA is the abbreviation of Authentication, Authorization, and Accounting. It is a management mechanism for network security and provides three security functions: authentication, authorization, and accounting.

AAA common structure

The common AAA network architecture includes users, the NAS (Network Access Server), and the AAA server.
• NAS is responsible for centralized collection and management of user access requests.
• Multiple domains are created on the NAS to manage users. Different domains can be associated with different AAA schemes. AAA schemes include authentication schemes, authorization schemes, and accounting schemes.
• When receiving a request from a user to access the network, the NAS will determine the domain the user is in based on the user name, and manage and control the user according to the AAA scheme corresponding to the domain.

Authentication

The authentication modes supported by AAA include: no authentication, local authentication, and remote authentication.

Authorization

• The authorization modes supported by AAA include: no authorization, local authorization, and remote authorization.
• Authorization information includes: user group, VLAN, ACL number, etc.

Accounting

• The accounting function is used to monitor the network behavior of authorized users and their usage of network resources.
• The accounting modes supported by AAA include: no accounting and remote accounting.

AAA Implementation Protocol - RADIUS

• AAA can be implemented with several protocols; the most commonly used is RADIUS.

Common Application Scenarios

Provide AAA for Internet users through RADIUS

Local authentication and authorization of administrative users

AAA configuration

1. Enter AAA view

[Huawei] aaa

Enter the AAA view from the system view; all AAA configuration below is done in this view.
2. Create an authentication scheme

[Huawei-aaa] authentication-scheme authentication-scheme-name

Create an authentication scheme and enter the corresponding authentication scheme view

[Huawei-aaa-authentication-scheme-name] authentication-mode { hwtacacs | local | radius }

Configure the authentication mode. local specifies the authentication mode as local authentication. By default, the authentication mode is local authentication.
3. Create domain and bind authentication scheme

[Huawei-aaa] domain domain-name

Create a domain and enter the corresponding domain view

[Huawei-aaa-domain-name] authentication-scheme authentication-scheme-name

Bind the authentication scheme in the corresponding domain view
4. Create a user

[Huawei-aaa] local-user user-name password cipher password

Create a local user and configure the password of the local user:
• If the user name contains a domain name separator such as @, the part before @ is regarded as the user name and the part after it is the domain name.
• If there is no @, the entire string is the user name and the user belongs to the default domain.
5. Configure the user access type

[Huawei-aaa] local-user user-name service-type { { terminal | telnet | ftp | ssh | snmp | http } | ppp | none }

Set the access type of the local user. By default, all access types are disabled for local users.
6. Configure user level

[Huawei-aaa] local-user user-name privilege level level

Specifies the privilege level for local users.
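The steps above describe how the NAS resolves a user's domain from the login name, looks up the authentication scheme bound to that domain, and (for local authentication) checks the local-user entry, its permitted service-type and its privilege level. The following Python model is an added example, not code from the original post or from Huawei; the domain name "default", scheme name "auth-local" and user "huawei" are constructed, and only the local authentication mode is modelled.

```python
# Added example: a small model of the NAS domain/scheme/local-user logic described above.
# Passwords are stored as salted PBKDF2 digests (an assumption; the device's own
# "password cipher" storage format is not modelled).
import hashlib
import hmac
import os

DEFAULT_DOMAIN = "default"   # constructed name for the default domain
SEPARATOR = "@"              # domain name separator in the login name

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LocalUser:
    """Equivalent of 'local-user <name> password cipher ...' plus service-type and level."""
    def __init__(self, name, password, service_types=(), level=0):
        self.name = name
        self.salt = os.urandom(16)
        self.digest = _hash_password(password, self.salt)
        self.service_types = set(service_types)   # empty: all access types disabled (default)
        self.level = level

    def check_password(self, password):
        return hmac.compare_digest(self.digest, _hash_password(password, self.salt))

class Nas:
    def __init__(self):
        self.schemes = {}   # authentication-scheme name -> authentication-mode
        self.domains = {}   # domain name -> bound authentication-scheme name
        self.users = {}     # local user database (global, as in the AAA view)

    def split_user(self, full_name):
        """Part before '@' is the user name, part after it the domain; no '@' -> default domain."""
        if SEPARATOR in full_name:
            user, domain = full_name.split(SEPARATOR, 1)
            return user, domain
        return full_name, DEFAULT_DOMAIN

    def authenticate(self, full_name, password, access_type):
        """Return (accepted, reason) for a login attempt of the given access type."""
        user, domain = self.split_user(full_name)
        mode = self.schemes.get(self.domains.get(domain))
        if mode is None:
            return (False, "domain has no authentication scheme")
        if mode != "local":
            return (False, f"mode {mode} not modelled here")
        entry = self.users.get(user)
        if entry is None or not entry.check_password(password):
            return (False, "invalid user name or password")   # same message for both cases
        if access_type not in entry.service_types:
            return (False, f"service-type {access_type} not permitted")
        return (True, f"privilege level {entry.level}")
```

Note that a user whose service-type was never set is rejected for every access type, matching the default stated in step 5.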

AAA configuration example

• Configure a user password and level on device R1 so that host A can remotely log in to the device through the configured user name and password.

[R1]aaa
[R1-aaa]local-user huawei password cipher huawei123
[R1-aaa]local-user huawei service-type telnet
[R1-aaa]local-user huawei privilege level 0
[R1-aaa]quit
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa

Configuration Verification

• In AAA, each domain is associated with its authentication, authorization and accounting schemes. The user created above has no @ in its name, so it belongs to the default administrative domain, which can be checked as follows.

[R1]display domain name default_admin
Domain-name: default_admin
Domain-state: Active
Authentication-scheme-name: default
Accounting-scheme-name: default
Authorization-scheme-name: -
Service-scheme-name: -
RADIUS-server-template: -
HWTACACS-server-template: -
User-group:

• After the user logs in normally and then goes offline, the user's offline record can be displayed.

[R1]display aaa offline-record all
-------------------------------------------------------------------
User name: huawei
Domain name: default_admin
User MAC: 00e0-fc12-3456
User access type: telnet
User IP address: 10.1.1.2
User ID: 1
User login time: 2019/12/28 17:59:10
User offline time: 2019/12/28 18:00:04
User offline reason: user request to offline
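Offline records like the one above are the audit trail AAA leaves for administrative logins. The following Python parser is an added example, not part of the original post: it reads the text of display aaa offline-record all into records, computes each session's duration, and lists sessions that did not end with a normal user-requested logout. The sample input is a copy of the record shown above.

```python
# Added example: parse 'display aaa offline-record all' output for offline auditing.
from datetime import datetime

# Sample input, copied from the record shown in the post.
SAMPLE_OUTPUT = """\
-------------------------------------------------------------------
User name: huawei
Domain name: default_admin
User MAC: 00e0-fc12-3456
User access type: telnet
User IP address: 10.1.1.2
User ID: 1
User login time: 2019/12/28 17:59:10
User offline time: 2019/12/28 18:00:04
User offline reason: user request to offline
"""
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"
NORMAL_REASON = "user request to offline"

def parse_offline_records(text):
    """Split on the dashed separator, then read 'Key: value' lines into one dict per record."""
    records = []
    for chunk in text.split("-" * 10):
        fields = {}
        for line in chunk.strip().splitlines():
            key, sep, value = line.partition(":")   # split at the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if "User name" in fields:
            records.append(fields)
    return records

def session_seconds(record):
    """Seconds between login and offline time of one record."""
    login = datetime.strptime(record["User login time"], TIME_FORMAT)
    offline = datetime.strptime(record["User offline time"], TIME_FORMAT)
    return int((offline - login).total_seconds())

def abnormal_logouts(records):
    """Records whose offline reason is anything other than a user-requested logout."""
    return [r for r in records if r.get("User offline reason") != NORMAL_REASON]
```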

Origin blog.csdn.net/weixin_61805348/article/details/128492948