H3C Campus Fixed-Port Switches CLI-Based Quick Start Configuration Guide-6W101


RBAC Quick Start Configuration Guide


Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Configuring RBAC for a local authentication user

Introduction

The following information uses an example to describe the basic procedure for configuring RBAC for a local authentication user.

Network configuration

As shown in Figure 1, configure the switch to meet the following requirements:

·     The switch performs local AAA authentication and authorization for the Telnet user.

·     The user account for the Telnet user is user1@bbb, which is assigned user role role1 with the following permissions:

¡     Execute the read commands of any feature.

¡     Access VLANs 10 to 20. Access to any other VLANs is denied.

Figure 1 Network diagram

 

Restrictions and guidelines

An ISP domain cannot be directly deleted when it is the default ISP domain. To delete the domain, you must first change it to a non-default ISP domain by using the undo domain default enable command.

You can configure user role rules to permit or deny the access of a user role to specific commands. If two rules conflict, the rule with the higher ID takes effect. For example, a user role can execute command B but not command A if the user role contains rules configured by using the following commands:

·     rule 1 permit command A

·     rule 2 permit command B

·     rule 3 deny command A
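To make the "higher rule ID wins" behaviour above and the VLAN policy used later in the procedure (vlan policy deny plus permit vlan 10 to 20) concrete, here is a small Python model of that evaluation logic. It is an added illustration written for this guide, not H3C code; the token-wise command matching and the read/write/execute tagging of commands are my assumptions.

```python
"""Model of H3C RBAC rule evaluation (added illustration, not H3C code).

Assumptions (mine, not from the guide): a command is matched against a rule's
pattern token by token, '*' matches the rest of the command, and ' ; ' separates
the view-entering commands from the final command, as in 'system-view ; vlan *'.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    rule_id: int
    permit: bool
    pattern: Optional[str] = None                    # command rule, e.g. "display *"
    feature_ops: set[str] = field(default_factory=set)  # e.g. {"read"} for "read feature"


@dataclass
class Role:
    name: str
    rules: list[Rule] = field(default_factory=list)
    vlan_policy_deny: bool = False                   # "vlan policy deny" configured?
    permitted_vlans: set[int] = field(default_factory=set)  # "permit vlan 10 to 20"


def _pattern_matches(pattern: str, command: str) -> bool:
    """Token-wise match; a '*' in the pattern matches everything that follows."""
    p_tokens, c_tokens = pattern.split(), command.split()
    for i, tok in enumerate(p_tokens):
        if tok == "*":
            return True
        if i >= len(c_tokens) or tok != c_tokens[i]:
            return False
    return len(p_tokens) == len(c_tokens)


def command_allowed(role: Role, command: str, op: str = "execute") -> bool:
    """Guide rule: when rules conflict, the rule with the higher ID takes effect.
    'op' is the access type the command needs (read/write/execute) for feature
    rules; command rules match the command text itself. No match means denied."""
    decision = False
    for rule in sorted(role.rules, key=lambda r: r.rule_id):  # later rule overrides
        if rule.pattern is not None and _pattern_matches(rule.pattern, command):
            decision = rule.permit
        elif rule.pattern is None and op in rule.feature_ops:
            decision = rule.permit
    return decision


def vlan_allowed(role: Role, vlan_id: int) -> bool:
    """Default VLAN policy is permit; 'vlan policy deny' passes only listed VLANs."""
    return (not role.vlan_policy_deny) or vlan_id in role.permitted_vlans


def can_enter_vlan_view(role: Role, vlan_id: int) -> bool:
    """Mirrors the verification: 'vlan 30' is denied by the VLAN policy even
    though rule 2 permits the 'system-view ; vlan *' command itself."""
    return command_allowed(role, f"system-view ; vlan {vlan_id}", op="write") \
        and vlan_allowed(role, vlan_id)


# Constructed samples: the conflict example above, and role1 from the procedure.
sample = Role("demo", [Rule(1, True, "A"), Rule(2, True, "B"), Rule(3, False, "A")])
role1 = Role("role1",
             [Rule(1, True, feature_ops={"read"}), Rule(2, True, "system-view ; vlan *")],
             vlan_policy_deny=True, permitted_vlans=set(range(10, 21)))
```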

Procedure

# Set the name of the switch to Switch.

<H3C> system-view

[H3C] sysname Switch

# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.50 255.255.255.0

[Switch-Vlan-interface2] quit

# Enable the Telnet server.

[Switch] telnet server enable

# Enable scheme authentication on the user lines for Telnet users.

[Switch] line vty 0 63

[Switch-line-vty0-63] authentication-mode scheme

[Switch-line-vty0-63] quit

# Enable local authentication and authorization for ISP domain bbb.

[Switch] domain bbb

[Switch-isp-bbb] authentication login local

[Switch-isp-bbb] authorization login local

[Switch-isp-bbb] quit

# Create a user role named role1 and enter its view.

[Switch] role name role1

# Configure rule 1 to permit the user role to execute the read commands of all features.

[Switch-role-role1] rule 1 permit read feature

# Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view.

[Switch-role-role1] rule 2 permit command system-view ; vlan *

# Change the VLAN policy to permit the user role to configure only VLANs 10 to 20.

[Switch-role-role1] vlan policy deny

[Switch-role-role1-vlanpolicy] permit vlan 10 to 20

[Switch-role-role1-vlanpolicy] quit

[Switch-role-role1] quit

# Create a device management user named user1 and enter local user view.

[Switch] local-user user1 class manage

# Set a plaintext password of 123456TESTplat&! for the user.

[Switch-luser-manage-user1] password simple 123456TESTplat&!

# Set the service type to Telnet.

[Switch-luser-manage-user1] service-type telnet

# Assign role1 to the user.

[Switch-luser-manage-user1] authorization-attribute user-role role1

# Remove the default user role (network-operator) from the user account. This operation ensures that the user has only the permissions of role1.

[Switch-luser-manage-user1] undo authorization-attribute user-role network-operator

[Switch-luser-manage-user1] quit

Verifying the configuration

# Verify that you can successfully log in to the switch by entering the username user1@bbb and the password on the Telnet client.

C:\Documents and Settings\user> telnet 192.168.1.50

login: user1@bbb

Password:

******************************************************************************

* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

<Switch>

# Verify that you can log in as role1 and execute the corresponding commands:

·     Verify that you can create VLANs 10 to 20. This example uses VLAN 10.

<Switch> system-view

[Switch] vlan 10

[Switch-vlan10] quit

·     Verify that you cannot create any VLAN other than VLANs 10 to 20. This example uses VLAN 30.

[Switch] vlan 30

Permission denied.

·     Verify that you can execute all read commands of any feature. This example uses the display clock command.

[Switch] display clock

09:31:56.258 UTC Sat 01/01/2017

[Switch] quit

·     Verify that you cannot execute the write or execute commands of any feature.

<Switch> debugging role all

Permission denied.

<Switch> ping 192.168.1.58

Permission denied.

Configuration files

#

 sysname Switch

#

 telnet server enable

#

vlan 2

#

interface Vlan-interface2

 ip address 192.168.1.50 255.255.255.0

#

line vty 0 63

 authentication-mode scheme

#

domain bbb

 authentication login local

 authorization login local

#

role name role1

 rule 1 permit read feature

 rule 2 permit command system-view ; vlan *

 vlan policy deny

 permit vlan 10 to 20

#

local-user user1 class manage

 password hash $h$6$3nDcf1enrif2H0W6$QUWsXcld9MjeCMWGlkU6qleuV3WqFFEE8i2TTSoFRL3

ENZ2ExkhXZZrRmOl3pblfbje6fim7vV+u5FbCif+SjA==

 service-type telnet

 authorization-attribute user-role role1

 undo authorization-attribute user-role network-operator

#

Related documentation

·     RBAC configuration in the fundamentals configuration guide for the device.

·     RBAC commands in the fundamentals command reference for the device.

 


Configuring RBAC temporary user role authorization

Introduction

The following information uses an example to describe the basic procedure for configuring RBAC temporary user role authorization.

Network configuration

As shown in Figure 2, configure the switch to meet the following requirements:

·     The switch performs local AAA authentication and authorization for the Telnet user.

·     The user account for the Telnet user is user1@bbb, which is assigned user role role1 with the following permissions:

¡     Execute all Layer 3 feature commands in predefined feature group L3.

¡     Execute all display commands.

¡     Execute all super commands.

¡     Access all interfaces, VLANs, and VPN instances.

·     The user role of the Telnet user can be temporarily changed to role2 or network-operator on the current login. User role role2 has the following permissions:

¡     Execute all Layer 2 feature commands in predefined feature group L2.

¡     Access all interfaces, VLANs, and VPN instances.

Figure 2 Network diagram

 

Restrictions and guidelines

An ISP domain cannot be directly deleted when it is the default ISP domain. To delete the domain, you must first change the domain to a non-default ISP domain by using the undo domain default enable command.

You can configure user role rules to permit or deny the access of a user role to specific commands. If two rules conflict, the rule with the higher ID takes effect. For example, a user role can execute command B but not command A if the user role contains rules configured by using the following commands:

·     rule 1 permit command A

·     rule 2 permit command B

·     rule 3 deny command A

Temporary user role authorization is effective only on the current login. This feature does not change the user role settings in the user account that you logged in with. The next time you log in with that user account, the original user role settings take effect.

Procedure

# Set the name of the switch to Switch.

<H3C> system-view

[H3C] sysname Switch

# Create VLAN 2 and assign GigabitEthernet 1/0/10 (the port connected to the Telnet user) to VLAN 2.

[Switch] vlan 2

[Switch-vlan2] quit

[Switch] interface GigabitEthernet1/0/10

[Switch-GigabitEthernet1/0/10] port access vlan 2

[Switch-GigabitEthernet1/0/10] quit

# Create VLAN-interface 2 and assign an IP address to the interface.

[Switch] interface Vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.50 24

# Enable the Telnet server.

[Switch] telnet server enable

# Set the login authentication mode to scheme on user lines VTY 0 through VTY 63 for Telnet users.

[Switch] line vty 0 63

[Switch-line-vty0-63] authentication-mode scheme

[Switch-line-vty0-63] quit

# Enable local authentication and authorization for ISP domain bbb.

[Switch] domain bbb

[Switch-isp-bbb] authentication login local

[Switch-isp-bbb] authorization login local

[Switch-isp-bbb] quit

# Create a user role named role1 and enter its view.

[Switch] role name role1

# Configure rule 1 to permit the user role to execute all Layer 3 feature commands in predefined feature group L3.

[Switch-role-role1] rule 1 permit execute read write feature-group L3

# Configure rule 2 to permit the user role to execute all display commands.

[Switch-role-role1] rule 2 permit command display *

# Configure rule 3 to permit the user role to execute all super commands.

[Switch-role-role1] rule 3 permit command super *

[Switch-role-role1] quit

# Create a user role named role2 and enter its view.

[Switch] role name role2

# Configure rule 1 to permit the user role to execute all Layer 2 feature commands in predefined feature group L2.

[Switch-role-role2] rule 1 permit execute read write feature-group L2

[Switch-role-role2] quit

# Create a device management user named telnetuser and enter local user view.

[Switch] local-user telnetuser class manage

# Set a plaintext password of aabbcc for the user.

[Switch-luser-manage-telnetuser] password simple aabbcc

# Set the service type to Telnet.

[Switch-luser-manage-telnetuser] service-type telnet

# Assign role1 to the user.

[Switch-luser-manage-telnetuser] authorization-attribute user-role role1

# Remove the default user role (network-operator) from the user. This operation ensures that the user has only the permissions of role1.

[Switch-luser-manage-telnetuser] undo authorization-attribute user-role network-operator

[Switch-luser-manage-telnetuser] quit

# Enable local authentication for temporary user role authorization. (The default authentication mode is local authentication.)

[Switch] super authentication-mode local

# Set the local authentication password to 123456TESTplat&! for user role role2.

[Switch] super password role role2 simple 123456TESTplat&!

# Set the local authentication password to 987654TESTplat&! for user role network-operator.

[Switch] super password role network-operator simple 987654TESTplat&!

Verifying the configuration

1.     Verify that you can execute the display role command to view user role information and execute the display role feature-group command to view feature group information.

# Display information about user role role1.

<Switch> display role name role1

Role: role1

  Description:

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  1       permit RWX   feature-group L3

  2       permit       command       display *

  3       permit       command       super *

  R:Read W:Write X:Execute

# Display information about user role role2.

<Switch> display role name role2

Role: role2

  Description:

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  1       permit RWX   feature-group L2

  R:Read W:Write X:Execute

# Display information about user role network-operator.

<Switch> display role name network-operator

Role: network-operator

  Description: Predefined network operator role has access to all read commands

on the device

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  sys-1   permit       command       display *

  sys-2   permit       command       xml

  sys-3   permit       command       system-view ; probe ; display *

  sys-4   deny         command       display history-command all

  sys-5   deny         command       display exception *

  sys-6   deny         command       display cpu-usage configuration

                                     *

  sys-7   deny         command       display kernel exception *

  sys-8   deny         command       display kernel deadloop *

  sys-9   deny         command       display kernel starvation *

  sys-10  deny         command       display kernel reboot *

  sys-13  permit       command       system-view ; local-user *

  sys-16  permit R--   web-menu      -

  sys-17  permit RW-   web-menu      m_device/m_maintenance/m_changep

                                     assword

  sys-18  permit R--   xml-element   -

  sys-19  deny         command       display security-logfile summary

  sys-20  deny         command       display security-logfile buffer

  sys-21  deny         command       system-view ; info-center securi

                                     ty-logfile directory *

  sys-22  deny         command       security-logfile save

  sys-23  deny         command       system-view ; local-user-import

                                     *

  sys-24  deny         command       system-view ; local-user-export

                                     *

  sys-25  permit R--   oid           1

  R:Read W:Write X:Execute

# Display the feature information of feature groups L2 and L3. (Details not shown.)

2.     Verify that you can log in to the switch.

# Verify that you can Telnet to the switch and log in by entering the username telnetuser@bbb and the password.

C:\Documents and Settings\user> telnet 192.168.1.50

login: telnetuser@bbb

Password:

******************************************************************************

* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

<Switch>

3.     Verify that you have access to the following commands before temporary user role authorization:

# Verify that you can execute all Layer 3 feature commands in predefined feature group L3. This example creates VPN instance vpn1.

<Switch> system-view

[Switch] ip vpn-instance vpn1

# Verify that you can execute all display commands. This example uses the display clock command.

<Switch> display clock

13:53:24.357 test Sat 01/01/2018

Time Zone : test add 05:00:00

Summer Time : PDT 06:00:00 08/01 06:00:00 09/01 01:00:00

4.     Verify temporary user role authorization:

# Verify that you can execute all super commands in user view. This example uses the super command to obtain user role role2.

<Switch> super role2

Password:

User privilege role is role2, and only those commands that authorized to the role can be used.

<Switch>

# Verify that you can execute all Layer 2 feature commands in predefined feature group L2. This example creates VLAN 10.

<Switch> system-view

[Switch] vlan 10

[Switch-vlan10] quit

[Switch] quit

# Verify that you cannot execute commands not in predefined feature group L2 with user role role2. This example uses the super command to obtain user role network-operator.

<Switch> super network-operator

Permission denied.

# Verify that you cannot execute the display commands with user role role2. This example uses the display clock command.

<Switch> display clock

Permission denied.

# Verify that you can execute all super commands after you log in to the switch again. This example uses the super command to obtain the user role network-operator.

C:\Documents and Settings\user> telnet 192.168.1.50

login: telnetuser@bbb

Password:

******************************************************************************

* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

<Switch>

<Switch> super network-operator

Password:

User privilege role is network-operator, and only those commands that authorized

 to the role can be used.

<Switch>

The output shows that the configuration has taken effect.

Configuration files

#

 sysname Switch

#

 telnet server enable

#

vlan 2

#

interface Vlan-interface2

 ip address 192.168.1.50 255.255.255.0

#

interface GigabitEthernet1/0/10

 port access vlan 2

#

line vty 0 63

 authentication-mode scheme

 user-role network-operator

#

 super password role role2 hash $h$6$D0kjHFktkktzgR5g$e673xFnIcKytCj6EDAw+pvwgh3

/ung3WNWHnrUTnXT862B+s7PaLfKTdil8ef71RBOvuJvPAZHjiLjrMPyWHQw==

 super password role network-operator hash $h$6$3s5KMmscn9hJ6gPx$IcxbNjUc8u4yxwR

m87b/Jki8BoPAxw/s5bEcPQjQj/cbbXwTVcnQGL91WOd7ssO2rX/wKzfyzAO5VhBTn9Q4zQ==

#

domain bbb

 authentication login local

 authorization login local

#

role name role1

 rule 1 permit read write execute feature-group L3

 rule 2 permit command display *

 rule 3 permit command super *

#

role name role2

 rule 1 permit read write execute feature-group L2

#

local-user telnetuser class manage

 password hash $h$6$kZw1rKFsAY4lhgUz$+teVLy8gmKN4Mr00VWgXQTB8ai94gKHlrys5OkytGf4

kT+nz5X1ZGASjc282CYAR6A1upH2jbmRoTcfDzZ9Gmw==

 service-type telnet

 authorization-attribute user-role role1

#

Related documentation

·     RBAC configuration in the fundamentals configuration guide for the device.

·     RBAC commands in the fundamentals command reference for the device.

 
