H3C Campus Fixed-Port Switches CLI-Based Quick Start Configuration Guide-6W101
RBAC Quick Start Configuration Guide
Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Configuring RBAC for a local authentication user
Configuring RBAC temporary user role authorization
Configuring RBAC for a local authentication user
Introduction
The following information uses an example to describe the basic procedure for configuring RBAC for a local authentication user.
Network configuration
As shown in Figure 1, configure the switch to meet the following requirements:
· The switch performs local AAA authentication and authorization for the Telnet user.
· The user account for the Telnet user is user1@bbb, which is assigned user role role1 with the following permissions:
¡ Execute the read commands of any feature.
¡ Access VLANs 10 to 20. Access to any other VLANs is denied.
Restrictions and guidelines
An ISP domain cannot be directly deleted when it is the default ISP domain. To delete the domain, you must first change it to a non-default ISP domain by using the undo domain default enable command.
You can configure user role rules to permit or deny the access of a user role to specific commands. If two rules conflict, the rule with the higher ID takes effect. For example, a user role can execute command B but not command A if the user role contains the following rules, because rule 3 overrides rule 1 for command A:
· rule 1 permit command A
· rule 2 permit command B
· rule 3 deny command A
Telnet sends the username and password in cleartext. This example uses Telnet for simplicity; for production management access, use SSH (see the SSH Quick Start Configuration Guide in this series) and apply the same scheme authentication and user role settings to the SSH user.
Procedure
# Set the name of the switch to Switch.
<H3C> system-view
[H3C] sysname Switch
# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user). VLAN 2 must exist, as in the resulting configuration file; the second example in this guide shows how to create the VLAN and assign the user-facing port to it.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.50 255.255.255.0
[Switch-Vlan-interface2] quit
# Enable the Telnet server.
[Switch] telnet server enable
# Enable scheme authentication on the user lines for Telnet users.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable local authentication and authorization for ISP domain bbb.
[Switch] domain bbb
[Switch-isp-bbb] authentication login local
[Switch-isp-bbb] authorization login local
[Switch-isp-bbb] quit
# Create a user role named role1 and enter its view.
[Switch] role name role1
# Configure rule 1 to permit the user role to execute the read commands of all features.
[Switch-role-role1] rule 1 permit read feature
# Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view.
[Switch-role-role1] rule 2 permit command system-view ; vlan *
# Change the VLAN policy to permit the user role to configure only VLANs 10 to 20.
[Switch-role-role1] vlan policy deny
[Switch-role-role1-vlanpolicy] permit vlan 10 to 20
[Switch-role-role1-vlanpolicy] quit
[Switch-role-role1] quit
# Create a device management user named user1 and enter local user view.
[Switch] local-user user1 class manage
# Set a plaintext password of 123456TESTplat&! for the user. The device stores the password in hashed form, as the configuration file at the end of this example shows.
[Switch-luser-manage-user1] password simple 123456TESTplat&!
# Set the service type to Telnet.
[Switch-luser-manage-user1] service-type telnet
# Assign role1 to the user.
[Switch-luser-manage-user1] authorization-attribute user-role role1
# Remove the default user role (network-operator) from the user account. This operation ensures that the user has only the permissions of role1.
[Switch-luser-manage-user1] undo authorization-attribute user-role network-operator
[Switch-luser-manage-user1] quit
Verifying the configuration
# Verify that you can log in to the switch by entering username user1@bbb and the password on the Telnet client.
C:\Documents and Settings\user> telnet 192.168.1.50
login: user1@bbb
Password:
******************************************************************************
* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<Switch>
# Verify that you can log in as role1 and execute the corresponding commands:
· Verify that you can create VLANs 10 to 20. This example uses VLAN 10.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
· Verify that you cannot create any VLAN other than VLANs 10 to 20. This example uses VLAN 30.
[Switch] vlan 30
Permission denied.
· Verify that you can execute all read commands of any feature. This example uses the display clock command.
[Switch] display clock
09:31:56.258 UTC Sat 01/01/2017
[Switch] quit
· Verify that you cannot execute the write or execute commands of any feature.
<Switch> debugging role all
Permission denied.
<Switch> ping 192.168.1.58
Permission denied.
Configuration files
#
sysname Switch
#
telnet server enable
#
vlan 2
#
interface Vlan-interface2
ip address 192.168.1.50 255.255.255.0
#
line vty 0 63
authentication-mode scheme
#
domain bbb
authentication login local
authorization login local
#
role name role1
rule 1 permit read feature
rule 2 permit command system-view ; vlan *
vlan policy deny
permit vlan 10 to 20
#
local-user user1 class manage
password hash $h$6$3nDcf1enrif2H0W6$QUWsXcld9MjeCMWGlkU6qleuV3WqFFEE8i2TTSoFRL3ENZ2ExkhXZZrRmOl3pblfbje6fim7vV+u5FbCif+SjA==
service-type telnet
authorization-attribute user-role role1
undo authorization-attribute user-role network-operator
#
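A configuration listing like the one above is what you review when you check that a device's local accounts carry only the roles they should. The following script is an added example, not H3C code: it parses a saved configuration in this format and reports, for each local-user of class manage, the roles the account effectively holds and three things a reviewer looks for. The sample configuration is constructed (user1 from this example plus a second account, opsuser, that was never cleaned up; its hash value is a dummy), and the script assumes, as this guide describes, that each account was created by a network-admin and therefore received the default network-operator role unless the undo line is present.

```python
"""Audit the local device-management accounts in a Comware configuration.

Added example, not H3C code.  It parses the text of a saved configuration
in the format of the "Configuration files" listing above and reports, for
each local-user of class manage, the roles the account effectively holds
and three things a reviewer looks for:
  * the default network-operator role was never removed (assumes the
    account was created by a network-admin, so the default role was added,
    as this guide describes);
  * service-type telnet, which sends the password in cleartext;
  * a "password simple" line, i.e. a configuration file or template that
    still carries the secret in plaintext (the device itself rewrites it
    as a hash on entry, as the listing above shows).
The sample configuration is constructed: user1 from this guide plus a
second account, opsuser, that was never cleaned up; its hash is a dummy.
"""
import re

SAMPLE_CONFIG = """\
#
sysname Switch
#
local-user user1 class manage
 password hash $h$6$constructedSalt$notARealHashValue==
 service-type telnet
 authorization-attribute user-role role1
 undo authorization-attribute user-role network-operator
#
local-user opsuser class manage
 password simple 123456TESTplat&!
 service-type ssh
 authorization-attribute user-role network-admin
#
"""


def parse_manage_users(config_text):
    """Map each manage-class local user to the attributes found in its block."""
    users = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":              # '#' ends a configuration section
            current = None
            continue
        m = re.match(r"local-user (\S+) class manage$", line)
        if m:
            current = users.setdefault(m.group(1), {
                "roles": set(), "undo_roles": set(), "services": set(), "password": None})
            continue
        if current is None:
            continue
        if line.startswith("undo authorization-attribute user-role "):
            current["undo_roles"].add(line.split()[-1])
        elif line.startswith("authorization-attribute user-role "):
            current["roles"].add(line.split()[-1])
        elif line.startswith("service-type "):
            current["services"].update(line.split()[1:])
        elif line.startswith("password "):
            current["password"] = line.split()[1]     # "hash" or "simple"
    return users


def audit(config_text):
    """Return {user: {"effective_roles": set, "issues": [str, ...]}}."""
    findings = {}
    for name, u in parse_manage_users(config_text).items():
        effective = set(u["roles"])
        issues = []
        if "network-operator" not in u["undo_roles"]:
            effective.add("network-operator")   # default role still attached
            issues.append("default role network-operator not removed")
        if "telnet" in u["services"]:
            issues.append("telnet enabled (credentials sent in cleartext)")
        if u["password"] == "simple":
            issues.append("password kept in plaintext in the file")
        findings[name] = {"effective_roles": effective, "issues": issues}
    return findings


if __name__ == "__main__":
    for user, result in audit(SAMPLE_CONFIG).items():
        print(user, sorted(result["effective_roles"]), result["issues"])
```

Run it against the output of display current-configuration saved to a file. user1 is reported with role1 only and a Telnet finding; opsuser is reported with network-admin plus the still-attached network-operator role and a plaintext password finding.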
Related documentation
· RBAC configuration in the fundamentals configuration guide for the device.
· RBAC commands in the fundamentals command reference for the device.
Configuring RBAC temporary user role authorization
Introduction
The following information uses an example to describe the basic procedure for configuring RBAC temporary user role authorization.
Network configuration
As shown in Figure 2, configure the switch to meet the following requirements:
· The switch performs local AAA authentication and authorization for the Telnet user.
· The user account for the Telnet user is user1@bbb, which is assigned user role role1 with the following permissions:
¡ Execute all Layer 3 feature commands in predefined feature group L3.
¡ Execute all display commands.
¡ Execute all super commands.
¡ Access all interfaces, VLANs, and VPN instances.
· The user role of the Telnet user can be temporarily changed to role2 or network-operator on the current login. User role role2 has the following permissions:
¡ Execute all Layer 2 feature commands in predefined feature group L2.
¡ Access all interfaces, VLANs, and VPN instances.
Restrictions and guidelines
An ISP domain cannot be directly deleted when it is the default ISP domain. To delete the domain, you must first change it to a non-default ISP domain by using the undo domain default enable command.
You can configure user role rules to permit or deny the access of a user role to specific commands. If two rules conflict, the rule with the higher ID takes effect. For example, a user role can execute command B but not command A if the user role contains the following rules, because rule 3 overrides rule 1 for command A:
· rule 1 permit command A
· rule 2 permit command B
· rule 3 deny command A
Temporary user role authorization is effective only on the current login. It does not change the user role settings in the user account you logged in with. The next time you log in with that account, the original user role settings take effect.
With local authentication, the super password is configured per target user role, not per user. Any user whose role permits the super command and who knows the password for a role can obtain that role, so protect these passwords as you would an administrator password.
Procedure
# Set the name of the switch to Switch.
<H3C> system-view
[H3C] sysname Switch
# Create VLAN 2 and assign GigabitEthernet 1/0/10 (the port connected to the Telnet user) to VLAN 2.
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface GigabitEthernet1/0/10
[Switch-GigabitEthernet1/0/10] port access vlan 2
[Switch-GigabitEthernet1/0/10] quit
# Create VLAN-interface 2 and assign an IP address to the interface.
[Switch] interface Vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.50 24
[Switch-Vlan-interface2] quit
# Enable the Telnet server.
[Switch] telnet server enable
# Set the login authentication mode to scheme on user lines VTY 0 through VTY 63 for Telnet users.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable local authentication and authorization for ISP domain bbb.
[Switch] domain bbb
[Switch-isp-bbb] authentication login local
[Switch-isp-bbb] authorization login local
[Switch-isp-bbb] quit
# Create a user role named role1 and enter its view.
[Switch] role name role1
# Configure rule 1 to permit the user role to execute all Layer 3 feature commands in predefined feature group L3.
[Switch-role-role1] rule 1 permit execute read write feature-group L3
# Configure rule 2 to permit the user role to execute all display commands.
[Switch-role-role1] rule 2 permit command display *
# Configure rule 3 to permit the user role to execute all super commands.
[Switch-role-role1] rule 3 permit command super *
[Switch-role-role1] quit
# Create a user role named role2 and enter its view.
[Switch] role name role2
# Configure rule 1 to permit the user role to execute all Layer 2 feature commands in predefined feature group L2.
[Switch-role-role2] rule 1 permit execute read write feature-group L2
[Switch-role-role2] quit
# Create a device management user named telnetuser and enter local user view.
[Switch] local-user telnetuser class manage
# Set a plaintext password of aabbcc for the user.
[Switch-luser-manage-telnetuser] password simple aabbcc
# Set the service type to Telnet.
[Switch-luser-manage-telnetuser] service-type telnet
# Assign role1 to the user.
[Switch-luser-manage-telnetuser] authorization-attribute user-role role1
# Remove the default user role (network-operator) from the user. This operation ensures that the user has only the permissions of role1.
[Switch-luser-manage-telnetuser] undo authorization-attribute user-role network-operator
[Switch-luser-manage-telnetuser] quit
# Set the authentication mode for temporary user role authorization to local. (Local authentication is the default.)
[Switch] super authentication-mode local
# Set the local authentication password to 123456TESTplat&! for user role role2.
[Switch] super password role role2 simple 123456TESTplat&!
# Set the local authentication password to 987654TESTplat&! for user role network-operator.
[Switch] super password role network-operator simple 987654TESTplat&!
Verifying the configuration
1. Verify that you can execute the display role command to view user role information and execute the display role feature-group command to view feature group information.
# Display information about user role role1.
<Switch> display role name role1
Role: role1
Description:
VLAN policy: permit (default)
Interface policy: permit (default)
VPN instance policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit RWX feature-group L3
2 permit command display *
3 permit command super *
R:Read W:Write X:Execute
# Display information about user role role2.
<Switch> display role name role2
Role: role2
Description:
VLAN policy: permit (default)
Interface policy: permit (default)
VPN instance policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit RWX feature-group L2
R:Read W:Write X:Execute
# Display information about user role network-operator.
<Switch> display role name network-operator
Role: network-operator
Description: Predefined network operator role has access to all read commands
on the device
VLAN policy: permit (default)
Interface policy: permit (default)
VPN instance policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
sys-1 permit command display *
sys-2 permit command xml
sys-3 permit command system-view ; probe ; display *
sys-4 deny command display history-command all
sys-5 deny command display exception *
sys-6 deny command display cpu-usage configuration *
sys-7 deny command display kernel exception *
sys-8 deny command display kernel deadloop *
sys-9 deny command display kernel starvation *
sys-10 deny command display kernel reboot *
sys-13 permit command system-view ; local-user *
sys-16 permit R-- web-menu -
sys-17 permit RW- web-menu m_device/m_maintenance/m_changepassword
sys-18 permit R-- xml-element -
sys-19 deny command display security-logfile summary
sys-20 deny command display security-logfile buffer
sys-21 deny command system-view ; info-center security-logfile directory *
sys-22 deny command security-logfile save
sys-23 deny command system-view ; local-user-import *
sys-24 deny command system-view ; local-user-export *
sys-25 permit R-- oid 1
R:Read W:Write X:Execute
# Display the feature information of feature groups L2 and L3. (Details not shown.)
2. Verify that you can log in to the switch.
# Verify that you can Telnet to the switch, and enter username telnetuser@bbb and password to log in to the switch.
C:\Documents and Settings\user> telnet 192.168.1.50
login: telnetuser@bbb
Password:
******************************************************************************
* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<Switch>
3. Verify that you have access to the following commands before temporary user role authorization:
# Verify that you can execute all Layer 3 feature commands in predefined feature group L3. This example creates VPN instance vpn1.
<Switch> system-view
[Switch] ip vpn-instance vpn1
# Verify that you can execute all display commands. This example uses the display clock command.
<Switch> display clock
13:53:24.357 test Sat 01/01/2018
Time Zone : test add 05:00:00
Summer Time : PDT 06:00:00 08/01 06:00:00 09/01 01:00:00
4. Verify temporary user role authorization:
# Verify that you can execute all super commands in user view. This example uses the super command to obtain user role role2.
<Switch> super role2
Password:
User privilege role is role2, and only those commands that authorized to the role can be used.
<Switch>
# Verify that you can execute all Layer 2 feature commands in predefined feature group L2. This example creates VLAN 10.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] quit
# Verify that you cannot execute commands not in predefined feature group L2 with user role role2. This example uses the super command to obtain user role network-operator.
<Switch> super network-operator
Permission denied.
# Verify that you cannot execute the display commands with user role role2. This example uses the display clock command.
<Switch> display clock
Permission denied.
# Verify that you can execute all super commands after you log in to the switch again. This example uses the super command to obtain the user role network-operator.
C:\Documents and Settings\user> telnet 192.168.1.50
login: telnetuser@bbb
Password:
******************************************************************************
* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<Switch>
<Switch> super network-operator
Password:
User privilege role is network-operator, and only those commands that authorized to the role can be used.
<Switch>
The output shows that the configuration has taken effect.
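The two verification sections above, and the rule-conflict guideline that precedes each example, all follow one evaluation model: collect every rule that matches the command, let the highest-numbered match decide, then apply the VLAN policy. The following script is an added example, not H3C code, that models this and reproduces the outcomes shown for role1 of the first example (read commands plus VLANs 10 to 20), role2 of the second example (feature group L2 only), and the permit A / permit B / deny A case from the guidelines. Everything the real device takes from its command tree is supplied by the caller here: whether a command is read, write or execute, which feature it belongs to, and which VLAN it targets. The feature names, and the small set standing in for predefined feature group L2, are assumptions; the real contents of a group come from display role feature-group.

```python
"""Model of how a Comware user role authorizes a command.

Added example, not H3C code.  Rule matching is simplified: each
';'-separated segment of a command rule is matched with shell-style
wildcards against the view-entry commands and the final command.  Command
classification (read/write/execute, feature, VLAN touched) is supplied by
the caller; on the device it comes from the command tree.  ASSUMED_L2 is a
stand-in for predefined feature group L2, not its real contents.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rid: int                               # on conflict, the higher ID wins
    permit: bool
    command: Optional[str] = None          # command rule, e.g. "system-view ; vlan *"
    ops: frozenset = frozenset()           # feature rule: subset of {"read","write","execute"}
    features: Optional[frozenset] = None   # feature rule: None means every feature


@dataclass(frozen=True)
class Command:
    view_path: tuple             # view-entry commands typed before it, e.g. ("system-view",)
    text: str                    # the command line itself, e.g. "vlan 30"
    op: str                      # "read", "write" or "execute"
    feature: str                 # feature the command belongs to (assumed names)
    vlan: Optional[int] = None   # VLAN the command operates on, if any


@dataclass
class Role:
    rules: list
    vlan_policy_deny: bool = False             # "vlan policy deny" configured?
    permitted_vlans: frozenset = frozenset()   # VLANs listed by "permit vlan ..."

    @staticmethod
    def matches(rule, cmd):
        if rule.command is not None:
            # Each segment must match the corresponding view-entry command,
            # the last segment the command itself; '*' is a wildcard.
            segs = [s.strip() for s in rule.command.split(";")]
            actual = list(cmd.view_path) + [cmd.text]
            return len(segs) == len(actual) and all(
                fnmatchcase(a, p) for p, a in zip(segs, actual))
        return cmd.op in rule.ops and (
            rule.features is None or cmd.feature in rule.features)

    def authorize(self, cmd):
        """Return "permit" or "deny" for a command typed from the given view."""
        hits = [r for r in self.rules if self.matches(r, cmd)]
        if not hits or not max(hits, key=lambda r: r.rid).permit:
            return "deny"   # no matching rule, or the highest-ID match denies
        if (cmd.vlan is not None and self.vlan_policy_deny
                and cmd.vlan not in self.permitted_vlans):
            return "deny"   # command rule passed, but the VLAN policy blocks this VLAN
        return "permit"


ASSUMED_L2 = frozenset({"vlan", "mac", "stp", "lacp"})   # stand-in for group L2
SV = ("system-view",)


def role1_results():
    """role1 of the first example: rule 1 permit read feature; rule 2 permit
    command system-view ; vlan *; vlan policy deny with permit vlan 10 to 20."""
    role1 = Role(rules=[Rule(1, True, ops=frozenset({"read"})),
                        Rule(2, True, command="system-view ; vlan *")],
                 vlan_policy_deny=True, permitted_vlans=frozenset(range(10, 21)))
    checks = {
        "vlan 10": Command(SV, "vlan 10", "write", "vlan", vlan=10),
        "vlan 30": Command(SV, "vlan 30", "write", "vlan", vlan=30),
        "display clock": Command(SV, "display clock", "read", "device"),
        "debugging role all": Command((), "debugging role all", "execute", "rbac"),
        "ping 192.168.1.58": Command((), "ping 192.168.1.58", "execute", "ping"),
    }
    return {name: role1.authorize(c) for name, c in checks.items()}


def role2_results():
    """role2 of the second example: rule 1 permit execute read write feature-group L2."""
    role2 = Role(rules=[Rule(1, True, ops=frozenset({"read", "write", "execute"}),
                             features=ASSUMED_L2)])
    checks = {
        "vlan 10": Command(SV, "vlan 10", "write", "vlan", vlan=10),
        "display clock": Command((), "display clock", "read", "device"),
        "super network-operator": Command((), "super network-operator", "execute", "rbac"),
    }
    return {name: role2.authorize(c) for name, c in checks.items()}


def conflict_results():
    """The guideline case: rule 1 permit A, rule 2 permit B, rule 3 deny A."""
    role = Role(rules=[Rule(1, True, command="A"), Rule(2, True, command="B"),
                       Rule(3, False, command="A")])
    return {n: role.authorize(Command((), n, "execute", "demo")) for n in ("A", "B")}


if __name__ == "__main__":
    for fn in (role1_results, role2_results, conflict_results):
        print(fn.__name__, fn())
```

The model makes the two-stage check visible: vlan 30 under role1 matches a permit rule and is still denied, because the VLAN policy is applied after the command rules, and display clock under role2 is denied not by any deny rule but because no rule matches it at all.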
Configuration files
#
sysname Switch
#
telnet server enable
#
vlan 2
#
interface Vlan-interface2
ip address 192.168.1.50 255.255.255.0
#
interface GigabitEthernet1/0/10
port access vlan 2
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
super password role role2 hash $h$6$D0kjHFktkktzgR5g$e673xFnIcKytCj6EDAw+pvwgh3/ung3WNWHnrUTnXT862B+s7PaLfKTdil8ef71RBOvuJvPAZHjiLjrMPyWHQw==
super password role network-operator hash $h$6$3s5KMmscn9hJ6gPx$IcxbNjUc8u4yxwRm87b/Jki8BoPAxw/s5bEcPQjQj/cbbXwTVcnQGL91WOd7ssO2rX/wKzfyzAO5VhBTn9Q4zQ==
#
domain bbb
authentication login local
authorization login local
#
role name role1
rule 1 permit read write execute feature-group L3
rule 2 permit command display *
rule 3 permit command super *
#
role name role2
rule 1 permit read write execute feature-group L2
#
local-user telnetuser class manage
password hash $h$6$kZw1rKFsAY4lhgUz$+teVLy8gmKN4Mr00VWgXQTB8ai94gKHlrys5OkytGf4kT+nz5X1ZGASjc282CYAR6A1upH2jbmRoTcfDzZ9Gmw==
service-type telnet
authorization-attribute user-role role1
undo authorization-attribute user-role network-operator
#
Related documentation
· RBAC configuration in the fundamentals configuration guide for the device.
· RBAC commands in the fundamentals command reference for the device.