H3C SR6600&SR6600-X Routers Configuration Examples-6W100

10-H3C SR6600&SR6600-X Routers RBAC Configuration Examples

H3C SR6600&SR6600-X Routers

RBAC Configuration Examples

SR6600 Router Series

SR6600-X Router Series

Copyright © 2017 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.

Contents

Introduction

Prerequisites

Example: Configuring a Telnet user to have access to read and write commands of specific features

Network requirements

Requirements analysis

Software version used

Configuration restrictions and guidelines

Configuration procedures

Verifying the configuration

Configuration files

Example: Configuring temporary user role authorization

Network requirements

Requirements analysis

Software version used

Configuration restrictions and guidelines

Configuration procedures

Verifying the configuration

Configuration files

Related documentation

Introduction

This document provides role-based access control (RBAC) examples to control access permissions of login users.

Prerequisites

This document is not restricted to specific software or hardware versions.

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of RBAC.

Example: Configuring a Telnet user to have access to read and write commands of specific features

Network requirements

As shown in Figure 1, configure the router to meet the following requirements:

·     The Telnet user is authenticated on the router in ISP domain bbb.

·     The Telnet user is allowed to execute the read and write commands of the ospf and filesystem features after the user passes authentication.

Add a user account named telnetuser on the router for the Telnet user, and set the user password to aabbcc.

Figure 1 Network diagram

Requirements analysis

To meet the network requirements, you must perform the following tasks:

·     Create a user role and configure rules for it. This allows the user role to have access permission to the required commands.

·     Assign the user role to the Telnet user, so the Telnet user can obtain the required access permissions.

·     Remove the default user role from the Telnet user, so the user can only have the access permissions of the configured user role.

Software version used

This configuration example was created and verified on R7607.

Configuration restrictions and guidelines

When you configure RBAC for local AAA users, follow these restrictions and guidelines:

·     An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

·     You can create multiple rules for a user role. Each rule is uniquely identified by the rule number. A user role can access all commands permitted by the user role rules.

·     If two user-defined rules conflict, the rule with the higher number takes effect. For example, the user role can use the tracert command but not the ping command if the user role contains rules configured by using the following commands:

    ◦ rule 1 permit command ping

    ◦ rule 2 permit command tracert

    ◦ rule 3 deny command ping

Configuration procedures

1.     Assign an IP address to GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/0/1

[Sysname-GigabitEthernet3/0/1] ip address 192.168.1.50 24

[Sysname-GigabitEthernet3/0/1] quit

2.     Configure the user login authentication method:

# Enable Telnet server.

[Sysname] telnet server enable

# Enable scheme authentication on user lines VTY 0 through VTY 63.

[Sysname] line vty 0 63

[Sysname-line-vty0-63] authentication-mode scheme

[Sysname-line-vty0-63] quit

3.     Configure the authentication domain:

# Create ISP domain bbb and enter ISP domain view.

[Sysname] domain bbb

# Configure the authentication and authorization methods as local for login users in the domain.

[Sysname-isp-bbb] authentication login local

[Sysname-isp-bbb] authorization login local

[Sysname-isp-bbb] quit

4.     Configure device management user telnetuser:

# Create device management user telnetuser and enter local user view.

[Sysname] local-user telnetuser class manage

# Set the user password to aabbcc in plain text.

[Sysname-luser-manage-telnetuser] password simple aabbcc

# Specify the service type as Telnet.

[Sysname-luser-manage-telnetuser] service-type telnet

[Sysname-luser-manage-telnetuser] quit

5.     Configure user role role1:

# Create user role role1 and enter user role view.

[Sysname] role name role1

# Configure rule 1 to permit the user role to access the read and write commands of the ospf feature.

[Sysname-role-role1] rule 1 permit read write feature ospf

# Configure rule 2 to permit the user role to access the read and write commands of the filesystem feature.

[Sysname-role-role1] rule 2 permit read write feature filesystem

[Sysname-role-role1] quit

6.     Assign user role role1 to device management user telnetuser:

# Enter the view of the device management user.

[Sysname] local-user telnetuser class manage

# Assign user role role1 to the user.

[Sysname-luser-manage-telnetuser] authorization-attribute user-role role1

# Remove the default user role network-operator from the user.

[Sysname-luser-manage-telnetuser] undo authorization-attribute user-role network-operator

[Sysname-luser-manage-telnetuser] quit

Verifying the configuration

1.     Display information about the user role role1.

[Sysname] display role name role1

Role: role1

  Description:

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  1       permit RW-   feature       ospf

  2       permit RW-   feature       filesystem

  R:Read W:Write X:Execute

2.     Verify that you can Telnet to the router.

C:\Documents and Settings\user> telnet 192.168.1.50

 

******************************************************************************

* Copyright (c) 2004-2017 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

login: telnetuser@bbb

Password:

<Sysname>

3.     Verify that you have the access permissions of user role role1:

# Verify that you can execute the write commands of the ospf feature. For example, configure OSPF.

<Sysname> system-view

[Sysname] ospf 1

[Sysname-ospf-1] area 0

[Sysname-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0

[Sysname-ospf-1-area-0.0.0.0] quit

[Sysname-ospf-1] quit

# Verify that you can execute the read commands of the ospf feature.

[Sysname] display ospf

 

          OSPF Process 1 with Router ID 192.168.1.50

                  OSPF Protocol Information

 

 RouterID: 192.168.1.50   Router type:

 Route tag: 0

 Multi-VPN-Instance is not enabled

 Ext-community type: Domain ID 0x5, Route Type 0x306, Router ID 0x107

 Domain ID: 0.0.0.0

 Opaque capable

 ISPF is enabled

 SPF-schedule-interval: 5 50 200

 LSA generation interval: 5 50 200

 LSA arrival interval: 1000

 Transmit pacing: Interval: 20 Count: 3

 Default ASE parameters: Metric: 1 Tag: 1 Type: 2

 Route preference: 10

 ASE route preference: 150

 SPF calculation count: 0

 RFC 1583 compatible

 Graceful restart interval: 120

 SNMP trap rate limit interval: 10  Count: 7

 Area count: 0   NSSA area count: 0

 ExChange/Loading neighbors: 0

# Verify that you can execute the read and write commands of the filesystem feature. For example, specify the source IP address for outgoing FTP packets as 192.168.0.60.

[Sysname] ftp client source ip 192.168.0.60

[Sysname] quit

# Verify that you cannot use the execute commands of the filesystem feature. For example, enter FTP client view.

<Sysname> ftp

Permission denied.
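The precedence rule from the configuration guidelines (the higher-numbered rule wins when user-defined rules conflict) and the results of the verification just shown (ospf and filesystem read/write commands permitted, the execute command ftp denied) can be modelled in a few lines. The following Python is an added illustration for this document, not H3C code and not the device's actual matcher. The mapping of sample commands to features and access types in COMMAND_CATALOG, including the feature name diagnostics assumed for ping and tracert, is a constructed assumption based only on the commands this document exercises.

```python
"""Model of Comware RBAC rule evaluation (added illustration, not H3C code).

Two points from the document are reproduced:
  * a command is allowed only if some rule permits it, and when user-defined
    rules conflict the rule with the higher number decides;
  * a feature rule grants only the listed access types, so 'ftp' (an execute
    command) stays denied although filesystem read/write is permitted.
"""
from dataclasses import dataclass

# Constructed assumption: feature and access type (R/W/X) of each sample command.
# The real device resolves this internally; 'diagnostics' and 'device' are
# assumed feature names, not taken from H3C documentation.
COMMAND_CATALOG = {
    "ping": ("diagnostics", "X"),
    "tracert": ("diagnostics", "X"),
    "ospf 1": ("ospf", "W"),
    "display ospf": ("ospf", "R"),
    "ftp client source ip 192.168.0.60": ("filesystem", "W"),
    "ftp": ("filesystem", "X"),
    "display clock": ("device", "R"),
}


@dataclass(frozen=True)
class Rule:
    number: int
    permit: bool
    kind: str                        # "command" or "feature"
    entity: str                      # command pattern, or feature name
    access: frozenset = frozenset()  # feature rules only: subset of {"R","W","X"}


def command_matches(pattern: str, command: str) -> bool:
    """A trailing ' *' matches the keyword and anything after it; else exact match."""
    if pattern.endswith(" *"):
        prefix = pattern[:-2]
        return command == prefix or command.startswith(prefix + " ")
    return command == pattern


def rule_applies(rule: Rule, command: str) -> bool:
    """Does this rule say anything about the command at all?"""
    if rule.kind == "command":
        return command_matches(rule.entity, command)
    feature, access = COMMAND_CATALOG[command]
    return rule.entity == feature and access in rule.access


def is_permitted(rules: list, command: str) -> bool:
    """Walk the rules in ascending number; the last applicable rule decides.
    No applicable rule means the command is denied."""
    decision = False
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_applies(rule, command):
            decision = rule.permit
    return decision


def evaluate(rules: list, commands: list) -> dict:
    """Return {command: permitted} for a role, mirroring the verification steps."""
    return {cmd: is_permitted(rules, cmd) for cmd in commands}


# The guideline's conflicting-rule example: tracert allowed, ping denied by rule 3.
GUIDELINE_ROLE = [
    Rule(1, True, "command", "ping"),
    Rule(2, True, "command", "tracert"),
    Rule(3, False, "command", "ping"),
]

# role1 from this example: read and write on ospf and filesystem, nothing else.
ROLE1 = [
    Rule(1, True, "feature", "ospf", frozenset("RW")),
    Rule(2, True, "feature", "filesystem", frozenset("RW")),
]

if __name__ == "__main__":
    for cmd, ok in evaluate(ROLE1, list(COMMAND_CATALOG)).items():
        print(f"{'permit' if ok else 'deny  '}  {cmd}")
```

Running the script lists the same outcome the verification produced: ospf 1, display ospf and ftp client source ip are permitted for role1, while ftp and display clock are denied because no rule covers the execute access type or the device feature.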

Configuration files

#

 telnet server enable

#

interface GigabitEthernet3/0/1

 ip address 192.168.1.50 24

#

line vty 0 63

 authentication-mode scheme

 user-role network-operator

#

domain bbb

 authentication login local

 authorization login local

#

role name role1

 rule 1 permit read write feature ospf

 rule 2 permit read write feature filesystem

#

local-user telnetuser class manage

 password hash $h$6$kZw1rKFsAY4lhgUz$+teVLy8gmKN4Mr00VWgXQTB8ai94gKHlrys5OkytGf4kT+nz5X1ZGASjc282CYAR6A1upH2jbmRoTcfDzZ9Gmw==

 service-type telnet

 authorization-attribute user-role role1

#

Example: Configuring temporary user role authorization

Network requirements

As shown in Figure 2, the router performs local AAA authentication for the Telnet user. It assigns user role role1 to the Telnet user after the user passes authentication.

The router uses local-only authentication when the Telnet user requests temporary authorization for user role role2 or network-operator.

User role role1 has the following access permissions:

·     Can execute all commands available in the L3 feature group.

·     Can execute all commands that start with the display keyword.

·     Can execute all commands that start with the super keyword.

·     Can access all interfaces, VLANs, and VPNs.

User role role2 has the following access permissions:

·     Can execute all commands available in the L2 feature group.

·     Can access all interfaces, VLANs, and VPNs.

Add a user account named telnetuser on the router for the Telnet user, and set the password to aabbcc in plain text.

Figure 2 Network diagram

Requirements analysis

To meet the network requirements, you must perform the following tasks:

·     Create user roles role1 and role2, and configure user role rules and resource access policies, so the user roles can have the required access permissions.

·     Assign user role role1 to the Telnet user, so the user can obtain the user role after it passes authentication.

·     Configure user role authentication settings for role2 and network-operator, so the Telnet user can obtain the user roles for temporary authorization.

·     For security purposes, configure different authentication passwords for the user roles role2 and network-operator.

Software version used

This configuration example was created and verified on R7607.

Configuration restrictions and guidelines

When you configure temporary user role authorization, follow these restrictions and guidelines:

·     An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

·     You can create multiple rules for a user role. Each rule is uniquely identified by the rule number. A user role can access all commands permitted by the user role rules.

·     If two user-defined rules conflict, the rule with the higher number takes effect. For example, the user role can use the tracert command but not the ping command if the user role contains rules configured by using the following commands:

    ◦ rule 1 permit command ping

    ◦ rule 2 permit command tracert

    ◦ rule 3 deny command ping

·     Temporary user role authorization is effective only for the current login. It does not change the user role settings of the user account you logged in with. The next time you log in with that user account, the original user role settings take effect.

Configuration procedures

1.     Assign an IP address to GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/0/1

[Sysname-GigabitEthernet3/0/1] ip address 192.168.1.50 24

[Sysname-GigabitEthernet3/0/1] quit

2.     Configure the user login authentication method:

# Enable Telnet server.

[Sysname] telnet server enable

# Enable scheme authentication on user lines VTY 0 through VTY 63.

[Sysname] line vty 0 63

[Sysname-line-vty0-63] authentication-mode scheme

[Sysname-line-vty0-63] quit

3.     Configure ISP domain bbb:

# Create ISP domain bbb and enter ISP domain view.

[Sysname] domain bbb

# Configure the authentication and authorization methods for the login users in the ISP domain.

[Sysname-isp-bbb] authentication login local

[Sysname-isp-bbb] authorization login local

[Sysname-isp-bbb] quit

4.     Configure device management user telnetuser:

# Create device management user telnetuser and enter local user view.

[Sysname] local-user telnetuser class manage

# Set the user password to aabbcc in plain text.

[Sysname-luser-manage-telnetuser] password simple aabbcc

# Specify the service type as Telnet.

[Sysname-luser-manage-telnetuser] service-type telnet

[Sysname-luser-manage-telnetuser] quit

5.     Configure user role role1:

# Create user role role1 and enter user role view.

[Sysname] role name role1

# Configure rule 1 to permit the user role to access all commands of the L3 feature group.

[Sysname-role-role1] rule 1 permit execute read write feature-group L3

# Configure rule 2 to permit the user role to access all commands that start with the display keyword.

[Sysname-role-role1] rule 2 permit command display *

# Configure rule 3 to permit the user role to access all commands that start with the super keyword.

[Sysname-role-role1] rule 3 permit command super *

[Sysname-role-role1] quit

6.     Configure user role role2:

# Create user role role2 and enter user role view.

[Sysname] role name role2

# Configure rule 1 to permit the user role to access all commands of the L2 feature group.

[Sysname-role-role2] rule 1 permit execute read write feature-group L2

[Sysname-role-role2] quit

7.     Authorize user role role1 to device management user telnetuser:

# Enter the view of the device management user.

[Sysname] local-user telnetuser class manage

# Authorize user role role1 to the user.

[Sysname-luser-manage-telnetuser] authorization-attribute user-role role1

# Remove the default user role network-operator from the user.

[Sysname-luser-manage-telnetuser] undo authorization-attribute user-role network-operator

[Sysname-luser-manage-telnetuser] quit

8.     Configure temporary user role authorization:

# Enable local-only authentication for temporary user role authorization.

[Sysname] super authentication-mode local

# Set the local authentication password to 123456TESTplat&! in plain text for user role role2.

[Sysname] super password role role2 simple 123456TESTplat&!

# Set the local authentication password to 987654TESTplat&! in plain text for user role network-operator.

[Sysname] super password role network-operator simple 987654TESTplat&!

Verifying the configuration

1.     Verify that the user roles are correctly configured:

# Display information about user role role1.

[Sysname] display role name role1

Role: role1

  Description:

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  1       permit RWX   feature-group L3

  2       permit       command       display *

  3       permit       command       super *

  R:Read W:Write X:Execute

# Display information about user role role2.

[Sysname] display role name role2

Role: role2

  Description:

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  1       permit RWX   feature-group L2

  R:Read W:Write X:Execute

# Display information about user role network-operator.

[Sysname] display role name network-operator

Role: network-operator

  Description: Predefined network operator role has access to all read commands on the Sysname

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  sys-1   permit       command       display *

  sys-2   permit       command       xml

  sys-3   deny         command       display history-command all

  sys-4   deny         command       display exception *

  sys-5   deny         command       display cpu-usage configuration *

  sys-6   deny         command       display kernel exception *

  sys-7   deny         command       display kernel deadloop *

  sys-8   deny         command       display kernel starvation *

  sys-9   deny         command       display kernel reboot *

  sys-10  deny         command       display memory trace *

  sys-11  deny         command       display kernel memory *

  sys-12  permit       command       system-view ; local-user *

  sys-13  permit       command       system-view ; switchto mdc *

  sys-14  permit R--   xml-element   -

  sys-15  deny         command       display security-logfile summary

  sys-16  deny         command       system-view ; info-center security-logfile directory *

  sys-17  deny         command       security-logfile save

  R:Read W:Write X:Execute

2.     Use the display role feature-group command to display the features in the L2 and L3 feature groups. (Details not shown.)

3.     Verify that you can Telnet to the router.

C:\Documents and Settings\user> telnet 192.168.1.50

 

******************************************************************************

* Copyright (c) 2004-2017 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

login: telnetuser@bbb

Password:

<Sysname>

4.     Verify that you have the access permissions of user role role1:

# Verify that you can access all commands in the L3 feature group. For example, create VPN vpn1.

<Sysname> system-view

[Sysname] ip vpn-instance vpn1

[Sysname-vpn-instance-vpn1] quit

# Verify that you can use all commands that start with the display keyword. For example, display the system time and date.

[Sysname] display clock

09:31:56 UTC Thu 01/01/2017

[Sysname] quit

5.     Verify that you can obtain the authorization of user role role2 without reconnecting to the router:

# Obtain the user role role2.

<Sysname> super role2

Password:

User privilege role is role2, and only those commands that authorized to the role can be used.

<Sysname>

# Verify that you can use all commands in the L2 feature group. For example, create VLAN 10.

<Sysname> system-view

[Sysname] vlan 10

[Sysname-vlan10] quit

[Sysname] quit

# Verify that you cannot use the commands of features outside the L2 feature group. For example, try to obtain the user role network-operator for temporary authorization.

<Sysname> super network-operator

Permission denied.

# Verify that you cannot use the commands that start with the display keyword. For example, display the system date and time.

<Sysname> display clock

Permission denied.

6.     Disconnect from the router, and Telnet to the router again.

C:\Documents and Settings\user> telnet 192.168.1.50

 

******************************************************************************

* Copyright (c) 2004-2017 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

login: telnetuser@bbb

Password:

<Sysname>

7.     Verify that you can obtain the network-operator user role.

<Sysname> super network-operator

Password:

User privilege role is network-operator, and only those commands that authorized to the role can be used.

<Sysname>

Configuration files

#

 telnet server enable

#

interface GigabitEthernet3/0/1

 ip address 192.168.1.50 24

#

line vty 0 63

 authentication-mode scheme

 user-role network-operator

#

 super password role role2 hash $h$6$D0kjHFktkktzgR5g$e673xFnIcKytCj6EDAw+pvwgh3/ung3WNWHnrUTnXT862B+s7PaLfKTdil8ef71RBOvuJvPAZHjiLjrMPyWHQw==

 super password role network-operator hash $h$6$3s5KMmscn9hJ6gPx$IcxbNjUc8u4yxwRm87b/Jki8BoPAxw/s5bEcPQjQj/cbbXwTVcnQGL91WOd7ssO2rX/wKzfyzAO5VhBTn9Q4zQ==

#

domain bbb

 authentication login local

 authorization login local

#

role name role1

 rule 1 permit read write execute feature-group L3

 rule 2 permit command display *

 rule 3 permit command super *

#

role name role2

 rule 1 permit read write execute feature-group L2

#

local-user telnetuser class manage

 password hash $h$6$kZw1rKFsAY4lhgUz$+teVLy8gmKN4Mr00VWgXQTB8ai94gKHlrys5OkytGf4kT+nz5X1ZGASjc282CYAR6A1upH2jbmRoTcfDzZ9Gmw==

 service-type telnet

 authorization-attribute user-role role1

#

Related documentation

·     H3C SR6600 SR6600-X Routers Fundamentals Command Reference-Release 7607

·     H3C SR6600 SR6600-X Routers Fundamentals Configuration Guide-Release 7607
