H3C Routers

RBAC Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Overview·· 1

Prerequisites· 1

Example: Configuring read and write permissions for specific features· 1

Network configuration· 1

Analysis· 1

Software versions used· 1

Restrictions and guidelines· 2

Procedures· 2

Verifying the configuration· 3

Configuration files· 5

Software versions used· 5

Example: Configuring user permissions in specific VPNs· 6

Network configuration· 6

Analysis· 6

Software versions used· 6

Restrictions and guidelines· 6

Procedures· 7

Device Configuration· 7

Configuring the RADIUS server 8

Verifying the configuration· 8

Configuration files· 10

Software versions used· 10

Software versions used· 10

Software versions used· 11

Related documentation· 11

 

Overview

This document presents a typical example of using RBAC to control user authority on login devices.

Prerequisites

The following information applies to Comware 9-based routers. Procedures and information in the examples might be slightly different depending on the software or hardware version of the router.

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of RBAC.

Example: Configuring read and write permissions for specific features

Network configuration

As shown in Figure 1, to enhance security of user logins, local AAA authentication is used to authenticate Telnet users on the device. Give Telnet users the following permissions:

·     Allow execution of all read and write type commands related to OSPF.

·     Allow execution of all read-write commands related to file system.

Figure 1 Network diagram

 

Analysis

·     For a Telnet user to have the permissions, create a local Telnet user and user role role1, then, grant the Telnet users with the user role.

·     Configure user role rules to limit Telnet users to execute read and write commands related to OSPF and file system.

·     To ensure that Telnet users only use the authorized user role, delete the default user role assigned to the user.

Software versions used

This configuration example was created and verified on R9141P16 of the SR6608-M device.

Restrictions and guidelines

·     After configuring an ISP domain as the default one, you cannot delete the domain. To delete the domain, you must first use the undo domain default enable command to change the domain to a non-default domain.

·     One user role can create multiple rules, each identified by a unique number. Users authorized with this role can execute commands defined by the executable command union of these rules. If the permissions defined by two rules have conflicts, the rule with a higher number takes effect. For example, rule 1 allows executing command A, rule 2 allows executing command B, and rule 3 prohibits executing command A. Thus, rules 2 and 3 take effect, meaning command A is prohibited and command B is allowed.

Procedures

1.     Configure interfaces.

# Configure an IP address for interface GigabitEthernet2/0/1.

<Router> system-view

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] ip address 192.168.1.50 24

[Router-GigabitEthernet2/0/1] quit

2.     Configure the authentication method for Telnet user login.

# Activate the Telnet server function on the device.

[Router] telnet server enable

# Configure Telnet user login with the AAA authentication method on VTY user lines numbered from 0 to 63.

[Router] line vty 0 63

[Router-line-vty0-63] authentication-mode scheme

The command is "quit" on line vty0-63 of the system.

3.     Configure the AAA method for an ISP domain.

# Create ISP domain bbb and authorize login users with local authentication and authorization.

[Router] domain bbb

[Router-isp-bbb] authentication login local

[Router-isp-bbb] authorization login local

[Router-isp-bbb] quit

4.     Configure the password and service type for local user telnetuser.

# Create a local device management user named telnetuser.

[Router] local-user telnetuser class manage

# Set a plaintext password 123456TESTplat&!.

[Router-luser-manage-telnetuser] password simple 123456TESTplat&!

# Specify the service type as Telnet.

[Router-luser-manage-telnetuser] service-type telnet

[Router-luser-manage-telnetuser] quit

5.     Create user role role1 and configure its rules.

# Create user role role1 and enter its view.

[Router] role name role1

# Configure user role rule 1 to allow executing all commands of the read-write type related to OSPF.

[Router-role-role1] rule 1 permit read write feature ospf

# Configure user role rule 2 to allow executing all commands of the read-write type related to file system.

[Router-role-role1] rule 2 permit read write feature filesystem

[Router-role-role1] quit

6.     Configure the authorized user role for the local user.

# Enter view of local user telnetuser.

[Router] local-user telnetuser class manage

# Authorize user telnetuser with role role1.

[Router-luser-manage-telnetuser] authorization-attribute user-role role1

# For the user to use only the authorized user role, delete the default user role network-operator.

[Router-luser-manage-telnetuser] undo authorization-attribute user-role network-operator

[Router-luser-manage-telnetuser] quit

[Router] quit

Verifying the configuration

1.     View user role information.

# Use the display role command to view the information about user role role1.

<Router> display role name role1

Role: role1

  Description:

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: permit (default)

  Security zone policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  1       permit RW-   feature       ospf

  2       permit RW-   feature       filesystem

  R:Read W:Write X:Execute

2.     Make the user log in to the device.

Make the user initiate a Telnet connection to the device and enter user name telnetuser@bbb and the correct password at the prompt. Verify that you can log in to the device.

C:\Documents and Settings\user> telnet 192.168.1.50

 

******************************************************************************

* Copyright (c) 2004-2023 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

login: telnetuser@bbb

Password:

<Router>

3.     Verify the user permissions.

After the Telnet user logs in to the device, perform the following tasks to verify the user permissions:

¡     Execute write commands of OSPF. (This section uses OSPF configuration as an example.)

[Router] ospf 1

[Router-ospf-1] area 0

[Router-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0

[Router-ospf-1-area-0.0.0.0] quit

[Router-ospf-1] quit

¡     Execute read command of OSPF.

[Router] show ospf

 

          OSPF Process 1 with Router ID 192.168.1.50

                  OSPF Protocol Information

 

 RouterID: 192.168.1.50   Router type:

 Route tag: 0

 Multi-VPN-Instance is not enabled

 Ext-community type: Domain ID 0x5, Route Type 0x306, Router ID 0x107

 Domain ID: 0.0.0.0

 Opaque capable

 Isolation: Disabled

 ISPF is enabled

 SPF-schedule-interval: 5 50 200

 LSA generation interval: 5 50 200

 LSA arrival interval: 1000

 Transmit pacing: Interval: 20 Count: 3

 Default ASE parameters: Metric: 1 Tag: 1 Type: 2

 Route preference: 10

 ASE route preference: 150

 SPF calculation count: 0

 RFC 1583 compatible

 Fast-reroute: Remote-lfa Disabled

   Maximum-cost: 4294967295

 Node-Protecing Preference: 40

 Lowest-cost Preference: 20

 Graceful restart interval: 120

 SNMP trap rate limit interval: 10  Count: 7

 Area count: 1   NSSA area count: 0

 ExChange/Loading neighbors: 0

 MPLS segment routing: Disabled

   Segment routing adjacency   : Disabled

   Effective SRGB              : 16000  24000

   Segment routing local block : 15000  15999

   Segment routing tunnel count: 0

 

 Area: 0.0.0.0          (MPLS TE not enabled)

 Authentication type: None    Area flag: Normal

 SPF scheduled count: 0

 ExChange/Loading neighbors: 0

¡     Execute the read and write commands of file system. (This section configures the source IP address of FTP packets as an example.)

[Router] ftp client source ip 192.168.0.60

[Router] quit

¡     Verify that you cannot execute commands of the execution type related to filesystem. (This section attempts to enter FTP view as an example.)

<Router> ftp

Permission denied.

Configuration files

#

 telnet server enable

#

interface GigabitEthernet2/0/1

 ip address 192.168.1.50 24

#

line vty 0 63

 authentication-mode scheme

 user-role network-operator

#

domain bbb

 authentication login local

 authorization login local

#

role name role1

 rule 1 permit read write feature ospf

 rule 2 permit read write feature filesystem

#

local-user telnetuser class manage

 password hash $h$6$kZw1rKFsAY4lhgUz$+teVLy8gmKN4Mr00VWgXQTB8ai94gKHlrys5OkytGf4

kT+nz5X1ZGASjc282CYAR6A1upH2jbmRoTcfDzZ9Gmw==

 service-type telnet

 authorization-attribute user-role role1

#

Software versions used

This configuration example was created and verified on R9141P16 of the SR6608-M device.

Example: Configuring user permissions in specific VPNs

Network configuration

As shown in Figure 2, in order to enhance the security of user login, RADIUS server is used to authenticate and authorize Telnet users, granting them the following permissions:

·     Allow the execution of all commands related to predefined feature group L3 in the system.

·     Allow the execution of all commands starting with the display keyword.

·     Allow management only of specific VPN instances, for example, VPN instances vpn1, vpn2, and vpn3.

Figure 2 Network diagram

 

Analysis

·     To authorize Telnet users to execute requested commands, create user role role1 and configure the user role rules and resource control policies.

·     To grant Telnet users the permissions, authorize user role role1 on the RADIUS server.

Software versions used

This configuration example was created and verified on R9141P16 of the SR6608-M device.

Restrictions and guidelines

1.     After configuring an ISP domain as the default one, you cannot delete the domain. To delete the domain, you must first use the undo domain default enable command to change the domain to a non-default domain.

2.     The authorization information from the RADIUS server is sent to the RADIUS client with the authentication response message. Make sure the authentication and authorization methods are the same.

3.     One user role can create multiple rules, each identified by a unique number. Users authorized with this role can execute commands defined by the executable command union of these rules. If the permissions defined by two rules have conflicts, the rule with a higher number takes effect. For example, rule 1 allows executing command A, rule 2 allows executing command B, and rule 3 prohibits executing command A. Thus, rules 2 and 3 take effect, meaning command A is prohibited and command B is allowed.

Procedures

Device Configuration

1.     Configure interfaces and routes.

# Configure an IP address for interface GigabitEthernet2/0/1.

<Router> system-view

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] ip address 192.168.1.50 24

[Router-GigabitEthernet2/0/1] quit

# Configure an IP address for interface GigabitEthernet2/0/2.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] ip address 10.1.1.2 24

[Router-GigabitEthernet2/0/2] quit

# Configure a default route for Telnet users to reach the RADIUS server.

[Router] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1

2.     Configure the authentication method for Telnet user login.

# Activate the Telnet server function on the device.

[Router] telnet server enable

# Configure Telnet user login with the AAA authentication method on VTY user lines numbered from 0 to 63.

[Router] line vty 0 63

[Router-line-vty0-63] authentication-mode scheme

[Router-line-vty0-63] quit

3.     Configure the RADIUS scheme and authentication server.

# Create RADIUS scheme rad.

[Router] radius scheme rad

# Configure the IP address of the primary authentication/authorization server as 10.1.1.1 and the primary accounting server as 10.1.1.1.

[Router-radius-rad] primary authentication 10.1.1.1

[Router-radius-rad] primary accounting 10.1.1.1

# Set the shared key for interaction messages with the authentication/authorization server and the primary accounting server as plaintext aabbcc.

[Router-radius-rad] key authentication simple aabbcc

[Router-radius-rad] key accounting simple aabbcc

[Router-radius-rad] quit

4.     Configure the AAA method for an ISP domain.

# Create ISP domain bbb and configure login users to use the RADIUS authentication, RADIUS authorization, and RADIUS accounting AAA methods.

[Router] domain bbb

[Router-isp-bbb] authentication login radius-scheme rad

[Router-isp-bbb] authorization login radius-scheme rad

[Router-isp-bbb] accounting login radius-scheme rad

[Router-isp-bbb] quit

5.     Create user role role1 and configure rules and resource control policies for the user role.

# Create user role role1 and enter its view.

[Router] role name role1

# Configure user role rule 1 to allow users to execute all commands related to predefined feature group L3.

[Router-role-role1] rule 1 permit execute read write feature-group L3

# Configure user role rule 2 to allow users to execute all commands starting with the display keyword.

[Router-role-role1] rule 2 permit command display *

# Enter user role VPN policy view and authorize users with the permission to manage VPN instances vpn1, vpn2, and vpn3.

[Router-role-role1] vpn-instance policy deny

[Router-role-role1-vpnpolicy] permit vpn-instance vpn1 vpn2 vpn3

[Router-role-role1-vpnpolicy] quit

[Router-role-role1] quit

[Router] quit

Configuring the RADIUS server

NOTE: This section uses iMC PLAT 7.0 (E0202) and iMC UAM 7.0 (E0202) as an example to illustrate basic configuration of the RADIUS server.

 

1.     Add an access device.

Log in to the IMC management platform, click the User tab. In the left navigation pane, select User Access Policy > Access Device Management > Access Device. Click Add.

¡     Specify the authentication and accounting port numbers to 1812 and 1813, respectively.

¡     Set the shared key for authentication and accounting for AC interaction messages as aabbcc and confirm the shared key.

¡     Select Device Management Service as the service type.

¡     Select H3C (General) as the access device type.

¡     Select or manually add the device with IP address 10.1.1.2 as an access device.

¡     Retain the default settings in the other fields and then click OK.

2.     Add a device management user.

Click the User tab, and select Device User > Device User in the navigation pane. Click Add.

¡     Specify the user name, set the password, and confirm the password. In this example, the username is telnetuser@bbb.

¡     Select Telnet as the service type.

¡     Add user role role1.

¡     Add IP addresses of devices to be managed. In this example, the IP address range is 10.1.1.0 to 10.1.1.10.

¡     Click OK.

Verifying the configuration

1.     View user role and feature group information.

# Use the display role command to view user role information.

<Router> display role name role1

Role: role1

  Description:

  VLAN policy: permit (default)

  Interface policy: permit (default)

  VPN instance policy: deny

  Permitted VPN instances: vpn1, vpn2, vpn3

  Security zone policy: permit (default)

  -------------------------------------------------------------------

  Rule    Perm   Type  Scope         Entity

  -------------------------------------------------------------------

  1       permit RWX   feature-group L3

  2       permit       command       display *

  R:Read W:Write X:Execute

Use the display role feature-group command to view feature information in feature group L3. (Details not shown.)

2.     Make the user log in to the device.

Make the user initiate a Telnet connection to the device and enter user name telnetuser@bbb and the correct password at the prompt. Verify that you can log in to the device.

C:\Documents and Settings\user> telnet 192.168.1.50

 

******************************************************************************

* Copyright (c) 2004-2023 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

login: telnetuser@bbb

Password:

<Router>

3.     Verify the user permissions.

After the Telnet user logs in to the device, perform the following tasks to verify the user permissions:

¡     Execute commands in the predefined feature group L3. (This section creates VPN instance vpn1 and set the RD to 22:1 as an example.)

<Router> system-view

[Router] ip vpn-instance vpn1

[Router-vpn-instance-vpn1] route-distinguisher 22:1

[Router-vpn-instance-vpn1] display this

#

ip vpn-instance vpn1

 route-distinguisher 22:1

#

return

[Router-vpn-instance-vpn1] quit

¡     Verify that you cannot manage other VPN instances. (This section uses VPN instance vpn5 as an example.)

[Router] ip vpn-instance vpn5

Permission denied.

Configuration files

#

 telnet server enable

#

interface GigabitEthernet2/0/1

 ip address 192.168.1.50 24

#

interface GigabitEthernet2/0/2

 ip address 10.1.1.2 24

#

line vty 0 63

 authentication-mode scheme

 user-role network-operator

#

ip route-static 0.0.0.0 0 10.1.1.1

#

radius scheme rad

 primary authentication 10.1.1.1

 primary accounting 10.1.1.1

 key authentication cipher $c$3$JzDegvL0G5KZIcJhzscTHLA4WasBVh0UOw==

 key accounting cipher $c$3$CdejNYYxvjW0Y+Zydi4rZgBwjYb4h6LKmg==

#

domain bbb

 authentication login radius-scheme rad

 authorization login radius-scheme rad

 accounting login radius-scheme rad

#

role name role1

 rule 1 permit read write execute feature-group L3

 rule 2 permit command display *

 vpn-instance policy deny

  permit vpn-instance vpn1

  permit vpn-instance vpn2

  permit vpn-instance vpn3

#

Software versions used

This configuration example was created and verified on R9141P16 of the SR6608-M device.

Software versions used

This configuration example was created and verified on R9141P16 of the SR6608-M device.

Software versions used

This configuration example was created and verified on R9141P16 of the SR6608-M device.

Related documentation

·     Fundamentals Configuration Guide in H3C SR6608-M Router Configuration Guides(V9)

·     Fundamentals Command Reference in H3C SR6608-M Router Command References(V9)