Authentication, authorization, and accounting methods
Configuring attributes for device management users
Configuring user group attributes
Display and maintenance commands for local users and local user groups
Configuring AAA methods for an ISP domain
Configuring authentication methods for an ISP domain
Configuring authorization methods for an ISP domain
Configuring accounting methods for an ISP domain
Display and maintenance commands for ISP domains
Setting the maximum number of concurrent login users
Enabling password change prompt logging
Example: Configuring local authentication and authorization for SSH users
Configuring AAA
About AAA
AAA implementation
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
· Authentication—Identifies remote users and verifies their validity.
· Authorization—Grants different users different rights, and controls the users' access to resources and services. For example, you can permit office users to read and print files and prevent guests from accessing files on the device.
· Accounting—Records network usage details of users, including the service type, start time, and traffic. This function enables time-based and traffic-based charging and user behavior auditing.
AAA network diagram
AAA uses a client/server model. The client runs on the access device, or the network access server (NAS), which authenticates user identities and controls user access. The server maintains user information centrally.
To access networks or resources beyond the NAS, a user sends its identity information to the NAS. The NAS transparently passes the user information to AAA servers and waits for the authentication, authorization, and accounting result. Based on the result, the NAS determines whether to permit or deny the access request.
Authentication, authorization, and accounting methods
AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.
AAA also supports configuring a set of default methods for an ISP domain. These default methods are applied to users for whom no AAA methods are configured.
Authentication methods
The device supports the following authentication methods:
· No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method.
· Local authentication—The NAS authenticates users by itself, based on the locally configured user information, including usernames, passwords, and attributes. Local authentication is fast and inexpensive, but the number of users and attributes it can hold is limited by the storage space of the device.
Authorization methods
The device supports the following authorization methods:
· No authorization—The NAS performs no authorization exchange. The following default authorization information applies after users pass authentication:
  · Non-login users can access the network.
  · Login users obtain the level-0 user role. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.
  · The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.
· Local authorization—The NAS performs authorization according to the user attributes locally configured for users.
Accounting methods
The device supports the following accounting methods:
· No accounting—The NAS does not perform accounting for the users.
· Local accounting—Local accounting is implemented on the NAS. It counts and controls the number of concurrent users that use the same local user account, but does not provide statistics for charging.
AAA extended functions
The device provides the following login services to enhance device security:
· Command authorization—Enables the NAS to let the authorization server determine whether a command entered by a login user is permitted. Login users can execute only commands permitted by the authorization server. For more information about command authorization, see controlling user access to the device in Fundamentals Configuration Guide.
· Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see controlling user access to the device in Fundamentals Configuration Guide.
· User role authentication—Authenticates each user that wants to obtain another user role without logging out or getting disconnected. For more information about user role authentication, see Fundamentals Configuration Guide.
Configuring local users
About local users
To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type. Local users are classified into the following types:
· Device management user—User that logs in to the device for device management.
· Network access user—User that accesses network resources through the device.
The following shows the configurable local user attributes:
· Service type—Services that the user can use. Local authentication checks whether the service a user requests is among the service types assigned to the local user. If it is not, the user cannot pass authentication.
· User state—Whether or not a local user can request network services. There are two user states: active and blocked. A user in active state can request network services, but a user in blocked state cannot.
· Upper limit of concurrent logins using the same user name—Maximum number of users that can concurrently access the device by using the same user name. When the number reaches the upper limit, no more local users can access the device by using the user name.
· User group—Each local user belongs to a local user group and has all attributes of the group. The attributes include the password control attributes and authorization attributes.
· Binding attributes—Binding attributes control the scope of users, and are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication.
· Authorization attributes—Authorization attributes indicate the user's rights after it passes local authentication.
Configure the authorization attributes based on the service type of local users.
You can configure an authorization attribute in user group view or local user view. The setting of an authorization attribute in local user view takes precedence over the attribute setting in user group view.
  · The attribute configured in user group view takes effect on all local users in the user group.
  · The attribute configured in local user view takes effect only on the local user.
Configuring attributes for device management users
Restrictions and guidelines
You can configure authorization attributes and password control attributes in local user view or user group view. The setting in local user view takes precedence over the setting in user group view.
Procedure
1. Enter system view.
system-view
2. Add a device management user and enter device management user view.
local-user user-name [ class manage ]
3. Configure a password for the local user.
password [ { hash | simple } string ]
A user that has no password passes authentication as long as it provides the correct username and passes the attribute checks. To enhance security, configure a password for each device management user.
4. Assign services to the local user.
service-type { ftp | { ssh | telnet | terminal } * }
By default, no services are authorized to a local user.
5. (Optional.) Set the status of the local user.
state { active | block }
By default, a local user is in active state and can request network services.
6. (Optional.) Set the upper limit of concurrent logins using the local user name.
access-limit max-user-number
By default, the number of concurrent logins is not limited for the local user.
This command takes effect only when local accounting is configured for the local user. It does not apply to FTP, SFTP, or SCP users, because these users do not support accounting.
7. (Optional.) Configure authorization attributes for the local user.
authorization-attribute { idle-cut minutes | user-role role-name | work-directory directory-name } *
The following default settings apply:
  · The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.
  · The network-operator user role is assigned to local users that are created by a network-admin or level-15 user.
8. (Optional.) Configure password control attributes for the local user. Choose the following tasks as needed:
  · Set the password aging time.
password-control aging aging-time
  · Set the minimum password length.
password-control length length
  · Configure the password composition policy.
password-control composition type-number type-number [ type-length type-length ]
  · Configure the password complexity checking policy.
password-control complexity { same-character | user-name } check
  · Configure the maximum login attempts and the action to take if there is a login failure.
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
By default, a local user uses password control attributes of the user group to which the local user belongs.
9. (Optional.) Assign the local user to a user group.
group group-name
By default, a local user belongs to user group system.
Configuring user group attributes
About this task
User groups simplify local user configuration and management. A user group contains a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attributes management for the local users in the group. Local user attributes that are manageable include authorization attributes.
Procedure
1. Enter system view.
system-view
2. Create a user group and enter user group view.
user-group group-name
By default, a system-defined user group named system exists.
3. Configure authorization attributes for the user group.
authorization-attribute { idle-cut minutes | work-directory directory-name } *
By default, no authorization attributes are configured for a user group.
Display and maintenance commands for local users and local user groups
Execute display commands in any view.
Task: Display the local user configuration and online user statistics.
Command: display local-user [ class { manage | network [ guest ] } | idle-cut { disable | enable } | service-type { ftp | ssh | telnet | terminal } | state { active | block } | user-name user-name class manage ]
Task: Display user group configuration.
Command: display user-group { all | identity-member | name group-name }
Configuring AAA methods for an ISP domain
Configuring authentication methods for an ISP domain
Procedure
1. Enter system view.
system-view
2. Enter ISP domain view.
domain name isp-name
3. (Optional.) Specify default authentication methods for all types of users.
authentication default { local [ none ] | none }
By default, the default authentication method is local.
4. Specify authentication methods for a user type or a service.
  · Specify authentication methods for login users.
authentication login { local [ none ] | none }
By default, the default authentication methods are used for login users.
Configuring authorization methods for an ISP domain
Procedure
1. Enter system view.
system-view
2. Enter ISP domain view.
domain name isp-name
3. (Optional.) Specify default authorization methods for all types of users.
authorization default { local [ none ] | none }
By default, the authorization method is local.
4. Specify authorization methods for a user type or a service.
  · Specify authorization methods for login users.
authorization login { local [ none ] | none }
By default, the default authorization methods are used for login users.
Configuring accounting methods for an ISP domain
Procedure
1. Enter system view.
system-view
2. Enter ISP domain view.
domain name isp-name
3. (Optional.) Specify default accounting methods for all types of users.
accounting default { local [ none ] | none }
By default, the accounting method is local.
4. Specify accounting methods for a user type.
  · Specify accounting methods for login users.
accounting login { local [ none ] | none }
By default, the default accounting methods are used for login users.
Display and maintenance commands for ISP domains
Execute display commands in any view.
Task: Display configuration information about an ISP domain or all ISP domains.
Command: display domain [ name isp-name ]
Setting the maximum number of concurrent login users
About this task
Perform this task to set the maximum number of concurrent users that can log on to the device through a specific protocol, regardless of their authentication methods. The authentication methods include no authentication, local authentication, and remote authentication.
Procedure
1. Enter system view.
system-view
2. Set the maximum number of concurrent login users.
aaa session-limit { ftp | ssh | telnet } max-sessions
By default, the maximum number of concurrent login users is 32 for each user type.
Enabling password change prompt logging
About this task
Use this feature to enhance the protection of passwords for Telnet, SSH, NETCONF over SSH, and NETCONF over SOAP users and improve the system security.
This feature enables the device to generate logs that prompt users to change weak passwords. A prompt log is generated when the user logs in and then every 24 hours while the password remains weak.
A password is a weak password if it does not meet the following requirements:
· Password composition restriction configured by using the password-control composition command.
· Minimum password length restriction set by using the password-control length command.
· Password complexity checking policy configured by using the password-control complexity command.
For a NETCONF over SSH or NETCONF over SOAP user, the device also generates a password change prompt log if any of the following conditions exists:
· The current password of the user is the default password or has expired.
· The user logs in to the device for the first time or uses a new password to log in after global password control is enabled.
The device will no longer generate password change prompt logs for a user when one of the following conditions exists:
· The password change prompt logging feature is disabled.
· The user has changed the password and the new password meets the password control requirements.
· The enabling status of a related password control feature has changed so the current password of the user meets the password control requirements.
· The password composition policy or the minimum password length has changed.
Restrictions and guidelines
You can use the display password-control command to display password control configuration. For more information about password control commands, see password control commands in Security Command Reference.
Procedure
1. Enter system view.
system-view
2. Enable password change prompt logging.
local-server log change-password-prompt
By default, password change prompt logging is enabled.
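The following Python code is an added example, not code from this guide or from the device software. It implements the three weak-password criteria listed in this section (the password-control length, composition, and complexity rules) so that a password can be checked offline before it is configured with the password command. The policy values are assumptions rather than the device defaults, and the interpretation of the two complexity checks is assumed as well: the same-character check fails a password in which any character appears three or more times in a row, and the user-name check fails a password that contains the username or the username reversed. The password 123456TESTplat&! from the SSH example at the end of this chapter is used as one of the inputs.

```python
"""Weak-password classification under password-control style rules.

Added example, not H3C code. Policy values and the exact semantics of the
complexity checks are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 10                # password-control length (assumed value)
    type_number: int = 1                # password-control composition type-number
    type_length: int = 1                # password-control composition type-length
    same_character_check: bool = False  # password-control complexity same-character check
    user_name_check: bool = False       # password-control complexity user-name check


def composition_counts(password: str) -> Dict[str, int]:
    """Count characters in the four composition classes: upper, lower, digit, special."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def check_password(password: str, policy: PasswordPolicy,
                   username: Optional[str] = None) -> List[str]:
    """Return the rules the password fails; an empty list means it is not weak."""
    failures: List[str] = []
    if len(password) < policy.min_length:
        failures.append(f"length: {len(password)} < {policy.min_length}")
    # A class only counts toward type-number if it has at least type-length characters.
    present = [c for c, n in composition_counts(password).items() if n >= policy.type_length]
    if len(present) < policy.type_number:
        failures.append(
            f"composition: {len(present)} character type(s) with at least "
            f"{policy.type_length} character(s), {policy.type_number} required")
    # Assumed semantics: any character repeated three or more times consecutively.
    if policy.same_character_check and re.search(r"(.)\1\1", password):
        failures.append("same-character: a character is repeated three or more times in a row")
    # Assumed semantics: the username or its reverse, case-insensitively, anywhere in the password.
    if policy.user_name_check and username:
        low, user = password.lower(), username.lower()
        if user in low or user[::-1] in low:
            failures.append("user-name: contains the username or the username reversed")
    return failures


def is_weak(password: str, policy: PasswordPolicy, username: Optional[str] = None) -> bool:
    return bool(check_password(password, policy, username))


# Assumed strict policy: 10+ characters, all four character types, both complexity checks.
STRICT = PasswordPolicy(min_length=10, type_number=4, type_length=1,
                        same_character_check=True, user_name_check=True)

if __name__ == "__main__":
    # Constructed inputs: the guide's example password plus two weak ones.
    for user, pw in [("ssh", "123456TESTplat&!"), ("ssh", "sshsshssh1"), ("admin", "Passw0rd!!!")]:
        print(f"{user}/{pw}: {check_password(pw, STRICT, user) or 'ok'}")
```

The device evaluates these rules at login and every 24 hours; running the same rules when credentials are provisioned keeps a weak password from reaching the device in the first place.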
AAA configuration examples
Example: Configuring local authentication and authorization for SSH users
Network configuration
As shown in Figure 1, configure the router to meet the following requirements:
· Perform local authentication and authorization for SSH users.
· Assign the network-admin user role to SSH users after they pass authentication.
Prerequisites
# Configure IP addresses for interfaces, and make sure the network connections are available.
Procedure
# Create local RSA and DSA key pairs.
<Router> system-view
[Router] public-key local create rsa
[Router] public-key local create dsa
# Enable the Stelnet server.
[Router] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Create a device management user.
[Router] local-user ssh class manage
# Assign the SSH service to the local user.
[Router-luser-manage-ssh] service-type ssh
# Set the password to 123456TESTplat&! in plaintext form for the local user.
[Router-luser-manage-ssh] password simple 123456TESTplat&!
# Specify the user role for the user as network-admin.
[Router-luser-manage-ssh] authorization-attribute user-role network-admin
[Router-luser-manage-ssh] quit
# Create an ISP domain named bbb and configure the domain to use local authentication and authorization for login users.
[Router] domain name bbb
[Router-isp-bbb] authentication login local
[Router-isp-bbb] authorization login local
[Router-isp-bbb] quit
Verifying the configuration
# Initiate an SSH connection to the router, and enter username ssh@bbb and the correct password. The user logs in to the router. (Details not shown.)
# Verify that the user can use the commands permitted by the network-admin user role. (Details not shown.)
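The following Python script is an added example, not part of this guide or of the device software. It audits a running-configuration excerpt for the weak settings this chapter warns against in "Configuring attributes for device management users", "Configuring AAA methods for an ISP domain", "Setting the maximum number of concurrent login users", and the SSH example above: device management users without a password, the telnet service type, 'none' authentication or authorization methods (including the 'local none' fallback), VTY lines that do not use scheme authentication, and protocols left at the default session limit. The configuration text is constructed for illustration (the password hash is a placeholder), and the severity labels and the block-splitting on '#' separator lines are assumptions about the running-config format.

```python
"""Audit a Comware-style running configuration for weak AAA settings.

Added example, not H3C code. SAMPLE_CONFIG is constructed for illustration;
the severity labels are the author's assumptions.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: the hardened user and domain from the SSH example next to a
# legacy user, a domain that falls back to none, and an unauthenticated VTY range.
SAMPLE_CONFIG = """\
#
 aaa session-limit ssh 8
#
local-user ssh class manage
 password hash $h$6$EXAMPLEHASH
 service-type ssh
 authorization-attribute user-role network-admin
#
local-user legacy class manage
 service-type telnet ssh
 authorization-attribute user-role level-15
#
domain name bbb
 authentication login local
 authorization login local
 accounting login local
#
domain name guest
 authentication login local none
 authorization login none
#
line vty 0 31
 authentication-mode scheme
#
line vty 32 63
 authentication-mode none
#
"""

Finding = Tuple[str, str, str]  # (severity, configuration object, message)


def parse_blocks(config: str) -> List[List[str]]:
    """Split a running config on '#' separator lines. Each block is a list of
    stripped non-empty lines whose first element is the block's opening command."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    limited = set()  # protocols that have an explicit aaa session-limit
    for block in parse_blocks(config):
        head, body = block[0], block[1:]
        for line in block:
            if line.startswith("aaa session-limit "):
                limited.add(line.split()[2])
        if head.startswith("local-user ") and "class manage" in head:
            obj = f"local-user {head.split()[1]}"
            if not any(l.startswith("password ") for l in body):
                findings.append(("high", obj, "no password: the user passes authentication on username and attribute checks alone"))
            for l in body:
                if l.startswith("service-type ") and "telnet" in l.split():
                    findings.append(("medium", obj, "service-type telnet: credentials cross the network in cleartext"))
        elif head.startswith("domain name "):
            obj = f"domain {head.split()[2]}"
            for l in body:
                parts = l.split()
                if parts[0] in ("authentication", "authorization", "accounting") and "none" in parts:
                    sev = "high" if parts[0] == "authentication" else "low"
                    if parts[-2:] == ["local", "none"]:
                        msg = f"{l}: falls back to no {parts[0]} when the local method cannot be used"
                    else:
                        msg = f"{l}: no {parts[0]} for these users"
                    findings.append((sev, obj, msg))
        elif head.startswith("line vty"):
            modes = [l.split()[1] for l in body if l.startswith("authentication-mode ")]
            if modes != ["scheme"]:
                shown = " ".join(modes) or "not set"
                findings.append(("high", head, f"authentication-mode {shown}: AAA is not applied; use authentication-mode scheme"))
    for proto in ("ftp", "ssh", "telnet"):
        if proto not in limited:
            findings.append(("info", f"aaa session-limit {proto}", "not set: the default of 32 concurrent logins applies"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, obj, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev:6}] {obj}: {msg}")
```

Run against the output of display current-configuration saved to a file, the script reports nothing for the user ssh and domain bbb configured in the example, and flags the legacy user, the guest domain, and the unauthenticated VTY range.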