Configuring a Huawei router to authenticate (with authorization and accounting) against a TACACS+ server
10.10.10.10 – TACACS+/ACS/ISE/AAA server #1
10.10.10.11 – TACACS+/ACS/ISE/AAA server #2
20.20.20.2 – Loopback/source IP
1. Configure the TACACS+ server profile (template)
hwtacacs-server template <PROFILENAME>
hwtacacs-server authentication <TACACS IP#1>
hwtacacs-server authentication <TACACS IP#2> secondary
hwtacacs-server authorization <TACACS IP#1>
hwtacacs-server authorization <TACACS IP#2> secondary
hwtacacs-server accounting <TACACS IP#1>
hwtacacs-server accounting <TACACS IP#2> secondary
hwtacacs-server source-ip <SOURCE IP>
hwtacacs-server shared-key cipher <TACACS KEY>
hwtacacs-server user-name original
Sample Config:
hwtacacs-server template freenetworktutorials
hwtacacs-server authentication 10.10.10.10
hwtacacs-server authentication 10.10.10.11 secondary
hwtacacs-server authorization 10.10.10.10
hwtacacs-server authorization 10.10.10.11 secondary
hwtacacs-server accounting 10.10.10.10
hwtacacs-server accounting 10.10.10.11 secondary
hwtacacs-server source-ip 20.20.20.2
hwtacacs-server shared-key cipher %^%#;@A~ktB2)8`FLf~1/84h,}fnt;f>XY%^%#
hwtacacs-server user-name original
2. Configure the AAA schemes. Set “local” as the fallback authentication/authorization mode in case the TACACS+ servers become unreachable
aaa
authentication-scheme <NAME>
authentication-mode hwtacacs local
authorization-scheme <NAME>
authorization-mode hwtacacs local
authorization-cmd <privilege level> hwtacacs local
accounting-scheme <NAME>
accounting-mode hwtacacs
accounting start-fail online
(Optional: “accounting start-fail online” allows users to stay online if the accounting start request fails)
Sample Config:
aaa
authentication-scheme freenetworktutorials
authentication-mode hwtacacs local
authorization-scheme freenetworktutorials
authorization-mode hwtacacs local
authorization-cmd 0 hwtacacs local
authorization-cmd 15 hwtacacs local
accounting-scheme freenetworktutorials
accounting-mode hwtacacs
3. Configure a local user as fallback authentication in case the AAA servers are unreachable
aaa
local-user <USER> password irreversible-cipher <password>
local-user <USER> service-type ssh
local-user <USER> level <value>
local-user <USER> state block fail-times 3 interval 5
Optional commands:
local-user <USER> privilege level 15
local-user <USER> state block fail-times 3 interval 5
Sample Config:
aaa
local-user freeuser password irreversible-cipher +$GKCa6WJ!N4[QH.OY6(C6GCPt#U/'HIa@AoU>;R"Z8SfNT`
local-user freeuser service-type ssh
local-user freeuser level 3
local-user freeuser privilege level 15
local-user freeuser state block fail-times 3 interval 5
4. Configure the domain that ties the AAA schemes and the TACACS+ server template together
aaa
domain <domain name>
authentication-scheme <AAA scheme>
authorization-scheme <AAA scheme>
accounting-scheme <AAA scheme>
hwtacacs-server <PROFILENAME>
Sample Config:
aaa
domain FNT
authentication-scheme freenetworktutorials
authorization-scheme freenetworktutorials
accounting-scheme freenetworktutorials
hwtacacs-server freenetworktutorials
5. Optional: AAA recording scheme that sends system events, executed commands and outbound connections to the TACACS+ server
aaa
recording-scheme <AAA scheme>
recording-mode hwtacacs <PROFILENAME>
system recording-scheme <AAA scheme>
outbound recording-scheme <AAA scheme>
cmd recording-scheme <AAA scheme>
Sample Config:
aaa
recording-scheme freenetworktutorials
recording-mode hwtacacs freenetworktutorials
system recording-scheme freenetworktutorials
outbound recording-scheme freenetworktutorials
cmd recording-scheme freenetworktutorials
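As an added example (not part of the original page and not a Huawei tool), the Python audit below reads a saved running config and reports which of steps 1-4 are missing or weakened: no secondary server, a shared key not stored as cipher, no local fallback, no lockout on the local user, or a domain that does not bind every scheme. The config it parses is constructed and uses placeholder cipher strings.

```python
# Constructed Huawei running-config excerpt (not a real device dump); it omits parts of steps 1-4 on purpose.
SAMPLE_CONFIG = """\
hwtacacs-server template freenetworktutorials
 hwtacacs-server authentication 10.10.10.10
 hwtacacs-server authentication 10.10.10.11 secondary
 hwtacacs-server authorization 10.10.10.10
 hwtacacs-server accounting 10.10.10.10
 hwtacacs-server accounting 10.10.10.11 secondary
 hwtacacs-server shared-key cipher %^%#CONSTRUCTED-PLACEHOLDER%^%#
aaa
 authentication-scheme freenetworktutorials
  authentication-mode hwtacacs local
 authorization-scheme freenetworktutorials
  authorization-mode hwtacacs
 local-user freeuser password irreversible-cipher CONSTRUCTED-PLACEHOLDER
 domain FNT
  authentication-scheme freenetworktutorials
  authorization-scheme freenetworktutorials
  hwtacacs-server freenetworktutorials
"""

def audit_hwtacacs(config: str) -> list[str]:
    # Checks a config dump against steps 1-4 above; an empty list means every check passed.
    raw = config.splitlines()
    lines = [l.strip() for l in raw]
    findings = []
    # Step 1: a primary and a secondary server per AAA function, shared key stored as cipher.
    for fn in ("authentication", "authorization", "accounting"):
        if not any(l.startswith(f"hwtacacs-server {fn} ") and l.endswith(" secondary") for l in lines):
            findings.append(f"no secondary {fn} server")
    if not any(l.startswith("hwtacacs-server shared-key cipher ") for l in lines):
        findings.append("shared key missing or not stored as cipher")
    # Step 2: local fallback keeps the device manageable when every TACACS+ server is unreachable.
    for mode in ("authentication-mode", "authorization-mode"):
        if f"{mode} hwtacacs local" not in lines:
            findings.append(f"{mode} does not fall back to local")
    # Step 3: the local fallback account must be lockout-protected.
    if not any(l.startswith("local-user ") and " state block fail-times " in l for l in lines):
        findings.append("no local-user lockout (state block fail-times)")
    # Step 4: the domain must bind the three schemes and the template; its sub-commands are the lines indented deeper than "domain".
    bound = set()
    for i, l in enumerate(raw):
        if l.strip().startswith("domain "):
            for sub in raw[i + 1:]:
                if len(sub) - len(sub.lstrip()) <= len(l) - len(l.lstrip()):
                    break
                bound.add(sub.split()[0])
    for kw in ("authentication-scheme", "authorization-scheme", "accounting-scheme", "hwtacacs-server"):
        if kw not in bound:
            findings.append(f"domain does not bind {kw}")
    return findings
```

Run it against a `display current-configuration` capture saved to a file; each finding names the step above whose command is absent.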