TACACS (AAA) Configuration on Huawei Router

Configuring a Huawei router to authenticate (and also authorize and account) against a TACACS+ server

10.10.10.10 – Tacacs+/ACS/ISE/AAA server#1
10.10.10.11 – Tacacs+/ACS/ISE/AAA server#2
20.20.20.2 – Loopback/source IP

1. Configure the TACACS+ server template (profile)

hwtacacs-server template <PROFILENAME>
hwtacacs-server authentication <TACACS IP#1>
hwtacacs-server authentication <TACACS IP#2> secondary
hwtacacs-server authorization <TACACS IP#1>
hwtacacs-server authorization <TACACS IP#2> secondary
hwtacacs-server accounting <TACACS IP#1>
hwtacacs-server accounting <TACACS IP#2> secondary
hwtacacs-server source-ip <SOURCE IP>
hwtacacs-server shared-key cipher <TACACS KEY>
hwtacacs-server user-name original

Sample Config:
hwtacacs-server template freenetworktutorials
   hwtacacs-server authentication 10.10.10.10
   hwtacacs-server authentication 10.10.10.11 secondary
   hwtacacs-server authorization 10.10.10.10
   hwtacacs-server authorization 10.10.10.11 secondary
   hwtacacs-server accounting 10.10.10.10
   hwtacacs-server accounting 10.10.10.11 secondary
   hwtacacs-server source-ip 20.20.20.2
   hwtacacs-server shared-key cipher %^%#;@A~ktB2)8`FLf~1/84h,}fnt;f>XY%^%#
   hwtacacs-server user-name original

2. Configure the AAA schemes. Set “local” as the backup authentication/authorization method in case the TACACS+ servers become unreachable

aaa
authentication-scheme <NAME>
authentication-mode hwtacacs local

authorization-scheme <NAME>
authorization-mode hwtacacs local
authorization-cmd <privilege level> hwtacacs local

accounting-scheme <NAME>
accounting-mode hwtacacs
accounting start-fail online

(Optional: the “accounting start-fail online” command allows users to stay online even if the accounting start request fails)

Sample Config:
aaa
authentication-scheme freenetworktutorials

   authentication-mode hwtacacs local

authorization-scheme freenetworktutorials
  authorization-mode hwtacacs local
  authorization-cmd 0 hwtacacs local
  authorization-cmd 15 hwtacacs local

accounting-scheme freenetworktutorials
  accounting-mode hwtacacs

3. Configure a local user as the backup authentication method if the AAA servers are unreachable

aaa
local-user <USER> password irreversible-cipher <password>
local-user <USER> service-type ssh
local-user <USER> level <value>
local-user <USER> state block fail-times 3 interval 5

Optional commands:
local-user <USER> privilege level 15
local-user <USER> state block fail-times 3 interval 5

Sample Config:
aaa
  local-user freeuser password irreversible-cipher +\$GKCa6WJ!N4[QH.OY6(C6GCPt#U/'HIa@AoU>;R"Z8SfNT`
  local-user freeuser service-type ssh
  local-user freeuser level 3
  local-user freeuser privilege level 15
  local-user freeuser state block fail-times 3 interval 5

4. Configure the domain to bind the AAA schemes and the TACACS+ server template

aaa
domain <domain name>
authentication-scheme <AAA scheme>
authorization-scheme <AAA scheme>
accounting-scheme <AAA scheme>
hwtacacs-server <PROFILENAME>   (the template name from step 1)

Sample Config:
aaa
   domain FNT
   authentication-scheme freenetworktutorials
   authorization-scheme freenetworktutorials
   accounting-scheme freenetworktutorials
   hwtacacs-server freenetworktutorials

5. Optional AAA configuration for event reporting

aaa
recording-scheme <AAA scheme>
recording-mode hwtacacs <PROFILENAME>   (the template name from step 1)
system recording-scheme <AAA scheme>
outbound recording-scheme <AAA scheme>
cmd recording-scheme <AAA scheme>

Sample Config:
aaa
  recording-scheme freenetworktutorials
    recording-mode hwtacacs freenetworktutorials
system recording-scheme freenetworktutorials
outbound recording-scheme freenetworktutorials
cmd recording-scheme freenetworktutorials
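To check a saved configuration against the checklist in steps 1 to 4 (primary and secondary servers, a source IP, a cipher-stored shared key, “hwtacacs local” fallback, a local user with an irreversible-cipher password and lockout, and a domain whose bindings actually exist), here is an added Python audit script. It is not part of this tutorial and not Huawei code. It assumes the one-command-per-line layout shown on this page and ignores indentation; the sample input is the page's own configuration with the key material replaced by constructed placeholders.

```python
"""Audit a Huawei VRP AAA/HWTACACS configuration against the tutorial's checklist.
Added example; not from the tutorial or Huawei. Assumes one command per line."""

# Constructed sample: the page's configuration with secrets replaced by placeholders.
SAMPLE_CONFIG = """
hwtacacs-server template freenetworktutorials
   hwtacacs-server authentication 10.10.10.10
   hwtacacs-server authentication 10.10.10.11 secondary
   hwtacacs-server authorization 10.10.10.10
   hwtacacs-server authorization 10.10.10.11 secondary
   hwtacacs-server accounting 10.10.10.10
   hwtacacs-server accounting 10.10.10.11 secondary
   hwtacacs-server source-ip 20.20.20.2
   hwtacacs-server shared-key cipher %^%#REPLACED-CIPHER-TEXT%^%#
   hwtacacs-server user-name original
aaa
 authentication-scheme freenetworktutorials
  authentication-mode hwtacacs local
 authorization-scheme freenetworktutorials
  authorization-mode hwtacacs local
  authorization-cmd 0 hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme freenetworktutorials
  accounting-mode hwtacacs
 local-user freeuser password irreversible-cipher REPLACED-HASH
 local-user freeuser service-type ssh
 local-user freeuser level 3
 local-user freeuser state block fail-times 3 interval 5
 domain FNT
  authentication-scheme freenetworktutorials
  authorization-scheme freenetworktutorials
  accounting-scheme freenetworktutorials
  hwtacacs-server freenetworktutorials
"""

# Constructed weak variant: no local fallback for authentication, key stored in clear.
WEAK_CONFIG = (SAMPLE_CONFIG
               .replace("authentication-mode hwtacacs local", "authentication-mode hwtacacs")
               .replace("shared-key cipher", "shared-key simple"))

KINDS = ("authentication", "authorization", "accounting")


def parse_aaa(text):
    """Pull the template, scheme, local-user and domain facts out of the config text.
    Scheme lines seen after a 'domain' line are treated as bindings, not definitions."""
    cfg = {"templates": {}, "schemes": {k: {} for k in KINDS},
           "local_users": {}, "domains": {}}
    template = scheme = domain = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "hwtacacs-server":
            if tok[1] == "template":
                template = cfg["templates"].setdefault(tok[2], {k: [] for k in KINDS})
                domain = None
            elif domain is not None:                      # binding inside a domain
                domain["hwtacacs-server"] = tok[1]
            elif template is not None and tok[1] in KINDS:
                template[tok[1]].append((tok[2], "secondary" in tok[3:]))
            elif template is not None and tok[1] == "source-ip":
                template["source-ip"] = tok[2]
            elif template is not None and tok[1] == "shared-key":
                template["shared-key"] = tok[2]            # "cipher" or "simple"
        elif tok[0] == "domain":
            domain = cfg["domains"].setdefault(tok[1], {})
            template = None
        elif tok[0] in tuple(k + "-scheme" for k in KINDS):
            if domain is not None:
                domain[tok[0]] = tok[1]
            else:
                scheme = cfg["schemes"][tok[0].split("-")[0]].setdefault(tok[1], {})
        elif tok[0] in tuple(k + "-mode" for k in KINDS) and scheme is not None:
            scheme["mode"] = tok[1:]
        elif tok[0] == "local-user":
            user = cfg["local_users"].setdefault(tok[1], {})
            domain = None
            if tok[2] == "password":
                user["password"] = tok[3]
            elif tok[2] == "state" and "fail-times" in tok:
                user["lockout"] = True
    return cfg


def audit(text):
    """Return a list of findings; an empty list means the config matches the checklist."""
    cfg, findings = parse_aaa(text), []
    for name, t in cfg["templates"].items():
        for kind in KINDS:
            if {sec for _, sec in t[kind]} != {False, True}:
                findings.append(f"template {name}: {kind} is missing a primary or secondary server")
        if "source-ip" not in t:
            findings.append(f"template {name}: no source-ip configured")
        if t.get("shared-key") != "cipher":
            findings.append(f"template {name}: shared-key missing or not stored as cipher")
    for kind in ("authentication", "authorization"):
        for name, s in cfg["schemes"][kind].items():
            if s.get("mode") != ["hwtacacs", "local"]:
                findings.append(f"{kind}-scheme {name}: mode should be 'hwtacacs local' for fallback")
    if not cfg["local_users"]:
        findings.append("no local fallback user defined")
    for name, u in cfg["local_users"].items():
        if u.get("password") != "irreversible-cipher":
            findings.append(f"local-user {name}: password is not irreversible-cipher")
        if not u.get("lockout"):
            findings.append(f"local-user {name}: no 'state block fail-times' lockout")
    for dname, d in cfg["domains"].items():
        for kind in KINDS:
            if d.get(f"{kind}-scheme") not in cfg["schemes"][kind]:
                findings.append(f"domain {dname}: {kind}-scheme {d.get(kind + '-scheme')!r} is not defined")
        if d.get("hwtacacs-server") not in cfg["templates"]:
            findings.append(f"domain {dname}: template {d.get('hwtacacs-server')!r} is not defined")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(cfg_text) or ["OK"])
```

Run it against a `display current-configuration` capture pasted into a file; the sample passes cleanly, while the weak variant reports the clear-text shared key and the missing “local” fallback, which are the two settings most often left out when this procedure is copied by hand.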
