aaa
domain
isp1
authentication-scheme newscheme
accounting-scheme newscheme
radius-server
hwtacacs
quit
2.4.4 Configuring the Remote AAA (HWTACACS Protocol)
The MA5600T/MA5603T/MA5608T is interconnected with the HWTACACS server through
the HWTACACS protocol to implement authentication, authorization, and accounting.
Context
- What is HWTACACS:
  - HWTACACS is a security protocol that extends TACACS (RFC 1492) with additional functions. Like RADIUS, HWTACACS provides subscriber AAA (authentication, authorization, and accounting) by communicating with an HWTACACS server in client/server (C/S) mode.
  - HWTACACS is used for the authentication, authorization, and accounting of 802.1X access users and management users.
- Principle of HWTACACS:
  HWTACACS uses a client/server architecture: the NAS (MA5600T/MA5603T/MA5608T) sends encrypted HWTACACS packets to the security server and its HWTACACS database. The working mode is as follows:
  - HWTACACS authentication. When a remote user connects to the corresponding port of the NAS, the NAS communicates with the daemon of the HWTACACS server and obtains a prompt asking for the user name, which it displays to the user. When the remote user enters the user name, the NAS transmits it to the daemon. The NAS then obtains a prompt asking for the password and displays it to the user. After the remote user enters the password, the NAS transmits the password to the daemon.
  - HWTACACS authorization. After being authenticated, the user can be authorized. The NAS communicates with the daemon of the HWTACACS server, which returns an accept or reject response for the authorization.

NOTE
- The HWTACACS configuration only defines the parameters used for data exchange between the MA5600T/MA5603T/MA5608T and the HWTACACS server. To make these parameters take effect, you need to use the HWTACACS server group in a domain.
- The settings of an HWTACACS server template can be modified regardless of whether the template is bound to a server or not.
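The following Python simulation is an added example (not Huawei code or HWTACACS wire format) of the dialog described above: the daemon prompts for the user name, then for the password, returns PASS or FAIL, and is then asked for an ACCEPT/REJECT authorization decision. It also models the NOTE: the NAS only contacts the HWTACACS server if the user's domain has an HWTACACS server group bound. The class names, message types, user database, privilege levels and domain table are all constructed for the demo; packet encryption is out of scope.

```python
"""Simulated HWTACACS-style AAA dialog between a NAS and a server daemon.

Added illustration, not Huawei code. Class names, message types and the
user/domain tables are hypothetical and constructed for the demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Daemon:
    """Constructed HWTACACS server: salted password hashes, an authorization
    table and per-session state for the prompt/answer dialog."""
    users: dict = field(default_factory=dict)       # name -> (salt, sha256 digest)
    privileges: dict = field(default_factory=dict)  # name -> highest allowed level
    sessions: dict = field(default_factory=dict)    # session id -> dialog state

    def add_user(self, name, password, level):
        salt = os.urandom(16)
        digest = hashlib.sha256(salt + password.encode()).digest()
        self.users[name] = (salt, digest)
        self.privileges[name] = level

    def start_session(self):
        """First exchange: the daemon asks the NAS to collect the user name."""
        sid = len(self.sessions) + 1
        self.sessions[sid] = {"state": "GETUSER"}
        return sid, ("GETUSER", "Username:")

    def continue_session(self, sid, answer):
        """Next exchange: consume the NAS's answer and return the next prompt
        or the final authentication status (PASS/FAIL)."""
        s = self.sessions[sid]
        if s["state"] == "GETUSER":
            s["user"], s["state"] = answer, "GETPASS"
            return ("GETPASS", "Password:")
        if s["state"] == "GETPASS":
            s["state"] = "DONE"
            return (self._check_password(s["user"], answer), "")
        raise ValueError("authentication session already finished")

    def _check_password(self, name, password):
        # Unknown users are hashed and compared like everyone else, so the
        # daemon's response time does not reveal which user names exist.
        salt, digest = self.users.get(name, (b"", b"\x00" * 32))
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return "PASS" if hmac.compare_digest(candidate, digest) else "FAIL"

    def authorize(self, name, requested_level):
        """Authorization is a separate exchange after a successful authentication."""
        return "ACCEPT" if self.privileges.get(name, 0) >= requested_level else "REJECT"


@dataclass
class Nas:
    """Constructed NAS: relays daemon prompts to the user and answers to the daemon."""
    domains: dict                     # domain name -> scheme/server bindings (mirrors the CLI)
    daemon: Daemon
    transcript: list = field(default_factory=list)

    def login(self, user_at_domain, password, requested_level=15):
        name, _, domain = user_at_domain.partition("@")
        binding = self.domains.get(domain, {})
        if not binding.get("hwtacacs"):
            # NOTE from the guide: HWTACACS parameters only take effect once the
            # server group is used in the domain; otherwise the server is never asked.
            self.transcript.append(f"NAS: domain {domain!r} has no HWTACACS server group bound")
            return "FAIL"
        sid, (_, prompt) = self.daemon.start_session()
        self.transcript.append(f"SERVER -> NAS: {prompt}")          # NAS shows this to the user
        _, prompt = self.daemon.continue_session(sid, name)          # user typed the name
        self.transcript.append(f"NAS -> SERVER: {name}")
        self.transcript.append(f"SERVER -> NAS: {prompt}")
        status, _ = self.daemon.continue_session(sid, password)      # user typed the password
        self.transcript.append("NAS -> SERVER: <password>")
        self.transcript.append(f"SERVER -> NAS: authentication {status}")
        if status != "PASS":
            return "FAIL"
        decision = self.daemon.authorize(name, requested_level)
        self.transcript.append(f"SERVER -> NAS: authorization {decision} (level {requested_level})")
        return decision


def build_demo():
    """Constructed users and domains: isp1 binds an HWTACACS group, isp2 does not."""
    daemon = Daemon()
    daemon.add_user("alice", "alice-pass", level=15)
    daemon.add_user("bob", "bob-pass", level=1)
    domains = {
        "isp1": {"authentication-scheme": "newscheme", "accounting-scheme": "newscheme",
                 "hwtacacs": "hwtacacs-group-demo"},
        "isp2": {"authentication-scheme": "newscheme", "hwtacacs": None},
    }
    return Nas(domains, daemon), daemon


if __name__ == "__main__":
    nas, _ = build_demo()
    for attempt in ("alice@isp1", "bob@isp1", "alice@isp2"):
        print(attempt, "->", nas.login(attempt, "alice-pass" if attempt.startswith("alice") else "bob-pass"))
    print("\n".join(nas.transcript))
```

The transcript shows the two distinct phases the guide describes: the authentication dialog driven by the daemon's prompts, and a separate authorization decision that can still reject an authenticated user (bob, level 1, asking for level 15).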
Procedure
Step 1 Configure the AAA authentication scheme.
The authentication scheme specifies how all the users in an ISP domain are authenticated.
SmartAX MA5600T/MA5603T/MA5608T Multi-service Access Module Commissioning and Configuration Guide
2 Basic Configurations
Issue 01 (2014-04-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
240