Implement AAA authentication using ACS (HUAWEI + acs)

Source: Internet
Author: User
Tags: configuration settings

ACS introduction

Cisco Secure Access Control Server (Cisco Secure ACS) is a highly scalable, high-performance access control server that provides a comprehensive identity-based network solution. It is an important component of Cisco's Identity-Based Networking Services (IBNS) architecture. Cisco Secure ACS strengthens access security by combining authentication, user or administrator access, and policy control in a centralized identity networking framework, which makes enterprise networks more flexible and mobile, more secure, and more productive for users. Cisco Secure ACS supports a wide range of access connection types, including wired and wireless LAN, dial-up, broadband, content, storage, VoIP, firewall, and VPN, and it is a key component of Cisco network access control.

Applicable scenarios:

1. centrally controlling users who log on to the network through a wired or wireless connection;
2. setting the permissions and record information for each network user, including security auditing or user accounting;
3. setting access permissions and control commands for each configuration administrator;
4. vendor-specific attributes (VSAs) used for Aironet key resetting, server permissions, and encryption;
5. simplifying firewall access and unified control through dynamic port allocation for the user AAA service.

AAA introduction

AAA is the abbreviation of Authentication, Authorization, and Accounting:

1. Authentication: verifies the user's identity and determines which network services the user may use;
2. Authorization: opens network services to the user based on the authentication result;
3. Accounting: records the user's usage of the various network services and provides it to the billing system.

In addition, there is HWTACACS (Huawei Terminal Access Controller Access Control System), a protocol that Huawei extended from TACACS. HWTACACS is a security protocol that enhances the functionality of TACACS (RFC 1492). It is similar to the RADIUS protocol.
It communicates with the HWTACACS server in client/server mode to implement AAA for multiple users. The differences between HWTACACS and RADIUS are:

1. RADIUS is based on UDP, while HWTACACS is based on TCP.
2. In RADIUS, authentication and authorization are bound together; in HWTACACS, authentication and authorization are independent.
3. RADIUS encrypts only the user's password, while HWTACACS can encrypt the entire message.

Authentication scheme and authentication mode

AAA supports local authentication, non-authentication, RADIUS authentication, and HWTACACS authentication, and these can be used in combination. A combined authentication mode is applied in order. For example, authentication-mode radius local means that RADIUS authentication is used first, and local authentication is used only when the RADIUS server does not respond. When a combined authentication mode includes non-authentication, none must be placed last, for example authentication-mode radius local none. The authentication mode is configured in the authentication scheme view. When a new authentication scheme is created, local authentication is used by default.

Authorization scheme and authorization mode

AAA supports local authorization, direct authorization (none), if-authenticated authorization, and HWTACACS authorization, and these can be used in combination. A combined authorization mode is applied in order. For example, authorization-mode hwtacacs local means that HWTACACS authorization is used first, and local authorization is used only when the HWTACACS server does not respond. When a combined authorization mode includes direct authorization, none must be placed last, for example authorization-mode hwtacacs local none. The authorization mode is configured in the authorization scheme view. When a new authorization scheme is created, local authorization is used by default.
Because RADIUS binds authentication and authorization together, there is no RADIUS authorization mode.

Accounting (billing) scheme and accounting mode

AAA supports six accounting modes: local accounting, no accounting, RADIUS accounting, HWTACACS accounting, RADIUS and local accounting at the same time, and HWTACACS and local accounting at the same time.

Lab 1:

Tutorial purpose: a company's internal network adopts unified management, and the authentication of the accounts and passwords of all devices is handed to the RADIUS server (ACS), which makes it easier for administrators to manage the devices. We verify the setup with Telnet and with dot1x respectively.

Topology: (diagram not reproduced in this copy of the page)

Tutorial steps:


1. Configure the RADIUS authentication server

Install the ACS server. Note that a JDK environment is required before the ACS server can be installed.

Before installing ACS, we need to install the JDK first: find the JDK installation program and click through the default installation.

After the JDK is installed, install ACS by running autorun.exe. The program management page after installation is shown in the following screenshot.


Because ACS is a Cisco product and the device we use is a Huawei device, we need to import Huawei's private (vendor-specific) attributes as follows. Write the file h3c.ini with the content below (the vendor name, the attribute section name and the line breaks are restored here from the run-together copy on this page):

```ini
[User Defined Vendor]
Name=Huawei
IETF Code=2011
VSA 29=hw_Exec_Privilege

[hw_Exec_Privilege]
Type=INTEGER
Profile=IN OUT
Enums=hw_Exec_Privilege-Values

[hw_Exec_Privilege-Values]
0=Access
1=Monitor
2=Manager
3=Administrator
```

Save the file to the hard disk (here c:\h3c.ini), find the bin folder in the ACS installation directory, open a command prompt in that folder, and run the following command, then press Enter:

```
csutil.exe -addUDV 0 c:\h3c.ini
```
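To make the h3c.ini definition concrete, here is an added example (not part of the page or of ACS) that encodes the hw_Exec_Privilege vendor-specific attribute exactly as it travels in a RADIUS Access-Accept (RFC 2865 attribute 26 with vendor id 2011 and sub-type 29) and parses it back out of an attribute list, rejecting malformed lengths and ignoring other vendors' VSAs. The sample Access-Accept attribute bytes are constructed here, not captured from a real server.

```python
import struct

# Values from the h3c.ini vendor definition on this page
HUAWEI_VENDOR_ID = 2011            # IETF Code
HW_EXEC_PRIVILEGE = 29             # VSA 29 = hw_Exec_Privilege
PRIVILEGE_NAMES = {0: "Access", 1: "Monitor", 2: "Manager", 3: "Administrator"}
VENDOR_SPECIFIC = 26               # RFC 2865 Vendor-Specific attribute type
REPLY_MESSAGE = 18                 # RFC 2865 Reply-Message, used only as filler here


def encode_hw_exec_privilege(level):
    """Build the Vendor-Specific attribute that carries hw_Exec_Privilege."""
    if level not in PRIVILEGE_NAMES:
        raise ValueError("unknown hw_Exec_Privilege level %r" % level)
    # vendor payload: sub-type, sub-length (2 header bytes + 4-byte INTEGER), value
    vendor_data = struct.pack("!BBI", HW_EXEC_PRIVILEGE, 6, level)
    body = struct.pack("!I", HUAWEI_VENDOR_ID) + vendor_data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_tlvs(raw):
    """Yield (type, value) from RADIUS type/length/value items; reject bad lengths."""
    pos = 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        yield atype, raw[pos + 2:pos + alen]
        pos += alen


def hw_exec_privilege(attrs):
    """Return (level, name) from the first Huawei hw_Exec_Privilege VSA in an
    Access-Accept attribute list, or None when no such attribute was sent."""
    for atype, value in iter_tlvs(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue  # a VSA from another vendor, ignore it
        for stype, svalue in iter_tlvs(value[4:]):
            if stype == HW_EXEC_PRIVILEGE and len(svalue) == 4:
                level = struct.unpack("!I", svalue)[0]
                return level, PRIVILEGE_NAMES.get(level, "unknown")
    return None


# Constructed sample: the attribute part of an Access-Accept for a member of the
# Administrator group on this page, preceded by a short Reply-Message.
SAMPLE_ACCEPT_ATTRS = bytes([REPLY_MESSAGE, 4]) + b"ok" + encode_hw_exec_privilege(3)
```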


Huawei's private (vendor-specific) attributes are now imported.

Configure the AAA client


Configuration of the AAA client and server is complete.


Enter the Interface Configuration page.


Click "Group Setup" to create a group and edit it.


Users in this group can use Huawei's private attributes, and each group member is an Administrator (value 3 of hw_Exec_Privilege).

Create a user: click "User Setup", create a user named test1, and add it to group1.


Configure RADIUS authentication on the Huawei switch. The page's copy of this configuration is run together; it is split into commands below. The ACS server address was not preserved and is shown as a placeholder, and the value 123456 that appears on the page is assumed here to be the shared key, which must match the key entered for the AAA client in ACS.

```
radius scheme xxx
 primary authentication <ACS-server-IP>
 key authentication 123456
 accounting optional
 server-type standard
 user-name-format without-domain
 quit
domain h3c
 radius-scheme xxx
 access-limit enable 10
 accounting optional
 state active
 quit
user-interface vty 0 4
 authentication-mode scheme
 quit
# the page also shows "password simple 456"; the command it belonged to was not preserved
```

Client Telnet test:

Client dot1x test:
