AAA study notes
AAA stands for the three security functions Authentication, Authorization and Accounting.
AAA can be implemented over several protocols; Huawei devices currently implement AAA over RADIUS and HWTACACS.
AAA is a security technology that provides authentication, authorization and accounting. It verifies whether a user is legitimate, authorizes which services the user may access, and records the user's use of network resources.
The AAA server is the remote RADIUS or HWTACACS server; it is responsible for the authentication, authorization and accounting decisions.
Currently, ARG3 series routers only support configuring authentication and authorization.
Authentication:
AAA supports three authentication modes: no authentication, local authentication and remote authentication.
Local authentication: the local user information is configured on the NAS. Its advantages are fast processing and low operating cost; its drawback is that the amount of user information that can be stored is limited by the device hardware.
Remote authentication: the user information is configured on an authentication server. AAA supports remote authentication over RADIUS or HWTACACS; the NAS acts as the client and communicates with the RADIUS or HWTACACS server.
Authorization:
AAA supports three authorization modes: no authorization, local authorization and remote authorization.
Local authorization: the user is authorized according to the attributes of the local user account configured on the NAS.
Remote authorization: HWTACACS authorization, in which an HWTACACS server authorizes the user. With RADIUS, authorization is bound to authentication (the authorization attributes arrive in the same exchange as the authentication result), so RADIUS cannot be used for authorization on its own.
Accounting:
AAA supports two accounting modes: no accounting and remote accounting.
AAA domains
AAA manages users through domains; different domains can be associated with different authentication, authorization and accounting schemes. A user is assigned to a domain by the @domain suffix of the login name; a login name with no suffix is handled by the default domain of its user type.
ARG3 series routers provide two default domains:
1. default, the default domain for ordinary (access) users.
2. default_admin, the default domain for administrative users.
These two default domains can be modified but not deleted. By default a device supports at most 32 domains, including the two default ones.
AAA configuration
## Show the default domain configuration
[AR2]dis domain
-------------------------------------------------------------------------
index DomainName
-------------------------------------------------------------------------
0 default
1 default_admin
-------------------------------------------------------------------------
Total: 2
## Show the details of a domain, and of the default schemes it uses
[AR2]dis domain name default_admin
Domain-name : default_admin
Domain-state : Active
Authentication-scheme-name : default
Accounting-scheme-name : default
Authorization-scheme-name : -
Service-scheme-name : -
RADIUS-server-template : -
HWTACACS-server-template : -
User-group : -
[AR2]dis domain name default
Domain-name : default
Domain-state : Active
Authentication-scheme-name : default
Accounting-scheme-name : default
Authorization-scheme-name : -
Service-scheme-name : -
RADIUS-server-template : -
HWTACACS-server-template : -
User-group : -
[AR2]
[AR2]disp authentication-scheme default
Authentication-scheme-name : default
Authentication-method : Local
Authentication-super method : Super
[AR2]disp authorization-scheme default
---------------------------------------------------------------------------
Authorization-scheme-name : default
Authorization-method : Local
Authorization-cmd level 0 : Disabled
Authorization-cmd level 1 : Disabled
Authorization-cmd level 2 : Disabled
Authorization-cmd level 3 : Disabled
Authorization-cmd level 4 : Disabled
Authorization-cmd level 5 : Disabled
Authorization-cmd level 6 : Disabled
Authorization-cmd level 7 : Disabled
Authorization-cmd level 8 : Disabled
Authorization-cmd level 9 : Disabled
Authorization-cmd level 10 : Disabled
Authorization-cmd level 11 : Disabled
Authorization-cmd level 12 : Disabled
Authorization-cmd level 13 : Disabled
Authorization-cmd level 14 : Disabled
Authorization-cmd level 15 : Disabled
Authorization-cmd no-response-policy : Online
---------------------------------------------------------------------------
[AR2]disp accounting-scheme default
Accounting-scheme-name : default
Accounting-method : None
Realtime-accounting-switch : Disabled
Realtime-accounting-interval(min) : -
Start-accounting-fail-policy : Offline
Realtime-accounting-fail-policy : Online
Realtime-accounting-failure-retries : 3
### Create authentication and authorization schemes and a domain, then bind the schemes to the domain
[AR2-aaa]authentication-scheme auth-2
Info: Create a new authentication scheme.
[AR2-aaa-authen-auth-2]authentication-mode local
[AR2-aaa-authen-auth-2]q
[AR2-aaa]domain huayun
Info: Success to create a new domain.
[AR2-aaa-domain-huayun]q
[AR2-aaa]authorization-scheme auth-2
Info: Create a new authorization scheme.
[AR2-aaa-author-auth-2]authorization-mode local
[AR2-aaa-author-auth-2]q
## (the domain view was re-entered with `domain huayun` before these two bindings; a scheme must already exist before it can be bound to a domain)
[AR2-aaa-domain-huayun]authorization-scheme auth-2
[AR2-aaa-domain-huayun]authentication-scheme auth-1
## note: the authentication scheme bound here is auth-1, not the auth-2 created above; the running configuration shown further down lists auth-1 as the existing authentication scheme
<AR2>disp domain name huayun
Domain-name : huayun
Domain-state : Active
Authentication-scheme-name : auth-1
Accounting-scheme-name : default
Authorization-scheme-name : auth-2
Service-scheme-name : -
RADIUS-server-template : -
HWTACACS-server-template : -
User-group : -
### Create a local user (the password is stored in cipher form in the configuration, but note that Telnet still carries it in cleartext on the wire)
[AR2-aaa]local-user huayun password cipher huayun@123
Info: Add a new user.
[AR2-aaa]local-user huayun service-type telnet ssh
## Apply AAA authentication to the VTY user interfaces (Telnet and SSH logins are then checked against the AAA configuration)
[AR2]user-interface vty 0 4
[AR2-ui-vty0-4]authentication-mode aaa
<AR2>system-view
Enter system view, return user view with Ctrl+Z.
[AR2]aaa
[AR2-aaa]di th
[V200R003C00]
#
aaa
authentication-scheme default
authentication-scheme auth-1
authorization-scheme default
authorization-scheme auth-2
accounting-scheme default
domain default
domain default_admin
domain huayun
authentication-scheme auth-1
authorization-scheme auth-2
local-user admin password cipher %$%$K8m.Nt84DZ}e#<08bmE3Uw}%$%$
local-user admin service-type http
local-user huayun password cipher %$%$*qNuFAzy93$c%|~6\I@Q5U|C%$%$
local-user huayun service-type telnet ssh
#
return
[AR2-aaa]dis local-user username huayun
The contents of local user(s):
Password : ****************
State : active
Service-type-mask : TS
Privilege level : -
Ftp-directory : -
Access-limit : -
Accessed-num : 1
Idle-timeout : -
User-group : -
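The configuration walkthrough above shows the relationships a reviewer has to check by hand: does each domain bind schemes that exist, what mode does each scheme use, and what does each local user end up with (service type, password storage form, privilege level). The script below is an added example for these notes, not code from the notes or from Huawei; it parses the `aaa` block of a `display this` dump and prints those findings. Its sample input is constructed from the dump shown above plus one extra user (`ops`) added to exercise the level-15 and `password simple` checks. It assumes that VRP prints scheme definitions before `domain` entries (so a scheme line after a `domain` line is a binding, which also handles dumps whose indentation was lost), that the implicit modes are local/local/none as the `display` outputs above show, and that a user with no `privilege level` line logs in at level 0.

```python
"""Audit the aaa block of a Huawei VRP `display this` dump: domain-to-scheme
bindings, scheme modes, local-user service types, password form and privilege.
Assumptions (not from the notes): scheme definitions precede `domain` entries,
so a scheme line after a `domain` line is a binding; implicit modes are
local/local/none; a user without a `privilege level` line is level 0."""
from dataclasses import dataclass, field

# Constructed sample: the notes' `display this` output plus one extra user (ops)
# added here to exercise the level-15 and `password simple` checks.
SAMPLE_DUMP = """\
aaa
 authentication-scheme default
 authentication-scheme auth-1
 authorization-scheme default
 authorization-scheme auth-2
 accounting-scheme default
 domain default
 domain default_admin
 domain huayun
  authentication-scheme auth-1
  authorization-scheme auth-2
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<08bmE3Uw}%$%$
 local-user admin service-type http
 local-user huayun password cipher %$%$*qNuFAzy93$c%|~6\\I@Q5U|C%$%$
 local-user huayun service-type telnet ssh
 local-user ops password simple Ops@12345
 local-user ops service-type ssh
 local-user ops privilege level 15
#
"""
DEFAULT_MODE = {"authentication": "local", "authorization": "local", "accounting": "none"}
CLEARTEXT_SERVICES = {"telnet", "http", "ftp"}  # carry credentials unencrypted


@dataclass
class LocalUser:
    name: str
    password_kind: str = ""  # cipher / irreversible-cipher / simple
    services: set = field(default_factory=set)
    level: int = 0  # assumption: no `privilege level` line means level 0


def parse_aaa(dump):
    """Return (schemes, domains, users); schemes maps kind -> {name: mode},
    domains maps name -> {kind: bound scheme name}."""
    schemes = {kind: {} for kind in DEFAULT_MODE}
    domains, users = {}, {}
    in_aaa, cur_scheme, cur_domain = False, None, None
    for raw in dump.splitlines():
        tok = raw.split()
        if tok == ["#"]:  # VRP separates configuration blocks with '#'
            in_aaa = False
        elif tok == ["aaa"]:
            in_aaa = True
        elif not in_aaa or not tok:
            continue
        elif tok[0].endswith("-scheme") and len(tok) > 1:
            kind = tok[0][: -len("-scheme")]
            if kind not in DEFAULT_MODE:  # e.g. service-scheme, not audited here
                continue
            if cur_domain is not None:  # binding inside a domain view
                domains[cur_domain][kind] = tok[1]
            else:  # definition at aaa level; default mode until a -mode line says otherwise
                schemes[kind].setdefault(tok[1], DEFAULT_MODE[kind])
                cur_scheme = (kind, tok[1])
        elif tok[0].endswith("-mode") and cur_scheme is not None:
            schemes[cur_scheme[0]][cur_scheme[1]] = " ".join(tok[1:])
        elif tok[0] == "domain" and len(tok) > 1:
            cur_domain, cur_scheme = tok[1], None
            domains.setdefault(cur_domain, {})
        elif tok[0] == "local-user" and len(tok) > 3:
            cur_domain = cur_scheme = None
            user = users.setdefault(tok[1], LocalUser(tok[1]))
            if tok[2] == "password":
                user.password_kind = tok[3]
            elif tok[2] == "service-type":
                user.services.update(tok[3:])
            elif tok[2:4] == ["privilege", "level"] and len(tok) > 4:
                user.level = int(tok[4])
    return schemes, domains, users


def audit(dump):
    """Return reviewer findings: unbound/undefined/none schemes and weak user settings."""
    schemes, domains, users = parse_aaa(dump)
    findings = []
    for name, bindings in domains.items():
        for kind in DEFAULT_MODE:
            bound = bindings.get(kind)
            if bound is None:  # `display domain name` shows '-' for authorization here
                if kind == "authorization":
                    findings.append(f"domain {name}: no authorization scheme bound")
            elif bound not in schemes[kind]:
                findings.append(f"domain {name}: {kind} scheme {bound} is not defined")
            elif schemes[kind][bound] == "none":
                findings.append(f"domain {name}: {kind} scheme {bound} uses mode none")
    for u in users.values():
        if u.password_kind == "simple":
            findings.append(f"user {u.name}: password set with 'simple', not in cipher form")
        clear = sorted(u.services & CLEARTEXT_SERVICES)
        if clear:
            findings.append(f"user {u.name}: cleartext service(s) enabled: {', '.join(clear)}")
        if u.level == 0:
            findings.append(f"user {u.name}: no privilege level set, logs in at level 0")
        elif u.level >= 15:
            findings.append(f"user {u.name}: full privilege (level {u.level}), confirm it is needed")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_DUMP)))
```

Run against the sample it reports the two default domains without an authorization scheme, the `http` and `telnet` services, the two users that still sit at level 0 (the state in which the Telnet test below fails), the `simple` password and the level-15 account. Paste a real `display this` from the `aaa` view into `SAMPLE_DUMP` to audit a device.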
## Telnet login succeeds, but the user has no privilege level (level 0), so almost no commands are available
## note: the login name huayun has no @domain suffix, so it is handled by the default administrator domain (default_admin), not by the huayun domain created above; log in as huayun@huayun to use that domain
<Huawei>telnet 172.16.10.2
Press CTRL_] to quit telnet mode
Trying 172.16.10.2 ...
Connected to 172.16.10.2 ...
Login authentication
Username:huayun
Password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 172.16.10.1
Time : 2020-07-03 10:32:07-08:00
-----------------------------------------------------------------------------
<AR2>display ?
l2tp-group PPP packet debugging functions
<AR2>display l
## Raise the privilege level (15 is the highest level and grants every command; in practice grant the lowest level that covers the user's tasks)
[AR2-aaa]local-user huayun privilege level 15
[AR2-aaa]dis local-user username huayun
The contents of local user(s):
Password : ****************
State : active
Service-type-mask : TS
Privilege level : 15
Ftp-directory : -
Access-limit : -
Accessed-num : 0
Idle-timeout : -
User-group : -
[AR2-aaa]
### Test again: the login succeeds and configuration commands are now authorized
<Huawei>telnet 172.16.10.2
Press CTRL_] to quit telnet mode
Trying 172.16.10.2 ...
Connected to 172.16.10.2 ...
Login authentication
Username:huayun
Password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 172.16.10.1
Time : 2020-07-03 10:29:31-08:00
-----------------------------------------------------------------------------
<AR2>di cu
[V200R003C00]