AAA Study Notes
AAA refers to three security functions: Authentication, Authorization, and Accounting.
AAA can be implemented with several protocols; Huawei devices currently implement AAA over RADIUS and HWTACACS.
AAA is a security technology that provides authentication, authorization, and accounting. It is used to verify whether a user is legitimate, to authorize the services a user may access, and to record the user's use of network resources.
The AAA server is a remote RADIUS or HWTACACS server that is responsible for the authentication, authorization, and accounting schemes.
Currently, ARG3 series routers only support configuring authentication and authorization.
Authentication:
AAA supports the following authentication modes: none, local, and remote.
Local authentication: local user information is configured on the NAS. Its advantages are fast processing and low operating cost; its disadvantage is that the amount of information that can be stored is limited by the device hardware.
Remote authentication: user information is configured on an authentication server. AAA supports remote authentication over RADIUS or HWTACACS; the NAS acts as the client and communicates with the RADIUS or HWTACACS server.
Authorization:
AAA supports the following authorization modes: none, local, and remote.
Local authorization: users are authorized according to the attributes of the local user account configured on the NAS.
Remote authorization: HWTACACS authorization, in which a TACACS server authorizes the user. Authorization is bound to authentication and cannot be performed on its own.
Accounting:
AAA supports the following accounting modes: none and remote.
AAA domains
AAA manages users through domains; different domains can be associated with different authentication, authorization, and accounting schemes.
ARG3 series routers support two default domains:
1. The default domain is the default domain for common users.
2. The default_admin domain is the default domain for administrative users.
Users can modify but cannot delete these two default domains. By default, a device supports at most 32 domains, including the two default domains.
AAA configuration
##View the default domain configuration
[AR2]dis domain
-------------------------------------------------------------------------
index DomainName
-------------------------------------------------------------------------
0 default
1 default_admin
-------------------------------------------------------------------------
Total: 2
##View domain details
[AR2]dis domain name default_admin
Domain-name : default_admin
Domain-state : Active
Authentication-scheme-name : default
Accounting-scheme-name : default
Authorization-scheme-name : -
Service-scheme-name : -
RADIUS-server-template : -
HWTACACS-server-template : -
User-group : -
[AR2]dis domain name default
Domain-name : default
Domain-state : Active
Authentication-scheme-name : default
Accounting-scheme-name : default
Authorization-scheme-name : -
Service-scheme-name : -
RADIUS-server-template : -
HWTACACS-server-template : -
User-group : -
[AR2]
[AR2]disp authentication-scheme default
Authentication-scheme-name : default
Authentication-method : Local
Authentication-super method : Super
[AR2]disp authenr
[AR2]disp author
[AR2]disp authorization-scheme default
---------------------------------------------------------------------------
Authorization-scheme-name : default
Authorization-method : Local
Authorization-cmd level 0 : Disabled
Authorization-cmd level 1 : Disabled
Authorization-cmd level 2 : Disabled
Authorization-cmd level 3 : Disabled
Authorization-cmd level 4 : Disabled
Authorization-cmd level 5 : Disabled
Authorization-cmd level 6 : Disabled
Authorization-cmd level 7 : Disabled
Authorization-cmd level 8 : Disabled
Authorization-cmd level 9 : Disabled
Authorization-cmd level 10 : Disabled
Authorization-cmd level 11 : Disabled
Authorization-cmd level 12 : Disabled
Authorization-cmd level 13 : Disabled
Authorization-cmd level 14 : Disabled
Authorization-cmd level 15 : Disabled
Authorization-cmd no-response-policy : Online
---------------------------------------------------------------------------
[AR2]disp accounting-scheme default
Accounting-scheme-name : default
Accounting-method : None
Realtime-accounting-switch : Disabled
Realtime-accounting-interval(min) : -
Start-accounting-fail-policy : Offline
Realtime-accounting-fail-policy : Online
Realtime-accounting-failure-retries : 3
###Create a domain
[AR2-aaa]auth
[AR2-aaa]authentication-scheme auth-2
Info: Create a new authentication scheme.
[AR2-aaa-authen-auth-2]authentication-mode local
[AR2-aaa-authen-auth-2]q
[AR2-aaa]domain huayun
Info: Success to create a new domain.
[AR2-aaa-domain-huayun]q
[AR2-aaa]authorization-scheme auth-2
Info: Create a new authorization scheme.
[AR2-aaa-author-auth-2]authorization-mode local
[AR2-aaa-author-auth-2]q
[AR2-aaa-domain-huayun]authorization-scheme auth-2
[AR2-aaa-domain-huayun]authentication-scheme auth-1
disp domain name huayun
Domain-name : huayun
Domain-state : Active
Authentication-scheme-name : auth-1
Accounting-scheme-name : default
Authorization-scheme-name : auth-2
Service-scheme-name : -
RADIUS-server-template : -
HWTACACS-server-template : -
User-group : -
return
###Create a user
[AR2-aaa]local-user huayun password cipher huayun@123
Info: Add a new user.
[AR2-aaa]local-user huayun service-type telnet ssh
###AAA authorization on the virtual (VTY) user interface
[AR2]user-interface vty 0 4
[AR2-ui-vty0-4]authentication-mode aaa
Enter system view, return user view with Ctrl+Z.
[AR2]aaa
[AR2-aaa]di th
[V200R003C00]
#
aaa
authentication-scheme default
authentication-scheme auth-1
authorization-scheme default
authorization-scheme auth-2
accounting-scheme default
domain default
domain default_admin
domain huayun
authentication-scheme auth-1
authorization-scheme auth-2
local-user admin password cipher %$%$K8m.Nt84DZ}e#<08bmE3Uw}%$%$
local-user admin service-type http
local-user huayun password cipher %$%$*qNuFAzy93$c%|~6\I@Q5U|C%$%$
local-user huayun service-type telnet ssh
#
return
[AR2-aaa]dis local-user username huayun
The contents of local user(s):
Password : ****************
State : active
Service-type-mask : TS
Privilege level : -
Ftp-directory : -
Access-limit : -
Accessed-num : 1
Idle-timeout : -
User-group : -
##Telnet access without authorization
telnet 172.16.10.2
Press CTRL_] to quit telnet mode
Trying 172.16.10.2 ...
Connected to 172.16.10.2 ...
Login authentication
Username:huayun
Password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 172.16.10.1
Time : 2020-07-03 10:32:07-08:00
-----------------------------------------------------------------------------
display ?
-group PPP packet debugging functions
display l
##Grant privilege
[AR2-aaa]local-user huayun privilege level 15
[AR2-aaa]dis local-user username huayun
The contents of local user(s):
Password : ****************
State : active
Service-type-mask : TS
Privilege level : 15
Ftp-directory : -
Access-limit : -
Accessed-num : 0
Idle-timeout : -
User-group : -
[AR2-aaa]
###Test: access works, the privilege has been authorized
telnet 172.16.10.2
Press CTRL_] to quit telnet mode
Trying 172.16.10.2 ...
Connected to 172.16.10.2 ...
Login authentication
Username:huayun
Password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 172.16.10.1
Time : 2020-07-03 10:29:31-08:00
-----------------------------------------------------------------------------
di cu
[V200R003C00]
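As an added example (not code from the page or from Huawei), a small Python audit that parses an aaa block in the format of the `display this` output above and reports, for the domain section and the privilege-level test together, which schemes each domain binds and which local users have risky settings (telnet service, no explicit privilege level, level 15). It assumes, as VRP prints it, that scheme declarations come before domain definitions, so it does not depend on indentation; the sample block and the function names parse_aaa and audit are constructed here.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the page's "display this" output in the aaa view.
SAMPLE = """\
aaa
 authentication-scheme auth-1
 authorization-scheme default
 authorization-scheme auth-2
 domain default
 domain default_admin
 domain huayun
  authentication-scheme auth-1
  authorization-scheme auth-2
 local-user admin service-type http
 local-user huayun service-type telnet ssh
 local-user huayun privilege level 15
"""
SCHEME_RE = re.compile(r"^(authentication|authorization|accounting)-scheme (\S+)$")

def parse_aaa(text):
    domains, users, cur = {}, defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SCHEME_RE.match(line)
        if line.startswith("domain "):
            cur = line.split()[1]
            domains[cur] = {}
        elif cur is not None and m:  # scheme lines after a domain are its bindings
            domains[cur][m.group(1)] = m.group(2)
        elif line.startswith("local-user "):
            parts = line.split()
            attrs = users[parts[1]]
            if parts[2] == "service-type":
                attrs["services"] = set(parts[3:])
            elif parts[2:4] == ["privilege", "level"]:
                attrs["level"] = int(parts[4])
    return domains, dict(users)

def audit(text):
    domains, users = parse_aaa(text)
    findings = [f"domain {d}: no authorization-scheme bound"
                for d, b in domains.items() if "authorization" not in b]
    for u, a in users.items():
        if "telnet" in a.get("services", ()):
            findings.append(f"user {u}: telnet enabled (cleartext); prefer ssh only")
        if "level" not in a:
            findings.append(f"user {u}: no explicit privilege level")
        elif a["level"] == 15:
            findings.append(f"user {u}: privilege level 15 (full admin)")
    return findings
```

Run audit() over the aaa block of a real `display current-configuration` dump to list the same findings for a device.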