AAA study: local authentication

AAA study
The three A's are Authentication, Authorization and Accounting: three security functions.
AAA can be implemented with several protocols; Huawei devices currently implement AAA on top of the RADIUS and HWTACACS protocols.
AAA is a security technology that provides authentication, authorization and accounting. It verifies whether a user is legitimate, authorizes which services the user may access, and records how the user consumes network resources.
The AAA server is a remote RADIUS or HWTACACS server that is responsible for defining the authentication, authorization and accounting schemes.
Currently, ARG3 series routers only support configuring authentication and authorization.


Authentication:
AAA supports three authentication methods: no authentication, local authentication and remote authentication.

Local authentication: local user information is configured on the NAS. Its advantages are fast processing and low operating cost; its disadvantage is that the amount of stored user information is limited by the device hardware.
Remote authentication: user information is configured on an authentication server. AAA supports remote authentication over RADIUS or HWTACACS. The NAS acts as the client and communicates with the RADIUS or HWTACACS server.

Authorization:
AAA supports three authorization methods: no authorization, local authorization and remote authorization.
Local authorization: authorization is based on the attributes of the local user account configured on the NAS.
Remote authorization: HWTACACS authorization, where a TACACS server authorizes the user. Authorization is bound together with authentication and cannot be performed on its own.

Accounting:
AAA supports two accounting methods: no accounting and remote accounting.

AAA domains
AAA manages users through domains; different domains can be associated with different authentication, authorization and accounting schemes.

ARG3 series routers support two default domains:
1. The default domain is the default domain for ordinary users.
2. The default_admin domain is the default domain for administrative users.
These two default domains can be modified but not deleted. By default the device supports at most 32 domains, including the two default domains.

AAA configuration
##View the default domain configuration

[AR2]dis domain
  -------------------------------------------------------------------------
  index    DomainName
  -------------------------------------------------------------------------
  0        default                                                         
  1        default_admin                                                   
  -------------------------------------------------------------------------
  Total: 2


##View the details of a domain

[AR2]dis domain name default_admin

  Domain-name                     : default_admin                   
  Domain-state                    : Active
  Authentication-scheme-name      : default
  Accounting-scheme-name          : default
  Authorization-scheme-name       : -
  Service-scheme-name             : -
  RADIUS-server-template          : -
  HWTACACS-server-template        : -
  User-group                      : -

[AR2]dis domain name default

  Domain-name                     : default                         
  Domain-state                    : Active
  Authentication-scheme-name      : default
  Accounting-scheme-name          : default
  Authorization-scheme-name       : -
  Service-scheme-name             : -
  RADIUS-server-template          : -
  HWTACACS-server-template        : -
  User-group                      : -

[AR2]


[AR2]disp authentication-scheme default

  Authentication-scheme-name    : default
  Authentication-method         : Local
  Authentication-super method   : Super
[AR2]disp authenr    
[AR2]disp author    
[AR2]disp authorization-scheme default
---------------------------------------------------------------------------
 Authorization-scheme-name   : default
 Authorization-method        : Local
 Authorization-cmd level  0   : Disabled
 Authorization-cmd level  1   : Disabled
 Authorization-cmd level  2   : Disabled
 Authorization-cmd level  3   : Disabled
 Authorization-cmd level  4   : Disabled
 Authorization-cmd level  5   : Disabled
 Authorization-cmd level  6   : Disabled
 Authorization-cmd level  7   : Disabled
 Authorization-cmd level  8   : Disabled
 Authorization-cmd level  9   : Disabled
 Authorization-cmd level 10   : Disabled
 Authorization-cmd level 11   : Disabled
 Authorization-cmd level 12   : Disabled
 Authorization-cmd level 13   : Disabled
 Authorization-cmd level 14   : Disabled
 Authorization-cmd level 15   : Disabled
 Authorization-cmd no-response-policy    : Online
---------------------------------------------------------------------------

[AR2]disp accounting-scheme default

  Accounting-scheme-name                : default                         
  Accounting-method                     : None      
  Realtime-accounting-switch            : Disabled  
  Realtime-accounting-interval(min)     : -
  Start-accounting-fail-policy          : Offline             
  Realtime-accounting-fail-policy       : Online              
  Realtime-accounting-failure-retries   : 3


###Create a domain

[AR2-aaa]auth    
[AR2-aaa]authentication-scheme auth-2
Info: Create a new authentication scheme.
[AR2-aaa-authen-auth-2]authentication-mode local
[AR2-aaa-authen-auth-2]q
[AR2-aaa]domain huayun
Info: Success to create a new domain.
[AR2-aaa-domain-huayun]q
[AR2-aaa]authorization-scheme  auth-2
Info: Create a new authorization scheme.
[AR2-aaa-author-auth-2]authorization-mode local
[AR2-aaa-author-auth-2]q
[AR2-aaa-domain-huayun]authorization-scheme auth-2
[AR2-aaa-domain-huayun]authentication-scheme auth-1
disp domain name huayun

  Domain-name                     : huayun                          
  Domain-state                    : Active
  Authentication-scheme-name      : auth-1
  Accounting-scheme-name          : default
  Authorization-scheme-name       : auth-2
  Service-scheme-name             : -
  RADIUS-server-template          : -
  HWTACACS-server-template        : -
  User-group                      : -


return


###Create a user

[AR2-aaa]local-user huayun password cipher huayun@123
Info: Add a new user.    
[AR2-aaa]local-user huayun service-type telnet ssh


###Enable AAA authentication on the virtual terminal interfaces

[AR2]user-interface vty 0 4
[AR2-ui-vty0-4]authentication-mode aaa
Enter system view, return user view with Ctrl+Z.
[AR2]aaa
[AR2-aaa]di th
[V200R003C00]
#
aaa
 authentication-scheme default
 authentication-scheme auth-1
 authorization-scheme default
 authorization-scheme auth-2
 accounting-scheme default
 domain default
 domain default_admin
 domain huayun  
  authentication-scheme auth-1
  authorization-scheme auth-2
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<08bmE3Uw}%$%$
 local-user admin service-type http
 local-user huayun password cipher %$%$*qNuFAzy93$c%|~6\I@Q5U|C%$%$
 local-user huayun service-type telnet ssh
#
return

[AR2-aaa]dis local-user username huayun
  The contents of local user(s):
  Password          : ****************
  State             : active    
  Service-type-mask : TS
  Privilege level   : -
  Ftp-directory     : -
  Access-limit      : -        
  Accessed-num      : 1   
  Idle-timeout      : -
  User-group        : -


 
##Telnet access without authorization (no privilege level assigned)

telnet 172.16.10.2
  Press CTRL_] to quit telnet mode
  Trying 172.16.10.2 ...
  Connected to 172.16.10.2 ...

Login authentication


Username:huayun
Password:
  -----------------------------------------------------------------------------
    
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: Telnet      
  IP-Address : 172.16.10.1     
  Time       : 2020-07-03 10:32:07-08:00     
  -----------------------------------------------------------------------------

    
display ?
  -group  PPP packet debugging functions
display l    

##Raise the privilege level
 

[AR2-aaa]local-user huayun privilege level 15
[AR2-aaa]dis local-user username huayun
  The contents of local user(s):
  Password          : ****************
  State             : active    
  Service-type-mask : TS
  Privilege level   : 15
  Ftp-directory     : -
  Access-limit      : -        
  Accessed-num      : 0   
  Idle-timeout      : -
  User-group        : -
[AR2-aaa]

###Test: access works and the privilege has been authorized

telnet 172.16.10.2
  Press CTRL_] to quit telnet mode
  Trying 172.16.10.2 ...
  Connected to 172.16.10.2 ...

Login authentication


Username:huayun
Password:
  -----------------------------------------------------------------------------
    
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: Telnet      
  IP-Address : 172.16.10.1     
  Time       : 2020-07-03 10:29:31-08:00     
  -----------------------------------------------------------------------------
di cu
[V200R003C00]
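An added audit script (not part of the original post) that parses an aaa-view configuration like the `display this` output above and reports the two gaps this walkthrough runs into: a domain bound to a scheme that was never defined, and a telnet/ssh user with no privilege level, which is why the first telnet login above could barely run `display`. The sample config and the cipher placeholder are constructed for the example.

```python
import re
# Constructed sample modelled on the page's aaa-view "display this"; cipher is a placeholder.
AAA_CONFIG = """\
aaa
 authentication-scheme default
 authentication-scheme auth-1
 authorization-scheme auth-2
 domain huayun
  authentication-scheme auth-1
  authorization-scheme auth-2
 local-user huayun password cipher %$%$PLACEHOLDER$%$%
 local-user huayun service-type telnet ssh
"""
SCHEME_RE = re.compile(r"(authentication|authorization|accounting)-scheme (\S+)")
USER_RE = re.compile(r"local-user (\S+) (service-type|privilege level|password) ?(.*)")

def parse_aaa(text):
    schemes = {"authentication": set(), "authorization": set(), "accounting": set()}
    domains, users, cur_domain = {}, {}, None
    for raw in text.splitlines():
        line, m = raw.strip(), SCHEME_RE.match(raw.strip())
        if m and raw.startswith("  ") and cur_domain:   # binding inside a domain view
            domains[cur_domain][m.group(1)] = m.group(2)
        elif m:                                          # scheme definition
            schemes[m.group(1)].add(m.group(2))
        elif line.startswith("domain "):
            cur_domain = line.split()[1]
            domains.setdefault(cur_domain, {})
        elif (m := USER_RE.match(line)):
            u = users.setdefault(m.group(1), {"service": set(), "level": None})
            if m.group(2) == "service-type":
                u["service"].update(m.group(3).split())
            elif m.group(2) == "privilege level":
                u["level"] = int(m.group(3))
    return schemes, domains, users

def audit(text):
    # Flag dangling scheme bindings, login users with no privilege level, and level-15 grants.
    schemes, domains, users = parse_aaa(text)
    findings = []
    for d, bound in domains.items():
        for kind, name in bound.items():
            if name not in schemes[kind]:
                findings.append(f"domain {d}: {kind}-scheme {name} not defined")
    for name, u in users.items():
        if u["service"] & {"telnet", "ssh"} and u["level"] is None:
            findings.append(f"local-user {name}: login user has no privilege level")
        if u["level"] == 15:
            findings.append(f"local-user {name}: level 15 (full admin) granted")
    return findings
```

Run `audit(AAA_CONFIG)` against the sample to see the missing-privilege finding; append the `privilege level 15` line from the walkthrough and the finding changes to a full-admin grant worth reviewing.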

 
