Creating an Administrator Account (Server Authentication)

This section describes how to create an administrator account for server authentication.

Procedure

  1. Set the authentication mode to AAA for the administrator UI.
    1. Run the system-view command to access the system view.
    2. Run the user-interface [ ui-type ] first-ui-number [ last-ui-number ] command to access the administrator user interface view.
    3. Run the authentication-mode aaa command to set the authentication mode to AAA.
    4. Run the quit command to return to the system view.
  2. Set the administrator authentication mode to server authentication.

    By default, the authentication scheme is default, and the administrator authentication mode is local (local authentication).

    1. Configure an authentication scheme.

      1. Run the aaa command to access the AAA view.
      2. Run the authentication-scheme scheme-name command to create an authentication scheme and access the authentication scheme view.
      3. Run the authentication-mode { ad | hwtacacs | ldap | radius } * command to configure the authentication mode.
      4. Run the quit command to return to the AAA view.

    2. Configure an authorization scheme.

      1. Run the authorization-scheme scheme-name command to create an authorization scheme.
      2. Configure the authorization mode. The default mode is local, indicating local authorization.
        • Run the authorization-mode hwtacacs command to set the HWTACACS authorization mode for user name-based authorization.

          For the FW, HWTACACS authorization supports not only user-level authorization but also command-level authorization. After command-specific authorization is enabled, every command entered by an administrator of the configured level is sent to the HWTACACS server and is executed only if the server authorizes it. Configure command-specific authorization as follows.

          1. Run the authorization-cmd privilege-level hwtacacs [ local ] command to configure the command-specific authorization for an administrator of a specific level.

            To enable the command-specific authorization, you must configure an HWTACACS server template on the FW, apply this template in the view of the domain to which the administrator of the specific level belongs, and perform the following configurations on the HWTACACS server:
            • Add administrator information on the HWTACACS server.
            • Specify the commands to be authorized on the HWTACACS server for the user group to which the administrator belongs.

            For how to create an administrator and configure the commands to be authorized by user group, refer to HWTACACS server documents.

            By default, command-specific authorization is disabled: after login, an administrator can execute any command at or below the administrator's own level without the server being consulted.

            • HWTACACS command-specific authorization is independent of the authorization mode (authorization-mode) and the authentication mode (authentication-mode). An administrator subject to HWTACACS command authorization can still be authenticated and authorized in a non-HWTACACS mode.
            • HWTACACS command-specific authorization takes effect only for Telnet and STelnet logins. Commands executed through the web UI are authorized by administrator level only, so the server is never consulted for them.
          2. Run the authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] } command to set the policy applied when the HWTACACS server does not respond to a command authorization request (for example, because it is unreachable) or when the administrator is not configured on the FW.

            The default policy is online: the administrator stays logged in even when command-specific authorization fails, so the FW fails open. Use offline to log the administrator out when commands cannot be authorized; max-times optionally sets how many such failures are tolerated before the logout.

        • Run the authorization-mode local command to set the local authorization mode for user name-based authorization.

          The administrator level can be set through the command line. By default, the administrator level is 0 for Telnet and STelnet login. The administrator level is 1 for web login.

          1. Run the user privilege level level command to set the administrator level for Telnet and STelnet login. The default value is 0.
          2. Run the web-manager user privilege level privilege-level command to set the administrator level for web login. The default value is 1.
      3. Run the quit command to return to the AAA view.

    3. Configure the authentication server based on the authentication and authorization schemes.

      When an authentication server is used to authenticate administrator accounts, the FW acts as the proxy client for the authentication server and sends the user name and password to the server for authentication. For details, see Authentication Server.

    4. Optional: Configure an HWTACACS recording scheme.

      When HWTACACS authentication and authorization are used, you can configure a recording scheme to enable the HWTACACS server to record the commands executed by users for fault locating.

      1. Run the recording-scheme scheme-name command to create a recording scheme.
      2. Run the recording-mode hwtacacs template-name command to associate the HWTACACS server template with the recording scheme.
      3. Run the quit command to return to the AAA view.
      4. Run the cmd recording-scheme scheme-name command to configure a recording policy for the recording scheme.

      When configuring an HWTACACS recording scheme, you must configure an accounting server in the HWTACACS server template; otherwise the device has nowhere to send the commands executed by users.

  3. Bind the authentication scheme for the administrator account or domain based on the server authentication mode and reference the server template.

    • Bind the authentication scheme for the administrator and reference the template based on the server authentication mode.

      If administrator domain authentication is not used, the administrator account is created on the FW, but the password is stored on the authentication server, which checks it at login. The administrator then logs in with User Name/Password to manage the FW.

      • In the AAA view, run the manager-user user-name command to configure an administrator account and access the administrator view.
      • Run the service-type { api | ftp | ssh | telnet | terminal | web } * command to set the service type for the administrator account.

        By default, no service type is specified for an administrator created using the CLI.

        Telnet and FTP transmit credentials and session data in cleartext, so configuring either service type is a security risk. Configure the service type as SSH instead.

        Interface access control, administrator service type, and enabled service on the device determine the login method. For example, if an administrator wants to log in using HTTPS through the management interface, the management interface must enable the HTTPS access control, the administrator account must support HTTPS, and the device must enable HTTPS. For detailed configuration process, see Configuration Examples for Administrator.

        If the service type of an administrator account is changed from API to FTP/SSH/Telnet/Terminal/Web or vice versa, any administrator currently logged in with this account is forcibly logged out.

        If the service type of an administrator account is changed among FTP/SSH/Telnet/Terminal/Web, sessions already logged in with this account keep their existing service type; the change applies only to new logins with this account.

        The service types of virtual system administrators can be Web, Telnet, and SSH only.

        The API service type is mutually exclusive with all other service types: if you specify API, you cannot specify any other service type. An API administrator must be at level 15.

      • Run the authentication-scheme scheme-name command to bind the authentication scheme for the administrator account.
      • Reference the server template.
        • Run the radius-server template-name command to reference the RADIUS server template.
        • Run the hwtacacs-server template-name command to reference the HWTACACS server template.
        • Run the ad-server template-name command to reference the AD server template.
        • Run the ldap-server template-name command to reference the LDAP server template.
    • Create an authentication domain.

      If administrator domain authentication is used, the administrator account and password must be created and saved on the authentication server. The FW does not have user information configured. After an administrator is created, the administrator uses User Name@Authentication Domain/Password to log in to and manage the FW.

      If the administrator does not exist on the FW, the administrator level is as follows:

      • If server authorization is configured, the server determines the administrator level.
      • If local authorization is configured, the VTY interface determines the level of the administrator logging in through the CLI (user privilege level), and the web UI determines the level of the administrator logging in through the web UI (web-manager user privilege level).

      The administrator with server domain authentication has all service types without additional configuration.

      • Create an administrator on the server. For details, see the server-related document.
      • Run the domain domain-name command to create a domain (user group) and access the domain view.
      • Optional: Run the authorization-scheme scheme-name command to configure the authorization scheme for the domain.

        The authorization scheme referenced here must already exist in the AAA view; it is the scheme created in step 2.

      • Apply the server template based on the selected authentication server.

        • Run the radius-server template-name command to apply the RADIUS server template.
        • Run the ad-server template-name command to apply the AD server template.
        • Run the ldap-server template-name command to apply the LDAP server template.
        • Run the hwtacacs-server template-name command to apply the HWTACACS server template.
      • Run the service-type administrator-access command to allow administrators to access the authentication domain.

  4. Configure the permission and other attributes for the administrator account.

    If no authentication domain is planned for the administrator, the administrator account is created on the local device, and other functions can be configured for the administrator account as required.

    1. Control the administrator permission based on the administrator role or level.

      In the AAA view, run the bind manager-user manager-name role role-name command to bind the administrator account to a role.

      If the administrator account is not bound to any role, you can run the level level command in the administrator view to set the administrator level. The FW will determine the administrator role based on the administrator level according to the following mappings:

      • Level 1 (monitoring level): Configuration administrator (monitoring).
      • Level 2 (configuration level): Configuration administrator.
      • Levels 3 to 15 (management level): System administrator.

      Note the following:

      • A bound role takes precedence over the level. If an administrator is bound to a role, the administrator level does not take effect.
      • If an administrator's permission level is changed, online sessions using that account are forcibly logged out.

    2. Optional: Enable the function of locking out the administrators that fail the authentication.

      This function does not apply to administrators logging in through the console port. Once an administrator account is locked, login with that account fails even from a different IP address or through a different login mode (except the console port), and the account is unlocked only after the lockout duration expires.

      1. Run the lock-authentication enable command to enable the administrator account lockout function.
      2. Run the lock-authentication failed-count count command to set the limit of login authentication attempts.
      3. Run the lock-authentication timeout timeout command to set the lockout duration for administrator accounts.

    3. Optional: Configure attributes for the administrator account.

      Operation: Set the maximum number of concurrent logins that may use the same administrator account.
      Command: access-limit max-number

      Operation: Specify the status of an administrator account.
      Command: state { active | block }
        • active: the account can be used to log in.
        • block: the account is disabled and cannot be used to log in.

    4. Optional: Set the default directory for FTP administrators.

      1. Run the quit command to return to the AAA view.
      2. Run the quit command to return to the system view.
      3. Run the set default ftp-directory directory command to set the default directory for FTP administrators.

      An FTP administrator authenticated by the server has no locally configured FTP directory, so you must run the set default ftp-directory directory command before such an administrator accesses the FW through FTP. Otherwise the FTP login fails.
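The procedure above assembled into one configuration, as an added example that is not part of the original page. It assumes an HWTACACS server template named tac1 has already been created as described in Authentication Server; the scheme, domain and account names (auth-tac, authz-tac, rec-tac, admin.example, ops-admin) and all numeric values are placeholders chosen for the example. Both step 3 variants are shown: an authentication domain for accounts that exist only on the server, and a local account whose password is checked by the server.

```text
# Added example, not from the page. Placeholders: tac1 (existing HWTACACS
# server template), auth-tac, authz-tac, rec-tac, admin.example, ops-admin,
# and all numeric values.
system-view

# Step 1: the VTY lines (Telnet/STelnet) authenticate through AAA.
user-interface vty 0 4
 authentication-mode aaa
 # Level given to CLI logins of domain administrators when local
 # authorization applies; placed in the VTY view, which is where the
 # page says the CLI level is taken from.
 user privilege level 3
quit

aaa
 # Step 2.1: authentication scheme, HWTACACS instead of the default local mode.
 authentication-scheme auth-tac
  authentication-mode hwtacacs
 quit

 # Step 2.2: authorization scheme with per-command authorization for level-3
 # administrators; the trailing "local" keeps the local level check as well.
 authorization-scheme authz-tac
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs local
  # The default (online) fails open. offline logs the administrator out
  # when commands cannot be authorized; max-times 3 tolerates three
  # failures first.
  authorization-cmd no-response-policy offline max-times 3
 quit

 # Step 2.4 (optional): record every executed command on the HWTACACS
 # accounting server configured in template tac1.
 recording-scheme rec-tac
  recording-mode hwtacacs tac1
 quit
 cmd recording-scheme rec-tac

 # Step 3, domain path: accounts exist only on the server; administrators
 # log in as <user>@admin.example. Binding the authentication scheme in the
 # domain view is assumed, following the heading of step 3.
 domain admin.example
  authentication-scheme auth-tac
  authorization-scheme authz-tac
  hwtacacs-server tac1
  service-type administrator-access
 quit

 # Step 3, per-account alternative: the account is created locally and the
 # password is checked by the server. SSH only: Telnet and FTP are cleartext.
 manager-user ops-admin
  service-type ssh
  authentication-scheme auth-tac
  hwtacacs-server tac1
  level 3
  access-limit 2
  state active
 quit

 # Step 4.2 (optional): lock the account after repeated failures. Console
 # logins are exempt, so the console port stays usable if the server is
 # unreachable. The AAA view is assumed for these commands.
 lock-authentication enable
 lock-authentication failed-count 3
 lock-authentication timeout 10
quit
```

Two points worth checking after applying such a configuration. First, command-specific authorization covers Telnet and STelnet sessions only; a level-15 administrator logging in through the web UI is authorized by level alone, so the server never sees those actions and only the recording scheme gives you a trail. Second, test the no-response policy deliberately by making tac1 unreachable from a lab session: with the default online policy the session keeps working without any server check, which is rarely what the operator expects from "server authorization".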

Copyright © Huawei Technologies Co., Ltd.