CLI: Example for Logging In to the CLI Using STelnet (HWTACACS Authentication and Authorization)

Networking Requirements

As shown in Figure 1, the FW has a local administrator with limited administrator permissions who can use STelnet to log in to the CLI only from a local PC to manage and maintain the FW. HWTACACS server authentication takes precedence over local authentication: the FW falls back to local authentication of administrators only when the HWTACACS server does not respond.

Figure 1 Networking diagram of using STelnet to log in to the CLI (HWTACACS authentication)

Data Planning

Item                Data
FW                  SSH account: sshadmin
                    Authentication mode: Password
                    Password: Mydevice@123
                    Service type: STelnet
Administrator PC    SSH client software: PuTTY. The PuTTY software includes the PuTTY client for the STelnet service and the SFTP client PSFTP.

Configuration Roadmap

  1. Configure STelnet login on the FW: Set the authentication mode for accessing VTY user interfaces to AAA, enable STelnet, and configure the authentication mode and service type for SSH users.
  2. Configure HWTACACS authentication on the FW: Create an HWTACACS server template, configure an AAA scheme, and enable command line authorization.
  3. Configure an HWTACACS server.
  4. Configure the administrator PC as the SSH client.

This example assumes that the IP addresses of the interface and the administrator PC, the security zones, routes, and security policies have already been configured; only the administrator-related configuration is described below.

Procedure

  1. Configure firewall interfaces and security policies.
    1. Configure the interface IP address and SSH access function.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 255.255.255.0
      [FW-GigabitEthernet0/0/3] service-manage enable
      [FW-GigabitEthernet0/0/3] service-manage ssh permit
      [FW-GigabitEthernet0/0/3] quit
      [FW] interface GigabitEthernet 0/0/2
      [FW-GigabitEthernet0/0/2] ip address 172.16.0.1 255.255.255.0
      [FW-GigabitEthernet0/0/2] quit

    2. Add interfaces to security zones.

      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/3
      [FW-zone-trust] quit
      [FW] firewall zone dmz
      [FW-zone-dmz] add interface GigabitEthernet 0/0/2
      [FW-zone-dmz] quit

    3. Configure a security policy to allow the device to send authentication information to the HWTACACS server.

      [FW] security-policy
      [FW-policy-security] rule name rule1
      [FW-policy-security-rule-rule1] source-zone local
      [FW-policy-security-rule-rule1] destination-zone dmz
      [FW-policy-security-rule-rule1] destination-address 172.16.0.2 32
      [FW-policy-security-rule-rule1] action permit
      [FW-policy-security-rule-rule1] quit
      [FW-policy-security] quit

  2. Configure STelnet login on the FW.
    1. Generate a local key pair.

      [FW] rsa local-key-pair create
      The key name will be: FW_Host

      The range of public key size is (2048 ~ 2048).
      NOTES: If the key modulus is greater than 512,
              it will take a few minutes.
      Input the bits in the modulus[default = 2048]:2048
      Generating keys...
      .+++++
      ........................++
      ....++++
      ...........++

    2. Configure VTY administrator interfaces that support AAA.

      [FW] user-interface vty 0 4
      [FW-ui-vty0-4] authentication-mode aaa
      [FW-ui-vty0-4] protocol inbound ssh
      [FW-ui-vty0-4] user privilege level 3
      [FW-ui-vty0-4] quit

    3. Enable the STelnet service.

      [FW] stelnet server enable

    4. Set the authentication mode of the SSH user to password authentication and the service type to STelnet.

      [FW] ssh authentication-type default password

  3. Configure HWTACACS authentication and authorization.
    1. Configure an HWTACACS server template to implement communication between the device and the HWTACACS server.

      [FW] hwtacacs-server template hwtacacs_server
      [FW-hwtacacs-hwtacacs_server] hwtacacs-server authentication 172.16.0.2 49
      [FW-hwtacacs-hwtacacs_server] hwtacacs-server authorization 172.16.0.2 49
      [FW-hwtacacs-hwtacacs_server] hwtacacs-server shared-key cipher Admin@1234
      [FW-hwtacacs-hwtacacs_server] test-aaa testname testpassword hwtacacs-template hwtacacs_server
      [FW-hwtacacs-hwtacacs_server] quit

    2. Configure an authentication scheme in which HWTACACS authentication is performed first and local authentication is performed only when the HWTACACS server is Down or does not respond.

      [FW] aaa
      [FW-aaa] authentication-scheme hwtacacs
      [FW-aaa-authen-hwtacacs] authentication-mode hwtacacs local
      [FW-aaa-authen-hwtacacs] quit

    3. Configure an authorization scheme, set the authorization mode to HWTACACS authorization, and enable command-line authorization for level-3 users.

      [FW] aaa
      [FW-aaa] authorization-scheme admin_hwtacacs
      [FW-aaa-author-admin_hwtacacs] authorization-mode hwtacacs
      [FW-aaa-author-admin_hwtacacs] authorization-cmd 3 hwtacacs
      [FW-aaa-author-admin_hwtacacs] quit

    4. Bind the authentication scheme and authorization scheme to the administrator account or to the domain, and reference the server template. Use one of the following two methods as required.

      • Bind the authentication scheme and authorization scheme to the domain and reference the server template. The administrator account and password are created and stored on the domain's authentication server, so no user information needs to be configured on the firewall. Once the administrator exists in the default domain, the administrator logs in to and manages the device with that username and password.

      [FW] aaa
      [FW-aaa] domain default
      [FW-aaa-domain-default] authentication-scheme hwtacacs
      [FW-aaa-domain-default] authorization-scheme admin_hwtacacs
      [FW-aaa-domain-default] hwtacacs-server hwtacacs_server
      [FW-aaa-domain-default] service-type administrator-access
      [FW-aaa-domain-default] quit
      [FW-aaa] quit

      • Bind the authentication scheme and authorization scheme to the administrator and reference the server template. If administrator domain authentication is not used, the administrator account must be created on the device, while the password is stored on the authentication server. After the administrator is created, the administrator logs in to and manages the device with the username and password.

      [FW] aaa
      [FW-aaa] manager-user sshadmin
      [FW-aaa-manager-user-sshadmin] password
      Enter Password:
      Confirm Password:
      [FW-aaa-manager-user-sshadmin] service-type ssh
      [FW-aaa-manager-user-sshadmin] authentication-scheme hwtacacs
      [FW-aaa-manager-user-sshadmin] authorization-scheme admin_hwtacacs
      [FW-aaa-manager-user-sshadmin] hwtacacs-server hwtacacs_server
      [FW-aaa-manager-user-sshadmin] quit
      [FW-aaa] quit

  4. Configure the HWTACACS server. The following uses Secure ACS as an example.

    On the server, add the FW as a device, add the user, set the user level to 3, and configure command-line authorization so that the reset hwtacacs-server statistics all command is not allowed.

  5. Configure the administrator PC as the SSH client.
    1. Set the IP address and subnet mask of the administrator PC to 10.3.0.100 and 255.255.255.0.
    2. Install the PuTTY software. Details are omitted.
    3. Use the PuTTY software to log in to the FW through STelnet. (The following example uses PuTTY 0.60.)

      1. Double-click PuTTY.exe. The interface shown in Figure 2 is displayed. Enter the IP address of the SSH server in the Host Name (or IP address) text box.
        Figure 2 Entering the IP address of the SSH server
      2. Choose Connection > SSH in the left Category tree. The interface shown in Figure 3 is displayed. In Protocol options, set Preferred SSH protocol version to 2 and click Open.
        Figure 3 Setting SSH protocol version
      3. Upon the first login, the dialog box shown in Figure 4 is displayed. Click Yes.
        Figure 4 PuTTY security alert
      4. On the login page that is displayed, enter the SSH administrator account sshadmin and press Enter. Enter the password Mydevice@123 and press Enter again. You are now logged in to the FW.

Configuration Scripts

#
interface GigabitEthernet0/0/2
 ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
 service-manage enable
 service-manage ssh permit
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
hwtacacs-server template hwtacacs_server
 hwtacacs-server authentication 172.16.0.2 49
 hwtacacs-server authorization 172.16.0.2 49
 hwtacacs-server shared-key cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@%@
#
aaa
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 authorization-scheme admin_hwtacacs
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs
 domain default                  //Method 1: domain authentication; no administrator is created on the device.
  authentication-scheme hwtacacs
  authorization-scheme admin_hwtacacs
  hwtacacs-server hwtacacs_server
  service-type administrator-access
 manager-user sshadmin          //Method 2: create an administrator on the device with the same name as the account on the HWTACACS server.
  password cipher @%@%{kD2R62'},HC+d2\#5SC'z`9LZu'ZMekWC;a4K&YNWO>z`<'@%@%
  service-type ssh
  authentication-scheme hwtacacs
  authorization-scheme admin_hwtacacs
  hwtacacs-server hwtacacs_server
#
stelnet server enable
ssh authentication-type default password
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
security-policy
 rule name rule1
  source-zone local
  destination-zone dmz
  destination-address 172.16.0.2 32
  action permit
#
return
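As an added example that is not part of this Huawei documentation, the following Python script parses a configuration script in the format shown above and audits the settings this example relies on: AAA and SSH-only access on the VTY interfaces, an HWTACACS authentication server with a cipher-stored shared key, HWTACACS listed before local in the authentication scheme (so local authentication is only a fallback), and level-3 command authorization sent to HWTACACS. The sample configuration is a constructed excerpt with a placeholder key, and parse and audit are names chosen here.

```python
# Constructed excerpt in the VRP script format shown above: '#' separates sections
# and leading spaces mark subordinate lines. The cipher value is a placeholder.
SAMPLE = """\
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
hwtacacs-server template hwtacacs_server
 hwtacacs-server authentication 172.16.0.2 49
 hwtacacs-server shared-key cipher %@%@PLACEHOLDER%@%@
#
aaa
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 authorization-scheme admin_hwtacacs
  authorization-cmd 3 hwtacacs
#
"""

def parse(text):
    """Map each section's first line (e.g. 'aaa') to its stripped body lines."""
    secs, cur = {}, []
    for raw in text.splitlines() + ["#"]:  # the sentinel flushes the last section
        line = raw.strip()
        if line == "#":
            if cur:
                secs[cur[0]] = cur[1:]
            cur = []
        elif line:
            cur.append(line)
    return secs

def audit(text):
    """Return a list of findings; an empty list means every check for this setup passed."""
    secs = parse(text)
    vty = next((b for h, b in secs.items() if h.startswith("user-interface vty")), [])
    tpl = next((b for h, b in secs.items() if h.startswith("hwtacacs-server template")), [])
    aaa = secs.get("aaa", [])
    keys = [l for l in tpl if l.startswith("hwtacacs-server shared-key")]
    modes = [l.split()[1:] for l in aaa if l.startswith("authentication-mode ")]
    checks = [
        ("VTY does not authenticate via AAA", "authentication-mode aaa" in vty),
        ("VTY accepts inbound protocols other than SSH", "protocol inbound ssh" in vty),
        ("no HWTACACS authentication server in the template", any(l.startswith("hwtacacs-server authentication ") for l in tpl)),
        ("HWTACACS shared key missing or not stored as cipher", bool(keys) and all(k.startswith("hwtacacs-server shared-key cipher ") for k in keys)),
        ("local authentication would take precedence over HWTACACS", any(m[:1] == ["hwtacacs"] for m in modes)),
        ("level-3 command authorization not sent to HWTACACS", "authorization-cmd 3 hwtacacs" in aaa),
    ]
    return [msg for msg, ok in checks if not ok]
```

Running audit over a saved display current-configuration output is a quick way to confirm that a device still matches this example after later changes.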
Copyright © Huawei Technologies Co., Ltd.