
AAA User Management

Overview

AAA, short for authentication, authorization, and accounting, provides the following types of security services:

  • Authentication: determines which users can access the network.

  • Authorization: authorizes users to access specific services.

  • Accounting: records network resource usage.

AAA is closely related to services and its configuration is flexible.

Depending on the location where user information (including the usernames, passwords, and attributes) is stored, AAA authentication is classified as either remote or local authentication.

  • Remote authentication: User information is configured on the remote authentication server. Remote authentication over Remote Authentication Dial-In User Service (RADIUS) or Huawei Terminal Access Controller Access Control System (HWTACACS) is supported. HWTACACS is an enhancement of TACACS (RFC 1492).
  • Local authentication: User information is configured on the local device, which functions as an authentication server and provides a global default domain for administrators. For example, if the username entered by an administrator for authentication during Telnet or SSH login does not contain a domain name, the device considers that the administrator belongs to the global default domain.

An attacker may attempt to obtain system administrator login rights by enumerating key information, such as usernames and passwords.

Account locking can be configured to defend against such username and password guessing and cracking attempts. Specifically, set the maximum number of consecutive authentication failures allowed to prevent unauthorized user logins. After account locking is configured, a user is blocked for a period of time after a specified number of consecutive login failures. This lowers the chance that an attacker's attempts succeed and enhances device security.

In addition, to enhance administrator account security, you are advised to select an irreversible encryption algorithm when configuring the administrator password and configure a service type for each user to prevent incorrect use of administrator and common user accounts.

Account Security

  • Check whether any unused administrator accounts exist in the system. If yes, delete them to reduce the attack surface.
  • Check whether account permissions have been minimized and whether accounts are prevented from accessing unnecessary resources to ensure information security.
  • Configure exclusive accounts for each administrator based on administrator roles.
  • Check and audit account login and operation logs.

Password Security

  • Change passwords at least every 90 days.
  • Appoint dedicated personnel to keep the device password safe.
  • Encrypt passwords before transmission. Do not transmit passwords by email.
  • Change the password before device transfer.

Impact on the System

None

Procedure

  1. Enter the system view.

    system-view

  2. Enter the AAA view.

    aaa

  3. Enable the system to lock administrator accounts that fail AAA authentication, and set the maximum number of consecutive authentication failures allowed and the account lockout duration after authentication failure.

    lock-authentication enable
    lock-authentication timeout timeout
    lock-authentication failed-count count

    By default, the function to lock accounts that fail remote AAA authentication is enabled.

  4. Enable the administrator password change function. When an administrator password expires, the system prompts the administrator to change the password.

    manager-user password-modify enable
    manager-user password valid-days days


  5. Configure administrator roles and levels to control administrator permissions.

    • Bind a role to the administrator account.
      bind manager-user manager-name role role-name
    • If no role is bound to the administrator account, you can set the administrator level in the administrator view. The device changes the user level to a role based on the following mapping:
      • 1: Monitoring level corresponds to Configuration administrator (monitoring).
      • 2: Configuration level corresponds to Configuration administrator.
      • 3 to 15: Management level (3) and all higher levels up to 15 correspond to System administrator.
      manager-user manager-name
      level level
    • The administrator role has a higher priority than the administrator level, that is, if an administrator is bound to a role, its level no longer takes effect.
    • If the administrator permission is changed, the logged-in administrator will be forced to go offline.

Checking the Security Hardening Result

Run the display aaa configuration command. Check the Remote-user block retry-interval, Remote-user block retry-time, and Remote-user block time fields in the command output to view the authentication retry interval, maximum number of consecutive authentication failures allowed, and account lockout duration for remote users, respectively. Check the Local-user block retry-interval, Local-user block retry-time, and Local-user block time fields in the command output to view the authentication retry interval, maximum number of consecutive authentication failures allowed, and account lockout duration for local users, respectively.
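The following Python checker is an added example and is not Huawei code or part of this guide. It parses the Remote-user and Local-user lockout fields named above from a constructed sample of the display aaa configuration output (the "name : value" layout of that output and the policy thresholds are assumptions) and reports settings that would weaken the account locking configured in the procedure.

```python
import re

# Constructed sample output. The field names are the ones the guide says to
# check; the "name : value" layout is an assumption for this example.
SAMPLE_OUTPUT = """\
 Remote-user block retry-interval : 5
 Remote-user block retry-time     : 3
 Remote-user block time           : 5
 Local-user block retry-interval  : 5
 Local-user block retry-time      : 10
 Local-user block time            : 0
"""

SCOPES = ("Remote-user", "Local-user")
FIELDS = ("block retry-interval", "block retry-time", "block time")
LINE_RE = re.compile(
    r"^\s*(Remote-user|Local-user)\s+"
    r"(block retry-interval|block retry-time|block time)\s*:\s*(\d+)\s*$"
)


def parse_block_settings(output):
    """Return {scope: {field: int}} for the lockout fields found in the output."""
    settings = {}
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if match:
            scope, field, value = match.groups()
            settings.setdefault(scope, {})[field] = int(value)
    return settings


def check_lockout(settings, max_failures=5, min_block_time=5):
    """Return findings for settings weaker than the assumed policy thresholds.

    max_failures: highest acceptable consecutive-failure count (retry-time).
    min_block_time: lowest acceptable lockout duration (block time); a value
    of 0 is treated here as "no lockout in effect" (assumption).
    """
    findings = []
    for scope in SCOPES:
        values = settings.get(scope, {})
        if any(field not in values for field in FIELDS):
            findings.append(f"{scope}: lockout fields missing from output")
            continue
        if values["block time"] == 0:
            findings.append(f"{scope}: block time is 0, no lockout in effect")
        elif values["block time"] < min_block_time:
            findings.append(f"{scope}: block time below {min_block_time}")
        if values["block retry-time"] > max_failures:
            findings.append(f"{scope}: retry-time above {max_failures}")
    return findings
```

Feed the captured command output to parse_block_settings and pass the result to check_lockout; an empty list means both user scopes meet the assumed thresholds.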

Copyright © Huawei Technologies Co., Ltd.