Configuration Example of the HWTACACS Authentication-HUAWEI

*******HWTACACS Authentication -GPON*******

  1. Configure an authentication scheme. Configure an authentication scheme named newscheme (users are authenticated through HWTACACS).
    OLT(config-aaa)#authentication-scheme newscheme
    OLT(config-aaa-authen-newscheme)#authentication-mode hwtacacs
  2. Configure an authorization scheme. Configure an authorization scheme named newscheme (users are authorized through HWTACACS).
    OLT(config-aaa)#authorization-scheme newscheme
    OLT(config-aaa-author-newscheme)#authorization-mode hwtacacs
  3. Configure the accounting scheme. Configure an accounting scheme named newscheme (accounting is performed through HWTACACS); the interim accounting interval is 10 minutes.
    OLT(config-aaa)#accounting-scheme newscheme
    OLT(config-aaa-accounting-newscheme)#accounting-mode hwtacacs
    OLT(config-aaa-accounting-newscheme)#accounting interim interval 10
  4. Configure the HWTACACS protocol. Create an HWTACACS server template named hwtest, with one HWTACACS server as the primary authentication, authorization and accounting server and a second HWTACACS server as the secondary authentication, authorization and accounting server.
    OLT(config)#hwtacacs-server template hwtest
      Create a new HWTACACS-server template
    OLT(config-hwtacacs-hwtest)#hwtacacs-server authentication
    OLT(config-hwtacacs-hwtest)#hwtacacs-server authentication secondary
    OLT(config-hwtacacs-hwtest)#hwtacacs-server authorization
    OLT(config-hwtacacs-hwtest)#hwtacacs-server authorization secondary
    OLT(config-hwtacacs-hwtest)#hwtacacs-server accounting
    OLT(config-hwtacacs-hwtest)#hwtacacs-server accounting secondary
  5. Configure the 802.1X authentication.
    1. Enable the 802.1X global switch. Enable 802.1X authentication on service ports 1, 2, and 3. Because 802.1X authentication is triggered by DHCP here, DHCP-trigger authentication must also be enabled.
      OLT(config)#dot1x enable
      OLT(config)#dot1x service-port 1
      OLT(config)#dot1x service-port 2
      OLT(config)#dot1x service-port 3
      OLT(config)#dot1x dhcp-trigger enable
    2. Configure an 802.1X template. For local termination authentication, the 802.1X template must work in EAP termination mode. The number of allowed handshake failures is 1 and the handshake interval is 20 s.
      OLT(config)#dot1x-template 3
      OLT(config-dot1x-template3)#keepalive retransmit 1 interval 20
       It will cause user offline. Are you sure to continue? (y/n)[n]y
  6. Create a domain. Create a domain named isp1.
    OLT(config-aaa)#domain isp1
      Info: Create a new domain
  7. Use the authentication scheme. An authentication scheme can be used in a domain only after it has been created.
    OLT(config-aaa-domain-isp1)#authentication-scheme newscheme
  8. Use the authorization scheme. An authorization scheme can be used in a domain only after it has been created.
    OLT(config-aaa-domain-isp1)#authorization-scheme newscheme
  9. Use the accounting scheme. An accounting scheme can be used in a domain only after it has been created.
    OLT(config-aaa-domain-isp1)#accounting-scheme newscheme
  10. Bind the HWTACACS server template. An HWTACACS server template can be used in a domain only after it has been created.
    OLT(config-aaa-domain-isp1)#hwtacacs-server hwtest
  11. Bind the 802.1X template. An 802.1X template can be used in a domain only after it has been created.
    OLT(config-aaa-domain-isp1)#dot1x-template 3
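The steps above have an ordering dependency (schemes and templates must exist before the domain binds them) and a completeness requirement (primary and secondary HWTACACS servers for authentication, authorization and accounting, plus an interim accounting interval). The following Python script is an added example, not part of the original page and not Huawei code: it parses a CLI transcript in the `OLT(<view>)#<command>` shape shown on this page and reports any of those conditions that are not met. The view names (`config-aaa-authen-<name>`, `config-hwtacacs-<name>`, `config-aaa-domain-<name>` and so on) are assumed to be exactly as printed in the example; the sample transcripts are constructed from the steps above, and the server addresses, which the page also omits, are left out.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example, not Huawei code. Prompt shape used on the page: OLT(<view>)#<command>
PROMPT_RE = re.compile(r"^\s*OLT\((?P<view>[^)]*)\)#(?P<cmd>.*)$")
# Scheme views abbreviate the kind (authen/author/accounting); template and domain views name the object
SCHEME_VIEW_RE = re.compile(r"^config-aaa-(authen|author|accounting)-(.+)$")
VIEW_KIND = {"authen": "authentication", "author": "authorization", "accounting": "accounting"}
HWTACACS_VIEW_RE = re.compile(r"^config-hwtacacs-(.+)$")
DOMAIN_VIEW_RE = re.compile(r"^config-aaa-domain-(.+)$")


def parse_cli(text: str) -> List[Tuple[str, str]]:
    """Return (view, command) pairs in transcript order, dropping output lines that carry no prompt."""
    pairs = []
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m and m.group("cmd").strip():
            pairs.append((m.group("view"), m.group("cmd").strip()))
    return pairs


def audit_aaa(text: str) -> List[str]:
    """Return findings for the transcript; an empty list means every check passed."""
    findings: List[str] = []
    scheme_mode: Dict[str, Dict[str, str]] = {k: {} for k in VIEW_KIND.values()}
    hwtacacs: Dict[str, Set[str]] = {}      # template -> roles such as "accounting secondary"
    dot1x: Set[str] = set()
    acct_interval: Dict[str, int] = {}

    for view, cmd in parse_cli(text):
        w = cmd.split()
        sv, hv, dv = SCHEME_VIEW_RE.match(view), HWTACACS_VIEW_RE.match(view), DOMAIN_VIEW_RE.match(view)
        if view == "config-aaa" and w[0].endswith("-scheme") and len(w) == 2 and w[0][:-7] in scheme_mode:
            scheme_mode[w[0][:-7]][w[1]] = ""        # scheme created; mode not set yet
        elif sv and w[0].endswith("-mode") and len(w) == 2:
            scheme_mode[VIEW_KIND[sv.group(1)]][sv.group(2)] = w[1]
        elif sv and w[:3] == ["accounting", "interim", "interval"] and len(w) == 4:
            acct_interval[sv.group(2)] = int(w[3])
        elif view == "config" and w[:2] == ["hwtacacs-server", "template"] and len(w) == 3:
            hwtacacs.setdefault(w[2], set())
        elif hv and w[0] == "hwtacacs-server" and len(w) >= 2:
            # Extra tokens (the server address and port the real command takes, omitted on the page) are tolerated
            hwtacacs.setdefault(hv.group(1), set()).add(w[1] + (" secondary" if "secondary" in w[2:] else ""))
        elif view == "config" and w[0] == "dot1x-template" and len(w) == 2:
            dot1x.add(w[1])
        elif dv and len(w) == 2:
            # A domain may only bind schemes and templates that already exist at this point of the transcript
            kind = w[0][:-7] if w[0].endswith("-scheme") else w[0]
            registry = {**scheme_mode, "hwtacacs-server": hwtacacs, "dot1x-template": dot1x}
            if kind in registry and w[1] not in registry[kind]:
                findings.append(f"domain {dv.group(1)}: {kind} '{w[1]}' bound before it is created")

    for kind, schemes in scheme_mode.items():
        for name, mode in schemes.items():
            if mode != "hwtacacs":
                findings.append(f"{kind} scheme '{name}': mode is '{mode or 'unset'}', expected hwtacacs")
    for name, roles in hwtacacs.items():
        for fn in ("authentication", "authorization", "accounting"):
            findings += [f"HWTACACS template '{name}': no {r} server" for r in (fn, fn + " secondary") if r not in roles]
    findings += [f"accounting scheme '{n}': no interim accounting interval"
                 for n in scheme_mode["accounting"] if n not in acct_interval]
    return findings


# Constructed transcript following the page's steps; server addresses are omitted as on the page
GOOD = """\
OLT(config-aaa)#authentication-scheme newscheme
OLT(config-aaa-authen-newscheme)#authentication-mode hwtacacs
OLT(config-aaa)#authorization-scheme newscheme
OLT(config-aaa-author-newscheme)#authorization-mode hwtacacs
OLT(config-aaa)#accounting-scheme newscheme
OLT(config-aaa-accounting-newscheme)#accounting-mode hwtacacs
OLT(config-aaa-accounting-newscheme)#accounting interim interval 10
OLT(config)#hwtacacs-server template hwtest
OLT(config-hwtacacs-hwtest)#hwtacacs-server authentication
OLT(config-hwtacacs-hwtest)#hwtacacs-server authentication secondary
OLT(config-hwtacacs-hwtest)#hwtacacs-server authorization
OLT(config-hwtacacs-hwtest)#hwtacacs-server authorization secondary
OLT(config-hwtacacs-hwtest)#hwtacacs-server accounting
OLT(config-hwtacacs-hwtest)#hwtacacs-server accounting secondary
OLT(config)#dot1x-template 3
OLT(config-aaa)#domain isp1
  Info: Create a new domain
OLT(config-aaa-domain-isp1)#authentication-scheme newscheme
OLT(config-aaa-domain-isp1)#authorization-scheme newscheme
OLT(config-aaa-domain-isp1)#accounting-scheme newscheme
OLT(config-aaa-domain-isp1)#hwtacacs-server hwtest
OLT(config-aaa-domain-isp1)#dot1x-template 3
"""
# Constructed negative case: no secondary accounting server, no interim interval, 802.1X template created after binding
BAD = (GOOD.replace("OLT(config-hwtacacs-hwtest)#hwtacacs-server accounting secondary\n", "")
           .replace("OLT(config-aaa-accounting-newscheme)#accounting interim interval 10\n", "")
           .replace("OLT(config)#dot1x-template 3\n", "")
       + "OLT(config)#dot1x-template 3\n")

if __name__ == "__main__":
    print({label: audit_aaa(cfg) or "OK" for label, cfg in (("page example", GOOD), ("broken variant", BAD))})
```

Run against a transcript pasted from a terminal session, the audit flags the three classes of mistakes that silently weaken this setup: a domain that references a scheme or template not yet created, a template with only a primary server for one of the three functions (a single HWTACACS outage then locks out management or stops accounting), and an accounting scheme without interim updates.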

