H3C_S7500E_AAA典型配置举例

Telnet user 192.168.57.1/24
Device
Internet
3.2 配置思路
• 为了使 HWTACACS 服务器能够识别合法的用户，在 HWTACACS 服务器上添加合法的 Telnet 用户名和密码。
• 为了使用户通过认证后可执行系统所有功能和资源的相关 display 命令，在 HWTACACS 服 务器上设置用户角色为 network-operator。
3 Telnet用户的HWTACACS认证和授权配置举例
3.1 组网需求
如 图 1 所示，通过在作为NAS的Device上配置远程HWTACACS认证、授权功能，实现Telnet用户 的安全登录。要求在Device上配置实现： • HWTACACS 服务器对登录 Device 的 Telnet 用户进行认证和授权，登录用户名为 user@bbb，
H3C S7500E AAA 典型配置举例
Copyright © 2015 杭州华三通信技术有限公司 版权所有，保留一切权利。 非经本公司书面许可，任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部， 并不得以任何形式传播。本文档中的信息可能变动，恕不另行通知。
目录
1 简介 ······················································································································································ 1 2 配置前提 ··············································································································································· 1 3 Telnet用户的HWTACACS认证和授权配置举例 ···················································································· 1
i
1 简介
本文档介绍了 Telnet、SSH 用户通过 AAA 服务器进行登录认证和授权的配置举例。
2 配置前提
本文档中的配置均是在实验室环境下进行的配置和验证，配置前设备的所有参数均采用出厂时的 缺省配置。如果您已经对设备进行了配置，为了保证配置效果，请确认现有配置和以下举例中的 配置不冲突。 本文假设您已了解 AAA 特性。
3.4.1 配置HWTACACS······················································································································· 2 3.4.2 配置Device ································································································································ 6 3.5 验证配置 ··············································································································································· 7 3.6 配置文件 ··············································································································································· 7 4 SSH用户的RADIUS认证和授权配置举例······························································································ 8 4.1 组网需求 ··············································································································································· 8 4.2 配置思路 ··············································································································································· 9 4.3 使用版本 ··············································································································································· 9 4.4 配置步骤 ··············································································································································· 9 4.4.1 配置RADIUS服务器 ··················································································································· 9 4.4.2 配置Device ······························································································································ 11 4.5 验证配置 ············································································································································· 13 4.6 配置文件 ············································································································································· 15 5 相关资料 ············································································································································· 15
3.4 配置步骤
3.4.1 配置HWTACACS
本文以 HWTACACS 服务器 ACS 4.0 为例，说明该例中 HWTACACS 的基本配置。 1. 增加设备管理用户 # 登录进入 HWTACACS 管理平台,点击左侧导航栏“User-Setup”增加设备管理用户。 • 在界面上输入用户名“user@bbb”； • 点击按钮“Add/Edit”进入用户编辑页面。
密码为 aabbcc； • 用户通过认证后可执行系统所有功能和资源的相关 display 命令。 图1 Telnet 用户的远端 HWTACACS 认证和授权配置组网图
HWTACACS server 10.1.1.1/24
Vlan-int2 192.168.57.12/24
Vlan-int3 10.1.1.2/24
“10.1.1.2”。 • “Key”一栏填பைடு நூலகம் HWTACACS 服务器和设备通信时的共享密钥“expert”，必须和 Device
上 HWTACACS 方案里配置的认证、授权和计费共享密钥相同。 • 在“Authenticate Using”的下拉框里选择“TACACS+ (Cisco IOS)”。 • 单击“Submit+Apply”按钮完成配置。
2
图2 用户创建界面
2. 配置设备管理用户 # 在用户编辑页面上配置设备管理用户。 • 配置用户密码“aabbcc”； • 为用户选择组“Group 1”； • 单击“Submit”完成操作。
3
图3 用户密码配置界面
3. 配置网络 # 点击左侧导航栏“Network Configuration”，在“AAA Client Hostname”处任意命名（本例为 “Device”）后开始配置网络。 • “AAA Client IP Address”一栏填写 Device 与 HWTACACS 服务器相连的接口的 IP 地址
4
图4 网络配置界面
4. 设置组 # 单击左侧导航栏“Group Setup”，选取“Group 1”（与配置设备管理用户时为用户选择的组一 致），单击“Edit Settings”进入编辑区。 • 在多选框中选择“Shell”（用户可以执行命令）； • 在多选框中选择“Custom attributes”，并在文本框中输入：roles=\”network-operator\”； • 单击“Submit”后完成操作。 图5 选择组界面
1
• 由于本例中用户登录 Device 要通过 AAA 处理，因此 Telnet 用户登录的用户界面认证方式配 置为 scheme。
• 为了实现通过 HWTACACS 来进行认证和授权，需要在 Device 上配置 HWTACACS 方案并 指定相应的认证和授权服务器，并将其应用于 Telnet 用户所属的 ISP 域。
3.1 组网需求 ··············································································································································· 1 3.2 配置思路 ··············································································································································· 1 3.3 使用版本 ··············································································································································· 2 3.4 配置步骤 ··············································································································································· 2
• 为了在 Device 和 HWTACACS 服务器之间安全地传输用户密码，并且能在 Device 上验证服 务器响应报文未被篡改，在 Device 和 HWTACACS 服务器上都要设置交互报文时所使用的 共享密钥。
3.3 使用版本
本举例是在 S7500E-CMW710-R7150 版本上进行配置和验证的。