S12500 AAA Configuration Examples
Contents
Example: Performing RADIUS authentication/authorization for SSH users
Example: Performing HWTACACS authentication and authorization for Telnet users
Configuring the HWTACACS server
Introduction
This document provides AAA configuration examples for Telnet and SSH users.
AAA provides a uniform framework for configuring authentication, authorization, and accounting security functions to implement network security management.
Prerequisites
This document assumes that you have basic knowledge of H3C AAA.
Example: Performing RADIUS authentication/authorization for SSH users
Network requirements
As shown in Figure 1, the RADIUS server runs on IMC.
Configure the switch to perform RADIUS authentication/authorization for SSH users. The username is in the format userid@bbb and the password is aabbcc.
Requirements analysis
· To identify valid users, configure usernames and passwords on the RADIUS server.
· To perform AAA authentication for SSH users, set the authentication mode to scheme.
· To secure RADIUS communication, configure the same shared key on the switch and the RADIUS server. With the shared key, the switch and the RADIUS server transfer passwords safely, and the switch can verify the integrity of the RADIUS response.
· To use RADIUS authentication/authorization, create a RADIUS scheme, specify the authentication/authorization server, and apply the RADIUS scheme to the ISP domain to which the SSH users belong on the switch.
Software version used
This configuration example was created and verified on S12500-CMW520-R1825P01.
Configuration procedures
Configuring the RADIUS server
This example uses IMC PLAT 5.0(E0101) and IMC UAM 5.0(E0101).
1. Add the switch to IMC as an access device:
a. Log in to IMC, click the Service tab, and select User Access Manager > User Access Manager from the navigation tree.
The Access Device page appears.
b. Click Add to add an access device as follows:
- Set the shared key to expert.
- Specify the ports for authentication and accounting as 1812 and 1813, respectively.
- Select Device Management Service as the service type.
- Select H3C(General) as the access device type.
- Specify the IP address of the switch as 10.1.1.2 on the Device List.
c. Click OK.
Figure 2 Adding the switch as an access device
2. Add a device management user account:
a. Click the User tab and select Access User View > Device Mgmt User from the navigation tree.
The Device Management User page appears.
b. Click Add to add a device management account as follows:
- Enter hello@bbb as the account name.
- Enter aabbcc as the password.
- Select the service type SSH.
- Enter 3 as the EXEC priority, which specifies the command level the SSH user can access after login.
- Specify 10.1.1.0 to 10.1.1.255 as the IP address range of the hosts to be managed.
c. Click OK.
Figure 3 Adding a device management user account
Configuring the switch
# Configure the IP address of VLAN-interface 2, through which the SSH user accesses the SSH server.
<Switch> system-view
[Switch] vlan 2
[Switch-vlan2] port GigabitEthernet 2/0/2
[Switch-vlan2] quit
[Switch] interface GigabitEthernet 2/0/2
[Switch-GigabitEthernet2/0/2] undo shutdown
[Switch-GigabitEthernet2/0/2] quit
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] undo shutdown
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch connects to the RADIUS server.
[Switch] vlan 3
[Switch-vlan3] port GigabitEthernet 2/0/3
[Switch-vlan3] quit
[Switch] interface GigabitEthernet 2/0/3
[Switch-GigabitEthernet2/0/3] undo shutdown
[Switch-GigabitEthernet2/0/3] quit
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] undo shutdown
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Generate RSA and DSA key pairs and enable the SSH server.
[Switch] public-key local create rsa
[Switch] public-key local create dsa
[Switch] ssh server enable
# Configure the switch to use AAA for SSH users.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
# Configure the user interfaces to support SSH.
[Switch-ui-vty0-15] protocol inbound ssh
[Switch-ui-vty0-15] quit
# Configure the RADIUS scheme.
[Switch] radius scheme rad
[Switch-radius-rad] primary authentication 10.1.1.1 1812
[Switch-radius-rad] primary accounting 10.1.1.1 1813
[Switch-radius-rad] key authentication expert
[Switch-radius-rad] key accounting expert
[Switch-radius-rad] server-type extended
[Switch-radius-rad] quit
# Configure the AAA methods for the ISP domain bbb.
[Switch] domain bbb
[Switch-isp-bbb] authentication login radius-scheme rad
[Switch-isp-bbb] authorization login radius-scheme rad
[Switch-isp-bbb] accounting login radius-scheme rad
[Switch-isp-bbb] quit
Verifying the configuration
The SSH user can pass authentication by using the username hello@bbb and password aabbcc, and can access the commands at level 3 or lower.
Configuration file
#
vlan 2
#
vlan 3
#
interface Vlan-interface2
 ip address 192.168.1.70 255.255.255.0
#
interface Vlan-interface3
 ip address 10.1.1.2 255.255.255.0
#
radius scheme rad
 primary authentication 10.1.1.1
 primary accounting 10.1.1.1
 key authentication cipher $c$3$pbM+tCZB0KFMcBBhntpvngLYGV+wQFqI+g==
 key accounting cipher $c$3$nE6Jts3YPpMFfWnqJzFa+4KlbQn16ouXtw==
#
domain bbb
 authentication login radius-scheme rad
 authorization login radius-scheme rad
 accounting login radius-scheme rad
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-interface vty 0 15
 authentication-mode scheme
 protocol inbound ssh
#
interface GigabitEthernet2/0/2
 port access vlan 2
#
interface GigabitEthernet2/0/3
 port access vlan 3
#
Example: Performing HWTACACS authentication and authorization for Telnet users
Network requirements
As shown in Figure 4, configure the switch to use the HWTACACS server for authentication and authorization of Telnet users. The username is in the format userid@bbb and the password is aabbcc.
Requirements analysis
· To identify valid users, configure the Telnet username and password on the HWTACACS server.
· To perform AAA authentication for Telnet users, configure the authentication mode to scheme.
· To secure HWTACACS communication, configure the same shared key on the switch and the HWTACACS server. With the shared key, the switch and the HWTACACS server transfer passwords safely, and the switch can verify the integrity of the HWTACACS response.
· To use HWTACACS authentication and authorization, create an HWTACACS scheme, specify the authentication and authorization servers, and apply the HWTACACS scheme to the ISP domain to which the Telnet users belong on the switch.
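How the shared key protects the HWTACACS exchange in the third bullet, as an added example that is not part of the H3C document. The example assumes HWTACACS uses the TACACS+ packet format of RFC 8907 (an assumption of this example, not a statement from the document): the whole packet body is XORed with a pseudo-pad derived from the session id, the key, the version and the sequence number. The key "expert" and username hello@bbb come from the example; the session id, port name and client address are constructed.

```python
import hashlib
import struct

# Constructed demo values: the shared key matches the example ("expert"); the
# session id, port and client address are made up for this illustration.
SHARED_KEY = b"expert"

TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear
VERSION = (0xC << 4) | 0x0          # major version 0xC, minor version 0
HEADER = "!BBBBII"                  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR with the pseudo-pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int) -> bytes:
    """Authentication START body: action=LOGIN(1), authen_type=ASCII(1), service=LOGIN(1), no data."""
    fixed = struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def parse_authen_start(body: bytes) -> dict:
    """Decode a START body, rejecting one whose length fields do not add up."""
    if len(body) < 8:
        raise ValueError("START body shorter than its fixed header")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("START body length fields are inconsistent (wrong key?)")
    user = body[8:8 + ul]
    port = body[8 + ul:8 + ul + pl]
    rem_addr = body[8 + ul + pl:8 + ul + pl + rl]
    return {"action": action, "priv_lvl": priv_lvl, "user": user, "port": port, "rem_addr": rem_addr}


def build_packet(body: bytes, session_id: int, seq_no: int, key: bytes) -> bytes:
    """Wrap a body in a TACACS+ header; with a key the body is obfuscated, without one it is
    sent in the clear and flagged as such (never acceptable for a production switch)."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = xor_body(body, session_id, key, VERSION, seq_no) if key else body
    return struct.pack(HEADER, VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload)) + payload


def unwrap_packet(pkt: bytes, key: bytes) -> bytes:
    """Return the clear body of a packet, deriving the pad from the header fields."""
    version, _type, seq_no, flags, session_id, length = struct.unpack(HEADER, pkt[:12])
    body = pkt[12:]
    if len(body) != length:
        raise ValueError("header length does not match payload")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return xor_body(body, session_id, key, version, seq_no)


def demo() -> tuple:
    """Client START packet, what is visible on the wire, and what a wrong key recovers."""
    start = build_authen_start(b"hello@bbb", b"vty0", b"192.168.1.10", priv_lvl=1)
    pkt = build_packet(start, session_id=0x1234ABCD, seq_no=1, key=SHARED_KEY)
    on_wire = pkt[12:]                                   # obfuscated body, no username in it
    recovered = parse_authen_start(unwrap_packet(pkt, SHARED_KEY))
    wrong_key = unwrap_packet(pkt, b"not-expert")        # different pad, unusable body
    return recovered, on_wire, wrong_key
```

The pad is derived from header fields that travel in the clear plus the key, so only a holder of the same key recovers a body whose length fields are consistent; `parse_authen_start` rejects the garbage produced by a mismatched key. Unlike RADIUS, the TACACS+ format has no separate integrity field on the response, so this consistency check is the only local clue to a key mismatch.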
Software version used
This configuration example was created and verified on S12500-CMW520-R1825P01.
Configuration procedures
Configuring the HWTACACS server
Configure the shared key for secure HWTACACS communication to expert, configure the Telnet username and password, and set the user privilege level to 3. (Details not shown.)
Configuring the switch
# Configure the IP addresses for interfaces. (Details not shown.)
# Enable the Telnet server feature.
<Switch> system-view
[Switch] telnet server enable
# Configure the switch to use AAA for Telnet users.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] quit
# Configure HWTACACS scheme hwtac.
[Switch] hwtacacs scheme hwtac
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
[Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
[Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49
[Switch-hwtacacs-hwtac] key authentication expert
[Switch-hwtacacs-hwtac] key authorization expert
[Switch-hwtacacs-hwtac] key accounting expert
[Switch-hwtacacs-hwtac] quit
# Configure the AAA methods for the ISP domain bbb.
[Switch] domain bbb
[Switch-isp-bbb] authentication login hwtacacs-scheme hwtac
[Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
[Switch-isp-bbb] accounting login hwtacacs-scheme hwtac
[Switch-isp-bbb] quit
Verifying the configuration
The Telnet user can pass authentication by using the username in the format userid@bbb and password aabbcc, and can access the commands at level 3 or lower.
Configuration file
#
hwtacacs scheme hwtac
 primary authentication 10.1.1.1
 primary authorization 10.1.1.1
 primary accounting 10.1.1.1
 key authentication cipher $c$3$pbM+tCZB0KFMcBBhntpvngLYGV+wQFqI+g==
 key authorization cipher $c$3$c4rjmlQu2fhJ7n6khYpaLIkTj8N6HT3/6A==
 key accounting cipher $c$3$nE6Jts3YPpMFfWnqJzFa+4KlbQn16ouXtw==
#
domain bbb
 authentication login hwtacacs-scheme hwtac
 authorization login hwtacacs-scheme hwtac
 accounting login hwtacacs-scheme hwtac
#
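An added check, not part of the H3C document, that reads a configuration file in the format of the two "Configuration file" sections above and audits the chain the requirements analyses describe: the VTY lines hand login authentication to AAA (authentication-mode scheme), the users' ISP domain exists, and each login method in it points at a defined RADIUS or HWTACACS scheme that has a primary server for that purpose. The sample configuration is constructed from the SSH example, with the cipher texts replaced by a placeholder; pass `require_ssh=False` for a Telnet configuration like the second example.

```python
import re

# Constructed sample: the RADIUS/SSH configuration file from this document, with the
# cipher texts replaced by a placeholder.
SAMPLE_CONFIG = """\
#
radius scheme rad
 primary authentication 10.1.1.1
 primary accounting 10.1.1.1
 key authentication cipher <CIPHER-TEXT>
 key accounting cipher <CIPHER-TEXT>
#
domain bbb
 authentication login radius-scheme rad
 authorization login radius-scheme rad
 accounting login radius-scheme rad
#
user-interface vty 0 15
 authentication-mode scheme
 protocol inbound ssh
#
"""


def parse_sections(text: str) -> list:
    """Split a Comware-style configuration into '#'-delimited sections; each section is a
    list of stripped lines whose first entry is the command that enters the view."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit(text: str, domain_name: str, require_ssh: bool = True) -> list:
    """Return a list of findings; an empty list means the AAA chain for domain_name is intact."""
    findings = []
    schemes, domains, vtys = {}, {}, []
    for sec in parse_sections(text):
        head, body = sec[0], sec[1:]
        m = re.match(r"(radius|hwtacacs) scheme (\S+)$", head)
        if m:
            schemes[(m.group(1), m.group(2))] = body
        elif re.match(r"domain (\S+)$", head):
            domains[head.split()[1]] = body
        elif head.startswith("user-interface vty"):
            vtys.append((head, body))

    # 1. Login lines must hand authentication to AAA; any other mode bypasses the scheme.
    if not vtys:
        findings.append("no 'user-interface vty' section: login authentication is unconfigured")
    for head, body in vtys:
        if "authentication-mode scheme" not in body:
            findings.append(f"{head}: authentication-mode is not 'scheme'; AAA is bypassed")
        if require_ssh and "protocol inbound ssh" not in body:
            findings.append(f"{head}: 'protocol inbound ssh' missing; other inbound protocols are accepted")

    # 2. The users' ISP domain must exist and bind each login method to a defined scheme
    #    that has a primary server for that purpose.
    body = domains.get(domain_name)
    if body is None:
        findings.append(f"domain {domain_name} is not defined; userid@{domain_name} logins cannot use it")
        return findings
    for method in ("authentication", "authorization", "accounting"):
        refs = [re.match(rf"{method} login (radius|hwtacacs)-scheme (\S+)", l) for l in body]
        refs = [r for r in refs if r]
        if not refs:
            findings.append(f"domain {domain_name}: {method} login is not bound to a remote scheme")
            continue
        kind, name = refs[0].group(1), refs[0].group(2)
        scheme = schemes.get((kind, name))
        # RADIUS carries authorization inside the authentication exchange, so a RADIUS scheme
        # has no separate authorization server; an HWTACACS scheme does.
        server = "authentication" if (kind == "radius" and method == "authorization") else method
        if scheme is None:
            findings.append(f"domain {domain_name}: {kind} scheme {name} is referenced but not defined")
        elif not any(l.startswith(f"primary {server} ") for l in scheme):
            findings.append(f"{kind} scheme {name}: no 'primary {server}' server configured")
    return findings
```

Run against a saved running configuration, the audit flags the mismatches that otherwise only show up as a failed login: a domain named differently from the one in the users' userid@domain suffix, a scheme referenced but never created, or a VTY line left on password or none authentication.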
Related documentation
· H3C S12500 Routing Switch Series Security Configuration Guide
· H3C S12500 Routing Switch Series Security Command Reference