02-AAA Configuration Examples
Example: Configuring HWTACACS authentication and authorization for Telnet users (ACS server)
Applicable hardware and software versions
Example: Configuring RADIUS authentication and authorization in IMC for SSH users
Applicable hardware and software versions
Example: Configuring RADIUS authentication and authorization in ACS for SSH users
Applicable hardware and software versions
Example: Configuring HWTACACS authentication and authorization for SSH users (ACS server)
Applicable hardware and software versions
Introduction
This document provides AAA configuration examples for Telnet and SSH users.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of AAA.
Example: Configuring HWTACACS authentication and authorization for Telnet users (ACS server)
Network configuration
As shown in Figure 1, configure remote HWTACACS authentication and authorization on the NAS device to enable secure Telnet user login. Configure the following on the device:
· Use the HWTACACS server to authorize and authenticate Telnet users logging into the device. The login username is user@bbb and the password is aabbcc.
· Allow users to execute all the display commands related to system functions and resources.
Analysis
· For the HWTACACS server to identify users, add Telnet usernames and passwords on the server.
· For users to execute the display commands for all system functions and resources after authentication, set the user role to network-operator on the HWTACACS server.
· In this example, users must pass AAA authentication to log in to the device. You must set the authentication method for Telnet users to scheme.
· For the HWTACACS server to perform authorization and authentication, configure the HWTACACS scheme on the device and specify the servers for authorization and authentication. Apply the configuration to the ISP domain of Telnet users.
· To securely transmit user passwords between the device and the HWTACACS server and to let the device check the integrity of response packets, you must set the same shared key for interaction messages on both the device and the HWTACACS server.
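The last point above is the one that most often goes wrong in practice (a key typed differently on the two sides), so it helps to see what the key actually does to the packets. The following Python script is an added example, not part of this H3C document: it implements the TACACS+ body obfuscation of RFC 8907 section 4.5 (a chained-MD5 pseudo-pad XORed over the packet body) and shows that a packet built with key expert decodes to a sane authentication START body only under that same key. It assumes HWTACACS uses RFC 8907 framing, which matches registering the device on ACS as TACACS+ (Cisco IOS); the session ID and the client address are constructed values.

```python
import hashlib
import struct
from typing import Optional

# TACACS+ constants from RFC 8907. HWTACACS is assumed (see lead-in) to use the same framing.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent without obfuscation
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id + key + version + seq_no),
    MD5_i = MD5(session_id + key + version + seq_no + MD5_{i-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscating and de-obfuscating are the same XOR with the pseudo-pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START body (RFC 8907 section 5.1) for an ASCII login."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)])
    return fixed + u + p + r + d


def parse_authen_start(body: bytes) -> Optional[dict]:
    """Return the START fields, or None if the body is inconsistent. A key mismatch raises
    no error on the wire: it just yields bytes whose length fields do not add up."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, _service, ul, pl, rl, dl = body[:8]
    if action != TAC_PLUS_AUTHEN_LOGIN or authen_type != TAC_PLUS_AUTHEN_TYPE_ASCII:
        return None
    if len(body) != 8 + ul + pl + rl + dl:
        return None
    try:
        user = body[8:8 + ul].decode("ascii")
        port = body[8 + ul:8 + ul + pl].decode("ascii")
        rem_addr = body[8 + ul + pl:8 + ul + pl + rl].decode("ascii")
    except UnicodeDecodeError:
        return None
    return {"priv_lvl": priv_lvl, "user": user, "port": port, "rem_addr": rem_addr}


def encode_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """12-byte header followed by the obfuscated body (flags = 0 means obfuscated)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0x0   # minor version 0
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0x00, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def decode_packet(packet: bytes, key: bytes) -> Optional[dict]:
    """Receiver side: de-obfuscate with the locally configured key and sanity-check the body."""
    if len(packet) < 12:
        return None
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    return parse_authen_start(body)


# Constructed sample: the Telnet user of this example logging in on VTY 0.
# The session ID and the client address 192.168.57.100 are made up; the page gives neither.
SAMPLE_KEY = b"expert"
SAMPLE_SESSION = 0x1A2B3C4D
SAMPLE_START = build_authen_start("user@bbb", "vty0", "192.168.57.100")


def demo() -> dict:
    packet = encode_packet(SAMPLE_START, SAMPLE_SESSION, SAMPLE_KEY)
    return {
        "wire_bytes_hide_username": b"user@bbb" not in packet,
        "right_key": decode_packet(packet, SAMPLE_KEY),     # the START fields
        "wrong_key": decode_packet(packet, b"expert1"),     # None: lengths no longer add up
    }


if __name__ == "__main__":
    print(demo())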

Applicable hardware and software versions
Product | Software version
---|---
S12500G-AF switch series | Release 7639P01 and higher
S10500X switch series | Release 7639P01 and higher
S10500 switch series | Release 7639P01 and higher
S7500E-X switch series | Release 7639P01 and higher
S7500E switch series | Release 7639P01 and higher
S7500X switch series | Release 7639P01 and higher
Procedures
Configuring HWTACACS
NOTE: This section uses HWTACACS server ACS 4.0 to illustrate basic configuration of HWTACACS.
Adding a device management user
# Log in to the HWTACACS management platform. Click User-Setup in the left navigation pane.
· Enter username user@bbb.
· Click Add/Edit.
Figure 2 User creation interface
Configuring a device management user
# Edit a user.
· Set the user password to aabbcc.
· Select group Group 1 for the user.
· Click Submit.
Figure 3 User password configuration
Configuring the network
# In the left navigation pane, click Network Configuration. Specify a name in the AAA Client Hostname field. In this example, the name is Device.
· Specify the IP address of the device interface that connects the device to the HWTACACS server, 10.1.1.2, in the AAA Client IP Address field.
· Enter the shared key expert in the Key field. Make sure the shared key is the same as the key configured for authentication, authorization, and accounting in the HWTACACS scheme on the device.
· Select TACACS+ (Cisco IOS) from the Authenticate Using field.
· Click Submit+Apply.
Figure 4 Network configuration interface
Setting up the group
# From the left navigation pane, click Group Setup. Select Group 1 (the same group selected for the device management user) and then click Edit Settings.
· Select Shell (exec).
· Select Custom attributes and enter roles="network-operator" in the text box.
· Click Submit.
Figure 5 Selecting the group
Figure 6 Group configuration interface
Configuring the device
# Create VLAN 2 and add Ten-GigabitEthernet 1/0/2 to VLAN 2.
<Device> system-view
[Device] vlan 2
[Device-vlan2] port ten-gigabitethernet 1/0/2
[Device-vlan2] quit
# Configure an IP address for VLAN-interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] ip address 192.168.57.12 255.255.255.0
[Device-Vlan-interface2] quit
# Create VLAN 3. Assign Ten-GigabitEthernet 1/0/1 to VLAN 3.
[Device] vlan 3
[Device-vlan3] port ten-gigabitethernet 1/0/1
[Device-vlan3] quit
# Configure the IP address for VLAN-interface 3.
[Device] interface vlan-interface 3
[Device-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Device-Vlan-interface3] quit
# Enable Telnet server on the device.
[Device] telnet server enable
# Configure the Telnet user login interface to use the scheme method.
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device-line-vty0-63] quit
# Create HWTACACS scheme hwtac.
[Device] hwtacacs scheme hwtac
# Set the IP address of the primary authentication, authorization, and accounting server to 10.1.1.1, and the port number to 49. The TCP port for HWTACACS authentication, authorization, and accounting is 49.
[Device-hwtacacs-hwtac] primary authentication 10.1.1.1 49
[Device-hwtacacs-hwtac] primary authorization 10.1.1.1 49
[Device-hwtacacs-hwtac] primary accounting 10.1.1.1 49
# Set the plaintext shared key for packet exchange with the authentication, authorization, and accounting servers to expert.
[Device-hwtacacs-hwtac] key authentication simple expert
[Device-hwtacacs-hwtac] key authorization simple expert
[Device-hwtacacs-hwtac] key accounting simple expert
[Device-hwtacacs-hwtac] quit
# Create ISP domain bbb, configure login users to use the HWTACACS authentication, authorization, and accounting methods, and set bbb as the default ISP domain.
[Device] domain bbb
[Device-isp-bbb] authentication login hwtacacs-scheme hwtac
[Device-isp-bbb] authorization login hwtacacs-scheme hwtac
[Device-isp-bbb] accounting login hwtacacs-scheme hwtac
[Device-isp-bbb] quit
[Device] domain default enable bbb
Verifying the configuration
Verify that Telnet users can pass authentication with username user@bbb and password aabbcc, and obtain user role network-operator after authentication. Verify that the users can execute display commands for all functions and resources of the system.
Configuration files
#
telnet server enable
#
vlan 2 to 3
#
interface Vlan-interface2
ip address 192.168.57.12 255.255.255.0
#
interface Vlan-interface3
ip address 10.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 3
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
hwtacacs scheme hwtac
primary authentication 10.1.1.1
primary authorization 10.1.1.1
primary accounting 10.1.1.1
key authentication cipher $c$3$X3oR/wjLFjDqIyjdAmvjwAhiuqewGABglQ==
key authorization cipher $c$3$5pmuq0RJ9UWMWDkRNNERX6HFM0aRv5txFg==
key accounting cipher $c$3$FSdSiBY1u+ZNkAYYlPw9YkGxJA4iR8MDjw==
#
domain bbb
domain default enable bbb
authentication login hwtacacs-scheme hwtac
authorization login hwtacacs-scheme hwtac
accounting login hwtacacs-scheme hwtac
#
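Configuration files like the one above can be checked mechanically before a change window. The following Python audit is an added example, not part of this document or of H3C's software: it splits a Comware configuration on its # separators and flags settings that weaken login AAA (cleartext Telnet enabled, VTY lines not using scheme authentication, shared keys stored as simple rather than cipher, a scheme with no secondary server, accounting disabled for login users, and a default user role). The check names and the sample configuration (the file above with the cipher-text key values replaced by placeholders) are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample: the running configuration of the Telnet/HWTACACS example above,
# with the device's cipher-text key values replaced by a placeholder.
SAMPLE_TELNET_CONFIG = """
#
telnet server enable
#
line vty 0 63
 authentication-mode scheme
 user-role network-operator
#
hwtacacs scheme hwtac
 primary authentication 10.1.1.1
 primary authorization 10.1.1.1
 primary accounting 10.1.1.1
 key authentication cipher $c$3$PLACEHOLDER
 key authorization cipher $c$3$PLACEHOLDER
 key accounting cipher $c$3$PLACEHOLDER
#
domain bbb
 authentication login hwtacacs-scheme hwtac
 authorization login hwtacacs-scheme hwtac
 accounting login hwtacacs-scheme hwtac
#
"""

Finding = Tuple[str, str]   # (check id, human-readable detail)


def parse_sections(text: str) -> List[List[str]]:
    """Split a Comware configuration file on its '#' separator lines.
    Each section is a list of stripped lines; the first line is the section head."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_aaa(text: str) -> List[Finding]:
    """Run the login-AAA checks over every section and collect findings."""
    findings: List[Finding] = []
    for section in parse_sections(text):
        head, body = section[0], section[1:]
        if head == "telnet server enable":
            findings.append(("telnet-enabled",
                             "Telnet carries usernames and passwords in cleartext; prefer the Stelnet server"))
        elif head.startswith("line vty") or head.startswith("line aux"):
            if "authentication-mode scheme" not in body:
                findings.append(("no-scheme-auth", f"{head}: AAA is not used for login on these user lines"))
        elif head.startswith(("radius scheme", "hwtacacs scheme")):
            if any(re.match(r"key \w+ simple\b", line) for line in body):
                findings.append(("plaintext-key", f"{head}: shared key is stored in plaintext (simple)"))
            if not any(line.startswith("secondary ") for line in body):
                findings.append(("single-server", f"{head}: no secondary server, login depends on one AAA server"))
        elif head.startswith("domain "):
            if "accounting login none" in body:
                findings.append(("no-accounting", f"{head}: login sessions are not accounted"))
        elif head.startswith("role default-role enable"):
            findings.append(("default-role",
                             f"{head}: users authenticated without a server-assigned role receive this role"))
    return findings


def finding_ids(text: str) -> List[str]:
    """Sorted, de-duplicated check ids, convenient for comparing two configurations."""
    return sorted({check for check, _ in audit_aaa(text)})


if __name__ == "__main__":
    for check, detail in audit_aaa(SAMPLE_TELNET_CONFIG):
        print(f"[{check}] {detail}")
```

On the configuration above the audit reports telnet-enabled and single-server (the HWTACACS scheme has only a primary server); the cipher keys and the scheme authentication on the VTY lines pass.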
Example: Configuring RADIUS authentication and authorization in IMC for SSH users
Network configuration
As shown in Figure 7, configure the device to meet the following requirements:
· The RADIUS servers are used to provide authentication and authorization services for SSH users. One server acts as the primary server and the other acts as the secondary server.
· Domain names are included in the usernames sent to the RADIUS servers.
· The authenticated users are permitted to use the display commands of all system features and resources.
The RADIUS servers run IMC. Add a user account with username hello@bbb and password aabbcc on each RADIUS server.
Analysis
To meet the network requirements, you must perform the following tasks:
· Configure the SSH username and password on the primary and secondary RADIUS servers to identify valid users.
· For SSH users to perform AAA, set the authentication mode to scheme on VTY user lines.
· Configure the same shared key on the device and the RADIUS servers to secure RADIUS communication. When the shared key is configured, the device and the RADIUS servers transfer passwords safely and the device can verify the integrity of each RADIUS response.
· Configure RADIUS authentication and authorization by performing the following tasks on the device:
¡ Create a RADIUS scheme.
¡ Specify the primary and secondary servers for authentication and authorization.
¡ Apply the RADIUS scheme to the ISP domain to which the SSH users belong.
· Configure the RADIUS servers to assign the network-operator user role to the users, so the users can use all display commands.
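The shared-key bullet above makes two claims: passwords are not sent in the clear, and the device can verify each response. The following Python script is an added example (not from this document or from H3C) that implements both mechanisms from RFC 2865 with the values of this example: secret expert, username hello@bbb, password aabbcc, NAS IP 10.1.1.2. The RADIUS identifier, the fixed Request Authenticator and the server replies are constructed so the run is reproducible.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: b1 = MD5(S + RA), c1 = p1 XOR b1, b_i = MD5(S + c_{i-1}), c_i = p_i XOR b_i."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1-128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header octets."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_avps(data: bytes) -> Dict[int, bytes]:
    attrs, off = {}, 0
    while off + 2 <= len(data):
        t, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[off + 2:off + length]
        off += length
    return attrs


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request as the NAS (the device) would send it; the authenticator is random unless given."""
    ra = request_auth if request_auth is not None else os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its ID matches our request and its authenticator
    checks out under our secret. Anything else is silently dropped, as the RFC requires."""
    if len(response) < 20 or len(request) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed sample exchange using this example's values.
SECRET = b"expert"
FIXED_RA = bytes(range(16))   # fixed for reproducibility; a real NAS uses a random authenticator
REQUEST = build_access_request(7, SECRET, "hello@bbb", "aabbcc", "10.1.1.2", FIXED_RA)


def demo() -> dict:
    attrs = parse_avps(REQUEST[20:])
    good = build_response(ACCESS_ACCEPT, 7, FIXED_RA, SECRET)
    forged = build_response(ACCESS_ACCEPT, 7, FIXED_RA, b"guess")   # reply from a party without the key
    return {
        "password_on_wire": attrs[USER_PASSWORD],
        "password_recovered_by_server": reveal_password(attrs[USER_PASSWORD], SECRET, FIXED_RA),
        "good_reply_accepted": verify_response(good, REQUEST, SECRET),
        "forged_reply_accepted": verify_response(forged, REQUEST, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to the device configuration: the secret must be byte-for-byte identical on both sides (the same expert entered on the IMC access device page), and a wrong secret does not produce an error message, only rejected logins, which is why a key mismatch is the first thing to check when authentication fails against a reachable server.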
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
Hardware | Software version
---|---
S12500G-AF switch series | Release 7639P01 and higher
S10500X switch series | Release 7639P01 and higher
S10500 switch series | Release 7639P01 and higher
S7500E-X switch series | Release 7639P01 and higher
S7500E switch series | Release 7639P01 and higher
S7500X switch series | Release 7639P01 and higher
Restrictions and guidelines
When you configure RADIUS authentication and authorization for SSH users, follow these restrictions and guidelines:
· The Stelnet server supports only 256-bit and 384-bit ECDSA key pairs.
· Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.
Procedures
Configuring RADIUS servers
In this example, RADIUS servers run IMC PLAT 7.0 (E0102) and IMC UAM 7.0 (E0201). This example describes the configuration of the primary RADIUS server. Configure the secondary RADIUS server in the same way the primary RADIUS server is configured.
Adding the device to IMC as an access device
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
The access device list appears.
3. Click Add.
4. On the Add Access Device page, configure the following parameters, as shown in Figure 8:
¡ Enter 1812 and 1813 in the Authentication Port and Accounting Port fields, respectively.
¡ Enter expert in the Shared Key and Confirm Shared Key fields.
¡ Select Device Management Service from the Service Type list.
¡ Select H3C(General) from the Access Device Type list.
¡ Use the default values for other parameters in the Access Configuration area.
¡ In the Device List area, click Select or Add Manually to add the device (10.1.1.2) to IMC as an access device.
Figure 8 Adding an access device
5. Click OK.
Adding a device management user
1. Click the User tab.
2. From the navigation tree, select Access User > Device User.
The device management user list appears.
3. Click Add.
4. On the Add Device User page, configure the following parameters, as shown in Figure 9:
¡ Enter hello@bbb in the Account Name field.
¡ Enter aabbcc in the User Password and Confirm Password fields.
¡ Select SSH from the Service Type list.
¡ Enter network-operator in the Role Name field.
The network-operator user role has access to the display commands of all system features and resources.
¡ In the IP Address List of Managed Devices area, click Add to specify an IP segment (from 10.1.1.0 to 10.1.1.255) for management. The IP segment must contain the IP address of the access device.
Figure 9 Adding a device management user
5. Click OK.
Configuring the device
# Create VLAN 2 and assign Ten-GigabitEthernet 1/0/2 to the VLAN.
<Device> system-view
[Device] vlan 2
[Device-vlan2] port ten-gigabitethernet 1/0/2
[Device-vlan2] quit
# Assign an IP address to VLAN-interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Device-Vlan-interface2] quit
# Create VLAN 3 and assign Ten-GigabitEthernet 1/0/1 to the VLAN.
[Device] vlan 3
[Device-vlan3] port ten-gigabitethernet 1/0/1
[Device-vlan3] quit
# Assign an IP address to VLAN-interface 3.
[Device] interface vlan-interface 3
[Device-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Device-Vlan-interface3] quit
# Create a local RSA key pair.
[Device] public-key local create rsa
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...........
Create the key pair successfully.
# Create a local DSA key pair.
[Device] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.......
Create the key pair successfully.
# Create a 256-bit ECDSA key pair.
[Device] public-key local create ecdsa secp256r1
Generating Keys...
Create the key pair successfully.
# Create a 384-bit ECDSA key pair.
[Device] public-key local create ecdsa secp384r1
Generating Keys...
.
Create the key pair successfully.
# Enable the Stelnet server.
[Device] ssh server enable
# Enable scheme authentication on VTY user lines 0 through 63.
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device-line-vty0-63] quit
# Create a RADIUS scheme named rad.
[Device] radius scheme rad
# Specify the primary authentication RADIUS server with the IP address 10.1.1.1 and port number 1812.
[Device-radius-rad] primary authentication 10.1.1.1 1812
# Specify the secondary authentication RADIUS server with the IP address 10.1.1.11 and port number 1812.
[Device-radius-rad] secondary authentication 10.1.1.11 1812
# Specify the primary accounting RADIUS server with the IP address 10.1.1.1 and port number 1813.
[Device-radius-rad] primary accounting 10.1.1.1 1813
# Specify the secondary accounting RADIUS server with the IP address 10.1.1.11 and port number 1813.
[Device-radius-rad] secondary accounting 10.1.1.11 1813
# Set the authentication and accounting shared keys to expert in plain text for secure communication between the device and the RADIUS server.
[Device-radius-rad] key authentication simple expert
[Device-radius-rad] key accounting simple expert
# Include domain names in the usernames sent to the RADIUS server.
[Device-radius-rad] user-name-format with-domain
[Device-radius-rad] quit
# Create an ISP domain named bbb, configure the ISP domain to use RADIUS scheme rad as the AAA methods of login users, and set bbb as the default ISP domain.
[Device] domain bbb
[Device-isp-bbb] authentication login radius-scheme rad
[Device-isp-bbb] authorization login radius-scheme rad
[Device-isp-bbb] accounting login radius-scheme rad
[Device-isp-bbb] quit
[Device] domain default enable bbb
Verifying the configuration
# Initiate an SSH connection to the device, and enter username hello@bbb and password aabbcc. The user logs into the device. (Details not shown.)
# Verify that the user can use the display commands of all system features and resources. (Details not shown.)
# Display RADIUS scheme configuration.
<Sysname> display radius scheme
Total 1 RADIUS schemes
------------------------------------------------------------------
RADIUS scheme name: rad
Index: 0
Primary authentication server:
Host name: Not Configured
IP : 10.1.1.1 Port: 1812
VPN : Not configured
State: Active
Test profile: Not configured
Weight: 0
Primary accounting server:
Host name: Not Configured
IP : 10.1.1.1 Port: 1813
VPN : Not configured
State: Active
Weight: 0
Second authentication server:
Host name: Not Configured
IP : 10.1.1.11 Port: 1812
VPN : Not configured
State: Active
Test profile: Not configured
Weight: 0
Second accounting server:
Host name: Not Configured
IP : 10.1.1.11 Port: 1813
VPN : Not configured
State: Active
Weight: 0
Accounting-On function : Disabled
extended function : Disabled
retransmission times : 50
retransmission interval(seconds) : 3
Timeout Interval(seconds) : 3
Retransmission Times : 3
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(seconds) : 720
Stop-accounting packets buffering : Enabled
Retransmission times : 500
NAS IP Address : Not configured
VPN : Not configured
User Name Format : with-domain
Data flow unit : Byte
Packet unit : One
Attribute 5 format : Default
Attribute 15 check-mode : Strict
Attribute 25 : Standard
Attribute 87 format : Default
Attribute Remanent-Volume unit : Kilo
server-load-sharing : Disabled
Attribute 30 format : hh:hh:hh:hh:hh:hh:SSID
Attribute 30 MAC format : hh:hh:hh:hh:hh:hh
Attribute 31 MAC format : HH-HH-HH-HH-HH-HH
Stop-accounting packets send-force : Disabled
Reauthentication server selection : Inherit
Attribute 218 of vendor ID 25506 : DHCP-Option 61
Format 1 (1-byte Type field)
The output shows that the primary RADIUS server is in Active state.
# Disconnect the device from the primary RADIUS server. (Details not shown.)
# Verify that the primary RADIUS server has changed to the Block state in the RADIUS scheme. (Details not shown.)
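The Block transition in the last step is easier to watch for from a script than by eye when several schemes are configured. The following Python parser is an added example, not part of this document: it reads display radius scheme output in the format shown above and returns each server's role, IP, port and state, plus a helper that lists every server not in Active state. The sample output is constructed to show the primary server after it stopped answering.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: display radius scheme output after the primary server was disconnected.
SAMPLE_OUTPUT = """\
Total 1 RADIUS schemes
------------------------------------------------------------------
RADIUS scheme name: rad
  Index: 0
  Primary authentication server:
    Host name: Not Configured
    IP  : 10.1.1.1                                    Port: 1812
    VPN : Not configured
    State: Block
    Test profile: Not configured
    Weight: 0
  Primary accounting server:
    Host name: Not Configured
    IP  : 10.1.1.1                                    Port: 1813
    VPN : Not configured
    State: Block
    Weight: 0
  Second authentication server:
    Host name: Not Configured
    IP  : 10.1.1.11                                   Port: 1812
    VPN : Not configured
    State: Active
    Test profile: Not configured
    Weight: 0
  Second accounting server:
    Host name: Not Configured
    IP  : 10.1.1.11                                   Port: 1813
    VPN : Not configured
    State: Active
    Weight: 0
  Accounting-On function                      : Disabled
"""

SCHEME_LINE = re.compile(r"^RADIUS scheme name:\s*(\S+)")
SERVER_HEADER = re.compile(r"^\s*(Primary|Second(?:ary)?) (authentication|accounting) server:")
IP_LINE = re.compile(r"^\s*IP\s*:\s*(\S+)\s+Port:\s*(\d+)")
STATE_LINE = re.compile(r"^\s*State:\s*(\S+)")


def parse_radius_scheme(output: str) -> List[Dict[str, Optional[str]]]:
    """Walk the output line by line; a server block starts at its header and ends at its State line."""
    servers: List[Dict[str, Optional[str]]] = []
    scheme: Optional[str] = None
    current: Optional[Dict[str, Optional[str]]] = None
    for line in output.splitlines():
        m = SCHEME_LINE.match(line)
        if m:
            scheme = m.group(1)
            continue
        m = SERVER_HEADER.match(line)
        if m:
            current = {"scheme": scheme, "role": m.group(1).lower(), "kind": m.group(2),
                       "ip": None, "port": None, "state": None}
            servers.append(current)
            continue
        if current is None:
            continue
        m = IP_LINE.match(line)
        if m:
            current["ip"], current["port"] = m.group(1), m.group(2)
            continue
        m = STATE_LINE.match(line)
        if m:
            current["state"] = m.group(1)
            current = None   # State is the last field we need from this server block
    return servers


def blocked_servers(output: str) -> List[str]:
    """One line per server whose state is not Active, e.g. 'rad primary authentication 10.1.1.1:1812'."""
    return [f"{s['scheme']} {s['role']} {s['kind']} {s['ip']}:{s['port']}"
            for s in parse_radius_scheme(output) if s["state"] != "Active"]


if __name__ == "__main__":
    for entry in blocked_servers(SAMPLE_OUTPUT):
        print("not active:", entry)
```

Running the parser over output captured periodically (for example from a monitoring job that logs in over Stelnet) turns the manual check into an alert: any server that stays in Block state longer than the Server Quiet Period shown in the output is worth investigating.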
Configuration files
#
vlan 2 to 3
#
interface Vlan-interface2
ip address 192.168.1.70 255.255.255.0
#
interface Vlan-interface3
ip address 10.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 3
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ssh server enable
#
radius scheme rad
primary authentication 10.1.1.1
primary accounting 10.1.1.1
secondary authentication 10.1.1.11
secondary accounting 10.1.1.11
key authentication cipher $c$3$GBZ1jhslcGwSOpSejsESMnOr8Gb8SIT5ew==
key accounting cipher $c$3$nGb/DWK8pxbHaLXQVc+xsmbUr1etIZVd7Q==
#
domain bbb
domain default enable bbb
authentication login radius-scheme rad
authorization login radius-scheme rad
accounting login radius-scheme rad
#
Example: Configuring RADIUS authentication and authorization in ACS for SSH users
Network configuration
As shown in Figure 10, configure the device to meet the following requirements:
· Act as the Stelnet server to provide RADIUS-based authentication and authorization services for the SSH user.
· Assign the highest level of privilege to the SSH user after the user passes authentication.
The RADIUS server runs Cisco ACS. Add a user account with username manager@bbb and password 1234ab## on the RADIUS server.
The host runs Stelnet client software.
Analysis
To meet the network requirements, you must perform the following tasks:
· Configure the SSH username and password on the RADIUS server to identify valid users.
· For SSH users to perform AAA, set the authentication mode to scheme on VTY user lines.
· To support Stelnet clients that use different types of key pairs, generate DSA, ECDSA, and RSA key pairs on the Stelnet server.
· Configure RADIUS authentication and authorization by performing the following tasks on the device:
¡ Create a RADIUS scheme.
¡ Specify the authentication and authorization servers.
¡ Apply the RADIUS scheme to the ISP domain to which the SSH users belong on the device.
· Enable the default user role feature and specify network-admin as the default user role, so the authenticated users can obtain the highest level of privilege.
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
Product | Software version
---|---
S12500G-AF switch series | Release 7639P01 and higher
S10500X switch series | Release 7639P01 and higher
S10500 switch series | Release 7639P01 and higher
S7500E-X switch series | Release 7639P01 and higher
S7500E switch series | Release 7639P01 and higher
S7500X switch series | Release 7639P01 and higher
Restrictions and guidelines
When you configure RADIUS authentication and authorization for SSH users, follow these restrictions and guidelines:
· The Stelnet server supports only 256-bit and 384-bit ECDSA key pairs.
· Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.
Procedures
Configuring the RADIUS server
In this example, the server runs ACS 4.2. Before you perform the following tasks, make sure the host, the device, and the RADIUS server can reach each other.
1. Enter the username and password, and click Login, as shown in Figure 11.
2. Add the device to ACS as an AAA client:
a. In the navigation tree, click Network Configuration.
b. Click Add Entry, as shown in Figure 12.
Figure 12 Adding an AAA client
c. On the Add AAA Client page, configure the following parameters, as shown in Figure 13:
- Enter an AAA client hostname in the AAA Client Hostname field. This example uses Device.
- Enter 10.1.1.2 in the AAA Client IP Address field.
The IP address is the source IP address for outgoing RADIUS packets on the device.
- Enter expert in the Shared Secret field.
The shared secret must be the same as the authentication and accounting keys configured on the device for secure RADIUS communication.
- Select RADIUS (IETF) from the Authenticate Using list.
Figure 13 Configuring the AAA client
d. Click Submit + Apply.
3. Add a user:
a. In the navigation tree, click User Setup.
b. On the User Setup page, enter manager in the User field and click Add/Edit, as shown in Figure 14.
c. Configure parameters for the user, including the user password and user group, as shown in Figure 15.
This example uses the default user group.
Figure 15 Configuring the user manager
d. Click Submit.
Configuring the device
# Create VLAN 2 and assign Ten-GigabitEthernet 1/0/2 to the VLAN.
<Device> system-view
[Device] vlan 2
[Device-vlan2] port ten-gigabitethernet 1/0/2
[Device-vlan2] quit
# Assign an IP address to VLAN-interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] ip address 192.168.1.65 255.255.255.0
[Device-Vlan-interface2] quit
# Create VLAN 3 and assign Ten-GigabitEthernet 1/0/1 to the VLAN.
[Device] vlan 3
[Device-vlan3] port ten-gigabitethernet 1/0/1
[Device-vlan3] quit
# Assign an IP address to VLAN-interface 3.
[Device] interface vlan-interface 3
[Device-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Device-Vlan-interface3] quit
# Create a local RSA key pair.
[Device] public-key local create rsa
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...
Create the key pair successfully.
# Create a local DSA key pair.
[Device] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........
Create the key pair successfully.
# Create a local 256-bit ECDSA key pair.
[Device] public-key local create ecdsa secp256r1
Generating Keys...
Create the key pair successfully.
# Create a local 384-bit ECDSA key pair.
[Device] public-key local create ecdsa secp384r1
Generating Keys...
.
Create the key pair successfully.
# Enable the Stelnet server.
[Device] ssh server enable
# Enable scheme authentication on VTY user lines 0 through 63.
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device-line-vty0-63] quit
# Enable the default user role feature and specify network-admin as the default user role.
[Device] role default-role enable network-admin
# Create a RADIUS scheme named rad.
[Device] radius scheme rad
# Specify the primary RADIUS authentication server with the IP address 10.1.1.1 and port number 1812.
[Device-radius-rad] primary authentication 10.1.1.1 1812
# Specify the shared key as expert for secure RADIUS communication between the device and RADIUS server.
[Device-radius-rad] key authentication simple expert
# Remove the domain name from usernames sent to the RADIUS server.
[Device-radius-rad] user-name-format without-domain
[Device-radius-rad] quit
# Create an ISP domain named bbb, configure the domain to use RADIUS scheme rad as the authentication and authorization methods of login users with no accounting, and set bbb as the default ISP domain.
[Device] domain bbb
[Device-isp-bbb] authentication login radius-scheme rad
[Device-isp-bbb] authorization login radius-scheme rad
[Device-isp-bbb] accounting login none
[Device-isp-bbb] quit
[Device] domain default enable bbb
Verifying the configuration
Stelnet client software includes PuTTY and OpenSSH. This example uses a Stelnet client that runs PuTTY 0.58.
To verify that you can log into the Stelnet server from the Stelnet client:
1. Launch PuTTY.
2. From the navigation tree, click Session.
The PuTTY Configuration page appears.
3. Configure the following parameters, as shown in Figure 16:
a. Enter 192.168.1.65 in the Host Name (or IP address) field.
b. Enter 22 in the Port field.
c. Select SSH for Protocol.
Figure 16 Specifying basic connection parameters
4. Click Open.
The system might display a security alert dialog box, as shown in Figure 17.
Figure 17 PuTTY Security Alert dialog box (1)
5. Click Yes or No to continue the connection.
The system might display another security alert dialog box, as shown in Figure 18.
Figure 18 PuTTY Security Alert dialog box (2)
6. Click Yes or No to continue the connection.
7. Enter username manager@bbb and password 1234ab## to log into the Stelnet server.
login as: manager@bbb
manager@bbb@192.168.1.65's password:
******************************************************************************
* Copyright (c) 2004-2022 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<Device>
Configuration files
#
vlan 2 to 3
#
interface Vlan-interface2
ip address 192.168.1.65 255.255.255.0
#
interface Vlan-interface3
ip address 10.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 3
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ssh server enable
#
radius scheme rad
primary authentication 10.1.1.1
key authentication cipher $c$3$+zkawxNT2KQ1IhixdPDszSvNAH5b+yFMIQ==
user-name-format without-domain
#
domain bbb
domain default enable bbb
authentication login radius-scheme rad
authorization login radius-scheme rad
accounting login none
#
role default-role enable network-admin
#
Example: Configuring HWTACACS authentication and authorization for SSH users (ACS server)
Network configuration
As shown in Figure 19, remote access to the gateway device is required for system configuration and maintenance. To enhance the security of remote access, establish an SSH connection between the device and the administrator host. The specific requirements are as follows:
· The device uses a Cisco ACS server as the HWTACACS server to authenticate and authorize Stelnet clients.
· The administrator runs the Stelnet client on this host, accesses the device using username manager@bbb and password 1234ab##, and is granted full configuration privileges upon login.
Analysis
· For the device to authenticate users with the ACS server, configure AAA client and user configurations on the ACS server.
· To require users to enter a username and password when logging in to the device through the user line, configure the scheme method for user line login authentication on the device.
· For the device to authenticate and authorize users, complete the AAA configuration on the device, including the ISP domain and the HWTACACS scheme used to interact with the HWTACACS server.
· For administrator hosts that run Stelnet clients with different public key algorithms to establish SSH connections with the device, generate RSA, DSA, and ECDSA key pairs on the device.
· To grant Stelnet users the highest configuration privileges after they log in to the device, set the default user role to network-admin.
Applicable hardware and software versions
Product | Software version
---|---
S12500G-AF switch series | Release 7639P01 and higher
S10500X switch series | Release 7639P01 and higher
S10500 switch series | Release 7639P01 and higher
S7500E-X switch series | Release 7639P01 and higher
S7500E switch series | Release 7639P01 and higher
S7500X switch series | Release 7639P01 and higher
Restrictions and guidelines
The SSH server supports ECDSA key pairs of types secp256r1 and secp384r1.
The SSH server only supports local key pairs with a default name and does not support local key pairs with specified names.
Procedures
Configuring the HWTACACS server
NOTE:
· This section uses ACS 4.2 as an example to explain the basic configuration of a TACACS server.
· Before configuring the following settings, make sure the administrator host and the ACS server can reach each other.
1. Log in to the ACS server.
# Enter the username and password on the Web login page, then click Login to access the ACS server.
Figure 20 Logging in to the ACS server
2. Add an access device.
# From the left navigation pane, select Network Configuration. Click Add Entry.
Figure 21 Adding an access device
# Configure the following settings:
¡ Enter the name of the access device, the IP address of the access device, and the shared key for TACACS message exchange.
¡ Select TACACS+ (Cisco IOS) as the authentication protocol type.
¡ Click Submit + Apply.
Figure 22 Configuring the access device
3. Add a login user.
# From the left navigation pane, select User Setup. Enter username manager in the text box, and click Add/Edit.
Figure 23 Adding a login user
# Enter the user information, configure the user login password, and select the user group. In this example, the default group is used.
Figure 24 Configuring login user information
Configuring the device
# Create VLAN 2 and add Ten-GigabitEthernet 1/0/2 to VLAN 2.
<Device> system-view
[Device] vlan 2
[Device-vlan2] port ten-gigabitethernet 1/0/2
[Device-vlan2] quit
# Configure an IP address for VLAN-interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] ip address 192.168.1.65 255.255.255.0
[Device-Vlan-interface2] quit
# Create VLAN 3 and add Ten-GigabitEthernet 1/0/1 to VLAN 3.
[Device] vlan 3
[Device-vlan3] port ten-gigabitethernet 1/0/1
[Device-vlan3] quit
# Configure the IP address for VLAN-interface 3.
[Device] interface vlan-interface 3
[Device-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Device-Vlan-interface3] quit
# Generate an RSA key pair.
[Device] public-key local create rsa
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...
Create the key pair successfully.
# Generate a DSA key pair.
[Device] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........
Create the key pair successfully.
# Generate an ECDSA key pair of type secp256r1.
[Device] public-key local create ecdsa secp256r1
Generating Keys...
Create the key pair successfully.
# Generate an ECDSA key pair of type secp384r1.
[Device] public-key local create ecdsa secp384r1
Generating Keys...
.
Create the key pair successfully.
# Enable the SSH server feature.
[Device] ssh server enable
# Set the authentication mode to AAA (scheme) for the user lines.
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device-line-vty0-63] quit
# Enable default user role authorization, so that an authenticated user to whom the server assigns no role is granted the default user role network-admin.
[Device] role default-role enable network-admin
# Create HWTACACS scheme tac.
[Device] hwtacacs scheme tac
# Configure the IP address of the primary authentication server as 10.1.1.1 and the port number as 49.
[Device-hwtacacs-tac] primary authentication 10.1.1.1 49
# Set the plaintext shared key for packet exchange with the authentication server to expert.
[Device-hwtacacs-tac] key authentication simple expert
# Configure the IP address of the primary authorization server as 10.1.1.1 and the port number as 49.
[Device-hwtacacs-tac] primary authorization 10.1.1.1 49
# Set the plaintext shared key for packet exchange with the authorization server to expert.
[Device-hwtacacs-tac] key authorization simple expert
# Configure the device to exclude the domain name from usernames sent to the HWTACACS server.
[Device-hwtacacs-tac] user-name-format without-domain
[Device-hwtacacs-tac] quit
# Create ISP domain bbb, configure HWTACACS authentication and authorization for login users, and disable accounting for login users.
[Device] domain bbb
[Device-isp-bbb] authentication login hwtacacs-scheme tac
[Device-isp-bbb] authorization login hwtacacs-scheme tac
[Device-isp-bbb] accounting login none
[Device-isp-bbb] quit
# Specify bbb as the default ISP domain for users whose usernames carry no domain name.
[Device] domain default enable bbb
Verifying the configuration
NOTE: Different types of Stelnet client software are available, such as PuTTY and OpenSSH. This example uses a Stelnet client that runs PuTTY 0.58.
# Install PuTTY 0.58.
# Open the PuTTY.exe program, click the Session tab, and configure the following:
· Enter 192.168.1.40 in the Host Name (or IP address) field.
· Enter 22 in the Port field.
· Select SSH for Connection type.
# Click Open.
Figure 25 SSH client configuration interface
# If the PuTTY Security Alert dialog box opens, make a selection based on your actual situation. In this example, Yes is selected to trust this server.
Figure 26 PuTTY Security Alert dialog box
# If the PuTTY Security Alert dialog box opens, make a selection based on your actual situation. In this example, Yes is selected to trust the host key.
Figure 27 Stelnet client login interface (2)
# Enter username manager@bbb and password 1234ab## on the login screen to access the device.
login as: manager@bbb
manager@bbb@192.168.1.40's password:
******************************************************************************
* Copyright (c) 2004-2022 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<Device>
Configuration files
#
vlan 2 to 3
#
interface Vlan-interface2
ip address 192.168.1.65 255.255.255.0
#
interface Vlan-interface3
ip address 10.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 3
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ssh server enable
#
hwtacacs scheme tac
primary authentication 10.1.1.1
primary authorization 10.1.1.1
key authentication cipher $c$3$/9bCuPjMxjOtUvBx8NjtN+AnAsuLT2SrNA==
key authorization cipher $c$3$QF/fFJNv9IyKyFlsNOpeBYnDXArNhOvOdQ==
user-name-format without-domain
#
domain bbb
domain default enable bbb
authentication login hwtacacs-scheme tac
authorization login hwtacacs-scheme tac
accounting login none
#
role default-role enable network-admin
#
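As an added check (example code written for this page, not an H3C tool), the following Python script audits a saved configuration like the one above for the AAA login settings this example relies on: vty lines using scheme authentication, the default ISP domain referencing a defined HWTACACS scheme whose shared keys are stored in cipher rather than simple (plaintext) form, and it flags accounting login none and the network-admin default role as points to review. The block splitting on lines holding a single # and the sample text are assumptions about the configuration file layout shown above, not an official format specification.

```python
import re

# Constructed sample: the AAA-related blocks of the configuration file above (not the device's own output).
SAMPLE = """line vty 0 63
 authentication-mode scheme
#
hwtacacs scheme tac
 primary authentication 10.1.1.1
 primary authorization 10.1.1.1
 key authentication cipher $c$3$/9bCuPjMxjOtUvBx8NjtN+AnAsuLT2SrNA==
 key authorization cipher $c$3$QF/fFJNv9IyKyFlsNOpeBYnDXArNhOvOdQ==
#
domain bbb
 domain default enable bbb
 authentication login hwtacacs-scheme tac
 authorization login hwtacacs-scheme tac
 accounting login none
#
role default-role enable network-admin
#"""

def blocks(text):
    # Comware separates sections with lines holding a single '#'; keep stripped, non-empty lines.
    chunks = re.split(r"^#[ \t]*$", text, flags=re.M)
    return [b for b in ([l.strip() for l in c.splitlines() if l.strip()] for c in chunks) if b]

def audit(text):
    bl, f = blocks(text), []
    block = lambda h: next((b[1:] for b in bl if b[0] == h), None)  # body of the block with header h
    for b in bl:
        if b[0].startswith("line vty") and "authentication-mode scheme" not in b:
            f.append(("ERROR", f"{b[0]}: login not using AAA (scheme) authentication"))
    dom = next((l.split()[-1] for b in bl for l in b if l.startswith("domain default enable ")), None)
    d = block(f"domain {dom}")
    if d is None:
        return f + [("ERROR", f"default ISP domain {dom!r} is not defined")]
    for svc in ("authentication", "authorization"):
        ref = next((l.split()[-1] for l in d if l.startswith(f"{svc} login hwtacacs-scheme ")), None)
        sc = block(f"hwtacacs scheme {ref}")
        key = next((l.split()[2] for l in (sc or []) if l.startswith(f"key {svc} ")), None)
        if sc is None:
            f.append(("ERROR", f"domain {dom}: {svc} references missing HWTACACS scheme {ref!r}"))
        elif key is None:
            f.append(("ERROR", f"scheme {ref}: no {svc} shared key configured"))
        elif key == "simple":
            f.append(("WARN", f"scheme {ref}: {svc} shared key stored in plaintext"))
    if "accounting login none" in d:
        f.append(("INFO", f"domain {dom}: login accounting disabled, no server-side login trail"))
    if block("role default-role enable network-admin") is not None:
        f.append(("WARN", "default-role network-admin: users without a server-assigned role get full admin"))
    return f
```

Run audit() over the output of display current-configuration saved to a file; on the sample it reports only the INFO and WARN items, while a vty line left in password mode or a key kept in simple form produces ERROR and WARN findings respectively.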