Table of Contents

Related Documents

03-AAA Configuration Examples

Title	Size	Download
03-AAA Configuration Examples	164.60 KB

H3C Routers

AAA Configuration Examples

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.

Overview

The following information provides examples for configuring an AAA server to authenticate and authorize Telnet and SSH users.

Prerequisites

The following information applies to Comware 9-based routers. Procedures and information in the examples might be slightly different depending on the software or hardware version of the router.

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This assumes that you have basic knowledge of AAA.

Example: Configuring HWTACACS authentication and authorization for Telnet users

Network requirements

As shown in Figure 1, configure the following:

· Use the HWTACACS server to authorize and authenticate Telnet users logging into the device. The login username is user@bbb and the password is aabbcc.

· Allow users to execute all the display commands related to system functions and resources.

Figure 1 Network diagram

Analysis

· For the HWTACACS server to identify users, add Telnet usernames and passwords on the server.

· In this example, users must pass AAA authentication to log in to the device. You must set the authentication method for Telnet users to scheme.

· For the HWTACACS server to perform authorization and authentication, configure the HWTACACS scheme on the device and specify the servers for authorization and authentication. Apply the configuration to the ISP domain of Telnet users.

· To securely transmit user passwords between the device and HWTACACS server and to check the integrity of responses packets on the device, you must set the shared key for interaction messages on both the device and the HWTACACS server.

Software versions used

This configuration example was created and verified on R9141P16 of the MSR2630E-X1 router.

Procedures

Configuring HWTACACS

This section uses HWTACACS server ACS 4.0 to illustrate basic configuration of HWTACACS.

Adding a device management user

# Log in to the HWTACACS management platform. Click User-Setup in the left navigation pane.

· Enter username user@bbb.

· Click Add/Edit.

Figure 2 User creation interface

Configuring a device management user

# Edit a user.

· Set the user password to aabbcc.

· Select group Group 1 for the user.

· Click Submit.

Figure 3 User password configuration

Configuring the network

# In the left navigation pane, click Network Configuration. Specify a name in the AAA Client Hostname field. In this example, the name is Device.

· Specify the IP address of device interface that connects the device to the HWTACACS server as 10.1.1.2 in the AAA Client IP Address field.

· Enter the shared key for communication between the HWTACACS server and the device as imc in the Key field. Make sure the key is the same as the keys configured for authentication and authorization in the HWTACACS scheme.

· Select TACACS+ (Cisco IOS) in the Authenticate Using field.

· Click Submit+Apply.

Figure 4 Network configuration interface

Setting up the group

# In the left navigation pane, click Group Setup. Select Group 1 (the same group selected for the device management user) and then click Edit Settings.

· Select Shell (exec).

· Select Custom attributes and enter roles="network-operator" in the text box for users to execute all the display commands related to system functions and resources.

· Click Submit.

Figure 5 Selecting the group

Figure 6 Group configuration interface

Configuring the device

# Configure an IP address for interface GigabitEthernet 0/0/2.

<Device> system-view

[Device] interface gigabitethernet 0/0/2

[Device-GigabitEthernet0/0/2] ip address 192.168.57.12 255.255.255.0

[Device-GigabitEthernet0/0/2] quit

# Configure an IP address for interface GigabitEthernet 0/0/1.

[Device] interface gigabitethernet 0/0/1

[Device-GigabitEthernet0/0/1] ip address 10.1.1.2 255.255.255.0

[Device-GigabitEthernet0/0/1] quit

# Enable Telnet server on the device.

[Device] telnet server enable

# Configure the Telnet user login interface to use the scheme method.

[Device] line vty 0 63

[Device-line-vty0-63] authentication-mode scheme

[Device-line-vty0-63] quit

# Configure HWTACACS scheme hwtac.

[Device] hwtacacs scheme hwtac

# Set the IP address of the primary authentication, authorization, and accounting server to 10.1.1.1, and the port number to 49. The TCP port for HWTACACS authentication, authorization, and account is 49.

[Device-hwtacacs-hwtac] primary authentication 10.1.1.1 49

[Device-hwtacacs-hwtac] primary authorization 10.1.1.1 49

[Device-hwtacacs-hwtac] primary accounting 10.1.1.1 49

# Set the plaintext shared key for packet exchanging with the authorization, accounting, and account servers to imc.

[Device-hwtacacs-hwtac] key authentication simple imc

[Device-hwtacacs-hwtac] key authorization simple imc

[Device-hwtacacs-hwtac] key accounting simple imc

[Device-hwtacacs-hwtac] quit

# Create ISP domain bbb and configure login users to use the HWTACAS authentication, authorization, and accounting AAA methods.

[Device] domain bbb

[Device-isp-bbb] authentication login hwtacacs-scheme hwtac

[Device-isp-bbb] authorization login hwtacacs-scheme hwtac

[Device-isp-bbb] accounting login hwtacacs-scheme hwtac

[Device-isp-bbb] quit

Verifying the configuration

Verify that Telnet users can pass authentication with username user@bbb and password aabbcc, and obtain user role network-operator after authentication. Verify that the users can execute display commands for all functions and resources of the system.

Configuration files

telnet server enable

interface GigabitEthernet0/0/2

port link-mode route

ip address 192.168.57.12 255.255.255.0

interface GigabitEthernet0/0/1

port link-mode route

ip address 10.1.1.2 255.255.255.0

line vty 0 63

authentication-mode scheme

user-role network-operator

hwtacacs scheme hwtac

primary authentication 10.1.1.1

primary authorization 10.1.1.1

primary accounting 10.1.1.1

key authentication cipher $c$3$6ps2/dT38b2K2MDCMCDGYxrvyJNR+/jiKw==

key authorization cipher $c$3$xEldxJraE8Yof3rHHlVIgyCIb/uLlrZbgg==

key accounting cipher $c$3$kySCJbNA8DSs+l3HCqxunl8SE4me3vue5g==

domain bbb

authentication login hwtacacs-scheme hwtac

authorization login hwtacacs-scheme hwtac

accounting login hwtacacs-scheme hwtac

Example: Configuring RADIUS authentication and authorization for SSH users

Network requirements

As shown in Figure 7, configure the following:

· Use the RADIUS server to authorize and authenticate Telnet users logging into the device. The login username is hello@bbb and the password is aabbcc.

· Configure usernames sent by the device to the RADIUS server to carry domain names. The server uses the domain names to differentiate services provided to users.

· Allow users to execute all the display commands related to system functions and resources.

Figure 7 Network diagram

Analysis

· For the RADIUS server to identify users, add usernames and passwords on the server.

· In this example, users must pass AAA authentication to log in to the device. You must set the authentication method for SSH users to scheme.

· For the RADIUS server to perform authorization and authentication, configure the RADIUS scheme on the device and specify the servers for authorization and authentication. Apply the configuration to the ISP domain of SSH users.

· To securely transmit user passwords between the device and RADIUS server and to check the integrity of responses packets on the device, you must set the shared key for interaction messages on both the device and the RADIUS server.

Software versions used

This configuration example was created and verified on R9141P16 of the MSR2630E-X1 router.

Procedures

Configuring the RADIUS server

This document uses iMC PLAT 7.0 (E0102) and iMC EIA 7.0 (E0201) as an example to illustrate basic configuration of the in the example RADIUS server.

Adding an access device

Log in to the IMC management platform, click the User tab, and select User Access Policy > Access Device Management > Access Device in the left navigation pane. Then, click Add.

· Set the shared key for authentication and authorization interaction messages with the device as expert.

· Set the port numbers for authentication and accounting to 1812 (UDP port number of RADIUS server for authentication) and 1813 (UDP port number of RADIUS server for accounting).

· Select Device Management Service as the service type.

· Select H3C (General) as the access device type.

· Select or manually add the device with IP address 10.1.1.2 as an access device.

· Retain the default settings in the other fields and then click OK.

Adding a user

# Click the User tab, and select Device User > Device User in the navigation pane. Click Add.

· Entering the HDM username and password. In this example, the username is hello@bbb.

· Select SSH as the service type.

· Enter user role name network-operator.

· Add IP addresses of devices to be managed. In this example, the IP address range is 10.1.1.1 to 10.1.1.255.

· Click OK.

NOTE:

Make sure the IP address range includes the IP address of the access device.

Configuring the device

# Configure an IP address for interface GigabitEthernet 0/0/2.

<Device> system-view

[Device] interface gigabitethernet 0/0/2

[Device-GigabitEthernet0/0/2] ip address 192.168.1.70 255.255.255.0

[Device-GigabitEthernet0/0/2] quit

# Configure an IP address for interface GigabitEthernet 0/0/1.

[Device] interface gigabitethernet 0/0/1

[Device-GigabitEthernet0/0/1] ip address 10.1.1.2 255.255.255.0

[Device-GigabitEthernet0/0/1] quit

# Generate RSA and DSA key pairs.

[Device] public-key local create rsa

The range of public key size is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

........................++++++

...................++++++

..++++++++

............++++++++

Create the key pair successfully.

[Device] public-key local create dsa

The range of public key size is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

.++++++++++++++++++++++++++++++++++++++++++++++++++*

........+......+.....+......................................+

...+.................+..........+...+.

Create the key pair successfully.

# Enable the SSH server feature.

[Device] ssh server enable

# Configure SSH users to log in with the AAA authentication method.

[Device] line vty 0 63

[Device-line-vty0-63] authentication-mode scheme

[Device-line-vty0-63] quit

# Create RADIUS scheme rad.

[Device] radius scheme rad

# Configure the IP address of the primary authentication server as 10.1.1.1 and the port number as 1812.

[Device-radius-rad] primary authentication 10.1.1.1 1812

# Configure the IP address of the primary accounting server as 10.1.1.1 and the port number as 1813.

[Device-radius-rad] primary accounting 10.1.1.1 1813

# Set the plaintext shared key for packet exchanging with the accounting and account servers to expert.

[Device-radius-rad] key authentication simple expert

[Device-radius-rad] key accounting simple expert

# Configure the device to include domain names in usernames sent to the RADIUS server.

[Device-radius-rad] user-name-format with-domain

[Device-radius-rad] quit

# Create ISP domain bbb and configure login users to use the RADIUS authentication, authorization, and accounting AAA methods.

[Device] domain bbb

[Device-isp-bbb] authentication login radius-scheme rad

[Device-isp-bbb] authorization login radius-scheme rad

[Device-isp-bbb] accounting login radius-scheme rad

[Device-isp-bbb] quit

Verifying the configuration

Make a user send an SSH connection request to the device. Verify that the user can pass authentication with username hello@bbb and password aabbcc, and obtain user role network-operator after authentication. Verify that the users can execute display commands for all functions and resources of the system.

Configuration files

interface GigabitEthernet0/0/2

port link-mode route

ip address 192.168.1.70 255.255.255.0

interface GigabitEthernet0/0/1

port link-mode route

ip address 10.1.1.2 255.255.255.0

line vty 0 63

authentication-mode scheme

user-role network-operator

ssh server enable

radius scheme rad

primary authentication 10.1.1.1

primary accounting 10.1.1.1

key authentication cipher $c$3$63G7LzIQElGq4aFGTiYQafU+loQxS/cbLg==

key accounting cipher $c$3$tUIVlyGISJ5X/yiTFWrmh8nyjBIF+1LFzQ==

domain bbb

authentication login radius-scheme rad

authorization login radius-scheme rad

accounting login radius-scheme rad

H3C MSR1000[2600][3600] Routers Configuration Examples All-in-One-R9141-6W100

Prerequisites

Verifying the configuration

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us