Figure 18 Network diagram
Configuration procedure
# Assign IP addresses to relevant interfaces and make sure the device and the HWTACACS server can
reach each other and the device and Host A can reach each other. (Details not shown.)
# Enable the Telnet server.
<Device> system-view
[Device] telnet server enable
# Enable scheme authentication for user lines VTY 0 through VTY 4.
[Device] line vty 0 4
[Device-line-vty0-4] authentication-mode scheme
# Enable command authorization for the user lines.
[Device-line-vty0-4] command authorization
[Device-line-vty0-4] quit
# Configure an HWTACACS scheme that does the following:
•
Uses the HWTACACS server at 192.168.2.20:49 for authentication and authorization. In this
example, the HWTACACS server provides authentication and authorization services at port 49.
Uses the shared key expert.
•
Removes domain names from usernames sent to the HWTACACS server.
•
[Device] hwtacacs scheme tac
[Device-hwtacacs-tac] primary authentication 192.168.2.20 49
[Device-hwtacacs-tac] primary authorization 192.168.2.20 49
[Device-hwtacacs-tac] key authentication expert
[Device-hwtacacs-tac] key authorization expert
[Device-hwtacacs-tac] user-name-format without-domain
[Device-hwtacacs-tac] quit
# Configure the system-predefined domain system to use the HWTACACS scheme tac for login user
authentication and command authorization and to use local authentication and local authorization as
the backup method.
[Device] domain system
[Device-isp-system] authentication login hwtacacs-scheme tac local
[Device-isp-system] authorization command hwtacacs-scheme tac local
[Device-isp-system] quit
# Create local user monitor, set the password to 123, assign the Telnet service, and set the default user
role to level- 1 .
[Device] local-user monitor
45