CHAPTER 53: AAA/RADIUS/HWTACACS CONFIGURATION
[Switch-isp-1] accounting default hwtacacs-scheme hwtac
[Switch-isp-hwtacacs] accounting default hwtacacs-scheme hwtac
AAA for Telnet Users by Separate Servers
Network requirements
As shown in Figure 234, configure the switch to provide local authentication,
HWTACACS authorization, and RADIUS accounting services to Telnet users. The
user name and the password for Telnet users are both telnet.
The HWTACACS server is used for authorization. Its IP address is 10.1.1.2. On the
switch, set the shared keys for packets exchanged with the TACACS server to
expert. Configure the switch to remove the domain name from a user name
before sending the user name to the HWTACACS server.
The RADIUS server is used for accounting. Its IP address is 10.1.1.1. On the switch,
set the shared keys for packets exchanged with the RADIUS server to expert.
Configure the switch to remove the domain name from a user name before
sending the user name to the HWTACACS server.
Note: Configuration of separate AAA for other types of users is similar to that given in
this example. The only difference lies in the access type.
Network diagram
Figure 234 Configure AAA by separate servers for Telnet users
[Network diagram: Telnet user, Internet, Switch, HWTACACS authorization server (10.1.1.2/24), RADIUS accounting server (10.1.1.1/24)]
Configuration procedure
# Configure the IP addresses of various interfaces (omitted).
# Enable the Telnet server on the switch.
<Switch> system-view
[Switch] telnet server enable
# Configure the switch to use AAA for Telnet users.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
[Switch-ui-vty0-4] quit
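The step above applies `authentication-mode scheme` to VTY lines 0 through 4 only, so any other VTY line keeps whatever mode it already had and does not go through AAA. The following check is an added example, not part of the original guide: the sample configuration, the function names, the VTY count of 9, and the assumption that a saved configuration indents sub-commands under `user-interface` are all constructed for illustration.

```python
import re

# Constructed sample configuration (not from the original guide).
SAMPLE_CONFIG = """\
telnet server enable
user-interface vty 0 4
 authentication-mode scheme
user-interface vty 5 7
 authentication-mode password
user-interface vty 8
 user privilege level 3
"""

def vty_auth_modes(config):
    """Map each VTY line number to its authentication-mode (None if unset)."""
    modes = {}
    current = []          # VTY line numbers of the block being parsed
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"user-interface vty (\d+)(?: (\d+))?", line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = list(range(first, last + 1))
            for n in current:
                modes.setdefault(n, None)
            continue
        if not raw.startswith((" ", "\t")):
            current = []  # any other top-level command ends the block
            continue
        m = re.fullmatch(r"authentication-mode (\S+)", line)
        if m:
            for n in current:
                modes[n] = m.group(1)
    return modes

def lines_bypassing_aaa(config, vty_count):
    """Return {vty: mode} for every VTY line not set to 'scheme'."""
    modes = vty_auth_modes(config)
    return {n: modes.get(n) for n in range(vty_count)
            if modes.get(n) != "scheme"}

if __name__ == "__main__":
    for vty, mode in lines_bypassing_aaa(SAMPLE_CONFIG, 9).items():
        print(f"vty {vty}: authentication-mode {mode or 'not set'}")
```

Pass the number of VTY lines your switch model actually provides as `vty_count`; a line reported as "not set" falls back to the device default, which should be confirmed against the model's documentation.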
# Configure the HWTACACS scheme.