AAA configuration examples
AAA for SSH users by an HWTACACS server
Network requirements
As shown in
•
Use the HWTACACS server for SSH user authentication, authorization, and accounting.
•
Assign the default user role network-operator to SSH users after they pass authentication.
•
Exclude domain names from the usernames sent to the HWTACACS server.
•
Use expert as the shared keys for secure HWTACACS communication.
Figure 9 Network diagram
Configuration procedure
1.
Configure the HWTACACS server:
# Set the shared keys for secure communication with the switch to expert. (Details not shown.)
# Add an account for the SSH user and specify the password. (Details not shown.)
2.
Configure the switch:
# Assign IP addresses to the interfaces. (Details not shown.)
# Create an HWTACACS scheme.
<Switch> system-view
[Switch] hwtacacs scheme hwtac
# Specify the primary authentication server.
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Specify the primary authorization server.
[Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
# Specify the primary accounting server.
[Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49
# Set the shared keys for secure HWTACACS communication to expert in plain text.
[Switch-hwtacacs-hwtac] key authentication simple expert
[Switch-hwtacacs-hwtac] key authorization simple expert
[Switch-hwtacacs-hwtac] key accounting simple expert
# Exclude domain names from the usernames sent to the HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
Figure
9, configure the switch to meet the following requirements:
38