Authentication And Authorization For Ssh Users By A Radius Server - H3C S5830V2 Security Configuration Manual

# Enable scheme authentication for user interfaces VTY 0 through VTY 15.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] quit
# Configure an HWTACACS scheme.
[Switch] hwtacacs scheme hwtac
[Switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49
[Switch-hwtacacs-hwtac] key authorization simple expert
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
# Configure a RADIUS scheme.
[Switch] radius scheme rd
[Switch-radius-rd] primary accounting 10.1.1.1 1813
[Switch-radius-rd] key accounting simple expert
[Switch-radius-rd] user-name-format without-domain
[Switch-radius-rd] quit
# Create a device management user.
[Switch] local-user hello class manage
# Assign the SSH service for the local user.
[Switch-luser-manage-hello] service-type ssh
# Set a password for the local user to hello in plain text.
[Switch-luser-manage-hello] password simple hello
[Switch-luser-manage-hello] quit
# Create ISP domain bbb and configure AAA methods for login users.
[Switch] domain bbb
[Switch-isp-bbb] authentication login local
[Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
[Switch-isp-bbb] accounting login radius-scheme rd
[Switch-isp-bbb] quit
# Enable the default-user-role authorization function, so that an SSH user gets the default user role
network-operator after passing authentication.
[Switch] role default-role enable
Verifying the configuration
When the user initiates an SSH connection to the switch and enter the username hello@bbb and the
correct password, the user successfully logs in and can use the commands for the network-operator user
role.
Authentication and authorization for SSH users by a RADIUS
server
Network requirements
As shown in Figure 13, the RADIUS authentication and authorization server runs on IMC.
47