# Set the password to 123456TESTplat&! in plaintext form for the local user.
[Router-luser-manage-ssh] password simple 123456TESTplat&!
# Specify the user role for the user as network-admin.
[Router-luser-manage-ssh] authorization-attribute user-role network-admin
[Router-luser-manage-ssh] quit
# Create an ISP domain named bbb and configure the domain to use local authentication and authorization for login users.
[Router] domain bbb
[Router-isp-bbb] authentication login local
[Router-isp-bbb] authorization login local
[Router-isp-bbb] quit
Verifying the configuration
# Initiate an SSH connection to the router, and enter username ssh@bbb and the correct password.
The user logs in to the router. (Details not shown.)
# Verify that the user can use the commands permitted by the network-admin user role. (Details not shown.)
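An added audit script, not part of the H3C documentation, that parses a Comware-style configuration excerpt like the local-user and ISP-domain settings above and reports the points a security reviewer would raise: the `password simple` form keeps the secret recoverable from the configuration file, the user holds the network-admin role, and the domain defines no accounting method. The sample configuration is constructed from this page's commands in the indented display style rather than as typed commands.

```python
# Constructed sample (not from the manual): the local-user and ISP-domain
# settings from this page, written in display-current-configuration style.
SAMPLE_CONFIG = """\
local-user ssh class manage
 password simple 123456TESTplat&!
 service-type ssh
 authorization-attribute user-role network-admin
#
domain bbb
 authentication login local
 authorization login local
#
"""

def parse_views(config):
    """Group indented lines under their view header (local-user ..., domain ...)."""
    views = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "#":
            continue
        if not raw.startswith(" "):
            views.append((text, []))
        elif views:
            views[-1][1].append(text)
    return views

def audit_aaa(config):
    """Return (view, finding) pairs for AAA settings a reviewer would question."""
    findings = []
    for header, lines in parse_views(config):
        if header.startswith("local-user "):
            for line in lines:
                # 'password simple' stores the secret in plaintext form
                if line.startswith("password simple "):
                    findings.append((header, "password stored in plaintext form"))
                if line == "authorization-attribute user-role network-admin":
                    findings.append((header, "network-admin role assigned"))
        elif header.startswith("domain "):
            methods = {}
            for line in lines:
                parts = line.split()
                # e.g. 'authentication login local' -> methods['authentication'] = 'local'
                if len(parts) >= 3 and parts[1] == "login":
                    methods[parts[0]] = " ".join(parts[2:])
            # authentication and authorization are set here, but no accounting method
            if "accounting" not in methods:
                findings.append((header, "no accounting method for login users"))
    return findings
```

Running `audit_aaa(SAMPLE_CONFIG)` yields three findings for the page's local-authentication example; a domain that also sets `accounting login` and a user stored with a hashed password produce none.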
Example: Configuring AAA for SSH users by an HWTACACS server
Network configuration
As shown in Figure 16, configure the router to meet the following requirements:
• Use the HWTACACS server for SSH user authentication, authorization, and accounting.
• Assign the default user role network-operator to SSH users after they pass authentication.
• Exclude domain names from the usernames sent to the HWTACACS server.
• Use expert as the shared keys for secure HWTACACS communication.
Figure 16 Network diagram
Procedure
1. Configure the HWTACACS server:
# Set the shared keys to expert for secure communication with the router. (Details not shown.)
# Add an account for the SSH user and specify the password. (Details not shown.)
2. Configure the router:
# Configure IP addresses for interfaces. (Details not shown.)
# Create an HWTACACS scheme.