Table of Contents
Advertisement
Example: Configuring AAA for PPP users by an HWTACACS
server
Network configuration
As shown in
•
Router A uses the HWTACACS server to perform PAP authentication for users from Router B.
•
The HWTACACS server is also the authorization server and accounting server of Router B.
•
Router B does not provide authentication, authorization, or accounting for users from Router A.
Figure 22 Network diagram
Procedure
1.
Configure the HWTACACS server (details not shown):
a. Set the shared keys for secure communication with Router A to expert.
b. Add user account userb for the PPP users from Router B.
c. Specify the password as passb.
2.
Configure Router A:
# Configure IP addresses for interfaces. (Details not shown.)
# Create an HWTACACS scheme.
<RouterA> system-view
[RouterA] hwtacacs scheme hwtac
# Configure the primary HWTACACS server at 10.1.1.1. Set the authentication, authorization,
and accounting ports to 49. Configure the router to establish only one TCP connection with the
server.
[RouterA-hwtacacs-hwtac] primary authentication 10.1.1.1 49 single-connection
[RouterA-hwtacacs-hwtac] primary authorization 10.1.1.1 49 single-connection
[RouterA-hwtacacs-hwtac] primary accounting 10.1.1.1 49 single-connection
# Set the shared keys to expert in plaintext form for authentication, authorization, and
accounting.
[RouterA-hwtacacs-hwtac] key authentication simple expert
[RouterA-hwtacacs-hwtac] key authorization simple expert
[RouterA-hwtacacs-hwtac] key accounting simple expert
# Exclude domain names from the usernames sent to the HWTACACS server.
[RouterA-hwtacacs-hwtac] user-name-format without-domain
[RouterA-hwtacacs-hwtac] quit
# Create an ISP domain named bbb and configure the domain to use the HWTACACS scheme
for authentication, authorization, and accounting for PPP users.
Figure
22:
78
Advertisement
Table of Contents
Troubleshooting
