Local Authentication, HWTACACS Authorization, and RADIUS Accounting for SSH Users - HP 6125XLG Configuration Manual

Blade switch security configuration guide

[Switch-hwtacacs-hwtac] key accounting simple expert
# Remove domain names from the usernames sent to an HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
# Create ISP domain bbb and configure AAA methods for login users.
[Switch] domain bbb
[Switch-isp-bbb] authentication login hwtacacs-scheme hwtac
[Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
[Switch-isp-bbb] accounting login hwtacacs-scheme hwtac
[Switch-isp-bbb] quit
# Create local RSA and DSA key pairs.
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Enable the SSH service.
[Switch] ssh server enable
# Enable scheme authentication for user interfaces VTY 0 through VTY 15.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] quit
# Enable the default-user-role authorization function, so that an SSH user gets the default user role network-operator after passing authentication.
[Switch] role default-role enable
Verifying the configuration
When the user initiates an SSH connection to the switch and enters the correct username and password,
the user successfully logs in and can use the commands for the network-operator user role.
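
An added example, not part of the HP manual: a Python check that rebuilds the AAA state from a saved copy of the session above and reports gaps before the login test is attempted. It assumes the capture keeps the prompt-plus-command form printed on this page; the function name audit and the sample text are constructed for illustration, and the parser also accepts the local method used in the next scenario.

```python
import re

# Constructed sample: command lines from this page as they would appear in a saved session.
TRANSCRIPT = """\
[Switch-hwtacacs-hwtac] key accounting simple expert
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch] domain bbb
[Switch-isp-bbb] authentication login hwtacacs-scheme hwtac
[Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
[Switch-isp-bbb] accounting login hwtacacs-scheme hwtac
[Switch] ssh server enable
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch] role default-role enable
"""

PROMPT = re.compile(r"^\[([^\]]+)\]\s+(.+)$")
AAA = re.compile(r"^(authentication|authorization|accounting) login (\S+)(?: (\S+))?$")

def audit(transcript):
    """Rebuild AAA state from prompt/command pairs; return (state, findings)."""
    state = {"domains": {}, "schemes": set(), "flags": set()}
    findings = []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # '#' comment lines and blanks carry no configuration
        view, cmd = m.groups()
        if "-hwtacacs-" in view:  # the view name carries the scheme name
            state["schemes"].add(view.split("-hwtacacs-", 1)[1])
            if re.match(r"key \S+ simple \S", cmd):
                findings.append(f"{view}: shared key visible in clear text in this capture")
        elif "-isp-" in view and (a := AAA.match(cmd)):
            state["domains"].setdefault(view.split("-isp-", 1)[1], {})[a[1]] = (a[2], a[3])
        elif cmd in ("ssh server enable", "authentication-mode scheme", "role default-role enable"):
            state["flags"].add(cmd)
    for name, methods in sorted(state["domains"].items()):
        for service in ("authentication", "authorization", "accounting"):
            kind, scheme = methods.get(service, (None, None))
            if kind is None:
                findings.append(f"domain {name}: no {service} login method in capture")
            elif kind == "hwtacacs-scheme" and scheme not in state["schemes"]:
                findings.append(f"domain {name}: {service} uses HWTACACS scheme {scheme}, not configured in capture")
    if "authentication-mode scheme" not in state["flags"]:
        findings.append("VTY lines not set to authentication-mode scheme in capture")
    return state, findings

if __name__ == "__main__":
    print("\n".join(audit(TRANSCRIPT)[1]))
```

A finding about the shared key means the capture itself now holds the secret and should be stored and shared accordingly.
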
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
Network requirements
As shown in Figure 12, configure the switch to perform local authentication for SSH servers, use the
HWTACACS server and RADIUS server for SSH user authorization and accounting respectively, and to
assign the default user role network-operator to SSH users after they pass authentication.
Configure an account with the username hello for the SSH user. Configure the shared keys for secure
communication with the HWTACACS server and RADIUS server to expert. Configure the switch to
remove domain names from usernames sent to the servers.