Tacacs Authentication, Authorization, And Accounting Of Telnet Users - H3C S7500 Series Operation Manual

Operation Manual – AAA & RADIUS & HWTACACS & EAD
H3C S7500 Series Ethernet Switches
1.7.3 TACACS Authentication, Authorization, and Accounting of Telnet Users
I. Network requirements
The switch needs to be configured so that the Telnet users logging in to the TACACS
server are authenticated, authorized, and accounted.
A TACACS server with IP address 10.110.91.164 is connected to the switch. This
server will be used as the AAA server. On the switch, set the shared key that is used to
exchange packets with the AAA TACACS server as expert. Configure the switch to
strip off the domain name in the user name to be sent to the TACACS server.
Configure the shared key as expert on the TACACS server for exchanging packets
with the switch.
II. Network diagram
Figure 1-9 Remote TACACS authentication and authorization of Telnet user
(Diagram not reproduced; its labels are: Telnet User, Internet, Authentication Servers 10.110.91.164.)
III. Configuration procedure
# Add a Telnet user.
Omitted here
# Configure a HWTACACS scheme.
<H3C> system-view
[H3C] hwtacacs scheme hwtac
[H3C-hwtacacs-hwtac] primary accounting 10.110.91.164 49
[H3C-hwtacacs-hwtac] primary authentication 10.110.91.164 49
[H3C-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[H3C-hwtacacs-hwtac] key accounting expert
[H3C-hwtacacs-hwtac] key authentication expert
[H3C-hwtacacs-hwtac] key authorization expert
[H3C-hwtacacs-hwtac] user-name-format without-domain
[H3C-hwtacacs-hwtac] quit
# Configure the HWTACACS scheme hwtac to be referenced by the domain.
[H3C] domain hwtacacs
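
A check that can be run over a captured scheme configuration such as the one above, given here as an added example that is not part of the H3C manual: it parses the hwtacacs scheme commands and reports any service with no primary server, a missing or short shared key, or different keys for services that point at the same server. The names parse_schemes and audit and the MIN_KEY_LEN threshold are assumptions made for this example.

```python
import re

MIN_KEY_LEN = 16  # assumed local policy threshold, not a value from the manual
SERVICES = ("authentication", "authorization", "accounting")
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")  # <H3C> or [H3C-...] prompt

# Constructed input: the scheme commands from the configuration procedure above.
SAMPLE = """\
[H3C] hwtacacs scheme hwtac
[H3C-hwtacacs-hwtac] primary accounting 10.110.91.164 49
[H3C-hwtacacs-hwtac] primary authentication 10.110.91.164 49
[H3C-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[H3C-hwtacacs-hwtac] key accounting expert
[H3C-hwtacacs-hwtac] key authentication expert
[H3C-hwtacacs-hwtac] key authorization expert
[H3C-hwtacacs-hwtac] user-name-format without-domain
[H3C-hwtacacs-hwtac] quit
"""

def parse_schemes(text):
    """Return {scheme: {"primary": {service: ip}, "key": {service: key}}}."""
    schemes, cur = {}, None
    for raw in text.splitlines():
        w = PROMPT.sub("", raw).split() or [""]  # strip the prompt, tokenize
        if w[:2] == ["hwtacacs", "scheme"] and len(w) == 3:
            cur = schemes.setdefault(w[2], {"primary": {}, "key": {}})
        elif w[0] == "quit":
            cur = None  # left the scheme view
        elif cur is not None and len(w) >= 3 and w[0] in cur and w[1] in SERVICES:
            cur[w[0]][w[1]] = w[2]  # "primary <svc> <ip> ..." or "key <svc> <key>"
    return schemes

def audit(text):  # returns sorted (scheme, subject, finding) tuples
    out = []
    for name, s in parse_schemes(text).items():
        by_server = {}
        for svc in SERVICES:
            ip, key = s["primary"].get(svc), s["key"].get(svc)
            if ip is None:
                out.append((name, svc, "no primary server"))
            if key is None or len(key) < MIN_KEY_LEN:
                out.append((name, svc, "shared key missing or shorter than MIN_KEY_LEN"))
            if ip and key:
                by_server.setdefault(ip, set()).add(key)
        out += [(name, ip, "services use different keys for one server")
                for ip, keys in by_server.items() if len(keys) > 1]
    return sorted(out)

print(*audit(SAMPLE), sep="\n")
```

Against the commands in this procedure it reports the key expert as too short for all three services; the key is also what has to match the value configured on the TACACS server.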
Chapter 1 AAA & RADIUS & HWTACACS