Authentication/authorization for SSH/Telnet users by a RADIUS server
The configuration of authentication and authorization for SSH users is similar to that for Telnet users. The following example describes the configuration for SSH users.
Network requirements
As shown in Figure 12, configure the switch to use the RADIUS server for SSH user authentication and authorization, and to include the domain name in a username sent to the RADIUS server.
Configure IMC to act as the RADIUS server, add an account with the username hello@bbb on the RADIUS server, and configure the RADIUS server to assign the privilege level of 3 to the user after the user passes authentication.
Set the shared keys for secure RADIUS communication to expert.
Figure 12: Network diagram
Configuring the RADIUS server
This example assumes that the RADIUS server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101).
Add the switch to IMC as an access device:
Log in to IMC, click the Service tab, and select User Access Manager > Access Device from the navigation tree.
Click Add.
Configure the following parameters:
Set the shared key for secure authentication and accounting communication to expert.
Specify the ports for authentication and accounting as 1812 and 1813, respectively.
Select Device Management Service as the service type.
Select HP as the access device type.
Select the switch from the device list or manually add the switch with the IP address of 10.1.1.2.
Click OK.
NOTE:
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch, which is the IP address of the outbound interface by default, or otherwise the IP address specified with the nas-ip or radius nas-ip command on the switch.
Figure 13: Adding the switch to IMC as an access device
Add a user for device management:
Click the User tab, and select Device Management User from the navigation tree.
Click Add.
Configure the following parameters:
Enter hello@bbb as the username and set the password.
Select SSH as the service type.
Set the EXEC privilege level to 3. This value identifies the privilege level of the SSH user after login and defaults to 0.
Specify the IP address range of the hosts to be managed as 10.1.1.0 through 10.1.1.255.
Click OK.
Figure 14: Adding an account for device management
Configuring the switch
# Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch accesses the RADIUS server.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Generate RSA and DSA key pairs and enable the SSH server.
[Switch] public-key local create rsa
[Switch] public-key local create dsa
[Switch] ssh server enable
# Configure the switch to use AAA for SSH users.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Configure the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Create RADIUS scheme rad.
[Switch] radius scheme rad
# Specify the primary authentication server.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure authentication communication to expert.
[Switch-radius-rad] key authentication expert
# Configure the scheme to include the domain names in usernames to be sent to the RADIUS server.
[Switch-radius-rad] user-name-format with-domain
# Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs on IMC.
[Switch-radius-rad] server-type extended
[Switch-radius-rad] quit
# Configure the AAA methods for the domain.
[Switch] domain bbb
[Switch-isp-bbb] authentication login radius-scheme rad
[Switch-isp-bbb] authorization login radius-scheme rad
[Switch-isp-bbb] quit
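To show what the scheme above puts on the wire, here is an added Python example (not code from this guide, Comware or IMC) that builds the RFC 2865 Access-Request the switch sends for hello@bbb: the username kept with its domain (user-name-format with-domain), the User-Password attribute hidden with the shared key expert, NAS-IP-Address 10.1.1.2, and the check the client must make on the server's Response Authenticator, which is the only thing that proves the Access-Accept came from a server that knows the key. The password and the request authenticator are constructed values.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 codes and attribute types used here (added example, not from the switch guide).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def format_user_name(name: str, with_domain: bool) -> str:
    """Mirror the switch's user-name-format setting: keep or strip '@domain'."""
    return name if with_domain else name.split("@", 1)[0]

def transform_password(data: bytes, secret: bytes, authenticator: bytes, decrypt=False) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    padded = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = padded[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk if decrypt else result  # the chain always runs over ciphertext
        out += result
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_ip, authenticator=None):
    """Client side (the switch): random 16-byte Request Authenticator, hidden password."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, transform_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def build_access_accept(ident, request_authenticator, secret, attrs=b""):
    """Server side (constructed for the demo): the reply is bound to the key and the request."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code_id_len, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(code_id_len + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

A reply built with any other key fails response_is_authentic, which is why a key mismatch between the switch and IMC shows up as a silent authentication failure rather than an error message.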
Verifying the configuration
After you complete the configuration, the SSH user should be able to use the configured account to log in to the user interface of the switch and to run commands of level 0 through level 3.
# Use the display connection command to view the connection information on the switch.
[Switch] display connection
Index=1 ,Username=hello@bbb
IP=192.168.1.58
IPv6=N/A
Total 1 connection(s) matched.