Authentication and authorization for SSH users by a RADIUS server

As shown in Figure 12, configure the switch to meet the following requirements:

• Use the RADIUS server for SSH user authentication and authorization.

• Include domain names in the usernames sent to the RADIUS server.

• Assign the default user role network-operator to SSH users after they pass authentication.

The RADIUS server runs on IMC. Add an account with the username hello@bbb on the RADIUS server.

The RADIUS server and the switch use expert as the shared key for secure RADIUS communication. The ports for authentication and accounting are 1812 and 1813, respectively.

1. Configure the RADIUS server on IMC 5.0:

   	NOTE: This example assumes that the RADIUS server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101).

   # Add the switch to the IMC Platform as an access device.

   Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree. Then, click Add to configure an access device as follows:

   1. Set the shared key for secure RADIUS communication to expert.

   2. Set the ports for authentication and accounting to 1812 and 1813, respectively.

   3. Select the service type Device Management Service.

   4. Select the access device type HP.

   5. Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).

   6. Leave the default settings for other parameters and click OK.

   The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch. The source IP address is chosen in the following order on the switch:

   • IP address specified by the nas-ip command.

   • IP address specified by the radius nas-ip command.

   • IP address of the outbound interface (the default).

   Figure 13: Adding the switch as an access device

   

   # Add an account for device management.

   Click the User tab, and select Access User View > Device Mgmt User from the navigation tree. Then, click Add to configure a device management account as follows:

   1. Enter the account name hello@bbb and specify the password.

   2. Select the service type SSH.

   3. Specify 10.1.1.0 to 10.1.1.255 as the IP address range of the hosts to be managed.

   4. Click OK.

      	NOTE: The IP address range must contain the IP address of the switch.

   Figure 14: Adding an account for device management

   

2. Configure the switch:

   # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.

   <Switch> system-view
   [Switch] interface vlan-interface 2
   [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
   [Switch-Vlan-interface2] quit
   

   # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.

   [Switch] interface vlan-interface 3
   [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
   [Switch-Vlan-interface3] quit
   

   # Create local RSA and DSA key pairs.

   [Switch] public-key local create rsa
   [Switch] public-key local create dsa
   

   # Enable the SSH service.

   [Switch] ssh server enable
   

   # Enable scheme authentication for user lines VTY 0 through VTY 63.

   [Switch] line vty 0 63
   [Switch-line-vty0-63] authentication-mode scheme
   [Switch-line-vty0-63] quit
   

   # Enable the default user role feature to assign authenticated SSH users the default user role network-operator.

   [Switch] role default-role enable
   

   # Create a RADIUS scheme.

   [Switch] radius scheme rad
   

   # Specify the primary authentication server.

   [Switch-radius-rad] primary authentication 10.1.1.1 1812
   

   # Set the shared key for secure communication with the server to expert in plain text.

   [Switch-radius-rad] key authentication simple expert
   

   # Include domain names in the usernames sent to the RADIUS server.

   [Switch-radius-rad] user-name-format with-domain
   [Switch-radius-rad] quit
   

   # Create ISP domain bbb and configure authentication, authorization, and accounting methods for login users.

   [Switch] domain bbb
   [Switch-isp-bbb] authentication login radius-scheme rad
   [Switch-isp-bbb] authorization login radius-scheme rad
   [Switch-isp-bbb] accounting login none
   [Switch-isp-bbb] quit
   

# Initiate an SSH connection to the switch, and enter the username hello@bbb and the correct password. The user logs in to the switch. (Details not shown.)

# Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)