AAA for Telnet users by an HWTACACS server

Network requirements

As shown in Figure 11, configure the switch to use the HWTACACS server for Telnet user authentication, authorization, and accounting.

Set the shared keys for secure communication with the HWTACACS server to expert. Configure the switch to remove the domain name from a username sent to the HWTACACS server.

Figure 11: Network diagram

Configuration procedure

  • Configure the HWTACACS server:

    # On the HWTACACS server, set the shared keys for secure communication with the switch to expert, add an account for the Telnet user, and specify the password. (Details not shown.)

  • Configure the switch:

    # Assign IP addresses to the interfaces. (Details not shown.)

    # Enable the Telnet server on the switch.

    <Switch> system-view
    [Switch] telnet server enable

    # Configure the switch to use AAA for Telnet users.

    [Switch] user-interface vty 0 15
    [Switch-ui-vty0-15] authentication-mode scheme
    [Switch-ui-vty0-15] quit

    # Create HWTACACS scheme hwtac.

    [Switch] hwtacacs scheme hwtac

    # Specify the primary authentication server.

    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49

    # Specify the primary authorization server.

    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49

    # Specify the primary accounting server.

    [Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49

    # Set the shared keys for secure authentication, authorization, and accounting communication to expert.

    [Switch-hwtacacs-hwtac] key authentication simple expert
    [Switch-hwtacacs-hwtac] key authorization simple expert
    [Switch-hwtacacs-hwtac] key accounting simple expert

    # Remove domain names from the usernames sent to the HWTACACS server.

    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit

    # Configure the AAA methods for the domain.

    [Switch] domain bbb
    [Switch-isp-bbb] authentication login hwtacacs-scheme hwtac
    [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
    [Switch-isp-bbb] accounting login hwtacacs-scheme hwtac
    [Switch-isp-bbb] quit

  • Verify the configuration:

    Telnet to the switch, and enter the correct username and password. You pass authentication and log in to the switch. Use the display connection command on the switch to see information about the user connection.
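As an added check that is not part of the original configuration example, the following Python script audits a saved Comware-style configuration for the settings this procedure establishes: VTY lines in scheme mode, primary servers and shared keys for all three HWTACACS services, domain stripping, and the domain bound to the scheme. The sample configuration is constructed from the commands above, and the parser and function names are assumptions of this example, not switch software.

```python
# Constructed sample of a Comware-style configuration, assembled from the
# commands in the procedure above (not captured from a real switch).
SAMPLE_CONFIG = """\
hwtacacs scheme hwtac
 primary authentication 10.1.1.1 49
 primary authorization 10.1.1.1 49
 primary accounting 10.1.1.1 49
 key authentication simple expert
 key authorization simple expert
 key accounting simple expert
 user-name-format without-domain
domain bbb
 authentication login hwtacacs-scheme hwtac
 authorization login hwtacacs-scheme hwtac
 accounting login hwtacacs-scheme hwtac
user-interface vty 0 15
 authentication-mode scheme
"""

def parse_sections(config):
    """Map each unindented header line to the indented lines beneath it."""
    sections, header = {}, None
    for raw in config.splitlines():
        if raw.startswith(" "):
            if header:
                sections[header].append(raw.strip())
        else:
            header = raw.strip()
            sections[header] = []
    return sections

def audit_telnet_aaa(config, scheme="hwtac", domain="bbb"):
    """Return findings; an empty list means every setting in the procedure is present."""
    s = parse_sections(config)
    findings = []
    vty = [k for k in s if k.startswith("user-interface vty")]
    if not vty or "authentication-mode scheme" not in s[vty[0]]:
        findings.append("VTY lines do not use authentication-mode scheme")
    sch = s.get(f"hwtacacs scheme {scheme}", [])
    dom = s.get(f"domain {domain}", [])
    for svc in ("authentication", "authorization", "accounting"):
        if not any(l.startswith(f"primary {svc} ") for l in sch):
            findings.append(f"scheme {scheme}: no primary {svc} server")
        if not any(l.startswith(f"key {svc} ") for l in sch):
            findings.append(f"scheme {scheme}: no {svc} shared key")
        if f"{svc} login hwtacacs-scheme {scheme}" not in dom:
            findings.append(f"domain {domain}: {svc} login not bound to scheme {scheme}")
    if "user-name-format without-domain" not in sch:
        findings.append(f"scheme {scheme}: usernames still carry the domain name")
    return findings
```

The audit only checks that each shared key is configured, not that its value is adequate, so review key strength separately.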