Authentication/authorization for SSH/Telnet users by a RADIUS server
The authentication and authorization configuration for SSH users is similar to that for Telnet users. This example uses authentication and authorization configuration for SSH users.
Network requirements
As shown in Figure 13, configure the switch to use the RADIUS server for SSH user authentication and authorization, and to include the domain name in a username sent to the RADIUS server.
Configure IMC to provide the RADIUS server, add an account with the username hello@bbb on the RADIUS server, and configure the RADIUS server to assign the privilege level of 3 to the user after the user passes authentication.
Set the shared keys for secure RADIUS communication to expert.
Figure 13: Network diagram
Configuration procedure
Configure the RADIUS server (when the server runs on IMC PLAT 5.0):
NOTE: This section assumes that the RADIUS server runs on IMC PLAT 5.0 (E0101H03) and IMC UAM 5.0 SP1 (E0101P03).
# Add the switch to the IMC Platform as an access device.
Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree. Then, click Add to configure an access device as follows:
Set the shared key for secure authentication and accounting communication to expert.
Set the ports for authentication and accounting to 1812 and 1813, respectively.
Select Device Management Service as the service type.
Select HP(A-Series) as the access device type.
Select the access device from the device list, or manually add the device with the IP address 10.1.1.2.
Click OK.
NOTE:
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch, which is chosen in the following order on the switch:
The IP address specified with the nas-ip command.
The IP address specified with the radius nas-ip command.
The IP address of the outbound interface (the default).
Figure 14: Adding the switch as an access device
# Add a user for device management.
From the navigation tree, click the User tab, and select Access User View > Device Mgmt User. Then, click Add to configure a device management user as follows:
Add a user named hello@bbb and specify the password.
Select SSH as the service type.
Set the EXEC privilege level to 3. This argument identifies the privilege level of the SSH user after login and defaults to 0.
Specify the IP address range of the hosts to be managed as 10.1.1.0 to 10.1.1.255.
Click OK.
Figure 15: Adding an account for device management
Configure the switch:
# Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch accesses the RADIUS server.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Generate RSA and DSA key pairs and enable the SSH server.
[Switch] public-key local create rsa
[Switch] public-key local create dsa
[Switch] ssh server enable
# Configure the switch to use AAA for SSH users.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
# Configure the user interfaces to support SSH.
[Switch-ui-vty0-15] protocol inbound ssh
[Switch-ui-vty0-15] quit
# Create RADIUS scheme rad.
[Switch] radius scheme rad
# Specify the primary authentication server.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure authentication communication to expert.
[Switch-radius-rad] key authentication expert
# Include the domain names in usernames sent to the RADIUS server.
[Switch-radius-rad] user-name-format with-domain
# Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs on IMC.
[Switch-radius-rad] server-type extended
[Switch-radius-rad] quit
# Configure the AAA methods for the domain.
[Switch] domain bbb
[Switch-isp-bbb] authentication login radius-scheme rad
[Switch-isp-bbb] authorization login radius-scheme rad
[Switch-isp-bbb] quit
Verify the configuration:
After you complete the configuration, the SSH user should be able to log in to the user interface of the switch with the configured account and use the commands of level 0 through level 3.
# Use the display connection command to view the connection information on the switch.
[Switch] display connection
Index=1  ,Username=hello@bbb
 IP=192.168.1.58
 IPv6=N/A
 Total 1 connection(s) matched.
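The RADIUS exchange that the radius scheme rad configuration sets up, shown as an added Python example written for this page (it is not HP, Comware or IMC code). It follows RFC 2865 for the packet layout, the User-Password hiding and the Response Authenticator, so it shows what the shared key expert actually protects and why the switch and IMC must hold the same value. The password s3cret-pw, the request identifier 7, the empty reply attribute list and the wrong key used for the forged reply are constructed for the demonstration; the privilege-level attribute that IMC returns after authorization is not modelled, since its encoding is not covered by this page.

```python
# Added example for this page (not HP/IMC code): the RFC 2865 exchange behind
# "radius scheme rad". Password, identifier and reply attributes are constructed
# for illustration; the IMC privilege-level attribute is not modelled.
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN = 1          # RFC 2865 Service-Type "Login"
SHARED_KEY = b"expert"          # "key authentication expert" on the switch
NAS_IP = "10.1.1.2"             # must equal the access-device IP registered in IMC

def format_user_name(login_name: str, with_domain: bool) -> str:
    """Mirror 'user-name-format with-domain'/'without-domain'. IMC stores the
    account as hello@bbb, so stripping the domain would make the lookup fail."""
    if with_domain or "@" not in login_name:
        return login_name
    return login_name.split("@", 1)[0]

def hide_password(password: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous output block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def recover_password(hidden: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side of the same scheme: only a peer holding the shared key recovers it."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2 header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user: str, password: str, identifier: int,
                         request_authenticator: Optional[bytes] = None):
    """Encode the Access-Request the switch sends for an SSH login; returns
    (packet, request_authenticator), the latter being needed to check the reply."""
    ra = request_authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), ra, SHARED_KEY))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs, ra

def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def build_server_reply(code: int, identifier: int, attrs: bytes,
                       request_authenticator: bytes, secret: bytes) -> bytes:
    """Constructed reply from a server using 'secret' (may differ from the NAS key)."""
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs

def check_reply(packet: bytes, request_authenticator: bytes, expected_id: int) -> str:
    """Validate a reply as the NAS must: identifier matches the outstanding request and
    the Response Authenticator was made with our key; anything else is dropped."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or identifier != expected_id:
        raise ValueError("not a reply to the outstanding request")
    attrs = packet[20:]
    expected = response_authenticator(code, identifier, attrs, request_authenticator, SHARED_KEY)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: shared-key mismatch or forged reply")
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")

def demo() -> dict:
    """Round-trip hello@bbb: a matching-key server is accepted, a wrong-key one dropped."""
    user = format_user_name("hello@bbb", with_domain=True)
    packet, ra = build_access_request(user, "s3cret-pw", identifier=7)
    good = build_server_reply(ACCESS_ACCEPT, 7, b"", ra, SHARED_KEY)
    forged = build_server_reply(ACCESS_ACCEPT, 7, b"", ra, b"not-expert")
    try:
        check_reply(forged, ra, 7)
        forged_result = "accepted"
    except ValueError:
        forged_result = "dropped"
    return {"user": user, "good": check_reply(good, ra, 7),
            "forged": forged_result, "request_len": len(packet)}
```

Calling demo() returns "accept" for the reply built with expert and "dropped" for the one built with a different key. Two points from the configuration follow directly: user-name-format with-domain must stay on, because IMC holds the account as hello@bbb and a request for hello would not match it; and a reply whose Response Authenticator does not verify is discarded rather than treated as a reject, which is why a shared-key mismatch between the switch and IMC shows up as the switch never getting a usable answer instead of as an explicit rejection.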