RADIUS authentication and authorization for Telnet users by a network device

Network requirements

As shown in Figure 18, configure Switch B as the RADIUS server to provide user authentication and authorization on port 1645.

Configure Switch A to use the RADIUS server for Telnet user authentication and authorization, and to remove the domain name in a username sent to the server.

Set the shared keys for secure communication between the NAS and the RADIUS server to abc.

Figure 18: Network diagram

Configuration procedure

  • Configure an IP address for each interface as shown in Figure 18. (Details not shown.)

  • Configure the NAS:

    # Enable the Telnet server on Switch A.

    <SwitchA> system-view
    [SwitchA] telnet server enable
    

    # Configure Switch A to use AAA for Telnet users.

    [SwitchA] user-interface vty 0 4
    [SwitchA-ui-vty0-4] authentication-mode scheme
    [SwitchA-ui-vty0-4] quit
    

    # Create RADIUS scheme rad.

    [SwitchA] radius scheme rad
    

    # Specify the IP address for the primary authentication server as 10.1.1.2, the port for authentication as 1645, and the shared key for secure authentication communication as abc.

    [SwitchA-radius-rad] primary authentication 10.1.1.2 1645 key abc
    

    # Remove domain names from the usernames sent to the RADIUS server.

    [SwitchA-radius-rad] user-name-format without-domain
    

    # Set the source IP address for RADIUS packets as 10.1.1.1.

    [SwitchA-radius-rad] nas-ip 10.1.1.1
    [SwitchA-radius-rad] quit
    

    # Create ISP domain bbb.

    [SwitchA] domain bbb
    

    # Specify the authentication method for Telnet users as rad.

    [SwitchA-isp-bbb] authentication login radius-scheme rad
    

    # Specify the authorization method for Telnet users as rad.

    [SwitchA-isp-bbb] authorization login radius-scheme rad
    

    # Specify the accounting method for Telnet users as none.

    [SwitchA-isp-bbb] accounting login none
    

    # Configure the RADIUS server type as standard. When a network device is configured to serve as a RADIUS server, the server type must be set to standard.

    [SwitchA-isp-bbb] server-type standard
    [SwitchA-isp-bbb] quit
    

    # Configure bbb as the default ISP domain. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain are used for the user.

    [SwitchA] domain default enable bbb
    
  • Configure the RADIUS server:

    # Create RADIUS user aaa and enter its view.

    <SwitchB> system-view
    [SwitchB] radius-server user aaa
    

    # Configure a plaintext password aabbcc for user aaa.

    [SwitchB-rdsuser-aaa] password simple aabbcc
    [SwitchB-rdsuser-aaa] quit
    

    # Specify the IP address of the RADIUS client as 10.1.1.1 and the plaintext shared key as abc.

    [SwitchB] radius-server client-ip 10.1.1.1 key simple abc
    
  • Verify the configuration:

    After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Switch A. Use the display connection command to view the connection information on Switch A.

    <SwitchA> display connection
    
    Index=1   ,Username=aaa@bbb
    IP=192.168.1.2
    IPv6=N/A
     Total 1 connection(s) matched.
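
As an added illustration of what the shared key abc, the nas-ip setting and user-name-format without-domain do on the wire between Switch A and Switch B, the following Python models the RFC 2865 Access-Request / Access-Accept exchange. This is example code, not from the switch vendor's documentation; the user table standing in for Switch B's radius-server user entry and the request authenticator are constructed stand-ins.

```python
import hashlib
import struct

# Constructed from the example: Switch A's nas-ip and key, Switch B's user aaa/aabbcc.
SHARED_KEY, NAS_IP = b"abc", "10.1.1.1"
USERS = {b"aaa": b"aabbcc"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 s5.2 User-Password hiding, or its inverse when hiding=False."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (res if hiding else block)
    return out

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(username, password, ident, request_auth):
    """NAS side (Switch A): strip @domain, hide the password, send nas-ip as NAS-IP-Address."""
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = attr(USER_NAME, username.split("@", 1)[0].encode())
    attrs += attr(USER_PASSWORD, xor_chain(padded, SHARED_KEY, request_auth, True))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def server_reply(request, secret=SHARED_KEY):
    """Server (Switch B): reveal the password; reply auth = MD5(hdr+ReqAuth+attrs+secret)."""
    ident, length = struct.unpack("!BH", request[1:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    pw = xor_chain(attrs[USER_PASSWORD], secret, request_auth, False).rstrip(b"\x00")
    code = ACCESS_ACCEPT if USERS.get(attrs[USER_NAME]) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no attributes in this reply
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_response(response, request_auth, secret=SHARED_KEY):
    """NAS side: a reply not authenticated with our shared key must be discarded."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret)
    return response[4:20] == expected.digest()
```

Running server_reply with a different secret than the NAS used shows the failure mode behind a key mismatch: the revealed password is garbage, so the user is rejected, and the reply's Response Authenticator no longer verifies on the NAS.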