RADIUS authentication and authorization for Telnet users by a network device
Network requirements
As shown in Figure 18, configure Switch B as the RADIUS server to provide user authentication and authorization on port 1645.
Configure Switch A to use the RADIUS server for Telnet user authentication and authorization, and to remove the domain name in a username sent to the server.
Set the shared keys for secure communication between the NAS and the RADIUS server to abc.
Figure 18: Network diagram
Configuration procedure
Configure an IP address for each interface as shown in Figure 18. (Details not shown.)
Configure the NAS:
# Enable the Telnet server on Switch A.
<SwitchA> system-view [SwitchA] telnet server enable
# Configure Switch A to use AAA for Telnet users.
[SwitchA] user-interface vty 0 4 [SwitchA-ui-vty0-4] authentication-mode scheme [SwitchA-ui-vty0-4] quit
# Create RADIUS scheme rad.
[SwitchA] radius scheme rad
# Specify the IP address for the primary authentication server as 10.1.1.2, the port for authentication as 1645, and the shared key for secure authentication communication as abc.
[SwitchA-radius-rad] primary authentication 10.1.1.2 1645 key abc
# Remove domain names from the usernames sent to the RADIUS server.
[SwitchA-radius-rad] user-name-format without-domain
# Set the source IP address for RADIUS packets as 10.1.1.1.
[SwitchA-radius-rad] nas-ip 10.1.1.1 [SwitchA-radius-rad] quit
# Create ISP domain bbb.
[SwitchA] domain bbb
# Specify the authentication method for Telnet users as rad.
[SwitchA-isp-bbb] authentication login radius-scheme rad
# Specify the authorization method for Telnet users as rad.
[SwitchA-isp-bbb] authorization login radius-scheme rad
# Specify the accounting method for Telnet users as none.
[SwitchA-isp-bbb] accounting login none
# Configure the RADIUS server type as standard. When a network device is configured to serve as a RADIUS server, the server type must be set to standard.
[SwitchA-isp-bbb] server-type standard [SwitchA-isp-bbb] quit
# Configure bbb as the default ISP domain. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain are used for the user.
[SwitchA] domain default enable bbb
Configure the RADIUS server:
# Create RADIUS user aaa and enter its view.
<SwitchB> system-view [SwitchB] radius-server user aaa
# Configure a plaintext password aabbcc for user aaa.
[SwitchB-rdsuser-aaa] password simple aabbcc [SwitchB-rdsuser-aaa] quit
# Specify the IP address of the RADIUS client as 10.1.1.1 and the plaintext shared key as abc.
[SwitchB] radius-server client-ip 10.1.1.1 key simple abc
Verify the configuration:
After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Switch A. Use the display connection command to view the connection information on Switch A.
<SwitchA> display connection Index=1 ,Username=aaa@bbb IP=192.168.1.2 IPv6=N/A Total 1 connection(s) matched.