Configuration example

Network requirements

As shown in Figure 17, Host A needs to log in to the device to manage it.

Configure the device to perform the following operations:

Figure 17: Network diagram

Configuration procedure

# Assign IP addresses to relevant interfaces. Make sure the device and the HWTACACS server can reach each other. Make sure the device and Host A can reach each other. (Details not shown.)

# Enable the Telnet server.

<Device> system-view
[Device] telnet server enable

# Enable scheme authentication for user lines VTY 0 through VTY 63.

[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme

# Enable command authorization for the user lines.

[Device-line-vty0-63] command authorization
[Device-line-vty0-63] quit

# Create HWTACACS scheme tac.

[Device] hwtacacs scheme tac

# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for authentication and authorization.

[Device-hwtacacs-tac] primary authentication 192.168.2.20 49
[Device-hwtacacs-tac] primary authorization 192.168.2.20 49

# Set the shared keys to expert.

[Device-hwtacacs-tac] key authentication simple expert
[Device-hwtacacs-tac] key authorization simple expert

# Remove domain names from usernames sent to the HWTACACS server.

[Device-hwtacacs-tac] user-name-format without-domain
[Device-hwtacacs-tac] quit

# Configure the system-defined domain (system).

[Device] domain system

# Use HWTACACS scheme tac for login user authentication and command authorization. Use local authentication and local authorization as the backup method.

[Device-isp-system] authentication login hwtacacs-scheme tac local
[Device-isp-system] authorization command hwtacacs-scheme tac local
[Device-isp-system] quit

# Create local user monitor. Set the simple password to 123, the service type to Telnet, and the default user role to level-1.

[Device] local-user monitor
[Device-luser-manage-monitor] password simple 123
[Device-luser-manage-monitor] service-type telnet
[Device-luser-manage-monitor] authorization-attribute user-role level-1
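Added here as a configuration-audit example, not part of the original guide and not an H3C tool: a Python check that parses the running configuration the procedure above produces and flags what a reviewer of this setup looks for: VTY lines without scheme authentication or command authorization, a HWTACACS scheme missing a server or key, command authorization with no local backup method, and short local-user passwords. The sample configuration is constructed from the commands above; the `class manage` keyword on the local-user line is assumed from the `[Device-luser-manage-monitor]` prompt.

```python
import re

# Constructed sample (not device output) of the config the steps above yield, in Comware's view layout.
SAMPLE_CONFIG = """\
line vty 0 63
 authentication-mode scheme
 command authorization
#
hwtacacs scheme tac
 primary authentication 192.168.2.20 49
 primary authorization 192.168.2.20 49
 key authentication simple expert
 key authorization simple expert
#
domain system
 authorization command hwtacacs-scheme tac local
#
local-user monitor class manage
 password simple 123
"""

def parse_blocks(text):
    """Map each view header to its indented sub-commands; '#' separates views."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and cur:
            blocks[cur].append(line.strip())
        elif line.strip() and line.strip() != "#":
            cur = line.strip()
            blocks[cur] = []
    return blocks

def audit(text):
    """Return findings about the Telnet login and command-authorization chain."""
    out = []
    for h, cmds in parse_blocks(text).items():
        if h.startswith("line vty"):  # every VTY line must use scheme auth and command authz
            out += [f"{h}: '{n}' missing" for n in
                    ("authentication-mode scheme", "command authorization") if n not in cmds]
        if h.startswith("hwtacacs scheme "):  # scheme needs a server and a key for both services
            out += [f"{h}: no {n}" for n in ("primary authentication", "primary authorization",
                    "key authentication", "key authorization")
                    if not any(c.startswith(n + " ") for c in cmds)]
        for c in cmds:
            m = re.match(r"authorization command hwtacacs-scheme \S+\s*(.*)", c)
            if m and "local" not in m.group(1).split():  # server unreachable -> commands denied
                out.append(f"{h}: no local backup for command authorization")
            m = re.match(r"password simple (\S+)", c)
            if m and len(m.group(1)) < 8:
                out.append(f"{h}: password shorter than 8 characters")
    return out
```

Running `audit(SAMPLE_CONFIG)` reports only the short password of user monitor; removing `command authorization` or the `local` backup from the sample adds the corresponding finding.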