
Network requirements, Network diagram, Configuration procedure – H3C Technologies H3C S3600 Series Switches User Manual

Page 548


This method is similar to the remote authentication method described in Remote RADIUS Authentication of Telnet/SSH Users. However, you need to:

- Change the server IP address and the UDP port number of the authentication server to 127.0.0.1 and 1645, respectively, in the configuration step "Configure a RADIUS scheme" in Remote RADIUS Authentication of Telnet/SSH Users.

- Enable the local RADIUS server function, and set the IP address and shared key for the network access server to 127.0.0.1 and aabbcc, respectively.

- Configure local users.

HWTACACS Authentication and Authorization of Telnet Users

Network requirements

You are required to configure the switch so that the Telnet users logging into the switch are authenticated and authorized by the TACACS server.

A TACACS server with IP address 10.110.91.164 is connected to the switch. This server will be used as the authentication and authorization server. On the switch, set both authentication and authorization shared keys that are used to exchange messages with the TACACS server to aabbcc. Configure the switch to strip domain names off usernames before sending usernames to the TACACS server.

Configure the shared key to aabbcc on the TACACS server for exchanging messages with the switch.

Network diagram

Figure 2-4 Remote HWTACACS authentication and authorization of Telnet users

[Diagram labels: Telnet user, Internet, Authentication server 10.110.91.164/16]

Configuration procedure

# Add a Telnet user.

(Omitted here)

# Configure a HWTACACS scheme.

<Sysname> system-view
[Sysname] hwtacacs scheme hwtac
[Sysname-hwtacacs-hwtac] primary authentication 10.110.91.164 49
[Sysname-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[Sysname-hwtacacs-hwtac] key authentication aabbcc
[Sysname-hwtacacs-hwtac] key authorization aabbcc
[Sysname-hwtacacs-hwtac] user-name-format without-domain
[Sysname-hwtacacs-hwtac] quit
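Added example, not part of the H3C manual: a Python check that parses hwtacacs scheme commands as typed above (for instance in a provisioning script) and flags any configured server whose shared key is missing, equals the manual's sample key aabbcc, or is shorter than a policy minimum. The scheme hwtac2, its 192.0.2.10 address and key, and the 16-character minimum are constructed assumptions.

```python
import re

SAMPLE_KEYS = {"aabbcc"}  # sample key printed on this manual page
MIN_KEY_LEN = 16          # assumed local policy, not an H3C requirement
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # leading "[Sysname-...]" or "<Sysname>"

def parse_schemes(text):
    """Return {scheme: {"servers": {service: ip}, "keys": {service: key}}}."""
    schemes, current = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if words[:2] == ["hwtacacs", "scheme"] and len(words) == 3:
            current = schemes.setdefault(words[2], {"servers": {}, "keys": {}})
        elif current is None or not words:
            continue
        elif words[0] == "quit":
            current = None  # left the scheme view
        elif words[0] == "primary" and len(words) >= 3:
            current["servers"][words[1]] = words[2]
        elif words[0] == "key" and len(words) == 3:
            current["keys"][words[1]] = words[2]
    return schemes

def audit(text):
    """Return sorted (scheme, service, issue) findings for weak or missing keys."""
    findings = []
    for name, scheme in parse_schemes(text).items():
        for service in scheme["servers"]:
            key = scheme["keys"].get(service)
            if key is None:
                findings.append((name, service, "no shared key"))
            elif key in SAMPLE_KEYS:
                findings.append((name, service, "documentation sample key"))
            elif len(key) < MIN_KEY_LEN:
                findings.append((name, service, "key shorter than policy minimum"))
    return sorted(findings)

# Constructed input: the scheme from this page, then a hypothetical scheme hwtac2.
SAMPLE = """\
[Sysname] hwtacacs scheme hwtac
[Sysname-hwtacacs-hwtac] primary authentication 10.110.91.164 49
[Sysname-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[Sysname-hwtacacs-hwtac] key authentication aabbcc
[Sysname-hwtacacs-hwtac] key authorization aabbcc
[Sysname-hwtacacs-hwtac] quit
[Sysname] hwtacacs scheme hwtac2
[Sysname-hwtacacs-hwtac2] primary authentication 192.0.2.10 49
[Sysname-hwtacacs-hwtac2] primary authorization 192.0.2.10 49
[Sysname-hwtacacs-hwtac2] key authentication Zt4mQ9constructedKey77
"""
```

Calling audit(SAMPLE) reports both hwtac services as using the documentation sample key and the hwtac2 authorization server as having no shared key.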
