Logging In to the Device Through STelnet Based on RADIUS Authentication

CloudEngine 16800, 12800, 9800, 8800, 7800, 6800, and 5800 Series Switches Typical Configuration Examples (V100 and V200)

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Applicable Products and Versions

This example applies to CE12800, CE6800, and CE5800 series switches running V100R001C00 and later versions.

This example applies to CE16800 series switches running V200R005C20 and later versions.

This example applies to CE7800 series switches running V100R003C00 and later versions.

This example applies to CE8800 series switches running V100R006C00 and later versions.

This example applies to CE12800E series switches running V200R002C50 and later versions.

This example applies to CE9800 series switches running V200R020C00 and later versions.

For details about the mapping between software versions and switch models, see the Hardware Query Tool.

Networking Requirements

The network administrator requires remote management and maintenance on the device and high network security for preventing the network from unauthorized access. In addition, the network administrator needs to configure STelnet login to the switch based on AAA local authentication when ensuring RADIUS server login. In this scenario, STelnet login based on RADIUS authentication and AAA local authentication can be configured to meet user requirements.

In Figure 2-10, the switch and RADIUS server are routable to each other. The IP address and port number of the RADIUS server are 10.7.66.66/24 and 1812 respectively.

Figure 2-10 Networking diagram of logging in to the device through STelnet based on RADIUS authentication

Precautions

When configuring STelnet login based on RADIUS authentication, pay attention to the following points:

Ensure that the RADIUS server IP address, port number, and shared key in the RADIUS server group are configured correctly and are the same as those on the RADIUS server.
Ensure that at least one user has been configured on the RADIUS server. In this example, the user name is client001 and the password is Huawei@123.

Configuration Roadmap

The configuration roadmap is as follows:

Configure the RADIUS protocol to implement RADIUS authentication.
Log in to the device through STelnet using the user name and password configured on the RADIUS server, ensuring login security.

Procedure

Configure RADIUS authentication.

Configure a RADIUS server group.

<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] radius enable   //Enable the RADIUS protocol.
[*Switch] radius server group shiva   //Create a RADIUS server group.
[*Switch-radius-shiva] radius server authentication 10.7.66.66 1812   //Configure the IP address and port number for the RADIUS server.
[*Switch-radius-shiva] radius server shared-key-cipher hello   //Configure the shared key for the RADIUS server.
[*Switch-radius-shiva] radius server retransmit 2   //Set the number of retransmission times to 2.
[*Switch-radius-shiva] quit

Create an AAA scheme auth and set the authentication method to RADIUS.

[*Switch] aaa
[*Switch-aaa] authentication-scheme auth   //Create an authentication scheme.
[*Switch-aaa-authen-auth] authentication-mode radius   //Set the authentication mode to RADIUS.
[*Switch-aaa-authen-auth] quit

Create the domain admin123 and bind the AAA scheme auth and RADIUS server group shiva to the domain.

[*Switch-aaa] domain admin123   //Create a domain.
[*Switch-aaa-domain-admin123] authentication-scheme auth   //Configure the authentication scheme for the domain.
[*Switch-aaa-domain-admin123] radius server group shiva   //Configure the RADIUS server group for the domain.
[*Switch-aaa-domain-admin123] quit
[*Switch-aaa] default-domain admin admin123
[*Switch-aaa] quit
[*Switch] commit

Configure local AAA authentication.

Generate a local key pair on the SSH server.

[~Switch] dsa local-key-pair create   //Generate a local DSA host key pair and a server key pair.
Info: The key name will be: Switch_Host_DSA 
Info: The key modulus can be any one of the following : 2048. 
Info: Key pair generation will take a short while. Info: Generating keys... 
Info: Succeeded in creating the DSA host keys. 
[*Switch] commit

Configure the VTY user interface.

[~Switch] user-interface vty 0 4   //Enter the user interface views of VTY 0 to VTY 4.
[~Switch-ui-vty0-4] user privilege level 3   //Set the user level to 3 for VTY 0 to VTY 4.
[*Switch-ui-vty0-4] authentication-mode aaa   //Set the authentication mode to AAA authentication for VTY 0 to VTY 4.
[*Switch-ui-vty0-4] protocol inbound ssh   //Configure VTY 0 to VTY 4 to support SSH.
[*Switch-ui-vty0-4] quit

Create an SSH user named client002.

[*Switch] aaa
[*Switch-aaa] domain adminabc
[*Switch-aaa-adminabc] quit
[*Switch-aaa] local-user client002@adminabc password irreversible-cipher Huawei@123   //Configure the local user name and password.
[*Switch-aaa] local-user client002@adminabc level 3   //Set the local user level to 3.
[*Switch-aaa] local-user client002@adminabc service-type ssh   //Set the service type of the local user to SSH.
[*Switch-aaa] quit

Configure STelnet login.

Configure password authentication as the default authentication mode for SSH users.

[*Switch] ssh authentication-type default password    //Configure password authentication as the default authentication mode for SSH users.

Enable the STelnet service on the SSH server.

[*Switch] stelnet server enable
[*Switch] commit

Verifying the Configuration

After the preceding configurations are complete, enter the user name client001 in the format of user name@admin123 and password Huawei@123 on the PC for authentication on the domain admin123. The login to the switch is successful.

Configuration Files

Switch configuration file (in versions excluding V200R002C50 and V200R003C00)

#
sysname Switch
#
radius enable
#
radius server group shiva
 radius server shared-key-cipher %^%#sFV!Arl}ZJJ9sOVpi(:=hP^.~@zCJ8v[dNM7kET6%^%#
 radius server authentication 10.7.66.66 1812
 radius server retransmit 2
# 
aaa
 default-domain admin admin123
 local-user client002@adminabc password irreversible-cipher $1c$+@;Z>3JE9%$BH8mKd;11&g>)o&[}pU0v%\S/>{8e'PzsV;;!`wD$  
 local-user client002@adminabc service-type ssh
 local-user client002@adminabc level 3
 #
 authentication-scheme auth
  authentication-mode radius
 #
 domain admin123
  authentication-scheme auth
  radius server group shiva
#
stelnet server enable
ssh authorization-type default aaa
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return

Switch configuration file (in V200R002C50 and V200R003C00)

#
sysname Switch
#
radius enable
#
radius server group shiva
 radius server shared-key-cipher %^%#sFV!Arl}ZJJ9sOVpi(:=hP^.~@zCJ8v[dNM7kET6%^%#
 radius server authentication 10.7.66.66 1812
 radius server retransmit 2
# 
aaa
 default-domain admin admin123
 local-user client002@adminabc password irreversible-cipher $1c$+@;Z>3JE9%$BH8mKd;11&g>)o&[}pU0v%\S/>{8e'PzsV;;!`wD$  
 local-user client002@adminabc service-type ssh
 local-user client002@adminabc level 3
 #
 authentication-scheme auth
  authentication-mode radius
 #
 domain admin123
  authentication-scheme auth
  radius server group shiva
#
stelnet ipv4 server enable
stelnet ipv6 server enable
ssh authorization-type default aaa
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return

Translation

Español Français 日本語 Русский 简体中文

Download

Updated: 2021-10-21

Document ID: EDOC1000039339

Downloads: 10364

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode