Logging In to the Device Through STelnet Based on RADIUS Authentication
Applicable Products and Versions
This example applies to CE12800, CE6800, and CE5800 series switches running V100R001C00 and later versions.
This example applies to CE16800 series switches running V200R005C20 and later versions.
This example applies to CE7800 series switches running V100R003C00 and later versions.
This example applies to CE8800 series switches running V100R006C00 and later versions.
This example applies to CE12800E series switches running V200R002C50 and later versions.
This example applies to CE9800 series switches running V200R020C00 and later versions.
For details about the mapping between software versions and switch models, see the Hardware Query Tool.
Networking Requirements
The network administrator needs to manage and maintain the device remotely and requires high network security to prevent unauthorized access. In addition, the administrator needs STelnet login to the switch based on AAA local authentication while also keeping login through the RADIUS server available. In this scenario, STelnet login based on both RADIUS authentication and AAA local authentication can be configured to meet these requirements.
In Figure 2-10, the switch and RADIUS server are routable to each other. The IP address and port number of the RADIUS server are 10.7.66.66/24 and 1812 respectively.
Precautions
When configuring STelnet login based on RADIUS authentication, pay attention to the following points:
- Ensure that the RADIUS server IP address, port number, and shared key in the RADIUS server group are configured correctly and are the same as those on the RADIUS server.
- Ensure that at least one user has been configured on the RADIUS server. In this example, the user name is client001 and the password is Huawei@123.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure the RADIUS protocol to implement RADIUS authentication.
- Log in to the device through STelnet using the user name and password configured on the RADIUS server, ensuring login security.
Procedure
- Configure RADIUS authentication.
Configure a RADIUS server group.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] radius enable //Enable the RADIUS protocol.
[*Switch] radius server group shiva //Create a RADIUS server group.
[*Switch-radius-shiva] radius server authentication 10.7.66.66 1812 //Configure the IP address and port number for the RADIUS server.
[*Switch-radius-shiva] radius server shared-key-cipher hello //Configure the shared key for the RADIUS server.
[*Switch-radius-shiva] radius server retransmit 2 //Set the number of retransmission times to 2.
[*Switch-radius-shiva] quit
Create an AAA scheme auth and set the authentication method to RADIUS.
[*Switch] aaa
[*Switch-aaa] authentication-scheme auth //Create an authentication scheme.
[*Switch-aaa-authen-auth] authentication-mode radius //Set the authentication mode to RADIUS.
[*Switch-aaa-authen-auth] quit
Create the domain admin123 and bind the AAA scheme auth and RADIUS server group shiva to the domain.
[*Switch-aaa] domain admin123 //Create a domain.
[*Switch-aaa-domain-admin123] authentication-scheme auth //Configure the authentication scheme for the domain.
[*Switch-aaa-domain-admin123] radius server group shiva //Configure the RADIUS server group for the domain.
[*Switch-aaa-domain-admin123] quit
[*Switch-aaa] default-domain admin admin123 //Use admin123 as the default domain for administrators.
[*Switch-aaa] quit
[*Switch] commit
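The RADIUS exchange behind the step above, as an added example that is not part of the Huawei page: it builds the Access-Request the switch sends to the server (user client001@admin123, password Huawei@123, shared key hello, all taken from this example), lets a minimal constructed server answer it, and checks the Response Authenticator the way the switch must before trusting an Access-Accept (RFC 2865). Assumptions: the user name is forwarded with its domain as entered, no Message-Authenticator attribute is used, and the Request Authenticator is random.

```python
import hashlib
import hmac
import os
import struct
USER, PASSWORD = "client001@admin123", "Huawei@123"      # values from the page
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def pap_xor(data, secret, req_auth, decrypt=False):
    # RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous ciphertext block)
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out.rstrip(b"\x00") if decrypt else out

def build_access_request(ident, user, pw, secret, req_auth):
    # Code | ID | Length | 16-byte Request Authenticator | User-Name TLV | User-Password TLV
    attrs = b""
    for t, v in ((USER_NAME, user.encode()), (USER_PASSWORD, pap_xor(pw.encode(), secret, req_auth))):
        attrs += struct.pack("!BB", t, len(v) + 2) + v
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_reply(request, secret, users):
    # Minimal constructed server: parse TLVs, recover the password with ITS key, sign with ITS key
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, pos, attrs = request[4:20], 20, {}
    while pos < length:
        attrs[request[pos]] = request[pos + 2:pos + request[pos + 1]]
        pos += request[pos + 1]
    pw = pap_xor(attrs[USER_PASSWORD], secret, req_auth, decrypt=True)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME].decode(errors="replace")) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def reply_is_authentic(reply, req_auth, secret):
    # The switch must check this before trusting an Access-Accept
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def login_attempt(switch_secret, server_secret):
    # One client001@admin123 login: (reply code, reply authentic from the switch's view)
    req_auth = os.urandom(16)
    reply = server_reply(build_access_request(7, USER, PASSWORD, switch_secret, req_auth),
                         server_secret, {USER: PASSWORD.encode()})
    return reply[0], reply_is_authentic(reply, req_auth, switch_secret)
```

With matching keys login_attempt returns (2, True); with a mismatched key the server recovers a wrong password and rejects, and its reply also fails the authenticator check, which is the failure the shared-key precaution above warns about.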
- Configure local AAA authentication.
- Generate a local key pair on the SSH server.
[~Switch] dsa local-key-pair create //Generate a local DSA host key pair and a server key pair.
Info: The key name will be: Switch_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[*Switch] commit
- Configure the VTY user interface.
[~Switch] user-interface vty 0 4 //Enter the user interface views of VTY 0 to VTY 4.
[~Switch-ui-vty0-4] user privilege level 3 //Set the user level to 3 for VTY 0 to VTY 4.
[*Switch-ui-vty0-4] authentication-mode aaa //Set the authentication mode to AAA authentication for VTY 0 to VTY 4.
[*Switch-ui-vty0-4] protocol inbound ssh //Configure VTY 0 to VTY 4 to support SSH.
[*Switch-ui-vty0-4] quit
- Create an SSH user named client002.
[*Switch] aaa
[*Switch-aaa] domain adminabc //Create the domain adminabc for the local user.
[*Switch-aaa-domain-adminabc] quit
[*Switch-aaa] local-user client002@adminabc password irreversible-cipher Huawei@123 //Configure the local user name and password.
[*Switch-aaa] local-user client002@adminabc level 3 //Set the local user level to 3.
[*Switch-aaa] local-user client002@adminabc service-type ssh //Set the service type of the local user to SSH.
[*Switch-aaa] quit
- Configure STelnet login.
- Configure password authentication as the default authentication mode for SSH users.
[*Switch] ssh authentication-type default password //Configure password authentication as the default authentication mode for SSH users.
- Enable the STelnet service on the SSH server.
[*Switch] stelnet server enable
[*Switch] commit
Verifying the Configuration
After the preceding configurations are complete, log in from the PC with the user name client001@admin123 (the user name followed by @ and the domain name, so that authentication is performed in the domain admin123) and the password Huawei@123. The login to the switch is successful.
Configuration Files
Switch configuration file (in versions excluding V200R002C50 and V200R003C00)
#
sysname Switch
#
radius enable
#
radius server group shiva
 radius server shared-key-cipher %^%#sFV!Arl}ZJJ9sOVpi(:=hP^.~@zCJ8v[dNM7kET6%^%#
 radius server authentication 10.7.66.66 1812
 radius server retransmit 2
#
aaa
 default-domain admin admin123
 local-user client002@adminabc password irreversible-cipher $1c$+@;Z>3JE9%$BH8mKd;11&g>)o&[}pU0v%\S/>{8e'PzsV;;!`wD$
 local-user client002@adminabc service-type ssh
 local-user client002@adminabc level 3
 #
 authentication-scheme auth
  authentication-mode radius
 #
 domain admin123
  authentication-scheme auth
  radius server group shiva
#
stelnet server enable
ssh authorization-type default aaa
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return
Switch configuration file (in V200R002C50 and V200R003C00)
#
sysname Switch
#
radius enable
#
radius server group shiva
 radius server shared-key-cipher %^%#sFV!Arl}ZJJ9sOVpi(:=hP^.~@zCJ8v[dNM7kET6%^%#
 radius server authentication 10.7.66.66 1812
 radius server retransmit 2
#
aaa
 default-domain admin admin123
 local-user client002@adminabc password irreversible-cipher $1c$+@;Z>3JE9%$BH8mKd;11&g>)o&[}pU0v%\S/>{8e'PzsV;;!`wD$
 local-user client002@adminabc service-type ssh
 local-user client002@adminabc level 3
 #
 authentication-scheme auth
  authentication-mode radius
 #
 domain admin123
  authentication-scheme auth
  radius server group shiva
#
stelnet ipv4 server enable
stelnet ipv6 server enable
ssh authorization-type default aaa
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return