Configuring Data Center Network Management (RADIUS Authentication)
Networking Requirements
A data center network of an enterprise is complex. To ensure security and stability of the network, the enterprise needs to monitor the network in real time and restrict login rights of the administrator. A network management system can meet the preceding requirements.
As shown in Figure 2-38, the IP addresses have been configured for the network devices and there is a reachable route between the RADIUS server and NMS. Users are allowed to log in to the device only after passing the RADIUS authentication. The NMS monitors the entire network, and receives the traps and logs from each host.
Configuration Roadmap
- Configure the RADIUS protocol to implement RADIUS authentication. To log in to the device through STelnet, configure the RADIUS server to authenticate users using the user names and passwords, ensuring user security.
- Configure STelnet. The STelnet protocol implements secure logins on insecure networks, which ensures data integrity and reliability and guarantees secure data transmission.
- Configure the SNMP function. The authentication and encryption methods of SNMPv3 are used to ensure the security of connection between the device and NMS. The NMS can centrally manage all network devices.
- Configure the device to send logs and traps to the NMS through SNMP.
The following configurations are performed on SwitchA. The configurations on other devices are the same as the configurations on SwitchA.
Ensure that the RADIUS server IP address, port number, and shared key in the RADIUS server group are configured correctly and are the same as those on the RADIUS server.
Ensure that at least one user has been configured on the RADIUS server. In this example, the user name is admin@admin123 and the password is huawei@1234.
If multiple users are configured on the RADIUS server, you are advised to run the ssh authentication-type default password command to use the preset password authentication mode for local users to simplify the configuration.
Procedure
- Configure RADIUS.
- Configure STelnet.
- Configure the SNMP function.
- Configure the device to send logs and traps to the NMS through SNMP.
[~SwitchA] info-center source default channel 5 log state on
[~SwitchA] commit
Verifying the Configuration
- You can successfully log in to the device through STelnet by using the user name and password configured on the RADIUS server.
- When you perform operations on the device through SNMP, the NMS can receive the logs and traps.
Configuration File
Configuration file of SwitchA
#
sysname SwitchA
#
info-center source default channel 5 log state on
#
radius enable
#
radius server group shiva
 radius server shared-key-cipher %^%#L@71VU/>5>n/c$GKI>J!i:Uz~:!<.W'jc0X@nE4$%^%#   //The ciphertext format provided here is for example only. The format may vary depending on the system software version.
 radius server authentication 10.7.66.66 1812
 radius server retransmit 2
#
aaa
 #
 authentication-scheme auth
  authentication-mode radius
 #
 domain admin123
  authentication-scheme auth
  radius server group shiva
#
snmp-agent
snmp-agent local-engineid 800007DB03306B20792201
#
snmp-agent sys-info version v3
snmp-agent group v3 admingroup privacy write-view iso-view notify-view iso-view
snmp-agent target-host host-name nms trap address udp-domain 10.7.60.66 params securityname adminuser v3 privacy
#
snmp-agent mib-view included iso-view iso
snmp-agent usm-user v3 adminuser
snmp-agent usm-user v3 adminuser group admingroup
snmp-agent usm-user v3 adminuser authentication-mode sha cipher %^%#BQV1%E-zm5`pG^HCe.4-yi-EUx$iv=S(jiKO7tJN%^%#   //The ciphertext format provided here is for example only. The format may vary depending on the system software version.
snmp-agent usm-user v3 adminuser privacy-mode aes128 cipher %^%#4_o.,z8`_OmbfU4svg>8"[TxSo\9'R]d/[TXR3!&%^%#   //The ciphertext format provided here is for example only. The format may vary depending on the system software version.
#
stelnet server enable
ssh user admin@admin123
ssh user admin@admin123 authentication-type password
ssh user admin@admin123 service-type stelnet
ssh authorization-type default aaa   //This command is supported since V100R005C10
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return
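As an added check that is not part of the Huawei documentation: the Python script below parses a configuration exported from the switch and reports any deviation from the baseline this example establishes (RADIUS authentication, STelnet-only VTY access with AAA, SNMPv3 with authentication and privacy for both the USM user and the trap target, no Telnet, no SNMPv1/v2c community strings). The embedded SAMPLE_CONFIG is constructed from the SwitchA configuration file above with placeholder ciphertexts; the check names and messages are this script's own.

```python
"""Added example: audit a Huawei-style switch configuration against the
RADIUS + STelnet + SNMPv3 baseline. SAMPLE_CONFIG is constructed from the
SwitchA configuration file; the %^%#...%^%# values are placeholders."""
import re

SAMPLE_CONFIG = """\
#
radius enable
#
radius server group shiva
 radius server shared-key-cipher %^%#PLACEHOLDER%^%#
 radius server authentication 10.7.66.66 1812
#
aaa
 authentication-scheme auth
  authentication-mode radius
 domain admin123
  authentication-scheme auth
  radius server group shiva
#
snmp-agent sys-info version v3
snmp-agent group v3 admingroup privacy write-view iso-view notify-view iso-view
snmp-agent target-host host-name nms trap address udp-domain 10.7.60.66 params securityname adminuser v3 privacy
snmp-agent usm-user v3 adminuser
snmp-agent usm-user v3 adminuser group admingroup
snmp-agent usm-user v3 adminuser authentication-mode sha cipher %^%#PLACEHOLDER%^%#
snmp-agent usm-user v3 adminuser privacy-mode aes128 cipher %^%#PLACEHOLDER%^%#
#
stelnet server enable
ssh user admin@admin123 authentication-type password
ssh user admin@admin123 service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return
"""


def parse_blocks(config):
    """Split the configuration into '#'-delimited blocks, indentation stripped."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "return"):
            continue
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        else:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings, blocks = [], parse_blocks(config)
    lines = [l for b in blocks for l in b]
    # RADIUS: enabled, an authentication server defined, and a scheme that uses it.
    if "radius enable" not in lines:
        findings.append("radius enable missing")
    if not any(re.match(r"radius server authentication \S+ \d+$", l) for l in lines):
        findings.append("no RADIUS authentication server configured")
    if "authentication-mode radius" not in lines:
        findings.append("no authentication-scheme uses RADIUS")
    # Management access: STelnet only, Telnet off, every VTY line AAA + SSH.
    if "stelnet server enable" not in lines:
        findings.append("stelnet server not enabled")
    if "telnet server enable" in lines:
        findings.append("telnet server enabled")
    vty = [b for b in blocks if b[0].startswith("user-interface vty")]
    if not vty:
        findings.append("no user-interface vty block")
    for b in vty:
        if "authentication-mode aaa" not in b:
            findings.append(f"{b[0]}: authentication-mode is not aaa")
        if "protocol inbound ssh" not in b:
            findings.append(f"{b[0]}: protocol inbound not restricted to ssh")
    # SNMP: v3 only, no community strings, authPriv for USM users and the trap target.
    if any(l.startswith("snmp-agent community") for l in lines):
        findings.append("SNMPv1/v2c community string configured")
    groups, users = {}, {}
    for l in lines:
        m = re.match(r"snmp-agent sys-info version (.+)", l)
        if m and {"v1", "v2c"} & set(m.group(1).split()):
            findings.append(f"SNMP version '{m.group(1)}' enabled; only v3 should be")
        m = re.match(r"snmp-agent group v3 (\S+) (\S+)", l)
        if m:
            groups[m.group(1)] = m.group(2)  # group security level
        m = re.match(r"snmp-agent usm-user v3 (\S+)\s*(.*)", l)
        if m:
            u = users.setdefault(m.group(1), {"auth": False, "priv": False, "group": None})
            rest = m.group(2).split()
            if rest[:1] == ["authentication-mode"]:
                u["auth"] = True
            elif rest[:1] == ["privacy-mode"]:
                u["priv"] = True
            elif rest[:1] == ["group"]:
                u["group"] = rest[1]
        if l.startswith("snmp-agent target-host"):
            t = l.split()
            if "v3" not in t or "privacy" not in t:
                findings.append("trap target-host does not use v3 privacy")
    if not users:
        findings.append("no SNMPv3 USM user configured")
    for name, u in users.items():
        if not u["auth"]:
            findings.append(f"usm-user {name}: no authentication-mode")
        if not u["priv"]:
            findings.append(f"usm-user {name}: no privacy-mode (unencrypted SNMP)")
        if groups.get(u["group"]) != "privacy":
            findings.append(f"usm-user {name}: group security level is not privacy")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "baseline OK")
```

Run it against `display current-configuration` output saved to a file by passing the file's text to `audit()`; each finding names the block or user concerned so the deviation can be traced back to the matching step of the procedure above.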