AAA for PPP users by an HWTACACS server

Network requirements

As shown in Figure 22:

Figure 21: Network diagram

Configuration procedure

  1. Configure the HWTACACS server (details not shown):

    1. Set the shared keys for secure communication with Router A to expert.

    2. Add a user account named userb for the PPP users from Router B.

    3. Specify the password as passb.

  2. Configure Router A:

    # Create an HWTACACS scheme.

    <RouterA> system-view
    [RouterA] hwtacacs scheme hwtac
    

    # Configure the primary HWTACACS server at 10.1.1.1. Set the authentication, authorization, and accounting ports to 49. Configure the router to establish only one TCP connection with the server.

    [RouterA-hwtacacs-hwtac] primary authentication 10.1.1.1 49 single-connection
    [RouterA-hwtacacs-hwtac] primary authorization 10.1.1.1 49 single-connection
    [RouterA-hwtacacs-hwtac] primary accounting 10.1.1.1 49 single-connection
    

    # Set the shared keys to expert in plaintext form for authentication, authorization, and accounting.

    [RouterA-hwtacacs-hwtac] key authentication simple expert
    [RouterA-hwtacacs-hwtac] key authorization simple expert
    [RouterA-hwtacacs-hwtac] key accounting simple expert
    

    # Exclude domain names from the usernames sent to the HWTACACS server.

    [RouterA-hwtacacs-hwtac] user-name-format without-domain
    [RouterA-hwtacacs-hwtac] quit
    

    # Create an ISP domain named bbb and configure the domain to use the HWTACACS scheme for authentication, authorization, and accounting for PPP users.

    [RouterA] domain bbb
    [RouterA-isp-bbb] authentication ppp hwtacacs-scheme hwtac
    [RouterA-isp-bbb] authorization ppp hwtacacs-scheme hwtac
    [RouterA-isp-bbb] accounting ppp hwtacacs-scheme hwtac
    [RouterA-isp-bbb] quit
    

    # Enable PPP encapsulation on Serial 2/1/0.

    [RouterA] interface serial 2/1/0
    [RouterA-Serial2/1/0] link-protocol ppp
    

    # Configure interface Serial 2/1/0 to authenticate the peer by using PAP in authentication domain bbb.

    [RouterA-Serial2/1/0] ppp authentication-mode pap domain bbb
    

    # Configure the IP address of Serial 2/1/0.

    [RouterA-Serial2/1/0] ip address 200.1.1.1 24
    [RouterA-Serial2/1/0] quit
    
  3. Configure Router B:

    # Enable PPP encapsulation on Serial 2/1/0.

    <RouterB> system-view
    [RouterB] interface serial 2/1/0
    [RouterB-Serial2/1/0] link-protocol ppp
    

    # Configure the local username and password for PAP authentication to userb and plaintext passb, respectively.

    [RouterB-Serial2/1/0] ppp pap local-user userb password simple passb
    

    # Configure the IP address of Serial 2/1/0.

    [RouterB-Serial2/1/0] ip address 200.1.1.2 24
    [RouterB-Serial2/1/0] quit
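The procedure above wires together three objects that must agree with each other: the HWTACACS scheme (servers and keys), the ISP domain that binds PPP authentication, authorization and accounting to that scheme, and the interface that names the domain. A mismatch in any of them (a missing key, a domain pointing at a scheme that does not exist, an interface naming an undefined domain) is a common reason the PPP link never comes up. The following is an added example, not part of the vendor document and not a Comware or HPE tool: a small Python linter that parses the Router A session transcript (reconstructed here from the commands on the page) and reports those consistency problems, plus two review points a security engineer would want flagged (keys typed in plaintext form, and PAP carrying the peer password in cleartext across the link). The function names `parse_config` and `find_issues` and the finding texts are this example's own.

```python
"""Consistency and review checks for a Comware-style HWTACACS/PPP config.

Added example; not the vendor's own code. The configuration below is
constructed from the Router A commands in the procedure on this page.
"""
import re

# Constructed from the Router A session on the page (view prompts kept).
ROUTER_A_CONFIG = """\
[RouterA] hwtacacs scheme hwtac
[RouterA-hwtacacs-hwtac] primary authentication 10.1.1.1 49 single-connection
[RouterA-hwtacacs-hwtac] primary authorization 10.1.1.1 49 single-connection
[RouterA-hwtacacs-hwtac] primary accounting 10.1.1.1 49 single-connection
[RouterA-hwtacacs-hwtac] key authentication simple expert
[RouterA-hwtacacs-hwtac] key authorization simple expert
[RouterA-hwtacacs-hwtac] key accounting simple expert
[RouterA-hwtacacs-hwtac] user-name-format without-domain
[RouterA-hwtacacs-hwtac] quit
[RouterA] domain bbb
[RouterA-isp-bbb] authentication ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] authorization ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] accounting ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] quit
[RouterA] interface serial 2/1/0
[RouterA-Serial2/1/0] link-protocol ppp
[RouterA-Serial2/1/0] ppp authentication-mode pap domain bbb
[RouterA-Serial2/1/0] ip address 200.1.1.1 24
[RouterA-Serial2/1/0] quit
"""

AAA_FUNCTIONS = ("authentication", "authorization", "accounting")
PROMPT = re.compile(r"^\[[^\]]+\]\s*")  # strips "[RouterA-...] " prefixes


def parse_config(text):
    """Return (schemes, domains, interfaces) built from a session transcript.

    schemes[name]    = {"servers": {func: (ip, port, single_conn)}, "keys": {func: form}}
    domains[name]    = {func: scheme_name}           (PPP bindings only)
    interfaces[name] = {"ppp": bool, "auth": (mode, domain) or None}
    """
    schemes, domains, interfaces = {}, {}, {}
    context = None  # (kind, name) of the view the next commands apply to
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words:
            continue
        if words[0] == "quit":
            context = None
        elif words[:2] == ["hwtacacs", "scheme"]:
            context = ("scheme", words[2])
            schemes.setdefault(words[2], {"servers": {}, "keys": {}})
        elif words[0] == "domain":
            context = ("domain", words[1])
            domains.setdefault(words[1], {})
        elif words[0] == "interface":
            context = ("interface", " ".join(words[1:]))
            interfaces.setdefault(context[1], {"ppp": False, "auth": None})
        elif context is None:
            continue  # system-view command we do not model
        elif context[0] == "scheme" and words[0] == "primary":
            port = int(words[3]) if len(words) > 3 and words[3].isdigit() else 49
            schemes[context[1]]["servers"][words[1]] = (words[2], port, "single-connection" in words)
        elif context[0] == "scheme" and words[0] == "key":
            schemes[context[1]]["keys"][words[1]] = words[2]  # "simple" or "cipher"
        elif context[0] == "domain" and words[1:3] == ["ppp", "hwtacacs-scheme"]:
            domains[context[1]][words[0]] = words[3]
        elif context[0] == "interface" and words[:2] == ["link-protocol", "ppp"]:
            interfaces[context[1]]["ppp"] = True
        elif context[0] == "interface" and words[:2] == ["ppp", "authentication-mode"]:
            dom = words[words.index("domain") + 1] if "domain" in words else None
            interfaces[context[1]]["auth"] = (words[2], dom)
    return schemes, domains, interfaces


def find_issues(text):
    """Return a list of finding strings; an empty list means nothing to report."""
    schemes, domains, interfaces = parse_config(text)
    issues = []
    for name, sch in schemes.items():
        for func in AAA_FUNCTIONS:
            if func not in sch["servers"]:
                issues.append(f"scheme {name}: no primary {func} server configured")
            if func not in sch["keys"]:
                issues.append(f"scheme {name}: no {func} shared key; the server will discard these packets")
            elif sch["keys"][func] == "simple":
                issues.append(f"scheme {name}: {func} key typed in plaintext (simple); it is visible in the session transcript")
    for name, dom in domains.items():
        for func in AAA_FUNCTIONS:
            ref = dom.get(func)
            if ref is None:
                issues.append(f"domain {name}: PPP {func} is not bound to an HWTACACS scheme")
            elif ref not in schemes:
                issues.append(f"domain {name}: PPP {func} references undefined scheme {ref}")
    for name, itf in interfaces.items():
        if itf["auth"] is None:
            continue
        mode, dom = itf["auth"]
        if not itf["ppp"]:
            issues.append(f"interface {name}: PPP authentication set but link-protocol is not ppp")
        if dom is None or dom not in domains:
            issues.append(f"interface {name}: authentication domain {dom} is not defined")
        if mode == "pap":
            issues.append(f"interface {name}: PAP sends the peer password in cleartext over the link; prefer CHAP where the peer supports it")
    return issues


if __name__ == "__main__":
    for finding in find_issues(ROUTER_A_CONFIG):
        print(finding)
```

Run against the page's own configuration the linter reports four findings: the three shared keys were entered with the `simple` keyword, and the serial interface authenticates the peer with PAP. Changing the scheme name in one of the domain's binding lines (for instance a typo in `hwtacacs-scheme hwtac`) produces an "undefined scheme" finding for that function, which is the kind of silent mismatch that otherwise only shows up as a PPP link that never reaches the ping test in the verification step.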
    

Verifying the configuration

# Use the display interface serial command to display information for Serial 2/1/0. The PPP link is established if the output contains the following information:

Router A and Router B can ping each other.