AAA for PPP users by an HWTACACS server
Network requirements
As shown in Figure 22:
Router A uses the HWTACACS server to perform PAP authentication for users from Router B.
The same HWTACACS server also performs authorization and accounting for those users.
Router B does not provide authentication, authorization, or accounting for users from Router A.
Figure 21: Network diagram
Configuration procedure
Configure the HWTACACS server (details not shown):
Set the shared keys for secure communication with Router A to expert.
Add a user account named userb for the PPP users from Router B.
Specify the password as passb.
Configure Router A:
# Create an HWTACACS scheme.
<RouterA> system-view
[RouterA] hwtacacs scheme hwtac
# Configure the primary HWTACACS server at 10.1.1.1. Set the authentication, authorization, and accounting ports to 49. Configure the router to establish only one TCP connection with the server.
[RouterA-hwtacacs-hwtac] primary authentication 10.1.1.1 49 single-connection
[RouterA-hwtacacs-hwtac] primary authorization 10.1.1.1 49 single-connection
[RouterA-hwtacacs-hwtac] primary accounting 10.1.1.1 49 single-connection
# Set the shared keys to expert in plaintext form for authentication, authorization, and accounting. The simple keyword means the key is typed in plaintext on the command line, so it is visible to anyone watching the session or reading terminal logs; a short, guessable key such as expert is for illustration only, and a production deployment should use a long random key that matches the one configured on the server.
[RouterA-hwtacacs-hwtac] key authentication simple expert
[RouterA-hwtacacs-hwtac] key authorization simple expert
[RouterA-hwtacacs-hwtac] key accounting simple expert
# Exclude domain names from the usernames sent to the HWTACACS server.
[RouterA-hwtacacs-hwtac] user-name-format without-domain
[RouterA-hwtacacs-hwtac] quit
# Create an ISP domain named bbb and configure the domain to use the HWTACACS scheme for authentication, authorization, and accounting for PPP users.
[RouterA] domain bbb
[RouterA-isp-bbb] authentication ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] authorization ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] accounting ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] quit
# Enable PPP encapsulation on Serial 2/1/0.
[RouterA] interface serial 2/1/0
[RouterA-Serial2/1/0] link-protocol ppp
# Configure interface Serial 2/1/0 to authenticate the peer by using PAP in authentication domain bbb. Note that PAP sends the peer's username and password in cleartext over the link; it is used here because the scenario calls for it, and CHAP is preferable where the peer supports it.
[RouterA-Serial2/1/0] ppp authentication-mode pap domain bbb
# Configure the IP address of Serial 2/1/0.
[RouterA-Serial2/1/0] ip address 200.1.1.1 24
[RouterA-Serial2/1/0] quit
Configure Router B:
# Enable PPP encapsulation on Serial 2/1/0.
<RouterB> system-view
[RouterB] interface serial 2/1/0
[RouterB-Serial2/1/0] link-protocol ppp
# Configure the local username and password for PAP authentication to userb and plaintext passb, respectively.
[RouterB-Serial2/1/0] ppp pap local-user userb password simple passb
# Configure the IP address of Serial 2/1/0.
[RouterB-Serial2/1/0] ip address 200.1.1.2 24
[RouterB-Serial2/1/0] quit
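The procedure above is easy to get subtly wrong (a domain pointing at a scheme name that does not exist, a key set for authentication but not accounting, a PAP password left in plaintext). The following added example, which is not vendor code and not part of the original page, is a small static audit of the two routers' configurations. It parses a Comware-style running-configuration excerpt (the sample text is constructed from the commands in this procedure) and reports the settings a security reviewer would question, together with dangling references between domains, schemes and interfaces. The scheme and domain names, the 16-character key threshold and the finding wording are assumptions made for the example.

```python
"""Static audit of the Comware AAA/PPP configuration from the procedure
above. Added example, not vendor code: it parses a running-config
excerpt and flags plaintext 'simple' keys, short keys, PAP, and
references to undefined HWTACACS schemes or ISP domains."""
import re
from typing import Dict, List, Optional, Tuple

AAA_FUNCTIONS = ("authentication", "authorization", "accounting")
MIN_KEY_LEN = 16  # assumption: a local policy threshold, not a vendor default

# Constructed samples: the Router A and Router B commands from the
# procedure, as they would appear in a running configuration.
ROUTER_A_CONFIG = """\
hwtacacs scheme hwtac
 primary authentication 10.1.1.1 49 single-connection
 primary authorization 10.1.1.1 49 single-connection
 primary accounting 10.1.1.1 49 single-connection
 key authentication simple expert
 key authorization simple expert
 key accounting simple expert
 user-name-format without-domain
#
domain bbb
 authentication ppp hwtacacs-scheme hwtac
 authorization ppp hwtacacs-scheme hwtac
 accounting ppp hwtacacs-scheme hwtac
#
interface Serial2/1/0
 link-protocol ppp
 ppp authentication-mode pap domain bbb
 ip address 200.1.1.1 255.255.255.0
#
"""

ROUTER_B_CONFIG = """\
interface Serial2/1/0
 link-protocol ppp
 ppp pap local-user userb password simple passb
 ip address 200.1.1.2 255.255.255.0
#
"""

Block = Tuple[str, List[str]]


def parse_blocks(config: str) -> List[Block]:
    """Split a Comware config into (header, indented lines) blocks.
    A non-indented line opens a block; '#' or a blank line closes it."""
    blocks: List[Block] = []
    header: Optional[str] = None
    body: List[str] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            if header is not None:
                blocks.append((header, body))
            header, body = None, []
        elif line[0].isspace():
            body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config: str) -> List[str]:
    """Return human-readable findings for one router's configuration."""
    findings: List[str] = []
    schemes: Dict[str, List[str]] = {}
    domains: Dict[str, List[str]] = {}
    interfaces: List[Block] = []
    for header, body in parse_blocks(config):
        if header.startswith("hwtacacs scheme "):
            schemes[header.split()[2]] = body
        elif header.startswith("domain "):
            domains[header.split()[1]] = body
        elif header.startswith("interface "):
            interfaces.append((header.split(None, 1)[1], body))

    # Every scheme needs a server and a key for all three AAA functions.
    for name, body in schemes.items():
        for fn in AAA_FUNCTIONS:
            if not any(l.startswith(f"primary {fn} ") for l in body):
                findings.append(f"scheme {name}: no primary {fn} server")
            key = next((l.split() for l in body if l.startswith(f"key {fn} ")), None)
            if key is None:
                findings.append(f"scheme {name}: no {fn} key")
            elif len(key) == 4 and key[2] == "simple":
                findings.append(f"scheme {name}: {fn} key entered in plaintext")
                if len(key[3]) < MIN_KEY_LEN:
                    findings.append(f"scheme {name}: {fn} key is only {len(key[3])} chars")

    # A domain must only reference schemes that actually exist.
    for name, body in domains.items():
        for l in body:
            m = re.match(r"(\w+) ppp hwtacacs-scheme (\S+)$", l)
            if m and m.group(2) not in schemes:
                findings.append(f"domain {name}: {m.group(1)} uses undefined scheme {m.group(2)}")

    # PPP interfaces: is the peer authenticated, how, and in which domain?
    for name, body in interfaces:
        if "link-protocol ppp" not in body:
            continue
        auth = next((l.split()[2:] for l in body if l.startswith("ppp authentication-mode ")), None)
        if auth is None:
            findings.append(f"interface {name}: peer is not authenticated")
        else:
            modes = auth[: auth.index("domain")] if "domain" in auth else auth
            if "pap" in modes:
                findings.append(f"interface {name}: PAP sends the peer password in cleartext")
            domain = auth[auth.index("domain") + 1] if "domain" in auth[:-1] else None
            if domain is not None and domain not in domains:
                findings.append(f"interface {name}: undefined domain {domain}")
        if any(re.match(r"ppp pap local-user \S+ password simple ", l) for l in body):
            findings.append(f"interface {name}: PAP local-user password entered in plaintext")
    return findings


if __name__ == "__main__":
    for label, cfg in (("Router A", ROUTER_A_CONFIG), ("Router B", ROUTER_B_CONFIG)):
        print(label)
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the constructed samples, the audit reports seven findings for Router A (the three plaintext, six-character keys and the PAP choice on Serial2/1/0) and two for Router B (no peer authentication, which matches the network requirements, and the plaintext PAP password). A domain that names a scheme not present in the configuration is reported as a dangling reference rather than silently passing, which is the failure that most often leaves PPP users unable to authenticate after a scheme is renamed.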
Verifying the configuration
# Use the display interface serial 2/1/0 command on either router to display information for Serial 2/1/0. The PPP link is established if the output shows the following:
Both the physical layer and link layer are up.
LCP and IPCP have entered the Opened state.
Router A and Router B can ping each other.