Example: Configuring authentication and authorization for SSH users by a RADIUS server

Network configuration

As shown in Figure 13, configure the switch to meet the following requirements:

The RADIUS server runs on IMC. Add an account with username hello@bbb on the RADIUS server.

The RADIUS server and the switch use expert as the shared key for secure RADIUS communication. The ports for authentication and accounting are 1812 and 1813, respectively.

Figure 13: Network diagram

Procedure

  1. Configure the RADIUS server on IMC 5.0:


    NOTE:

    In this example, the RADIUS server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101).


    # Add the switch to the IMC Platform as an access device:

    Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree. Then, click Add to configure an access device as follows:

    1. Set the shared key to expert for secure RADIUS communication.

    2. Set the ports for authentication and accounting to 1812 and 1813, respectively.

    3. Select Device Management Service from the Service Type list.

    4. Select HP from the Access Device Type list.

    5. Select an access device from the device list or manually add an access device. In this example, the device IP address is 10.1.1.2.

    6. Use the default values for other parameters and click OK.

    The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch. The source IP address is chosen in the following order on the switch:

    • IP address specified by using the nas-ip command.

    • IP address specified by using the radius nas-ip command.

    • IP address of the outbound interface (the default).

    Figure 14: Adding the switch as an access device

    # Add an account for device management:

    Click the User tab, and select Access User View > Device Mgmt User from the navigation tree. Then, click Add to configure a device management account as follows:

    1. Enter account name hello@bbb and specify the password.

    2. Select SSH from the Service Type list.

    3. Specify 10.1.1.0 to 10.1.1.255 as the IP address range of the hosts to be managed.

    4. Click OK.

    NOTE:

    The IP address range must contain the IP address of the switch.

    Figure 15: Adding an account for device management

  2. Configure the switch:

    # Configure IP addresses for interfaces. (Details not shown.)

    # Create local RSA and DSA key pairs.

    <Switch> system-view
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    

    # Enable the SSH service.

    [Switch] ssh server enable
    

    # Enable scheme authentication for user lines VTY 0 through VTY 63.

    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit
    

    # Enable the default user role feature to assign authenticated SSH users the default user role network-operator.

    [Switch] role default-role enable
    

    # Create a RADIUS scheme.

    [Switch] radius scheme rad
    

    # Specify the primary authentication server.

    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    

    # Set the shared key to expert in plaintext form for secure communication with the server.

    [Switch-radius-rad] key authentication simple expert
    

    # Include domain names in the usernames sent to the RADIUS server.

    [Switch-radius-rad] user-name-format with-domain
    [Switch-radius-rad] quit
    

    # Create an ISP domain named bbb and configure authentication, authorization, and accounting methods for login users.

    [Switch] domain bbb
    [Switch-isp-bbb] authentication login radius-scheme rad
    [Switch-isp-bbb] authorization login radius-scheme rad
    [Switch-isp-bbb] accounting login none
    [Switch-isp-bbb] quit
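    As an added illustration that is not part of the original example, the following Python builds the Access-Request the switch sends with the values configured above (shared key expert, username hello@bbb kept whole by user-name-format with-domain, NAS-IP-Address 10.1.1.2) and verifies a server reply's Response Authenticator with the same key, which is what the shared key actually protects. The request authenticator, password and reply attributes are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Values from the example above; the request authenticator is constructed by the caller.
SHARED_KEY = b"expert"    # key authentication simple expert
USER_NAME = b"hello@bbb"  # kept intact on the wire by user-name-format with-domain
NAS_IP = "10.1.1.2"       # must equal the access device IP registered in IMC

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block).
    The shared key is all that hides the PAP password on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def access_request(ident: int, req_auth: bytes, password: bytes) -> bytes:
    """Access-Request (Code 1) as the switch sends it to 10.1.1.1:1812."""
    attrs = (attr(1, USER_NAME)                                        # User-Name
             + attr(2, hide_password(password, SHARED_KEY, req_auth))  # User-Password
             + attr(4, socket.inet_aton(NAS_IP)))                      # NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def access_accept(ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Constructed Access-Accept (Code 2) such as the IMC server would return."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + response_authenticator(2, ident, attrs, req_auth, secret) + attrs

def response_is_authentic(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Reject any reply whose authenticator was not computed with our shared key."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = response_authenticator(resp[0], resp[1], resp[20:], req_auth, secret)
    return hmac.compare_digest(expected, resp[4:20])
```

A reply that fails response_is_authentic was either not produced with the key configured on both sides or was altered in transit, so a mismatch here is the first thing to check when the switch logs RADIUS failures after the key or access-device entry is changed.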
    

Verifying the configuration

# Initiate an SSH connection to the switch, and enter username hello@bbb and the correct password. The user logs in to the switch. (Details not shown.)

# Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)