参考:windows下ACS服务器的认证
路由器配置:
示意图:
telnet:
[Router]display version
Copyright Notice:
All rights reserved (Aug 15 2006).
Without the owner's prior written consent, no decompiling
or reverse-engineering shall be allowed.
Huawei Versatile Routing Platform Software
VRP (R) software, Version 1.74 Release 0119P02
Copyright(c) 2004-2006 by Huawei Technologies Co., Ltd.
Quidway R2621 uptime is 0 day 0 hour 32 minutes 45 seconds
System returned to ROM by power-on.
Quidway R2621 with 1 MPC 8240 Processor
Router serial number is 8040C5ED0A394C6C
32M bytes SDRAM
8192K bytes Flash Memory
0K bytes NVRAM
Config Register points to FLASH
Hardware Version is MTR 1.1
CPLD Version is CPLD 3.0
Bootrom Version is 7.08
[AUX ] AUX Hardware Version is 1.0, Driver Version is 1.0
[LAN ] 2FE Hardware Version is 2.0, Driver Version is 2.0
[WAN ] SAB Hardware Version is 1.0, Driver Version is 1.0
[Slot 0] 16AS Hardware Version is 2.1, Driver Version is 1.0
默认aaa enable 已开启
[Router]aaa authentication-scheme ?
login Specify login authentication scheme list
ppp Specify PPP authentication scheme list
[Router]aaa authentication-scheme login ?
default Default scheme list name
STRING<1-20> Named scheme list name
[Router]aaa authentication-scheme login default ?
local Use local database
none Succeed without authentication
radius Use radius server
template Use hwtacacs server template
[Router]aaa authentication-scheme login default radius
[Router]radius server ?
STRING<1-20> Host name of the RADIUS server
X.X.X.X IP address of the RADIUS server
[Router]radius server 192.168.101.22
[Router]radius shared-key ?
STRING<1-16> Key used to authentication and encryption
[Router]radius shared-key 123456
[Router]int e1
[Router-Ethernet1]ip add 192.168.101.11 24
[Router-Ethernet1]ping 192.168.101.22
PING 192.168.101.22: 56 data bytes, press CTRL_C to break
Reply from 192.168.101.22: bytes=56 Sequence=0 ttl=64 time = 2 ms
Reply from 192.168.101.22: bytes=56 Sequence=1 ttl=64 time = 1 ms
Reply from 192.168.101.22: bytes=56 Sequence=2 ttl=64 time = 2 ms
Reply from 192.168.101.22: bytes=56 Sequence=3 ttl=64 time = 1 ms
Reply from 192.168.101.22: bytes=56 Sequence=4 ttl=64 time = 1 ms
客户机测试:
问题:
登录成功后级别为0
改变成中文方式!
[Router]lang
Current Language : ENGLISH
Will you switch language mode ?(Y/N)y
You have changed the language mode
[Router]?
aaa 指定 AAA(认证,授权和记费)配置
aaa-enable 使能AAA(认证,授权和计费)
access-server 指定接入服务器监听端口信息
access-tty 指定接入客户端配置信息
查看个别信息
防火墙配置:
示意图:
telnet:
Username:gjp@gjp2
Password:
<H3C>?
User view commands:
boot Upgrade bootrom
cd Change current directory
clock Specify the system clock
copy Copy from one file to another
debugging Enable system debugging functions
级别为3 管理员级别(说明已引用ACS 上导入H3C的私有属性)
显示telnet的当前配置文档:
[H3C]dis cu
#
sysname H3C
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
radius scheme gjp
server-type extended
primary authentication 192.168.101.22
key authentication 123456
user-name-format without-domain
#
domain gjp2
scheme radius-scheme gjp
access-limit enable 10
accounting optional
domain system
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.101.12 255.255.255.0
firewall zone local
set priority 100
#
firewall zone trust 默认
add interface Ethernet0/0
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
SSH:
[H3C]rsa local-key-pair ?
create Create new local key pairs
destroy Destroy the local key pairs
[H3C]rsa local-key-pair create
The key name will be: H3C_Host
% RSA keys defined for F4_Host already exist.
Confirm to replace them? [Y/N]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 1024]:
Generating keys...
........................................................................................++++++
...............................................++++++
............................++++++++
...++++++++
.................
[H3C]user-interface vty 0 4
[H3C-ui-vty0-4]protocol inbound ?
all All protocol
ssh SSH protocol
telnet Telnet protocol
[H3C-ui-vty0-4]protocol inbound all
[H3C-ui-vty0-4]authentication-mode ?
none Login without checking
password Use terminal interface password
scheme Authentication use AAA authorization authentication table
[H3C-ui-vty0-4]authentication-mode scheme
[H3C-ui-vty0-4]quit
[H3C]ssh authentication-type default ?
all All authentication
password Password authentication
password-publickey Password and Publickey authentication
rsa RSA authentication
[H3C]ssh authentication-type default all
[H3C]radius scheme gjp
[H3C-radius-gjp]server-type ?
extended Server based on RADIUS extensions
standard Server based on RFC protocol(s)
ssh都可以登录,只是权限比较低!(前提该类型必须是standard)
选组1:
(在这里配置,注意是否提交)
本文转自 gjp0731 51CTO博客,原文链接:http://blog.51cto.com/guojiping/973742