AAA local authentication
AAA local authentication verifies a user's identity on the device itself: a user who enters the correct username and password is allowed to log in to the device.
- Advantage: the user database is configured on the device, so no separate authentication server has to be deployed in the network; authentication is fast and running costs are lower.
- Disadvantage: the amount of user information that can be stored is limited by the device's hardware.
Networking requirements
As shown in the topology below, the enterprise wants administrators to manage the device remotely in a simple, convenient and secure way. The device is configured so that when an administrator logs in via Telnet:
- The administrator must enter the correct username and password before the Telnet login succeeds.
- After logging in via Telnet, the administrator can run every command at command levels 0 to 3 (on VRP, user privilege levels 3 to 15 all map to command level 3, so the user privilege level 15 assigned below grants the full command set).
Huawei switch configuration
Configuration approach
- Enable the Telnet server.
- Set the authentication mode for Telnet logins (the VTY user interfaces) to AAA.
- Configure AAA local authentication: create a local user, set the user's access type to telnet, and set the user privilege level to 15.
Topology (diagram not reproduced here: LSW1 and LSW2 are connected through GigabitEthernet0/0/1 in VLAN 10; LSW1 uses 10.1.1.1/24 and LSW2 uses 10.1.1.2/24)
Configuration steps
- LSW1: configure the interface and IP address
<Huawei>sys
[Huawei]sysname HW1
[HW1]vlan batch 10
Info: This operation may take a few seconds. Please wait for a moment...done.
[HW1]int Vlanif 10
[HW1-Vlanif10]ip add 10.1.1.1 24
[HW1-Vlanif10]q
[HW1]int GigabitEthernet 0/0/1
[HW1-GigabitEthernet0/0/1]port link-type access
[HW1-GigabitEthernet0/0/1]port default vlan 10
[HW1-GigabitEthernet0/0/1]q
- Enable the Telnet server function
[HW1]telnet server enable
Info: The Telnet server has been enabled.
- Set the authentication mode of the VTY user interfaces to AAA (the maximum-vty command only raises the VTY count; the vty 0 14 view must be entered before the authentication mode is set)
[HW1]user-interface maximum-vty 15
[HW1]user-interface vty 0 14
[HW1-ui-vty0-14]authentication-mode aaa
[HW1-ui-vty0-14]protocol inbound telnet
[HW1-ui-vty0-14]q
- Configure AAA local authentication (local user, access type and privilege level)
[HW1]aaa
[HW1-aaa]local-user user1 password cipher qaz@123
[HW1-aaa]local-user user1 service-type telnet
[HW1-aaa]local-user user1 privilege level 15
[HW1-aaa]q
- LSW2: interface configuration
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname HW2
[HW2]vlan batch 10
[HW2]int Vlanif 10
[HW2-Vlanif10]ip add 10.1.1.2 24
[HW2-Vlanif10]q
[HW2]int GigabitEthernet 0/0/1
[HW2-GigabitEthernet0/0/1]port link-type access
[HW2-GigabitEthernet0/0/1]port default vlan 10
[HW2-GigabitEthernet0/0/1]q
- Verification: LSW2 telnets to LSW1 and logs in as user1
<HW2>telnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Login authentication
Username:user1
Password:
Info: The max number of VTY users is 15, and the number
of current VTY users on line is 1.
The current login time is 2021-08-24 13:22:59.
<HW1>
Configuration files
LSW1 configuration
[HW1]dis cu
#
sysname HW1
#
vlan batch 10
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
 local-user user1 password cipher [JD(UTW1T15NZPO3JBXBHA!!
 local-user user1 privilege level 15
 local-user user1 service-type telnet
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
user-interface maximum-vty 15
user-interface con 0
user-interface vty 0 14
 authentication-mode aaa
#
return
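Two things in this running configuration are worth checking rather than eyeballing: the VTY interfaces really are set to `authentication-mode aaa`, and the default `admin` account (present on both switches, with `password simple admin`, i.e. a plaintext password, and HTTP access) is still there alongside user1. The script below is an added example and not part of the original page or of Huawei's tooling: it parses a saved `display current-configuration` text (the sample embedded in the block is copied from the LSW1 configuration above) and reports the VTY authentication mode, local users with plaintext passwords, users allowed to use Telnet (whose credentials cross the network in cleartext), and users whose privilege level maps to management command level 3. The user-level to command-level mapping (0, 1, 2 map to themselves; 3 to 15 map to 3) is standard VRP behaviour; the function and finding names are this example's own.

```python
"""Audit a Huawei VRP running configuration for the Telnet/AAA settings
discussed on this page.  Added example; not code from the original page."""
import re
from typing import Dict, List, Optional

# Constructed sample: the LSW1 'display current-configuration' output from
# this page, trimmed to the aaa and user-interface sections.
LSW1_CONFIG = """\
#
sysname HW1
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
 local-user user1 password cipher [JD(UTW1T15NZPO3JBXBHA!!
 local-user user1 privilege level 15
 local-user user1 service-type telnet
#
user-interface maximum-vty 15
user-interface con 0
user-interface vty 0 14
 authentication-mode aaa
#
return
"""


def command_level(user_level: int) -> int:
    """Map a VRP user privilege level (0-15) to the command level (0-3) it
    may execute: levels 0-2 map to themselves, levels 3-15 all map to 3."""
    if not 0 <= user_level <= 15:
        raise ValueError("VRP user privilege level must be 0-15")
    return min(user_level, 3)


def parse_local_users(config: str) -> Dict[str, dict]:
    """Collect password mode, service types and privilege level per local-user."""
    users: Dict[str, dict] = {}
    for m in re.finditer(r"^\s*local-user\s+(\S+)\s+(.+?)\s*$", config, re.M):
        name, rest = m.groups()
        u = users.setdefault(
            name, {"password_mode": None, "service_types": set(), "level": None})
        if (pm := re.match(r"password\s+(simple|cipher|irreversible-cipher)\b", rest)):
            u["password_mode"] = pm.group(1)
        elif (st := re.match(r"service-type\s+(.+)", rest)):
            u["service_types"].update(st.group(1).split())
        elif (pl := re.match(r"privilege\s+level\s+(\d+)", rest)):
            u["level"] = int(pl.group(1))
    return users


def parse_vty_auth(config: str) -> Dict[str, Optional[str]]:
    """Return {'vty 0 14': 'aaa', ...}; None when no authentication-mode line
    appears inside that user-interface block."""
    modes: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        s = line.strip()
        if (vty := re.match(r"user-interface\s+(vty\s+\d+(?:\s+\d+)?)$", s)):
            current = vty.group(1)
            modes[current] = None
            continue
        if s.startswith("user-interface") or s == "#":
            current = None  # left the vty block (maximum-vty, con 0, section end)
            continue
        if current and (am := re.match(r"authentication-mode\s+(\S+)", s)):
            modes[current] = am.group(1)
    return modes


def audit(config: str) -> List[str]:
    """Return one human-readable finding per weak or notable setting."""
    findings: List[str] = []
    vty = parse_vty_auth(config)
    if not vty:
        findings.append("no VTY user interface configured")
    for rng, mode in vty.items():
        if mode != "aaa":
            findings.append(f"{rng}: authentication-mode is {mode or 'unset'}, expected aaa")
    for name, u in sorted(parse_local_users(config).items()):
        if u["password_mode"] == "simple":
            findings.append(f"local-user {name}: password stored in plaintext (password simple)")
        if "telnet" in u["service_types"]:
            findings.append(f"local-user {name}: telnet allowed; credentials cross the network in cleartext")
        if u["level"] is not None and command_level(u["level"]) == 3:
            findings.append(f"local-user {name}: privilege level {u['level']} grants management command level 3")
    return findings


if __name__ == "__main__":
    for finding in audit(LSW1_CONFIG):
        print(finding)
```

Run against the LSW1 configuration the script produces three findings: the plaintext `admin` password, Telnet access for user1, and user1's level 15 mapping to command level 3; the VTY block passes because it is set to `aaa`. Feed it the output of `display current-configuration` saved from a real switch (indentation or not, the regexes tolerate both) to repeat the check after changes.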
LSW2 configuration
[HW2]dis cur
#
sysname HW2
#
vlan batch 10
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
return