拓扑图
配置/验证
1.本地AAA认证、授权,缺省域(telnet)
AR1 telnet AR2
配置
sysname AR1
#
interface GigabitEthernet0/0/0
ip address 10.1.12.1 255.255.255.0
#
sysname AR2
#
aaa
local-user hcie password cipher huawei@123
local-user hcie privilege level 3
local-user hcie service-type telnet
#
interface GigabitEthernet0/0/0
ip address 10.1.12.2 255.255.255.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound telnet
#
验证
可以成功telnet到AR2
2.本地AAA认证,通过自定义域(telnet)
AR1 telnet AR2
配置
aaa
authentication-scheme hcie
authentication-mode local
authorization-scheme hcie
authorization-mode local
domain hcie
authentication-scheme hcie
authorization-scheme hcie
local-user admin@hcie password cipher huawei@123
local-user admin@hcie privilege level 3
local-user admin@hcie service-type telnet
#
验证
可以成功telnet到AR2
3.远端AAA认证、授权、计费(家庭宽带场景-PPPoE)
AR2作为拨号客户端,AR3作为PPPoE服务端,使用radius认证
- 本机使用WinRadius软件作为服务器
- 桥接网卡到本机
配置
使用默认default域
radius-server template radius-1
radius-server shared-key cipher huawei@123
radius-server authentication 120.1.1.10 1812
radius-server accounting 120.1.1.10 1813
radius-server authorization 120.1.1.10 shared-key cipher huawei@123
#
aaa
authentication-scheme radius-1
authentication-mode radius
authorization-scheme author-1
accounting-scheme radius-1
accounting-mode radius
domain default
authentication-scheme radius-1
accounting-scheme radius-1
authorization-scheme author-1
radius-server radius-1
#
interface Virtual-Template1
ppp authentication-mode chap
remote address 100.1.1.2
ppp ipcp remote-address forced
ip address 100.1.1.3 255.255.255.0
#
interface GigabitEthernet0/0/0
pppoe-server bind Virtual-Template 1
#
interface GigabitEthernet0/0/1
ip address 120.1.1.254 255.255.255.0
#
interface Dialer1
link-protocol ppp
ppp chap user user1
ppp chap password cipher user@123
ip address ppp-negotiate
dialer user test
dialer bundle 1
#
interface GigabitEthernet0/0/1
pppoe-client dial-bundle-number 1
#
WinRadius配置
验证
AR3上test-aaa测试
查看拨号接口认证成功,获取到IP地址
使用自定义域
aaa
domain hcie
authentication-scheme radius-1
accounting-scheme radius-1
authorization-scheme author-1
radius-server radius-1
#
AR2上使用hcie域的用户进行拨号
interface Dialer1
undo ppp chap user
ppp chap user user@hcie
ppp chap password cipher admin@123
#
Winradius上配置hcie域的用户
验证
认证成功
4.远端AAA认证、授权(本地)(设备统一管理场景)
AR1 telnet AR3,使用radius认证
配置
ip route-static 0.0.0.0 0 10.1.12.2
#
acl 2000
rule permit
#
interface Dialer1
nat outbound 2000
#
telnet管理流量默认使用default_admin域
user-interface vty 0 4
authentication-mode aaa
#
aaa
domain default_admin
authentication-scheme radius-1
accounting-scheme radius-1
authorization-scheme author-1
radius-server radius-1
#
验证
分别使用default域和hcie域的用户进行telnet
默认域default_admin
hcie域
标签:AAA,hcie,authentication,telnet,认证,华为,radius,user,scheme From: https://blog.51cto.com/u_15109749/8476053