【原创】华为交换机HWTACACS认证配置

设置VTY，允许telnet登录

user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound telnet
1
2
3
4

设置TACACS服务器

hwtacacs-server template hwtacacs-server1
 hwtacacs-server authentication 192.168.250.6
 hwtacacs-server authorization 192.168.250.6
 hwtacacs-server accounting 192.168.250.6
 hwtacacs-server shared-key cipher Abc@123.com
 quit
1
2
3
4
5
6

认证

aaa
 authentication-scheme authentication-hwtacacs
  authentication-mode hwtacacs local
  authentication-super hwtacacs super
  quit
1
2
3
4
5

授权

aaa
 authorization-scheme authorization-hwtacacs
  authorization-mode hwtacacs local
  quit
1
2
3
4

计费

aaa
 accounting-scheme accounting-hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
  accounting start-fail online
  quit
1
2
3
4
5
6

设置认证域

aaa
 domain linux-hwtacacs
  authentication-scheme authentication-hwtacacs
  accounting-scheme accounting-hwtacacs
  authorization-scheme authorization-hwtacacs
  hwtacacs-server hwtacacs-server1
 quit
 quit
1
2
3
4
5
6
7
8

启用认证域

domain linux-hwtacacs admin
1

再添加一个本地用户，以防TACACS服务器掉线

aaa
local-user admin password irreversible-cipher Abc@123.com
 local-user admin privilege level 15
 local-user admin service-type telnet terminal http
1
2
3
4

查看域信息

display domain name linux-hwtacacs
1

调试

return
terminal monitor
terminal debugging
debugging hwtacacs all
1
2
3
4

华三V5配置

hwtacacs scheme hwtacacs-server1
 primary authentication 192.168.250.6
 primary authorization 192.168.250.6
 primary accounting 192.168.250.6
 key authentication simple Abc@123.com
 key authorization simple Abc@123.com
 key accounting simple Abc@123.com
 user-name-format without-domain

domain hwtacacs-aaa
 authentication login hwtacacs-scheme hwtacacs-server1 local
 authorization login hwtacacs-scheme hwtacacs-server1 local
 accounting login hwtacacs-scheme hwtacacs-server1  local
 domain default enable hwtacacs-aaa

super password simple Abc@123.com

user-interface vty 0 15
 authentication-mode scheme 

user-interface aux 0
 authentication-mode password
 user privilege level 15
 set authentication password simple Abc@123.com

user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password cipher Abc@123.com
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

中兴 ZXR10_3228A 配置（未完成：enable密码不对）

enable secret level 15 5 Abc@123.com
username admin password Abc@123.com

tacacs enable
tacacs-server key Abc@123.com
tacacs-server host 192.168.250.6

aaa group-server tacacs+ hwtacacs-server1
server 192.168.250.6
exit

user-authentication-type tacacs+
aaa authentication enable default group hwtacacs-server1
aaa authentication login default group hwtacacs-server1

user-authorization-type tacacs+
aaa authorization exec default group hwtacacs-server1
aaa authorization commands 15 default group hwtacacs-server1

aaa accounting commands 15 default stop-only group hwtacacs-server1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

调试

terminal monitor
!debug all
1
2