RBAC temporary user role authorization configuration example (HWTACACS authentication)
Network requirements
As shown in Figure 26, the switch uses local authentication for login users, including the Telnet user at
192.168.1.58. The Telnet user uses the username test@bbb and is assigned the user role level-0.
Configure the remote-then-local authentication mode for temporary user role authorization. The switch
uses the HWTACACS server to provide authentication for changing the user role among level-0 through
level-3 or changing the user role to network-admin. If the AAA configuration is invalid or the
HWTACACS server does not respond, the switch performs local authentication.
Figure 26 Network diagram
Configuration procedure
1. Configure the switch:
# Assign an IP address to VLAN-interface 2, the interface connected to the Telnet user.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Assign an IP address to VLAN-interface 3, the interface connected to the HWTACACS server.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Enable Telnet server.
[Switch] telnet server enable
# Enable scheme authentication on the user lines for Telnet users.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable remote-then-local authentication for temporary user role authorization.
[Switch] super authentication-mode scheme local
# Create the HWTACACS scheme hwtac and enter HWTACACS scheme view.
[Switch] hwtacacs scheme hwtac
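The `super authentication-mode scheme local` setting above makes the switch try the HWTACACS server first and use the local password only when the AAA configuration is invalid or the server does not respond. The following Python model of that decision is an added illustration, not H3C/Comware code; the password store and results are constructed, and the choice to treat an explicit server rejection as final (no local fallback) is an assumption about the mode's behaviour, not something this page states.

```python
from enum import Enum


class Remote(Enum):
    """Outcome of asking the HWTACACS server about a role change."""
    ACCEPT = "accept"          # server granted the requested user role
    REJECT = "reject"          # server answered and denied the request
    NO_RESPONSE = "timeout"    # server unreachable or did not respond
    INVALID_AAA = "invalid"    # AAA configuration is invalid


# Constructed local super passwords for the roles this example allows
# (level-0 through level-3 and network-admin); not real credentials.
LOCAL_SUPER_PASSWORDS = {
    "level-3": "LocalLevel3Pwd",
    "network-admin": "LocalAdminPwd",
}
ALLOWED_ROLES = {f"level-{n}" for n in range(4)} | {"network-admin"}


def local_check(role, password):
    """Local authentication: the role must have a configured password."""
    return LOCAL_SUPER_PASSWORDS.get(role) == password and password is not None


def authorize_role_switch(remote_result, role, local_password=None,
                          mode=("scheme", "local")):
    """Decide a temporary role switch; returns (granted, method_used).

    mode mirrors the CLI: ("scheme", "local") is remote-then-local,
    ("scheme",) is remote only, ("local",) is local only.
    """
    if role not in ALLOWED_ROLES:
        return False, "unknown-role"
    if mode[0] == "scheme":
        if remote_result is Remote.ACCEPT:
            return True, "remote"
        if remote_result is Remote.REJECT:
            # Assumption: a definite answer is final, no fallback.
            return False, "remote"
        # Invalid AAA config or no response: fall back only if configured.
        if "local" in mode:
            return local_check(role, local_password), "local"
        return False, "remote-unavailable"
    return local_check(role, local_password), "local"
```

A rejection and an unreachable server are different events: only the latter should ever reach the local password, which is what the fallback ordering above enforces.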