Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
Network requirements 
As shown in Figure 13, configure the switch to meet the following requirements: 
•  Perform local authentication for SSH users.
•  Use the HWTACACS server and RADIUS server for SSH user authorization and accounting, respectively.
•  Exclude domain names from the usernames sent to the servers. 
•  Assign the default user role network-operator to SSH users after they pass authentication. 
Configure an account with the username hello for the SSH user. Configure the shared keys to 
expert for secure communication with the HWTACACS server and RADIUS server. 
Figure 13 Network diagram (image not reproduced in this extract)
Configuration procedure 
1.  Configure the HWTACACS server. (Details not shown.) 
2.  Configure the RADIUS server. (Details not shown.) 
3.  Configure the switch: 
# Configure IP addresses for interfaces. (Details not shown.) 
# Create local RSA and DSA key pairs. 
<Switch> system-view 
[Switch] public-key local create rsa 
[Switch] public-key local create dsa 
# Enable the SSH service. 
[Switch] ssh server enable 
# Enable scheme authentication for user lines VTY 0 through VTY 63. 
[Switch] line vty 0 63 
[Switch-line-vty0-63] authentication-mode scheme 
[Switch-line-vty0-63] quit 
# Configure an HWTACACS scheme. 
[Switch] hwtacacs scheme hwtac 
[Switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49 
[Switch-hwtacacs-hwtac] key authorization simple expert 
[Switch-hwtacacs-hwtac] user-name-format without-domain 
[Switch-hwtacacs-hwtac] quit
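The requirements above split AAA across three backends: local authentication, HWTACACS authorization keyed with expert, and RADIUS accounting keyed with expert, with usernames sent without the domain suffix. As an added illustration, not part of the H3C configuration guide, the following Python script shows what those two settings mean on the wire: the RADIUS Accounting-Request carries a Request Authenticator computed as an MD5 over the packet plus the shared key (RFC 2866), and the TACACS+ (HWTACACS) packet body is XORed with an MD5 keystream derived from the shared key, session ID and sequence number (RFC 8907). The user-name-format without-domain behaviour is modelled by strip_domain(). The login hello@example, the packet identifier, the session ID and the sample TACACS+ body are constructed values, not taken from the page.

```python
import hashlib
import hmac
import struct

# Values taken from the page's requirements: the shared key "expert" and the account "hello".
SHARED_KEY = b"expert"

# RADIUS constants (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_START = 1

# TACACS+ header version byte: major version 0xC, minor version 0 (RFC 8907)
TACACS_VERSION = 0xC0


def strip_domain(username: str) -> str:
    """Model 'user-name-format without-domain': 'hello@example' is sent to the server as 'hello'."""
    return username.split("@", 1)[0]


def radius_attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_start(username: str, identifier: int, secret: bytes = SHARED_KEY) -> bytes:
    """Build the Accounting-Request (Acct-Status-Type = Start) the switch would send for this user."""
    attrs = radius_attr(ATTR_USER_NAME, strip_domain(username).encode())
    attrs += radius_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Shared Secret)
    # MD5 is what the protocol mandates; the shared secret is the only integrity protection.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the Request Authenticator with the configured secret."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes of a RADIUS packet, rejecting malformed lengths."""
    out = {}
    body = packet[20:]
    while body:
        if len(body) < 2:
            raise ValueError("truncated attribute header")
        atype, alen = body[0], body[1]
        if alen < 2 or alen > len(body):
            raise ValueError("bad attribute length")
        out[atype] = body[2:alen]
        body = body[alen:]
    return out


def tacacs_obfuscate(body: bytes, session_id: int, seq_no: int,
                     key: bytes = SHARED_KEY, version: int = TACACS_VERSION) -> bytes:
    """TACACS+ body obfuscation (RFC 8907 section 4.5).

    pseudo_pad = MD5(session_id, key, version, seq_no) ||
                 MD5(session_id, key, version, seq_no, previous_block) || ...
    The body is XORed with the pad, so the same call both obfuscates and recovers it.
    """
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))


if __name__ == "__main__":
    # Constructed sample: the account "hello" logging in with a hypothetical domain "example".
    pkt = build_accounting_start("hello@example", identifier=7)
    print("RADIUS User-Name on the wire:", parse_attributes(pkt)[ATTR_USER_NAME])
    print("accepted with 'expert':", verify_accounting_request(pkt, b"expert"))
    print("accepted with 'wrong': ", verify_accounting_request(pkt, b"wrong"))
    body = b"authorization request for hello"  # constructed stand-in for a TACACS+ body
    sealed = tacacs_obfuscate(body, session_id=0x1A2B3C4D, seq_no=1)
    print("TACACS+ round trip ok:", tacacs_obfuscate(sealed, 0x1A2B3C4D, 1) == body)
```

Two things follow from the code that the command listing alone does not show. First, both protocols rest entirely on the shared key run through MD5: a wrong key on either side fails verification, and an attacker who learns the key can forge accounting records or unwrap HWTACACS authorization traffic, so the guide's placeholder expert should be replaced by a long random key and the server links kept on a management network. Second, because the switch strips the domain before sending, the HWTACACS and RADIUS servers must hold the account as hello, not hello@domain, or authorization and accounting lookups will miss.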