Networking and description
In this case, hwtacacs is deployed on an S3600 switch and linked with IMC TAM to achieve secure management of the device.
The IMC version is PLAT 7.3 E0506P03.
The S3600 version information is as follows:
H3C Comware Platform Software
Comware Software, Version 5.20, Release 2112
Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.
H3C S3600V2-28TP-EI uptime is 0 week, 4 days, 21 hours, 25 minutes
H3C S3600V2-28TP-EI with 1 Processor
256M bytes SDRAM
2M bytes Nor Flash Memory
128M bytes Nand Flash Memory
Config Register points to Nand Flash
Hardware Version is Ver.A
CPLD Version is 001
BootRom Version is 133
[SubSlot 0] 24FE+4SFP+2Combo GE Hardware Version is Ver.A
Configuration steps
The key points of IMC TAM deployment are as follows:
- Authorization scenario conditions: equipment area management, equipment type management, authorization period policy management
- Authorization command configuration: shell profile configuration, command set configuration
- Equipment management: configure shared key, bound device area, bound device type
- Add user name and password
Deploy hwtacacs on the switch
Configure keys
Configure "authorization scenario conditions"
Add device area management
Set area name
Set device management type
Add
Set "authorization period policy management"
Add, set "authorization period policy name", "effective time" and "expiration time"
Set "authorization command configuration" - "shell profile configuration"
Set "shell profile name" - "authorization level"
Set command set configuration
Set command set name and default authorization method
Configure device management
Add device, set "shared key", "confirm shared key", bind "device area", "device type"
Configure authorization management
Bind "device area" - "device type" - "authorization period" - "shell profile" - "authorization command set"
Configure "user device grouping", set "group name" - "authorization policy"
Set device user management - all device users
Set "account name" - "login password" - "login password confirmation" - "device user group" - "user's authorization policy"
The configuration of S3600 hwtacacs is as follows:
hwtacacs scheme shebeiguanli
 primary authentication 10.190.8.7
 primary authorization 10.190.8.7
 primary accounting 10.190.8.7
 key authentication nnhwtacacs
 key authorization nnhwtacacs
 key accounting nnhwtacacs
 user-name-format without-domain
 nas-ip 10.191.236.43
domain tamdm
 authentication login hwtacacs-scheme shebeiguanli local
 authorization login hwtacacs-scheme shebeiguanli local
 accounting login hwtacacs-scheme shebeiguanli local
 authorization command hwtacacs-scheme shebeiguanli local
 accounting optional
 quit
local-user admin
 service-type terminal ssh
 quit
user-interface vty 0 15
 authentication-mode scheme
 command accounting
 command authorization
 quit
domain default enable tamdm
To view the hwtacacs status:
dis hwtacacs
HWTACACS scheme name : shebeiguanli
 Primary Authen Server:
   IP: 10.190.8.7 Port: 49 State: Active
   VPN instance : Not configured
   Encryption Key : Not configured
 Primary Author Server:
   IP: 10.190.8.7 Port: 49 State: Active
   VPN instance : Not configured
   Encryption Key : Not configured
 Primary Account Server:
   IP: 10.190.8.7 Port: 49 State: Active
   VPN instance : Not configured
   Encryption Key : Not configured
 NAS IP address : 10.191.236.43
 Authentication key : ******
 Authorization key : ******
 Accounting key : ******
 VPN instance : Not configured
 Quiet interval(min) : 5
 Realtime accounting interval(min) : 12
 Response timeout interval(sec) : 5
 Retransmission times of stop-accounting packet : 100
 Username format : without-domain
 Data flow unit : Byte
 Packet unit : one
---------------------------------------------------------------------------
Total 1 HWTACACS scheme(s).
To view the status of a domain:
dis domain tamdm
Domain: tamdm
State: Active
Access-limit: Disabled
Accounting method: Optional
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Login authentication scheme : hwtacacs:shebeiguanli, local
Login authorization scheme : hwtacacs:shebeiguanli, local
Login accounting scheme : hwtacacs:shebeiguanli, local
Command authorization scheme : hwtacacs:shebeiguanli, local
Domain User Template:
 Idle-cut : Disabled
 Self-service : Disabled
 Authorization attributes:
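The following Python check is an added example, not part of the original article or of any H3C tool. It parses a Comware-style configuration and confirms the chain the configuration above relies on: the default domain binds its login and command methods to a defined hwtacacs scheme with a local fallback, and every vty line enforces scheme authentication with command authorization and accounting. The function names and the local-fallback requirement are assumptions of this example.

```python
# Added example, not from the original article. SAMPLE is constructed from the
# configuration on this page, with the server, key and local-user lines omitted.
SAMPLE = """\
hwtacacs scheme shebeiguanli
domain tamdm
 authentication login hwtacacs-scheme shebeiguanli local
 authorization login hwtacacs-scheme shebeiguanli local
 accounting login hwtacacs-scheme shebeiguanli local
 authorization command hwtacacs-scheme shebeiguanli local
user-interface vty 0 15
 authentication-mode scheme
 command accounting
 command authorization
domain default enable tamdm
"""
DOMAIN_METHODS = ("authentication login", "authorization login",
                  "accounting login", "authorization command")
VTY_LINES = ("authentication-mode scheme", "command authorization", "command accounting")

def parse_views(text):
    """Map each unindented view header to its indented sub-commands."""
    views, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("quit", "#"):
            continue
        if raw[0] != " ":
            current = line
            views[current] = []
        elif current:
            views[current].append(line)
    return views

def audit(text):
    """Return findings; an empty list means every check passed."""
    views, out = parse_views(text), []
    schemes = {h.split()[2] for h in views if h.startswith("hwtacacs scheme ")}
    default = [h.split()[3] for h in views if h.startswith("domain default enable ")]
    if not default:
        return ["no default domain enabled"]
    body = views.get("domain " + default[0], [])
    for m in DOMAIN_METHODS:
        hit = [l.split() for l in body if l.startswith(m + " hwtacacs-scheme ")]
        if not hit or hit[0][3] not in schemes:
            out.append(f"domain {default[0]}: {m} not bound to a defined hwtacacs scheme")
        elif hit[0][-1] != "local":  # assumption: local fallback is required
            out.append(f"domain {default[0]}: {m} has no local fallback")
    for h, lines in views.items():
        if h.startswith("user-interface vty"):
            out += [f"{h}: missing '{v}'" for v in VTY_LINES if v not in lines]
    return out
```

Call audit() on the text of a saved configuration; each returned string names the view and the missing or mismatched line.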
This completes the typical networking configuration case for hwtacacs on the S3600.
Reference link:
Technology: typical networking configuration case of S3600 hwtacacs https://mp.weixin.qq.com/s/5L2BCko8rUf8jNUFmEzYmw