Network setup and description
In this case an S3600 switch is deployed with hwtacacs and linked with IMC TAM to achieve secure management of the device.
IMC version: PLAT 7.3 E0506P03
The S3600 version information is as follows:
H3C Comware Platform Software
Comware Software, Version 5.20, Release 2112
Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.
H3C S3600V2-28TP-EI uptime is 0 week, 4 days, 21 hours, 25 minutes
H3C S3600V2-28TP-EI with 1 Processor
256M bytes SDRAM
2M bytes Nor Flash Memory
128M bytes Nand Flash Memory
Config Register points to Nand Flash
Hardware Version is Ver.A
CPLD Version is 001
BootRom Version is 133
[SubSlot 0] 24FE+4SFP+2Combo GE Hardware Version is Ver.A
Configuration steps
The IMC TAM deployment has the following key points:
- Authorization scenario conditions:
Device area management, device type management, authorization time-period policy management
- Authorization command configuration:
Shell profile configuration, command set configuration
- Device management:
Configure the shared key, bind the device area, bind the device type
- Add the username and password
Deploy hwtacacs on the switch
Configuration key points
Configure "Authorization scenario conditions"
Add "Device area management"
Set the "Area name"
Set the "Device management type"
Add
Set "Authorization time-period policy management"
Add; set the "Authorization time-period policy name", "Effective time" and "Expiry time"
Set "Authorization command configuration" - "Shell profile configuration"
Set the "Shell profile name" - "Authorization level"
Set "Command set configuration"
Set the "Command set name" and "Default authorization mode"
Configure "Device management"
Add a device; set the "Shared key" and "Confirm shared key", and bind the "Device area" and "Device type"
Configure "Authorization management"
Bind "Device area" - "Device type" - "Authorization time period" - "Shell profile" - "Authorization command set"
Configure "User device group"; set the "Group name" - "Authorization policy"
Set "Device user management" - "All device users"
Set "Account name" - "Login password" - "Confirm login password" - "Device user group" - "User's authorization policy"
The S3600 hwtacacs configuration is as follows:
hwtacacs scheme shebeiguanli
primary authentication 10.190.8.7
primary authorization 10.190.8.7
primary accounting 10.190.8.7
key authentication nnhwtacacs
key authorization nnhwtacacs
key accounting nnhwtacacs
user-name-format without-domain
nas-ip 10.191.236.43
domain tamdm
authentication login hwtacacs-scheme shebeiguanli local
authorization login hwtacacs-scheme shebeiguanli local
accounting login hwtacacs-scheme shebeiguanli local
authorization command hwtacacs-scheme shebeiguanli local
accounting optional
quit
local-user admin
service-type terminal ssh
quit
user-interface vty 0 15
authentication-mode scheme
command accounting
command authorization
quit
domain default enable tamdm
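As an added example (not from the original case and not an H3C tool), the following Python script audits a Comware configuration text for the AAA points this case sets up: the default domain sends login authentication, authorization, accounting and command authorization through a hwtacacs scheme; that scheme has a primary server and a key for all three services; and the VTY lines enforce scheme authentication plus command authorization and accounting. The sample input is constructed from the configuration above.

```python
# Constructed input: the hwtacacs, domain and VTY lines from this case's configuration
SAMPLE_CONFIG = """hwtacacs scheme shebeiguanli
 primary authentication 10.190.8.7
 primary authorization 10.190.8.7
 primary accounting 10.190.8.7
 key authentication nnhwtacacs
 key authorization nnhwtacacs
 key accounting nnhwtacacs
domain tamdm
 authentication login hwtacacs-scheme shebeiguanli local
 authorization login hwtacacs-scheme shebeiguanli local
 accounting login hwtacacs-scheme shebeiguanli local
 authorization command hwtacacs-scheme shebeiguanli local
user-interface vty 0 15
 authentication-mode scheme
 command accounting
 command authorization
domain default enable tamdm"""

def audit(config):
    # Group each indented line under the top-level context line above it
    sec, ctx = {}, None
    for raw in config.splitlines():
        if raw.startswith(" "):
            sec.setdefault(ctx, []).append(raw.strip())
        else:
            ctx = raw.strip()
            sec.setdefault(ctx, [])
    # Follow the default domain to the hwtacacs scheme its login methods reference
    dom = next(("domain " + k.split()[-1] for k in sec
                if k.startswith("domain default enable ")), None)
    if dom is None:
        return ["no default domain is enabled"]
    scheme = next((l.split()[3] for l in sec.get(dom, []) if "hwtacacs-scheme" in l), "?")
    required = {  # context prefix -> child lines (prefixes) that must be present
        dom: [f"{s} hwtacacs-scheme {scheme}" for s in
              ("authentication login", "authorization login",
               "accounting login", "authorization command")],
        "hwtacacs scheme " + scheme: [f"{w} {s} " for w in ("primary", "key")
                                      for s in ("authentication", "authorization", "accounting")],
        "user-interface vty": ["authentication-mode scheme",
                               "command authorization", "command accounting"],
    }
    findings = []
    for want, needs in required.items():
        have = [l for k, v in sec.items() if k.startswith(want) for l in v]
        for need in needs:
            if not any(l.startswith(need) for l in have):
                findings.append(f"'{want}' lacks '{need.strip()}'")
    return findings
```

Run it over the output of `display current-configuration` to get an empty list when the device matches this case, or a list of the missing lines otherwise.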
View the hwtacacs status:
dis hwtacacs
HWTACACS scheme name : shebeiguanli
Primary Authen Server:
IP: 10.190.8.7 Port: 49 State: Active
VPN instance : Not configured
Encryption Key : Not configured
Primary Author Server:
IP: 10.190.8.7 Port: 49 State: Active
VPN instance : Not configured
Encryption Key : Not configured
Primary Account Server:
IP: 10.190.8.7 Port: 49 State: Active
VPN instance : Not configured
Encryption Key : Not configured
NAS IP address : 10.191.236.43
Authentication key : ******
Authorization key : ******
Accounting key : ******
VPN instance : Not configured
Quiet interval(min) : 5
Realtime accounting interval(min) : 12
Response timeout interval(sec) : 5
Retransmission times of stop-accounting packet : 100
Username format : without-domain
Data flow unit : Byte
Packet unit : one
---------------------------------------------------------------------------
Total 1 HWTACACS scheme(s).
View the domain status:
dis domain tamdm
Domain: tamdm
State: Active
Access-limit: Disabled
Accounting method: Optional
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Login authentication scheme : hwtacacs:shebeiguanli, local
Login authorization scheme : hwtacacs:shebeiguanli, local
Login accounting scheme : hwtacacs:shebeiguanli, local
Command authorization scheme : hwtacacs:shebeiguanli, local
Domain User Template:
Idle-cut : Disabled
Self-service : Disabled
Authorization attributes:
At this point, the S3600 hwtacacs typical networking configuration case is complete!
Reference link:
Technology | S3600 hwtacacs typical networking configuration case: https://mp.weixin.qq.com/s/5L2BCko8rUf8jNUFmEzYmw