Configuring User Login to the Device

TELNET

 AR1

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys AR1

AR2

[AR2-aaa]local-user huawei password cipher huawei privilege level 15 idle-timeout 300   //Create local user huawei with cipher-text password huawei, privilege level 15, and an idle timeout of 300 seconds.
[AR2-aaa]local-user huawei service-type telnet ssh //Set the access types of local user huawei to telnet and ssh
[AR2]user-interface vty 0 4
[AR2-ui-vty0-4]authentication-mode aaa  //Set the authentication mode of the VTY user interfaces to AAA

Test

<AR1>telnet 10.10.1.2
  Press CTRL_] to quit telnet mode
  Trying 10.10.1.2 ...
  Connected to 10.10.1.2 ...

Login authentication


Username:huawei
Password:
  ----------------------------------------------------------------------------- 
    
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: Telnet      
  IP-Address : 10.10.1.1     
  Time       : 2020-05-14 11:33:46-08:00     
  -----------------------------------------------------------------------------
<AR2>save
  The current configuration will be written to the device. 
  Are you sure to continue? (y/n)[n]:y
  It will take several minutes to save configuration file, please wait.......
  Configuration file had been saved successfully
  Note: The configuration file will take effect after being activated
<AR2>

STelnet

Generate the local key pair on AR2

[AR2]rsa local-key-pair create
The key name will be: Host
% RSA keys defined for Host already exist.
Confirm to replace them? (y/n)[n]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]:2048
Generating keys...
........................+++
.......................................................................+++
.......++++++++
..........................++++++++

[AR2]

AR2 configuration

[AR2-GigabitEthernet0/0/0]dis thi
[V200R003C00]
#
interface GigabitEthernet0/0/0
 ip address 10.10.1.2 255.255.255.0 
#
return
[AR2]aaa
[AR2-aaa]dis this
[V200R003C00]
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
 local-user huawei password cipher %$%$!_Au~Up<cXOZQ@U)eX|O3[yh%$%$ idle-timeout 300 0
 local-user huawei privilege level 15
 local-user huawei service-type telnet ssh
#
return
[AR2]stelnet server enable 
[AR2]user-interface vty 0 4
[AR2-ui-vty0-4]protocol inbound ssh     
[AR2-ui-vty0-4]dis this
[V200R003C00]
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh   #Configure the VTY user interfaces to support the SSH protocol.
user-interface vty 16 20
#
return
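
A check on the AR2 configuration shown above, as an added example that is not part of the original post: this Python script reads `display this` text and reports local users that still allow Telnet and VTY ranges that are not SSH-only or do not use AAA. The rule names and the sample text (built from the fragments on this page, password lines omitted) are assumptions.

```python
import re
# Constructed input: AR2 'display this' fragments from this page, password lines omitted.
STELNET_CFG = """\
aaa
 local-user huawei privilege level 15
 local-user huawei service-type telnet ssh
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
"""
# Same device before 'protocol inbound ssh' was entered (the TELNET section).
TELNET_CFG = STELNET_CFG.replace(" protocol inbound ssh\n", "")

def audit(config):
    """Return sorted (rule, subject) findings for a VRP configuration text."""
    findings, vty, section = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # unindented line opens a new section
            section = line
            if line.startswith("user-interface vty"):
                vty[section] = {}
            continue
        m = re.match(r"local-user (\S+) service-type (.+)", line)
        if m and "telnet" in m.group(2).split():
            findings.add(("user-allows-telnet", m.group(1)))
        if section in vty:
            m = re.match(r"(authentication-mode|protocol inbound) (\S+)", line)
            if m:
                vty[section][m.group(1)] = m.group(2)
    for name, opts in vty.items():
        # Assumption: a VTY range with no authentication-mode is not usable for
        # login, so only ranges that set one are checked.
        if "authentication-mode" not in opts:
            continue
        if opts["authentication-mode"] != "aaa":
            findings.add(("vty-auth-not-aaa", name))
        if opts.get("protocol inbound") != "ssh":
            findings.add(("vty-not-ssh-only", name))
    return sorted(findings)
if __name__ == "__main__":
    for label, cfg in (("telnet", TELNET_CFG), ("stelnet", STELNET_CFG)):
        print(label, audit(cfg))
```

After the STelnet change only the leftover `service-type telnet` on user huawei is reported; the earlier Telnet-stage configuration also reports vty 0 4 as not SSH-only.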

AR1 configuration

[AR1]ssh client first-time enable

Test

[AR1]stelnet 10.10.1.2
Please input the username:huawei
Trying 10.10.1.2 ...
Press CTRL+K to abort
Connected to 10.10.1.2 ...
The server is not authenticated. Continue to access it? (y/n)[n]:y
May 14 2020 12:18:42-08:00 AR1 %%01SSH/4/CONTINUE_KEYEXCHANGE(l)[4]:The server had not been authenticated in the process of exchanging keys. When deciding whether to continue, the user chose Y. 
[AR1]
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 10.10.1.2. Please wait...

May 14 2020 12:18:45-08:00 AR1 %%01SSH/4/SAVE_PUBLICKEY(l)[5]:When deciding whether to save the server's public key 10.10.1.2, the user chose Y. 
[AR1]
Enter password:
  ----------------------------------------------------------------------------- 
    
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: Telnet      
  IP-Address : 10.10.1.1     
  Time       : 2020-05-14 11:53:18-08:00     
  -----------------------------------------------------------------------------
<AR2>
[AR1]stelnet 10.10.1.2
Please input the username:huawei
Trying 10.10.1.2 ...
Press CTRL+K to abort
Connected to 10.10.1.2 ...
Enter password:
  ----------------------------------------------------------------------------- 
    
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: SSH      
  IP-Address : 10.10.1.1 ssh     
  Time       : 2020-05-14 12:18:50-08:00     
  -----------------------------------------------------------------------------
<AR2>sys
Enter system view, return user view with Ctrl+Z.

RADIUS

Generate the local key pair on the SSH server

[AR2]rsa local-key-pair create

SSH server configuration differs between versions; refer to the configuration for your version.

aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
[AR2-aaa]local-user huawei2 password cipher ****** idle-timeout 300 privilege level 15
[AR2-aaa]authentication-scheme newscheme  //Create authentication scheme newscheme on the SSH server
[AR2-aaa-authen-newscheme]authentication-mode radius //Set the authentication method of newscheme to RADIUS
[AR2-aaa-authen-newscheme]domain ssh.com  //Configure ssh.com as the RADIUS domain name on the SSH server
[AR2-aaa-domain-ssh.com]authentication-scheme newscheme  //Apply authentication scheme newscheme in the domain
radius-server ssh             //Specify RADIUS template ssh for the domain
[AR2-aaa-domain-ssh.com]radius-server template ssh //Specify ssh as the RADIUS template on the server
[AR2-radius-ssh]radius-server shared-key cipher huawei2 //Set the RADIUS server shared key to cipher-text huawei2
[AR2-radius-ssh]radius-server authentication 10.10.1.2 1812 //Configure the IP address and port number of the RADIUS authentication server
[AR2]stelnet server enable  //Enable the STelnet server function on the SSH server.

SSH client configuration

[AR1]ssh client first-time enable
//For the first login, first-time authentication must be enabled on the SSH client

Test

[AR1]stelnet 10.10.1.2
Please input the username:huawei2
Trying 10.10.1.2 ...
Press CTRL+K to abort
Connected to 10.10.1.2 ...
Enter password:
<AR2>sys
[AR2] display ssh server session
 --------------------------------------------------------------------
 Conn   Ver   Encry     State  Auth-type        Username
 --------------------------------------------------------------------
 VTY 0  2.0   AES       run    password         huawei2                         
 --------------------------------------------------------------------
[AR2]
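You can view the RADIUS server configuration on the SSH server and see that the STelnet client has successfully connected to the SSH server using RADIUS authentication.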

Reposted from www.cnblogs.com/liujunjun/p/12887936.html