3com S7906E 설치 설명서

 

5-2 

[Device-ui-vty0-4] authentication-mode scheme 

[Device-ui-vty0-4] quit 

# Create a RADIUS scheme and configure the IP address and UDP port for the primary authentication 

server for the scheme. Ensure that the port number be consistent with that on the RADIUS server. Set 

the shared key for authentication packets to expert for the scheme and the RADIUS server type of the 

scheme to extended. Specify Device to remove the domain name in the username sent to the RADIUS 

server for the RADIUS scheme. 

[Device] radius scheme rad 

[Device-radius-rad] primary authentication 192.168.2.20 1812 

[Device-radius-rad] key authentication expert 

[Device-radius-rad] server-type extended 

[Device-radius-rad] user-name-format without-domain 

[Device-radius-rad] quit 

# Configure the default ISP domain system to use RADIUS authentication scheme rad for login users 

and use local authentication as the backup. 

[Device] domain system 

[Device-isp-system] authentication login radius-scheme rad local 

[Device-isp-system] authorization login radius-scheme rad local 

[Device-isp-system] quit 

# Add a local user named monitor, set the user password to 123, and specify to display the password in 

cipher text. Authorize user monitor to use the telnet service and specify the level of the user as 1, that 

is, the monitor level. 

[Device] local-user monitor 

[Device-luser-admin] password cipher 123 

[Device-luser-admin] service-type telnet 

[Device-luser-admin] authorization-attribute level 1 

As shown in 

, command levels should be configured for different users to secure Device: After 

a user logs in to Device, the commands the user enter must be authorized by the HWTACACS server 

first before being executed. If the HWTACACS server fails to authorize the commands, local 

authorization is used. 

Figure 5-2 Network diagram for configuring command authorization