Note: there is no DHCP server and no web server in this setup, so DHCP is handled locally and the local web server is used. This does not affect what you can learn from it; just change the addresses.
Port 1: web mode by default, web access with RADIUS authentication, address range 1721601/24
Port 2: fast authentication, local authentication, address range 1721611/24
Port 3: binding authentication, local authentication, address range 1721621/24
Port 4: static users, local authentication, address range 1721631/24
Port 5: PPPoE and dot1x users, RADIUS authentication, address ranges 1721641/24 (PPPoE) and 1721651/24 (1x)
Port 6: Layer 2 leased-line users, local authentication, address range 1721661/24
Port 7: originally intended for Layer 3 leased-line access, later moved to port 12; the configuration on this port is unused.
Port 8: PPPoE leased-line users (no test environment was available, so this configuration is incomplete; ignore it)
Port 9: PNP users, RADIUS authentication, address range 1721671/24
Port 11: *** users, RADIUS plus LNS secondary authentication (configuration only, no environment to test it), address range 1721681/24
Port 12: Layer 3 user access port, carrying Layer 3 leased-line users and Layer 3 web authentication, address ranges 1721701/24 (Layer 3 leased line) and 1721711/24 (Layer 3 authentication)
[MA5200F]display cu
#
version 7123
sysname MA5200F
#
system language-mode english
#
FTP server enable
#
l2tp enable
#
radius-server group default
radius-server group huawei
radius-server authentication 1016447171 1812
radius-server accounting 1016447171 1813
radius-server group login
#
web-server directory flash:/web/ default-page /indexhtml
#
info-center timestamp debugging date
undo trap-statistics 70f2000
undo trap-statistics 70f2001
undo trap-statistics 70f2002
undo trap-statistics 70f2003
undo trap-statistics 70f2004
undo trap-statistics 70f2005
undo trap-statistics 70f2008
undo trap-statistics 70f2009
undo trap-statistics 70f200c
undo trap-statistics 70f200d
undo trap-statistics 70f200e
undo trap-statistics 70f200f
undo trap-statistics 70f2017
undo trap-statistics 70f2018
undo trap-statistics 70f201a
undo trap-statistics 70f201b
undo trap-statistics 70f201c
undo trap-statistics 70f201d
undo trap-statistics 7032000
undo trap-statistics 7032001
undo trap-statistics 7032002
#
login local-user aaa
login local-user ma5200 password simple ma5200
login local-user ma5200 service-type ftp
login local-user ma5200 ftp-directory flash:/
#
interface Ethernet1
Switches offer a high performance-to-price ratio, great flexibility, relative simplicity and easy deployment, which is why Ethernet has become the most important LAN technology today and Ethernet switches the most widespread kind of switch. Below are the Huawei switch AAA configuration commands I have collected; I hope they are useful!
Huawei switch AAA configuration commands
[Huawei]aaa
[Huawei-aaa]authentication-scheme ren_zheng  Create an AAA authentication scheme named ren_zheng
[Huawei-aaa-authen-aaa]authentication-mode radius local  Authenticate against RADIUS first; fall back to local authentication if the server does not respond
[Huawei-aaa-authen-aaa]quit
[Huawei-aaa]accounting-scheme ji_fei  Create an AAA accounting scheme named ji_fei
[Huawei-aaa-accounting-ji_fei]accounting-mode radius  Perform accounting on the RADIUS server
[Huawei-aaa-accounting-ji_fei]accounting start-fail offline  Take the user offline if accounting-start fails
[Huawei-aaa-accounting-ji_fei]quit
2. Configure the RADIUS template
[Huawei]radius-server template huawei_use  Create a RADIUS server template named huawei_use
[Huawei-radius-huawei_use]radius-server authentication 1921681254 1812  Primary RADIUS authentication server address and port
[Huawei-radius-huawei_use]radius-server authentication 1921681253 1812 secondary  Secondary authentication server
[Huawei-radius-huawei_use]radius-server accounting 1921681254 1813  Primary RADIUS accounting server address and port (as shown by the display output below)
[Huawei-radius-huawei_use]radius-server accounting 1921681253 1813 secondary  Secondary accounting server
[Huawei-radius-huawei_use]radius-server shared-key cipher hello  Shared key used between the device and the RADIUS server is hello
[Huawei-radius-huawei_use]radius-server retransmit 2 timeout 5  Retransmit a request to the RADIUS server at most 2 times, with a 5-second response timeout
[Huawei-radius-huawei_use]quit
3. Bind the AAA schemes and the RADIUS template in the AAA user domain
[Huawei]aaa
[Huawei-aaa]domain huawei  Create an AAA domain named huawei
[Huawei-aaa-domain-huawei]authentication-scheme ren_zheng  Bind the AAA authentication scheme to the domain
[Huawei-aaa-domain-huawei]accounting-scheme ji_fei  Bind the AAA accounting scheme to the domain
[Huawei-aaa-domain-huawei]radius-server huawei_use  Bind the RADIUS template to the domain
[Huawei-aaa-domain-huawei]quit
Verification commands:
[Huawei]display radius-server configuration template huawei_use
------------------------------------------------------------------------------
Server-template-name : huawei_use
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : aaYOZ$V^P35NZPO3JBXBHA!!
Timeout-interval(in second) : 5
Primary-authentication-server : 1921681254 :1812 :-LoopBack:NULL Source-IP:0000
Primary-accounting-server : 1921681254 :1813 :-LoopBack:NULL Source-IP:0000
Secondary-authentication-server : 1921681253 :1812 :-LoopBack:NULL Source-IP:0000
Secondary-accounting-server : 1921681253 :1813 :-LoopBack:NULL Source-IP:0000
Retransmission : 2
Domain-included : YES
NAS-IP-Address : 0000
Calling-station-id MAC-format : xxxx-xxxx-xxxx
------------------------------------------------------------------------------
[Huawei]
[Huawei]display domain name huawei
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : ren_zheng
Accounting-scheme-name : ji_fei
Authorization-scheme-name : -
Service-scheme-name : -
RADIUS-server-template : huawei_use
HWTACACS-server-template : -
[Huawei]
Session 2: AAA + HWTACACS for authentication, authorization and accounting (by default all three use TCP port 49)
The topology is unchanged.
HWTACACS (Huawei Terminal Access Controller Access Control System) is Huawei's extension of the TACACS protocol.
HWTACACS is a security protocol with enhanced functions built on TACACS (RFC 1492). Like RADIUS, it implements AAA for various kinds of users by communicating with an HWTACACS server in client-server mode.
HWTACACS differs from RADIUS in the following ways:
- RADIUS runs over UDP, whereas HWTACACS runs over TCP.
- RADIUS bundles authentication and authorization together, whereas HWTACACS keeps them independent.
- RADIUS encrypts only the user's password, whereas HWTACACS can encrypt the entire packet.
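To make the last difference concrete, here is an added Python example (not from the original page) that implements the standard RFC 2865 User-Password hiding and the RFC 8907 TACACS+ body obfuscation, then checks what is still readable on the wire. HWTACACS is Huawei's extension, so this example assumes the standard TACACS+ algorithm as a stand-in; the shared key "hello" mirrors the page's configuration, and the username, password and session id are constructed sample values.

```python
import hashlib
import os
import struct

SHARED_SECRET = b"hello"  # matches the shared-key on the page; all other values are constructed

def radius_hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: password padded to 16-byte blocks, each XORed with MD5(secret + previous block).
    Only this one attribute is protected; User-Name and the rest of the packet travel in clear."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def radius_reveal_password(hidden, secret, request_authenticator):
    """Inverse of radius_hide_password, as performed by the RADIUS server."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, identifier=1, authenticator=None):
    """Minimal Access-Request (Code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    authenticator = authenticator or os.urandom(16)
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def tacacs_authen_start_body(username):
    """RFC 8907 5.1 authentication START: action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN."""
    return bytes([1, 1, 1, 1, len(username), 0, 0, 0]) + username

def tacacs_plus_obfuscate(body, secret, session_id, version=0xC0, seq_no=1):
    """RFC 8907 4.5: the whole body is XORed with an MD5 pseudo-pad chained from
    session_id, secret, version and seq_no. XOR is its own inverse, so this also decrypts."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + secret + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))

if __name__ == "__main__":
    pkt = build_access_request(b"alice", b"s3cret", SHARED_SECRET)
    print("RADIUS: username in clear:", b"alice" in pkt, "password in clear:", b"s3cret" in pkt)
    enc = tacacs_plus_obfuscate(tacacs_authen_start_body(b"alice"), SHARED_SECRET, 0x12345678)
    print("TACACS+: username in clear:", b"alice" in enc)
```

Both protections rest entirely on the configured shared key, which is why the key should be long, unique per device, and carried over a management network rather than user VLANs.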
[Huawei]aaa
[Huawei-aaa]authentication-scheme ren_zheng  Create an AAA authentication scheme named ren_zheng
[Huawei-aaa-authen-aaa]authentication-mode hwtacacs local  Authenticate against HWTACACS first; fall back to local authentication if the server does not respond
[Huawei-aaa-authen-aaa]authentication-super hwtacacs super  When an access user raises their privilege level, authenticate via HWTACACS first and locally if there is no response
[Huawei-aaa-authen-aaa]quit
[Huawei]aaa
[Huawei-aaa]authorization-scheme shou_quan  Create an AAA authorization scheme named shou_quan
[Huawei-aaa-author-aaa]authorization-mode hwtacacs local  Authorize via HWTACACS first; fall back to local authorization if the server does not respond
[Huawei-aaa-author-aaa]quit
[Huawei-aaa]accounting-scheme ji_fei  Create an AAA accounting scheme named ji_fei
[Huawei-aaa-accounting-ji_fei]accounting-mode hwtacacs  Perform accounting on the HWTACACS server
[Huawei-aaa-accounting-ji_fei]accounting start-fail offline  Take the user offline if accounting-start fails
[Huawei-aaa-accounting-ji_fei]accounting realtime 3  Enable real-time accounting for users with a 3-minute interval
[Huawei-aaa-accounting-ji_fei]quit
2. Configure the HWTACACS template
[Huawei]hwtacacs-server template huawei_use  Create an HWTACACS server template named huawei_use
[Huawei-hwtacacs-huawei_use]hwtacacs-server authentication 1921681254 49  Primary HWTACACS authentication server address and port
[Huawei-hwtacacs-huawei_use]hwtacacs-server authentication 1921681253 49 secondary  Secondary authentication server
[Huawei-hwtacacs-huawei_use]hwtacacs-server authorization 1921681253 49  Primary HWTACACS authorization server address and port
[Huawei-hwtacacs-huawei_use]hwtacacs-server authorization 1921681253 49 secondary  Secondary authorization server
[Huawei-hwtacacs-huawei_use]hwtacacs-server accounting 1921681253 49  Primary HWTACACS accounting server address and port
[Huawei-hwtacacs-huawei_use]hwtacacs-server accounting 1921681253 49 secondary  Secondary accounting server
[Huawei-hwtacacs-huawei_use]hwtacacs-server shared-key cipher hello  Shared key used between the device and the HWTACACS server is hello
[Huawei-hwtacacs-huawei_use]quit
3. Bind the AAA schemes and the HWTACACS template in the AAA user domain
[Huawei]aaa
[Huawei-aaa]domain huawei  Create an AAA domain named huawei
[Huawei-aaa-domain-huawei]authentication-scheme ren_zheng  Bind the AAA authentication scheme to the domain
[Huawei-aaa-domain-huawei]authorization-scheme shou_quan  Bind the AAA authorization scheme to the domain
[Huawei-aaa-domain-huawei]accounting-scheme ji_fei  Bind the AAA accounting scheme to the domain
[Huawei-aaa-domain-huawei]hwtacacs-server huawei_use  Bind the HWTACACS template to the domain
[Huawei-aaa-domain-huawei]quit
Verification commands:
[Huawei]display hwtacacs-server template huawei_use
---------------------------------------------------------------------------
HWTACACS-server template name : huawei_use
Primary-authentication-server : 1921681254:49:-
Primary-authorization-server : 1921681254:49-
Primary-accounting-server : 1921681254:49:-
Secondary-authentication-server : 1921681253:49:-
Secondary-authorization-server : 1921681253:49:-
Secondary-accounting-server : 1921681253:49:-
Current-authentication-server : 1921681254:49:-
Current-authorization-server : 1921681254:49:-
Current-accounting-server : 1921681254:49:-
Source-IP-address : 0000
Shared-key : hello
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
---------------------------------------------------------------------------
Total 1,1 printed
[Huawei]
[Huawei]display domain name huawei
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : ren_zheng
Accounting-scheme-name : ji_fei
Authorization-scheme-name : shou_quan
Service-scheme-name : -
RADIUS-server-template : -
HWTACACS-server-template : huawei_use
[Huawei]
Just follow the Layer 2 configuration of the 3550.
<huawei2_0ES-7F00-S3552-1>dis
<huawei2_0ES-7F00-S3552-1>display cu
<huawei2_0ES-7F00-S3552-1>display current-configuration
sysname ES-7F00-S3552-1
super password level 3 simple cisco
radius scheme system
server-type huawei
primary authentication 127001 1645
primary accounting 127001 1646
user-name-format without-domain
domain shut
radius-scheme system
access-limit disable
state active
vlan-assignment-mode integer
idle-cut disable
self-service-url disable
messenger time disable
domain system
radius-scheme system
access-limit disable
state active
vlan-assignment-mode integer
idle-cut disable
self-service-url disable
messenger time disable
domain default enable system
local-server nas-ip 127001 key huawei
info-center loghost 1921681501
info-center loghost 17216991
temperature-limit 0 20 80
vrrp ping-enable
dhcp server ip-pool 2
dhcp server ip-pool 8
network 13532890 mask 2552552550
gateway-list 13532891
dns-list XXXX
stp instance 0 priority 4096
stp enable
acl number 3998
rule 0 deny ip destination 1921681510 000255
rule 1 permit ip source 1921681510 000255
acl number 3999
rule 0 deny ip source 1921681510 000255
rule 1 permit ip destination 1921681510 000255
#
acl number 4000
rule 0 deny ingress 0009-5307-b400 0000-0000-0000 egress any
rule 10 permit ingress any egress any
#
vlan 1
#
vlan 2
description VLAN_for_6F_working_area
#
vlan 3
description VLAN_for_7F_OA_area
#
vlan 4
description VLAN_for_8F_working_area
#
vlan 54
description Layer3_interface_to_cisco_6509
#
vlan 60
description 7F-IN-A-MA5200F_SDC-F-ISG2000-02
#
vlan 203
description MANUFACTUE_area
#
interface Vlan-interface1
#
interface Vlan-interface2
description Gateway for 6F working area
ip address XXXX 255255255192
dhcp select interface
dhcp server dns-list XXXX
dhcp server expired day 0 hour 12
vrrp vrid 2 virtual-ip 1353287129
vrrp vrid 2 preempt-mode timer delay 4
#
interface Vlan-interface3
ip address XXXX 255255255128
dhcp select interface
dhcp server dns-list 10104123 10104121
dhcp server expired day 0 hour 12
vrrp vrid 3 virtual-ip 13532871
vrrp vrid 3 priority 150
vrrp vrid 3 preempt-mode timer delay 4
#
interface Vlan-interface4
description Gateway for 8F working area
ip address 1353287194 255255255192
ip address 13532891 2552552550 sub
dhcp select interface
dhcp server expired day 0 hour 12
vrrp vrid 4 virtual-ip 1353287193
vrrp vrid 4 priority 150
vrrp vrid 4 preempt-mode timer delay 4
#
interface Vlan-interface54
description Layer3_interface_to_cisco_6509
ip address 13532863 255255255128
#
interface Aux0/0
#
interface Ethernet1/1
stp instance 0 port priority 0
description TO 7F-IN-D-S3552F-01 E1/1 100M
port link-type trunk
port trunk permit vlan 1 to 5 54 60 203
#
interface Ethernet1/2
description TO 7F-IN-A-S2024C-01 E1/1 100M
port link-type trunk
port trunk permit vlan 1 3
#
interface Ethernet1/3
description TO 7F-IN-A-S2024C-02 E1/1 100M
port link-type trunk
port trunk permit vlan 1 3
shutdown
#
interface Ethernet1/4
description TO 7F-IN-A-S2024C-03 E1/1 100M
port link-type trunk
port trunk permit vlan 1 3 203
#
interface Ethernet1/5
description TO 7F-IN-A-S2024C-04 E1/1 100M
port link-type trunk
port trunk permit vlan 1 3 203
#
interface Ethernet3/1
description TO 6F-IN-A-S2024C-01 E2/1 100M
port link-type trunk
port trunk permit vlan 1 to 2
#
interface Ethernet3/2
description TO 6F-IN-A-S2024C-02 E2/1 100M
port link-type trunk
port trunk permit vlan 1 to 2
#
interface Ethernet4/1
stp disable
stp edged-port enable
mac-address max-mac-count 1
port access vlan 3
#
interface Ethernet4/2
stp disable
stp edged-port enable
mac-address max-mac-count 1
port access vlan 3
#
interface Ethernet6/6
stp disable
stp edged-port enable
mac-address max-mac-count 1
port access vlan 3
#
interface Ethernet6/7
stp disable
stp edged-port enable
mac-address max-mac-count 1
port access vlan 3
#
interface Ethernet6/8
stp disable
stp edged-port enable
mac-address max-mac-count 1
port access vlan 3
#
interface GigabitEthernet7/1
stp disable
stp instance 0 port priority 240
description TO_8F_C6509
duplex full
speed 1000
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 54 60
#
interface GigabitEthernet7/2
shutdown
#
interface GigabitEthernet7/3
shutdown
#
interface GigabitEthernet7/4
shutdown
#
interface NULL0
#
cluster
ip-pool 1921681511 2552552550
build huawei2
#
ip route-static 0000 0000 13532869 preference 60
ip route-static 103120 2552552550 13532861 preference 60
ip route-static 13533880 2552552550 13532861 preference 60
#
snmp-agent
snmp-agent local-engineid 800007DB000FE22B0BC06877
snmp-agent community read public@cm0
snmp-agent community write private@cm0
snmp-agent sys-info location BeiJing China
snmp-agent sys-info version all
snmp-agent trap enable standard
snmp-agent trap enable configuration
snmp-agent trap enable vrrp
snmp-agent trap enable ospf
snmp-agent trap enable bgp
snmp-agent trap source Vlan-interface1
#
user-interface aux 0
authentication-mode password
user privilege level 0
set authentication password cipher $T5=a0:!5![WD;""L5/X!!!
user-interface vty 0 1
user privilege level 3
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
user-interface vty 2 3
user privilege level 3
set authentication password cipher I5:CO5Q[!C1[WD;""L5/X!!!
user-interface vty 4
set authentication password simple cisco
#
return
radius nas-ip XXXXXXXXXXXX {Configure the parameters of the local RADIUS server: nas-ip sets the IP address of the access server, key sets the key used for login-user authentication}
radius scheme system {Specify the RADIUS server group referenced by the current ISP domain; here the group is named "system"}
server-type huawei {Configure the server type used for the specified users}
primary authentication 127001 1645 {Configure the IP address and port of the primary RADIUS authentication/authorization server; there is no AAA server in the current environment}
primary accounting 127001 1646 {Configure the IP address and port of the primary RADIUS accounting server}
user-name-format without-domain {Configure the format of the user name sent to the RADIUS server; here the user name is sent without the domain name}
domain system {Create an ISP domain. By default the system already contains an ISP domain named "system". An ISP domain is the group of users belonging to one ISP. ISP domains exist to support multi-ISP environments, in which a single access device may serve users of different ISPs; because the user attributes of each ISP (user name and password format, service type/privileges and so on) may differ, they must be kept apart by ISP domain. In ISP domain view you configure a complete, separate set of domain attributes for each domain, including its AAA policy (the RADIUS server group used, and so on). On the switch, every access user belongs to an ISP domain. At most 16 ISP domains can be configured.}
radius-scheme system
access-limit disable {Do not limit the number of access users the current ISP domain can hold}
state active {Set the current ISP domain/current user to active, meaning the system allows users in this domain/the current user to request network services}
idle-cut disable {Configure the user template of the current ISP domain so that the idle-cut function is disabled for its users}