V7防火墙和思科ACS 实现radius认证

ACS版本为5.3

防火墙侧关键配置如下：

#                                                                              

radius scheme radius                                                           

 primary authentication xx.xx.xx.xx                                            

 primary accounting xx.xx.xx.xx                                               

 key authentication cipher $c$3$kd0dGV7u/GaWnACIib940/kGLgJdmbCbeg==           

 key accounting cipher $c$3$YzwIejGtgqKC1vI0cyH2ePj+aehv5Tkx7Q==               

 user-name-format without-domain                                               

#                                                                              

domain radius                                                                   

 authentication login radius-scheme radius local                               

 authorization login radius-scheme radius local                                

 accounting login none                                                          

#               

domain default enable radius                                                  

#                      

ACS服务器侧配置：

System Administration>Configuration>Dictionaries>Protocols>RADIUS>RADIUS VSA页签下面创建h3c。

Vendor ID为25506。

System Administration>Configuration>Dictionaries>Protocols>RADIUS>RADIUS VSA>h3c下面增加属性User-Roles

ID为155，Type为String：

Network Resources>Network Devices and AAA Clients添加设备： 

Users and Identity Stores>Internal Identity Stores>Users增加用户ahnx

Policy Elements>Authorization and Permissions>Network Access>Authorization Profiles增加一个Profile

Name

Attributes选择之前创建的User-Roles：

shell:roles=network-admin

Access Policies>Access Services>Default Network Access>Authorization，Policy下面增加一个rule

配置location，Profile选择之前创建的h3c-role。

Save Changes 

ACS配置完成。

无