Using TACACS+ for Telnet Login Authentication
[Requirements]
To telnet to the router, a user must enter the user name h3c and password h3c123; the account is authenticated by the TACACS+ server.
[Configuration script]
Configuration script (RouterA)
#
sysname Quidway
#
hwtacacs nas-ip 192.168.1.254 /Set TACACS+ source address/
#
hwtacacs scheme test /Create the hwtacacs scheme test/
primary authentication 192.168.1.100 /Configure address for the primary authentication server/
primary authorization 192.168.1.100 /Configure address for the primary authorization server/
key authentication huawei /Configure authentication key/
key authorization huawei /Configure authorization key/
user-name-format without-domain /Send the user name to the server without the domain name/
#
radius scheme system
#
domain system
scheme hwtacacs-scheme test /Apply the hwtacacs scheme test/
accounting optional /Allow login to proceed when no accounting server responds/
#
interface Ethernet1/0/0
ip address 192.168.1.254 255.255.255.0
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme /Use AAA scheme authentication for VTY 0 to 4/
#
return
[Verification]
Telnet to the router with user name h3c and password h3c123; the login succeeds once the account and password are authenticated by the TACACS+ server.
[Tip]
1. Create the account h3c with password h3c123 on the TACACS+ server first; that account is then used to telnet to the router.
2. If the user-name-format without-domain command is not configured, the router sends the user name with the domain name appended (h3c@system), and authentication fails.
3. The shared key configured on the router (huawei in this script) must be identical to the key configured on the TACACS+ server.
4. This scenario only authenticates the account and does not require accounting, so no accounting server parameters are configured and accounting optional is enabled.
With accounting optional configured, a user keeps access to network resources when no accounting server is available or communication with it fails; without it, the user is cut off. The command is therefore typically used for authentication-only (no accounting) deployments.
5. This configuration interoperates with Cisco ACS 3.1. Do not forget to authorize the account in the relevant group.
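As an added example (not part of the original page or the vendor's tooling), the following Python script parses a configuration in the format shown above and flags the pitfalls from the Tip list: a scheme without user-name-format without-domain, a scheme with no authentication key, a domain that applies an hwtacacs scheme without accounting optional, and a VTY line whose authentication-mode is not scheme. The sample text, the function names blocks and audit, and the finding wording are assumptions made for this example.

```python
import re
# Added example, not the page's script: the sample below is constructed from the RouterA blocks above.
ROUTER_A = """hwtacacs nas-ip 192.168.1.254 /Set TACACS+ source address/
#
hwtacacs scheme test
 key authentication huawei
 user-name-format without-domain
#
domain system
 scheme hwtacacs-scheme test
 accounting optional
#
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
"""

def blocks(text):  # split a '#'-delimited configuration into blocks of lines, dropping /comments/
    out, cur = [], []
    for raw in text.splitlines() + ["#"]:          # sentinel '#' flushes the last block
        line = re.sub(r"\s+/[^/]*/\s*$", "", raw).strip()
        if line == "#" and cur:
            out, cur = out + [cur], []
        elif line and line != "#":
            cur.append(line)
    return out

def audit(text):  # return findings for the Tip-list pitfalls; an empty list means all checks pass
    bl, findings = blocks(text), []
    for b in bl:
        head = b[0].split()
        if head[:2] == ["hwtacacs", "scheme"]:            # Tips 2 and 3: account format and key
            if "user-name-format without-domain" not in b:
                findings.append(f"scheme {head[2]}: without-domain not set, server would see user@domain")
            if not any(l.startswith("key authentication ") for l in b):
                findings.append(f"scheme {head[2]}: no authentication key configured")
        elif head[0] == "domain":                          # Tip 4: scheme applied, accounting optional
            applied = any(l.startswith("scheme hwtacacs-scheme ") for l in b)
            if applied and "accounting optional" not in b:
                findings.append(f"domain {head[1]}: accounting optional not set, logins would be cut off")
    modes, cur = {}, None                                   # VTY lines must use scheme authentication
    for l in (l for b in bl if b[0].startswith("user-interface ") for l in b):
        if l.startswith("user-interface "):
            modes.setdefault(cur := l, None)               # every user-interface line starts unset
        elif l.startswith("authentication-mode "):
            modes[cur] = l.split()[1]
    findings += [f"{ui}: authentication-mode {m or 'unset'}, not scheme"
                 for ui, m in modes.items() if "vty" in ui and m != "scheme"]
    return findings
```

Run audit() on the text of a display current-configuration capture; it reports only the checks above and cannot verify that the key matches the server side.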