Creating a tacacs+ scheme, Creating a domain, Configuration example – H3C Technologies H3C Intelligent Management Center User Manual


Creating a TACACS+ scheme

A device cooperates with the TAM server to implement TACACS+ authentication according to the configured TACACS+ scheme.
When you configure a TACACS+ scheme, follow these restrictions and guidelines:

• The IP address specified for the AAA server in the TACACS+ scheme must be the IP address of the TAM server.

• The shared key and the authentication, authorization, and accounting ports specified in the TACACS+ scheme must be the same as those configured on the TAM server.

• If you specify the nas-ip in the TACACS+ scheme, configure the IP address of the device on TAM as that nas-ip. If you do not specify the nas-ip in the TACACS+ scheme, configure the IP address of the device on TAM as the IP address of the interface that connects the device to the TAM server.

Creating a domain

The scheme used in a domain for user login, raising the user privilege level (super), and command-line authorization must be the TACACS+ scheme that you created.

Configuring scheme authentication and enabling command-line authorization and accounting

Configure scheme authentication on the user interfaces of each login method, and enable command-line authorization and accounting on those user interfaces according to the login method.

Configuration example

This example applies to an HP A-Series device or an H3C device. Use the following commands to configure TACACS+ authentication and authorization:

<Device>system-view
[Device]hwtacacs scheme test
[Device-hwtacacs-test]primary authentication 192.168.0.96 49
[Device-hwtacacs-test]primary authorization 192.168.0.96 49
[Device-hwtacacs-test]primary accounting 192.168.0.96 49
[Device-hwtacacs-test]key authentication hello
[Device-hwtacacs-test]key authorization hello
[Device-hwtacacs-test]key accounting hello
[Device-hwtacacs-test]nas-ip 190.12.0.2
[Device-hwtacacs-test]user-name-format without-domain
[Device-hwtacacs-test]quit
[Device]domain tel
[Device-isp-tel]authentication login hwtacacs-scheme test
[Device-isp-tel]authentication super hwtacacs-scheme test
[Device-isp-tel]authorization login hwtacacs-scheme test
[Device-isp-tel]authorization command hwtacacs-scheme test
[Device-isp-tel]accounting login hwtacacs-scheme test
[Device-isp-tel]accounting command hwtacacs-scheme test
[Device-isp-tel]quit
[Device]domain default enable tel
[Device]user-interface vty 0 4
[Device-ui-vty0-4]authentication-mode scheme
[Device-ui-vty0-4]command authorization
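The following Python script is an added example and is not part of the H3C manual or of IMC. It parses the scheme and domain commands shown above (the <Device> and [Device-...] prompts are stripped) and checks them against the guidelines in "Creating a TACACS+ scheme" and "Creating a domain": every AAA server entry must be the TAM server address and port, every shared key must equal the TAM shared key, a specified nas-ip must be the device IP registered on TAM, and the domain must bind login, super, and command authorization and accounting to an existing hwtacacs scheme. The TAM_SERVER values are an assumption standing in for what is configured on the TAM server, and the function names are this example's own.

```python
"""Consistency check of a Comware hwtacacs scheme against TAM settings.
Added example (not H3C code): parses the scheme/domain commands from this
page and applies the guidelines of the 'Creating a TACACS+ scheme' section."""
import re

# Device configuration taken from this page's example (scheme and domain part).
DEVICE_CONFIG = """\
<Device>system-view
[Device]hwtacacs scheme test
[Device-hwtacacs-test]primary authentication 192.168.0.96 49
[Device-hwtacacs-test]primary authorization 192.168.0.96 49
[Device-hwtacacs-test]primary accounting 192.168.0.96 49
[Device-hwtacacs-test]key authentication hello
[Device-hwtacacs-test]key authorization hello
[Device-hwtacacs-test]key accounting hello
[Device-hwtacacs-test]nas-ip 190.12.0.2
[Device-hwtacacs-test]user-name-format without-domain
[Device-hwtacacs-test]quit
[Device]domain tel
[Device-isp-tel]authentication login hwtacacs-scheme test
[Device-isp-tel]authentication super hwtacacs-scheme test
[Device-isp-tel]authorization login hwtacacs-scheme test
[Device-isp-tel]authorization command hwtacacs-scheme test
[Device-isp-tel]accounting login hwtacacs-scheme test
[Device-isp-tel]accounting command hwtacacs-scheme test
[Device-isp-tel]quit
[Device]domain default enable tel
"""

# Assumed TAM-side settings (constructed for this example; in practice read
# them from the TAM server configuration).
TAM_SERVER = {"ip": "192.168.0.96", "port": 49, "key": "hello",
              "device_ip": "190.12.0.2"}

SERVICES = ("authentication", "authorization", "accounting")
# Domain bindings the section requires: login, super (privilege raise),
# and command-line authorization/accounting, all on the TACACS+ scheme.
REQUIRED_BINDINGS = (("authentication", "login"), ("authentication", "super"),
                     ("authorization", "login"), ("authorization", "command"),
                     ("accounting", "login"), ("accounting", "command"))
PROMPT = re.compile(r"^(?:<[^>]*>|\[[^\]]*\])\s*")  # strips <Device> / [Device-...]


def parse_config(text):
    """Return (schemes, domains): dicts keyed by scheme name / domain name."""
    schemes, domains, cur = {}, {}, None
    for raw in text.splitlines():
        parts = PROMPT.sub("", raw.strip()).split()
        if not parts:
            continue
        if parts[:2] == ["hwtacacs", "scheme"]:
            cur = schemes.setdefault(parts[2], {"servers": {}, "keys": {}, "nas_ip": None})
        elif parts[0] == "domain" and parts[1] != "default":
            cur = domains.setdefault(parts[1], {})
        elif parts[0] == "quit":
            cur = None
        elif cur is None:
            continue  # system-view, domain default enable, etc.
        elif parts[0] == "primary" and "servers" in cur:
            port = int(parts[3]) if len(parts) > 3 else 49  # TACACS+ default port
            cur["servers"][parts[1]] = (parts[2], port)
        elif parts[0] == "key" and "keys" in cur:
            cur["keys"][parts[1]] = parts[2]
        elif parts[0] == "nas-ip" and "nas_ip" in cur:
            cur["nas_ip"] = parts[1]
        elif parts[0] in SERVICES and "hwtacacs-scheme" in parts:
            cur[(parts[0], parts[1])] = parts[parts.index("hwtacacs-scheme") + 1]
    return schemes, domains


def check_scheme(scheme, tam):
    """Server address/port and keys must match TAM; a specified nas-ip must be
    the device IP configured on TAM.  Returns a list of problem strings."""
    problems = []
    for svc in SERVICES:
        server = scheme["servers"].get(svc)
        if server != (tam["ip"], tam["port"]):
            problems.append(f"{svc} server {server} is not TAM {tam['ip']}:{tam['port']}")
        if scheme["keys"].get(svc) != tam["key"]:
            problems.append(f"{svc} key differs from the TAM shared key")
    if scheme["nas_ip"] is not None and scheme["nas_ip"] != tam["device_ip"]:
        problems.append(f"nas-ip {scheme['nas_ip']} is not the device IP configured on TAM")
    return problems


def check_domain(domain, schemes):
    """Every required binding must point at an existing hwtacacs scheme."""
    return [f"{a} {b} is not bound to a known hwtacacs scheme"
            for a, b in REQUIRED_BINDINGS if domain.get((a, b)) not in schemes]


def audit(text, tam=TAM_SERVER):
    """Run all checks over a configuration; an empty list means consistent."""
    schemes, domains = parse_config(text)
    problems = [f"scheme {n}: {p}" for n, s in schemes.items() for p in check_scheme(s, tam)]
    problems += [f"domain {n}: {p}" for n, d in domains.items() for p in check_domain(d, schemes)]
    return problems


if __name__ == "__main__":
    print(audit(DEVICE_CONFIG) or ["OK: scheme and domain are consistent with TAM settings"])
```

Run against the page's configuration the audit returns an empty list; change one key, one port, or delete one of the domain bindings and the corresponding guideline violation is reported by scheme or domain name, which is the check worth running on a device configuration before the TAM server is put in charge of its logins and command authorization.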
