H3C authentication server redundancy backup
As shown in the figure, client 1 and client 2 are the primary and secondary RADIUS servers respectively, providing authentication server redundancy. LSW1 is an H3C S3610 Layer 3 switch.
The S3610 switch configuration is as follows:
#
 version 5.20, Release 5309
#
 sysname H3C
#
 super password level 2 cipher 11X$V%+*7&'Q=^Q`MAF4<1!!    // configure the super password
 super password level 3 cipher 11X$V%+*7&'Q=^Q`MAF4<1!!
#
 domain default enable system
#
 telnet server enable    // enable the Telnet service
#
vlan 1
#
radius scheme bluefox.com    // create a RADIUS scheme named bluefox.com
 primary authentication 192.168.1.2    // primary and secondary RADIUS server addresses
 primary accounting 192.168.1.2
 secondary authentication 192.168.1.5
 secondary accounting 192.168.1.5
 key authentication bluefox    // RADIUS authentication shared key
 user-name-format without-domain    // the default is without-domain
 nas-ip 192.168.1.1
#
domain system
 authentication login radius-scheme bluefox.com local    // use the RADIUS scheme bluefox.com first, then fall back to local
 authorization login radius-scheme bluefox.com local
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
#
local-user bluefox
 password cipher 11X$V%+*7&'Q=^Q`MAF4<1!!
 service-type ssh telnet terminal
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.1.1 255.255.255.0
#
interface Ethernet1/0/1
 port link-mode bridge
#
user-interface aux 0
 authentication-mode password
 user privilege level 1
 set authentication password cipher 11X$V%+*7&'Q=^Q`MAF4<1!!
user-interface vty 0 4
 authentication-mode scheme    // AAA authentication mode; the alternative is password mode, which requires setting a password with set authentication password
 user privilege level 1    // set user privilege level 1

RADIUS authentication server configuration:
[Figure: RADIUS server configuration]
[Figure: RADIUS server key configuration]

Authentication process:
user → look up which group the user belongs to → determine the domain → apply the domain's requirements → local, none / RADIUS, HWTACACS

For example:
domain admin
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain system
 authentication login radius-scheme bluefox.com local    // authenticate against the RADIUS server first, then locally
 authorization login radius-scheme bluefox.com local

To find which group a user belongs to, use dis local-user (display local-user):
[H3C]display local-user
The contents of local user admin:
 State: Active
 ServiceType: None
 Access-limit: Disable
 Current AccessNum: 0
 User-group: admin
 Bind attributes:
 Authorization attributes:
The contents of local user bluefox:
 State: Active
 ServiceType: ssh/telnet/terminal
 Access-limit: Disable
 Current AccessNum: 0
 User-group: admin
 Bind attributes:
 Authorization attributes:
The contents of local user ddd:
 State: Active
 ServiceType: None
 Access-limit: Disable
 Current AccessNum: 0
 User-group: system
 Bind attributes:
 Authorization attributes:
Total 3 local user(s) matched.

To change a user's group:
[H3C]local-user admin
[H3C-luser-admin]group admin
This moves the admin user into the admin group (domain).
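The redundancy in the scheme above only works if both the secondary servers and the local fallback are actually present; a missing `secondary` line or a `login` method without `local` silently turns a RADIUS outage into a lockout. The following audit script is an added example written for this page, not H3C tooling or the author's code. Its parser (`parse_comware`) and check names (`audit`) are my own; the sample configuration is constructed from the S3610 configuration shown above with the cipher strings replaced by a placeholder, and a second, deliberately weakened variant is constructed to show what the checks report.

```python
"""Audit an H3C Comware 5 configuration for RADIUS redundancy and AAA fallback.

Added example for this page (not H3C tooling). The parser assumes the display
convention used in the configuration above: '#' separates blocks, view-entering
commands are unindented, and commands inside a view are indented one space.
SAMPLE_CONFIG is constructed from the page's S3610 config (ciphers replaced).
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
#
 sysname H3C
#
 telnet server enable
#
radius scheme bluefox.com
 primary authentication 192.168.1.2
 primary accounting 192.168.1.2
 secondary authentication 192.168.1.5
 secondary accounting 192.168.1.5
 key authentication bluefox
 user-name-format without-domain
 nas-ip 192.168.1.1
#
domain system
 authentication login radius-scheme bluefox.com local
 authorization login radius-scheme bluefox.com local
 state active
#
user-interface aux 0
 authentication-mode password
 set authentication password cipher <cipher-placeholder>
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 1
#
"""

# Constructed weaker variant: secondary servers removed, no local fallback for login.
WEAK_CONFIG = (
    SAMPLE_CONFIG
    .replace(" secondary authentication 192.168.1.5\n", "")
    .replace(" secondary accounting 192.168.1.5\n", "")
    .replace(" authentication login radius-scheme bluefox.com local\n",
             " authentication login radius-scheme bluefox.com\n")
)


def parse_comware(text):
    """Return (global_cmds, views); views maps each view header to its commands."""
    global_cmds, views, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.strip() == "#":          # block separator ends the current view
            current = None
        elif line.startswith(" "):       # indented: command inside the current view
            (views[current] if current else global_cmds).append(line.strip())
        else:                            # unindented: enters a new view
            current = line.strip()
            views.setdefault(current, [])
    return global_cmds, views


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, views = parse_comware(text)
    findings = []
    if "telnet server enable" in global_cmds:
        findings.append("global: telnet server enable (cleartext management protocol)")

    schemes = {h.split(" ", 2)[2]: c for h, c in views.items() if h.startswith("radius scheme ")}
    for name, cmds in schemes.items():
        servers = defaultdict(dict)      # role -> {service: address}
        for cmd in cmds:
            m = re.match(r"(primary|secondary) (authentication|accounting) (\S+)", cmd)
            if m:
                servers[m.group(1)][m.group(2)] = m.group(3)
        for svc in ("authentication", "accounting"):
            if svc not in servers["primary"]:
                findings.append(f"scheme {name}: no primary {svc} server")
            if svc not in servers["secondary"]:
                findings.append(f"scheme {name}: no secondary {svc} server (no redundancy)")
        if not any(cmd.startswith("key authentication ") for cmd in cmds):
            findings.append(f"scheme {name}: no authentication key configured")

    for header, cmds in views.items():
        if header.startswith("domain "):
            dname = header.split(" ", 1)[1]
            for svc in ("authentication", "authorization"):
                line = next((c for c in cmds if c.startswith(f"{svc} login ")), None)
                m = line and re.match(r"\S+ login radius-scheme (\S+)(.*)", line)
                if not m:
                    continue             # local-only or absent: nothing RADIUS-related to check
                if m.group(1) not in schemes:
                    findings.append(f"domain {dname}: {svc} login references unknown scheme {m.group(1)}")
                if "local" not in m.group(2).split():
                    findings.append(f"domain {dname}: {svc} login has no local fallback "
                                    "(lockout if both RADIUS servers are unreachable)")
        elif header.startswith("user-interface vty") and "authentication-mode scheme" not in cmds:
            findings.append(f"{header}: authentication-mode is not scheme, so RADIUS is bypassed")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", SAMPLE_CONFIG), ("weakened config", WEAK_CONFIG)):
        print(f"== {label}:", *(audit(cfg) or ["no findings"]), sep="\n - ")
```

Running it reports only the Telnet finding for the page's configuration, while the weakened variant additionally reports the two missing secondary servers and the domain whose `authentication login` has no `local` fallback. Feeding it the output of `display current-configuration` from a real device works the same way as long as the indentation is preserved.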