本地AAA认证「建议收藏」

大家好，又见面了，我是你们的朋友全栈君。

1.1 问题

1. 如图配置IP地址，通过AAA对远程登录用户进行控制
2. 配置R1的AAA为本地认证和授权，通过域huawei来管理用户
3. 配置R3的AAA为本地认证和授权，通过域 HCIE 来管理用户
4. 配置R1/3端的用户/密码为 Huawei/hcia，用户权限为0

1.2 方案

使用eNSP搭建实验环境，如图-1所示。

图-1

1.3 步骤

实现此案例需要按照如下步骤进行。

1）配置IP地址，确保设备互通

    <Huawei>undo terminal monitor
    [Huawei]sysname R1     
    [R1]interface GigabitEthernet 0/0/0
    [R1-GigabitEthernet0/0/0]ip add 119.84.111.1 24
    [R1-GigabitEthernet0/0/0]quit
    <Huawei>undo terminal monitor
    [Huawei]sysname R3     
    [R3]interface GigabitEthernet 0/0/0
    [R3-GigabitEthernet0/0/0]ip add 119.84.111.3 24
    [R3-GigabitEthernet0/0/0]quit

2）在R1上配置 AAA 功能

    [R1]aaa
    [R1-aaa]authentication-scheme auth1              //配置认证机制
    [R1-aaa-authen-auth1]authentication-mode local  //通过本地密码数据库进行认证
    [R1-aaa-authen-auth1]quit
    [R1-aaa]authorization-scheme auth2              //配置授权机制
    [R1-aaa-author-auth2]authorization-mode local   //通过本地密码数据库进行认证
    [R1-aaa-author-auth2]quit
    [R1]telnet server enable  //开启Telnet 服务器功能
    [R1]aaa
    [R1-aaa]domain Huawei                             //配置管理域
    [R1-aaa-domain-huawei]authentication-scheme auth1 
    [R1-aaa-domain-huawei]authorization-scheme  auth2
    [R1-aaa-domain-huawei]quit
    [R1-aaa]local-user Huawei@huawei password cipher hcia  //创建用户名和密码
    [R1-aaa]local-user Huawei@huawei service-type telnet   //指定服务类型为telnet
    [R1-aaa]local-user Huawei@huawei privilege level 0     //分配用户级别为 0 
    [R1]user-interface vty 0 4
    [R1-ui-vty0-4]authentication-mode aaa   //指定VTY的认证方式为 AAA
    [R1-ui-vty0-4]quit

3）R3远程登录 R1

    <R3>telnet 119.84.111.1
      Press CTRL_] to quit telnet mode
      Trying 119.84.111.1 ...
      Connected to 119.84.111.1 ...
    Login authentication
    Username:Huawei@huawei
    Password:
    <R1>system-view
        ^
    Error: Unrecognized command found at '^' position.

4）在R3上配置 AAA 功能

    [R3]aaa
    [R3-aaa]authentication-scheme auth1              //配置认证机制
    [R3-aaa-authen-auth1]authentication-mode local  //通过本地密码数据库进行认证
    [R3-aaa-authen-auth1]quit
    [R3-aaa]authorization-scheme auth2              //配置授权机制
    [R3-aaa-author-auth2]authorization-mode local  //通过本地密码数据库进行认证
    [R3-aaa-author-auth2]quit
    [R3]telnet server enable  //开启Telnet 服务器功能
    [R3]aaa
    [R3-aaa]domain HCIE                             //配置管理域
    [R3-aaa-domain-HCIE]authentication-scheme auth1 
    [R3-aaa-domain-HCIE]authorization-scheme auth2
    [R3-aaa-domain-HCIE]quit
    [R3-aaa]local-user Huawei@huawei password cipher hcia  //创建用户名和密码
    [R3-aaa]local-user Huawei@huawei service-type telnet   //指定服务类型为telnet
    [R3-aaa]local-user Huawei@huawei privilege level 0     //分配用户级别为 0
    [R3]user-interface vty 0 4
    [R3-ui-vty0-4]authentication-mode aaa   //指定VTY的认证方式为 AAA

5）R1远程登录R3

    <R1>telnet 119.84.111.3
      Press CTRL_] to quit telnet mode
      Trying 119.84.111.1 ...
      Connected to 119.84.111.1 ...
    Login authentication
    Username:Huawei@HCIE
    Password:
    <R3>system-view
        ^
    Error: Unrecognized command found at '^' position.