Reference: authentication against an ACS server on Windows

Router configuration:

Topology diagram: [screenshot]

telnet:

[Router]display version             
Copyright Notice:                   
All rights reserved (Aug 15 2006).                   
Without the owner's prior written consent, no decompiling                   
or reverse-engineering shall be allowed.                   
Huawei Versatile Routing Platform Software                         
VRP (R) software, Version 1.74 Release 0119P02                         
Copyright(c) 2004-2006 by Huawei Technologies Co., Ltd.                         
Quidway R2621 uptime is 0 day 0 hour 32 minutes 45 seconds                         
System returned to ROM by power-on.   
Quidway R2621 with 1 MPC 8240 Processor                 
Router serial number is 8040C5ED0A394C6C                 
32M     bytes SDRAM                 
8192K   bytes Flash Memory                 
0K      bytes NVRAM                 
Config Register points to FLASH
  Hardware Version is MTR 1.1                 
  CPLD Version is CPLD 3.0                 
  Bootrom Version is 7.08
  [AUX   ] AUX      Hardware Version is 1.0, Driver Version is 1.0
  [LAN   ] 2FE      Hardware Version is 2.0, Driver Version is 2.0
  [WAN   ] SAB      Hardware Version is 1.0, Driver Version is 1.0
  [Slot 0] 16AS     Hardware Version is 2.1, Driver Version is 1.0

AAA is already enabled by default (aaa-enable is on).

[Router]aaa authentication-scheme ?
   login        Specify login authentication scheme list
    ppp          Specify PPP authentication scheme list

[Router]aaa authentication-scheme login ?
  default       Default scheme list name
  STRING<1-20>  Named scheme list name
[Router]aaa authentication-scheme login default ?
  local         Use local database
  none          Succeed without authentication
  radius        Use radius server
  template      Use hwtacacs server template
[Router]aaa authentication-scheme login default radius

[Router]radius server ?
  STRING<1-20>     Host name of the RADIUS server
  X.X.X.X          IP address of the RADIUS server
[Router]radius server 192.168.101.22
[Router]radius shared-key ?
  STRING<1-16>    Key used to authentication and encryption
[Router]radius shared-key 123456

[Router]int e1

[Router-Ethernet1]ip add 192.168.101.11 24

[Router-Ethernet1]ping 192.168.101.22
  PING 192.168.101.22: 56  data bytes, press CTRL_C to break
    Reply from 192.168.101.22: bytes=56 Sequence=0 ttl=64 time = 2 ms
    Reply from 192.168.101.22: bytes=56 Sequence=1 ttl=64 time = 1 ms
    Reply from 192.168.101.22: bytes=56 Sequence=2 ttl=64 time = 2 ms
    Reply from 192.168.101.22: bytes=56 Sequence=3 ttl=64 time = 1 ms
    Reply from 192.168.101.22: bytes=56 Sequence=4 ttl=64 time = 1 ms

Client test: [screenshots]

Problem:

[screenshot] The login failed because the client had not been added on the ACS server.

[screenshots]

After a successful login the user level is 0.

Switch to Chinese mode!

[Router]lang
  Current Language : ENGLISH
  Will you switch language mode ?(Y/N)y
  You have changed the language mode

[Router]?
    aaa                 指定 AAA(认证,授权和记费)配置
    aaa-enable          使能AAA(认证,授权和计费)
    access-server       指定接入服务器监听端口信息
    access-tty          指定接入客户端配置信息

Viewing some individual items: [screenshot]

Firewall configuration:

Topology diagram: [screenshot]

telnet: [screenshots]

Username:gjp@gjp2
Password:
<H3C>?
User view commands:
  boot           Upgrade bootrom
  cd             Change current directory
  clock          Specify the system clock
  copy           Copy from one file to another
  debugging      Enable system debugging functions

The level is 3, the administrator level (which shows that the H3C private attributes imported into ACS are being applied).

Display the current configuration over telnet:

[H3C]dis cu
#
sysname H3C
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
radius scheme gjp
server-type extended
primary authentication 192.168.101.22
key authentication 123456
user-name-format without-domain
#
domain gjp2
scheme radius-scheme gjp
access-limit enable 10
accounting optional
domain system
#
interface Aux0                           
async mode flow
#
interface Ethernet0/0
ip address 192.168.101.12 255.255.255.0
firewall zone local
set priority 100
#
firewall zone trust     (default)
add interface Ethernet0/0
set priority 85
#                                        
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
              
#
return
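The RADIUS exchange behind both logins on this page (the router login that lands at level 0 because no privilege attribute comes back, and the firewall login that lands at level 3 because ACS returns the H3C private attribute), as an added Python example; it is not code from the page, from H3C or from Cisco. The toy "server" models the ACS AAA-client table, so a request from a NAS address that was never added is silently dropped, which is the failure shown in the Problem section. The shared key 123456, the addresses and the gjp@gjp2 login are taken from the page; the vendor number 25506 and the Exec-Privilege attribute type 29 are assumptions taken from the public FreeRADIUS dictionary.h3c and should be checked against the dictionary actually imported into ACS.

```python
"""Toy RADIUS (RFC 2865) login exchange; constructed example, not device or ACS code."""
import hashlib, hmac, secrets, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_VSA = 1, 2, 4, 26
H3C_VENDOR_ID = 25506    # assumption: H3C enterprise number (FreeRADIUS dictionary.h3c)
H3C_EXEC_PRIVILEGE = 29  # assumption: H3C-Exec-Privilege VSA type (same dictionary)

def split_domain(login):
    """'gjp@gjp2' -> ('gjp', 'gjp2'); the domain picks the scheme on the device."""
    user, _, domain = login.partition("@")
    return user, (domain or None)

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; yields garbage bytes when the secret differs."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def pack_attrs(attrs):
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        t, ln = data[pos], data[pos + 1]
        if ln < 2:  # malformed length field: stop rather than loop forever
            break
        attrs[t] = data[pos + 2:pos + ln]
        pos += ln
    return attrs

def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_access_request(login, password, secret, ident, nas_ip, req_auth=None):
    """NAS side; the domain is stripped, as 'user-name-format without-domain' does."""
    req_auth = req_auth or secrets.token_bytes(16)
    attrs = pack_attrs([
        (ATTR_USER_NAME, split_domain(login)[0].encode()),
        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
        (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(packet, clients, users):
    """Toy ACS: clients = AAA-client table (NAS IP -> key); users = name -> (password, level|None)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    nas_ip = ".".join(str(b) for b in attrs.get(ATTR_NAS_IP, b""))
    if code != ACCESS_REQUEST or nas_ip not in clients:
        return None  # NAS not in the AAA-client table: request is silently dropped
    secret = clients[nas_ip]
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    reply, code = b"", ACCESS_REJECT
    if user in users and hmac.compare_digest(users[user][0].encode(), password):
        code, level = ACCESS_ACCEPT, users[user][1]
        if level is not None:  # the level is only returned if the VSA is set up on ACS
            vsa = struct.pack("!IBBI", H3C_VENDOR_ID, H3C_EXEC_PRIVILEGE, 6, level)
            reply = pack_attrs([(ATTR_VSA, vsa)])
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, reply, secret), reply)

def client_check_response(resp, req_auth, secret):
    """NAS side: verify the Response Authenticator, then read the level; None = not authentic."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    attrs = resp[20:length]
    expected = response_authenticator(code, ident, req_auth, attrs, secret)
    if not hmac.compare_digest(resp[4:20], expected):
        return None
    if code != ACCESS_ACCEPT:
        return code, None
    level, vsa = 0, parse_attrs(attrs).get(ATTR_VSA)  # no VSA -> device default level 0
    if vsa and len(vsa) >= 10:
        vendor, vtype, _vlen, value = struct.unpack("!IBBI", vsa[:10])
        if vendor == H3C_VENDOR_ID and vtype == H3C_EXEC_PRIVILEGE:
            level = value
    return code, level
```

Two points worth noticing when troubleshooting a setup like the one above: a NAS that is missing from the AAA-client table gets no reply at all (the device sees a timeout, not a reject), and a mismatched shared key shows up as the device discarding the reply because the Response Authenticator does not verify, again not as an explicit reject. The User-Password hiding is an MD5-based XOR stream keyed by the shared key, not modern encryption, so the RADIUS traffic between the devices and 192.168.101.22 belongs on a trusted management segment.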

SSH:

[H3C]rsa local-key-pair ?
  create   Create new local key pairs
  destroy  Destroy the local key pairs

[H3C]rsa local-key-pair create
The key name will be: H3C_Host
% RSA keys defined for F4_Host already exist.
Confirm to replace them? [Y/N]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 1024]:
Generating keys...
........................................................................................++++++
...............................................++++++
............................++++++++
...++++++++
.................
[H3C]user-interface vty 0 4
[H3C-ui-vty0-4]protocol inbound ?
  all     All protocol
  ssh     SSH protocol
  telnet  Telnet protocol

[H3C-ui-vty0-4]protocol inbound all 
[H3C-ui-vty0-4]authentication-mode ?
  none      Login without checking
  password  Use terminal interface password
  scheme    Authentication use AAA authorization authentication table

[H3C-ui-vty0-4]authentication-mode scheme
[H3C-ui-vty0-4]quit

[H3C]ssh authentication-type default ?
  all                 All authentication
  password            Password authentication
  password-publickey  Password and Publickey authentication
  rsa                 RSA authentication

[H3C]ssh authentication-type default all

[H3C]radius scheme gjp                 
[H3C-radius-gjp]server-type ?       
  extended  Server based on RADIUS extensions
  standard  Server based on RFC protocol(s)

SSH logins work as well, only with lower privileges! (Provided that the server type is set to standard.)

[screenshots]

Select group 1: [screenshot]

(Configure it here, and make sure the change is submitted.)