用户permissiondenied
permissiondenied 时间:2021-03-17 阅读:()
H3CS7500ERBAC典型配置举例Copyright2015杭州华三通信技术有限公司版权所有,保留一切权利.
非经本公司书面许可,任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部,并不得以任何形式传播.
本文档中的信息可能变动,恕不另行通知.
i目录1简介·······························································································································12配置前提·························································································································13配置用户具有特定特性中读写类型命令的执行权限举例····························································13.
1组网需求······················································································································13.
2配置思路······················································································································13.
3使用版本······················································································································23.
4配置注意事项················································································································23.
5配置步骤······················································································································23.
6验证配置······················································································································33.
7配置文件······················································································································53.
8Telnet用户的RADIUS用户角色授权计费配置举例·······························································53.
9组网需求······················································································································53.
10配置思路····················································································································63.
11使用版本····················································································································63.
12配置注意事项··············································································································63.
13配置步骤····················································································································73.
13.
1设备配置···········································································································73.
13.
2RADIUS服务器配置····························································································83.
14验证配置··················································································································103.
15配置文件··················································································································124配置用户在某些VPN中具有特定特性的执行权限举例····························································134.
1组网需求····················································································································134.
2配置思路····················································································································134.
3使用版本····················································································································134.
4配置注意事项··············································································································134.
5配置步骤····················································································································144.
5.
1设备配置···········································································································144.
5.
2RADIUS服务器配置····························································································154.
6验证配置····················································································································174.
7配置文件····················································································································185创建新用户角色并授权更改用户权限举例············································································195.
1组网需求····················································································································195.
2配置思路····················································································································20ii5.
3使用版本····················································································································205.
4配置注意事项··············································································································205.
5配置步骤····················································································································205.
6验证配置····················································································································235.
6.
1配置更改用户权限前的验证···················································································235.
6.
2配置更改用户权限后的验证···················································································245.
7配置文件····················································································································256配置用户具有切换用户角色权限举例··················································································266.
1组网需求····················································································································266.
2配置思路····················································································································276.
3使用版本····················································································································276.
4配置注意事项··············································································································276.
5配置步骤····················································································································276.
6验证配置····················································································································296.
7配置文件····················································································································327配置具有流量控制的执行权限举例·····················································································337.
1组网需求····················································································································337.
2配置思路····················································································································337.
3使用版本····················································································································347.
4配置注意事项··············································································································347.
5配置步骤····················································································································347.
5.
1设备配置···········································································································347.
5.
2RADIUS服务器配置····························································································367.
6验证配置····················································································································387.
7配置文件····················································································································418相关资料·······················································································································4211简介本文介绍了如何通过RBAC(RoleBasedAccessControl,基于角色的访问控制)来对登录用户的权限进行控制的典型配置举例.
2配置前提本文档不严格与具体软、硬件版本对应,如果使用过程中与产品实际情况有差异,请参考相关产品手册,或以设备实际情况为准.
本文档中的配置均是在实验室环境下进行的配置和验证,配置前设备的所有参数均采用出厂时的缺省配置.
如果您已经对设备进行了配置,为了保证配置效果,请确认现有配置和以下举例中的配置不冲突.
本文档假设您已了解RBAC的特性.
3配置用户具有特定特性中读写类型命令的执行权限举例3.
1组网需求如图1所示,为了加强用户登录的安全性,采用本地AAA认证对登录设备的Telnet用户进行认证.
具体需求如下:在本例中需要创建名称为bbb的ISP域,并要求Telnet用户通过ISP域bbb接入网络.
创建设备管理类本地用户telnetuser,并设置登录密码.
Telnet用户登录设备时,使用本地配置的用户名telnetuser@bbb以及密码进行认证.
Telnet用户telnetuser@bbb具有如下权限:允许执行特性ospf相关的所有读写类型命令.
允许执行特性filesystem相关的所有读写类型命令.
图1特定特性中读写类型命令的执行权限配置组网图3.
2配置思路为了使Telnet用户能够具备以上权限,需要创建Telnet本地用户和用户角色role1,并对Telnet用户授予用户角色role1.
通过配置用户角色规则,限定Telnet用户可以执行特性特性ospf和filesystem相关的读写类型命令.
2为了确保Telnet用户仅使用授权的用户角色role1,需要删除用户具有的缺省用户角色.
3.
3使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
3.
4配置注意事项一个ISP域被配置为缺省的ISP域后将不能够被删除,必须首先使用命令undodomaindefaultenable将其修改为非缺省ISP域,然后才可以被删除.
一个用户角色中允许创建多条规则,各规则以创建时指定的编号为唯一标识,被授权该角色的用户可以执行的命令为这些规则定义的可执行命令的并集.
若这些规则定义的权限内容有冲突,则规则编号大的有效.
例如,规则1允许执行命令A,规则2允许执行命令B,规则3禁止执行命令A,则最终规则2和规则3生效,即禁止执行命令A,允许执行命令B.
3.
5配置步骤(1)创建VLAN2并将Switch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipadd192.
168.
1.
5024(3)配置Telnet用户登录设备的认证方式#开启设备的Telnet服务器功能.
[Sysname]telnetserverenable#在编号为0~63的VTY用户线下,配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty063[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit(4)配置ISP域bbb的AAA方法#创建ISP域bbb,为login用户配置的AAA方法为本地认证、本地授权.
[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginlocal[Sysname-isp-bbb]authorizationloginlocal[Sysname-isp-bbb]quit(5)配置设备管理类本地用户telnetuser的密码和服务类型.
#创建设备管理类本地用户telnetuser.
[Sysname]local-usertelnetuserclassmanage3#配置用户的密码是明文的aabbcc.
[Sysname-luser-manage-telnetuser]passwordsimpleaabbcc#指定用户的服务类型是Telnet.
[Sysname-luser-manage-telnetuser]service-typetelnet[Sysname-luser-manage-telnetuser]quit(6)创建用户角色role1,并配置用户角色规则#创建用户角色role1,进入用户角色视图.
[Sysname]rolenamerole1#配置用户角色规则1,允许用户执行特性ospf中所有写类型的命令.
[Sysname-role-role1]rule1permitreadwritefeatureospf#配置用户角色规则2,允许用户执行特性filesystem中所有读写类型的命令.
[Sysname-role-role1]rule2permitreadwritefeaturefilesystem[Sysname-role-role1]quit(7)为本地用户配置授权用户角色#进入设备管理类本地用户telnetuser视图.
[Sysname]local-usertelnetuserclassmanage#指定用户telnetuser的授权角色为role1.
[Sysname-luser-manage-telnetuser]authorization-attributeuser-rolerole1#为保证用户仅使用授权的用户角色role1,删除用户telnetuser具有的缺省用户角色network-operator.
[Sysname-luser-manage-telnetuser]undoauthorization-attributeuser-rolenetwork-operator[Sysname-luser-manage-telnetuser]quit3.
6验证配置(1)查看用户角色信息通过displayrole命令查看用户角色role1的信息.
#显示用户角色role1的信息.
displayrolenamerole1Role:role1Description:VLANpolicy:permit(default)Interfacepolicy:permit(default)VPNinstancepolicy:permit(default)RulePermTypeScopeEntity1permitRW-featureospf2permitRW-featurefilesystemR:ReadW:WriteX:Execute(2)用户登录设备4用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser@bbbPassword:(3)验证用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:可执行特性ospf中所有写类型的命令.
[Sysname]ospf1[Sysname-ospf-1]area0[Sysname-ospf-1-area-0.
0.
0.
0]network1.
1.
1.
10.
0.
0.
0可执行特性ospf相关的读类型命令.
[Sysname]displayospfOSPFProcess1withRouterID192.
168.
1.
50OSPFProtocolInformationRouterID:192.
168.
1.
50Routertype:Routetag:0Multi-VPN-InstanceisnotenabledExt-communitytype:DomainID0x5,RouteType0x306,RouterID0x107DomainID:0.
0.
0.
0OpaquecapableISPFisenabledSPF-schedule-interval:550200LSAgenerationinterval:550200LSAarrivalinterval:1000Transmitpacing:Interval:20Count:3DefaultASEparameters:Metric:1Tag:1Type:2Routepreference:10ASEroutepreference:150SPFcalculationcount:0RFC1583compatibleGracefulrestartinterval:120SNMPtrapratelimitinterval:10Count:7Areacount:0NSSAareacount:0ExChange/Loadingneighbors:05可执行特性filesystem相关的所有读写类型命令.
(以配置设备发送FTP报文的源IP地址为192.
168.
0.
60为例)[Sysname-a]ftpclientsourceip192.
168.
0.
60[Sysname-a]quit不能执行特性filesystem相关的执行类型命令.
(以进入FTP视图为例)ftpPermissiondenied.
通过显示信息可以确认配置生效.
3.
7配置文件#telnetserverenable#interfaceVlan-interface2ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#domainbbbauthenticationloginlocalauthorizationloginlocal#rolenamerole1rule1permitreadwritefeatureospfrule2permitreadwritefeaturefilesystem#local-usertelnetuserclassmanagepasswordhash$h$6$kZw1rKFsAY4lhgUz$+teVLy8gmKN4Mr00VWgXQTB8ai94gKHlrys5OkytGf4kT+nz5X1ZGASjc282CYAR6A1upH2jbmRoTcfDzZ9Gmw==service-typetelnetauthorization-attributeuser-rolerole13.
8Telnet用户的RADIUS用户角色授权计费配置举例3.
9组网需求如图2所示,Telnet用户主机与设备相连,设备与一台RADIUS服务器相连,需要实现RADIUS服务器对登录设备的Telnet用户进行认证、授权和计费,使得Telnet用户具有如下用户权限:允许用户执行ISP视图下的所有命令;允许用户执行ARP和RADIUS特性中读和写类型的命令;6允许用户执行创建VLAN以及进入VLAN视图后的相关命令,并只具有操作VLAN10~VLAN20的权限;允许用户执行进入接口视图以及接口视图下的相关命令,并具有操作接口Ten-GigabitEthernet1/0/1~Ten-GigabitEthernet1/0/3的权限.
图2Telnet用户RADIUS认证/授权/计费配置组网图3.
10配置思路为了使Telnet用户可以执行ARP和RADIUS特性的读写类型命令,可创建特性组feature-group1,配置包含ARP和RADIUS特性.
为了授权Telnet用户可以执行所要求权限的命令,需要配置对应的用户角色规则和资源控制策略.
为了使Telnet用户能够具备以上权限,需要在RADIUS服务器上对Telnet用户授权用户角色role1.
3.
11使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
3.
12配置注意事项一个ISP域被配置为缺省的ISP域后将不能够被删除,必须首先使用命令undodomaindefaultenable将其修改为非缺省ISP域,然后才可以被删除.
由于RADIUS服务器的授权信息是随认证应答报文发给RADIUS客户端的,所以必须保证认证和授权方法相同.
一个用户角色中允许创建多条规则,各规则以创建时指定的编号为唯一标识,被授权该角色的用户可以执行的命令为这些规则定义的可执行命令的并集.
若这些规则定义的权限内容有冲突,则规则编号大的有效.
例如,规则1允许执行命令A,规则2允许执行命令B,规则3禁止执行命令A,则最终规则2和规则3生效,即禁止执行命令A,允许执行命令B.
73.
13配置步骤3.
13.
1设备配置(1)创建VLAN2并将Switch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipadd192.
168.
1.
5024(3)创建VLAN3并将Switch连接RADIUSserver的端口划分到VLAN3中.
system-view[Sysname]vlan3[Sysname-vlan3]quit[Sysname]interfaceTen-GigabitEthernet1/0/23[Sysname-Ten-GigabitEthernet1/0/23]portaccessvlan3[Sysname-Ten-GigabitEthernet1/0/23]quit(4)创建VLAN接口3并配置IP地址.
[Sysname]interfaceVlan-interface3[Sysname-Vlan-interface3]ipadd10.
1.
1.
224(5)配置Telnet用户登录Switch的认证方式[Sysname]telnetserverenable#配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty063[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit(6)配置RADIUS方案和认证服务器#创建RADIUS方案rad.
[Sysname]radiusschemerad#配置主认证/授权服务器的IP地址为10.
1.
1.
1,主计费服务器的IP地址为10.
1.
1.
1.
[Sysname-radius-rad]primaryauthentication10.
1.
1.
1[Sysname-radius-rad]primaryaccounting10.
1.
1.
1#配置与认证/授权服务器、主计费服务器交互报文时的共享密钥为明文aabbcc.
[Sysname-radius-rad]keyauthenticationsimpleaabbcc[Sysname-radius-rad]keyaccountingsimpleaabbcc[Sysname-radius-rad]quit(7)配置ISP域bbb的AAA方法#创建ISP域bbb,为login用户配置的AAA认证方法为RADIUS认证、RADIUS授权、RADIUS计费.
8[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginradius-schemerad[Sysname-isp-bbb]authorizationloginradius-schemerad[Sysname-isp-bbb]accountingloginradius-schemerad[Sysname-isp-bbb]quit(8)配置特性组#创建特性组fgroup1.
[Sysname]rolefeature-groupnamefgroup1#配置特性组fgroup1中包含特性ARP和RADIUS.
[Sysname-featuregrp-fgroup1]featurearp[Sysname-featuregrp-fgroup1]featureradius[Sysname-featuregrp-fgroup1]quit(9)在设备上创建用户角色role1,并配置用户角色规则和资源控制策略#创建用户角色role1.
[Sysname]rolenamerole1#配置用户角色规则1,允许用户执行ISP视图下的所有命令.
[Sysname-role-role1]rule1permitcommandsystem-view;domain*#配置用户角色规则2,允许用户执行特性组fgroup1中所有特性的读和写类型的命令.
[Sysname-role-role1]rule2permitreadwritefeature-groupfgroup1#配置用户角色规则3,允许用户执行创建VLAN的命令.
[Sysname-role-role1]rule3permitcommandsystem-view;vlan*#配置用户角色规则4,允许用户执行进入接口视图以及接口视图下的相关命令.
[Sysname-role-role1]rule4permitcommandsystem-view;interface*#进入VLAN策略视图,允许用户具有操作VLAN10~VLAN20的权限.
[Sysname-role-role1]vlanpolicydeny[Sysname-role-role1-vlanpolicy]permitvlan10to20[Sysname-role-role1-vlanpolicy]quit#进入接口策略视图,允许用户具有操作接口Ten-GigabitEthernet1/0/1~Ten-GigabitEthernet1/0/3的权限.
[Sysname-role-role1]interfacepolicydeny[Sysname-role-role1-ifpolicy]permitinterfaceTen-GigabitEthernet1/0/1toTen-GigabitEthernet1/0/3[Sysname-role-role1-ifpolicy]quit[Sysname-role-role1]quit3.
13.
2RADIUS服务器配置下面以iMC为例(使用iMC版本为:iMCPLAT7.
0(E0202)、iMCUAM7.
0(E0202)),说明RADIUS服务器的基本配置.
9#增加接入设备.
登录进入iMC管理平台,选择"用户"页签,单击导航树中的[接入策略管理/接入设备管理/接入设备配置]菜单项,进入接入设备配置页面,在该页面中单击按钮,进入增加接入设备页面.
设置认证及计费的端口号分别为"1812"和"1813";设置与AC交互报文时使用的认证、计费共享密钥和确认共享密钥为"aabbcc";选择业务类型为"设备管理业务";选择接入设备类型为"H3C";选择或手工增加接入设备,添加IP地址为10.
1.
1.
2的接入设备;其它参数采用缺省值,并单击按钮完成操作.
图3增加接入设备#增加设备管理用户.
选择"用户"页签,单击导航树中的[接入用户管理/设备管理用户]菜单项,进入设备管理用户列表页面,在该页面中单击按钮,进入增加设备管理用户页面.
创建用户名,这里输入"telnetuser@bbb",并配置密码和确认密码;选择服务类型为"Telnet";添加用户角色名"role1";添加所管理设备的IP地址,IP地址范围为"10.
1.
1.
0~10.
1.
1.
10";单击按钮完成操作.
10图4增加设备管理用户3.
14验证配置(1)查看用户角色和特性组信息通过displayrole命令查看用户角色role1的信息.
#显示用户角色role1的信息.
displayrolenamerole1Role:role1Description:VLANpolicy:denyPermittedVLANs:10to20Interfacepolicy:denyPermittedinterfaces:Ten-GigabitEthernet1/0/1toTen-GigabitEthernet1/0/3VPNinstancepolicy:permit(default)11RulePermTypeScopeEntity1permitcommandsystem-view;domain*2permitRW-feature-groupfgroup13permitcommandsystem-view;vlan*4permitcommandsystem-view;interface*R:ReadW:WriteX:Execute(2)用户登录设备用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser@bbbPassword:(3)验证用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:可执行ISP视图下所有的命令.
system-view[Sysname]domainabc[Sysname-isp-abc]authenticationloginradius-schemeabc[Sysname-isp-abc]quit可执行RADIUS特性中读和写类型的命令.
(ARP特性同,此处不再举例)[Sysname]radiusschemerad[Sysname-radius-rad]primaryauthentication2.
2.
2.
2[Sysname-radius-rad]displayradiusschemerad可操作VLAN10~VLAN20.
(以创建VLAN10、VLAN30为例)[Sysname]vlan10[Sysname-vlan10]quit[Sysname]vlan30Permissiondenied.
可操作接口Ten-GigabitEthernet1/0/1~Ten-GigabitEthernet1/0/3.
[Sysname]interfaceTen-GigabitEthernet1/0/1[Sysname-Ten-GigabitEthernet1/0/1]speedauto[Sysname-Ten-GigabitEthernet1/0/1]quit不能操作其它接口.
(以进入Ten-GigabitEthernet1/0/6接口视图为例)[Sysname]interfaceTen-GigabitEthernet1/0/6Permissiondenied.
12通过显示信息可以确认配置生效.
3.
15配置文件#telnetserverenable#vlan2to3#interfaceVlan-interface2ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceVlan-interface3ipaddress10.
1.
1.
2255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/23portaccessvlan3#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#radiusschemeradprimaryauthentication10.
1.
1.
1primaryaccounting10.
1.
1.
1keyauthenticationcipher$c$3$JzDegvL0G5KZIcJhzscTHLA4WasBVh0UOw==keyaccountingcipher$c$3$CdejNYYxvjW0Y+Zydi4rZgBwjYb4h6LKmg==#domainbbbauthenticationloginradius-schemeradauthorizationloginradius-schemeradaccountingloginradius-schemerad#rolefeature-groupnamefgroup1featurearpfeatureradius#rolenamerole1rule1permitcommandsystem-view;domain*rule2permitreadwritefeature-groupfgroup1rule3permitcommandsystem-view;vlan*rule4permitcommandsystem-view;interface*vlanpolicydenypermitvlan10to20interfacepolicydeny13permitinterfaceTen-GigabitEthernet1/0/1toTen-GigabitEthernet1/0/3#4配置用户在某些VPN中具有特定特性的执行权限举例4.
1组网需求如图5所示,为了加强用户登录的安全性,采用RADIUS服务器对登录设备的Telnet用户进行认证、授权和计费,使得Telnet用户有如下权限:允许执行系统预定义特性组L3相关的所有命令.
允许执行所有以display开头的命令.
只允许对特定VPN实例vpn1、vpn2和vpn3进行操作.
图5某些VPN中具有特定特性的执行权限配置组网图4.
2配置思路为了授权Telnet用户可以执行所要求权限的命令,需要创建用户角色role1并配置对应的用户角色规则和资源控制策略.
为了使Telnet用户能够具备以上权限,需要在RADIUS服务器上配置Telnet用户授权用户角色role1.
4.
3使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
4.
4配置注意事项一个ISP域被配置为缺省的ISP域后将不能够被删除,必须首先使用命令undodomaindefaultenable将其修改为非缺省ISP域,然后才可以被删除.
由于RADIUS服务器的授权信息是随认证应答报文发给RADIUS客户端的,所以必须保证认证和授权方法相同.
14一个用户角色中允许创建多条规则,各规则以创建时指定的编号为唯一标识,被授权该角色的用户可以执行的命令为这些规则定义的可执行命令的并集.
若这些规则定义的权限内容有冲突,则规则编号大的有效.
例如,规则1允许执行命令A,规则2允许执行命令B,规则3禁止执行命令A,则最终规则2和规则3生效,即禁止执行命令A,允许执行命令B.
4.
5配置步骤4.
5.
1设备配置(1)创建VLAN2并将Switch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipadd192.
168.
1.
5024(3)创建VLAN3并将Switch连接RADIUSserver的端口划分到VLAN3中.
system-view[Sysname]vlan3[Sysname-vlan3]quit[Sysname]interfaceTen-GigabitEthernet1/0/23[Sysname-Ten-GigabitEthernet1/0/23]portaccessvlan3[Sysname-Ten-GigabitEthernet1/0/23]quit(4)创建VLAN接口3并配置IP地址.
[Sysname]interfaceVlan-interface3[Sysname-Vlan-interface2]ipadd10.
1.
1.
224(5)配置Telnet用户登录设备的认证方式#开启设备的Telnet服务器功能.
[Sysname]telnetserverenable#在编号为0~63的VTY用户线下,配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty063[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit(6)配置RADIUS方案和认证服务器#创建RADIUS方案rad.
[Sysname]radiusschemerad#配置主认证/授权服务器的IP地址为10.
1.
1.
1,主计费服务器的IP地址为10.
1.
1.
1.
[Sysname-radius-rad]primaryauthentication10.
1.
1.
1[Sysname-radius-rad]primaryaccounting10.
1.
1.
1#配置与认证/授权服务器、主计费服务器交互报文时的共享密钥为明文aabbcc.
15[Sysname-radius-rad]keyauthenticationsimpleaabbcc[Sysname-radius-rad]keyaccountingsimpleaabbcc[Sysname-radius-rad]quit(7)配置ISP域bbb的AAA方法#创建ISP域bbb,为login用户配置的AAA认证方法为RADIUS认证、RADIUS授权、RADIUS计费.
[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginradius-schemerad[Sysname-isp-bbb]authorizationloginradius-schemerad[Sysname-isp-bbb]accountingloginradius-schemerad[Sysname-isp-bbb]quit(8)在设备上创建用户角色role1,并配置用户角色规则和资源控制策略#创建用户角色role1,进入用户角色视图.
[Sysname]rolenamerole1#配置用户角色规则1,允许用户执行预定义特性组L3相关的所有命令.
[Sysname-role-role1]rule1permitexecutereadwritefeature-groupL3#配置用户角色规则2,允许用户执行所有以display开头的命令.
[Sysname-role-role1]rule2permitcommanddisplay*#进入用户角色VPN策略视图,配置允许用户具有操作VPN实例vpn1、vpn2和vpn3的权限.
[Sysname-role-role1]vpnpolicydeny[Sysname-role-role1-vpnpolicy]permitvpn-instancevpn1vpn2vpn3[Sysname-role-role1-vpnpolicy]quit[Sysname-role-role1]quit4.
5.
2RADIUS服务器配置下面以iMC为例(使用iMC版本为:iMCPLAT7.
0(E0202)、iMCUAM7.
0(E0202)),说明RADIUS服务器的基本配置.
#增加接入设备.
登录进入iMC管理平台,选择"用户"页签,单击导航树中的[接入策略管理>接入设备管理>接入设备配置]菜单项,进入接入设备配置页面,在该页面中单击按钮,进入增加接入设备页面.
设置认证及计费的端口号分别为"1812"和"1813";设置与AC交互报文时使用的认证、计费共享密钥和确认共享密钥为"aabbcc";选择业务类型为"设备管理业务";选择接入设备类型为"H3C";选择或手工增加接入设备,添加IP地址为10.
1.
1.
2的接入设备;其它参数采用缺省值,并单击按钮完成操作.
16图6增加接入设备#增加设备管理用户.
选择"用户"页签,单击导航树中的[接入用户管理/设备管理用户]菜单项,进入设备管理用户列表页面,在该页面中单击按钮,进入增加设备管理用户页面.
创建用户名,这里输入"telnetuser@bbb",并配置密码和确认密码;选择服务类型为"Telnet";添加用户角色名"role1";添加所管理设备的IP地址,IP地址范围为"10.
1.
1.
0~10.
1.
1.
10";单击按钮完成操作.
17图7增加设备管理用户4.
6验证配置(1)查看用户角色和特性组信息通过displayrole命令查看用户角色role1的信息.
#显示用户角色role1的信息.
displayrolenamerole1Role:role1Description:VLANpolicy:permit(default)Interfacepolicy:permit(default)VPNinstancepolicy:denyPermittedVPNinstances:vpn1,vpn2,vpn3RulePermTypeScopeEntity181permitRWXfeature-groupL32permitcommanddisplay*R:ReadW:WriteX:Execute通过displayrolefeature-group命令查看特性组L3中包括的特性信息,此处不详细介绍.
(2)用户登录设备用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser@bbbPassword:(3)验证用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:可执行系统预定义特性组L3中的所有命令.
(以创建VPN实例vpn1并配置其RD为22:1为例)system-view[Sysname]ipvpn-instancevpn1[Sysname-vpn-instance-vpn1]route-distinguisher22:1[Sysname-vpn-instance-vpn1]displaythis#ipvpn-instancevpn1route-distinguisher22:1#return[Sysname-vpn-instance-vpn1]quit不能操作其它VPN实例.
(以VPN实例vpn5为例)[Sysname]ipvpn-instancevpn5Permissiondenied.
通过显示信息可以确认配置生效.
4.
7配置文件#telnetserverenable#vlan2to3#interfaceVlan-interface219ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceVlan-interface3ipaddress10.
1.
1.
2255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/23portaccessvlan3#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#radiusschemeradprimaryauthentication10.
1.
1.
1primaryaccounting10.
1.
1.
1keyauthenticationcipher$c$3$JzDegvL0G5KZIcJhzscTHLA4WasBVh0UOw==keyaccountingcipher$c$3$CdejNYYxvjW0Y+Zydi4rZgBwjYb4h6LKmg==#domainbbbauthenticationloginradius-schemeradauthorizationloginradius-schemeradaccountingloginradius-schemerad#rolenamerole1rule1permitreadwriteexecutefeature-groupL3rule2permitcommanddisplay*vpn-instancepolicydenypermitvpn-instancevpn1permitvpn-instancevpn2permitvpn-instancevpn3#5创建新用户角色并授权更改用户权限举例5.
1组网需求如图8所示,为了加强用户登录的安全性,采用本地AAA认证对登录设备的Telnet用户进行认证.
Telnet用户telnetuser1和telnetuser2通过ISP域bbb接入网络,成功登录设备后,均被赋予用户角色role1,具有如下权限:允许执行所有以display开头的命令.
允许执行创建VLAN的命令.
只允许对VLAN10~VLAN15进行操作.
只允许对特定接口Ten-GigabitEthernet1/0/1进行操作.
20现要求为Telnet用户telnetuser1增加对设备的操作权限,具体需求如下:允许对VLAN16~VLAN20进行操作.
允许对特定接口Ten-GigabitEthernet1/0/2~Ten-GigabitEthernet1/0/3进行操作.
图8更改用户权限配置组网图5.
2配置思路为了使Telnet用户telnetuser1增加上述权限,并且不改变Telnet用户telnetuser2的权限,可以通过创建用户角色role2,并对Telnet用户telnetuser1授予用户角色role2.
为了增加Telnet用户telnetuser1可执行所要求权限的命令,需要配置用户角色规则和资源控制策略.
5.
3使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
5.
4配置注意事项一个用户角色中允许创建多条规则,各规则以创建时指定的编号为唯一标识,被授权该角色的用户可以执行的命令为这些规则定义的可执行命令的并集.
若这些规则定义的权限内容有冲突,则规则编号大的有效.
例如,规则1允许执行命令A,规则2允许执行命令B,规则3禁止执行命令A,则最终规则2和规则3生效,即禁止执行命令A,允许执行命令B.
用户可以同时被授权多个用户角色.
拥有多个用户角色的用户可获得这些角色中被允许执行的功能以及被允许操作的资源的集合.
对当前在线用户授权新的用户角色,待该用户重新上线后才能生效.
5.
5配置步骤(1)创建VLAN2并将Switch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit21[Sysname]interfaceTen-GigabitEthernet1/0/23[Sysname-Ten-GigabitEthernet1/0/23]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/23]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipaddress192.
168.
1.
5024(3)配置Telnet用户登录设备的认证方式#开启设备的Telnet服务器功能.
[Sysname]telnetserverenable#在编号为0~63的VTY用户线下,配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty063[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit(4)配置ISP域bbb的AAA方法#创建ISP域bbb,为login用户配置的AAA方法为本地认证、本地授权.
[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginlocal[Sysname-isp-bbb]authorizationloginlocal[Sysname-isp-bbb]quit(5)配置设备管理类本地用户telnetuser1和telnetuser2的密码和服务类型#创建设备管理类本地用户telnetuser1.
[Sysname]local-usertelnetuser1classmanage#配置用户的密码是明文的aabbcc.
[Sysname-luser-manage-telnetuser1]passwordsimpleaabbcc#指定用户的服务类型是Telnet.
[Sysname-luser-manage-telnetuser1]service-typetelnet[Sysname-luser-manage-telnetuser1]quit#创建设备管理类本地用户telnetuser2.
[Sysname]local-usertelnetuser2classmanage#配置用户的密码是明文的aabbcc.
[Sysname-luser-manage-telnetuser2]passwordsimpleaabbcc#指定用户的服务类型是Telnet.
[Sysname-luser-manage-telnetuser2]service-typetelnet[Sysname-luser-manage-telnetuser2]quit(6)创建用户角色role1,并配置用户角色规则#创建用户角色role1,进入用户角色视图.
[Sysname]rolenamerole1#配置用户角色规则1,允许用户执行所有以display开头的命令.
[Sysname-role-role1]rule1permitcommanddisplay*22#配置用户角色规则2,允许执行进入VLAN视图命令.
[Sysname-role-role1]rule2permitcommandsystem-view;vlan*#配置用户角色规则3,允许执行进入接口视图命令以及进入接口视图后的相关命令.
[Sysname-role-role1]rule3permitcommandsystem-view;interface*#进入用户角色VLAN策略视图,配置允许用户具有操作VLAN10~VLAN15的权限.
[Sysname-role-role1]vlanpolicydeny[Sysname-role-role1-vlanpolicy]permitvlan10to15[Sysname-role-role1-vlanpolicy]quit#进入用户角色接口策略视图,配置允许用户具有操作接口Ten-GigabitEthernet1/0/1的权限.
[Sysname-role-role1]interfacepolicydeny[Sysname-role-role1-ifpolicy]permitinterfaceTen-GigabitEthernet1/0/1[Sysname-role-role1-ifpolicy]quit[Sysname-role-role1]quit(7)为本地用户telnetuser1和telnetuser2配置授权用户角色#进入设备管理类本地用户telnetuser1视图.
[Sysname]local-usertelnetuser1classmanage#指定用户telnetuser1的授权角色role1.
[Sysname-luser-manage-telnetuser1]authorization-attributeuser-rolerole1#为保证用户仅使用授权的用户角色role1,删除用户telnetuser1具有的缺省用户角色network-operator.
[Sysname-luser-manage-telnetuser1]undoauthorization-attributeuser-rolenetwork-operator[Sysname-luser-manage-telnetuser1]quit#进入设备管理类本地用户telnetuser2视图.
[Sysname]local-usertelnetuser2classmanage#指定用户telnetuser2的授权角色role1.
[Sysname-luser-manage-telnetuser2]authorization-attributeuser-rolerole1#为保证用户仅使用授权的用户角色role1,删除用户telnetuser2具有的缺省用户角色network-operator.
[Sysname-luser-manage-telnetuser2]undoauthorization-attributeuser-rolenetwork-operator[Sysname-luser-manage-telnetuser2]quit(8)创建用户角色role2,并配置用户角色规则#创建用户角色role2,进入用户角色视图.
[Sysname]rolenamerole2#配置用户角色规则1,允许执行进入接口视图命令以及进入接口视图后的相关命令.
[Sysname-role-role2]rule1permitcommandsystem-view;interface*(9)为用户角色role2配置VLAN资源控制策略#进入用户角色VLAN策略视图,配置允许用户具有操作VLAN16~VLAN20的权限.
[Sysname-role-role2]vlanpolicydeny[Sysname-role-role2-vlanpolicy]permitvlan16to20[Sysname-role-role2-vlanpolicy]quit23#进入用户角色接口策略视图,配置允许用户具有操作接口Ten-GigabitEthernet1/0/2~Ten-GigabitEthernet1/0/3的权限.
[Sysname-role-role2]interfacepolicydeny[Sysname-role-role2-ifpolicy]permitinterfaceTen-GigabitEthernet1/0/2toTen-GigabitEthernet1/0/3[Sysname-role-role2-ifpolicy]quit[Sysname-role-role2]quit(10)为本地用户telnetuser1配置授权用户角色#进入设备管理类本地用户telnetuser1视图.
[Sysname]local-usertelnetuser1classmanage#指定用户telnetuser1的授权角色role2.
[Sysname-luser-manage-telnetuser1]authorization-attributeuser-rolerole2[Sysname-luser-manage-telnetuser1]quit5.
6验证配置5.
6.
1配置更改用户权限前的验证(1)查看用户角色和特性组信息通过displayrole命令查看用户角色role1的信息.
#显示用户角色role1的信息.
displayrolenamerole1Role:role1Description:VLANpolicy:denyPermittedVLANs:10to15Interfacepolicy:denyPermittedinterfaces:Ten-GigabitEthernet1/0/1VPNinstancepolicy:permit(default)RulePermTypeScopeEntity1permitcommanddisplay*2permitcommandsystem-view;vlan*3permitcommandsystem-view;interface*R:ReadW:WriteX:Execute(2)用户登录设备用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser1@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*24login:telnetuser1@bbbPassword:(3)验证用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:能够创建VLAN15.
[Sysname]vlan15[Sysname-vlan15]quit不能创建VLAN20.
[Sysname]vlan20Permissiondenied.
能够操作Ten-GigabitEthernet1/0/1接口.
[Sysname]interfaceTen-GigabitEthernet1/0/1[Sysname-Ten-GigabitEthernet1/0/1]speedauto[Sysname-Ten-GigabitEthernet1/0/1]quit通过显示信息可以确认配置生效.
5.
6.
2配置更改用户权限后的验证(1)查看用户角色和特性组信息通过displayrole命令查看用户角色role2的信息.
#显示用户角色role2的信息.
displayrolenamerole2Role:role2Description:VLANpolicy:denyPermittedVLANs:16to20Interfacepolicy:denyPermittedinterfaces:Ten-GigabitEthernet1/0/2~Ten-GigabitEthernet1/0/3VPNinstancepolicy:permit(default)RulePermTypeScopeEntity1permitcommandsystem-view;interface*R:ReadW:WriteX:Execute(2)用户登录设备用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser1@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
*25*Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser1@bbbPassword:(3)验证用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:可创建VLAN16.
[Sysname]vlan16[Sysname-vlan16]quit能够操作Ten-GigabitEthernet1/0/1~Ten-GigabitEthernet1/0/3接口.
(以配置Ten-GigabitEthernet1/0/2接口速率为例).
[Sysname]interfaceTen-GigabitEthernet1/0/2[Sysname-Ten-GigabitEthernet1/0/2]speedauto[Sysname-Ten-GigabitEthernet1/0/2]quit不能操作其它接口.
(以进入Ten-GigabitEthernet1/0/5接口视图为例)[Sysname]interfaceTen-GigabitEthernet1/0/5Permissiondenied.
通过显示信息可以确认配置生效.
5.
7配置文件#telnetserverenable#vlan2#interfaceVlan-interface2ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/23portaccessvlan2#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#domainbbbauthenticationloginlocalauthorizationloginlocal#26rolenamerole1rule1permitcommanddisplay*rule2permitcommandsystem-view;vlan*rule3permitcommandsystem-view;interface*vlanpolicydenypermitvlan10to15interfacepolicydenypermitinterfaceTen-GigabitEthernet1/0/1#rolenamerole2rule1permitcommandsystem-view;interface*vlanpolicydenypermitvlan16to20interfacepolicydenypermitinterfaceTen-GigabitEthernet1/0/2toTen-GigabitEthernet1/0/3#local-usertelnetuser1classmanagepasswordhash$h$6$kZw1rKFsAY4lhgUz$+teVLy8gmKN4Mr00VWgXQTB8ai94gKHlrys5OkytGf4kT+nz5X1ZGASjc282CYAR6A1upH2jbmRoTcfDzZ9Gmw==service-typetelnetauthorization-attributeuser-rolerole1authorization-attributeuser-rolerole2#local-usertelnetuser2classmanagepasswordhashTPcgyTQJZShe$h$6$vaSj2xKc8yFiNdfQ$Jzb3PXo2lt4jkKSZqJUVhjP634Wol/Qx8TLU748IHoeui0w5n/XRzpNqbNnpxikym39gGJCwYw==service-typetelnetauthorization-attributeuser-rolerole1#6配置用户具有切换用户角色权限举例6.
1组网需求如图9所示,为了加强用户登录的安全性,采用本地AAA认证对登录设备的Telnet用户进行认证.
登录设备的Telnet用户能够进行用户角色的切换,即在不下线的情况下,临时改变自身对系统的操作权限.
当前Telnet用户被授权为用户角色role1,用户角色role1具有如下权限:允许执行系统预定义特性组L3相关的所有命令.
允许执行所有以display开头的命令.
允许执行所有以super开头的命令.
具有所有接口、VLAN和VPN实例资源的操作权限.
现要求,Telnet用户能够被切换到用户角色role2和network-operator,其中用户角色role2具有如下权限:允许执行系统预定义特性组L2相关的所有命令.
27具有所有接口、VLAN和VPN实例资源的操作权限.
图9切换用户角色权限配置组网图6.
2配置思路缺省情况下,用户角色切换的认证方式为local.
在本例中Telnet用户登录设备的认证方式为本地AAA认证,因此,配置用户角色切换时的认证方式为local.
为了使Telnet用户telnetuser能够进行切换用户角色,需要创建本地用户角色role1和role2,并配置相应的配置用户角色规则和资源控制策略.
为了保证操作的安全性,Telnet用户将用户角色切换到不同的用户角色时,需要配置相应切换密码.
6.
3使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
6.
4配置注意事项一个ISP域被配置为缺省的ISP域后将不能够被删除,必须首先使用命令undodomaindefaultenable将其修改为非缺省ISP域,然后才可以被删除.
一个用户角色中允许创建多条规则,各规则以创建时指定的编号为唯一标识,被授权该角色的用户可以执行的命令为这些规则定义的可执行命令的并集.
若这些规则定义的权限内容有冲突,则规则编号大的有效.
例如,规则1允许执行命令A,规则2允许执行命令B,规则3禁止执行命令A,则最终规则2和规则3生效,即禁止执行命令A,允许执行命令B.
切换后的用户角色只对当前登录生效,用户重新登录后,又会恢复到原有用户角色.
6.
5配置步骤(1)创建VLAN2并将Switch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipaddress192.
168.
1.
502428(3)配置Telnet用户登录设备的认证方式#开启设备的Telnet服务器功能.
[Sysname]telnetserverenable#在编号为0~63的VTY用户线下,配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty063[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit(4)配置ISP域bbb的AAA方法#创建ISP域bbb,为login用户配置的AAA方法为本地认证、本地授权.
[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginlocal[Sysname-isp-bbb]authorizationloginlocal[Sysname-isp-bbb]quit(5)配置设备管理类本地用户telnetuser的密码和服务类型#创建设备管理类本地用户telnetuser.
[Sysname]local-usertelnetuserclassmanage#配置用户的密码是明文的aabbcc.
[Sysname-luser-manage-telnetuser]passwordsimpleaabbcc#指定用户的服务类型是Telnet.
[Sysname-luser-manage-telnetuser]service-typetelnet[Sysname-luser-manage-telnetuser]quit(6)创建用户角色role1,并配置用户角色规则#创建用户角色role1,进入用户角色视图.
[Sysname]rolenamerole1#配置用户角色规则1,允许用户执行预定义特性组L3相关的所有命令.
[Sysname-role-role1]rule1permitexecutereadwritefeature-groupL3#配置用户角色规则2,允许用户执行所有以display开头的命令.
[Sysname-role-role1]rule2permitcommanddisplay*#配置用户角色规则3,允许用户执行所有以super开头的命令.
[Sysname-role-role1]rule3permitcommandsuper*[Sysname-role-role1]quit(7)创建用户角色role2,并配置用户角色规则#创建用户角色role2,进入用户角色视图.
[Sysname]rolenamerole2#配置用户角色规则1,允许用户执行预定义特性组L2相关的所有命令.
[Sysname-role-role2]rule1permitexecutereadwritefeature-groupL2[Sysname-role-role2]quit(8)为本地用户配置授权用户角色#进入设备管理类本地用户telnetuser视图.
[Sysname]local-usertelnetuserclassmanage29#指定用户telnetuser的授权角色为role1.
[Sysname-luser-manage-telnetuser]authorization-attributeuser-rolerole1#为保证用户仅使用授权的用户角色role1,删除用户telnetuser具有的缺省用户角色network-operator.
[Sysname-luser-manage-telnetuser]undoauthorization-attributeuser-rolenetwork-operator[Sysname-luser-manage-telnetuser]quit(9)配置用户角色切换的方式及切换密码#配置Telnet用户切换用户角色时采用local认证方式(系统缺省值为local).
[Sysname]superauthentication-modelocal#配置Telnet用户将用户角色切换到role2时使用的密码为明文密码123456TESTplat&!
.
[Sysname]superpasswordrolerole2simple123456TESTplat&!
#配置Telnet用户将用户角色切换到network-operator时使用的密码为明文密码987654TESTplat&!
.
[Sysname]superpasswordrolenetwork-operatorsimple987654TESTplat&!
6.
6验证配置(1)查看用户角色和特性组信息通过displayrole命令查看用户角色role1、role2和network-operator的信息.
#显示用户角色role1的信息.
displayrolenamerole1Role:role1Description:VLANpolicy:permit(default)Interfacepolicy:permit(default)VPNinstancepolicy:permit(default)RulePermTypeScopeEntity1permitRWXfeature-groupL32permitcommanddisplay*3permitcommandsuper*R:ReadW:WriteX:Execute#显示用户角色role2的信息.
displayrolenamerole2Role:role2Description:VLANpolicy:permit(default)Interfacepolicy:permit(default)VPNinstancepolicy:permit(default)RulePermTypeScopeEntity1permitRWXfeature-groupL2R:ReadW:WriteX:Execute30#显示用户角色network-operator的信息.
[Sysname]displayrolenamenetwork-operatorRole:network-operatorDescription:PredefinednetworkoperatorrolehasaccesstoallreadcommandsontheSysnameVLANpolicy:permit(default)Interfacepolicy:permit(default)VPNinstancepolicy:permit(default)RulePermTypeScopeEntitysys-1permitcommanddisplay*sys-2permitcommandxmlsys-3denycommanddisplayhistory-commandallsys-4denycommanddisplayexception*sys-5denycommanddisplaycpu-usageconfiguration*sys-6denycommanddisplaykernelexception*sys-7denycommanddisplaykerneldeadloop*sys-8denycommanddisplaykernelstarvation*sys-9denycommanddisplaykernelreboot*sys-10denycommanddisplaymemorytrace*sys-11denycommanddisplaykernelmemory*sys-12permitcommandsystem-view;local-user*sys-13permitcommandsystem-view;switchtomdc*sys-14permitR--xml-element-sys-15denycommanddisplaysecurity-logfilesummarysys-16denycommandsystem-view;info-centersecurity-logfiledirectory*sys-17denycommandsecurity-logfilesaveR:ReadW:WriteX:Execute通过displayrolefeature-group命令查看特性组L2和L3中包括的特性信息,此处不详细介绍.
(2)用户登录设备用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser@bbbPassword:31(3)验证切换用户角色前的用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:可执行特性组L3中特性相关的所有命令.
(以创建VPN实例vpn1为例)system-view[Sysname]ipvpn-instancevpn1可执行所有以display开头的命令.
(以显示系统当前日期和时间为例)displayclock09:31:56UTCWed01/01/2015(4)验证切换用户角色Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:a.
在用户视图下使用super开头的命令.
(以切换到用户角色role2并输入相应的切换密码为例)superrole2Password:Userprivilegeroleisrole2,andonlythosecommandsthatauthorizedtotherolecanbeused.
b.
切换到用户角色role2后,可执行特性组L2中特性相关的所有命令.
(以创建VLAN10为例)system-view[Sysname]vlan10[Sysname-vlan10]quit[Sysname]quitc.
切换到用户角色role2后,不能执行非特性组L2中特性相关的命令.
(以切换到用户角色network-operator为例)supernetwork-operatorPermissiondenied.
d.
切换到用户角色role2后,不能执行以display开头的命令.
(以显示系统当前日期和时间为例)displayclockPermissiondenied.
e.
Telnet用户重新登录设备后,才能执行所有以super开头的命令.
(以切换到用户角色network-operator并输入相应的切换密码为例)C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser@bbbPassword:32supernetwork-operatorPassword:Userprivilegeroleisnetwork-operator,andonlythosecommandsthatauthorizedtotherolecanbeused.
通过显示信息可以确认配置生效.
6.
7配置文件#telnetserverenable#vlan2#interfaceVlan-interface2ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#superpasswordrolerole2hash$h$6$D0kjHFktkktzgR5g$e673xFnIcKytCj6EDAw+pvwgh3/ung3WNWHnrUTnXT862B+s7PaLfKTdil8ef71RBOvuJvPAZHjiLjrMPyWHQw==superpasswordrolenetwork-operatorhash$h$6$3s5KMmscn9hJ6gPx$IcxbNjUc8u4yxwRm87b/Jki8BoPAxw/s5bEcPQjQj/cbbXwTVcnQGL91WOd7ssO2rX/wKzfyzAO5VhBTn9Q4zQ==#domainbbbauthenticationloginlocalauthorizationloginlocal#rolenamerole1rule1permitreadwriteexecutefeature-groupL3rule2permitcommanddisplay*rule3permitcommandsuper*#rolenamerole2rule1permitreadwriteexecutefeature-groupL2#local-usertelnetuserclassmanagepasswordhash$h$6$kZw1rKFsAY4lhgUz$+teVLy8gmKN4Mr00VWgXQTB8ai94gKHlrys5OkytGf4kT+nz5X1ZGASjc282CYAR6A1upH2jbmRoTcfDzZ9Gmw==service-typetelnetauthorization-attributeuser-rolerole1#337配置具有流量控制的执行权限举例7.
1组网需求如图10所示,某企业内部为隔离部门A和部门B之间流量,将不同VLAN划分给各部门使用.
为了加强各部门网络管理员登录的安全性,采用RADIUS服务器对登录设备的Telnet用户进行认证、授权和计费.
部门A和部门B的网络管理员通过Telnet登录设备时,分别使用RADIUS服务器上配置的用户名admin-departA和admin-departB以及对应的密码进行认证.
部门A网络管理员admin-departA有如下权限:具有流量控制策略相关功能的配置权限.
禁止操作所有的接口和VPN资源.
只允许操作VLAN100~VLAN199.
部门B网络管理员admin-departB有如下权限:具有流量控制策略相关功能的配置权限.
禁止操作所有的接口和VPN资源.
只允许操作VLAN200~VLAN299.
图10具有部署流量控制策略的执行权限配置组网图7.
2配置思路创建用户角色departA-resource,通过配置用户角色规则,使其具有QoS和ACL特性中所有命令的配置权限;通过配置资源控制策略,使其只具有VLAN100~VLAN199的操作权限,无法操作所有的接口和VPN资源.
34创建用户角色departB-resource,通过配置用户角色规则,使其具有QoS和ACL特性中所有命令的配置权限;通过配置资源控制策略,使其只具有VLAN200~VLAN299的操作权限,无法操作所有的接口和VPN资源.
在RADIUS服务器上配置对部门A网络管理员授权用户角色departA-resource;对部门B网络管理员授权用户角色departB-resouce.
7.
3使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
7.
4配置注意事项由于RADIUS服务器的授权信息是随认证应答报文发给RADIUS客户端的,所以必须保证认证和授权方法相同.
7.
5配置步骤7.
5.
1设备配置(1)创建VLAN2并将CoreSwitch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipaddress192.
168.
1.
5024(3)创建VLAN3并将CoreSwitch连接AAAserver的端口划分到VLAN3中.
system-view[Sysname]vlan3[Sysname-vlan3]quit[Sysname]interfaceTen-GigabitEthernet1/0/23[Sysname-Ten-GigabitEthernet1/0/23]portaccessvlan3[Sysname-Ten-GigabitEthernet1/0/23]quit(4)创建VLAN接口3并配置IP地址.
[Sysname]interfaceVlan-interface3[Sysname-Vlan-interface3]ipaddress20.
1.
1.
224(5)在设备上开启Telnet服务器功能,并配置RADIUS方案和ISP域#开启设备的Telnet服务器功能.
[Sysname]telnetserverenable#在编号为0~63的VTY用户线下,配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty06335[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit#创建RADIUS方案rad.
[Sysname]radiusschemerad#配置主认证/授权服务器的IP地址为10.
1.
1.
1,主计费服务器的IP地址为10.
1.
1.
1.
[Sysname-radius-rad]primaryauthentication10.
1.
1.
1[Sysname-radius-rad]primaryaccounting10.
1.
1.
1#配置与认证/授权服务器、主计费服务器交互报文时的共享密钥为明文aabbcc.
[Sysname-radius-rad]keyauthenticationsimpleaabbcc[Sysname-radius-rad]keyaccountingsimpleaabbcc[Sysname-radius-rad]quit#创建ISP域bbb,为login用户配置的AAA认证方法为RADIUS认证、RADIUS授权、RADIUS计费.
[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginradius-schemerad[Sysname-isp-bbb]authorizationloginradius-schemerad[Sysname-isp-bbb]accountingloginradius-schemerad[Sysname-isp-bbb]quit(6)在设备上配置用户角色departA-resource#创建用户角色departA-resource,配置用户角色规则,允许用户执行特性QoS和ACL中的所有命令.
[Sysname]rolenamedepartA-resource[Sysname-role-departA-resource]rule1permitreadwriteexecutefeatureqos[Sysname-role-departA-resource]rule2permitreadwriteexecutefeatureacl#配置VLAN资源控制策略,只具有VLAN100~VLAN199的操作权限.
[Sysname-role-departA-resource]vlanpolicydeny[Sysname-role-departA-resource-vlanpolicy]permitvlan100to199[Sysname-role-departA-resource-vlanpolicy]quit#配置接口和VPN资源访问策略,禁止访问所有接口和VPN资源.
[Sysname-role-departA-resource]interfacepolicydeny[Sysname-role-departA-resource-ifpolicy]quit[Sysname-role-departA-resource]vpnpolicydeny[Sysname-role-departA-resource-vpnpolicy]quit[Sysname-role-departA-resource]quit(7)在设备上配置用户角色departB-resource#创建用户角色departB-resource,配置用户角色规则,允许用户执行特性QoS和ACL中的所有命令.
[Sysname]rolenamedepartB-resource[Sysname-role-departB-resource]rule1permitreadwriteexecutefeatureqos[Sysname-role-departB-resource]rule2permitreadwriteexecutefeatureacl#配置VLAN资源控制策略,只具有VLAN200~VLAN299的操作权限.
[Sysname-role-departB-resource]vlanpolicydeny[Sysname-role-departB-resource-vlanpolicy]permitvlan200to29936[Sysname-role-departB-resource-vlanpolicy]quit#配置接口和VPN资源访问策略,禁止访问所有接口和VPN资源.
[Sysname-role-departB-resource]interfacepolicydeny[Sysname-role-departB-resource-ifpolicy]quit[Sysname-role-departB-resource]vpnpolicydeny[Sysname-role-departB-resource-vpnpolicy]quit[Sysname-role-departB-resource]quit7.
5.
2RADIUS服务器配置下面以iMC为例(使用iMC版本为:iMCPLAT7.
0(E0202)、iMCUAM7.
0(E0202)),说明RADIUS服务器的基本配置.
#增加接入设备.
登录进入iMC管理平台,选择"用户"页签,单击导航树中的[接入策略管理/接入设备管理/接入设备配置]菜单项,进入接入设备配置页面,在该页面中单击按钮,进入增加接入设备页面.
设置认证及计费的端口号分别为"1812"和"1813";设置与AC交互报文时使用的认证、计费共享密钥和确认共享密钥为"aabbcc";选择业务类型为"设备管理业务";选择接入设备类型为"H3C";选择或手工增加接入设备,添加IP地址为20.
1.
1.
2的接入设备;其它参数采用缺省值,并单击按钮完成操作.
图11增加接入设备37#增加设备管理用户.
选择"用户"页签,单击导航树中的[接入用户管理/设备管理用户]菜单项,进入设备管理用户列表页面,在该页面中单击按钮,进入增加设备管理用户页面.
创建用户名,这里输入"admin-departA@bbb",并配置密码和确认密码;选择服务类型为"Telnet";添加用户角色名"departA-resource";添加所管理设备的IP地址,IP地址范围为"20.
1.
1.
0~20.
1.
1.
10";单击按钮完成操作.
图12增加设备管理用户#继续在该页面中单击按钮,进入增加设备管理用户页面.
创建用户名,这里输入"admin-departB@bbb",并配置密码和确认密码;选择服务类型为"Telnet";添加用户角色名"departB-resource";38添加所管理设备的IP地址,IP地址范围为"20.
1.
1.
0~20.
1.
1.
10";单击按钮完成操作.
图13增加设备管理用户7.
6验证配置(1)查看用户角色信息通过displayrole命令查看用户角色departA-resource和departB-resource的信息.
#显示用户角色departA-resource的信息.
displayrolenamedepartA-resourceRole:departA-resourceDescription:VLANpolicy:denyPermittedVLANs:100to199Interfacepolicy:denyVPNinstancepolicy:deny39RulePermTypeScopeEntity1permitRWXfeatureqos2permitRWXfeatureaclR:ReadW:WriteX:Execute#显示用户角色departB-resource的信息.
displayrolenamedepartB-resourceRole:departB-resourceDescription:VLANpolicy:denyPermittedVLANs:200to299Interfacepolicy:denyVPNinstancepolicy:denyRulePermTypeScopeEntity1permitRWXfeatureqos2permitRWXfeatureaclR:ReadW:WriteX:Execute(2)用户登录设备以部门A网络管理员登录设备为例进行验证.
#部门A网络管理员向设备发起Telnet连接,在Telnet客户端按照提示输入用户名admin-departA@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:admin-departA@bbbPassword:(3)验证用户权限部门A网络管理员admin-departA@bbb成功登录设备后,可通过如下步骤验证用户的权限:可执行特性QoS和ACL中所有的命令.
(以创建高级ACL、流分类、流行为和QoS策略,并关联流分类和流行为为例)#创建高级ACL,编号为3000.
system-view[Sysname]aclnumber3000#配置ACL的匹配规则为匹配所有FTP数据流量.
[Sysname-acl-adv-3000]rulepermittcpdestination-porteqftp-data[Sysname-acl-adv-3000]quit40#创建流分类1,匹配规则为匹配ACL3000.
[Sysname]trafficclassifier1[Sysname-classifier-1]if-matchacl3000[Sysname-classifier-1]quit#创建流分类1,流行为为流量监管,限速值为2000kbps.
[Sysname]trafficbehavior1[Sysname-behavior-1]carcir2000[Sysname-behavior-1]quit#创建QoS策略1,将流分类1和流行为1进行关联.
[Sysname]qospolicy1[Sysname-qospolicy-1]classifier1behavior1[Sysname-qospolicy-1]quit可操作VLAN100~VLAN199.
(以将QoS策略1应用到VLAN100~VLAN107的入方向为例)#将QoS策略1应用到VLAN100~VLAN107的入方向,即对所有主机的上行流量进行限速.
[Sysname]qosvlan-policy1vlan100to107inbound不能操作其它VLAN.
(以将QoS策略1应用到VLAN200~VLAN207的入方向为例)#将QoS策略1应用到VLAN200~VLAN207的入方向,即对所有主机的上行流量进行限速.
[Sysname]qosvlan-policy1vlan200to207inboundPermissiondenied.
通过显示信息可以确认配置生效.
部门B网络管理员admin-departB@bbb成功登录设备后,可通过如下步骤验证用户的权限:可执行特性QoS和ACL中所有的命令.
(以创建高级ACL、流分类、流行为和QoS策略,并关联流分类和流行为为例)#创建高级ACL,编号为3001.
[Sysname]aclnumber3001#配置ACL的匹配规则为匹配所有FTP数据流量.
[Sysname-acl-adv-3001]rulepermittcpdestination-porteqftp-data[Sysname-acl-adv-3001]quit#创建流分类2,匹配规则为匹配ACL3001.
[Sysname]trafficclassifier2[Sysname-classifier-2]if-matchacl3001[Sysname-classifier-2]quit#创建流分类2,流行为为流量监管,限速值为2000kbps.
[Sysname]trafficbehavior2[Sysname-behavior-2]carcir2000[Sysname-behavior-2]quit#创建QoS策略2,将流分类2和流行为2进行关联.
[Sysname]qospolicy2[Sysname-qospolicy-2]classifier1behavior2[Sysname-qospolicy-2]quit41可操作VLAN200~VLAN299.
(以将QoS策略2应用到VLAN200~VLAN207的入方向为例)[Sysname]qosvlan-policy2vlan200to207inbound不能操作其它VLAN.
(以将QoS策略2应用到VLAN100~VLAN107的入方向为例)[Sysname]qosvlan-policy2vlan100to107inboundPermissiondenied.
通过显示信息可以确认配置生效.
7.
7配置文件#telnetserverenable#vlan2to3#interfaceVlan-interface2ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceVlan-interface3ipaddress20.
1.
1.
2255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/23portaccessvlan3#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#radiusschemeradprimaryauthentication10.
1.
1.
1primaryaccounting10.
1.
1.
1keyauthenticationcipher$c$3$JzDegvL0G5KZIcJhzscTHLA4WasBVh0UOw==keyaccountingcipher$c$3$CdejNYYxvjW0Y+Zydi4rZgBwjYb4h6LKmg==#domainbbbauthenticationloginradius-schemeradauthorizationloginradius-schemeradaccountingloginradius-schemerad#rolenamedepartA-resourcerule1permitreadwriteexecutefeatureqosrule2permitreadwriteexecutefeatureaclvlanpolicydenypermitvlan100to19942interfacepolicydenyvpn-instancepolicydeny#rolenamedepartB-resourcerule1permitreadwriteexecutefeatureqosrule2permitreadwriteexecutefeatureaclvlanpolicydenypermitvlan200to299interfacepolicydenyvpn-instancepolicydeny#8相关资料H3CS7500E系列交换机基础配置指导-ReleaseR7150H3CS7500E系列交换机基础配置命令参考-ReleaseR7150
非经本公司书面许可,任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部,并不得以任何形式传播.
本文档中的信息可能变动,恕不另行通知.
i目录1简介·······························································································································12配置前提·························································································································13配置用户具有特定特性中读写类型命令的执行权限举例····························································13.
1组网需求······················································································································13.
2配置思路······················································································································13.
3使用版本······················································································································23.
4配置注意事项················································································································23.
5配置步骤······················································································································23.
6验证配置······················································································································33.
7配置文件······················································································································53.
8Telnet用户的RADIUS用户角色授权计费配置举例·······························································53.
9组网需求······················································································································53.
10配置思路····················································································································63.
11使用版本····················································································································63.
12配置注意事项··············································································································63.
13配置步骤····················································································································73.
13.
1设备配置···········································································································73.
13.
2RADIUS服务器配置····························································································83.
14验证配置··················································································································103.
15配置文件··················································································································124配置用户在某些VPN中具有特定特性的执行权限举例····························································134.
1组网需求····················································································································134.
2配置思路····················································································································134.
3使用版本····················································································································134.
4配置注意事项··············································································································134.
5配置步骤····················································································································144.
5.
1设备配置···········································································································144.
5.
2RADIUS服务器配置····························································································154.
6验证配置····················································································································174.
7配置文件····················································································································185创建新用户角色并授权更改用户权限举例············································································195.
1组网需求····················································································································195.
2配置思路····················································································································20ii5.
3使用版本····················································································································205.
4配置注意事项··············································································································205.
5配置步骤····················································································································205.
6验证配置····················································································································235.
6.
1配置更改用户权限前的验证···················································································235.
6.
2配置更改用户权限后的验证···················································································245.
7配置文件····················································································································256配置用户具有切换用户角色权限举例··················································································266.
1组网需求····················································································································266.
2配置思路····················································································································276.
3使用版本····················································································································276.
4配置注意事项··············································································································276.
5配置步骤····················································································································276.
6验证配置····················································································································296.
7配置文件····················································································································327配置具有流量控制的执行权限举例·····················································································337.
1组网需求····················································································································337.
2配置思路····················································································································337.
3使用版本····················································································································347.
4配置注意事项··············································································································347.
5配置步骤····················································································································347.
5.
1设备配置···········································································································347.
5.
2RADIUS服务器配置····························································································367.
6验证配置····················································································································387.
7配置文件····················································································································418相关资料·······················································································································4211简介本文介绍了如何通过RBAC(RoleBasedAccessControl,基于角色的访问控制)来对登录用户的权限进行控制的典型配置举例.
2配置前提本文档不严格与具体软、硬件版本对应,如果使用过程中与产品实际情况有差异,请参考相关产品手册,或以设备实际情况为准.
本文档中的配置均是在实验室环境下进行的配置和验证,配置前设备的所有参数均采用出厂时的缺省配置.
如果您已经对设备进行了配置,为了保证配置效果,请确认现有配置和以下举例中的配置不冲突.
本文档假设您已了解RBAC的特性.
3配置用户具有特定特性中读写类型命令的执行权限举例3.
1组网需求如图1所示,为了加强用户登录的安全性,采用本地AAA认证对登录设备的Telnet用户进行认证.
具体需求如下:在本例中需要创建名称为bbb的ISP域,并要求Telnet用户通过ISP域bbb接入网络.
创建设备管理类本地用户telnetuser,并设置登录密码.
Telnet用户登录设备时,使用本地配置的用户名telnetuser@bbb以及密码进行认证.
Telnet用户telnetuser@bbb具有如下权限:允许执行特性ospf相关的所有读写类型命令.
允许执行特性filesystem相关的所有读写类型命令.
图1特定特性中读写类型命令的执行权限配置组网图3.
2配置思路为了使Telnet用户能够具备以上权限,需要创建Telnet本地用户和用户角色role1,并对Telnet用户授予用户角色role1.
通过配置用户角色规则,限定Telnet用户可以执行特性特性ospf和filesystem相关的读写类型命令.
2为了确保Telnet用户仅使用授权的用户角色role1,需要删除用户具有的缺省用户角色.
3.
3使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
3.
4配置注意事项一个ISP域被配置为缺省的ISP域后将不能够被删除,必须首先使用命令undodomaindefaultenable将其修改为非缺省ISP域,然后才可以被删除.
一个用户角色中允许创建多条规则,各规则以创建时指定的编号为唯一标识,被授权该角色的用户可以执行的命令为这些规则定义的可执行命令的并集.
若这些规则定义的权限内容有冲突,则规则编号大的有效.
例如,规则1允许执行命令A,规则2允许执行命令B,规则3禁止执行命令A,则最终规则2和规则3生效,即禁止执行命令A,允许执行命令B.
3.
5配置步骤(1)创建VLAN2并将Switch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipadd192.
168.
1.
5024(3)配置Telnet用户登录设备的认证方式#开启设备的Telnet服务器功能.
[Sysname]telnetserverenable#在编号为0~63的VTY用户线下,配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty063[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit(4)配置ISP域bbb的AAA方法#创建ISP域bbb,为login用户配置的AAA方法为本地认证、本地授权.
[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginlocal[Sysname-isp-bbb]authorizationloginlocal[Sysname-isp-bbb]quit(5)配置设备管理类本地用户telnetuser的密码和服务类型.
#创建设备管理类本地用户telnetuser.
[Sysname]local-usertelnetuserclassmanage3#配置用户的密码是明文的aabbcc.
[Sysname-luser-manage-telnetuser]passwordsimpleaabbcc#指定用户的服务类型是Telnet.
[Sysname-luser-manage-telnetuser]service-typetelnet[Sysname-luser-manage-telnetuser]quit(6)创建用户角色role1,并配置用户角色规则#创建用户角色role1,进入用户角色视图.
[Sysname]rolenamerole1#配置用户角色规则1,允许用户执行特性ospf中所有写类型的命令.
[Sysname-role-role1]rule1permitreadwritefeatureospf#配置用户角色规则2,允许用户执行特性filesystem中所有读写类型的命令.
[Sysname-role-role1]rule2permitreadwritefeaturefilesystem[Sysname-role-role1]quit(7)为本地用户配置授权用户角色#进入设备管理类本地用户telnetuser视图.
[Sysname]local-usertelnetuserclassmanage#指定用户telnetuser的授权角色为role1.
[Sysname-luser-manage-telnetuser]authorization-attributeuser-rolerole1#为保证用户仅使用授权的用户角色role1,删除用户telnetuser具有的缺省用户角色network-operator.
[Sysname-luser-manage-telnetuser]undoauthorization-attributeuser-rolenetwork-operator[Sysname-luser-manage-telnetuser]quit3.
6验证配置(1)查看用户角色信息通过displayrole命令查看用户角色role1的信息.
#显示用户角色role1的信息.
displayrolenamerole1Role:role1Description:VLANpolicy:permit(default)Interfacepolicy:permit(default)VPNinstancepolicy:permit(default)RulePermTypeScopeEntity1permitRW-featureospf2permitRW-featurefilesystemR:ReadW:WriteX:Execute(2)用户登录设备4用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser@bbbPassword:(3)验证用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:可执行特性ospf中所有写类型的命令.
[Sysname]ospf1[Sysname-ospf-1]area0[Sysname-ospf-1-area-0.
0.
0.
0]network1.
1.
1.
10.
0.
0.
0可执行特性ospf相关的读类型命令.
[Sysname]displayospfOSPFProcess1withRouterID192.
168.
1.
50OSPFProtocolInformationRouterID:192.
168.
1.
50Routertype:Routetag:0Multi-VPN-InstanceisnotenabledExt-communitytype:DomainID0x5,RouteType0x306,RouterID0x107DomainID:0.
0.
0.
0OpaquecapableISPFisenabledSPF-schedule-interval:550200LSAgenerationinterval:550200LSAarrivalinterval:1000Transmitpacing:Interval:20Count:3DefaultASEparameters:Metric:1Tag:1Type:2Routepreference:10ASEroutepreference:150SPFcalculationcount:0RFC1583compatibleGracefulrestartinterval:120SNMPtrapratelimitinterval:10Count:7Areacount:0NSSAareacount:0ExChange/Loadingneighbors:05可执行特性filesystem相关的所有读写类型命令.
(以配置设备发送FTP报文的源IP地址为192.
168.
0.
60为例)[Sysname-a]ftpclientsourceip192.
168.
0.
60[Sysname-a]quit不能执行特性filesystem相关的执行类型命令.
(以进入FTP视图为例)ftpPermissiondenied.
通过显示信息可以确认配置生效.
3.
7配置文件#telnetserverenable#interfaceVlan-interface2ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#domainbbbauthenticationloginlocalauthorizationloginlocal#rolenamerole1rule1permitreadwritefeatureospfrule2permitreadwritefeaturefilesystem#local-usertelnetuserclassmanagepasswordhash$h$6$kZw1rKFsAY4lhgUz$+teVLy8gmKN4Mr00VWgXQTB8ai94gKHlrys5OkytGf4kT+nz5X1ZGASjc282CYAR6A1upH2jbmRoTcfDzZ9Gmw==service-typetelnetauthorization-attributeuser-rolerole13.
8Telnet用户的RADIUS用户角色授权计费配置举例3.
9组网需求如图2所示,Telnet用户主机与设备相连,设备与一台RADIUS服务器相连,需要实现RADIUS服务器对登录设备的Telnet用户进行认证、授权和计费,使得Telnet用户具有如下用户权限:允许用户执行ISP视图下的所有命令;允许用户执行ARP和RADIUS特性中读和写类型的命令;6允许用户执行创建VLAN以及进入VLAN视图后的相关命令,并只具有操作VLAN10~VLAN20的权限;允许用户执行进入接口视图以及接口视图下的相关命令,并具有操作接口Ten-GigabitEthernet1/0/1~Ten-GigabitEthernet1/0/3的权限.
图2Telnet用户RADIUS认证/授权/计费配置组网图3.
10配置思路为了使Telnet用户可以执行ARP和RADIUS特性的读写类型命令,可创建特性组feature-group1,配置包含ARP和RADIUS特性.
为了授权Telnet用户可以执行所要求权限的命令,需要配置对应的用户角色规则和资源控制策略.
为了使Telnet用户能够具备以上权限,需要在RADIUS服务器上对Telnet用户授权用户角色role1.
3.
11使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
3.
12配置注意事项一个ISP域被配置为缺省的ISP域后将不能够被删除,必须首先使用命令undodomaindefaultenable将其修改为非缺省ISP域,然后才可以被删除.
由于RADIUS服务器的授权信息是随认证应答报文发给RADIUS客户端的,所以必须保证认证和授权方法相同.
一个用户角色中允许创建多条规则,各规则以创建时指定的编号为唯一标识,被授权该角色的用户可以执行的命令为这些规则定义的可执行命令的并集.
若这些规则定义的权限内容有冲突,则规则编号大的有效.
例如,规则1允许执行命令A,规则2允许执行命令B,规则3禁止执行命令A,则最终规则2和规则3生效,即禁止执行命令A,允许执行命令B.
73.
13配置步骤3.
13.
1设备配置(1)创建VLAN2并将Switch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipadd192.
168.
1.
5024(3)创建VLAN3并将Switch连接RADIUSserver的端口划分到VLAN3中.
system-view[Sysname]vlan3[Sysname-vlan3]quit[Sysname]interfaceTen-GigabitEthernet1/0/23[Sysname-Ten-GigabitEthernet1/0/23]portaccessvlan3[Sysname-Ten-GigabitEthernet1/0/23]quit(4)创建VLAN接口3并配置IP地址.
[Sysname]interfaceVlan-interface3[Sysname-Vlan-interface3]ipadd10.
1.
1.
224(5)配置Telnet用户登录Switch的认证方式[Sysname]telnetserverenable#配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty063[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit(6)配置RADIUS方案和认证服务器#创建RADIUS方案rad.
[Sysname]radiusschemerad#配置主认证/授权服务器的IP地址为10.
1.
1.
1,主计费服务器的IP地址为10.
1.
1.
1.
[Sysname-radius-rad]primaryauthentication10.
1.
1.
1[Sysname-radius-rad]primaryaccounting10.
1.
1.
1#配置与认证/授权服务器、主计费服务器交互报文时的共享密钥为明文aabbcc.
[Sysname-radius-rad]keyauthenticationsimpleaabbcc[Sysname-radius-rad]keyaccountingsimpleaabbcc[Sysname-radius-rad]quit(7)配置ISP域bbb的AAA方法#创建ISP域bbb,为login用户配置的AAA认证方法为RADIUS认证、RADIUS授权、RADIUS计费.
8[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginradius-schemerad[Sysname-isp-bbb]authorizationloginradius-schemerad[Sysname-isp-bbb]accountingloginradius-schemerad[Sysname-isp-bbb]quit(8)配置特性组#创建特性组fgroup1.
[Sysname]rolefeature-groupnamefgroup1#配置特性组fgroup1中包含特性ARP和RADIUS.
[Sysname-featuregrp-fgroup1]featurearp[Sysname-featuregrp-fgroup1]featureradius[Sysname-featuregrp-fgroup1]quit(9)在设备上创建用户角色role1,并配置用户角色规则和资源控制策略#创建用户角色role1.
[Sysname]rolenamerole1#配置用户角色规则1,允许用户执行ISP视图下的所有命令.
[Sysname-role-role1]rule1permitcommandsystem-view;domain*#配置用户角色规则2,允许用户执行特性组fgroup1中所有特性的读和写类型的命令.
[Sysname-role-role1]rule2permitreadwritefeature-groupfgroup1#配置用户角色规则3,允许用户执行创建VLAN的命令.
[Sysname-role-role1]rule3permitcommandsystem-view;vlan*#配置用户角色规则4,允许用户执行进入接口视图以及接口视图下的相关命令.
[Sysname-role-role1]rule4permitcommandsystem-view;interface*#进入VLAN策略视图,允许用户具有操作VLAN10~VLAN20的权限.
[Sysname-role-role1]vlanpolicydeny[Sysname-role-role1-vlanpolicy]permitvlan10to20[Sysname-role-role1-vlanpolicy]quit#进入接口策略视图,允许用户具有操作接口Ten-GigabitEthernet1/0/1~Ten-GigabitEthernet1/0/3的权限.
[Sysname-role-role1]interfacepolicydeny[Sysname-role-role1-ifpolicy]permitinterfaceTen-GigabitEthernet1/0/1toTen-GigabitEthernet1/0/3[Sysname-role-role1-ifpolicy]quit[Sysname-role-role1]quit3.
13.
2RADIUS服务器配置下面以iMC为例(使用iMC版本为:iMCPLAT7.
0(E0202)、iMCUAM7.
0(E0202)),说明RADIUS服务器的基本配置.
9#增加接入设备.
登录进入iMC管理平台,选择"用户"页签,单击导航树中的[接入策略管理/接入设备管理/接入设备配置]菜单项,进入接入设备配置页面,在该页面中单击按钮,进入增加接入设备页面.
设置认证及计费的端口号分别为"1812"和"1813";设置与AC交互报文时使用的认证、计费共享密钥和确认共享密钥为"aabbcc";选择业务类型为"设备管理业务";选择接入设备类型为"H3C";选择或手工增加接入设备,添加IP地址为10.
1.
1.
2的接入设备;其它参数采用缺省值,并单击按钮完成操作.
图3增加接入设备#增加设备管理用户.
选择"用户"页签,单击导航树中的[接入用户管理/设备管理用户]菜单项,进入设备管理用户列表页面,在该页面中单击按钮,进入增加设备管理用户页面.
创建用户名,这里输入"telnetuser@bbb",并配置密码和确认密码;选择服务类型为"Telnet";添加用户角色名"role1";添加所管理设备的IP地址,IP地址范围为"10.
1.
1.
0~10.
1.
1.
10";单击按钮完成操作.
10图4增加设备管理用户3.
14验证配置(1)查看用户角色和特性组信息通过displayrole命令查看用户角色role1的信息.
#显示用户角色role1的信息.
displayrolenamerole1Role:role1Description:VLANpolicy:denyPermittedVLANs:10to20Interfacepolicy:denyPermittedinterfaces:Ten-GigabitEthernet1/0/1toTen-GigabitEthernet1/0/3VPNinstancepolicy:permit(default)11RulePermTypeScopeEntity1permitcommandsystem-view;domain*2permitRW-feature-groupfgroup13permitcommandsystem-view;vlan*4permitcommandsystem-view;interface*R:ReadW:WriteX:Execute(2)用户登录设备用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser@bbbPassword:(3)验证用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:可执行ISP视图下所有的命令.
system-view[Sysname]domainabc[Sysname-isp-abc]authenticationloginradius-schemeabc[Sysname-isp-abc]quit可执行RADIUS特性中读和写类型的命令.
(ARP特性同,此处不再举例)[Sysname]radiusschemerad[Sysname-radius-rad]primaryauthentication2.
2.
2.
2[Sysname-radius-rad]displayradiusschemerad可操作VLAN10~VLAN20.
(以创建VLAN10、VLAN30为例)[Sysname]vlan10[Sysname-vlan10]quit[Sysname]vlan30Permissiondenied.
可操作接口Ten-GigabitEthernet1/0/1~Ten-GigabitEthernet1/0/3.
[Sysname]interfaceTen-GigabitEthernet1/0/1[Sysname-Ten-GigabitEthernet1/0/1]speedauto[Sysname-Ten-GigabitEthernet1/0/1]quit不能操作其它接口.
(以进入Ten-GigabitEthernet1/0/6接口视图为例)[Sysname]interfaceTen-GigabitEthernet1/0/6Permissiondenied.
12通过显示信息可以确认配置生效.
3.
15配置文件#telnetserverenable#vlan2to3#interfaceVlan-interface2ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceVlan-interface3ipaddress10.
1.
1.
2255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/23portaccessvlan3#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#radiusschemeradprimaryauthentication10.
1.
1.
1primaryaccounting10.
1.
1.
1keyauthenticationcipher$c$3$JzDegvL0G5KZIcJhzscTHLA4WasBVh0UOw==keyaccountingcipher$c$3$CdejNYYxvjW0Y+Zydi4rZgBwjYb4h6LKmg==#domainbbbauthenticationloginradius-schemeradauthorizationloginradius-schemeradaccountingloginradius-schemerad#rolefeature-groupnamefgroup1featurearpfeatureradius#rolenamerole1rule1permitcommandsystem-view;domain*rule2permitreadwritefeature-groupfgroup1rule3permitcommandsystem-view;vlan*rule4permitcommandsystem-view;interface*vlanpolicydenypermitvlan10to20interfacepolicydeny13permitinterfaceTen-GigabitEthernet1/0/1toTen-GigabitEthernet1/0/3#4配置用户在某些VPN中具有特定特性的执行权限举例4.
1组网需求如图5所示,为了加强用户登录的安全性,采用RADIUS服务器对登录设备的Telnet用户进行认证、授权和计费,使得Telnet用户有如下权限:允许执行系统预定义特性组L3相关的所有命令.
允许执行所有以display开头的命令.
只允许对特定VPN实例vpn1、vpn2和vpn3进行操作.
图5某些VPN中具有特定特性的执行权限配置组网图4.
2配置思路为了授权Telnet用户可以执行所要求权限的命令,需要创建用户角色role1并配置对应的用户角色规则和资源控制策略.
为了使Telnet用户能够具备以上权限,需要在RADIUS服务器上配置Telnet用户授权用户角色role1.
4.
3使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
4.
4配置注意事项一个ISP域被配置为缺省的ISP域后将不能够被删除,必须首先使用命令undodomaindefaultenable将其修改为非缺省ISP域,然后才可以被删除.
由于RADIUS服务器的授权信息是随认证应答报文发给RADIUS客户端的,所以必须保证认证和授权方法相同.
14一个用户角色中允许创建多条规则,各规则以创建时指定的编号为唯一标识,被授权该角色的用户可以执行的命令为这些规则定义的可执行命令的并集.
若这些规则定义的权限内容有冲突,则规则编号大的有效.
例如,规则1允许执行命令A,规则2允许执行命令B,规则3禁止执行命令A,则最终规则2和规则3生效,即禁止执行命令A,允许执行命令B.
4.
5配置步骤4.
5.
1设备配置(1)创建VLAN2并将Switch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipadd192.
168.
1.
5024(3)创建VLAN3并将Switch连接RADIUSserver的端口划分到VLAN3中.
system-view[Sysname]vlan3[Sysname-vlan3]quit[Sysname]interfaceTen-GigabitEthernet1/0/23[Sysname-Ten-GigabitEthernet1/0/23]portaccessvlan3[Sysname-Ten-GigabitEthernet1/0/23]quit(4)创建VLAN接口3并配置IP地址.
[Sysname]interfaceVlan-interface3[Sysname-Vlan-interface2]ipadd10.
1.
1.
224(5)配置Telnet用户登录设备的认证方式#开启设备的Telnet服务器功能.
[Sysname]telnetserverenable#在编号为0~63的VTY用户线下,配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty063[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit(6)配置RADIUS方案和认证服务器#创建RADIUS方案rad.
[Sysname]radiusschemerad#配置主认证/授权服务器的IP地址为10.
1.
1.
1,主计费服务器的IP地址为10.
1.
1.
1.
[Sysname-radius-rad]primaryauthentication10.
1.
1.
1[Sysname-radius-rad]primaryaccounting10.
1.
1.
1#配置与认证/授权服务器、主计费服务器交互报文时的共享密钥为明文aabbcc.
15[Sysname-radius-rad]keyauthenticationsimpleaabbcc[Sysname-radius-rad]keyaccountingsimpleaabbcc[Sysname-radius-rad]quit(7)配置ISP域bbb的AAA方法#创建ISP域bbb,为login用户配置的AAA认证方法为RADIUS认证、RADIUS授权、RADIUS计费.
[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginradius-schemerad[Sysname-isp-bbb]authorizationloginradius-schemerad[Sysname-isp-bbb]accountingloginradius-schemerad[Sysname-isp-bbb]quit(8)在设备上创建用户角色role1,并配置用户角色规则和资源控制策略#创建用户角色role1,进入用户角色视图.
[Sysname]rolenamerole1#配置用户角色规则1,允许用户执行预定义特性组L3相关的所有命令.
[Sysname-role-role1]rule1permitexecutereadwritefeature-groupL3#配置用户角色规则2,允许用户执行所有以display开头的命令.
[Sysname-role-role1]rule2permitcommanddisplay*#进入用户角色VPN策略视图,配置允许用户具有操作VPN实例vpn1、vpn2和vpn3的权限.
[Sysname-role-role1]vpnpolicydeny[Sysname-role-role1-vpnpolicy]permitvpn-instancevpn1vpn2vpn3[Sysname-role-role1-vpnpolicy]quit[Sysname-role-role1]quit4.
5.
2RADIUS服务器配置下面以iMC为例(使用iMC版本为:iMCPLAT7.
0(E0202)、iMCUAM7.
0(E0202)),说明RADIUS服务器的基本配置.
#增加接入设备.
登录进入iMC管理平台,选择"用户"页签,单击导航树中的[接入策略管理>接入设备管理>接入设备配置]菜单项,进入接入设备配置页面,在该页面中单击按钮,进入增加接入设备页面.
设置认证及计费的端口号分别为"1812"和"1813";设置与AC交互报文时使用的认证、计费共享密钥和确认共享密钥为"aabbcc";选择业务类型为"设备管理业务";选择接入设备类型为"H3C";选择或手工增加接入设备,添加IP地址为10.
1.
1.
2的接入设备;其它参数采用缺省值,并单击按钮完成操作.
16图6增加接入设备#增加设备管理用户.
选择"用户"页签,单击导航树中的[接入用户管理/设备管理用户]菜单项,进入设备管理用户列表页面,在该页面中单击按钮,进入增加设备管理用户页面.
创建用户名,这里输入"telnetuser@bbb",并配置密码和确认密码;选择服务类型为"Telnet";添加用户角色名"role1";添加所管理设备的IP地址,IP地址范围为"10.
1.
1.
0~10.
1.
1.
10";单击按钮完成操作.
17图7增加设备管理用户4.
6验证配置(1)查看用户角色和特性组信息通过displayrole命令查看用户角色role1的信息.
#显示用户角色role1的信息.
displayrolenamerole1Role:role1Description:VLANpolicy:permit(default)Interfacepolicy:permit(default)VPNinstancepolicy:denyPermittedVPNinstances:vpn1,vpn2,vpn3RulePermTypeScopeEntity181permitRWXfeature-groupL32permitcommanddisplay*R:ReadW:WriteX:Execute通过displayrolefeature-group命令查看特性组L3中包括的特性信息,此处不详细介绍.
(2)用户登录设备用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser@bbbPassword:(3)验证用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:可执行系统预定义特性组L3中的所有命令.
(以创建VPN实例vpn1并配置其RD为22:1为例)system-view[Sysname]ipvpn-instancevpn1[Sysname-vpn-instance-vpn1]route-distinguisher22:1[Sysname-vpn-instance-vpn1]displaythis#ipvpn-instancevpn1route-distinguisher22:1#return[Sysname-vpn-instance-vpn1]quit不能操作其它VPN实例.
(以VPN实例vpn5为例)[Sysname]ipvpn-instancevpn5Permissiondenied.
通过显示信息可以确认配置生效.
4.
7配置文件#telnetserverenable#vlan2to3#interfaceVlan-interface219ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceVlan-interface3ipaddress10.
1.
1.
2255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/23portaccessvlan3#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#radiusschemeradprimaryauthentication10.
1.
1.
1primaryaccounting10.
1.
1.
1keyauthenticationcipher$c$3$JzDegvL0G5KZIcJhzscTHLA4WasBVh0UOw==keyaccountingcipher$c$3$CdejNYYxvjW0Y+Zydi4rZgBwjYb4h6LKmg==#domainbbbauthenticationloginradius-schemeradauthorizationloginradius-schemeradaccountingloginradius-schemerad#rolenamerole1rule1permitreadwriteexecutefeature-groupL3rule2permitcommanddisplay*vpn-instancepolicydenypermitvpn-instancevpn1permitvpn-instancevpn2permitvpn-instancevpn3#5创建新用户角色并授权更改用户权限举例5.
1组网需求如图8所示,为了加强用户登录的安全性,采用本地AAA认证对登录设备的Telnet用户进行认证.
Telnet用户telnetuser1和telnetuser2通过ISP域bbb接入网络,成功登录设备后,均被赋予用户角色role1,具有如下权限:允许执行所有以display开头的命令.
允许执行创建VLAN的命令.
只允许对VLAN10~VLAN15进行操作.
只允许对特定接口Ten-GigabitEthernet1/0/1进行操作.
20现要求为Telnet用户telnetuser1增加对设备的操作权限,具体需求如下:允许对VLAN16~VLAN20进行操作.
允许对特定接口Ten-GigabitEthernet1/0/2~Ten-GigabitEthernet1/0/3进行操作.
图8更改用户权限配置组网图5.
2配置思路为了使Telnet用户telnetuser1增加上述权限,并且不改变Telnet用户telnetuser2的权限,可以通过创建用户角色role2,并对Telnet用户telnetuser1授予用户角色role2.
为了增加Telnet用户telnetuser1可执行所要求权限的命令,需要配置用户角色规则和资源控制策略.
5.
3使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
5.
4配置注意事项一个用户角色中允许创建多条规则,各规则以创建时指定的编号为唯一标识,被授权该角色的用户可以执行的命令为这些规则定义的可执行命令的并集.
若这些规则定义的权限内容有冲突,则规则编号大的有效.
例如,规则1允许执行命令A,规则2允许执行命令B,规则3禁止执行命令A,则最终规则2和规则3生效,即禁止执行命令A,允许执行命令B.
用户可以同时被授权多个用户角色.
拥有多个用户角色的用户可获得这些角色中被允许执行的功能以及被允许操作的资源的集合.
对当前在线用户授权新的用户角色,待该用户重新上线后才能生效.
5.
5配置步骤(1)创建VLAN2并将Switch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit21[Sysname]interfaceTen-GigabitEthernet1/0/23[Sysname-Ten-GigabitEthernet1/0/23]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/23]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipaddress192.
168.
1.
5024(3)配置Telnet用户登录设备的认证方式#开启设备的Telnet服务器功能.
[Sysname]telnetserverenable#在编号为0~63的VTY用户线下,配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty063[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit(4)配置ISP域bbb的AAA方法#创建ISP域bbb,为login用户配置的AAA方法为本地认证、本地授权.
[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginlocal[Sysname-isp-bbb]authorizationloginlocal[Sysname-isp-bbb]quit(5)配置设备管理类本地用户telnetuser1和telnetuser2的密码和服务类型#创建设备管理类本地用户telnetuser1.
[Sysname]local-usertelnetuser1classmanage#配置用户的密码是明文的aabbcc.
[Sysname-luser-manage-telnetuser1]passwordsimpleaabbcc#指定用户的服务类型是Telnet.
[Sysname-luser-manage-telnetuser1]service-typetelnet[Sysname-luser-manage-telnetuser1]quit#创建设备管理类本地用户telnetuser2.
[Sysname]local-usertelnetuser2classmanage#配置用户的密码是明文的aabbcc.
[Sysname-luser-manage-telnetuser2]passwordsimpleaabbcc#指定用户的服务类型是Telnet.
[Sysname-luser-manage-telnetuser2]service-typetelnet[Sysname-luser-manage-telnetuser2]quit(6)创建用户角色role1,并配置用户角色规则#创建用户角色role1,进入用户角色视图.
[Sysname]rolenamerole1#配置用户角色规则1,允许用户执行所有以display开头的命令.
[Sysname-role-role1]rule1permitcommanddisplay*22#配置用户角色规则2,允许执行进入VLAN视图命令.
[Sysname-role-role1]rule2permitcommandsystem-view;vlan*#配置用户角色规则3,允许执行进入接口视图命令以及进入接口视图后的相关命令.
[Sysname-role-role1]rule3permitcommandsystem-view;interface*#进入用户角色VLAN策略视图,配置允许用户具有操作VLAN10~VLAN15的权限.
[Sysname-role-role1]vlanpolicydeny[Sysname-role-role1-vlanpolicy]permitvlan10to15[Sysname-role-role1-vlanpolicy]quit#进入用户角色接口策略视图,配置允许用户具有操作接口Ten-GigabitEthernet1/0/1的权限.
[Sysname-role-role1]interfacepolicydeny[Sysname-role-role1-ifpolicy]permitinterfaceTen-GigabitEthernet1/0/1[Sysname-role-role1-ifpolicy]quit[Sysname-role-role1]quit(7)为本地用户telnetuser1和telnetuser2配置授权用户角色#进入设备管理类本地用户telnetuser1视图.
[Sysname]local-usertelnetuser1classmanage#指定用户telnetuser1的授权角色role1.
[Sysname-luser-manage-telnetuser1]authorization-attributeuser-rolerole1#为保证用户仅使用授权的用户角色role1,删除用户telnetuser1具有的缺省用户角色network-operator.
[Sysname-luser-manage-telnetuser1]undoauthorization-attributeuser-rolenetwork-operator[Sysname-luser-manage-telnetuser1]quit#进入设备管理类本地用户telnetuser2视图.
[Sysname]local-usertelnetuser2classmanage#指定用户telnetuser2的授权角色role1.
[Sysname-luser-manage-telnetuser2]authorization-attributeuser-rolerole1#为保证用户仅使用授权的用户角色role1,删除用户telnetuser2具有的缺省用户角色network-operator.
[Sysname-luser-manage-telnetuser2]undoauthorization-attributeuser-rolenetwork-operator[Sysname-luser-manage-telnetuser2]quit(8)创建用户角色role2,并配置用户角色规则#创建用户角色role2,进入用户角色视图.
[Sysname]rolenamerole2#配置用户角色规则1,允许执行进入接口视图命令以及进入接口视图后的相关命令.
[Sysname-role-role2]rule1permitcommandsystem-view;interface*(9)为用户角色role2配置VLAN资源控制策略#进入用户角色VLAN策略视图,配置允许用户具有操作VLAN16~VLAN20的权限.
[Sysname-role-role2]vlanpolicydeny[Sysname-role-role2-vlanpolicy]permitvlan16to20[Sysname-role-role2-vlanpolicy]quit23#进入用户角色接口策略视图,配置允许用户具有操作接口Ten-GigabitEthernet1/0/2~Ten-GigabitEthernet1/0/3的权限.
[Sysname-role-role2]interfacepolicydeny[Sysname-role-role2-ifpolicy]permitinterfaceTen-GigabitEthernet1/0/2toTen-GigabitEthernet1/0/3[Sysname-role-role2-ifpolicy]quit[Sysname-role-role2]quit(10)为本地用户telnetuser1配置授权用户角色#进入设备管理类本地用户telnetuser1视图.
[Sysname]local-usertelnetuser1classmanage#指定用户telnetuser1的授权角色role2.
[Sysname-luser-manage-telnetuser1]authorization-attributeuser-rolerole2[Sysname-luser-manage-telnetuser1]quit5.
6验证配置5.
6.
1配置更改用户权限前的验证(1)查看用户角色和特性组信息通过displayrole命令查看用户角色role1的信息.
#显示用户角色role1的信息.
displayrolenamerole1Role:role1Description:VLANpolicy:denyPermittedVLANs:10to15Interfacepolicy:denyPermittedinterfaces:Ten-GigabitEthernet1/0/1VPNinstancepolicy:permit(default)RulePermTypeScopeEntity1permitcommanddisplay*2permitcommandsystem-view;vlan*3permitcommandsystem-view;interface*R:ReadW:WriteX:Execute(2)用户登录设备用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser1@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*24login:telnetuser1@bbbPassword:(3)验证用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:能够创建VLAN15.
[Sysname]vlan15[Sysname-vlan15]quit不能创建VLAN20.
[Sysname]vlan20Permissiondenied.
能够操作Ten-GigabitEthernet1/0/1接口.
[Sysname]interfaceTen-GigabitEthernet1/0/1[Sysname-Ten-GigabitEthernet1/0/1]speedauto[Sysname-Ten-GigabitEthernet1/0/1]quit通过显示信息可以确认配置生效.
5.
6.
2配置更改用户权限后的验证(1)查看用户角色和特性组信息通过displayrole命令查看用户角色role2的信息.
#显示用户角色role2的信息.
displayrolenamerole2Role:role2Description:VLANpolicy:denyPermittedVLANs:16to20Interfacepolicy:denyPermittedinterfaces:Ten-GigabitEthernet1/0/2~Ten-GigabitEthernet1/0/3VPNinstancepolicy:permit(default)RulePermTypeScopeEntity1permitcommandsystem-view;interface*R:ReadW:WriteX:Execute(2)用户登录设备用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser1@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
*25*Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser1@bbbPassword:(3)验证用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:可创建VLAN16.
[Sysname]vlan16[Sysname-vlan16]quit能够操作Ten-GigabitEthernet1/0/1~Ten-GigabitEthernet1/0/3接口.
(以配置Ten-GigabitEthernet1/0/2接口速率为例).
[Sysname]interfaceTen-GigabitEthernet1/0/2[Sysname-Ten-GigabitEthernet1/0/2]speedauto[Sysname-Ten-GigabitEthernet1/0/2]quit不能操作其它接口.
(以进入Ten-GigabitEthernet1/0/5接口视图为例)[Sysname]interfaceTen-GigabitEthernet1/0/5Permissiondenied.
通过显示信息可以确认配置生效.
5.
7配置文件#telnetserverenable#vlan2#interfaceVlan-interface2ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/23portaccessvlan2#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#domainbbbauthenticationloginlocalauthorizationloginlocal#26rolenamerole1rule1permitcommanddisplay*rule2permitcommandsystem-view;vlan*rule3permitcommandsystem-view;interface*vlanpolicydenypermitvlan10to15interfacepolicydenypermitinterfaceTen-GigabitEthernet1/0/1#rolenamerole2rule1permitcommandsystem-view;interface*vlanpolicydenypermitvlan16to20interfacepolicydenypermitinterfaceTen-GigabitEthernet1/0/2toTen-GigabitEthernet1/0/3#local-usertelnetuser1classmanagepasswordhash$h$6$kZw1rKFsAY4lhgUz$+teVLy8gmKN4Mr00VWgXQTB8ai94gKHlrys5OkytGf4kT+nz5X1ZGASjc282CYAR6A1upH2jbmRoTcfDzZ9Gmw==service-typetelnetauthorization-attributeuser-rolerole1authorization-attributeuser-rolerole2#local-usertelnetuser2classmanagepasswordhashTPcgyTQJZShe$h$6$vaSj2xKc8yFiNdfQ$Jzb3PXo2lt4jkKSZqJUVhjP634Wol/Qx8TLU748IHoeui0w5n/XRzpNqbNnpxikym39gGJCwYw==service-typetelnetauthorization-attributeuser-rolerole1#6配置用户具有切换用户角色权限举例6.
1组网需求如图9所示,为了加强用户登录的安全性,采用本地AAA认证对登录设备的Telnet用户进行认证.
登录设备的Telnet用户能够进行用户角色的切换,即在不下线的情况下,临时改变自身对系统的操作权限.
当前Telnet用户被授权为用户角色role1,用户角色role1具有如下权限:允许执行系统预定义特性组L3相关的所有命令.
允许执行所有以display开头的命令.
允许执行所有以super开头的命令.
具有所有接口、VLAN和VPN实例资源的操作权限.
现要求,Telnet用户能够被切换到用户角色role2和network-operator,其中用户角色role2具有如下权限:允许执行系统预定义特性组L2相关的所有命令.
27具有所有接口、VLAN和VPN实例资源的操作权限.
图9切换用户角色权限配置组网图6.
2配置思路缺省情况下,用户角色切换的认证方式为local.
在本例中Telnet用户登录设备的认证方式为本地AAA认证,因此,配置用户角色切换时的认证方式为local.
为了使Telnet用户telnetuser能够进行切换用户角色,需要创建本地用户角色role1和role2,并配置相应的配置用户角色规则和资源控制策略.
为了保证操作的安全性,Telnet用户将用户角色切换到不同的用户角色时,需要配置相应切换密码.
6.
3使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
6.
4配置注意事项一个ISP域被配置为缺省的ISP域后将不能够被删除,必须首先使用命令undodomaindefaultenable将其修改为非缺省ISP域,然后才可以被删除.
一个用户角色中允许创建多条规则,各规则以创建时指定的编号为唯一标识,被授权该角色的用户可以执行的命令为这些规则定义的可执行命令的并集.
若这些规则定义的权限内容有冲突,则规则编号大的有效.
例如,规则1允许执行命令A,规则2允许执行命令B,规则3禁止执行命令A,则最终规则2和规则3生效,即禁止执行命令A,允许执行命令B.
切换后的用户角色只对当前登录生效,用户重新登录后,又会恢复到原有用户角色.
6.
5配置步骤(1)创建VLAN2并将Switch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipaddress192.
168.
1.
502428(3)配置Telnet用户登录设备的认证方式#开启设备的Telnet服务器功能.
[Sysname]telnetserverenable#在编号为0~63的VTY用户线下,配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty063[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit(4)配置ISP域bbb的AAA方法#创建ISP域bbb,为login用户配置的AAA方法为本地认证、本地授权.
[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginlocal[Sysname-isp-bbb]authorizationloginlocal[Sysname-isp-bbb]quit(5)配置设备管理类本地用户telnetuser的密码和服务类型#创建设备管理类本地用户telnetuser.
[Sysname]local-usertelnetuserclassmanage#配置用户的密码是明文的aabbcc.
[Sysname-luser-manage-telnetuser]passwordsimpleaabbcc#指定用户的服务类型是Telnet.
[Sysname-luser-manage-telnetuser]service-typetelnet[Sysname-luser-manage-telnetuser]quit(6)创建用户角色role1,并配置用户角色规则#创建用户角色role1,进入用户角色视图.
[Sysname]rolenamerole1#配置用户角色规则1,允许用户执行预定义特性组L3相关的所有命令.
[Sysname-role-role1]rule1permitexecutereadwritefeature-groupL3#配置用户角色规则2,允许用户执行所有以display开头的命令.
[Sysname-role-role1]rule2permitcommanddisplay*#配置用户角色规则3,允许用户执行所有以super开头的命令.
[Sysname-role-role1]rule3permitcommandsuper*[Sysname-role-role1]quit(7)创建用户角色role2,并配置用户角色规则#创建用户角色role2,进入用户角色视图.
[Sysname]rolenamerole2#配置用户角色规则1,允许用户执行预定义特性组L2相关的所有命令.
[Sysname-role-role2]rule1permitexecutereadwritefeature-groupL2[Sysname-role-role2]quit(8)为本地用户配置授权用户角色#进入设备管理类本地用户telnetuser视图.
[Sysname]local-usertelnetuserclassmanage29#指定用户telnetuser的授权角色为role1.
[Sysname-luser-manage-telnetuser]authorization-attributeuser-rolerole1#为保证用户仅使用授权的用户角色role1,删除用户telnetuser具有的缺省用户角色network-operator.
[Sysname-luser-manage-telnetuser]undoauthorization-attributeuser-rolenetwork-operator[Sysname-luser-manage-telnetuser]quit(9)配置用户角色切换的方式及切换密码#配置Telnet用户切换用户角色时采用local认证方式(系统缺省值为local).
[Sysname]superauthentication-modelocal#配置Telnet用户将用户角色切换到role2时使用的密码为明文密码123456TESTplat&!
.
[Sysname]superpasswordrolerole2simple123456TESTplat&!
#配置Telnet用户将用户角色切换到network-operator时使用的密码为明文密码987654TESTplat&!
.
[Sysname]superpasswordrolenetwork-operatorsimple987654TESTplat&!
6.
6验证配置(1)查看用户角色和特性组信息通过displayrole命令查看用户角色role1、role2和network-operator的信息.
#显示用户角色role1的信息.
displayrolenamerole1Role:role1Description:VLANpolicy:permit(default)Interfacepolicy:permit(default)VPNinstancepolicy:permit(default)RulePermTypeScopeEntity1permitRWXfeature-groupL32permitcommanddisplay*3permitcommandsuper*R:ReadW:WriteX:Execute#显示用户角色role2的信息.
displayrolenamerole2Role:role2Description:VLANpolicy:permit(default)Interfacepolicy:permit(default)VPNinstancepolicy:permit(default)RulePermTypeScopeEntity1permitRWXfeature-groupL2R:ReadW:WriteX:Execute30#显示用户角色network-operator的信息.
[Sysname]displayrolenamenetwork-operatorRole:network-operatorDescription:PredefinednetworkoperatorrolehasaccesstoallreadcommandsontheSysnameVLANpolicy:permit(default)Interfacepolicy:permit(default)VPNinstancepolicy:permit(default)RulePermTypeScopeEntitysys-1permitcommanddisplay*sys-2permitcommandxmlsys-3denycommanddisplayhistory-commandallsys-4denycommanddisplayexception*sys-5denycommanddisplaycpu-usageconfiguration*sys-6denycommanddisplaykernelexception*sys-7denycommanddisplaykerneldeadloop*sys-8denycommanddisplaykernelstarvation*sys-9denycommanddisplaykernelreboot*sys-10denycommanddisplaymemorytrace*sys-11denycommanddisplaykernelmemory*sys-12permitcommandsystem-view;local-user*sys-13permitcommandsystem-view;switchtomdc*sys-14permitR--xml-element-sys-15denycommanddisplaysecurity-logfilesummarysys-16denycommandsystem-view;info-centersecurity-logfiledirectory*sys-17denycommandsecurity-logfilesaveR:ReadW:WriteX:Execute通过displayrolefeature-group命令查看特性组L2和L3中包括的特性信息,此处不详细介绍.
(2)用户登录设备用户向设备发起Telnet连接,在Telnet客户端按照提示输入用户名telnetuser@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser@bbbPassword:31(3)验证切换用户角色前的用户权限Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:可执行特性组L3中特性相关的所有命令.
(以创建VPN实例vpn1为例)system-view[Sysname]ipvpn-instancevpn1可执行所有以display开头的命令.
(以显示系统当前日期和时间为例)displayclock09:31:56UTCWed01/01/2015(4)验证切换用户角色Telnet用户成功登录设备后,可通过如下步骤验证用户的权限:a.
在用户视图下使用super开头的命令.
(以切换到用户角色role2并输入相应的切换密码为例)superrole2Password:Userprivilegeroleisrole2,andonlythosecommandsthatauthorizedtotherolecanbeused.
b.
切换到用户角色role2后,可执行特性组L2中特性相关的所有命令.
(以创建VLAN10为例)system-view[Sysname]vlan10[Sysname-vlan10]quit[Sysname]quitc.
切换到用户角色role2后,不能执行非特性组L2中特性相关的命令.
(以切换到用户角色network-operator为例)supernetwork-operatorPermissiondenied.
d.
切换到用户角色role2后,不能执行以display开头的命令.
(以显示系统当前日期和时间为例)displayclockPermissiondenied.
e.
Telnet用户重新登录设备后,才能执行所有以super开头的命令.
(以切换到用户角色network-operator并输入相应的切换密码为例)C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:telnetuser@bbbPassword:32supernetwork-operatorPassword:Userprivilegeroleisnetwork-operator,andonlythosecommandsthatauthorizedtotherolecanbeused.
通过显示信息可以确认配置生效.
6.
7配置文件#telnetserverenable#vlan2#interfaceVlan-interface2ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#superpasswordrolerole2hash$h$6$D0kjHFktkktzgR5g$e673xFnIcKytCj6EDAw+pvwgh3/ung3WNWHnrUTnXT862B+s7PaLfKTdil8ef71RBOvuJvPAZHjiLjrMPyWHQw==superpasswordrolenetwork-operatorhash$h$6$3s5KMmscn9hJ6gPx$IcxbNjUc8u4yxwRm87b/Jki8BoPAxw/s5bEcPQjQj/cbbXwTVcnQGL91WOd7ssO2rX/wKzfyzAO5VhBTn9Q4zQ==#domainbbbauthenticationloginlocalauthorizationloginlocal#rolenamerole1rule1permitreadwriteexecutefeature-groupL3rule2permitcommanddisplay*rule3permitcommandsuper*#rolenamerole2rule1permitreadwriteexecutefeature-groupL2#local-usertelnetuserclassmanagepasswordhash$h$6$kZw1rKFsAY4lhgUz$+teVLy8gmKN4Mr00VWgXQTB8ai94gKHlrys5OkytGf4kT+nz5X1ZGASjc282CYAR6A1upH2jbmRoTcfDzZ9Gmw==service-typetelnetauthorization-attributeuser-rolerole1#337配置具有流量控制的执行权限举例7.
1组网需求如图10所示,某企业内部为隔离部门A和部门B之间流量,将不同VLAN划分给各部门使用.
为了加强各部门网络管理员登录的安全性,采用RADIUS服务器对登录设备的Telnet用户进行认证、授权和计费.
部门A和部门B的网络管理员通过Telnet登录设备时,分别使用RADIUS服务器上配置的用户名admin-departA和admin-departB以及对应的密码进行认证.
部门A网络管理员admin-departA有如下权限:具有流量控制策略相关功能的配置权限.
禁止操作所有的接口和VPN资源.
只允许操作VLAN100~VLAN199.
部门B网络管理员admin-departB有如下权限:具有流量控制策略相关功能的配置权限.
禁止操作所有的接口和VPN资源.
只允许操作VLAN200~VLAN299.
图10具有部署流量控制策略的执行权限配置组网图7.
2配置思路创建用户角色departA-resource,通过配置用户角色规则,使其具有QoS和ACL特性中所有命令的配置权限;通过配置资源控制策略,使其只具有VLAN100~VLAN199的操作权限,无法操作所有的接口和VPN资源.
34创建用户角色departB-resource,通过配置用户角色规则,使其具有QoS和ACL特性中所有命令的配置权限;通过配置资源控制策略,使其只具有VLAN200~VLAN299的操作权限,无法操作所有的接口和VPN资源.
在RADIUS服务器上配置对部门A网络管理员授权用户角色departA-resource;对部门B网络管理员授权用户角色departB-resouce.
7.
3使用版本本举例是在S7500E-CMW710-R7150版本上进行配置和验证的.
7.
4配置注意事项由于RADIUS服务器的授权信息是随认证应答报文发给RADIUS客户端的,所以必须保证认证和授权方法相同.
7.
5配置步骤7.
5.
1设备配置(1)创建VLAN2并将CoreSwitch连接Telnetuser的端口划分到VLAN2中.
system-view[Sysname]vlan2[Sysname-vlan2]quit[Sysname]interfaceTen-GigabitEthernet1/0/24[Sysname-Ten-GigabitEthernet1/0/24]portaccessvlan2[Sysname-Ten-GigabitEthernet1/0/24]quit(2)创建VLAN接口2并配置IP地址.
[Sysname]interfaceVlan-interface2[Sysname-Vlan-interface2]ipaddress192.
168.
1.
5024(3)创建VLAN3并将CoreSwitch连接AAAserver的端口划分到VLAN3中.
system-view[Sysname]vlan3[Sysname-vlan3]quit[Sysname]interfaceTen-GigabitEthernet1/0/23[Sysname-Ten-GigabitEthernet1/0/23]portaccessvlan3[Sysname-Ten-GigabitEthernet1/0/23]quit(4)创建VLAN接口3并配置IP地址.
[Sysname]interfaceVlan-interface3[Sysname-Vlan-interface3]ipaddress20.
1.
1.
224(5)在设备上开启Telnet服务器功能,并配置RADIUS方案和ISP域#开启设备的Telnet服务器功能.
[Sysname]telnetserverenable#在编号为0~63的VTY用户线下,配置Telnet用户登录采用AAA认证方式.
[Sysname]linevty06335[Sysname-line-vty0-63]authentication-modescheme[Sysname-line-vty0-63]quit#创建RADIUS方案rad.
[Sysname]radiusschemerad#配置主认证/授权服务器的IP地址为10.
1.
1.
1,主计费服务器的IP地址为10.
1.
1.
1.
[Sysname-radius-rad]primaryauthentication10.
1.
1.
1[Sysname-radius-rad]primaryaccounting10.
1.
1.
1#配置与认证/授权服务器、主计费服务器交互报文时的共享密钥为明文aabbcc.
[Sysname-radius-rad]keyauthenticationsimpleaabbcc[Sysname-radius-rad]keyaccountingsimpleaabbcc[Sysname-radius-rad]quit#创建ISP域bbb,为login用户配置的AAA认证方法为RADIUS认证、RADIUS授权、RADIUS计费.
[Sysname]domainbbb[Sysname-isp-bbb]authenticationloginradius-schemerad[Sysname-isp-bbb]authorizationloginradius-schemerad[Sysname-isp-bbb]accountingloginradius-schemerad[Sysname-isp-bbb]quit(6)在设备上配置用户角色departA-resource#创建用户角色departA-resource,配置用户角色规则,允许用户执行特性QoS和ACL中的所有命令.
[Sysname]rolenamedepartA-resource[Sysname-role-departA-resource]rule1permitreadwriteexecutefeatureqos[Sysname-role-departA-resource]rule2permitreadwriteexecutefeatureacl#配置VLAN资源控制策略,只具有VLAN100~VLAN199的操作权限.
[Sysname-role-departA-resource]vlanpolicydeny[Sysname-role-departA-resource-vlanpolicy]permitvlan100to199[Sysname-role-departA-resource-vlanpolicy]quit#配置接口和VPN资源访问策略,禁止访问所有接口和VPN资源.
[Sysname-role-departA-resource]interfacepolicydeny[Sysname-role-departA-resource-ifpolicy]quit[Sysname-role-departA-resource]vpnpolicydeny[Sysname-role-departA-resource-vpnpolicy]quit[Sysname-role-departA-resource]quit(7)在设备上配置用户角色departB-resource#创建用户角色departB-resource,配置用户角色规则,允许用户执行特性QoS和ACL中的所有命令.
[Sysname]rolenamedepartB-resource[Sysname-role-departB-resource]rule1permitreadwriteexecutefeatureqos[Sysname-role-departB-resource]rule2permitreadwriteexecutefeatureacl#配置VLAN资源控制策略,只具有VLAN200~VLAN299的操作权限.
[Sysname-role-departB-resource]vlanpolicydeny[Sysname-role-departB-resource-vlanpolicy]permitvlan200to29936[Sysname-role-departB-resource-vlanpolicy]quit#配置接口和VPN资源访问策略,禁止访问所有接口和VPN资源.
[Sysname-role-departB-resource]interfacepolicydeny[Sysname-role-departB-resource-ifpolicy]quit[Sysname-role-departB-resource]vpnpolicydeny[Sysname-role-departB-resource-vpnpolicy]quit[Sysname-role-departB-resource]quit7.
5.
2RADIUS服务器配置下面以iMC为例(使用iMC版本为:iMCPLAT7.
0(E0202)、iMCUAM7.
0(E0202)),说明RADIUS服务器的基本配置.
#增加接入设备.
登录进入iMC管理平台,选择"用户"页签,单击导航树中的[接入策略管理/接入设备管理/接入设备配置]菜单项,进入接入设备配置页面,在该页面中单击按钮,进入增加接入设备页面.
设置认证及计费的端口号分别为"1812"和"1813";设置与AC交互报文时使用的认证、计费共享密钥和确认共享密钥为"aabbcc";选择业务类型为"设备管理业务";选择接入设备类型为"H3C";选择或手工增加接入设备,添加IP地址为20.
1.
1.
2的接入设备;其它参数采用缺省值,并单击按钮完成操作.
图11增加接入设备37#增加设备管理用户.
选择"用户"页签,单击导航树中的[接入用户管理/设备管理用户]菜单项,进入设备管理用户列表页面,在该页面中单击按钮,进入增加设备管理用户页面.
创建用户名,这里输入"admin-departA@bbb",并配置密码和确认密码;选择服务类型为"Telnet";添加用户角色名"departA-resource";添加所管理设备的IP地址,IP地址范围为"20.
1.
1.
0~20.
1.
1.
10";单击按钮完成操作.
图12增加设备管理用户#继续在该页面中单击按钮,进入增加设备管理用户页面.
创建用户名,这里输入"admin-departB@bbb",并配置密码和确认密码;选择服务类型为"Telnet";添加用户角色名"departB-resource";38添加所管理设备的IP地址,IP地址范围为"20.
1.
1.
0~20.
1.
1.
10";单击按钮完成操作.
图13增加设备管理用户7.
6验证配置(1)查看用户角色信息通过displayrole命令查看用户角色departA-resource和departB-resource的信息.
#显示用户角色departA-resource的信息.
displayrolenamedepartA-resourceRole:departA-resourceDescription:VLANpolicy:denyPermittedVLANs:100to199Interfacepolicy:denyVPNinstancepolicy:deny39RulePermTypeScopeEntity1permitRWXfeatureqos2permitRWXfeatureaclR:ReadW:WriteX:Execute#显示用户角色departB-resource的信息.
displayrolenamedepartB-resourceRole:departB-resourceDescription:VLANpolicy:denyPermittedVLANs:200to299Interfacepolicy:denyVPNinstancepolicy:denyRulePermTypeScopeEntity1permitRWXfeatureqos2permitRWXfeatureaclR:ReadW:WriteX:Execute(2)用户登录设备以部门A网络管理员登录设备为例进行验证.
#部门A网络管理员向设备发起Telnet连接,在Telnet客户端按照提示输入用户名admin-departA@bbb及正确的密码后,成功登录设备.
C:\DocumentsandSettings\user>telnet192.
168.
1.
50*Copyright(c)2004-2015HangzhouH3CTech.
Co.
,Ltd.
Allrightsreserved.
**Withouttheowner'spriorwrittenconsent,**nodecompilingorreverse-engineeringshallbeallowed.
*login:admin-departA@bbbPassword:(3)验证用户权限部门A网络管理员admin-departA@bbb成功登录设备后,可通过如下步骤验证用户的权限:可执行特性QoS和ACL中所有的命令.
(以创建高级ACL、流分类、流行为和QoS策略,并关联流分类和流行为为例)#创建高级ACL,编号为3000.
system-view[Sysname]aclnumber3000#配置ACL的匹配规则为匹配所有FTP数据流量.
[Sysname-acl-adv-3000]rulepermittcpdestination-porteqftp-data[Sysname-acl-adv-3000]quit40#创建流分类1,匹配规则为匹配ACL3000.
[Sysname]trafficclassifier1[Sysname-classifier-1]if-matchacl3000[Sysname-classifier-1]quit#创建流分类1,流行为为流量监管,限速值为2000kbps.
[Sysname]trafficbehavior1[Sysname-behavior-1]carcir2000[Sysname-behavior-1]quit#创建QoS策略1,将流分类1和流行为1进行关联.
[Sysname]qospolicy1[Sysname-qospolicy-1]classifier1behavior1[Sysname-qospolicy-1]quit可操作VLAN100~VLAN199.
(以将QoS策略1应用到VLAN100~VLAN107的入方向为例)#将QoS策略1应用到VLAN100~VLAN107的入方向,即对所有主机的上行流量进行限速.
[Sysname]qosvlan-policy1vlan100to107inbound不能操作其它VLAN.
(以将QoS策略1应用到VLAN200~VLAN207的入方向为例)#将QoS策略1应用到VLAN200~VLAN207的入方向,即对所有主机的上行流量进行限速.
[Sysname]qosvlan-policy1vlan200to207inboundPermissiondenied.
通过显示信息可以确认配置生效.
部门B网络管理员admin-departB@bbb成功登录设备后,可通过如下步骤验证用户的权限:可执行特性QoS和ACL中所有的命令.
(以创建高级ACL、流分类、流行为和QoS策略,并关联流分类和流行为为例)#创建高级ACL,编号为3001.
[Sysname]aclnumber3001#配置ACL的匹配规则为匹配所有FTP数据流量.
[Sysname-acl-adv-3001]rulepermittcpdestination-porteqftp-data[Sysname-acl-adv-3001]quit#创建流分类2,匹配规则为匹配ACL3001.
[Sysname]trafficclassifier2[Sysname-classifier-2]if-matchacl3001[Sysname-classifier-2]quit#创建流分类2,流行为为流量监管,限速值为2000kbps.
[Sysname]trafficbehavior2[Sysname-behavior-2]carcir2000[Sysname-behavior-2]quit#创建QoS策略2,将流分类2和流行为2进行关联.
[Sysname]qospolicy2[Sysname-qospolicy-2]classifier1behavior2[Sysname-qospolicy-2]quit41可操作VLAN200~VLAN299.
(以将QoS策略2应用到VLAN200~VLAN207的入方向为例)[Sysname]qosvlan-policy2vlan200to207inbound不能操作其它VLAN.
(以将QoS策略2应用到VLAN100~VLAN107的入方向为例)[Sysname]qosvlan-policy2vlan100to107inboundPermissiondenied.
通过显示信息可以确认配置生效.
7.
7配置文件#telnetserverenable#vlan2to3#interfaceVlan-interface2ipaddress192.
168.
1.
50255.
255.
255.
0#interfaceVlan-interface3ipaddress20.
1.
1.
2255.
255.
255.
0#interfaceTen-GigabitEthernet1/0/23portaccessvlan3#interfaceTen-GigabitEthernet1/0/24portaccessvlan2#linevty063authentication-modeschemeuser-rolenetwork-operator#radiusschemeradprimaryauthentication10.
1.
1.
1primaryaccounting10.
1.
1.
1keyauthenticationcipher$c$3$JzDegvL0G5KZIcJhzscTHLA4WasBVh0UOw==keyaccountingcipher$c$3$CdejNYYxvjW0Y+Zydi4rZgBwjYb4h6LKmg==#domainbbbauthenticationloginradius-schemeradauthorizationloginradius-schemeradaccountingloginradius-schemerad#rolenamedepartA-resourcerule1permitreadwriteexecutefeatureqosrule2permitreadwriteexecutefeatureaclvlanpolicydenypermitvlan100to19942interfacepolicydenyvpn-instancepolicydeny#rolenamedepartB-resourcerule1permitreadwriteexecutefeatureqosrule2permitreadwriteexecutefeatureaclvlanpolicydenypermitvlan200to299interfacepolicydenyvpn-instancepolicydeny#8相关资料H3CS7500E系列交换机基础配置指导-ReleaseR7150H3CS7500E系列交换机基础配置命令参考-ReleaseR7150
- 用户permissiondenied相关文档
- 协商permissiondenied
- 4.permissiondenied
- termpermissiondenied
- providingpermissiondenied
- Settingpermissiondenied
- 5.permissiondenied
特网云(198元/月),高质量云虚拟主机低至0.16元/天,裸金属服务器仅需10.5元/天
特网云为您提供高速、稳定、安全、弹性的云计算服务计算、存储、监控、安全,完善的云产品满足您的一切所需,深耕云计算领域10余年;我们拥有前沿的核心技术,始终致力于为政府机构、企业组织和个人开发者提供稳定、安全、可靠、高性价比的云计算产品与服务。官方网站:https://www.56dr.com/ 10年老品牌 值得信赖 有需要的请联系======================特网云推出多IP云主机...
香港云服务器最便宜价格是多少钱一个月、一年?
香港云服务器最便宜价格是多少钱一个月/一年?无论香港云服务器推出什么类型的配置和活动,价格都会一直吸引我们,那么就来说说香港最便宜的云服务器类型和香港最低的云服务器价格吧。香港云服务器最便宜最低价的价格是多少?香港云服务器只是服务器中最受欢迎的产品。香港云服务器有多种配置类型,如1核1G、2核2G、2核4G、8到16核32G等。这些配置可以满足大多数用户的需求,无论是电商站、视频还是游戏、小说等。...
可抵御99%的攻击中国单域版cdn:9元/月7T防御 cloudsecre
官方网站:点击访问CDN客服QQ:123008公司名:贵州青辞赋文化传媒有限公司域名和IP被墙封了怎么办?用cloudsecre.com网站被攻击了怎么办?用cloudsecre.com问:黑客为什么要找网站来攻击?答:黑客需要找肉鸡。问:什么是肉鸡?答:被控的服务器和电脑主机就是肉鸡。问:肉鸡有什么作用?答:肉鸡的作用非常多,可以用来干违法的事情,通常的行为有:VPN拨号,流量P2P,攻击傀儡,...
permissiondenied为你推荐
-
丑福晋大福晋比正福晋大么同ip域名什么是同主机域名www.haole012.com阜阳有什么好的正规的招聘网站?8090lu.com8090向前冲电影 8090向前冲清晰版 8090向前冲在线观看 8090向前冲播放 8090向前冲视频下载地址??www.765.com哪里有免费的电影网站www.bbb551.com100bbb网站怎样上不去了www.bbb551.comHUNTA551第一个第二个妹子是谁呀??sesehu.com68lolita com是真的吗javlibrary.comImage Library Sell Photos Digital Photos Photo Sharing Photo Restoration Digital Photos Photo Albumssodu.tw给个看免费小说的网站