4000 Router Series Security Configuration Guide

[Router] role default-role enable

# Create a RADIUS scheme.

[Router] radius scheme rad

# Specify the primary authentication server.

[Router-radius-rad] primary authentication 10.1.1.1 1812

# Set the shared key for secure communication with the server to expert in plain text.

[Router-radius-rad] key authentication simple expert

# Include the domain names in usernames sent to the RADIUS server.

[Router-radius-rad] user-name-format with-domain

[Router-radius-rad] quit

# Create ISP domain bbb and configure authentication/authorization methods for login users.

NOTE:

Because RADIUS user authorization information is piggybacked in authentication responses, the

authentication and authorization methods must use the same RADIUS scheme.

[Router] domain bbb

[Router-isp-bbb] authentication login radius-scheme rad

[Router-isp-bbb] authorization login radius-scheme rad

[Router-isp-bbb] quit

Verifying the configuration

When the user initiates an SSH connection to the router and enter the username hello@bbb and the

correct password, the user successfully logs in and can use the commands for the network-operator user

role.

Local authentication and authorization for SSH

users

Network requirements

As shown in Figure 13, configure the router to perform local authentication and authorization for SSH

users and assign the network-admin user role to SSH users after they pass authentication.

Figure 13 Network diagram

Configuration procedure

# Assign an IP address to interface Ethernet 1/1, the SSH user access interface.