HP MSR2000/3000/4000 Router Series Security Configuration Guide

<Router> system-view
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 192.168.1.70 255.255.255.0
[Router-Ethernet1/1] quit
# Create local RSA and DSA key pairs.
[Router] public-key local create rsa
[Router] public-key local create dsa
# Enable the SSH service.
[Router] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Create a device management user.
[Router] local-user ssh class manage
# Assign the SSH service to the local user.
[Router-luser-manage-ssh] service-type ssh
# Set a password for the local user to 123456TESTplat&! in plain text. In FIPS mode, you must set the password in interactive mode.
[Router-luser-manage-ssh] password simple 123456TESTplat&!
# Specify the user role for the user as network-admin.
[Router-luser-manage-ssh] authorization-attribute user-role network-admin
[Router-luser-manage-ssh] quit
# Create ISP domain bbb and configure the domain to use local authentication and authorization for login users.
[Router] domain bbb
[Router-isp-bbb] authentication login local
[Router-isp-bbb] authorization login local
[Router-isp-bbb] quit
Verifying the configuration
When the user initiates an SSH connection to the router and enters the username ssh@bbb and the correct password, the user successfully logs in and can use the commands for the network-admin user role.
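As an added check that is not part of the guide, the following Python audits a saved configuration for the settings above. It assumes the configuration is text in the style of display current-configuration output, and the names bbb, ssh and network-admin are taken from this example.

```python
# Constructed sample in the style of 'display current-configuration' output.
SAMPLE_CONFIG = """\
 ssh server enable
#
line vty 0 63
 authentication-mode scheme
#
domain bbb
 authentication login local
 authorization login local
#
local-user ssh class manage
 service-type ssh
 authorization-attribute user-role network-admin
"""

def parse_blocks(config):
    """Group lines by view: an unindented line opens a view, indented lines belong to it, '#' ends it."""
    blocks, view = {"global": []}, "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            view = "global"
        elif raw.startswith(" "):
            blocks.setdefault(view, []).append(line)
        else:
            view = line
            blocks.setdefault(view, [])
    return blocks

def audit_ssh_aaa(config, domain="bbb", user="ssh", role="network-admin"):
    """Return a list of findings; an empty list means the expected settings are all present."""
    b, findings = parse_blocks(config), []
    if "ssh server enable" not in b["global"]:
        findings.append("SSH server is not enabled")
    for k in (k for k in b if k.startswith("line vty")):
        if "authentication-mode scheme" not in b[k]:
            findings.append(f"{k}: authentication-mode is not scheme, so AAA is not applied")
    dom = b.get(f"domain {domain}", [])
    for need in ("authentication login local", "authorization login local"):
        if need not in dom:
            findings.append(f"domain {domain}: missing '{need}'")
    usr = b.get(f"local-user {user} class manage", [])
    for need in ("service-type ssh", f"authorization-attribute user-role {role}"):
        if need not in usr:
            findings.append(f"local-user {user}: missing '{need}'")
    if any(l.startswith("password simple") for l in usr):
        findings.append(f"local-user {user}: password stored in plain text")
    return findings
```

Run it against the output of display current-configuration to confirm every VTY line uses scheme authentication and the domain and local user are wired up as in the example.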
AAA for SSH users by an HWTACACS server
Network requirements
As shown in Figure 14, configure the router to use the HWTACACS server for SSH user authentication,
authorization, and accounting, and to assign the default user role network-operator to SSH users after
they pass authentication.