R0106-HP MSR Router Series Security Configuration Guide(V7)
[Router] ssh server enable
# Enable the default user role function to assign authenticated SSH users the default user role network-operator.
[Router] role default-role enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Assign an IP address to interface GigabitEthernet 2/1/1, the SSH user access interface.
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] ip address 192.168.1.70 255.255.255.0
[Router-GigabitEthernet2/1/1] quit
# Assign an IP address to interface GigabitEthernet 2/1/2, through which the router is connected to the server.
[Router] interface gigabitethernet 2/1/2
[Router-GigabitEthernet2/1/2] ip address 10.1.1.2 255.255.255.0
[Router-GigabitEthernet2/1/2] quit
Verifying the configuration
# Initiate an SSH connection to the router, and enter the correct username and password. (Details not shown.) The user logs in to the router.
# Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)
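The following Python check is an added example, not part of the HP guide. It compares a saved configuration with the steps above: SSH server enabled, default user role function enabled, and scheme authentication on every VTY line from 0 through 63. The sample configurations are constructed, and the layout they use (view commands in column 0, sub-commands indented, # between sections) is an assumption.

```python
import re
# Constructed samples. Assumed layout: view commands start in column 0,
# their sub-commands are indented, and "#" separates sections.
GOOD = """#
 ssh server enable
#
 role default-role enable
#
line vty 0 63
 authentication-mode scheme
#
"""
# Constructed weak variant: VTY 5-63 use password authentication and the
# default user role function is not enabled.
WEAK = """#
 ssh server enable
#
line vty 0 4
 authentication-mode scheme
#
line vty 5 63
 authentication-mode password
#
"""
REQUIRED = ("ssh server enable", "role default-role enable")

def audit(config, first=0, last=63):
    """Return (missing_commands, vty_numbers_not_in_scheme_mode)."""
    modes, current, seen = {}, [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = []                      # section boundary
            continue
        indented = raw[0].isspace()
        view = re.fullmatch(r"line vty (\d+)(?: (\d+))?", line)
        mode = re.fullmatch(r"authentication-mode (\S+)", line)
        if view and not indented:             # entering a VTY line view
            lo = int(view.group(1))
            current = list(range(lo, int(view.group(2) or lo) + 1))
        elif mode and indented and current:   # mode applies to that view
            modes.update(dict.fromkeys(current, mode.group(1)))
        else:
            current = current if indented else []   # other view ends VTY view
            seen.add(line)
    missing = [c for c in REQUIRED if c not in seen]
    weak = [n for n in range(first, last + 1) if modes.get(n) != "scheme"]
    return missing, weak
```

A VTY line that has no authentication-mode entry in the parsed text is reported as not in scheme mode, so a partial range such as line vty 0 4 does not pass for the whole 0 through 63 span.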
Authentication for SSH users by an LDAP server
Network requirements
As shown in Figure 16, an LDAP server is located at 10.1.1.1/24 and uses the domain name ldap.com.
Configure the router to meet the following requirements:
• Use the LDAP server to authenticate SSH users.
• Assign the default user role network-operator to SSH users after they pass authentication.
On the LDAP server, set the administrator password to admin!123456, add user aaa, and set the user password to ldap!123456.
Figure 16 Network diagram