3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide

58 CHAPTER 4: AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Configure the static route.
[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Configure the Telnet user to use AAA authentication.
[secblade] user-interface vty 0 4
[secblade-ui-vty0-4] authentication-mode scheme
# Create the local user telnet.
[secblade] local-user telnet@system
[secblade-luser-telnet@system] service-type telnet
[secblade-luser-telnet@system] password simple 3com
[secblade-luser-telnet@system] quit
[secblade] domain system
[secblade-isp-system] scheme local
[secblade-isp-system] quit
Telnet users log in with usernames in the userid@system format and are authenticated as users of the system domain.
# Quit the Firewall module configuration view.
[secblade] quit
<secblade> quit
[SW8800]
Enabling the TACACS Server to Employ One-Time Authentication/Accounting on Telnet Users
Network requirements
In the network environment shown in the following figure, configure the module so that the TACACS server performs one-time password authentication and accounting for Telnet users.
One TACACS server host, serving as both authentication server and accounting server, is connected to the module. The IP address of the server host is 10.0.0.1/24. Set the shared key for packet exchange with the authentication server and with the accounting server to "expert". The TACACS server provides one-time password authentication. The module does not strip the domain name from the user name but sends the full name to the TACACS server, so the user name you add on the TACACS server should be "test@tacacs".
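The configuration below is added here as an illustration of how the requirements above map onto HWTACACS scheme and domain commands on the Firewall module; it is not the manual's own configuration procedure for this example. The server address 10.0.0.1 and the shared key "expert" come from the requirements; the scheme name tacacs, the domain name tacacs (matching the user name test@tacacs) and the TACACS port 49 are assumptions.

```text
# Create the HWTACACS scheme and point it at the server host 10.0.0.1.
# Port 49 is the standard TACACS port (assumed here); the same host is
# used for authentication and for accounting.
[secblade] hwtacacs scheme tacacs
[secblade-hwtacacs-tacacs] primary authentication 10.0.0.1 49
[secblade-hwtacacs-tacacs] primary accounting 10.0.0.1 49
# Shared keys for authentication and accounting packets, both "expert".
[secblade-hwtacacs-tacacs] key authentication expert
[secblade-hwtacacs-tacacs] key accounting expert
# Keep the domain name in the user name sent to the server, so the
# account on the server must be "test@tacacs", not just "test".
[secblade-hwtacacs-tacacs] user-name-format with-domain
[secblade-hwtacacs-tacacs] quit
# Bind the domain "tacacs" (assumed name) to the scheme: a Telnet user
# logging in as test@tacacs is authenticated and accounted by this scheme.
[secblade] domain tacacs
[secblade-isp-tacacs] scheme hwtacacs-scheme tacacs
[secblade-isp-tacacs] quit
# Telnet users must use scheme (AAA) authentication, as in the previous example.
[secblade] user-interface vty 0 4
[secblade-ui-vty0-4] authentication-mode scheme
```

The key configured on the module must match the key configured for this client on the TACACS server, and because the user name is sent with its domain, a server account named only "test" will not match. The system domain from the previous example keeps its local scheme, so the local user telnet@system continues to work alongside the TACACS-backed domain.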