VRP (R) Software, Version 5.70 (S2300 V100R005C01SPC100)
For the purposes of this document, the following network infrastructure values are assumed:
- NACVIEW IP server address: NACVIEW_SERV
- RADIUS communication key: RADIUS_KEY
- Name of the RADIUS server template: RADIUS_TEMP
- Name of the authentication scheme: NV_AUTH
- Name of the accounting scheme: NV_ACC
- Name of the TACACS+ server template: NV_TACACS
- Communication key for TACACS+ server: TAC+_KEY
- Name of the TACACS+ authentication scheme: NV_TAC_AUTHEN
- Name of the TACACS+ authorization scheme: NV_TAC_AUTHOR
- SNMP v2c community string: SNMP_SECRET
- SNMP v3 authentication and privacy passwords: SNMP_AUTH, SNMP_PRIV
- SNMP user: SNMP_USER
- SNMP group: SNMP_GROUP
- Switch management interface: VLAN-interfaceX
Run the following commands to define a RADIUS server template. The shared key is entered in cipher form so that it is stored encrypted in the configuration, and the last command strips the @domain suffix from user names before they are sent to NACVIEW:
<Quidway>system-view
[Quidway]radius-server template RADIUS_TEMP
[Quidway-radius-RADIUS_TEMP]radius-server authentication NACVIEW_SERV 1812
[Quidway-radius-RADIUS_TEMP]radius-server accounting NACVIEW_SERV 1813
[Quidway-radius-RADIUS_TEMP]radius-server shared-key cipher RADIUS_KEY
[Quidway-radius-RADIUS_TEMP]undo radius-server user-name domain-included
[Quidway-radius-RADIUS_TEMP]quit
Run the following commands to define the authentication and accounting schemes:
[Quidway]aaa
[Quidway-aaa]authentication-scheme NV_AUTH
[Quidway-aaa-authen-NV_AUTH]authentication-mode radius
[Quidway-aaa-authen-NV_AUTH]quit
[Quidway-aaa]accounting-scheme NV_ACC
[Quidway-aaa-accounting-NV_ACC]accounting-mode radius
[Quidway-aaa-accounting-NV_ACC]quit
Execute the following commands to assign the authentication and accounting schemes to the default domain and link it to the RADIUS server:
[Quidway-aaa]domain default
[Quidway-aaa-domain-default]authentication-scheme NV_AUTH
[Quidway-aaa-domain-default]accounting-scheme NV_ACC
[Quidway-aaa-domain-default]radius-server RADIUS_TEMP
[Quidway-aaa-domain-default]quit
[Quidway-aaa]quit
Run the following commands to define a TACACS+ (HWTACACS) server template for administrator login. Enter the shared key in cipher form, as for RADIUS, so that it is not stored in clear text in the running configuration:
[Quidway]hwtacacs-server template NV_TACACS
[Quidway-hwtacacs-NV_TACACS]hwtacacs-server authentication NACVIEW_SERV 49
[Quidway-hwtacacs-NV_TACACS]hwtacacs-server authorization NACVIEW_SERV 49
[Quidway-hwtacacs-NV_TACACS]hwtacacs-server shared-key cipher TAC+_KEY
[Quidway-hwtacacs-NV_TACACS]undo hwtacacs-server user-name domain-included
[Quidway-hwtacacs-NV_TACACS]quit
Run the following commands to define the TACACS+ authentication and authorization schemes and assign them, together with the TACACS+ template, to the default_admin domain used for administrators. The domain must reference the scheme names defined here (NV_TAC_AUTHEN and NV_TAC_AUTHOR), not the keyword hwtacacs. Because local is the fallback when the TACACS+ server is unreachable, keep at least one local administrator account with a strong password:
[Quidway]aaa
[Quidway-aaa]authentication-scheme NV_TAC_AUTHEN
[Quidway-aaa-authen-NV_TAC_AUTHEN]authentication-mode hwtacacs local
[Quidway-aaa-authen-NV_TAC_AUTHEN]quit
[Quidway-aaa]authorization-scheme NV_TAC_AUTHOR
[Quidway-aaa-author-NV_TAC_AUTHOR]authorization-mode hwtacacs local
[Quidway-aaa-author-NV_TAC_AUTHOR]quit
[Quidway-aaa]domain default_admin
[Quidway-aaa-domain-default_admin]hwtacacs-server NV_TACACS
[Quidway-aaa-domain-default_admin]authentication-scheme NV_TAC_AUTHEN
[Quidway-aaa-domain-default_admin]authorization-scheme NV_TAC_AUTHOR
[Quidway-aaa-domain-default_admin]quit
[Quidway-aaa]quit
Make default_admin the global default domain for administrative users, and require password authentication for SSH logins (the password is then verified through the domain's TACACS+ scheme):
[Quidway]domain default_admin admin
[Quidway]ssh authentication-type default password
Enable 802.1X and MAC authentication globally. EAP packets are relayed to the RADIUS server, the quiet period slows repeated attempts after a failed authentication, and the MAC authentication timers control how often clients are re-authenticated and how quickly a silent client is taken offline:
[Quidway]dot1x enable
[Quidway]dot1x authentication-method eap
[Quidway]dot1x quiet-period
[Quidway]dot1x timer tx-period 120
[Quidway]mac-authen
[Quidway]mac-authen timer reauthenticate-period 3600
[Quidway]mac-authen timer offline-detect 60
On ports where supplicant-based 802.1X is used (Ethernet 0/0/2 in this example), enable 802.1X with per-MAC-address authentication so that each device behind the port is authenticated separately:
[Quidway]interface Ethernet 0/0/2
[Quidway-Ethernet0/0/2]dot1x enable
[Quidway-Ethernet0/0/2]dot1x port-control auto
[Quidway-Ethernet0/0/2]dot1x port-method mac
[Quidway-Ethernet0/0/2]quit
On ports where MAC authentication bypass (MAB) is used for devices without a supplicant (Ethernet 0/0/3 in this example), enable MAC authentication and limit the port to a single authenticated MAC address:
[Quidway]interface Ethernet 0/0/3
[Quidway-Ethernet0/0/3]mac-authen
[Quidway-Ethernet0/0/3]mac-authen max-user 1
[Quidway-Ethernet0/0/3]quit
Remark: MAB ports must be in access mode. The switch must also have a properly configured VLAN to which users are assigned after authorization.
Run the following commands to enable SNMPv2c for NACVIEW. The community string also serves as the security name for v2c traps. The MIB view NACVIEW_VIEW referenced by the community must already exist; it is created with the snmp-agent mib-view command shown in the SNMPv3 section below, and trap sending must be switched on with snmp-agent trap enable, also shown there. Use SNMPv2c only if SNMPv3 is not an option: the community string crosses the network in clear text, and a write community grants SET access to every object in the view, so restrict it to the NACVIEW server address where the platform allows.
<Quidway>system-view
[Quidway]snmp-agent
[Quidway]snmp-agent sys-info version v2c
[Quidway]snmp-agent community write cipher SNMP_SECRET mib-view NACVIEW_VIEW
[Quidway]snmp-agent target-host trap address udp-domain NACVIEW_SERV params securityname SNMP_SECRET v2c
Before configuring the device to send traps, confirm that the information center is enabled (see the syslog section below). If it is not, run the info-center enable command.
Run the following commands to use SNMPv3 instead, with both authentication and privacy (the recommended option). The MIB view and group are created before the user that refers to them, and SNMP_AUTH and SNMP_PRIV stand in for the real authentication and privacy passwords. If the software offers privacy-mode aes128, prefer it over des56, which is a weak cipher. If only SNMPv3 is used, do not also enable v2c or leave a v2c community configured.
<Quidway>system-view
[Quidway]snmp-agent sys-info version v3
[Quidway]snmp-agent mib-view included NACVIEW_VIEW 1
[Quidway]snmp-agent group v3 SNMP_GROUP privacy read-view NACVIEW_VIEW write-view NACVIEW_VIEW notify-view NACVIEW_VIEW
[Quidway]snmp-agent usm-user v3 SNMP_USER SNMP_GROUP authentication-mode sha SNMP_AUTH privacy-mode des56 SNMP_PRIV
[Quidway]snmp-agent trap enable
[Quidway]snmp-agent target-host trap address udp-domain NACVIEW_SERV params securityname SNMP_USER v3 privacy
Run the following commands to send syslog messages to NACVIEW, sourced from the switch management interface. The log host address itself must be configured as well; the source command alone has no destination to apply to:
<Quidway>system-view
[Quidway]info-center enable
[Quidway]info-center loghost NACVIEW_SERV
[Quidway]info-center loghost source VLAN-interfaceX
Remark: for logs to be displayed correctly in NACVIEW, the switch's system time and date must be correct. Set the clock (or synchronise it with an NTP server) before enabling logging.
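A template like the one above is usually filled in by hand and pasted into the switch, and the mistakes that invites are easy to overlook in a long transcript: a domain referencing a scheme name that was never defined, a shared key entered with simple instead of cipher, a community pointing at a MIB view that does not exist, a literal password or a placeholder left where a real value belongs. The following Python script is an added example, not part of the NACVIEW documentation, that lints a rendered VRP CLI transcript for exactly those conditions before it is applied. It decides whether an "x-scheme NAME" line defines or references a scheme from the prompt in front of it (a -domain- view references, the aaa view defines), which is an assumption about the transcript format; the list of must-replace placeholders and the sample configuration are constructed for the example.

```python
import re

# Secrets and addresses from the template that must be substituted before the
# configuration is pasted into the switch (assumed list for this example).
MUST_REPLACE = {"NACVIEW_SERV", "RADIUS_KEY", "TAC+_KEY", "SNMP_SECRET",
                "SNMP_AUTH", "SNMP_PRIV", "VLAN-interfaceX"}

# A transcript line is "<user-view>cmd", "[system-view-name]cmd" or a bare cmd.
PROMPT_RE = re.compile(r"^\s*(?:<[^>]*>|\[(?P<view>[^\]]*)\])?\s*(?P<cmd>.*?)\s*$")
SCHEME_RE = re.compile(r"(authentication|authorization|accounting)-scheme\s+(\S+)$")
TEMPLATE_DEF_RE = re.compile(r"(radius|hwtacacs)-server\s+template\s+(\S+)$")
TEMPLATE_REF_RE = re.compile(r"(radius|hwtacacs)-server\s+(\S+)$")
PLAIN_KEY_RE = re.compile(r"(radius|hwtacacs)-server\s+shared-key\s+simple\b")
VIEW_DEF_RE = re.compile(r"snmp-agent\s+mib-view\s+(?:included|excluded)\s+(\S+)\s+\S+")
VIEW_REF_RE = re.compile(r"\b(?:mib|read|write|notify)-view\s+(\S+)")
GROUP_RE = re.compile(r"snmp-agent\s+group\s+v3\s+(\S+)")


def parse_line(raw):
    """Split one CLI transcript line into (system-view name, command)."""
    m = PROMPT_RE.match(raw)
    return (m.group("view") or ""), m.group("cmd")


def lint_vrp_config(text):
    """Return sorted (line_no, message) findings for a VRP CLI transcript."""
    defined = {k: set() for k in ("authentication", "authorization", "accounting",
                                  "radius", "hwtacacs", "view")}
    refs, findings = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        view, cmd = parse_line(raw)
        if not cmd:
            continue
        words = cmd.split()
        in_domain = "-domain-" in view  # prompt decides: define vs. reference
        m = SCHEME_RE.match(cmd)
        if m:
            kind, name = m.groups()
            if in_domain:
                refs.append((no, kind, name))
            else:
                defined[kind].add(name)
            continue
        m = TEMPLATE_DEF_RE.match(cmd)
        if m:
            defined[m.group(1)].add(m.group(2))
            continue
        m = TEMPLATE_REF_RE.match(cmd)
        if m and in_domain:
            refs.append((no, m.group(1), m.group(2)))
        if PLAIN_KEY_RE.match(cmd):
            findings.append((no, "shared key stored in plain text; use 'shared-key cipher' instead"))
        m = VIEW_DEF_RE.match(cmd)
        if m:
            defined["view"].add(m.group(1))
            continue
        for m in VIEW_REF_RE.finditer(cmd):
            refs.append((no, "view", m.group(1)))
        if re.match(r"snmp-agent\s+community\s+write\b", cmd):
            findings.append((no, "SNMP read-write community; confirm SET access is needed and restrict the source"))
        m = GROUP_RE.match(cmd)
        if m and "privacy" not in words:
            findings.append((no, f"SNMPv3 group '{m.group(1)}' does not require privacy"))
        if "privacy-mode des56" in cmd:
            findings.append((no, "SNMPv3 privacy uses des56; prefer aes128 if the software supports it"))
        for p in sorted(MUST_REPLACE.intersection(words)):
            findings.append((no, f"placeholder {p} was not replaced"))
    # Second pass: every reference must resolve to a definition of the same kind.
    for no, kind, name in refs:
        if name not in defined[kind]:
            findings.append((no, f"{kind} '{name}' is referenced but never defined"))
    return sorted(findings)


# Constructed sample transcript with the typical mistakes left in on purpose.
SAMPLE = """\
<Quidway>system-view
[Quidway]radius-server template NACVIEW
[Quidway-radius-NACVIEW]radius-server authentication 10.0.0.5 1812
[Quidway-radius-NACVIEW]radius-server shared-key cipher RADIUS_KEY
[Quidway-radius-NACVIEW]quit
[Quidway]hwtacacs-server template NV_TACACS
[Quidway-hwtacacs-NV_TACACS]hwtacacs-server shared-key simple s3cret
[Quidway-hwtacacs-NV_TACACS]quit
[Quidway]aaa
[Quidway-aaa]authentication-scheme NV_AUTH
[Quidway-aaa-authen-NV_AUTH]authentication-mode radius
[Quidway-aaa-authen-NV_AUTH]quit
[Quidway-aaa]domain default
[Quidway-aaa-domain-default]authentication-scheme NV_AUTH
[Quidway-aaa-domain-default]radius-server NACVIEW
[Quidway-aaa-domain-default]quit
[Quidway-aaa]domain default_admin
[Quidway-aaa-domain-default_admin]hwtacacs-server NV_TACACS
[Quidway-aaa-domain-default_admin]authentication-scheme hwtacacs
[Quidway-aaa-domain-default_admin]quit
[Quidway-aaa]quit
[Quidway]snmp-agent community write cipher s3cret mib-view nacview_view
[Quidway]snmp-agent mib-view included NACVIEW_VIEW 1
[Quidway]snmp-agent usm-user v3 nacview nacgroup authentication-mode sha s3cret privacy-mode des56 s3cret
[Quidway]snmp-agent group v3 nacgroup authentication read-view NACVIEW_VIEW
"""

if __name__ == "__main__":
    for no, msg in lint_vrp_config(SAMPLE):
        print(f"line {no}: {msg}")
```

Run against a transcript copied from a terminal (prompts included), the script reports the line number of each problem; a clean transcript returns an empty list, which makes it usable as a gate in a change pipeline before the configuration is pushed.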