Adding Huawei and H3C switch Telnet logins to FreeRADIUS for RADIUS authentication

A note first: apart from the very newest H3C switches, whose privilege attribute is H3C-Exec-Privilege, Huawei switches and older H3C switches all use Huawei-Exec-Privilege (Huawei vendor ID 2011, sub-attribute 29). This is not spelled out anywhere online, so in most cases Huawei-Exec-Privilege alone is enough to control the login privilege level on Huawei and H3C switches.

Also, for switches the server-type in the RADIUS scheme must be set to huawei or extended. On switches from the period when Huawei and H3C were one company, Version 3.10 only offers the huawei server-type, while Version 5.20 can be set to extended; from Version 5.70 onwards it seems no setting is needed, as the default accepts both standard and vendor-private attributes.
1. Add the client entries on the FreeRADIUS server.
The file is /etc/raddb/clients.conf:

```
client 192.168.0.0/16 {
        secret          = Clifford-Group
        shortname       = Layer-2-Switch
}

client 10.0.0.0/8 {
        secret          = Clifford-Group
        shortname       = Layer-2-Switch
}

client 172.16.0.0/12 {
        secret          = Clifford-Group
        shortname       = Layer-2-Switch
}
```

The above accepts authentication requests from every RFC 1918 private range with the shared secret Clifford-Group; shortname is only a label and can be anything. Be aware that one secret for a whole /8 means any host in that range can submit requests and receive the reply attributes, so on a production server each switch (or at least each management subnet) should be its own client entry with its own secret.
2. Add the rows in the database

![radcheck and radreply tables](http://upload-images.jianshu.io/upload_images/2701907-41aa3b19c7457e09.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

radcheck is the table holding the username and password that are checked when the Telnet login authenticates.
radreply holds what is returned to the switch after a successful check, for example which privilege level the session gets.


![radreply rows for the switch login](http://upload-images.jianshu.io/upload_images/2701907-38c0fdfca85ed5ef.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Huawei and H3C switches will only let the user log in with the highest privilege level if the reply attributes shown above (Huawei-Exec-Privilege := 3, Service-Type := Login-User, Login-Service := Telnet) are present in radreply.
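The screenshots above do not survive extraction, so here is the same data as an added Python example (not code from the original post): it builds an in-memory SQLite copy of the two tables using the standard FreeRADIUS five-column layout, inserts the rows for the page's `test` user (the RADIUS username is `test` rather than `test@isc` because the switch schemes use `user-name-format without-domain`), and mimics the rlm_sql lookup. The password `t3st-pass`, the second user `ops`, and the reduced schema are assumptions made for the example; the attribute names and `:=` operators are the ones FreeRADIUS returns in the log further down.

```python
import hmac
import sqlite3

# Constructed in-memory stand-in for the FreeRADIUS SQL tables edited in step 2.
# The five columns are the standard radcheck/radreply layout; the real schema
# has more tables, so this is an assumption sufficient for the example.
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL DEFAULT '',
    attribute TEXT NOT NULL DEFAULT '',
    op        CHAR(2) NOT NULL DEFAULT '==',
    value     TEXT NOT NULL DEFAULT ''
);
CREATE TABLE radreply (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL DEFAULT '',
    attribute TEXT NOT NULL DEFAULT '',
    op        CHAR(2) NOT NULL DEFAULT '=',
    value     TEXT NOT NULL DEFAULT ''
);
"""

# Which vendor-specific attribute carries the privilege level.
PRIV_ATTR = {
    "huawei": "Huawei-Exec-Privilege",  # Huawei and older H3C (vendor 2011, attr 29)
    "h3c": "H3C-Exec-Privilege",        # newest H3C models only
}


def add_switch_admin(conn, username, password, level=3, vendor="huawei"):
    """Insert the radcheck row (password) and the three radreply rows
    (privilege, Service-Type, Login-Service) for one switch login."""
    # Cleartext-Password must use ':=' in radcheck, as FreeRADIUS requires.
    conn.execute(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        (username, "Cleartext-Password", ":=", password),
    )
    conn.executemany(
        "INSERT INTO radreply (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [
            (username, PRIV_ATTR[vendor], ":=", str(level)),
            (username, "Service-Type", ":=", "Login-User"),
            (username, "Login-Service", ":=", "Telnet"),
        ],
    )
    conn.commit()


def authorize(conn, username, password):
    """Simplified rlm_sql flow: read the user's Cleartext-Password from radcheck,
    compare it, and on success return the radreply rows as (attribute, op, value)
    tuples in id order. Returns None for an unknown user or a wrong password."""
    row = conn.execute(
        "SELECT value FROM radcheck WHERE username = ? AND attribute = 'Cleartext-Password'",
        (username,),
    ).fetchone()
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    return conn.execute(
        "SELECT attribute, op, value FROM radreply WHERE username = ? ORDER BY id",
        (username,),
    ).fetchall()


def build_demo_db():
    """Create the tables, add the page's 'test' user (password made up here) and a
    second, lower-privilege user for a newer H3C model."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    add_switch_admin(conn, "test", "t3st-pass", level=3)
    add_switch_admin(conn, "ops", "0ps-pass", level=1, vendor="h3c")
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    # Prints the same three attribute lines the FreeRADIUS Access-Accept carries.
    for attr, op, value in authorize(conn, "test", "t3st-pass"):
        print(f"\t{attr} {op} {value}")
```

Keeping the three reply rows per user is what the screenshots show; on a larger deployment the same rows belong in radgroupreply with users mapped through radusergroup, so a privilege change is one row edit instead of one per user.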

You can turn on RADIUS debugging on the switch to watch the exchange:

```
*16.3833032462 Admin-3F-B-255.224 RDS/8/DEBUG:Receive Raw Packet is:
*16.3833032462 Admin-3F-B-255.224 RDS/8/DEBUG:
 02 11 00 2c 8b cf af 85 c6 ad e8 66 8f b3 aa 1b 
 a0 63 51 03 1a 0c 00 00 07 db 1d 06 00 00 00 03 
 06 06 00 00 00 01 0f 06 00 00 00 00 

*16.3833032472 Admin-3F-B-255.224 RDS/8/DEBUG:Receive:IP=[192.168.99.23],Code=[2],Length=[44]
*16.3833032472 Admin-3F-B-255.224 RDS/8/DEBUG:
[hw-29 Exec_Privilege           ] [6 ] [3]
[6  Service-Type                ] [6 ] [1]
[15 Login-Service               ] [6 ] [0]
%Sep  1 13:49:12 2016 Admin-3F-B-255.224 SHELL/5/LOGIN: test@isc login from 192.168.99.23
*16.3833032512 Admin-3F-B-255.224 RDS/8/DEBUG:Recv MSG,[MsgType=Leaving request Index = 188, ulParam3=0]
```

The RADIUS server, running in debug mode, shows the matching Access-Accept:

```
[sql_log]       expand: /var/log/radius/radacct/sql-relay -> /var/log/radius/radacct/sql-relay
++[sql_log] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 23 to 10.255.255.93 port 1024
        Huawei-Exec-Privilege := 3
        Service-Type := Login-User
        Login-Service := Telnet
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 3 ID 23 with timestamp +39
Ready to process requests.
```
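To see what the switch actually received, here is an added Python example (not code from the original post) that decodes the raw packet from the RDS debug output above: the three attributes it finds are exactly the Huawei-Exec-Privilege, Service-Type and Login-Service lines in the FreeRADIUS log. It also shows the RFC 2865 Response Authenticator check that the switch performs with the shared secret; since the matching Access-Request is not on the page, the request authenticator used for that part is a constructed value.

```python
import hashlib
import struct

# Raw Access-Accept copied from the switch's RDS/8/DEBUG output.
ACCEPT_HEX = (
    "02 11 00 2c 8b cf af 85 c6 ad e8 66 8f b3 aa 1b "
    "a0 63 51 03 1a 0c 00 00 07 db 1d 06 00 00 00 03 "
    "06 06 00 00 00 01 0f 06 00 00 00 00"
)

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
# Only the enumerations this page uses are mapped; anything else stays numeric.
SERVICE_TYPE = {1: "Login-User"}
LOGIN_SERVICE = {0: "Telnet"}
# Enterprise number 2011 is Huawei; sub-attribute 29 is Exec-Privilege
# ("hw-29 Exec_Privilege" in the switch log).
VENDORS = {2011: {29: "Huawei-Exec-Privilege"}}


def parse_radius(raw):
    """Decode a RADIUS packet into (code name, id, authenticator, [(name, value), ...]).
    Vendor-Specific (type 26) attributes are expanded into their sub-attributes."""
    code, pid, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        payload = raw[pos + 2:pos + alen]
        if atype == 26:
            vendor_id = struct.unpack("!I", payload[:4])[0]
            names = VENDORS.get(vendor_id, {})
            vpos = 4
            while vpos < len(payload):
                if vpos + 2 > len(payload):
                    raise ValueError("truncated vendor attribute header")
                vtype, vlen = payload[vpos], payload[vpos + 1]
                if vlen < 2 or vpos + vlen > len(payload):
                    raise ValueError(f"bad vendor attribute length at offset {pos + 2 + vpos}")
                value = int.from_bytes(payload[vpos + 2:vpos + vlen], "big")
                attrs.append((names.get(vtype, f"Vendor-{vendor_id}-{vtype}"), value))
                vpos += vlen
        elif atype == 6:
            value = int.from_bytes(payload, "big")
            attrs.append(("Service-Type", SERVICE_TYPE.get(value, value)))
        elif atype == 15:
            value = int.from_bytes(payload, "big")
            attrs.append(("Login-Service", LOGIN_SERVICE.get(value, value)))
        else:
            attrs.append((f"Attr-{atype}", payload))
        pos += alen
    return CODES.get(code, code), pid, raw[4:20], attrs


def response_authenticator(packet, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()


def verify_response(packet, request_authenticator, secret):
    """The check a NAS performs before trusting a reply. A failing reply is silently
    dropped, so a mismatched 'key authentication' shows up as a timeout, not a reject."""
    return response_authenticator(packet, request_authenticator, secret) == packet[4:20]


def build_accept(pid, request_authenticator, secret, attributes):
    """Build an Access-Accept the way the server does: header, then the authenticator
    computed over the attributes and the shared secret."""
    head = struct.pack("!BBH", 2, pid, 20 + len(attributes))
    auth = response_authenticator(head + bytes(16) + attributes, request_authenticator, secret)
    return head + auth + attributes


if __name__ == "__main__":
    raw = bytes.fromhex(ACCEPT_HEX)
    code, pid, _, attrs = parse_radius(raw)
    print(f"{code} id={pid}")
    for name, value in attrs:
        print(f"  {name} = {value}")
    # Constructed: the matching Access-Request is not on the page, so an assumed
    # request authenticator is used to demonstrate the check with the page's secret.
    req_auth = bytes(range(16))
    rebuilt = build_accept(pid, req_auth, b"Clifford-Group", raw[20:])
    print("secret ok:", verify_response(rebuilt, req_auth, b"Clifford-Group"))
    print("wrong secret:", verify_response(rebuilt, req_auth, b"wrong-secret"))
```

The decoded list reads Huawei-Exec-Privilege = 3, Service-Type = Login-User, Login-Service = Telnet, which is why the shell log immediately shows `test@isc login`. The authenticator part is what to reach for when the switch logs a reply but still times out: the server secret in clients.conf and the switch's `key authentication` must match byte for byte.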
3. Switch-side configuration, by software version.
Version 3.10 (admin@system):

```
radius scheme clifford
 server-type huawei
 primary authentication 192.168.99.23 1812
 accounting optional
 key authentication Clifford-Group
 user-name-format without-domain
quit

domain isc
 radius-scheme clifford
quit
domain default enable isc

quit
```

Version 5.20 (H3C S5500-28C-SI) and Version 5.20.99 (H3C S2626, admin@system):

```
radius scheme clifford
 server-type extended
 primary authentication 192.168.99.23
 primary accounting 192.168.99.23
 key authentication Clifford-Group
 user-name-format without-domain
quit

domain isc
 authentication login radius-scheme clifford
 authorization login radius-scheme clifford
 accounting login none
quit

 domain default enable isc
```


Version 5.70 (Quidway S2326TP-SI, Quidway S2700-52P-EI-AC) and Version 5.110:

```
radius-server template radius-temp
 radius-server shared-key simple Clifford-Group
 radius-server authentication 192.168.99.23 1812
 radius-server accounting 192.168.99.23 1813
 radius-server retransmit 2
 undo radius-server user-name domain-included

aaa
authentication-scheme default
authentication-mode none 
 authentication-scheme auth
  authentication-mode radius local
 accounting-scheme acc
  accounting-mode radius
  accounting start-fail online
 domain isc
  authentication-scheme auth
  accounting-scheme acc
  radius-server  radius-temp
quit
quit

domain isc
```
