Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring Data Center Network Management (RADIUS Authentication)

Applicable Products and Versions

This example applies to all models and versions.

Networking Requirements

A data center network of an enterprise is complex. To ensure security and stability of the network, the enterprise needs to monitor the network in real time and restrict login rights of the administrator. A network management system can meet the preceding requirements.

As shown in Figure 2-40, the IP addresses have been configured for the network devices and there is a reachable route between the RADIUS server and NMS. Users are allowed to log in to the device only after passing the RADIUS authentication. The NMS monitors the entire network, and receives the traps and logs from each host.

Figure 2-40 Configuring data center network management (RADIUS authentication)

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure the RADIUS protocol to implement RADIUS authentication. Users who log in to the device through STelnet are authenticated by the RADIUS server against the user names and passwords configured there, which protects the login process.
  2. Configure STelnet. STelnet provides secure logins over insecure networks, protecting the integrity and confidentiality of the management session.
  3. Configure the SNMP function. The authentication and encryption methods of SNMPv3 are used to ensure the security of connection between the device and NMS. The NMS can centrally manage all network devices.
  4. Configure the device to send logs and traps to the NMS through SNMP.
NOTE:

The following configurations are performed on SwitchA. The configurations on other devices are the same as the configurations on SwitchA.

Ensure that the RADIUS server IP address, port number, and shared key in the RADIUS server group are configured correctly and are the same as those on the RADIUS server.

Ensure that at least one user has been configured on the RADIUS server. In this example, the user name is admin@admin123 and the password is huawei@1234.

If multiple users are configured on the RADIUS server, you are advised to run the ssh authentication-type default password command to use the default password authentication mode for local users to simplify the configuration.
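The note above requires the shared key on the switch to match the one on the RADIUS server. The following Python program is an added example (not Huawei's code) that simulates one RFC 2865 Access-Request / Access-Accept exchange between the switch (the NAS) and the server, so that the role of the shared key is visible: it hides the User-Password attribute in the request and signs the server's reply with the Response Authenticator. The server address and port (10.7.66.66, UDP 1812), the shared key hello and the account admin@admin123 / huawei@1234 are the values from this example; the packet identifier and the random Request Authenticator are constructed here, and the server side is simulated in-process, so nothing is sent on the network.

```python
"""Added example, not Huawei's code: an RFC 2865 Access-Request / Access-Accept
exchange between a NAS (the switch) and a RADIUS server, showing what the
shared key of the RADIUS server group actually does. Values from the page:
server 10.7.66.66:1812, shared key "hello", user admin@admin123 / huawei@1234.
Constructed here: the packet identifier (7) and the random Request Authenticator.
The server side is simulated in-process; no packet is transmitted."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-byte authenticator follows


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password(); the mask chain runs over the hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, mask))
    return out.rstrip(b"\x00")  # strip padding; the passwords here contain no NUL bytes


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    length = HEADER.size + 16 + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length) + req_auth + attrs + secret).digest()


def build_access_request(ident, username, password, secret, req_auth):
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + 16 + len(attrs)) + req_auth + attrs


def server_handle(request, secret, user_db):
    """Simulated RADIUS server: unhide the password with its own copy of the key,
    check it against the user database, and sign the reply."""
    code, ident, length = HEADER.unpack(request[:HEADER.size])
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    reply = ACCESS_ACCEPT if user_db.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    resp_auth = response_authenticator(reply, ident, req_auth, b"", secret)
    return HEADER.pack(reply, ident, 20) + resp_auth


def client_verify(response, req_auth, secret):
    """NAS side: a reply whose authenticator does not verify was not produced with
    our key (key mismatch, forgery or corruption) and must be discarded."""
    code, ident, length = HEADER.unpack(response[:HEADER.size])
    expected = response_authenticator(code, ident, req_auth, response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20]), code == ACCESS_ACCEPT


def radius_login(username, password, nas_secret, server_secret, user_db):
    """Run one exchange; returns (reply_authentic, access_accepted)."""
    req_auth = os.urandom(16)  # constructed: a fresh random Request Authenticator
    request = build_access_request(7, username, password, nas_secret, req_auth)
    response = server_handle(request, server_secret, user_db)
    return client_verify(response, req_auth, nas_secret)


if __name__ == "__main__":
    users = {b"admin@admin123": b"huawei@1234"}  # the account from this example
    print(radius_login(b"admin@admin123", b"huawei@1234", b"hello", b"hello", users))  # (True, True)
    print(radius_login(b"admin@admin123", b"huawei@1234", b"hello", b"wrong", users))  # (False, False)
```

With matching keys the reply verifies and the login is accepted; with a mismatched key the server unhides a garbage password and rejects the user, and the reply's authenticator does not verify on the switch either, which is the failure a practitioner sees when the key in the RADIUS server group and the key on the server differ.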

Procedure

  1. Configure RADIUS.
    1. Configure a RADIUS server group.

      <HUAWEI> system-view
      [~HUAWEI] sysname SwitchA
      [~HUAWEI] commit
      [~SwitchA] radius enable
      [~SwitchA] radius server group shiva
      [~SwitchA-radius-shiva] radius server authentication 10.7.66.66 1812          //Configure the IP address and port number of the RADIUS server.
      [~SwitchA-radius-shiva] radius server shared-key-cipher hello                  //Configure the shared key of the RADIUS server.
      [~SwitchA-radius-shiva] radius server retransmit 2                              //Set the retransmission times to 2.
      [~SwitchA-radius-shiva] quit

    2. Create an AAA scheme auth and set the authentication method to RADIUS.

      [~SwitchA] aaa
      [~SwitchA-aaa] authentication-scheme auth
      [~SwitchA-aaa-authen-auth] authentication-mode radius
      [~SwitchA-aaa-authen-auth] quit

    3. Create the domain admin123 and bind the AAA scheme auth and RADIUS server group shiva to the domain.

      [~SwitchA-aaa] domain admin123
      [~SwitchA-aaa-domain-admin123] authentication-scheme auth
      [~SwitchA-aaa-domain-admin123] radius server group shiva
      [~SwitchA-aaa-domain-admin123] quit
      [~SwitchA-aaa] quit
      [~SwitchA] commit

  2. Configure STelnet.
    1. Configure the device to support STelnet.

      [~SwitchA] rsa local-key-pair create
      The key name will be: SwitchA_Host
      The range of public key size is (512 ~ 2048).
      NOTE: If the key modulus is greater than 512,
            it will take a few minutes.
      Input the bits in the modulus [default = 2048] : 2048  //You are advised to set the size of the key pairs to 2048 to improve device security. In V200R001C00 and later versions, the switch supports only 2048-bit key pairs, and you do not need to enter the value.
      [~SwitchA] stelnet server enable

    2. Configure the SSH user login interface.

      [~SwitchA] user-interface vty 0 4
      [~SwitchA-ui-vty0-4] authentication-mode aaa
      [~SwitchA-ui-vty0-4] protocol inbound ssh
      [~SwitchA-ui-vty0-4] user privilege level 3
      [~SwitchA-ui-vty0-4] quit

    3. Configure the SSH user admin@admin123.

      [~SwitchA] ssh user admin@admin123 authentication-type password
      [~SwitchA] ssh user admin@admin123 service-type stelnet
      [~SwitchA] commit

  3. Configure the SNMP function.
    1. Connect the SNMP agent to the NMS.

      [~SwitchA] snmp-agent sys-info version v3
      [~SwitchA] snmp-agent mib-view included iso-view iso
      [~SwitchA] snmp-agent group v3 admingroup privacy write-view iso-view notify-view iso-view
      [~SwitchA] snmp-agent usm-user v3 adminuser admingroup authentication-mode sha Admin@1234 privacy-mode aes128 Helloworld@6789   //Authentication methods include MD5 and SHA. SHA has higher security and MD5 has higher speed. In this example, SHA is used. Encryption methods include 3DES168, AES128, AES192, AES256, and DES56. AES has higher security. In this example, AES128 is used.

    2. Configure the trap host.

      [~SwitchA] snmp-agent target-host host-name nms trap address udp-domain 10.7.60.66 params securityname adminuser v3 privacy  //The security level of the trap host must be the same as or higher than the security level of the user's group. In this example, the level is set to privacy (authentication and encryption).
      [~SwitchA] commit

  4. Configure the device to send logs and traps to the NMS through SNMP.

    [~SwitchA] info-center source default channel 5 log state on
    [~SwitchA] commit
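The SNMPv3 user configured in step 3 never has its passwords sent to the NMS: both sides derive keys from the passwords and then localize them with the agent's engine ID (RFC 3414). The Python program below is an added example (not Huawei's code) of that derivation for an authentication-mode sha / privacy-mode aes128 user. It uses the local engine ID from the configuration file and the passwords from the procedure; the RFC 3414 appendix A.3 test vectors (password maplesyrup, engine ID 000000000000000000000002) are included as a check of the implementation, and the second engine ID is a constructed value used only to show that the keys change per device.

```python
"""Added example, not Huawei's code: RFC 3414 password-to-key and key
localization for the SNMPv3 user in this configuration. From the page: the
local engine ID 800007DB03306B20792201 and the passwords Admin@1234 (auth)
and Helloworld@6789 (privacy). Constructed: the second engine ID used to show
that localization ties keys to one agent."""
import hashlib

PAGE_ENGINE_ID = "800007DB03306B20792201"  # snmp-agent local-engineid from the configuration file
MEGABYTE = 1048576


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Ku: hash the password repeated cyclically to 1,048,576 bytes (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (MEGABYTE // len(password) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key becomes specific to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id_hex: str, hash_name: str = "sha1") -> bytes:
    return localize_key(password_to_key(password, hash_name), bytes.fromhex(engine_id_hex), hash_name)


def usm_keys(auth_password: bytes, priv_password: bytes, engine_id_hex: str):
    """Keys for an authentication-mode sha / privacy-mode aes128 user: SHA-1 gives
    a 20-byte authentication key; AES-128 uses the first 16 bytes of the
    localized privacy key (RFC 3826)."""
    auth_key = localized_key(auth_password, engine_id_hex, "sha1")
    priv_key = localized_key(priv_password, engine_id_hex, "sha1")[:16]
    return auth_key, priv_key


if __name__ == "__main__":
    auth_key, priv_key = usm_keys(b"Admin@1234", b"Helloworld@6789", PAGE_ENGINE_ID)
    print("auth key:", auth_key.hex())
    print("priv key:", priv_key.hex())
    # The same passwords localized to another engine ID give different keys, which
    # is why the NMS has to discover each agent's engine ID and why a replaced
    # switch (new engine ID) needs its keys re-derived on the NMS.
    other_auth, _ = usm_keys(b"Admin@1234", b"Helloworld@6789", "800007DB03000000000001")
    print("keys differ on another engine:", other_auth != auth_key)
```

The localization step is also why the local engine ID shows up in the configuration file: if it changes, the NMS's stored keys for this switch stop working even though the passwords are unchanged.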

Verifying the Configuration

The configuration is successful if the following conditions are met:
  • You can successfully log in to the device through STelnet by using the user name and password configured on the RADIUS server.
  • When you perform operations on the device through SNMP, the NMS can receive the logs and traps.

Configuration File

Configuration file of SwitchA

#
sysname SwitchA 
# 
info-center source default channel 5 log state on
#
radius enable  
#
radius server group shiva
 radius server shared-key-cipher %^%#L@71VU/>5>n/c$GKI>J!i:Uz~:!<.W'jc0X@nE4$%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
 radius server authentication 10.7.66.66 1812
 radius server retransmit 2  
#
aaa
 #
 authentication-scheme auth
  authentication-mode radius
 #
 domain admin123
  authentication-scheme auth
  radius server group shiva
#
snmp-agent
snmp-agent local-engineid 800007DB03306B20792201
#
snmp-agent sys-info version v3
snmp-agent group v3 admingroup privacy write-view iso-view notify-view iso-view
snmp-agent target-host host-name nms trap address udp-domain 10.7.60.66 params securityname adminuser v3 privacy
#
snmp-agent mib-view included iso-view iso
snmp-agent usm-user v3 adminuser
snmp-agent usm-user v3 adminuser group admingroup
snmp-agent usm-user v3 adminuser authentication-mode sha cipher %^%#BQV1%E-zm5`pG^HCe.4-yi-EUx$iv=S(jiKO7tJN%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
snmp-agent usm-user v3 adminuser privacy-mode aes128 cipher %^%#4_o.,z8`_OmbfU4svg>8"[TxSo\9'R]d/[TXR3!&%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
#
stelnet server enable
ssh user admin@admin123
ssh user admin@admin123 authentication-type password
ssh user admin@admin123 service-type stelnet
ssh authorization-type default aaa  //This command has been supported since V100R005C10.
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return

Updated: 2019-04-03

Document ID: EDOC1000039339
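The configuration file above can be checked mechanically for the properties this example depends on: RADIUS authentication bound to the domain, SNMPv3 only with SHA authentication and AES privacy, a trap host whose security level is not below the user's group level, and VTY access limited to SSH with AAA authentication. The following Python program is an added example (not Huawei's code) of such an audit. The embedded configuration is a trimmed copy of the file above with the ciphertext values replaced by a placeholder; the parser only understands the flat, '#'-separated layout shown on this page and is not a general VRP configuration parser.

```python
"""Added example, not Huawei's code: audit a CloudEngine-style configuration
file for the security properties this configuration example relies on.
PAGE_CONFIG is a trimmed copy of the configuration file on the page; the
ciphertext values are replaced by a placeholder."""

PAGE_CONFIG = """\
radius enable
#
radius server group shiva
 radius server shared-key-cipher %^%#PLACEHOLDER%^%#
 radius server authentication 10.7.66.66 1812
 radius server retransmit 2
#
aaa
 #
 authentication-scheme auth
  authentication-mode radius
 #
 domain admin123
  authentication-scheme auth
  radius server group shiva
#
snmp-agent sys-info version v3
snmp-agent group v3 admingroup privacy write-view iso-view notify-view iso-view
snmp-agent target-host host-name nms trap address udp-domain 10.7.60.66 params securityname adminuser v3 privacy
snmp-agent usm-user v3 adminuser
snmp-agent usm-user v3 adminuser group admingroup
snmp-agent usm-user v3 adminuser authentication-mode sha cipher %^%#PLACEHOLDER%^%#
snmp-agent usm-user v3 adminuser privacy-mode aes128 cipher %^%#PLACEHOLDER%^%#
#
stelnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""
SEC_LEVEL = {"authentication": 1, "privacy": 2}  # no keyword: no authentication (0)


def parse_sections(text):
    """Top-level commands paired with their indented sub-commands as (indent, text)."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append((indent, raw.strip()))
    return sections


def level_of(words):
    return max((SEC_LEVEL.get(w, 0) for w in words), default=0)


def audit(text):
    sections = parse_sections(text)
    headers = [h for h, _ in sections]
    findings, modes, schemes, group_level, user_group = [], {}, {}, {}, {}
    if "radius enable" not in headers:
        findings.append("RADIUS is not enabled")
    if "stelnet server enable" not in headers:
        findings.append("STelnet server is not enabled")
    for h, sub in sections:
        words, lines = h.split(), [t for _, t in sub]
        if h.startswith("radius server group "):
            if not any(t.startswith("radius server authentication ") for t in lines):
                findings.append(f"{h}: no authentication server configured")
            if not any("shared-key" in t for t in lines):
                findings.append(f"{h}: no shared key configured")
        elif h == "aaa":  # map each domain to its scheme and each scheme to its mode
            scheme = domain = None
            for indent, t in sub:
                w = t.split()
                if indent == 1:
                    scheme = w[1] if w[0] == "authentication-scheme" else None
                    domain = w[1] if w[0] == "domain" else None
                elif indent == 2 and scheme and w[0] == "authentication-mode":
                    modes[scheme] = w[1:]
                elif indent == 2 and domain and w[0] == "authentication-scheme":
                    schemes[domain] = w[1]
        elif h.startswith("snmp-agent sys-info version"):
            for v in words[3:]:
                if v != "v3":
                    findings.append(f"SNMP {v} enabled: only v3 offers authentication and encryption")
        elif h.startswith("snmp-agent group v3 "):
            group_level[words[3]] = level_of(words[4:])
        elif h.startswith("snmp-agent usm-user v3 "):
            if len(words) > 5 and words[4] == "group":
                user_group[words[3]] = words[5]
            if "authentication-mode" in words and words[words.index("authentication-mode") + 1].lower() == "md5":
                findings.append(f"usm-user {words[3]}: MD5 authentication, use SHA")
            if "privacy-mode" in words and not words[words.index("privacy-mode") + 1].lower().startswith("aes"):
                findings.append(f"usm-user {words[3]}: non-AES privacy")
        elif h.startswith("user-interface vty"):
            if "authentication-mode aaa" not in lines:
                findings.append(f"{h}: authentication is not AAA")
            if "protocol inbound ssh" not in lines:
                findings.append(f"{h}: inbound protocol is not restricted to SSH")
    for d, s in schemes.items():
        if "radius" not in modes.get(s, []):
            findings.append(f"domain {d}: scheme {s} does not authenticate against RADIUS")
    for h in headers:  # second pass: the usm-user group line may follow the target-host line
        words = h.split()
        if h.startswith("snmp-agent target-host ") and "securityname" in words:
            user = words[words.index("securityname") + 1]
            if level_of(words) < group_level.get(user_group.get(user), 0):
                findings.append(f"target-host: security level for {user} is below its group's level")
    return findings


if __name__ == "__main__":
    print(audit(PAGE_CONFIG) or "no findings")
```

Running it on the page's configuration yields no findings; weakening the file (enabling v2c alongside v3, MD5 authentication, a trap host at the authentication level while the group requires privacy, or protocol inbound all on the VTY lines) produces one finding per change, which is the kind of drift check worth running before and after every configuration commit.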
