CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

These documents describe the configuration of the services supported by the CX11x, CX31x, and CX91x series switch modules, covering both function configuration and configuration examples.
Configuration Examples

This section provides several AAA configuration examples, including networking requirements, configuration notes, and configuration roadmap.

Example for Configuring RADIUS Authentication and Accounting

Networking Requirements

As shown in Figure 12-19, users belong to the domain huawei. The Switch Module functions as the network access server (NAS) for the destination network: users can reach the destination network through the Switch Module only after they have been authenticated. Remote authentication on the Switch Module works as follows:

  • The RADIUS server performs authentication and accounting for access users.

  • The RADIUS server at 10.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server at 10.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813.

Figure 12-19 Networking diagram of RADIUS authentication and accounting

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a RADIUS server group.
  2. Configure an authentication scheme and an accounting scheme.
  3. Apply the RADIUS server group, authentication scheme, and accounting scheme to the domain.
NOTE:

Ensure that there are reachable routes between the Switch Module and the RADIUS server.

Procedure

  1. Configure a RADIUS server group.

    # Configure a RADIUS group shiva.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch Module
    [~Switch Module] radius enable
    [*Switch Module] radius server group shiva

    # Configure the IP address and port numbers of the primary RADIUS authentication and accounting server.

    [*Switch Module-radius-shiva] radius server authentication 10.7.66.66 1812 
    [*Switch Module-radius-shiva] radius server accounting 10.7.66.66 1813 

    # Configure the IP address and port numbers of the secondary RADIUS authentication and accounting server.

    [*Switch Module-radius-shiva] radius server authentication 10.7.66.67 1812 secondary
    [*Switch Module-radius-shiva] radius server accounting 10.7.66.67 1813 secondary

    # Configure the shared key and retransmission count of the RADIUS server.

    NOTE:

    Ensure that the shared key configured in the RADIUS server group is the same as the key configured on the RADIUS server. The value hello is only an example; in production use a long, random key, because the shared key is what masks the user password in RADIUS requests and authenticates the replies from the server.

    [*Switch Module-radius-shiva] radius server shared-key-cipher hello
    [*Switch Module-radius-shiva] radius server retransmit 2
    [*Switch Module-radius-shiva] commit
    [~Switch Module-radius-shiva] quit

  2. Configure authentication and accounting schemes.

    # Configure authentication scheme auth and set the authentication method to RADIUS authentication.

    [~Switch Module] aaa
    [~Switch Module-aaa] authentication-scheme auth
    [*Switch Module-aaa-authen-auth] authentication-mode radius
    [*Switch Module-aaa-authen-auth] commit
    [~Switch Module-aaa-authen-auth] quit

    # Configure the accounting scheme abc that uses RADIUS accounting.

    [~Switch Module-aaa] accounting-scheme abc
    [*Switch Module-aaa-accounting-abc] accounting-mode radius
    [*Switch Module-aaa-accounting-abc] commit
    [~Switch Module-aaa-accounting-abc] quit

  3. Configure a domain huawei and apply authentication scheme auth, accounting scheme abc, and RADIUS server group shiva to the domain.

    [~Switch Module-aaa] domain huawei
    [*Switch Module-aaa-domain-huawei] authentication-scheme auth
    [*Switch Module-aaa-domain-huawei] accounting-scheme abc
    [*Switch Module-aaa-domain-huawei] radius server group shiva
    [*Switch Module-aaa-domain-huawei] commit
    [~Switch Module-aaa-domain-huawei] quit
    [~Switch Module-aaa] quit
    [~Switch Module] quit

  4. Verify the configuration.

    # Run the display radius server configuration group command on the Switch Module. The output shows that the RADIUS server group is configured as required.

    <Switch Module> display radius server configuration group shiva
    -----------------------------------------------------------------------------   
    Server group name                   :  shiva                                    
    Protocol version                    :  standard                                 
    Shared secret key                   :  ****************                         
    Timeout interval(in second)         :  5                                        
    Primary authentication server       :  10.7.66.66-1812:-:-:-                   
    Primary accounting server           :  10.7.66.66-1813:-:-:-                   
    Secondary authentication server     :  10.7.66.67-1812:-:-:-                   
    Secondary accounting server         :  10.7.66.67-1813:-:-:-                   
    Retransmission                      :  2                                        
    Domain included                     :  YES                                      
    Mode                                :  Pri-secondary                            
    -----------------------------------------------------------------------------   

Configuration Files

Configuration files on Switch Module

#
 sysname Switch Module
#                                                                               
radius server group shiva                                                    
 radius server shared-key-cipher %@%@1W4@>f)q*6>%)K)s8At=,D_2%@%@               
 radius server authentication 10.7.66.66 1812                                  
 radius server authentication 10.7.66.67 1812 secondary                        
 radius server accounting 10.7.66.66 1813                                      
 radius server accounting 10.7.66.67 1813 secondary                            
 radius server retransmit 2                                                     
# 
aaa
 authentication-scheme auth
  authentication-mode radius
 # 
 accounting-scheme abc
  accounting-mode radius
 # 
 domain default     
 # 
 domain default_admin 
 # 
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius server group shiva
#
return
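The shared key set with radius server shared-key-cipher is the only secret shared between the Switch Module and the RADIUS server: it masks the User-Password attribute in every Access-Request and is the basis of the Response Authenticator that the NAS checks on every reply. The following Python script is an added example, not code from this guide or from Huawei. It simulates one NAS and one RADIUS server in-process with the standard library, following the RFC 2865 packet layout; the user database, user name and password in it are constructed sample data, and the key hello is the placeholder used in the example above.

```python
"""RADIUS Access-Request/Access-Accept exchange (RFC 2865) with the NAS and the
authentication server both simulated in-process, standard library only.
Added example, not code from the Huawei guide: it shows what the shared key
configured with 'radius server shared-key-cipher' protects. The user database,
user name and password below are constructed sample data."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample user database held by the RADIUS server.
USERS = {b"user1@huawei": b"Huawei@123"}


def _attr(atype, value):
    # RADIUS attribute TLV: type (1 byte), length (1 byte, header included), value
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(secret, request_auth, password):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each
    16-byte chunk with MD5(secret + previous ciphertext chunk), seeded with
    the Request Authenticator. Only the shared key and a fresh authenticator
    stand between a sniffer and the clear-text password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def unhide_password(secret, request_auth, hidden):
    """Server side of hide_password; a wrong key yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password):
    request_auth = os.urandom(16)  # must be unpredictable for every request
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attrs(blob):
    attrs, pos = {}, 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        attrs[atype] = blob[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_respond(secret, users, packet):
    """RADIUS server: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    pwd = unhide_password(secret, request_auth, attrs[ATTR_USER_PASSWORD])
    reply = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == pwd else ACCESS_REJECT
    header = struct.pack("!BBH", reply, ident, 20)  # no reply attributes
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(secret, request_packet, response):
    """NAS side: a reply whose Response Authenticator does not verify under
    the shared key is discarded, so an Access-Accept cannot be forged without
    the key (and is not accepted when the two sides hold different keys)."""
    request_auth = request_packet[4:20]
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return resp_auth == expected


def authenticate(nas_secret, server_secret, users, username, password):
    """One full round trip; returns 'accept', 'reject' or 'bad-authenticator'."""
    req = build_access_request(nas_secret, 7, username, password)
    resp = server_respond(server_secret, users, req)
    if not verify_response(nas_secret, req, resp):
        return "bad-authenticator"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate(b"hello", b"hello", USERS, b"user1@huawei", b"Huawei@123"))
    print(authenticate(b"hello", b"other", USERS, b"user1@huawei", b"Huawei@123"))
```

With the same key on both sides the exchange returns accept or reject according to the password. With different keys the server recovers a garbage password, rejects it, and signs the reply under its own key, so the NAS discards the reply because the Response Authenticator does not verify; on a real Switch Module that mismatch shows up as users failing RADIUS authentication even though the server is reachable, which is why the NOTE above insists on identical keys.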

Example for Configuring HWTACACS Authentication, Accounting, and Authorization

Networking Requirements

As shown in Figure 12-20, the customer requirements are as follows:

  • The HWTACACS server authenticates access users for the Switch Module. If HWTACACS authentication fails (for example, because no HWTACACS server responds), local authentication is used.
  • The HWTACACS server authorizes access users for the Switch Module. If HWTACACS authorization fails, local authorization is used.
  • HWTACACS accounting is used by Switch Module for access users.
  • The IP addresses of primary and secondary HWTACACS servers are 10.7.66.66/24 and 10.7.66.67/24. The port number for authentication, accounting, and authorization is 49.
Figure 12-20 Networking diagram of HWTACACS authentication, accounting, and authorization

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an HWTACACS server template.
  2. Configure authentication, authorization, and accounting schemes.
  3. Apply the HWTACACS server template, authentication scheme, authorization scheme, and accounting scheme to the domain.

Procedure

  1. Enable HWTACACS.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch Module
    [~Switch Module] hwtacacs enable
    [*Switch Module] commit

  2. Configure an HWTACACS server template.

    # Configure the HWTACACS server template ht.

    [~Switch Module] hwtacacs server template ht

    # Configure the IP addresses and port numbers of the primary HWTACACS authentication, authorization, and accounting servers.

    [*Switch Module-hwtacacs-ht] hwtacacs server authentication 10.7.66.66 49
    [*Switch Module-hwtacacs-ht] hwtacacs server authorization 10.7.66.66 49
    [*Switch Module-hwtacacs-ht] hwtacacs server accounting 10.7.66.66 49

    # Configure the IP addresses and port numbers of the secondary HWTACACS authentication, authorization, and accounting servers.

    [*Switch Module-hwtacacs-ht] hwtacacs server authentication 10.7.66.67 49 secondary
    [*Switch Module-hwtacacs-ht] hwtacacs server authorization 10.7.66.67 49 secondary
    [*Switch Module-hwtacacs-ht] hwtacacs server accounting 10.7.66.67 49 secondary

    # Configure the shared key of the HWTACACS server.

    NOTE:

    Ensure that the shared key configured in the HWTACACS server template is the same as the key configured on the HWTACACS server. As with RADIUS, hello is only an example value; use a long, random key in production.

    [*Switch Module-hwtacacs-ht] hwtacacs server shared-key cipher hello
    [*Switch Module-hwtacacs-ht] commit
    [~Switch Module-hwtacacs-ht] quit

  3. Configure the authentication scheme, authorization scheme, and accounting scheme.

    # Create an authentication scheme l-h. In this scheme, the system performs HWTACACS authentication first and falls back to local authentication if HWTACACS authentication fails (for example, because no HWTACACS server responds). Because of this fallback, the local user accounts on the Switch Module must also be maintained with strong passwords: when the HWTACACS servers are unreachable, those accounts decide who gets in.

    [~Switch Module] aaa
    [~Switch Module-aaa] authentication-scheme l-h
    [*Switch Module-aaa-authen-l-h] authentication-mode hwtacacs local
    [*Switch Module-aaa-authen-l-h] commit
    [~Switch Module-aaa-authen-l-h] quit

    # Create an authorization scheme hwtacacs. In the authorization scheme, the system performs HWTACACS authorization first, and performs local authorization if HWTACACS authorization fails.

    [~Switch Module-aaa] authorization-scheme hwtacacs
    [*Switch Module-aaa-author-hwtacacs] authorization-mode hwtacacs local
    [*Switch Module-aaa-author-hwtacacs] commit
    [~Switch Module-aaa-author-hwtacacs] quit

    # Create an accounting scheme hwtacacs and set HWTACACS accounting.

    [~Switch Module-aaa] accounting-scheme hwtacacs
    [*Switch Module-aaa-accounting-hwtacacs] accounting-mode hwtacacs
    [*Switch Module-aaa-accounting-hwtacacs] commit
    [~Switch Module-aaa-accounting-hwtacacs] quit

  4. Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.

    [~Switch Module-aaa] domain huawei
    [*Switch Module-aaa-domain-huawei] authentication-scheme l-h
    [*Switch Module-aaa-domain-huawei] authorization-scheme hwtacacs
    [*Switch Module-aaa-domain-huawei] accounting-scheme hwtacacs
    [*Switch Module-aaa-domain-huawei] hwtacacs server ht
    [*Switch Module-aaa-domain-huawei] commit
    [~Switch Module-aaa-domain-huawei] quit
    [~Switch Module-aaa] quit
    [~Switch Module] quit

  5. Verify the configuration.

    # Run the display hwtacacs server template command on Switch Module, and you can see that the configuration of the HWTACACS server template meets the requirements.

    <Switch Module> display hwtacacs server template ht
    --------------------------------------------------------------------------------
    Template name                          : ht 
    Template ID                            : 0  
    Primary authentication server          : 10.7.66.66-49:-  
    Primary authorization server           : 10.7.66.66-49:- 
    Primary accounting server              : 10.7.66.66-49:- 
    Primary common server                  : 0.0.0.0-0:- 
    Current authentication server          : 10.7.66.66-49:- 
    Current authorization server           : 10.7.66.66-49:-
    Current accounting server              : 10.7.66.66-49:- 
    Source IP address                      : 0.0.0.0  
    Shared key                             : ****************  
    Quiet interval (min)                   : 5     
    Response timeout interval (sec)        : 5    
    Domain included                        : Yes    
    Secondary authentication server count  : 1 
    Secondary authorization server count   : 1 
    Secondary accounting server count      : 1 
    Secondary common server count          : 0 
    --------------------------------------------------------------------------------

    # Run the display aaa domain command on Switch Module, and you can see that the configuration of the domain meets the requirements.

    <Switch Module> display aaa domain huawei  
    ---------------------------------------------------------------                 
    Domain-name                 : huawei                                            
    Domain-state                : Active                                            
    Authentication-scheme-name  : l-h                                               
    Authorization-scheme-name   : hwtacacs                                          
    Accounting-scheme-name      : hwtacacs                                          
    User-access-limit           : No                                                
    Online-number               : 0                                                 
    AdminUser-priority          : -
    HWTACACS-server-template    : ht                                                
    RADIUS-server-group         : -                                                 
    ---------------------------------------------------------------                 

Configuration Files

Configuration files on Switch Module

#
 sysname Switch Module
#
hwtacacs server template ht
 hwtacacs server authentication 10.7.66.66
 hwtacacs server authentication 10.7.66.67 secondary
 hwtacacs server authorization 10.7.66.66
 hwtacacs server authorization 10.7.66.67 secondary
 hwtacacs server accounting 10.7.66.66
 hwtacacs server accounting 10.7.66.67 secondary 
 hwtacacs server shared-key cipher @%@%X[mtX5,[ZE;nWGR.VAK7<`;n@%@%
#  
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 # 
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 # 
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 # 
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs server ht
#
return 
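HWTACACS differs from RADIUS in what the shared key protects: the whole packet body (user name, line, remote address, and in later exchanges the commands being authorized) is masked, not only a password field. The Python script below is an added example and not code from this guide or from Huawei. It implements the MD5-based body obfuscation of standard TACACS+ (RFC 8907, section 4.5) and assumes that HWTACACS, Huawei's TACACS+-compatible implementation, uses the same 12-byte header and the same masking scheme. The session ID, user name, line and remote address are constructed values, and the key hello is the placeholder from the example above.

```python
"""TACACS+ packet body obfuscation (RFC 8907 section 4.5), simulated
in-process with the standard library. Added example, not code from the
Huawei guide. ASSUMPTION: HWTACACS uses the same 12-byte header and the same
MD5-based body masking as standard TACACS+. Session ID, user name, line and
remote address below are constructed sample values."""
import hashlib
import struct

VERSION = 0xC0            # major version 0xc, minor version 0
TYPE_AUTHEN = 1           # TAC_PLUS_AUTHEN
FLAG_UNENCRYPTED = 0x01   # TAC_PLUS_UNENCRYPTED_FLAG: body sent in the clear
AUTHEN_LOGIN = 1          # action
AUTHEN_TYPE_ASCII = 1
AUTHEN_SVC_LOGIN = 1
START_FMT = "!BBBBBBBB"   # action, priv_lvl, authen_type, service, 4 lengths


def pseudo_pad(key, session_id, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}).
    The concatenation, truncated to the body length, is XORed with the body.
    Everything except the key is visible in the header, so the key is the
    only secret in the scheme."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def build_authen_start(user, port, rem_addr, priv_lvl=1):
    """Authentication START body: eight fixed bytes, then the variable fields."""
    fixed = struct.pack(START_FMT, AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def encode_packet(key, session_id, seq_no, body, obfuscate=True):
    flags = 0 if obfuscate else FLAG_UNENCRYPTED
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, flags,
                         session_id, len(body))
    if obfuscate:
        pad = pseudo_pad(key, session_id, VERSION, seq_no, len(body))
        body = bytes(a ^ b for a, b in zip(body, pad))
    return header + body


def decode_packet(key, packet):
    """Return (seq_no, body). XOR is symmetric, so the same pad recovers the
    body when, and only when, the receiver holds the same key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        pad = pseudo_pad(key, session_id, version, seq_no, length)
        body = bytes(a ^ b for a, b in zip(body, pad))
    return seq_no, body


def parse_authen_start(body):
    action, priv_lvl, _atype, _svc, ulen, plen, rlen, _dlen = struct.unpack(
        START_FMT, body[:8])
    pos = 8
    user = body[pos:pos + ulen]
    pos += ulen
    port = body[pos:pos + plen]
    pos += plen
    rem_addr = body[pos:pos + rlen]
    return {"action": action, "priv_lvl": priv_lvl, "user": user,
            "port": port, "rem_addr": rem_addr}


def user_from_packet(key, packet):
    """What a server holding 'key' believes the user name in the START is."""
    _seq, body = decode_packet(key, packet)
    return parse_authen_start(body)["user"]


if __name__ == "__main__":
    start = build_authen_start(b"admin", b"vty0", b"10.7.66.1")
    pkt = encode_packet(b"hello", 0x1234ABCD, 1, start)
    print(user_from_packet(b"hello", pkt))   # matching key
    print(user_from_packet(b"wrong", pkt))   # mismatched key: garbage
```

Decoding with the wrong key does not fail cleanly: the length fields and the user name come out as garbage, which is what the server sees when the key in the HWTACACS server template and the key on the server differ. Building the same packet with obfuscate=False shows why the unencrypted flag must never be used in production: the user name is readable on the wire, and the only thing then protecting the session is the reachability of the network path.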
Updated: 2019-08-09

Document ID: EDOC1000041694