CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configuration of security features, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Configuring AAA Schemes

Context

To use RADIUS AAA, set the authentication mode in an authentication scheme to RADIUS and the accounting mode in an accounting scheme to RADIUS.

If RADIUS authentication is configured, you can also configure local authentication or non-authentication as the backup. This allows local authentication or non-authentication to be implemented if RADIUS authentication fails.

NOTE:

If non-authentication is configured using the authentication-mode command, any user name and password are accepted. To protect the device and the network, enable authentication so that only authenticated users can access the device or network.

Procedure

  • Configuring an authentication scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      authentication-scheme authentication-scheme-name

      Create an authentication scheme and enter its view, or directly enter the view of an existing authentication scheme.

      By default, there is an authentication scheme named default on the device. The default authentication scheme can only be modified, but cannot be deleted.

    4. Run:

      authentication-mode radius

      RADIUS authentication is configured.

      By default, local authentication is used.

      To use local authentication as the backup authentication mode, run the authentication-mode radius local command.

      NOTE:

      If multiple authentication modes are configured in an authentication scheme, they are tried in the order in which they were configured. The device moves on to the next configured mode only when it receives no response from the current one (for example, the RADIUS server is unreachable). If the current mode answers with an authentication failure, the device rejects the user and does not try the next mode. The backup mode therefore covers server outages, not rejected credentials.

    5. (Optional) Run:

      authentication-super [ hwtacacs | radius | super ] * none

      The authentication mode for upgrading user levels in an authentication scheme is configured.

      By default, the super mode is used. That is, local authentication is used.

    6. Run:

      quit

      Return to the AAA view.

    7. (Optional) Run:

      domainname-parse-direction { left-to-right | right-to-left }

      The direction in which the user name and domain name are parsed is configured.

    8. (Optional) Run:

      remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time

      The remote AAA authentication account locking function is enabled, and the authentication retry interval, maximum number of consecutive authentication failures, and account locking period are set.

      By default, the remote AAA account locking function is enabled, authentication retry interval is 30 minutes, maximum number of consecutive authentication failures is 30, and account locking period is 30 minutes.

    9. (Optional) Run:

      remote-user authen-fail unblock { all | username username }

      The remote AAA authentication accounts are unlocked.

  • Configuring an accounting scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed.

      There is a default accounting scheme named default on the device. The default accounting scheme can only be modified, but cannot be deleted.

    4. Run:

      accounting-mode radius

      The accounting mode is configured.

      By default, the accounting mode is none.

    5. (Optional) Run:

      accounting start-fail { online | offline }

      A policy for accounting-start failures is configured.

      By default, users cannot go online if accounting-start fails.

    6. (Optional) Run:

      accounting realtime interval

      Real-time accounting is enabled and the interval for real-time accounting is set.

      By default, the device performs accounting based on user online duration, the real-time accounting function is disabled, and the interval for real-time accounting is not set.

    7. (Optional) Run:

      accounting interim-fail [ max-times times ] { online | offline }

      The maximum number of real-time accounting failures is set, and the policy applied once that number is exceeded is configured.

      After real-time accounting is enabled, the default maximum number of real-time accounting failures is 3, and by default the device keeps users online after real-time accounting fails.
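The two procedures above, carried through as one complete command sequence. This is an added example, not part of the original page: the scheme names rad-auth and rad-acct, the prompts, and the timer values are illustrative, and the display commands at the end are assumed to be the verification step for these schemes. Binding the schemes to a domain and configuring the RADIUS server template are not covered in this section and are omitted here.

```text
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authentication-scheme rad-auth
[Huawei-aaa-authen-rad-auth] authentication-mode radius local
[Huawei-aaa-authen-rad-auth] authentication-super radius super
[Huawei-aaa-authen-rad-auth] quit
[Huawei-aaa] remote-aaa-user authen-fail retry-interval 5 retry-time 5 block-time 15
[Huawei-aaa] accounting-scheme rad-acct
[Huawei-aaa-accounting-rad-acct] accounting-mode radius
[Huawei-aaa-accounting-rad-acct] accounting start-fail offline
[Huawei-aaa-accounting-rad-acct] accounting realtime 15
[Huawei-aaa-accounting-rad-acct] accounting interim-fail max-times 3 online
[Huawei-aaa-accounting-rad-acct] quit
[Huawei-aaa] quit
[Huawei] display authentication-scheme rad-auth
[Huawei] display accounting-scheme rad-acct
```

Three points to check in the output. First, authentication-mode must read radius local, never none: with none, any credentials are accepted. Second, local here is a fallback for an unreachable RADIUS server only; a user the server rejects stays rejected, so the local account base does not weaken the RADIUS policy. Third, the lockout values are tighter than the defaults (30 minutes, 30 failures, 30 minutes): five failures within five minutes lock the account for 15 minutes, which blunts online password guessing against remote accounts. An administrator locked out this way is released with remote-user authen-fail unblock username followed by the user name. The accounting choices keep the default start-fail offline (no session without an accounting record) while tolerating a few interim failures, which is the usual trade-off between auditability and availability.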

Updated: 2019-05-25

Document ID: EDOC1000097287