CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Configuring a RADIUS Server Template

Context

In a RADIUS server template, you must specify the IP address, port number, and shared key of a specified RADIUS server. Other settings, such as the RADIUS user name format, traffic unit, and number of times RADIUS request packets are retransmitted, have default values and can be changed based on network requirements.

The RADIUS server template settings such as the RADIUS user name format and shared key must be the same as those on the RADIUS server.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    radius-server template template-name

    The RADIUS server template view is displayed.

  3. (Optional) Run:

    radius-server algorithm { loading-share | master-backup }

    The algorithm for selecting RADIUS servers is configured.

    By default, the algorithm for selecting RADIUS servers is master/backup.

  4. Run:

    radius-server authentication ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address } | weight weight-value ] *

    or

    radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address } | weight weight-value ] *

    The RADIUS authentication server is configured.

    By default, no RADIUS authentication server is configured.

  5. Run:

    radius-server accounting ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address } | weight weight-value ] *

    or

    radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address } | weight weight-value ] *

    The RADIUS accounting server is configured.

    By default, no RADIUS accounting server is configured.

  6. Run:

    radius-server shared-key cipher key-string

    The RADIUS shared key is set.

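    By default, the RADIUS shared key is huawei and the password is in cipher text. Because this default value is documented, replace it with a unique key that matches the key configured on the RADIUS server.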

  7. (Optional) Run:

    radius-server user-name domain-included

    or

    radius-server user-name original

    The RADIUS user name format is configured.

    By default, the device does not modify the user name entered by the user in the packets sent to the RADIUS server.

    If the RADIUS server does not accept the user name with the domain name, run the undo radius-server user-name domain-included command to delete the domain name from the user name.

  8. (Optional) Run:

    radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

    The RADIUS traffic unit is set.

    The default RADIUS traffic unit is byte on the device.

  9. (Optional) Run:

    radius-server { retransmit retry-times | timeout time-value | dead-time dead-time } *

    The number of times that RADIUS request packets are retransmitted, timeout interval, and interval for the primary server to return to the active state are set.

    By default, the number of retransmission times is 3, timeout interval is 5 seconds, and the interval for the primary server to return to the active state is 5 minutes.

  10. (Optional) Run:

    radius-server nas-port-format { new | old }

    The NAS port format of the RADIUS server is configured.

    By default, the format of the NAS-Port attribute is new.

  11. (Optional) Run:

    radius-server nas-port-id-format { new | old }

    The ID format of the NAS port on the RADIUS server is set.

    By default, the new format of the NAS port ID attribute is used.

  12. (Optional) Run:

    radius-attribute nas-ip ip-address

    or

    radius-attribute nas-ipv6 ipv6-address

    The RADIUS NAS-IP-Address or NAS-IPv6-Address attribute is set.

  13. (Optional) Run:

    radius-server accounting-stop-packet resend [ resend-times ]

    Retransmission of accounting-stop packets is enabled and the number of accounting-stop packets that can be retransmitted each time is set.

    By default, the number of retransmission times is 0. That is, accounting-stop packets are not retransmitted.

  14. (Optional) Run:

    radius-attribute check attribute-name

    The specified attributes in the received RADIUS Access-Accept packets are checked.

    By default, the device does not check whether a RADIUS Access-Accept packet contains the specified attributes.

  15. (Optional) Run:

    radius-attribute set attribute-name attribute-value

    The value of the RADIUS attribute is changed.

  16. (Optional) Run:

    calling-station-id mac-format { dot-split | hyphen-split } [ mode1 | mode2 ] [ lowercase | uppercase ]

    or

    calling-station-id mac-format unformatted [ lowercase | uppercase ]

    The encapsulation format of the MAC address in the calling-station-id attribute (Type 31) of RADIUS packets is set.

    By default, the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets is xxxx-xxxx-xxxx, in lowercase.

  17. Run:

    quit

    Return to the system view.

  18. (Optional) Run:

    radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name | shared-key cipher key-string } * [ ack-reserved-interval interval ]

    A RADIUS authorization server is configured.

    By default, no RADIUS authorization server is configured.

  19. Run:

    return

    The user view is displayed.

  20. (Optional) Run:

    test-aaa user-name user-password radius-template template-name [ chap | pap ]

    The device tests whether a user can be authenticated using RADIUS authentication.
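
An added example, not part of the Huawei guide: a Python check that reads saved configuration text and flags RADIUS server templates that have no radius-server shared-key line (so the documented default key applies) or no authentication or accounting server. The sample configuration, template names, and addresses are constructed, and the check assumes the saved configuration omits settings left at their defaults and indents template sub-commands by one space.

```python
import re

# Constructed sample of saved configuration text (not from a real device).
SAMPLE_CONFIG = """\
radius-server template branch-ok
 radius-server shared-key cipher <constructed-ciphertext>
 radius-server authentication 192.0.2.10 1812 weight 80
 radius-server accounting 192.0.2.10 1813 weight 80
#
radius-server template branch-weak
 radius-server authentication 192.0.2.20 1812
 radius-server accounting-stop-packet resend 3
#
radius-server template branch-empty
 radius-server shared-key cipher <constructed-ciphertext>
#
"""

def parse_templates(config_text):
    """Return {template_name: [sub-commands]} for each RADIUS server template."""
    templates, current = {}, None
    for raw in config_text.splitlines():
        header = re.match(r"radius-server template (\S+)\s*$", raw)
        if header:
            current = templates.setdefault(header.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())  # indented line: belongs to the template
        else:
            current = None  # '#' or any unindented line ends the template view
    return templates

# (finding, command prefix that must be present). The trailing space keeps
# "radius-server accounting-stop-packet" from counting as an accounting server.
CHECKS = (
    ("default-shared-key", "radius-server shared-key "),
    ("no-authentication-server", "radius-server authentication "),
    ("no-accounting-server", "radius-server accounting "),
)

def audit_config(config_text):
    """Map each template name to the list of findings raised for it."""
    report = {}
    for name, commands in parse_templates(config_text).items():
        report[name] = [finding for finding, prefix in CHECKS
                        if not any(c.startswith(prefix) for c in commands)]
    return report

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", ", ".join(findings) or "ok")
```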

Updated: 2019-05-25

Document ID: EDOC1000097287
