CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Example for Configuring RADIUS Authentication and Accounting

Networking Requirements

As shown in Figure 1-21, all users belong to the domain huawei. Router functions as the network access server of the destination network. Users can access the destination network through Router only after being authenticated. The remote authentication on Router is described as follows:

  • The RADIUS server will authenticate access users for Router. If RADIUS authentication fails, local authentication is used.

  • The RADIUS server at 10.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server at 10.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813.

Figure 1-21  Networking diagram of RADIUS authentication and accounting

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a RADIUS server template.
  2. Configure an authentication scheme and an accounting scheme.
  3. Apply the RADIUS server template, authentication scheme, and accounting scheme to the domain.
NOTE:

Ensure that there are reachable routes between the Router and the RADIUS server.

Procedure

  1. Configure a RADIUS server template.

    # Configure a RADIUS template shiva.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] radius-server template shiva

    # Configure the IP address and port numbers of the primary RADIUS authentication and accounting server.

    [Router-radius-shiva] radius-server authentication 10.7.66.66 1812 weight 80
    [Router-radius-shiva] radius-server accounting 10.7.66.66 1813 weight 80

    # Configure the IP address and port numbers of the secondary RADIUS authentication and accounting server.

    [Router-radius-shiva] radius-server authentication 10.7.66.67 1812 weight 40
    [Router-radius-shiva] radius-server accounting 10.7.66.67 1813 weight 40

    # Set the key and retransmission count for the RADIUS server, and configure the device not to encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS server.

    NOTE:

    Ensure that the shared key in the RADIUS server template is the same as the shared key configured on the RADIUS server.

    [Router-radius-shiva] radius-server shared-key cipher Huawei@2012
    [Router-radius-shiva] radius-server retransmit 2
    [Router-radius-shiva] undo radius-server user-name domain-included
    [Router-radius-shiva] quit

  2. Configure authentication and accounting schemes.

    # Create an authentication scheme auth. In the authentication scheme, the system performs RADIUS authentication first, and performs local authentication if RADIUS authentication fails.

    [Router] aaa
    [Router-aaa] authentication-scheme auth
    [Router-aaa-authen-auth] authentication-mode radius local
    [Router-aaa-authen-auth] quit

    # Configure the accounting scheme abc that uses RADIUS accounting and the policy that the device is kept online when accounting fails.

    [Router-aaa] accounting-scheme abc
    [Router-aaa-accounting-abc] accounting-mode radius
    [Router-aaa-accounting-abc] accounting start-fail online
    [Router-aaa-accounting-abc] quit

  3. Configure a domain huawei and apply authentication scheme auth, accounting scheme abc, and RADIUS server template shiva to the domain.

    [Router-aaa] domain huawei
    [Router-aaa-domain-huawei] authentication-scheme auth
    [Router-aaa-domain-huawei] accounting-scheme abc
    [Router-aaa-domain-huawei] radius-server shiva
    [Router-aaa-domain-huawei] quit
    [Router-aaa] quit
    [Router] quit
    NOTE:

    After the domain huawei is configured, if a user enters the user name in the format of user@huawei, the device authenticates the user in the domain huawei. If the user name does not contain the domain name or the domain name does not exist, the device authenticates the user in the default domain.

    The domain that a user belongs to is determined by the RADIUS client, not by the RADIUS server. After the undo radius-server user-name domain-included command is executed on Router, when Router receives a user name in the format of user@huawei it sends the user name without the domain name to the RADIUS server. However, Router still places the user in the domain huawei for authentication.

  4. Configure AAA local authentication.

    [Router] aaa
    [Router-aaa] local-user user1 password irreversible-cipher Huawei@123
    [Router-aaa] local-user user1 service-type http
    [Router-aaa] local-user user1 privilege level 15
    [Router-aaa] quit
    

  5. Verify the configuration.

    # Run the display radius-server configuration template template-name command on Router to verify that the configuration of the RADIUS server template meets the requirements.

    <Router> display radius-server configuration template shiva
      ------------------------------------------------------------------------------
      Server-template-name          :  shiva
      Protocol-version              :  standard
      Traffic-unit                  :  B
      Shared-secret-key             :  %^%#BS'$!w:u7H.lu:/&W9A5=pUt%^%#
      Timeout-interval(in second)   :  5
      Retransmission                :  2
      EndPacketSendTime             :  0
      Dead time(in minute)          :  5
      Domain-included               :  NO
      NAS-IP-Address                :  0.0.0.0
      Calling-station-id MAC-format :  xxxx-xxxx-xxxx
      NAS-IPv6-Address              :  :: 
      Server algorithm              :  master-backup 
      Authentication Server 1       :  10.7.66.66     Port:1812  Weight:80
                                       Vrf:- LoopBack:NULL
                                       Source IP: ::
      Authentication Server 2       :  10.7.66.67     Port:1812  Weight:40
                                       Vrf:- LoopBack:NULL
                                       Source IP: ::
      Accounting Server     1       :  10.7.66.66     Port:1813  Weight:80
                                       Vrf:- LoopBack:NULL
                                       Source IP: ::
      Accounting Server     2       :  10.7.66.67     Port:1813  Weight:40
                                       Vrf:- LoopBack:NULL
                                       Source IP: ::
      ------------------------------------------------------------------------------ 
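As an added worked example (not part of the Huawei document or the VRP software), the following Python models the two rules the notes in this procedure state: a login of the form user@domain is placed in that domain only if the domain exists (otherwise the default domain), and the User-Name sent to RADIUS drops the suffix only because domain-included is disabled in the template; it also orders the authentication servers by weight as master-backup does. It parses a constructed excerpt of the Router configuration file in the same syntax; the parser and its dictionary layout are assumptions, not a Huawei API.

```python
import re

# Constructed sample: the RADIUS template and domain parts of the Router
# configuration file on this page (accounting lines omitted; unused here).
CONFIG = """\
radius-server template shiva
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server authentication 10.7.66.67 1812 weight 40
 undo radius-server user-name domain-included
#
aaa
 authentication-scheme auth
 domain huawei
  authentication-scheme auth
  radius-server shiva
#
"""

def parse_config(text):
    """Collect RADIUS templates and AAA domains from a VRP-style config."""
    templates, domains, tmpl, dom = {}, {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"radius-server template (\S+)$", s):
            tmpl = templates.setdefault(m[1], {"auth": [], "domain_included": True})
        elif tmpl and (m := re.match(r"radius-server authentication (\S+) (\d+) weight (\d+)$", s)):
            tmpl["auth"].append((m[1], int(m[2]), int(m[3])))
        elif tmpl and s == "undo radius-server user-name domain-included":
            tmpl["domain_included"] = False   # strip "@domain" before sending
        elif m := re.match(r"domain (\S+)$", s):
            dom = domains.setdefault(m[1], {})
        elif dom is not None and (m := re.match(r"(authentication-scheme|radius-server) (\S+)$", s)):
            dom[m[1]] = m[2]
        elif s == "#":
            tmpl = dom = None                  # section delimiter
    return templates, domains

def resolve_login(login, templates, domains, default_domain="default"):
    """Pick the AAA domain for a login and the User-Name the RADIUS client
    would send; the default domain in this config has no RADIUS template."""
    user, _, suffix = login.partition("@")
    domain = suffix if suffix in domains else default_domain
    tmpl = templates.get(domains.get(domain, {}).get("radius-server"))
    if tmpl is None:
        return {"domain": domain, "radius_user": None, "auth_servers": []}
    radius_user = login if tmpl["domain_included"] else user
    # master-backup: the server with the highest weight is the primary
    order = sorted(tmpl["auth"], key=lambda srv: -srv[2])
    return {"domain": domain, "radius_user": radius_user,
            "auth_servers": [f"{ip}:{port}" for ip, port, _ in order]}
```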

Configuration Files

Router configuration file

#
 sysname Router
#
radius-server template shiva
 radius-server shared-key cipher %^%#BS'$!w:u7H.lu:/&W9A5=pUt%^%#
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server authentication 10.7.66.67 1812 weight 40
 radius-server accounting 10.7.66.66 1813 weight 80
 radius-server accounting 10.7.66.67 1813 weight 40
 radius-server retransmit 2
 undo radius-server user-name domain-included
#
aaa
 authentication-scheme auth
  authentication-mode radius local
 accounting-scheme abc
  accounting-mode radius
  accounting start-fail online 
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius-server shiva
 local-user user1 password irreversible-cipher %^%#iv-e(@1]P90{2*&tcll)JN*KQ9c`"Ob^#"Al|p7EHK>qVzB%(7On,d&6iweF%^%#
 local-user user1 privilege level 15                                                       
 local-user user1 service-type http
#
return
Updated: 2019-05-25

Document ID: EDOC1000097287
