Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
RADIUS Configuration Commands

calling-station-id mac-format

Function

The calling-station-id mac-format command sets the encapsulation format of the MAC address in the calling-station-id (Type 31) attribute of RADIUS packets.

The undo calling-station-id mac-format command restores the default encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets.

By default, the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets is xxxx-xxxx-xxxx, in lowercase.

Format

calling-station-id mac-format { dot-split | hyphen-split } [ mode1 | mode2 ] [ lowercase | uppercase ]

calling-station-id mac-format unformatted [ lowercase | uppercase ]

undo calling-station-id mac-format

Parameters

Parameter Description Value
dot-split Indicates that the dot (.) is used as the separator in a MAC address. -
hyphen-split Indicates that the hyphen (-) is used as the separator in a MAC address. -
unformatted Indicates that no separator is used in a MAC address. -
mode1 Indicates that the MAC address in the calling-station-id attribute uses the xxxx-xxxx-xxxx format. -
mode2 Indicates that the MAC address in the calling-station-id attribute uses the xx-xx-xx-xx-xx-xx format. -
lowercase Indicates that the MAC address in the calling-station-id attribute is written in lowercase hexadecimal. -
uppercase Indicates that the MAC address in the calling-station-id attribute is written in uppercase hexadecimal. -

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

The default format of the MAC address in the calling-station-id attribute of RADIUS packets from the device is xxxx-xxxx-xxxx. If the RADIUS server does not support the default format, run the calling-station-id mac-format command to change the format.

Example

# Set the dot as the separator in a MAC address and the encapsulation format of the MAC address in the calling-station-id attribute to XX-XX-XX-XX-XX-XX in uppercase.

<Huawei> system-view
[Huawei] radius-server template huawei
[Huawei-radius-huawei] calling-station-id mac-format dot-split mode2 uppercase
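
The separator, mode and case options above combine into a small matrix of encodings. The following Python is an added example, not code from the Huawei document or the device: format_calling_station_id renders one MAC address in any of those encodings, and canonical_mac/same_station normalise a Calling-Station-Id string back to bare hex so that records produced by NASs with different mac-format settings can be correlated in RADIUS server logs. The function and parameter names are this example's own.

```python
import re

# Separator characters and group widths as the command options define them:
#   dot-split / hyphen-split / unformatted, mode1 (xxxx-xxxx-xxxx), mode2 (xx-xx-xx-xx-xx-xx)
_SEPARATORS = {"dot-split": ".", "hyphen-split": "-"}
_GROUP_WIDTH = {"mode1": 4, "mode2": 2}


def canonical_mac(text: str) -> str:
    """Strip every separator from a MAC address spelling and return the 12 hex
    digits in lowercase. Raises ValueError if the input is not a 48-bit MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return digits.lower()


def format_calling_station_id(mac: str, separator: str = "hyphen-split",
                              mode: str = "mode1", case: str = "lowercase") -> str:
    """Render a MAC address the way calling-station-id mac-format options describe it.
    The defaults reproduce the device default (xxxx-xxxx-xxxx, lowercase)."""
    digits = canonical_mac(mac)
    if case == "uppercase":
        digits = digits.upper()
    elif case != "lowercase":
        raise ValueError(f"unknown case option {case!r}")
    if separator == "unformatted":
        return digits                      # no separator at all
    sep = _SEPARATORS[separator]           # KeyError on an unknown separator option
    width = _GROUP_WIDTH[mode]             # KeyError on an unknown mode option
    return sep.join(digits[i:i + width] for i in range(0, 12, width))


def same_station(a: str, b: str) -> bool:
    """True if two Calling-Station-Id strings name the same MAC address,
    whatever separator, grouping or case each NAS used."""
    return canonical_mac(a) == canonical_mac(b)


if __name__ == "__main__":
    # Constructed sample address; print every encoding the command can produce.
    sample = "00:1A:2B:3C:4D:5E"
    for sep in ("dot-split", "hyphen-split"):
        for mode in ("mode1", "mode2"):
            for case in ("lowercase", "uppercase"):
                print(f"{sep:13} {mode} {case:9} -> {format_calling_station_id(sample, sep, mode, case)}")
    for case in ("lowercase", "uppercase"):
        print(f"unformatted         {case:9} -> {format_calling_station_id(sample, 'unformatted', case=case)}")
```

When matching a Calling-Station-Id against an allow-list or a log entry on the server side, compare the canonical form rather than the raw string; otherwise a NAS reconfigured from mode1 to mode2 silently stops matching.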

display radius-attribute

Function

The display radius-attribute command displays the RADIUS attributes supported by the device.

Format

display radius-attribute [ name attribute-name | type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 } ]

Parameters

Parameter

Description

Value

name attribute-name

Displays a specified RADIUS attribute. attribute-name specifies the name of the RADIUS attribute.

The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.

type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 }

Displays the RADIUS attribute of a specified type:
  • attribute-number1 specifies the standard attribute.
  • huawei attribute-number2 specifies a Huawei attribute.
  • microsoft attribute-number3 specifies a Microsoft attribute.

The value of attribute-number1, attribute-number2, or attribute-number3 is an integer that ranges from 1 to 2048.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Before connecting the device to a RADIUS server, run the display radius-attribute command to view the RADIUS attributes supported by the device. If the device and RADIUS server support different RADIUS attributes according to the command output, run the radius-attribute disable command on the device to disable RADIUS attributes that are not supported by the RADIUS server or run the radius-attribute translate command to translate RADIUS attributes.

Example

# Display the RADIUS attributes supported by the device.

<Huawei> display radius-attribute
  Codes: Auth(Authentication), Acct(Accounting)
         Req(Request), Accp(Accept), Rej(Reject)
         Resp(Response), COA(Change-of-Authorization)
         0(Can not exist in this packet)
         1(Can exist in this packet)
--------------------------------------------------------------------------------
Attribute                       Service    Auth Auth Auth Acct Acct COA COA
Name(Type)                       Type      Req  Accp Rej  Req  Resp Req Ack
--------------------------------------------------------------------------------
User-Name(1)                     All       1    0    0    1    0    1    1
User-Password(2)                 All       1    0    0    0    0    0    0
CHAP-Password(3)                 All       1    0    0    0    0    0    0
NAS-IP-Address(4)                All       1    0    0    1    0    1    1
NAS-Port(5)                      All       1    0    0    1    0    1    1
Service-Type(6)                  All       1    1    0    0    0    0    0
......
NOTE:

The preceding information is an example. The displayed attribute type depends on the actual situation.

Table 14-18  Description of the display radius-attribute command output

Item

Description

Attribute Name(Type)

Attribute name and type.

Service Type

Protocol type of the attribute.

Auth Req

Authentication request packet.

Auth Accp

Authentication accept packet.

Auth Rej

Authentication reject packet.

Acct Req

Accounting request packet.

Acct Resp

Accounting response packet.

COA Req

Change of Authorization (COA) request packet.

COA Ack

COA acknowledgement packet.

# Display the RADIUS attribute numbered 2.

<Huawei> display radius-attribute type 2
 Radius Attribute Type        : 2
 Radius Attribute Name        : User-Password
 Radius Attribute Description :  This Attribute indicates the password of the user to be authenticated. Only valid for the PAP authen
tication.
 Supported Packets            : Auth Request  
Table 14-19  Description of the display radius-attribute type command output

Item

Description

Radius Attribute Type

Type of the RADIUS attribute.

Radius Attribute Name

Name of the RADIUS attribute.

Radius Attribute Description

Description of the RADIUS attribute.

Supported Packets

Packets that support the RADIUS attribute.

display radius-attribute check

Function

The display radius-attribute check command displays the attributes to be checked in RADIUS Access-Accept packets.

Format

display radius-attribute [ template template-name ] check

Parameters

Parameter

Description

Value

template template-name

Displays the RADIUS attribute check configuration of a specified RADIUS server template.

The RADIUS server template must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the radius-attribute check command is executed to configure the attributes to be checked in RADIUS Access-Accept packets, you can use the display radius-attribute check command to view these attributes.

Example

# Check whether the RADIUS Access-Accept packets contain the framed-protocol attribute.

<Huawei> system-view
[Huawei] radius-server template test1
 Info: Create a new server template.  
[Huawei-radius-test1] radius-attribute check framed-protocol
[Huawei-radius-test1] quit
[Huawei] quit

# Check the attributes to be checked in RADIUS Access-Accept packets.

<Huawei> display radius-attribute check
Server-template-name: test1                                                     
--------------------------------------------------                              
check-attr                                                                      
--------------------------------------------------                              
Framed-Protocol                                                                 
-------------------------------------------------- 
Table 14-20  Description of the display radius-attribute check command output

Item

Description

Server-template-name

Name of the RADIUS server template.

check-attr

Attributes to be checked in RADIUS Access-Accept packets.

display radius-attribute disable

Function

The display radius-attribute disable command displays the disabled RADIUS attributes.

Format

display radius-attribute [ template template-name ] disable

Parameters

Parameter

Description

Value

template template-name

Displays the disabled RADIUS attributes in a specified RADIUS server template.

If this parameter is not specified, the disabled RADIUS attributes in all the RADIUS server templates are displayed.

The value is a string of 1 to 32 characters, including the letters A to Z and a to z (case-sensitive), the digits 0 to 9, the period (.), the hyphen (-), and the underscore (_). The value cannot be - or --.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can use the display radius-attribute disable command to view the RADIUS attributes disabled by using the radius-attribute disable command.

To enable a RADIUS attribute, run the undo radius-attribute disable command in the RADIUS server template view.

Example

# Display the disabled RADIUS attributes on the device.

<Huawei> display radius-attribute disable
Packet-Type: Type of the RADIUS packets to be modified. 1 indicates valid; 0 ind
icates invalid. Bit 1 to bit 4 indicate the authentication request, authenticati
on accept, accounting request, and accounting response packets. 

Server-template-name: template1
--------------------------------------------------------------------------------
Source-attr                                       Dest-attr           Direct
--------------------------------------------------------------------------------
NAS-IP-Address                                    Disable             receive
--------------------------------------------------------------------------------
Table 14-21  Description of the display radius-attribute disable command output

Item

Description

Server-template-name

Name of the RADIUS server template.

Source-attr

Source attribute name.

Dest-attr

Destination attribute name.

Direct

Direction in which the attribute is disabled.

display radius-attribute translate

Function

The display radius-attribute translate command displays the RADIUS attribute translation configuration.

Format

display radius-attribute [ template template-name ] translate

Parameters

Parameter

Description

Value

template template-name

Displays the RADIUS attribute translation configuration of a specified RADIUS server template. template-name specifies the name of the RADIUS server template that is created using the radius-server template command.

The value is a string of 1 to 32 characters, including the letters A to Z and a to z (case-sensitive), the digits 0 to 9, the period (.), the hyphen (-), and the underscore (_). The value cannot be - or --.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After running the radius-attribute translate command to configure the device to translate RADIUS attributes, run the display radius-attribute translate command to check the configuration.

Example

# Display the RADIUS attribute translation configuration.

<Huawei> display radius-attribute translate
Packet-Type: Type of the RADIUS packets to be modified. 1 indicates valid; 0 ind
icates invalid. Bit 1 to bit 4 indicate the authentication request, authenticati
on accept, accounting request, and accounting response packets.   

Server-template-name: rds                                                       
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID  Direct    Packet-Type
--------------------------------------------------------------------------------
0                6             0              40           receive    0 0 0 0   
--------------------------------------------------------------------------------
Server-template-name: eee                                                       
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID  Direct    Packet-Type
--------------------------------------------------------------------------------
234567           123           2011           20           --         0 1 0 1   
--------------------------------------------------------------------------------
Table 14-22  Description of the display radius-attribute translate command output

Item

Description

Server-template-name

RADIUS server template name.

Source-Vendor-ID

Vendor ID of the source attribute.

Source-Sub-ID

ID of the source attribute's sub-attribute.

Dest-Vendor-ID

Vendor ID of the destination attribute.

Dest-Sub-ID

ID of the destination attribute's sub-attribute.

Direct

Direction in which the attribute is translated.
  • receive: Translates RADIUS attributes for received packets.
  • send: Translates RADIUS attributes for sent packets.

Packet-Type

Type of RADIUS packets.
  • 0: The RADIUS attributes of this type of packets are not translated.
  • 1: The RADIUS attributes of this type of packets are translated.

display radius-server accounting-stop-packet

Function

The display radius-server accounting-stop-packet command displays information about accounting-stop packets on the RADIUS server.

Format

display radius-server accounting-stop-packet { all | ip { ip-address | ipv6-address } }

Parameters

Parameter

Description

Value

all

Displays all the accounting-stop packets.

-

ip ip-address

Displays the accounting-stop packets with the specified IP address.

The value of ip-address is in dotted decimal notation.

ip ipv6-address

Displays the accounting-stop packets with the specified IPv6 address.

The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display radius-server accounting-stop-packet command output helps you check configurations or isolate faults.

Example

# Display the accounting-stop packets with the IP address being 10.138.104.32.

<Huawei> display radius-server accounting-stop-packet ip 10.138.104.32
 ------------------------------------------------------------------------------ 
 Time Stamp  Resend Times  Session Time  Username                               
 ------------------------------------------------------------------------------ 
 1980409     6             22            g@rds                                  
 ------------------------------------------------------------------------------ 
Table 14-23  Description of the display radius-server accounting-stop-packet command output

Item

Description

Time Stamp

Timestamp of an accounting-stop packet.

Resend Times

Number of times that accounting-stop packets have been retransmitted.

Session Time

Session time.

Username

User name.

display radius-server authorization configuration

Function

The display radius-server authorization configuration command displays the configuration of RADIUS authorization servers.

Format

display radius-server authorization configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After running the radius-server authorization command to configure an authorization server, run the display radius-server authorization configuration command to check whether the authorization server configuration is correct.

Example

# Display the configuration of RADIUS authorization servers.

<Huawei> display radius-server authorization configuration
 -------------------------------------------------------------------------------
 IP-Address      Shared-key               Group           Ack-reserved-interval 
 -------------------------------------------------------------------------------
 10.1.1.114     ****************         radius                              20
 vpn-instance : - 
-------------------------------------------------------------------------------
 1 Radius authorization server(s) in total
Table 14-24  Description of the display radius-server authorization configuration command output

Item

Description

IP-Address

IP address of a RADIUS authorization server.

Shared-key

Shared key of the RADIUS authorization server.

Group

Name of the RADIUS server group matching the RADIUS authorization server.

Ack-reserved-interval

Hold time of RADIUS authorization response packets.

vpn-instance

Name of the VPN instance that the RADIUS authorization server is bound to.

display radius-server configuration

Function

The display radius-server configuration command displays the configurations of RADIUS server templates.

Format

display radius-server configuration [ template template-name ]

Parameters

Parameter

Description

Value

template template-name

Specifies the name of a RADIUS server template.

If this parameter is not specified, the configuration of all the RADIUS server templates is displayed.

The RADIUS server template must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display radius-server configuration command output helps you check the configuration of RADIUS server templates or isolate RADIUS faults.

Example

# Display the configuration of RADIUS server templates.

<Huawei> display radius-server configuration template shiva
  ------------------------------------------------------------------------------
  Server-template-name          :  shiva
  Protocol-version              :  standard
  Traffic-unit                  :  B
  Shared-secret-key             :  %^%#Q94<"%IJ&3#^{n)3ou4+:zS7%^%#
  Timeout-interval(in second)   :  5
  Retransmission                :  2
  EndPacketSendTime             :  0
  Dead time(in minute)          :  5
  Domain-included               :  YES
  NAS-IP-Address                :  0.0.0.0
  Calling-station-id MAC-format :  xxxx-xxxx-xxxx
  NAS-IPv6-Address              :  ::
  Server algorithm              :  master-backup 
  Authentication Server 1       :  10.7.66.66     Port:1812  Weight:80
                                   Vrf:- LoopBack:NULL
                                   Source IP: ::
  Authentication Server 2       :  10.7.66.67     Port:1812  Weight:80
                                   Vrf:- LoopBack:NULL
                                   Source IP: ::
  Accounting Server     1       :  10.7.66.66     Port:1813  Weight:80
                                   Vrf:- LoopBack:NULL
                                   Source IP: ::
  Accounting Server     2       :  10.7.66.67     Port:1813  Weight:80
                                   Vrf:- LoopBack:NULL
                                   Source IP: ::
  ------------------------------------------------------------------------------ 
Table 14-25  Description of the display radius-server configuration command output

Item

Description

Server-template-name

Name of the RADIUS server template. To create a RADIUS server template, run the radius-server template command.

Protocol-version

RADIUS protocol version.

Traffic-unit

Traffic unit in the RADIUS server template:

  • B
  • KB
  • MB
  • GB

To configure the RADIUS traffic unit, run the radius-server traffic-unit command.

Shared-secret-key

Shared key in the RADIUS server template. To configure the shared key of a RADIUS server, run the radius-server shared-key command.

Timeout-interval(in second)

Response timeout interval of the RADIUS server. To set the response timeout interval of the RADIUS server, run the radius-server retransmit timeout dead-time command.

Retransmission

Number of times that RADIUS packets are retransmitted. To set the number of times that RADIUS packets are retransmitted, run the radius-server retransmit timeout dead-time command.

EndPacketSendTime

Number of times that RADIUS accounting-stop packets are resent. To set the number of times that RADIUS accounting-stop packets are resent, run the radius-server accounting-stop-packet command.

Dead time(in minute)

Interval for the primary RADIUS server to restore to the active state. To set the interval for the primary RADIUS server to return to the active state, run the radius-server retransmit timeout dead-time command.

Domain-included

Whether the user name sent to the RADIUS server contains the domain name:

  • YES: The user name contains the domain name.
  • NO: The user name does not contain the domain name.
  • Original: The device does not modify the user name entered by the user.

To configure the device to encapsulate the domain name in the user name of packets sent to the RADIUS server, run the radius-server user-name command.

NAS-IP-Address

NAS-IP-Address attribute in RADIUS packets.

Calling-station-id MAC-format

To configure the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets, run the calling-station-id mac-format command.

NAS-IPv6-Address

NAS-IPv6-Address attribute in RADIUS packets.

Server algorithm

Algorithm for selecting RADIUS servers:

  • master-backup: RADIUS servers are selected in primary/secondary mode.
  • loading-share: RADIUS servers are selected in load balancing mode.

To configure an algorithm for selecting RADIUS servers, run the radius-server algorithm command.

Authentication Server 1

The IP address, port number, weight and source IP address of the primary RADIUS authentication server. To configure a RADIUS authentication server, run the radius-server authentication command.

Authentication Server 2

The IP address, port number, weight and source IP address of the secondary RADIUS authentication server. To configure a RADIUS authentication server, run the radius-server authentication command.

Accounting Server 1

The IP address, port number, weight and source IP address of the primary RADIUS accounting server. To configure a RADIUS accounting server, run the radius-server accounting command.

Accounting Server 2

The IP address, port number, weight and source IP address of the secondary RADIUS accounting server. To configure a RADIUS accounting server, run the radius-server accounting command.

radius-attribute check

Function

The radius-attribute check command enables the device to check the specified attributes in the received RADIUS Access-Accept packets.

The undo radius-attribute check command disables the device from checking the specified attributes in the received RADIUS Access-Accept packets.

By default, the device does not check whether a RADIUS Access-Accept packet contains the specified attributes.

Format

radius-attribute check attribute-name

undo radius-attribute check [ attribute-name ]

Parameters

Parameter

Description

Value

attribute-name

Specifies the name of the RADIUS attribute. If this parameter is specified, the RADIUS Access-Accept packets are checked based on attribute names.

The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the radius-attribute check command is executed, the device checks whether the received RADIUS Access-Accept packets contain the specified attributes. If yes, the device considers that authentication was successful; if not, the device considers that authentication failed and discards the packet. For example, after the radius-attribute check filter-id command is executed, the device checks the filter-id attribute in the received RADIUS Access-Accept packets. If a RADIUS packet does not contain this attribute, authentication fails.

Precautions

  • When you use the undo radius-attribute check command with parameters, the device checks the specified attributes in the RADIUS Access-Accept packets. When you use the undo radius-attribute check command without any parameter, the device does not check RADIUS Access-Accept packets.
  • The display radius-attribute command displays the RADIUS attribute names that can be specified.

Example

# Check whether the RADIUS Access-Accept packets contain the framed-protocol attribute.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-attribute check framed-protocol

radius-attribute disable

Function

The radius-attribute disable command disables RADIUS attributes.

The undo radius-attribute disable command restores the default setting.

By default, no RADIUS attribute is disabled.

Format

radius-attribute disable attribute-name { receive | send } *

undo radius-attribute disable [ attribute-name ]

Parameters

Parameter

Description

Value

attribute-name

Specifies the name of a RADIUS attribute.

The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.

receive

Disables RADIUS attributes for received packets.

-

send

Disables RADIUS attributes for sent packets.

-

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Generally, a RADIUS server connects to multiple network devices, which may all come from one vendor or from several vendors. If the devices of one vendor require the RADIUS server to deliver an attribute that supports a specific feature, but the devices of other vendors do not support the delivered attribute, parsing of that RADIUS attribute may fail.

Likewise, the device may communicate with RADIUS servers of different vendors. Some RADIUS servers require the device to send attributes that other RADIUS servers cannot process, which causes errors.

The radius-attribute disable command disables RADIUS attributes on the device. You can configure the device to ignore incompatible attributes when receiving RADIUS packets to prevent parsing failures. You can also configure the device to disable RADIUS attributes when sending RADIUS packets. When the device sends RADIUS packets, it does not encapsulate the disabled RADIUS attributes in the RADIUS packets.

Prerequisites

The RADIUS attribute translation function has been enabled using the radius-server attribute translate command.

Precautions

Before disabling RADIUS attributes, run the display radius-attribute command to view the RADIUS attributes supported by the device.

Example

# Disable the Framed-Route attribute in sent packets.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server attribute translate
[Huawei-radius-test1] radius-attribute disable framed-route send

radius-attribute nas-ip

Function

The radius-attribute nas-ip command sets the NAS-IP-Address attribute in a RADIUS packet sent from an NAS.

The undo radius-attribute nas-ip command deletes the configured NAS-IP-Address attribute.

By default, the NAS source IP address is used as the NAS-IP-Address attribute value.

Format

radius-attribute nas-ip ip-address

undo radius-attribute nas-ip

Parameters

Parameter

Description

Value

ip-address

Specifies the NAS-IP-Address attribute.

The value is a valid unicast address in dotted decimal notation.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A RADIUS server uses the NAS-IP-Address attributes in RADIUS packets sent by NASs to identify NASs. You can run the radius-attribute nas-ip command in the RADIUS server template view to set the NAS-IP-Address attribute.

Prerequisites

A RADIUS server template has been created using the radius-server template command.

Precautions

  • If a RADIUS server template is being used by online users, the configuration fails and an error message is displayed.
  • If the RADIUS NAS-IP-Address attribute is set to an invalid IP address, the configuration fails and an error message is displayed.

Example

# Set the RADIUS NAS-IP-Address attribute.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-attribute nas-ip 10.3.3.3

radius-attribute nas-ipv6

Function

The radius-attribute nas-ipv6 command sets the NAS-IPv6-Address attribute in a RADIUS packet sent from a network access server (NAS).

The undo radius-attribute nas-ipv6 command deletes the configured NAS-IPv6-Address attribute.

By default, no NAS-IPv6-Address attribute is configured.

Format

radius-attribute nas-ipv6 ipv6-address

undo radius-attribute nas-ipv6

Parameters

Parameter

Description

Value

ipv6-address

Specifies the NAS-IPv6-Address attribute in a RADIUS packet.

The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The RADIUS server uses IP addresses to identify different NASs. The NAS-IPv6-Address attribute in a RADIUS packet can be configured using the radius-attribute nas-ipv6 command in the RADIUS template.

Prerequisites

A RADIUS server template has been created using the radius-server template command.

Precautions

  • If a RADIUS server template is being used by online users, the configuration fails and an error message is displayed.
  • If the RADIUS NAS-IP-Address attribute is set to an invalid IP address, the configuration fails and an error message is displayed.

Example

# Set the RADIUS NAS-IPv6-Address attribute.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-attribute nas-ipv6 FC00::/7

radius-attribute set

Function

The radius-attribute set command modifies the RADIUS attributes.

The undo radius-attribute set command restores the default RADIUS attributes.

Format

radius-attribute set attribute-name attribute-value

undo radius-attribute set attribute-name

Parameters

Parameter

Description

Value

attribute-name

Specifies the name of the attribute to be modified.

The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.

attribute-value

Indicates the value of the attribute to be modified.

The value of attribute-value is automatically displayed.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The RADIUS attribute values used by different vendors differ. To ensure that the Huawei device can communicate with the devices of other vendors, run the radius-attribute set command to modify the RADIUS attribute values.

For example, by default the Huawei device uses Service-Type value 2 to indicate an authentication request from a common user, while a non-Huawei RADIUS server may use Service-Type value 1 for the same purpose. In that case, run the radius-attribute set service-type 1 command to change the Service-Type value on the device so that it can communicate with the RADIUS server.

Precautions

  • The radius-attribute set command can modify only the RADIUS attributes in the authentication or accounting request packets sent from the device to the RADIUS server. To view the RADIUS attribute settings in the RADIUS authentication or accounting request packets, run the display radius-attribute command.
  • Among the RADIUS attributes that can be carried in the authentication or accounting packets sent from the device to the RADIUS server, you cannot run the radius-attribute set command to modify the following attributes: User-Password, NAS-IP-Address, NAS-IPv6-Address, CHAP-Password, CHAP-Challenge, EAP-Message, Framed-Interface-Id, Framed-IPv6-Prefix, and Message-Authenticator.
  • The type of the attribute modified by the radius-attribute set command cannot be changed.
  • A maximum of 8 attributes can be set in a RADIUS server template.

Example

# Create the template temp1 and set the Service-Type attribute value to 1.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-attribute set service-type 1

radius-attribute translate

Function

The radius-attribute translate command configures a RADIUS attribute to be translated.

The undo radius-attribute translate command cancels the configuration.

By default, no RADIUS attribute is translated.

Format

radius-attribute translate src-attribute-name dest-attribute-name { receive | send | access-accept | access-request | account-request | account-response } *

radius-attribute translate extend vendor-specific src-vendor-id src-sub-id dest-attribute-name { access-accept | account-response } *

radius-attribute translate extend src-attribute-name vendor-specific dest-vendor-id dest-sub-id { access-request | account-request } *

undo radius-attribute translate [ src-attribute-name ]

undo radius-attribute translate extend src-attribute-name

undo radius-attribute translate extend vendor-specific src-vendor-id src-sub-id

Parameters

Parameter | Description | Value
src-attribute-name | Specifies the name of the source attribute. | The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.
dest-attribute-name | Specifies the name of the destination attribute. | The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.
receive | Translates RADIUS attributes for received packets. | -
send | Translates RADIUS attributes for sent packets. | -
access-request | Translates RADIUS attributes for Authentication Request packets. | -
account-request | Translates RADIUS attributes for Accounting Request packets. | -
access-accept | Translates RADIUS attributes for Authentication Accept packets. | -
account-response | Translates RADIUS attributes for Accounting Response packets. | -
extend | Translates extended RADIUS attributes. | -
vendor-specific src-vendor-id src-sub-id | Specifies the source extended attribute to be translated. src-vendor-id is the vendor ID of the extended RADIUS attribute to be translated; src-sub-id is its sub ID. | The value of src-vendor-id is an integer ranging from 1 to 4294967295. The value of src-sub-id is an integer ranging from 1 to 255.
vendor-specific dest-vendor-id dest-sub-id | Specifies the destination extended attribute of the translation. dest-vendor-id is the vendor ID of the destination extended RADIUS attribute; dest-sub-id is its sub ID. | The value of dest-vendor-id is an integer ranging from 1 to 4294967295. The value of dest-sub-id is an integer ranging from 1 to 255.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Currently, RADIUS servers of different vendors may support different RADIUS attributes and have vendor-specific RADIUS attributes. To communicate with different RADIUS servers, the device provides the RADIUS attribute translation function. After RADIUS attribute translation is enabled, the device can translate RADIUS attributes when sending or receiving packets.

RADIUS attribute translation is used in the following modes:

  • Format translation for the same attribute

    This mode is widely applied. It solves compatibility problems that arise because different users require different formats for the same RADIUS attribute.

  • Translation between different attributes

    This mode is used because different vendors implement RADIUS attributes differently.

    For example, the device delivers the administrator's priority using the Huawei proprietary attribute HW-Exec-Privilege (26-29), whereas another vendor's device delivers it using the Login-Service (15) attribute. When the device and the other vendor's device share the same RADIUS server on a network, the user wants the device to deliver the administrator's priority using the Login-Service (15) attribute. After the radius-attribute translate command is configured, the device automatically processes the Login-Service attribute in the received RADIUS authentication response packet as the HW-Exec-Privilege attribute.

Prerequisites

RADIUS attribute translation has been enabled by using the radius-server attribute translate command.

Before configuring RADIUS attribute translation, run the display radius-attribute command to view the RADIUS attributes supported by the device.

Precautions

When the device sends packets, if attribute A is to be translated to attribute B, the type of the encapsulated attribute is the same as that of attribute B but the attribute content and format are the same as those of attribute A.

When the device receives packets, if attribute A is to be translated to attribute B, the device parses the received attribute A as attribute B.

The device cannot translate the NAS-IP-Address and NAS-IPv6-Address attributes.

Three commands are available to translate RADIUS attributes:
  • To translate the attributes supported by the device to other attributes also supported by the device, run the radius-attribute translate command.
  • To translate the non-Huawei attributes not supported by the device to the attributes supported by the device, run the radius-attribute translate extend command.
  • To translate the attributes supported by the device to the non-Huawei attributes not supported by the device, run the radius-attribute translate extend vendor-specific command.
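As an added illustration of the send and receive semantics described above (example code written for this page, not part of the command reference or the device's implementation): a small Python model that parses a RADIUS attribute list, applies translation rules in both directions, and rejects malformed input. The attribute numbers Login-Service (15), HW-Exec-Privilege (sub ID 29), HW-URL-Flag (sub ID 155) and the Cisco vendor ID 9 come from the page; NAS-Identifier (32), NAS-Port-Id (87) and Huawei's vendor ID 2011 are the standard IANA-assigned numbers and are assumed here; all attribute values are constructed.

```python
import struct

VSA = 26              # Vendor-Specific attribute type (RFC 2865, section 5.26)
HUAWEI_VENDOR = 2011  # Huawei's IANA enterprise number (assumed; not stated on the page)

# Attribute names used by this example. A key is either a standard type number or a
# (vendor-id, sub-id) pair for a vendor-specific attribute, mirroring the CLI's
# "vendor-specific <vendor-id> <sub-id>" notation.
NAMES = {
    15: "Login-Service",
    32: "NAS-Identifier",
    87: "NAS-Port-Id",
    (HUAWEI_VENDOR, 29): "HW-Exec-Privilege",
    (HUAWEI_VENDOR, 153): "HW-Access-Type",
    (HUAWEI_VENDOR, 155): "HW-URL-Flag",
}


def parse_attrs(blob: bytes) -> list:
    """Split a RADIUS attribute list into (key, value) pairs, rejecting bad lengths.

    Vendor-Specific attributes are unwrapped to ((vendor-id, sub-id), data) so that
    translation rules can name them the way the radius-attribute translate extend
    command does.
    """
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + length]
        if attr_type == VSA:
            if len(value) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor = struct.unpack("!I", value[:4])[0]
            sub_id, sub_len = value[4], value[5]
            if sub_len != len(value) - 4:
                raise ValueError("bad vendor-length")
            out.append(((vendor, sub_id), value[6:]))
        else:
            out.append((attr_type, value))
        i += length
    return out


def encode_attr(key, value: bytes) -> bytes:
    """Encode one attribute; a (vendor-id, sub-id) key yields a Vendor-Specific attribute."""
    if isinstance(key, tuple):
        vendor, sub_id = key
        body = struct.pack("!IBB", vendor, sub_id, 2 + len(value)) + value
        return struct.pack("!BB", VSA, 2 + len(body)) + body
    return struct.pack("!BB", key, 2 + len(value)) + value


def translate_send(attrs: list, rules: dict) -> bytes:
    """Send direction: the attribute goes out with the destination's type while the
    content and format stay those of the source (as the Precautions above state)."""
    return b"".join(encode_attr(rules.get(key, key), value) for key, value in attrs)


def translate_receive(blob: bytes, rules: dict) -> list:
    """Receive direction: a received source attribute is handled as the destination.
    Returns (attribute name, raw value) pairs in packet order."""
    result = []
    for key, value in parse_attrs(blob):
        dest = rules.get(key, key)
        result.append((NAMES.get(dest, dest), value))
    return result
```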

Example

# Configure the device to translate NAS-Identifier into NAS-Port-Id when sending RADIUS packets.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-server attribute translate
[Huawei-radius-temp1] radius-attribute translate nas-identifier nas-port-id send

# Translate the Cisco No. 2 attribute (vendor ID 9) in Authentication Accept and Accounting Response packets to Huawei No. 155 extended attribute HW-URL-Flag.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-server attribute translate
[Huawei-radius-temp1] radius-attribute translate extend vendor-specific 9 2 HW-URL-Flag access-accept account-response

# Translate the Huawei No. 153 extended attribute HW-Access-Type in Authentication Request and Accounting Request packets to Cisco No. 11 attribute.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-server attribute translate
[Huawei-radius-temp1] radius-attribute translate extend HW-Access-Type vendor-specific 9 11 access-request account-request

radius-server (AAA domain view)

Function

The radius-server command applies a RADIUS server template to a domain.

The undo radius-server command unbinds a RADIUS server template from a domain.

By default, no RADIUS server template is applied to a domain.

Format

radius-server template-name

undo radius-server

Parameters

Parameter | Description | Value
template-name | Specifies the name of a RADIUS server template. | The RADIUS server template must already exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform RADIUS authentication and accounting for users in a domain, apply a RADIUS server template to the domain. A RADIUS server template takes effect only after the RADIUS server template is applied to a domain.

Prerequisites

A RADIUS server template has been created using the radius-server template command.

Example

# Apply the RADIUS server template template1 to the domain radius1.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] quit
[Huawei] aaa
[Huawei-aaa] domain radius1
[Huawei-aaa-domain-radius1] radius-server template1

radius-server accounting

Function

The radius-server accounting command configures the RADIUS accounting server.

The undo radius-server accounting command deletes the configuration.

By default, no RADIUS accounting server is configured.

Format

radius-server accounting ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address } | weight weight-value ] *

radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address } | weight weight-value ] *

undo radius-server accounting [ ip-address [ port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address } ] * ] ]

undo radius-server accounting [ ipv6-address [ port [ source { loopback interface-number | ip-address ipv6-address } ] ] ]

Parameters

Parameter | Description | Value
ip-address | Specifies the IP address of a RADIUS accounting server. | The value is a valid unicast address in dotted decimal notation.
ipv6-address | Specifies the IPv6 address of a RADIUS accounting server. | The value is a 32-digit hexadecimal number, in the format X:X::X:X.
port | Specifies the port number of a RADIUS accounting server. | The value is an integer that ranges from 1 to 65535.
vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the RADIUS accounting server is bound to. | The VPN instance must already exist.
source loopback interface-number | Specifies the number of a loopback interface. | The loopback interface must already exist.
source ip-address ip-address | Specifies the source IP address of a RADIUS accounting server. | The value is a valid unicast address in dotted decimal notation.
weight weight-value | Specifies the weight of a RADIUS accounting server. | The value is an integer that ranges from 0 to 100.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To perform accounting for users, configure a RADIUS accounting server. The device communicates with a RADIUS accounting server to obtain accounting information, and performs accounting for users based on that information. The device sends accounting packets to a RADIUS accounting server only after the IP address and port number of the RADIUS accounting server are specified in a RADIUS server template using the radius-server accounting command.

Precautions

The IP address of the primary accounting server must be different from the IP address of the secondary accounting server; otherwise, the configuration fails.

Example

# Configure the primary RADIUS accounting server.

<Huawei> system-view
[Huawei] radius-server template group1
[Huawei-radius-group1] radius-server accounting 10.163.155.12 1813

radius-server accounting-stop-packet resend

Function

The radius-server accounting-stop-packet resend command enables retransmission of accounting-stop packets and sets the number of accounting-stop packets that can be retransmitted each time.

The undo radius-server accounting-stop-packet resend command disables retransmission of accounting-stop packets.

By default, the number of retransmission times is 0; that is, accounting-stop packets are not retransmitted.

Format

radius-server accounting-stop-packet resend [ resend-times ]

undo radius-server accounting-stop-packet resend

Parameters

Parameter | Description | Value
resend-times | Specifies the number of accounting-stop packets that can be retransmitted each time. | The value is an integer that ranges from 1 to 300. If resend-times is not specified, the default value 100 is used.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

When accounting-stop packets cannot be sent because the RADIUS server is unreachable, you can run the radius-server accounting-stop-packet resend command to buffer the accounting-stop packets and send them at the preset intervals until the allowed number of retransmissions is reached or the packets are sent successfully.

You can modify this configuration only when no online user exists on the RADIUS server template.

Example

# Enable the retransmission of accounting-stop packets and set the number of accounting-stop packets that can be retransmitted each time to 50.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server accounting-stop-packet resend 50

radius-server algorithm

Function

The radius-server algorithm command configures the algorithm for selecting RADIUS servers.

The undo radius-server algorithm command restores the default algorithm for selecting RADIUS servers.

By default, the algorithm for selecting RADIUS servers is primary/secondary.

Format

radius-server algorithm { loading-share | master-backup }

undo radius-server algorithm

Parameters

Parameter | Description | Value
loading-share | Sets the algorithm for selecting RADIUS servers to load balancing. | -
master-backup | Sets the algorithm for selecting RADIUS servers to primary/secondary. | -

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When two or more RADIUS servers are available, you can use the radius-server algorithm command to set the algorithm for selecting RADIUS servers.
  • When master-backup is specified, the weight is used to determine the primary and secondary RADIUS authentication or accounting servers. The server with the larger weight is the primary server. If the servers have the same weight, the server that was configured first is the primary server.
  • When loading-share is specified, the device sends a packet to a server according to the weights configured on servers. For example, if the weights of RADIUS server A, RADIUS server B, and RADIUS server C are 80, 80, and 40 respectively, the probabilities of sending packets to RADIUS server A, RADIUS server B, and RADIUS server C are as follows:
    • RADIUS server A: 80/(80 + 80 + 40) = 40%
    • RADIUS server B: 80/(80 + 80 + 40) = 40%
    • RADIUS server C: 40/(80 + 80 + 40) = 20%

Configuration Impact

If you run the radius-server algorithm command multiple times in the same RADIUS server template view, only the latest configuration takes effect.

Example

# Set the algorithm for selecting RADIUS servers to load balancing.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server algorithm loading-share

radius-server attribute translate

Function

The radius-server attribute translate command enables RADIUS attribute translation.

The undo radius-server attribute translate command disables RADIUS attribute translation.

By default, RADIUS attribute translation is disabled.

Format

radius-server attribute translate

undo radius-server attribute translate

Parameters

None

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Currently, RADIUS servers of different vendors may support different RADIUS attributes and have vendor-specific RADIUS attributes. To communicate with different RADIUS servers, the device provides the RADIUS attribute translation function. After RADIUS attribute translation is enabled, the device can translate RADIUS attributes when sending or receiving packets.

Follow-up Procedure

After RADIUS attribute translation is enabled, perform either of the following operations to make the function take effect:

Example

# Enable RADIUS attribute translation.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server attribute translate

radius-server authentication

Function

The radius-server authentication command configures a RADIUS authentication server.

The undo radius-server authentication command deletes the configured RADIUS authentication server.

By default, no RADIUS authentication server is specified.

Format

radius-server authentication ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address } | weight weight-value ] *

radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address } | weight weight-value ] *

undo radius-server authentication [ ip-address [ port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address } ] * ] ]

undo radius-server authentication [ ipv6-address [ port [ source { loopback interface-number | ip-address ipv6-address } ] ] ]

Parameters

Parameter | Description | Value
ip-address | Specifies the IP address of a RADIUS authentication server. | The value is a valid unicast address in dotted decimal notation.
ipv6-address | Specifies the IPv6 address of a RADIUS authentication server. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
port | Specifies the port number of a RADIUS authentication server. | The value is an integer that ranges from 1 to 65535.
vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the RADIUS authentication server is bound to. | The value is a string of 1 to 31 case-sensitive characters.
source loopback interface-number | Uses the IP address of the specified loopback interface as the source IP address. interface-number specifies the number of a loopback interface. | The value is an integer that ranges from 0 to 1023.
source ip-address ip-address | Specifies the source IP address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is not specified, the IP address of the outbound interface is used as the source IP address in RADIUS packets sent from the device to a RADIUS authentication server. | The value is a valid unicast address in dotted decimal notation.
weight weight-value | Specifies the weight of a RADIUS authentication server. When multiple servers are available, the device uses the server with the highest weight to perform authentication. If the servers have the same weight, the device uses the server configured first to perform authentication. | The value is an integer that ranges from 0 to 100. The default value is 80.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To perform RADIUS authentication, configure a RADIUS authentication server in a RADIUS server template. The device uses the RADIUS protocol to communicate with a RADIUS authentication server to obtain authentication information, and authenticates users based on the authentication information. The device sends authentication packets to the RADIUS authentication server only after the IP address and port number of the RADIUS authentication server are specified in the RADIUS server template.

When the radius-server algorithm master-backup command has been run to select the primary/secondary algorithm for RADIUS authentication servers and both the primary and secondary authentication servers are configured, the device sends an authentication request packet to the secondary authentication server in either of the following situations:
  • The primary authentication server does not send an authentication response packet.
  • The authentication request packet retransmission count reaches the maximum.

Precautions

You must specify different IP addresses for the primary and secondary RADIUS authentication servers; otherwise, the configuration fails.

Example

# Configure the IP address of the primary RADIUS authentication server to 10.163.155.13 and the port number to 1812.

<Huawei> system-view
[Huawei] radius-server template group1
[Huawei-radius-group1] radius-server authentication 10.163.155.13 1812

radius-server authorization

Function

The radius-server authorization command configures the RADIUS authorization server.

The undo radius-server authorization command deletes the configured RADIUS authorization server.

By default, no RADIUS authorization server is configured.

Format

radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name | shared-key cipher key-string } * [ ack-reserved-interval interval ]

undo radius-server authorization { all | ip-address [ vpn-instance vpn-instance-name ] }

Parameters

Parameter | Description | Value
ip-address | Specifies the IP address of a RADIUS authorization server. | The value is a unicast address in dotted decimal notation.
vpn-instance vpn-instance-name | Specifies the name of a VPN instance that the RADIUS authorization server is bound to. | The value is a string of 1 to 31 case-sensitive characters.
server-group group-name | Specifies the name of a RADIUS group corresponding to a RADIUS server template. | The value is a string of 1 to 32 case-sensitive characters consisting of letters (A to Z, a to z), digits (0 to 9), the period (.), the hyphen (-), and the underscore (_). The value cannot be - or --.
shared-key cipher key-string | Specifies the shared key of a RADIUS server. | The value is a case-sensitive character string without spaces, single quotation marks ('), and question marks (?). The key-string may be a plain-text password of 1 to 128 characters or a cipher-text password of 48, 68, 88, 108, 128, 148, 168, or 188 characters. By default, the RADIUS authorization server shared key is huawei and the password is in cipher text.
ack-reserved-interval interval | Specifies the duration for retaining a RADIUS authorization response packet. | The value is an integer that ranges from 0 to 300, in seconds. By default, the value is 0s.
all | Deletes all RADIUS authorization servers. | -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An independent RADIUS authorization server can be used to authorize online users. RADIUS provides two authorization methods: Change of Authorization (CoA) and Disconnect Message (DM).
  • CoA: After a user is successfully authenticated, you can modify the rights of the online user through the RADIUS authorization server. For example, a VLAN ID can be delivered to access users of a certain department through CoA packets, so that they belong to the same VLAN no matter which interfaces they connect to.
  • DM: The administrator can forcibly disconnect a user through the RADIUS authorization server.

After the parameters such as IP address and shared key are configured for the RADIUS authorization server, the device can receive authorization requests from the server and grant rights to users according to the authorization information. After authorization is complete, the device returns authorization response packets carrying the results to the server.

Precautions

If RADIUS authorization response packets need to be retained for retransmission, set the duration for retaining the RADIUS authorization response packets when you configure the RADIUS authorization server. To disable retaining of authorization response packets, set the duration to 0.

To improve security, it is recommended that the password contain at least 16 characters and at least two of the following character types: lower-case letters, upper-case letters, numerals, and special characters.

Example

# Specify a RADIUS authorization server.

<Huawei> system-view
[Huawei] radius-server authorization 10.1.1.116 shared-key cipher Huawei@huawei2015

radius-server dead-time

Function

The radius-server dead-time command sets the interval for the primary server to return to the active state.

The undo radius-server dead-time command restores the default interval for the primary server to return to the active state.

By default, the time for the primary server to return to the active state is 5 minutes.

Format

radius-server dead-time dead-time

undo radius-server dead-time [ dead-time ]

Parameters

Parameter | Description | Value
dead-time | Specifies the interval for the primary server to return to the active state. | The value is an integer that ranges from 1 to 65535, in minutes. The default value is 5.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can set the interval for the primary server to return to the active state using the radius-server dead-time command. When the interval expires, the device sets the RADIUS server in Down state to Up and tries to connect to it. After that, if new users need to be authenticated in RADIUS mode, the device tries to connect to the RADIUS server; if the connection fails, the device sets the RADIUS server state to Down again.

You can modify this configuration only when the RADIUS server template is not in use.

Precautions

If the automatic RADIUS server status detection is configured using the radius-server testuser command, the interval configured using this command for the primary server to return to the active state will not take effect.

Example

# Set the interval for the primary server to return to the active state to 3 minutes.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server dead-time 3

radius-server detect-server

Function

Using the radius-server detect-server command, you can set the RADIUS automatic detection interval.

Using the undo radius-server detect-server command, you can restore the default RADIUS automatic detection interval.

The default RADIUS automatic detection interval is 60 seconds.

Format

radius-server detect-server interval interval

undo radius-server detect-server interval

Parameters

Parameter | Description | Value
interval interval | Specifies the detection interval. | The value is an integer that ranges from 5 to 3600, in seconds.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

After the detection interval is set in the RADIUS server template view, the device periodically checks the RADIUS server status.

Example

# Set the detection interval to 100 seconds in the RADIUS server template acs.

<Huawei> system-view
[Huawei] radius-server template acs
[Huawei-radius-acs] radius-server detect-server interval 100

radius-server nas-port-format

Function

The radius-server nas-port-format command sets the format of the NAS port attribute.

The undo radius-server nas-port-format command restores the default format of the NAS port attribute.

By default, the new NAS port format is used.

Format

radius-server nas-port-format { new | old }

undo radius-server nas-port-format

Parameters

Parameter | Description | Value
new | Uses the new format of a NAS port. | -
old | Uses the old format of a NAS port. | -

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The NAS port format determines how information about the physical port is encoded. The RADIUS server can use the NAS port attribute to process services, such as binding a user name to a port. This attribute is developed by Huawei and is used to ensure connectivity and service cooperation among Huawei devices.

Precautions

The difference between the two NAS port formats lies in the physical ports connected to Ethernet access users.
  • The new format of the NAS port attribute is slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).
  • The old format of the NAS port attribute is slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).

The format of the NAS port attribute for Asymmetric Digital Subscriber Line (ADSL) access users is slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits). This format is not affected by the command.
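The three bit layouts above, packed and unpacked in Python as an added example (written for this page; not Huawei code). It also shows why both ends must agree on the format: a value built in the new layout decodes to a different slot number when read with the old layout. All field values are constructed.

```python
# NAS-Port bit layouts as the Precautions describe them, most significant field
# first. Each layout sums to the 32-bit NAS-Port attribute value.
NAS_PORT_NEW = (("slot", 8), ("subslot", 4), ("port", 8), ("vlan", 12))
NAS_PORT_OLD = (("slot", 12), ("port", 8), ("vlan", 12))
NAS_PORT_ADSL = (("slot", 4), ("subslot", 2), ("port", 2), ("vpi", 8), ("vci", 16))


def pack_nas_port(layout, **fields) -> int:
    """Pack the named fields into one 32-bit NAS-Port value.

    Every field of the layout must be supplied and must fit its bit width; a value
    that overflows its field would silently corrupt the neighbouring fields.
    """
    if sum(bits for _, bits in layout) != 32:
        raise ValueError("layout must describe exactly 32 bits")
    expected = {name for name, _ in layout}
    if set(fields) != expected:
        raise ValueError(f"fields must be exactly {sorted(expected)}")
    value = 0
    for name, bits in layout:
        if not 0 <= fields[name] < (1 << bits):
            raise ValueError(f"{name}={fields[name]} does not fit in {bits} bits")
        value = (value << bits) | fields[name]
    return value


def unpack_nas_port(layout, value: int) -> dict:
    """Inverse of pack_nas_port: split a 32-bit NAS-Port value by a layout."""
    if not 0 <= value < (1 << 32):
        raise ValueError("NAS-Port is a 32-bit value")
    fields = {}
    for name, bits in reversed(layout):  # peel fields off the low end
        fields[name] = value & ((1 << bits) - 1)
        value >>= bits
    return {name: fields[name] for name, _ in layout}  # layout order
```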

Example

# Set the format of the NAS port attribute to new.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server nas-port-format new

radius-server nas-port-id-format

Function

The radius-server nas-port-id-format command sets the format of the NAS port ID attribute.

The undo radius-server nas-port-id-format command restores the default format of the NAS port ID attribute.

By default, the new format of the NAS port ID attribute is used.

Format

radius-server nas-port-id-format { new | old }

undo radius-server nas-port-id-format

Parameters

Parameter | Description | Value
new | Uses the new format of the NAS port ID. | -
old | Uses the old format of the NAS port ID. | -

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The NAS port format and the NAS port ID format are developed by Huawei and are used to ensure connectivity and service cooperation among Huawei devices.

Precautions

When new is specified:
  • For Ethernet access users, the NAS port ID format is slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx, in which slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.
  • For ADSL access users, the NAS port ID format is slot=xx; subslot=x; port=x;VPI=xxx; VCI=xxxxx, in which slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from 0 to 65535.
When old is specified:
  • For Ethernet access users, the NAS port ID format is slot number (2 characters) + subslot number (2 bytes) + card number (3 bytes) + VLAN ID (9 characters).
  • For ADSL access users, the NAS port ID format is slot number (2 characters) + subslot number (2 bytes) + card number (3 bytes) + VPI (8 characters) + VCI (16 characters). A field is prefixed with 0s if its actual value contains fewer characters.

Example

# Set the format of the NAS port ID attribute to new.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server nas-port-id-format new

radius-server retransmit timeout dead-time

Function

The radius-server retransmit timeout dead-time command sets the number of times RADIUS request packets are retransmitted, the timeout interval, and the interval for the primary server to return to the active state.

The undo radius-server retransmit timeout dead-time command restores the default number of retransmission times, the default timeout interval, and the default interval for the primary server to return to the active state.

By default, the number of retransmission times is 3, the timeout interval is 5 seconds, and the interval for the primary server to return to the active state is 5 minutes.

Format

radius-server { retransmit retry-times | timeout time-value | dead-time dead-time } *

undo radius-server { retransmit [ retry-times ] | timeout [ time-value ] | dead-time dead-time } *

Parameters

Parameter | Description | Value
retransmit retry-times | Specifies the number of retransmission times. The value is the total number of times a packet is transmitted. | The value is an integer that ranges from 1 to 5.
timeout time-value | Specifies the timeout interval. | The value is an integer that ranges from 3 to 10, in seconds.
dead-time dead-time | Specifies the interval for the primary server to return to the active state. | The value is an integer that ranges from 1 to 65535, in minutes.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the device sends a request packet to a RADIUS server, if the device does not receive a response packet in the specified period, the device retransmits the request packet. If the maximum number of retransmission times is reached, the device considers the RADIUS server as unavailable.

The number of retransmission times, timeout interval, and interval for the primary server to return to the active state that are set using the radius-server retransmit timeout dead-time command improve reliability of RADIUS authentication.

The default values are recommended.

Precautions

You can modify this configuration only when the RADIUS server template is not in use.

If more than 8 authentication server IP addresses are configured in the RADIUS server template, reduce the number of retransmission times and the timeout interval.

The request packet retransmission time (number of retransmission times x timeout interval) of the RADIUS server must be shorter than the request packet retransmission time of the Portal server.

If the automatic RADIUS server status detection is configured using the radius-server testuser command, the interval configured using this command for the primary server to return to the active state will not take effect.
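An added Python model (not device code from this reference) of the behaviour the Usage Guidelines and Precautions above describe: a server that stays silent is tried retransmit x timeout seconds and is then assumed to be skipped until dead-time expires. The server names and reachability flags are constructed, and the "skip while dead" rule is an assumption drawn from the text, not a documented algorithm.

```python
from dataclasses import dataclass


@dataclass
class RadiusServer:
    name: str
    reachable: bool          # constructed: whether this server answers requests at all
    dead_until: float = 0.0  # simulated clock value at which it returns to the active state


@dataclass
class RadiusTemplate:
    servers: list            # authentication servers in the order the device tries them
    retransmit: int = 3      # total transmissions per server, the page's default
    timeout: float = 5.0     # seconds waited for each transmission, the page's default
    dead_time: float = 300.0 # 5 minutes expressed in seconds, the page's default


def send_request(tpl: RadiusTemplate, now: float):
    """Model one Access-Request: try servers in order, skip those still marked dead,
    and mark a silent server dead after retransmit x timeout seconds. Returns the name
    of the server that answered (or None) and the simulated seconds spent waiting."""
    elapsed = 0.0
    for srv in tpl.servers:
        if srv.dead_until > now + elapsed:
            continue                      # still inside dead-time: not retried (assumption)
        if srv.reachable:
            return srv.name, elapsed      # answered within the first transmission
        elapsed += tpl.retransmit * tpl.timeout   # all transmissions timed out
        srv.dead_until = now + elapsed + tpl.dead_time
    return None, elapsed                  # every server unavailable: request fails


def worst_case_delay(tpl: RadiusTemplate) -> float:
    """Seconds a login can stall when no server answers and none is marked dead yet;
    this is the figure to keep below the Portal server's retransmission time."""
    return len(tpl.servers) * tpl.retransmit * tpl.timeout
```

With the defaults, eight silent servers stall a login for 8 x 3 x 5 = 120 seconds before the first failure, which is why the Precautions ask for smaller values with many servers.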

Example

# Set the number of retransmission times to 4 and the timeout interval to 8s.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server retransmit 4 timeout 8

radius-server shared-key

Function

The radius-server shared-key command configures the shared key of a RADIUS server.

The undo radius-server shared-key command restores the default shared key of a RADIUS server.

By default, the RADIUS shared key is huawei, stored in cipher text.

Format

radius-server shared-key cipher key-string

undo radius-server shared-key

Parameters

Parameter Description Value
cipher Indicates the shared key in cipher text. -
key-string Specifies the shared key of a RADIUS server. The value is a case-sensitive character string without spaces, single quotation marks ('), and question marks (?). The key-string may be a plain-text password consisting of 1 to 128 characters or a cipher-text password consisting of 48, 68, 88, 108, 128, 148, 168, or 188 characters.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

The shared key is used to encrypt the password and to generate the response authenticator.

When exchanging authentication packets with a RADIUS server, the device uses MD5 together with the shared key to encrypt important data such as the password, so that it is not sent in plain text over the network. To ensure that both communicating parties are legitimate, the device and the RADIUS server must be configured with the same shared key.

To improve security, change the default shared key immediately. It is recommended that the new shared key contain at least two of the following character types: lowercase letters, uppercase letters, numerals, and special characters, and that it be at least 16 characters long.

Example

# Set the shared key of a RADIUS server to Huawei@huawei2015 in cipher text.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server shared-key cipher Huawei@huawei2015

radius-server template

Function

The radius-server template command creates a RADIUS server template and displays the RADIUS server template view.

The undo radius-server template command deletes a RADIUS server template.

By default, no RADIUS server template is created on the device.

Format

radius-server template template-name

undo radius-server template template-name

Parameters

Parameter Description Value
template-name Specifies the name of a RADIUS server template. The value is a string of 1 to 32 characters, including letters A to Z and a to z (case-sensitive), numerals (0 to 9), the period (.), hyphen (-), and underscore (_). The value cannot be - or --.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Creating a RADIUS server template is the prerequisite for configuring RADIUS authentication and accounting. You can perform RADIUS configurations, such as the configuration of authentication servers, accounting servers, and shared key only after a RADIUS server template is created.

Follow-up Procedure

Configure an authentication server, an accounting server, and the shared key in the RADIUS server template view, and then run the radius-server (AAA domain view) command to apply the RADIUS server template.

Precautions

A maximum of 16 RADIUS server templates can be configured on the device.

Example

# Create a RADIUS server template template1 and enter the RADIUS server template view.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] 

radius-server testuser

Function

The radius-server testuser command creates a user account for RADIUS automatic detection.

The undo radius-server testuser command deletes the user account for RADIUS automatic detection.

By default, no user account for automatic detection is configured.

Format

radius-server testuser username username password cipher password

undo radius-server testuser

Parameters

Parameter Description Value
username username Specifies a user name used for automatic detection. The value is a string of 1 to 64 case-sensitive characters without spaces.
cipher Indicates that the password is in cipher text. -
password Specifies the user password for automatic detection. The value is a string of 1 to 16 case-sensitive characters without spaces or question marks. If it is in cipher text, the password is a string of 32 characters.

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

The radius-server testuser command configures the user name and password in the RADIUS server template view for automatic detection. The user name and password do not need to be configured on the RADIUS server.

The device learns the RADIUS server status according to the RADIUS server's response to the user account. The device uses PAP authentication to detect the RADIUS server.

Example

# Create a user account with the user name test and password Huawei@2012 in RADIUS server template acs.

<Huawei> system-view
[Huawei] radius-server template acs
[Huawei-radius-acs] radius-server testuser username test password cipher Huawei@2012

radius-server traffic-unit

Function

The radius-server traffic-unit command sets the traffic unit used by a RADIUS server.

The undo radius-server traffic-unit command restores the default traffic unit used by a RADIUS server.

The default RADIUS traffic unit is byte on the device.

Format

radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

undo radius-server traffic-unit

Parameters

Parameter Description Value
byte Indicates that the traffic unit is byte. -
kbyte Indicates that the traffic unit is kilobyte. -
mbyte Indicates that the traffic unit is megabyte. -
gbyte Indicates that the traffic unit is gigabyte. -

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Different RADIUS servers may use different traffic units. Therefore, set the traffic unit for each RADIUS server group on the router so that it matches the unit used by the corresponding RADIUS server.

Precautions

You can change the traffic unit only when the RADIUS server template is not in use.

Example

# Set the traffic unit used by a RADIUS server to kilobyte.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server traffic-unit kbyte

radius-server user-name

Function

The radius-server user-name domain-included command configures the device to encapsulate the domain name in the user name in RADIUS packets to be sent to a RADIUS server.

The radius-server user-name original command configures the device not to modify the user name entered by the user in the packets sent to the RADIUS server.

The undo radius-server user-name domain-included command configures the device not to encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS server.

By default, the device does not modify the user name entered by the user in the packets sent to the RADIUS server.

Format

radius-server user-name domain-included

radius-server user-name original

undo radius-server user-name domain-included

Parameters

None

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The format of a user name is user name@domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %.

If the RADIUS server does not accept the user name with the domain name, run the undo radius-server user-name domain-included command to delete the domain name from the user name.

Precautions

You can modify this configuration only when the RADIUS server template is not in use.

If the user names in the RADIUS packets sent from the device to the RADIUS server contain domain names, ensure that the total length of a user name (user name + domain name delimiter + domain name) does not exceed 64 characters; otherwise, the user name cannot be carried in RADIUS packets and authentication fails.

Example

# Configure the device not to encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS server.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] undo radius-server user-name domain-included

reset radius-server accounting-stop-packet

Function

The reset radius-server accounting-stop-packet command clears statistics about the RADIUS accounting-stop packets remaining in the buffer.

Format

reset radius-server accounting-stop-packet { all | ip { ip-address | ipv6-address } }

Parameters

Parameter Description Value
all Clears statistics about all RADIUS accounting-stop packets remaining in the buffer. -
ip ip-address Clears statistics about the RADIUS accounting-stop packets remaining in the buffer for the specified IP address. The value of ip-address is in dotted decimal notation.
ip ipv6-address Clears statistics about the RADIUS accounting-stop packets remaining in the buffer for the specified IPv6 address. The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

Views

User view

Default Level

3: Management level

Usage Guidelines

This command clears statistics about the RADIUS accounting-stop packets remaining in the buffer. The cleared statistics cannot be restored.

Example

# Clear statistics about all RADIUS accounting-stop packets remaining in the buffer.

<Huawei> reset radius-server accounting-stop-packet all

test-aaa

Function

The test-aaa command tests whether a user can be authenticated using RADIUS authentication.

Format

test-aaa user-name user-password radius-template template-name [ chap | pap ]

Parameters

Parameter Description Value
user-name Specifies a user name. The value is a string of 1 to 64 case-insensitive characters without spaces.
user-password Specifies a user password. The value is a string of 1 to 128 case-sensitive characters.
radius-template template-name Specifies the name of a RADIUS server template. The value is a string of 1 to 32 characters, including letters A to Z and a to z (case-sensitive), numerals (0 to 9), the period (.), hyphen (-), and underscore (_). The value cannot be - or --.
chap Indicates Challenge Handshake Authentication Protocol (CHAP) authentication. -
pap Indicates Password Authentication Protocol (PAP) authentication. -

Views

All views

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a user fails to be authenticated, run the test-aaa command on the device to locate the fault.

  • If the test result indicates that the user can be authenticated using RADIUS authentication, the fault occurs in access authentication.
  • If the test result indicates that the user fails to be authenticated using RADIUS authentication, the fault occurs in RADIUS authentication.

Prerequisites

A RADIUS server template has been created, an authentication server has been specified in the RADIUS server template, and the RADIUS server has been configured.

Follow-up Procedure

If the test result indicates that the user fails to be authenticated by using RADIUS authentication, check whether the configuration of the RADIUS server template and the RADIUS server is correct.

Precautions

chap and pap are two authentication modes.
  • PAP: The NAS device adds the user name and the encrypted password to the corresponding fields of the authentication request packet and sends it to the RADIUS server. The NAS device then decides whether to allow the user to go online based on the result returned by the RADIUS server.
  • CHAP: The NAS device sends the user name, the encrypted password, and the 16-byte random code to the RADIUS server. The RADIUS server searches its database by user name for the stored password, which is the same as the password used on the user side, encrypts the received 16-byte random code with it, and compares the result with the received encrypted password. If they match, the user is authenticated; if they differ, authentication fails. In addition, if the user is authenticated, the RADIUS server generates a 16-byte random code to challenge the user.

Before running the test-aaa command, you only need to create a RADIUS server template and specify an authentication server in the RADIUS server template.
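The PAP and CHAP computations described above, together with the shared-key usage described under radius-server shared-key (password hiding and the response authenticator, both MD5-based), as an added Python illustration that follows RFC 2865 rather than any device code from this reference. The shared key, password and Request Authenticator bytes are constructed sample values.

```python
import hashlib
import secrets

# Constructed sample values for this illustration; they are not from the command reference.
SHARED_KEY = b"Huawei@huawei2015"   # value set with radius-server shared-key cipher
REQUEST_AUTH = bytes(range(16))     # the 16-byte Request Authenticator of an Access-Request


def pap_hide_password(password: bytes, shared_key: bytes, request_auth: bytes) -> bytes:
    """PAP: hide User-Password as RFC 2865 does, XORing 16-byte blocks with an MD5 keystream
    derived from the shared key and the Request Authenticator (then the previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(shared_key + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += prev
    return hidden


def pap_reveal_password(hidden: bytes, shared_key: bytes, request_auth: bytes) -> bytes:
    """Server side of PAP: regenerate the keystream with the same shared key and undo the XOR.
    A mismatching shared key yields garbage here, which is why both ends must hold the same key."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(shared_key + prev).digest()
        clear += bytes(h ^ s for h, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")   # strip the NUL padding added by the client


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP: the user side returns Ident + MD5(Ident + password + 16-byte challenge);
    the clear-text password never crosses the wire."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """CHAP on the RADIUS server: look the password up by user name, hash the same challenge
    and compare in constant time with the CHAP-Password value received from the NAS."""
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + stored_password + challenge).digest()
    return secrets.compare_digest(expected, chap_password[1:])


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, shared_key: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + shared key);
    the NAS recomputes it to check that a reply really came from a server holding the key."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + shared_key).digest()
```

Because the keystream is only as strong as the shared key, a short or default key lets anyone who captures the packet recover the PAP password offline, which is the reason the shared-key guidelines call for a long, mixed-character key.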

Example

# Test whether the user user1@default can be authenticated using CHAP authentication in the RADIUS server template huawei.

<Huawei> test-aaa user1@default userkey radius-template huawei chap
Updated: 2019-02-18

Document ID: EDOC1000097293