S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Configuring an AAA Scheme

Context

An AAA scheme defines the authentication, authorization, and accounting modes applied to users. If RADIUS AAA is used, set the authentication mode to RADIUS in the authentication scheme and the accounting mode to RADIUS in the accounting scheme. RADIUS combines authentication and authorization, and the two cannot be separated: if authentication succeeds, authorization also succeeds. Therefore, if RADIUS authentication is used, you do not need to configure an authorization scheme.

To prevent authentication failures when the only configured authentication mode receives no response (for example, the RADIUS server is unreachable), configure local authentication or non-authentication as the backup authentication mode in the authentication scheme.

NOTE:

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.

      By default, two authentication schemes named default and radius are available on the device. These two schemes can be modified but cannot be deleted.

    4. Run authentication-mode radius

      The authentication mode is set to RADIUS.

      By default, local authentication is used.

      To configure local authentication as the backup authentication mode, run the authentication-mode radius local command.

    5. (Optional) Run authentication-super [ hwtacacs | radius | super ] * none

      The authentication mode used to upgrade user levels in the current authentication scheme is configured.

      By default, the super mode is used. That is, local authentication is used.

    6. Run quit

      Return to the AAA view.

    7. (Optional) Configure the account locking function.

      1. Run remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time

        The remote AAA authentication account locking function is enabled, and the authentication retry interval, maximum number of consecutive authentication failures, and account locking period are configured.

        By default, the remote AAA account locking function is enabled, the authentication retry interval is 300 minutes, the maximum number of consecutive authentication failures is 30, and the account locking period is 30 minutes.

      2. Run remote-user authen-fail unblock { all | username username }

        A remote AAA authentication account that has failed authentication is unlocked.

    8. (Optional) Run aaa-author session-timeout invalid-value enable

      The device is configured not to disconnect or reauthenticate users when the RADIUS server delivers the Session-Timeout attribute with value 0.

      By default, when the RADIUS server delivers the Session-Timeout attribute with value 0, this attribute does not take effect.

    9. Run quit

      Return to the system view.

    10. (Optional) Run aaa-authen-bypass enable time time-value

      The bypass authentication timeout interval is configured.

      By default, the bypass authentication function is disabled.

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.

      By default, the accounting scheme named default is available on the device. This scheme can be modified but cannot be deleted.

    4. Run accounting-mode radius

      The accounting mode is set to RADIUS.

      By default, the accounting mode is none.

    5. (Optional) Configure policies for accounting failures.

      • Configure a policy for accounting-start failures.

        Run accounting start-fail { offline | online }

        A policy for accounting-start failures is configured.

        By default, users cannot go online if accounting-start fails.

      • Configure a policy for real-time accounting failures.

        1. Run accounting realtime interval

          The real-time accounting function is enabled, and the interval for real-time accounting is configured.

          By default, the device performs accounting based on the user online duration, and the real-time accounting function is disabled.

        2. Run accounting interim-fail [ max-times times ] { offline | online }

          The maximum number of consecutive real-time accounting failures is configured, together with the policy (keep users online or log them off) applied once that number is exceeded.

          By default, the maximum number of real-time accounting failures is 3, and the device keeps users online after the number of real-time accounting failures exceeds the maximum.

      • Configure a policy for accounting-stop failures.

        1. Run quit

          Return to the AAA view.

        2. Run quit

          Return to the system view.

        3. Run radius-server template template-name

          The RADIUS server template view is displayed.

        4. Run radius-server accounting-stop-packet resend [ resend-times ]

          Retransmission of accounting-stop packets is enabled, and the maximum number of times each accounting-stop packet can be retransmitted is configured.

          By default, retransmission of accounting-stop packets is enabled, and the maximum number of retransmissions is 3.

    6. (Optional) Run quit

      Return to the system view.

    7. (Optional) Run authentication-profile name authentication-profile-name

      The authentication profile view is displayed.

      By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

      NOTE:

      Only the NAC unified mode supports this command.

    8. (Optional) Run authentication update-ip-accounting enable

      The device is configured to send accounting packets upon address updating.

      By default, the device sends accounting packets upon address updating.

      NOTE:

      Only the NAC unified mode supports this command.
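
The procedure above carried through end to end, as an added example that is not taken from the Huawei document: an authentication scheme that uses RADIUS with local authentication as the backup, account locking for remote AAA users, an accounting scheme that uses RADIUS with explicit accounting-failure policies, and retransmission of accounting-stop packets in the RADIUS server template. The scheme names (radius_authen, radius_acct), the template name (rad_tmpl), the numeric values and the view prompts (which assume the default system name HUAWEI) are constructed for illustration. The RADIUS server addresses and shared key belong to the server template and are configured by commands outside this section, so they are omitted here.

```text
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme radius_authen
[HUAWEI-aaa-authen-radius_authen] authentication-mode radius local
[HUAWEI-aaa-authen-radius_authen] quit
[HUAWEI-aaa] remote-aaa-user authen-fail retry-interval 5 retry-time 3 block-time 30
[HUAWEI-aaa] accounting-scheme radius_acct
[HUAWEI-aaa-accounting-radius_acct] accounting-mode radius
[HUAWEI-aaa-accounting-radius_acct] accounting start-fail offline
[HUAWEI-aaa-accounting-radius_acct] accounting realtime 15
[HUAWEI-aaa-accounting-radius_acct] accounting interim-fail max-times 3 online
[HUAWEI-aaa-accounting-radius_acct] quit
[HUAWEI-aaa] quit
[HUAWEI] radius-server template rad_tmpl
[HUAWEI-radius-rad_tmpl] radius-server accounting-stop-packet resend 3
[HUAWEI-radius-rad_tmpl] quit
[HUAWEI] display authentication-scheme radius_authen
[HUAWEI] display accounting-scheme radius_acct
```

Design choices in this example: `authentication-mode radius local` falls back to the local user database only when the RADIUS servers do not respond, not when they reject a user, so local accounts still need strong credentials because they become the effective control during a RADIUS outage; `local`, rather than the `none` backup that the NOTE in the Context section warns about, keeps authentication in place. The `remote-aaa-user authen-fail` settings lock a remote AAA account after 3 consecutive failures within a 5-minute window for 30 minutes, bounding online password guessing against RADIUS accounts; a legitimately locked user is released with `remote-user authen-fail unblock username <name>`. `accounting start-fail offline` (the default, stated explicitly) refuses access when no accounting-start record can be written, while `accounting interim-fail max-times 3 online` (also the default) keeps already-authenticated users connected through a short accounting-server outage; switch it to `offline` only where an unbroken accounting trail matters more than availability. The two `display` commands at the end confirm the resulting scheme configuration.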

Verifying the Configuration

  • Run the display authentication-scheme [ authentication-scheme-name ] command to view the authentication scheme configuration.
  • Run the display accounting-scheme [ accounting-scheme-name ] command to view the accounting scheme configuration.
Updated: 2019-08-21

Document ID: EDOC1000141885