S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Example for Configuring Authentication for Telnet Login Users (RADIUS Authentication)


Networking Requirements

On the network shown in Figure 1-29, the network administrator of an enterprise needs to log in to the remote device from the VTY user interface through Telnet and manage the device using RADIUS authentication. The requirements are as follows:

  1. The administrator enters the correct user name and password to log in to the device through Telnet.
  2. After logging in to the device through Telnet, the administrator can run the commands at levels 0-15.

Figure 1-29  Configuring authentication for Telnet login users (RADIUS authentication)

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable the Telnet server function.
  2. Configure AAA authentication for the VTY user interface.
  3. Configure RADIUS authentication, including creating a RADIUS server template, an AAA authentication scheme, and a service scheme, and applying the schemes to a domain.
  4. Configure the domain to which the administrator belongs as the global default management domain.

NOTE:
  • Ensure that the devices are routable before the configuration.
  • If the RADIUS server does not accept user names that contain the domain name, run the undo radius-server user-name domain-included command in the RADIUS server template view to configure the device to send packets that do not contain the domain name to the RADIUS server.
  • After the domain is set as the global default management domain, the administrator uses the AAA configuration information in that domain when the user name carries this domain name or carries no domain name.
  • After the undo radius-server user-name domain-included command is run, the device changes only the user name format in the sent packet, and the domain to which the user belongs is not affected. For example, after this command is run, the user with the user name user@huawei.com still uses AAA configuration information in the domain named huawei.com.

Procedure

  1. Enable the Telnet server function.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] telnet server enable
    

  2. Configure AAA authentication for the VTY user interface.

    [Switch] user-interface maximum-vty 15
    [Switch] user-interface vty 0 14
    [Switch-ui-vty0-14] authentication-mode aaa  
    [Switch-ui-vty0-14] protocol inbound telnet  
    [Switch-ui-vty0-14] quit
    

  3. Configure RADIUS authentication.

    # Configure a RADIUS server template for communication between the device and RADIUS server.

    [Switch] radius-server template 1
    [Switch-radius-1] radius-server authentication 10.1.6.6 1812
    [Switch-radius-1] radius-server shared-key cipher Huawei@123
    [Switch-radius-1] quit
    

    # Configure an AAA authentication scheme and set the authentication mode to RADIUS.

    [Switch] aaa
    [Switch-aaa] authentication-scheme sch1
    [Switch-aaa-authen-sch1] authentication-mode radius
    [Switch-aaa-authen-sch1] quit
    

    # Set the user level to 15.

    [Switch-aaa] service-scheme sch1
    [Switch-aaa-service-sch1] admin-user privilege level 15
    [Switch-aaa-service-sch1] quit
    

    # Apply the AAA authentication scheme, RADIUS server template, and service scheme to a domain.

    [Switch-aaa] domain huawei.com
    [Switch-aaa-domain-huawei.com] authentication-scheme sch1
    [Switch-aaa-domain-huawei.com] radius-server 1
    [Switch-aaa-domain-huawei.com] service-scheme sch1
    [Switch-aaa-domain-huawei.com] quit
    [Switch-aaa] quit
    

  4. Configure the domain to which the administrator belongs as the global default management domain so that the administrator does not need to enter the domain name when logging in to the device through Telnet.

    [Switch] domain huawei.com admin
    

  5. Verify the configuration.

    # Run the test-aaa command on the device to test whether the administrator can pass the RADIUS authentication.

    [Switch] test-aaa user1 Huawei@1234 radius-template 1

    # Choose Start > Run on your computer and enter cmd to open the cmd window. Run the telnet command and enter the user name user1 and password Huawei@1234 to log in to the device through Telnet.

    C:\Documents and Settings\Administrator> telnet 10.1.2.10
    Username:user1
    Password:***********

Configuration Files

Switch configuration file

#
sysname Switch
#
domain huawei.com admin 
#
telnet server enable
#
radius-server template 1                                                        
 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
 radius-server authentication 10.1.6.6 1812 weight 80                           
#
aaa
 authentication-scheme sch1    
  authentication-mode radius  
 service-scheme sch1             
  admin-user privilege level 15
 domain huawei.com            
  authentication-scheme sch1     
  service-scheme sch1 
  radius-server 1      
# 
user-interface maximum-vty 15  
user-interface vty 0 14          
 authentication-mode aaa  
 protocol inbound telnet          
#
return 
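
A consistency check for a saved configuration like the file above, written in Python as an added example (it is not part of the Huawei guide or any Huawei tool). It reports a domain that references an authentication scheme, service scheme, or RADIUS server template that is not defined, a global default management domain that does not exist under aaa, and a VTY user interface without authentication-mode aaa. The function name audit, the abridged sample, and the one-space-per-level indentation rule are assumptions taken from the file shown here.

```python
# Constructed sample: abridged from the configuration file on this page; the
# encrypted shared key is replaced by a placeholder.
SAMPLE = """\
domain huawei.com admin
#
radius-server template 1
 radius-server shared-key cipher <encrypted-key-placeholder>
 radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
 authentication-scheme sch1
  authentication-mode radius
 service-scheme sch1
  admin-user privilege level 15
 domain huawei.com
  authentication-scheme sch1
  service-scheme sch1
  radius-server 1
#
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
#
"""
REF_KINDS = ("authentication-scheme", "service-scheme", "radius-server")

def audit(config):
    """Return findings; an empty list means every reference resolves."""
    path, defs, refs, vty = [], set(), [], {}
    for raw in config.splitlines():
        text = raw.strip()
        if text in ("", "#", "return"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))  # one space per nesting level
        path, words = path[:depth] + [text], text.split()
        if depth == 0 and words[:2] == ["radius-server", "template"] and len(words) == 3:
            defs.add(("radius-server", words[2]))
        elif depth == 0 and len(words) == 3 and words[0] == "domain" and words[2] == "admin":
            refs.append(("domain", words[1], "global default management domain"))
        elif depth == 0 and words[:2] == ["user-interface", "vty"]:
            vty[text] = False
        elif depth == 1 and path[0] == "aaa" and len(words) == 2:
            defs.add((words[0], words[1]))  # scheme and domain definitions
        elif depth == 1 and path[0] in vty and text == "authentication-mode aaa":
            vty[path[0]] = True
        elif depth == 2 and len(words) == 2 and words[0] in REF_KINDS:
            if path[0] == "aaa" and path[1].startswith("domain "):
                refs.append((words[0], words[1], path[1]))
    out = [f"{w}: {k} {n} is not defined" for k, n, w in refs if (k, n) not in defs]
    return out + [f"{ui}: authentication-mode aaa is missing" for ui, ok in vty.items() if not ok]
```
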

Related Information

AAA Attribute Query Tool

This tool provides details about AAA attributes of switches. You do not need to register a Huawei account before using this tool.


Updated: 2019-08-21

Document ID: EDOC1000141885
