
Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
RADIUS Configuration Commands

authentication-type

Function

The authentication-type command sets the RADIUS authentication type to Microsoft Challenge Handshake Authentication Protocol version 1 (MSCHAPv1).

The undo authentication-type command restores the default settings.

By default, the RADIUS authentication type is PAP.

Format

authentication-type radius mschapv1

undo authentication-type radius mschapv1

Parameters

Parameter

Description

Value

radius

Indicates RADIUS authentication.

-

mschapv1

Indicates the MSCHAPv1 authentication type.

-

Views

Authentication scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

MSCHAPv1 is an encryption and authentication protocol used by a remote client to access a remote server. The remote server sends the remote client a challenge message carrying a session ID and a random challenge string. The remote client passes authentication only after it returns a response message carrying the user name, the Message Digest 4 (MD4) hash of the received challenge string, the session ID, and the password encrypted with the one-way MD4 hash algorithm. This authentication method ensures that the password is not transmitted in plain text over the network.

To set the RADIUS authentication type to MSCHAPv1, run the authentication-type command.

Precautions

MSCHAPv1 authentication uses insecure MD4 or DES as the encryption algorithm, posing security risks.

Example

# Set the RADIUS authentication type to MSCHAPv1.

<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme scheme1
[*HUAWEI-aaa-authen-scheme1] authentication-type radius mschapv1

display radius attribute

Function

The display radius attribute command displays the RADIUS attributes supported by the device.

Format

display radius attribute [ name attribute-name | type { huawei | standard | microsoft } attribute-id ]

Parameters

Parameter

Description

Value

name attribute-name

Displays a specified RADIUS attribute. attribute-name specifies the name of the RADIUS attribute.

The value is a string of 1 to 64 characters.

type { huawei | standard | microsoft } attribute-id
Displays the RADIUS attribute of a specified type:
  • huawei attribute-id specifies a Huawei attribute.
    NOTE:
    The RADIUS protocol has good extensibility. The No. 26 attribute (Vendor-Specific) defined in RFC2865 is used to extend RADIUS to implement the functions not supported by standard RADIUS attributes. Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei is 2011.
  • standard attribute-id specifies a standard attribute.
  • microsoft attribute-id specifies a Microsoft attribute.
The value of attribute-id is an integer that ranges from 1 to 2048.
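As an added illustration of the attribute types in the parameter table above (this is not code from the Huawei documentation), the following Python parses a RADIUS attribute list, unpacks attribute 26 (Vendor-Specific) and classifies each attribute as standard, huawei (vendor ID 2011) or microsoft. The Microsoft vendor ID 311, the sample packet and the Huawei sub-attribute in it are supplied here, not by the page.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

VENDOR_SPECIFIC = 26        # RFC 2865 attribute 26 (Vendor-Specific), as the page notes
VENDOR_ID_HUAWEI = 2011     # Huawei vendor ID, from the page
VENDOR_ID_MICROSOFT = 311   # Microsoft's IANA enterprise number (known value, not on the page)

# Standard attribute names taken from the page's "display radius attribute" output.
STANDARD_NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
                  4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type"}


@dataclass
class RadiusAttribute:
    attr_type: int                   # standard type, or the vendor sub-type for a VSA
    value: bytes
    vendor_id: Optional[int] = None  # set only for attributes unpacked from a VSA

    @property
    def kind(self) -> str:
        """Classify the attribute as 'display radius attribute type' does."""
        if self.vendor_id is None:
            return "standard"
        if self.vendor_id == VENDOR_ID_HUAWEI:
            return "huawei"
        if self.vendor_id == VENDOR_ID_MICROSOFT:
            return "microsoft"
        return "vendor-%d" % self.vendor_id

    @property
    def name(self) -> str:
        if self.vendor_id is None:
            # The device's own output lists unrecognised types as Unknown-Attribute.
            return STANDARD_NAMES.get(self.attr_type, "Unknown-Attribute")
        return "%s-VSA-%d" % (self.kind, self.attr_type)


def _walk_tlvs(data: bytes):
    """Yield (type, value) pairs from a type-length-value list, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        # Length counts the two header bytes; shorter or overlong values are malformed.
        if length < 2 or pos + length > len(data):
            raise ValueError("bad length %d for type %d at offset %d" % (length, attr_type, pos))
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def parse_attributes(data: bytes) -> List[RadiusAttribute]:
    """Parse the attribute section of a RADIUS packet, unpacking Vendor-Specific (26)."""
    attrs: List[RadiusAttribute] = []
    for attr_type, value in _walk_tlvs(data):
        if attr_type != VENDOR_SPECIFIC:
            attrs.append(RadiusAttribute(attr_type, value))
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute shorter than its Vendor-Id field")
        vendor_id = struct.unpack("!I", value[:4])[0]
        # The vendor payload is itself a list of (vendor-type, length, value) triples.
        for sub_type, sub_value in _walk_tlvs(value[4:]):
            attrs.append(RadiusAttribute(sub_type, sub_value, vendor_id))
    return attrs


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one TLV (used here only to build the constructed sample)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def encode_vsa(vendor_id: int, sub_type: int, sub_value: bytes) -> bytes:
    """Wrap one vendor sub-attribute in a Vendor-Specific (26) attribute."""
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + encode_attr(sub_type, sub_value))


# Constructed sample: an Access-Request attribute list with one Huawei VSA. Sub-type 1
# and its value are made up for the example, not a real Huawei attribute definition.
SAMPLE_ATTRIBUTES = (
    encode_attr(1, b"alice")
    + encode_attr(4, bytes([10, 0, 0, 1]))
    + encode_attr(6, struct.pack("!I", 2))
    + encode_vsa(VENDOR_ID_HUAWEI, 1, b"constructed-value")
)


def summarize(data: bytes) -> List[str]:
    """Return 'Name(kind)' labels, mirroring the device's Name(Type) column."""
    return ["%s(%s)" % (a.name, a.kind) for a in parse_attributes(data)]


if __name__ == "__main__":
    for label in summarize(SAMPLE_ATTRIBUTES):
        print(label)
```

A length that runs past the buffer or below the two header bytes is rejected rather than silently skipped, which is the check a receiver needs before trusting any attribute it parses.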

Views

All views

Default Level

3: Management level

Usage Guidelines

Before connecting the device to a RADIUS server, run the display radius attribute command to view the RADIUS attributes supported by the device. If the command output shows that the device and the RADIUS server support different RADIUS attributes, run the radius attribute disable command on the device to disable the RADIUS attributes that the RADIUS server does not support.

Example

# Display the RADIUS attributes supported by the device.

<HUAWEI> display radius attribute
  Codes: Auth(Authentication), Acct(Accounting)
         Req(Request), Accp(Accept), Rej(Reject)
         Resp(Response), COA(Change-of-Authorization)
         0(Can not be existed in this packet)
         1(Can be existed in this packet)
------------------------------------------------------------------------------
Attribute                        Service   Auth Auth Auth Acct Acct COA COA
Name(Type)                       Type      Req  Accp Rej  Req  Resp Req Ack
------------------------------------------------------------------------------
User-Name(1)                     All       1    1    0    1    0    1    1
User-Password(2)                 All       1    0    0    0    0    0    0
CHAP-Password(3)                 All       1    0    0    0    0    0    0
NAS-IP-Address(4)                All       1    0    0    1    0    1    1
NAS-Port(5)                      All       1    0    0    1    0    1    1
Service-Type(6)                  All       1    1    0    1    0    0    0
......
NOTE:

The preceding information is an example. The displayed attribute type depends on the actual situation.

Table 16-24  Description of the display radius attribute command output

Item

Description

Attribute Name(Type)

Attribute name and type.

Service Type

Protocol type of the attribute.

Auth Req

Authentication request packet.

Auth Accp

Authentication accept packet.

Auth Rej

Authentication reject packet.

Acct Req

Accounting request packet.

Acct Resp

Accounting response packet.

COA Req

Change of Authorization (COA) request packet.

COA Ack

COA acknowledgement packet.

# Display the RADIUS attribute numbered 2.

<HUAWEI> display radius attribute type standard 2
 Radius Attribute Type        : 2
 Radius Attribute Name        : User-Password
 Radius Attribute Description :  This Attribute indicates the password of the user to be authenticated. Only valid for the PAP authentication.
 Supported Packets            : Auth Request  
Table 16-25  Description of the display radius attribute type standard attribute-id command output

Item

Description

Radius Attribute Type

Type of the RADIUS attribute.

Radius Attribute Name

Name of the RADIUS attribute.

Radius Attribute Description

Description of the RADIUS attribute.

Supported Packets

Packets that support the RADIUS attribute.

display radius attribute packet-count

Function

The display radius attribute packet-count command displays the count of attributes in RADIUS packets.

Format

display radius attribute packet-count

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

The display radius attribute packet-count command displays counts of attributes in RADIUS packets, which helps locate RADIUS authentication or accounting problems on the live network.

The following packet types are supported:
  • Authentication request (AuthReq)
  • Authentication accept (AuthAccp)
  • Authentication reject (AuthRej)
  • Accounting request (AcctReq)
  • Accounting response (AcctResp)
  • COA request (COAReq)
  • COA Acknowledgement (COAAck)
NOTE:

The tilde (~) indicates that the attribute is not supported in that packet type in the current version. For example, the NAS-Port attribute should not appear in an Authentication accept packet.

Example

# Display the count of attributes in RADIUS packets.

<HUAWEI> display radius attribute packet-count
-------------------------------------------------------------------------------------------------  
AttributeName(Type)                     ServiceType  AuthReq     AuthAccp    AuthRej     AcctReq 
                                        AcctResp     COAReq      COAAck         
-------------------------------------------------------------------------------------------------  
Unknown-Attribute                       ALL           0           0           0           0       
                                         0            ~0          ~0            
                                                                                
User-Name(1)                            ALL           0           0           ~0          0       
                                         ~0           0           ~0            
                                                                                
User-Password(2)                        ALL           0           ~0          ~0          ~0      
                                         ~0           ~0          ~0            
                                                                                
CHAP-Password(3)                        ALL           0           ~0          ~0          ~0      
                                         ~0           ~0          ~0            
                                                                                
NAS-IP-Address(4)                       ALL           0           ~0          ~0          0      
                                         ~0           ~0          ~0            
                                                                                
Service-Type(6)                         ALL           0           0           ~0          ~0     
                                         ~0           0           ~0            
......
NOTE:

The preceding information is an example. The displayed attribute type depends on the actual situation.

Table 16-26  Description of the display radius attribute packet-count command output

Item

Description

AttributeName(Type)

Attribute name and type.

ServiceType

Protocol type of the attribute.

AuthReq

Authentication request packet.

AuthAccp

Authentication accept packet.

AuthRej

Authentication reject packet.

AcctReq

Accounting request packet.

AcctResp

Accounting response packet.

COAReq

Change of Authorization (COA) request packet.

COAAck

COA acknowledgement packet.

display radius current-status

Function

The display radius current-status command displays the current RADIUS status.

Format

display radius current-status [ group group-name ]

Parameters

Parameter

Description

Value

group group-name

Specifies the name of a RADIUS server group.

The RADIUS server group must exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

The display radius current-status command displays the current status of the RADIUS client, the client identifier, and the global pending requests on this device.

To check whether new users have sent requests in the server group, view the total number of pending requests.

Example

# Display the current status of the huawei group.

<HUAWEI> display radius current-status group huawei
 Info: * means current server.                                                                                                      
----------------------------------------------------------------------------------------------------------------------------------- 
 Type       Address                                       Port      State     Pending Request    VPN                                
----------------------------------------------------------------------------------------------------------------------------------- 
 Auth       1.1.1.1                                       1         Up        0                  -                                  
 Auth       1.1.1.2                                       1         Up        0                  -                                  
----------------------------------------------------------------------------------------------------------------------------------- 
Table 16-27  Description of the display radius current-status group group-name command output.

Item

Description

Type

Type of RADIUS server.

Address

RADIUS server IP address.

Port

RADIUS server port.

State

RADIUS server state. It can be one of the following:
  • Up
  • Down
  • Probe
  • Stale
Pending Request

Total number of pending requests.

VPN

Bound VPN.

# Display the current status of RADIUS client.

<HUAWEI> display radius current-status
-------------------------------------------------------------------------------------------------
RADIUS client                             :   Disabled                          
RADIUS COA server                         :   Disabled                          
Client identifier                         :   HUAWEI0    
Total authentication pending request      :   1024     
Total accounting pending request          :   0
Dead count                                :   10
Dead interval                             :   5
Dead time                                 :   3 
-------------------------------------------------------------------------------------------------
Table 16-28  Description of the display radius current-status command output.

Item

Description

RADIUS client
RADIUS client state. It can be one of the following:
  • Enabled
  • Disabled
RADIUS COA server
RADIUS authorization server state. It can be one of the following:
  • Enabled
  • Disabled
Client identifier

Client identifier.

Total authentication pending request

Total number of authentication pending requests for RADIUS client.

Total accounting pending request

Total number of accounting pending requests for RADIUS client.

Dead count

Displays the number of times the RADIUS server fails to respond to the packets from the RADIUS Client.

Dead interval

Displays the interval, in seconds, between the first and the last packets from the RADIUS client that received no response.

Dead time

Displays the RADIUS server recovery time, in minutes.

display radius server authorization configuration

Function

The display radius server authorization configuration command displays the configuration of RADIUS authorization servers.

Format

display radius server authorization configuration

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

After running the radius server authorization command to configure an authorization server, run the display radius server authorization configuration command to check whether the authorization server configuration is correct.

Example

# Display the configuration of RADIUS authorization servers.

<HUAWEI> display radius server authorization configuration
----------------------------------------------------------------------------------------------------------------------------------- 
IP Address                                  vpn-instance                    shared key       Ack reserved interval                  
----------------------------------------------------------------------------------------------------------------------------------- 
10.2.3.4                                     -                               **************** 0                                      
----------------------------------------------------------------------------------------------------------------------------------- 
1 Radius authorization server(s) in total 
Table 16-29  Description of the display radius server authorization configuration command output

Item

Description

IP Address

IP address of a RADIUS authorization server.

vpn-instance

Name of the VPN instance that the RADIUS authorization server is bound to.

shared key

Shared key of the RADIUS authorization server.

Ack reserved interval

Holdtime of RADIUS authorization response packets.

display radius server configuration

Function

The display radius server configuration command displays the configurations of RADIUS server groups.

Format

display radius server configuration [ group group-name ]

Parameters

Parameter

Description

Value

group group-name

Specifies the name of a RADIUS server group.

If this parameter is not specified, the configuration of all the RADIUS server groups is displayed.

The RADIUS server group must exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

The display radius server configuration command output helps you check the configuration of RADIUS server groups or isolate RADIUS faults.

Example

# Display the configuration of the RADIUS server group huawei.

<HUAWEI> display radius server configuration group huawei
-----------------------------------------------------------------------------
Server group name                   :  huawei
Protocol version                    :  standard
Shared secret key                   :  ****************
Timeout interval(in second)         :  5
Primary authentication server       :  10.164.155.13-1812:-:-:-
Primary accounting server           :  10.10.10.5-1000:-:-:-
Secondary authentication server     :  10.10.10.7-1000:-:-:-
Secondary accounting server         :  10.10.10.6-1000:-:-:-
Retransmission                      :  3
Domain included                     :  YES
Mode                                :  Pri-secondary
Source interface                    :  LoopBack1   
NAS-IP-Address                      :  1.2.3.4   
-----------------------------------------------------------------------------
Table 16-30  Description of the display radius server configuration group command output.

Item

Description

Server group name

Name of a RADIUS server group.

Protocol version

Version of RADIUS.

Shared secret key

Shared key.

Timeout interval(in second)

Response timeout interval of the RADIUS server.

Primary authentication server

Primary authentication server.

Primary accounting server

Primary accounting server.

Secondary authentication server

Secondary authentication server.

Secondary accounting server

Secondary accounting server.

Retransmission

Number of times that RADIUS packets are retransmitted.

Domain included

Whether the user name includes the domain name:
  • Yes
  • No

Mode

Working mode in a server group. There are two working modes:
  • Pri-secondary
  • Load-balance

Source interface

Source interface used by the device to send RADIUS packets.

To specify the parameter, run the radius server source interface command.

NAS-IP-Address

NAS IP address used by the device to send RADIUS packets.

To specify the parameter, run the radius server nas-ip-address command.

mode load-balance

Function

The mode load-balance command switches a RADIUS server group from active/standby mode to load-balance mode.

The undo mode load-balance command restores the default setting.

By default, a RADIUS server group works in active/standby mode.

Format

mode load-balance

undo mode load-balance

Parameters

None

Views

RADIUS server group view

Default Level

3: Management level

Usage Guidelines

You can verify the configuration by using the display radius server configuration command.

Example

# Configure load-balance mode for the RADIUS server group htipl.

<HUAWEI> system-view
[~HUAWEI] radius server group htipl
[*HUAWEI-radius-htipl] mode load-balance

radius enable

Function

The radius enable command starts the RADIUS client services.

The undo radius enable command stops the RADIUS client services.

By default, the RADIUS service is disabled.

Format

radius enable

undo radius enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

After the radius enable command is executed, the RADIUS client starts serving AAA authentication requests.

After the undo radius enable command is executed, the RADIUS client stops serving AAA authentication requests. If the undo radius enable command is run while a user is undergoing RADIUS authentication, the command does not take effect.

Example

# Enable the RADIUS client.

<HUAWEI> system-view
[~HUAWEI] radius enable

radius attribute disable

Function

The radius attribute disable command disables RADIUS attributes.

The undo radius attribute disable command restores the default setting.

By default, no RADIUS attribute is disabled.

Format

radius attribute disable attribute-name { receive | send } *

radius attribute disable attribute-name { access-accept | access-request | account [ start ] } *

radius attribute disable attribute-name { bin string | integer integer | ip ip-address | string string } receive

undo radius attribute disable [ attribute-name [ { bin string | integer integer | ip ip-address | string string } receive ] ]

Parameters

Parameter

Description

Value

attribute-name

Specifies the name of a RADIUS attribute.

The value is a string of 1 to 64 characters.

receive

Disables RADIUS attributes for received packets.

-

send

Disables RADIUS attributes for sent packets.

-

access-accept

Disables the RADIUS attributes for Access-Accept packets.

-

access-request

Disables the RADIUS attributes for Access-Request packets.

-

account

Disables the RADIUS attributes for accounting packets.

-

start

Disables the RADIUS attributes for Accounting-Start packets.

-

bin string

Specifies a value in binary format.

The device disables a RADIUS attribute only when the attribute value is the same as the specified value in binary format.

The value is in binary format and ranges from 1 to 254.

integer integer

Specifies an integer.

The device disables a RADIUS attribute only when the attribute value is the same as the specified integer.

The value is an integer that ranges from 0 to 4294967295.

ip ip-address

Specifies an IP address.

The device disables a RADIUS attribute only when the attribute value is the same as the specified IP address.

The value is in dotted decimal notation.

string string

Specifies a character string.

The device disables a RADIUS attribute only when the attribute value is the same as the specified character string.

The value is a string of 1 to 254 characters.

Views

RADIUS server group view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Generally, a RADIUS server connects to multiple network devices, which may come from one vendor or from different vendors. If some vendors' devices require the RADIUS server to deliver an attribute to support a specific feature but other vendors' devices do not support the delivered attribute, the RADIUS attribute may fail to be parsed.

The device may also communicate with RADIUS servers of different vendors. Some RADIUS servers require the device to send certain attributes, while other RADIUS servers cannot process those attributes, so errors may occur.

The radius attribute disable command disables RADIUS attributes on the device. You can configure the device to ignore incompatible attributes in received RADIUS packets, which prevents parsing failures. You can also disable RADIUS attributes for sent RADIUS packets: the device then does not encapsulate the disabled RADIUS attributes in the RADIUS packets it sends.

Prerequisites

The RADIUS attribute translation function has been enabled using the radius server attribute translate command.

Precautions

Before disabling RADIUS attributes, run the display radius attribute command to view the RADIUS attributes supported by the device.

Example

# Disable the Framed-Route attribute in sent packets.

<HUAWEI> system-view
[~HUAWEI] radius server group test1
[*HUAWEI-radius-test1] radius server attribute translate
[*HUAWEI-radius-test1] radius attribute disable framed-route send
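The filtering that the usage guidelines and the command forms above describe, modelled as an added Python example (not Huawei code): each form of radius attribute disable becomes a rule applied to a packet's attributes, and the support matrix from the display radius attribute output flags attributes that should not appear in a packet type at all (the "~" counters of display radius attribute packet-count). The rules other than framed-route send, the sample packets, the hex form of the bin value, and the mapping of packet types to the send or receive direction are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Packet columns and support matrix copied from the page's "display radius attribute"
# output (1 = may appear, 0 = must not appear; the packet-count output shows 0 as "~").
PACKETS = ("AuthReq", "AuthAccp", "AuthRej", "AcctReq", "AcctResp", "COAReq", "COAAck")
SUPPORT = {
    "User-Name":      (1, 1, 0, 1, 0, 1, 1),
    "User-Password":  (1, 0, 0, 0, 0, 0, 0),
    "CHAP-Password":  (1, 0, 0, 0, 0, 0, 0),
    "NAS-IP-Address": (1, 0, 0, 1, 0, 1, 1),
    "NAS-Port":       (1, 0, 0, 1, 0, 1, 1),
    "Service-Type":   (1, 1, 0, 1, 0, 0, 0),
}
# Assumption: packets the device (as NAS) sends; every other packet type is received.
SENT_BY_DEVICE = {"AuthReq", "AcctReq", "COAAck"}
# CLI packet keywords of 'radius attribute disable' mapped to the output columns.
KEYWORD_TO_PACKET = {"access-request": "AuthReq", "access-accept": "AuthAccp", "account": "AcctReq"}

Attr = Tuple[str, object]  # (attribute name, decoded value: str, int, bytes or IP address)


@dataclass(frozen=True)
class DisableRule:
    """One 'radius attribute disable <name> ...' line, in the three forms the page lists."""
    name: str
    directions: frozenset = frozenset()       # { receive | send } *
    packet_types: frozenset = frozenset()     # { access-accept | access-request | account [ start ] } *
    match: Optional[Tuple[str, object]] = None  # ("bin"|"integer"|"ip"|"string", value) ... receive


def value_matches(match: Tuple[str, object], value: object) -> bool:
    """Compare an attribute value with the value form given in a receive rule."""
    kind, wanted = match
    if kind == "integer":
        return isinstance(value, int) and value == wanted
    if kind == "ip":
        return value == ipaddress.ip_address(wanted)
    if kind == "string":
        return value == wanted
    if kind == "bin":  # assumption: rule value given as hex text, attribute value as raw bytes
        return value == bytes.fromhex(wanted)
    raise ValueError("unknown match kind %r" % kind)


def rule_applies(rule: DisableRule, attr: Attr, packet: str, acct_start: bool) -> bool:
    name, value = attr
    if rule.name.lower() != name.lower():
        return False
    direction = "send" if packet in SENT_BY_DEVICE else "receive"
    if rule.match is not None:  # the value-conditional form only exists for received packets
        return direction == "receive" and value_matches(rule.match, value)
    if direction in rule.directions:
        return True
    keyword = next((k for k, p in KEYWORD_TO_PACKET.items() if p == packet), None)
    if keyword in rule.packet_types:
        return True
    # 'account start' narrows the accounting form to Accounting-Start records.
    return packet == "AcctReq" and acct_start and "account-start" in rule.packet_types


def filter_packet(attrs: List[Attr], packet: str, rules, acct_start: bool = False):
    """Split a packet's attributes into those kept and those the rules disable."""
    kept: List[Attr] = []
    dropped: List[Attr] = []
    for attr in attrs:
        if any(rule_applies(r, attr, packet, acct_start) for r in rules):
            dropped.append(attr)
        else:
            kept.append(attr)
    return kept, dropped


def unexpected_attributes(attrs: List[Attr], packet: str) -> List[str]:
    """Names the support matrix marks 0 for this packet type (the '~' counters)."""
    col = PACKETS.index(packet)
    return [name for name, _ in attrs if name in SUPPORT and SUPPORT[name][col] == 0]


# Constructed rules: the page's own 'framed-route send' example plus two assumed ones.
RULES = (
    DisableRule("framed-route", directions=frozenset({"send"})),
    DisableRule("nas-port", packet_types=frozenset({"access-accept"})),
    DisableRule("service-type", match=("integer", 2)),
)
# Constructed packets; the values are made up for the example.
ACCESS_REQUEST: List[Attr] = [("User-Name", "alice"), ("User-Password", b"\x00" * 16),
                              ("NAS-IP-Address", ipaddress.ip_address("10.0.0.1")),
                              ("Framed-Route", "10.1.0.0/16 0.0.0.0")]
ACCESS_ACCEPT: List[Attr] = [("User-Name", "alice"), ("Service-Type", 2), ("NAS-Port", 7)]

if __name__ == "__main__":
    print(filter_packet(ACCESS_REQUEST, "AuthReq", RULES))
    print(filter_packet(ACCESS_ACCEPT, "AuthAccp", RULES))
    print(unexpected_attributes(ACCESS_ACCEPT, "AuthAccp"))
```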

radius server group (AAA domain view)

Function

The radius server group command applies a RADIUS server group to a domain.

The undo radius server group command unbinds a RADIUS server group from a domain.

By default, no RADIUS server group is applied to a domain.

Format

radius server group group-name

undo radius server group

Parameters

Parameter

Description

Value

group-name

Specifies the name of a RADIUS server group.

The RADIUS server group must exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform RADIUS authentication and accounting for users in a domain, apply a RADIUS server group to the domain. A RADIUS server group takes effect only after the RADIUS server group is applied to a domain.

Prerequisites

A RADIUS server group has been created using the radius server group command.

Example

# Apply the RADIUS server group template1 to the domain radius1.

<HUAWEI> system-view
[~HUAWEI] radius server group template1
[*HUAWEI-radius-template1] quit
[*HUAWEI] aaa
[*HUAWEI-aaa] domain radius1
[*HUAWEI-aaa-domain-radius1] radius server group template1

radius server accounting

Function

The radius server accounting command configures the RADIUS accounting server.

The undo radius server accounting command deletes the configuration.

By default, no RADIUS accounting server is configured.

Format

radius server accounting ip-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * [ secondary ]

radius server accounting hostname hostname port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * [ secondary ]

radius server accounting ipv6-address port [ shared-key key-string | shared-key-cipher cipher-string ] [ secondary ]

radius server accounting retransmit retransmit-number timeout timeout-value

undo radius server accounting [ ip-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } ] * secondary ]

undo radius server accounting [ hostname hostname port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } ] * secondary ]

undo radius server accounting [ ipv6-address port secondary ]

undo radius server accounting retransmit timeout

Parameters

Parameter

Description

Value

ip-address

Specifies the IPv4 address of a server.

The value is in dotted decimal notation and must be a valid unicast address.

hostname hostname

Specifies the host name of a server.

The value is a string of 1 to 255 case-sensitive characters, without spaces. It can be any combination of letters, digits, periods (.), hyphens (-), and underscores (_), and must contain at least one letter or digit.

ipv6-address

Specifies the IPv6 address of a server.

The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

port

Specifies the port number of a server.

The value is an integer that ranges from 1 to 65535.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance.

The VPN instance must exist.

source interface-type interface-number

Specifies the source interface type and interface number.

The interface must have been configured with an IP address.

source ip-address ip-address

Specifies the source IP address of a server.

The value is a valid unicast address in dotted decimal notation.

shared-key key-string

Specifies the shared key in plain text.

The value is a string of 1 to 128 case-sensitive characters, without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

shared-key-cipher cipher-string

Specifies the shared key in plain or cipher text.

In the case of a plain text password, the value is a string of 1 to 128 case-sensitive characters, without spaces. In the case of a cipher text password, the value is a string of 24 or 32 to 268 case-sensitive characters, without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

secondary

If this parameter is specified, the secondary RADIUS accounting server is configured. If this parameter is not specified, the primary RADIUS accounting server is configured.

-

retransmit retransmit-number

Specifies the number of times to retransmit the accounting request.

The value is an integer that ranges from 1 to 5.

timeout timeout-value

Specifies the timeout value for the accounting request.

The value is an integer that ranges from 3 to 25, in seconds.

Views

RADIUS server group view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform accounting for users, configure a RADIUS accounting server. The device uses the RADIUS protocol to communicate with the RADIUS accounting server to obtain accounting information, and performs accounting for users based on that information. The device sends accounting packets to a RADIUS accounting server only after the IP address and port number of the server have been specified in the RADIUS server group using the radius server accounting command.

Precautions

The IP address and port number of the primary accounting server must be different from those of the secondary accounting server; otherwise, the configuration fails.

You can modify this configuration only when the RADIUS server group is not in use.

Example

# Configure the primary RADIUS accounting server.

<HUAWEI> system-view
[~HUAWEI] radius server group group1
[*HUAWEI-radius-group1] radius server accounting 10.163.155.12 1813

radius server attribute translate

Function

The radius server attribute translate command enables RADIUS attribute translation.

The undo radius server attribute translate command disables RADIUS attribute translation.

By default, RADIUS attribute translation is disabled.

Format

radius server attribute translate

undo radius server attribute translate

Parameters

None

Views

RADIUS server group view

Default Level

3: Management level

Usage Guidelines

Currently, RADIUS servers of different vendors may support different RADIUS attributes and have vendor-specific RADIUS attributes. To communicate with different RADIUS servers, the device provides the RADIUS attribute translation function. After RADIUS attribute translation is enabled, the device can translate RADIUS attributes when sending or receiving packets.

Example

# Enable RADIUS attribute translation.

<HUAWEI> system-view
[~HUAWEI] radius server group test1
[*HUAWEI-radius-test1] radius server attribute translate

radius server authentication

Function

The radius server authentication command configures a RADIUS authentication server.

The undo radius server authentication command deletes the configured RADIUS authentication server.

By default, no RADIUS authentication server is specified.

Format

radius server authentication ip-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * [ secondary ]

radius server authentication hostname hostname port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * [ secondary ]

radius server authentication ipv6-address port [ shared-key key-string | shared-key-cipher cipher-string ] [ secondary ]

radius server authentication retransmit retransmit-number timeout timeout-value

undo radius server authentication [ ip-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } ] * secondary ]

undo radius server authentication [ hostname hostname port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } ] * secondary ]

undo radius server authentication [ ipv6-address port secondary ]

undo radius server authentication retransmit timeout

Parameters

Parameter Description Value
ip-address Specifies the IPv4 address of a server. The value is in dotted decimal notation and must be a valid unicast address.
hostname hostname

Specifies the host name of a server.

The value is a string of 1 to 255 case-sensitive characters, without spaces. It can be any combination of letters, digits, periods (.), hyphens (-), and underlines (_), and contains at least one letter or digit.

ipv6-address Specifies the IPv6 address of a server.

The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

port Specifies the port number of a server. It is an integer data type. The value range is from 1 to 65535.
vpn-instance vpn-instance-name Specifies the vpn-instance name.

The VPN instance must exist.

source interface-type interface-number Specifies the source interface-type and interface number.

The interface must have been configured with an IP address.

source ip-address ip-address

Specifies the source IP address that the device uses when sending RADIUS packets to this server.

The value is a valid unicast address in dotted decimal notation.

shared-key key-string Specifies the shared key in plain text.

The value is a string of 1 to 128 case-sensitive characters, without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

shared-key-cipher cipher-string Specifies the shared key in plain or cipher text.

In the case of a plain text password, the value is a string of 1 to 128 case-sensitive characters, without spaces. In the case of a cipher text password, the value is a string of 24 or 32 to 268 case-sensitive characters, without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

secondary

If this parameter is specified, the secondary RADIUS authentication server is configured. If this parameter is not specified, the primary RADIUS authentication server is configured.

-
retransmit retransmit-number

Specifies the number of times to retransmit the authentication request.

The value is an integer and ranges from 1 to 5.

timeout timeout-value

Specifies the timeout value for the authentication request.

The value is an integer and ranges from 3 to 25, in seconds.

Views

RADIUS server group view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform RADIUS authentication, configure a RADIUS authentication server in a RADIUS server group. The device uses the RADIUS protocol to communicate with a RADIUS authentication server to obtain authentication information, and authenticates users based on the authentication information. The device sends authentication packets to the RADIUS authentication server only after the IP address and port number of the RADIUS authentication server are specified in the RADIUS server group.

After the number of retransmissions and the timeout period are configured, the device retransmits an authentication request if the RADIUS server does not respond to the previous request within the timeout period. When the number of retransmissions exceeds the configured limit, the device considers the server unavailable.

NOTE:
  • The system supports a maximum of 32 RADIUS servers per group, including 1 primary authentication server, 1 primary accounting server, and 30 backup servers.
  • The distinction between the primary and secondary authentication server matters only when the servers are used in primary/secondary mode; in load balancing mode it has no significance.

When RADIUS authentication is used for management users, you are advised to configure an account lockout mechanism on the RADIUS server (for example, lock an account after a number of consecutive failed attempts). Without it, management accounts are exposed to brute-force password guessing through the device's login interfaces.

Precautions

You must specify different IP addresses and port numbers for the primary and secondary RADIUS authentication servers; otherwise, the configuration fails.

You can modify this configuration only when the RADIUS server group is not in use.

Example

# Configure the IP address of the primary RADIUS authentication server to 10.163.155.13 and the port number to 1812.

<HUAWEI> system-view
[~HUAWEI] radius server group group1
[*HUAWEI-radius-group1] radius server authentication 10.163.155.13 1812
radius server authorization

Function

The radius server authorization command configures the RADIUS authorization server.

The undo radius server authorization command deletes the configured RADIUS authorization server.

By default, no RADIUS authorization server is configured.

Format

radius server authorization ip-address [ vpn-instance vpn-instance-name ] { shared-key key-string | shared-key-cipher cipher-string } [ ack-reserved-interval interval ]

radius server authorization ipv6-address { shared-key key-string | shared-key-cipher cipher-string } [ ack-reserved-interval interval ]

undo radius server authorization ip-address [ vpn-instance vpn-instance-name ]

undo radius server authorization ipv6-address

Parameters

Parameter Description Value

ip-address Specifies the IPv4 address of a server. The value is in dotted decimal notation and must be a valid unicast address.
ipv6-address Specifies the IPv6 address of a server.

The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance that the RADIUS authorization server is bound to.

The VPN instance must exist.

ack-reserved-interval interval

Specifies the duration for retaining a RADIUS authorization response packet.

The value is an integer that ranges from 0 to 300, in seconds. The default value is 0.

shared-key key-string

Specifies the shared key in plain text.

The value is a string of 1 to 128 case-sensitive characters, without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

shared-key-cipher cipher-string

Specifies the shared key in plain or cipher text.

In the case of a plain text password, the value is a string of 1 to 128 case-sensitive characters, without spaces. In the case of a cipher text password, the value is a string of 24 or 32 to 268 case-sensitive characters, without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An independent RADIUS authorization server can be used to authorize online users. RADIUS provides two authorization methods: Change of Authorization (CoA) and Disconnect Message (DM).
  • CoA: After a user is successfully authenticated, you can modify the rights of the online user through the RADIUS authorization server. For example, a VLAN ID can be delivered to access users of a certain department through CoA packets, so that they belong to the same VLAN no matter which interfaces they connect to.
  • DM: The administrator can forcibly disconnect a user through the RADIUS authorization server.

After the parameters such as IP address and shared key are configured for the RADIUS authorization server, the device can receive authorization requests from the server and grant rights to users according to the authorization information. After authorization is complete, the device returns authorization response packets carrying the results to the server.

Precautions

RADIUS must have been enabled using the radius enable command.

If RADIUS authorization response packets need to be retained for retransmission, set the duration for retaining the RADIUS authorization response packets when you configure the RADIUS authorization server. To disable retaining of authorization response packets, set the duration to 0.

When many operators concurrently use the DM method to disconnect users or the CoA method to modify user rights from the RADIUS server, a large amount of memory is consumed on the device.

Example

# Specify a RADIUS authorization server.

<HUAWEI> system-view
[~HUAWEI] radius server authorization 10.1.1.116 shared-key-cipher Huawei@huawei2015

radius server

Function

The radius server command sets the conditions under which the device marks a RADIUS server Down and the time after which it marks the server Up again and retries it.

The undo radius server command restores the default settings.

By default, dead-count is 10, dead-interval is 5 seconds, and dead-time is 3 minutes. That is, a RADIUS server is considered Down after it fails to respond to 10 consecutive packets and at least 5 seconds have elapsed between the first unanswered packet and the tenth, and the device waits 3 minutes before setting the server to Up again.

Format

radius server { dead-count dead-count [ fail-rate fail-rate-value ] | dead-interval dead-interval | dead-time dead-time [ recover-count invalid ] } *

undo radius server { dead-count | dead-interval | dead-time | fail-rate | recover-count } *

Parameters

Parameter Description Value
dead-count dead-count Specifies the number of consecutive packets the RADIUS server fails to respond to, after which the server is considered abnormal (Down). The value is an integer that ranges from 3 to 65535.
fail-rate fail-rate-value

Specifies the loss rate threshold for timed-out packets, calculated as the number of timed-out packets divided by the number of sent packets, expressed as a percentage.

The value is an integer ranging from 1 to 100. The default value is 100.

dead-interval dead-interval Specifies the minimum interval between the first unanswered packet and the dead-count-th unanswered packet for the server to be considered Down. The value is an integer that ranges from 0 to 60, in seconds.
dead-time dead-time Specifies how long the device waits before setting a Down RADIUS server to Up again. The value is an integer that ranges from 1 to 65535, in minutes.
recover-count invalid

Indicates that the device sets the RADIUS server to Up as soon as dead-time expires, without waiting for a response from the server. This parameter is not configured by default.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the server or the link between the device and the server fails, user authentication fails or times out. To limit the impact, run this command to set the conditions for marking a RADIUS server Down. If the device receives no response after consecutively sending dead-count RADIUS packets to a server, and the interval between the first unanswered packet and the dead-count-th packet is larger than dead-interval, the device considers that the server is not working and sets its status to Down. The device then attempts to communicate with another RADIUS server.

After setting the status of the RADIUS server to Down, the device waits for dead-time minutes. Then the device sets the status of the RADIUS server to Up and attempts to connect to this RADIUS server. If the connection fails, the device sets the status of the RADIUS server to Down again.

Precautions

It is recommended that you set the interval at which a RADIUS server alternates between Up and Down according to the number of standby RADIUS servers. If the interval is too short, the authentication or accounting may frequently fail because the device repeatedly attempts to communicate with the RADIUS server that is in Up state but actually unreachable.

Example

# Configure the device to consider a RADIUS server abnormal when the server fails to respond to 22 consecutive packets sent over at least 44 seconds. Set the time before the device attempts to connect to the RADIUS server again to 3 minutes.

<HUAWEI> system-view
[~HUAWEI] radius server dead-count 22 dead-interval 44 dead-time 3

# Set the RADIUS server status to Down when the device receives no response to 20 consecutive packets sent over at least 10 seconds, or when 20 packets time out and the loss rate of timed-out packets reaches 50%. Set the server status back to Up after 30 minutes, irrespective of whether the device has received a response from the RADIUS server.
<HUAWEI> system-view
[~HUAWEI] radius server dead-count 20 fail-rate 50 dead-time 30 recover-count invalid dead-interval 10

radius server nas-ip-address

Function

The radius server nas-ip-address command configures the network access server (NAS) IP address for a RADIUS server group.

The undo radius server nas-ip-address command deletes the NAS IP address of a RADIUS server group.

By default, no NAS IP address is configured for a RADIUS server group. That is, the IP address of the interface that sends the packets is used as the NAS IP address.

Format

radius server nas-ip-address ip-address

undo radius server nas-ip-address

Parameters

Parameter Description Value

ip-address

Specifies the NAS IP address for the RADIUS server group.

The value is a valid unicast address in dotted decimal notation.

Views

RADIUS server group view

Default Level

3: Management level

Usage Guidelines

The RADIUS server reads the NAS-IP-Address attribute from the RADIUS packets it receives. If the attribute matches the IP address of an access device that the server is configured to manage, the server processes the authentication or accounting request from that device. Therefore, the NAS-IP-Address attribute in the RADIUS packets sent by an access device must match the address configured for that device on the RADIUS server; otherwise, the server does not process the authentication and accounting packets.

By default, the IP address of the interface that sends RADIUS packets is used as the NAS IP address. If the IP address of the interface sending RADIUS packets changes, the authentication and accounting packets sent by the device cannot be processed by the server. To address this problem, configure the NAS IP address for the RADIUS server group.

Example

# Set the NAS IP address of the RADIUS server group to 10.1.1.1.

<HUAWEI> system-view
[~HUAWEI] radius server group huawei
[*HUAWEI-radius-huawei] radius server nas-ip-address 10.1.1.1

radius server retransmit timeout

Function

The radius server retransmit timeout command sets the number of times RADIUS request packets are retransmitted and the timeout interval.

The undo radius server retransmit timeout command restores the default number of retransmission times and the default timeout interval.

By default, the number of retransmission times is 3 and the timeout interval is 5 seconds.

Format

radius server { retransmit retry-times | timeout time-value } *

undo radius server { retransmit | timeout } *

Parameters

Parameter Description Value

retransmit retry-times

Specifies the number of retransmission times.

The value is an integer that ranges from 1 to 5.

timeout time-value

Specifies the timeout interval.

The value is an integer that ranges from 3 to 25, in seconds.

Views

RADIUS server group view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the device sends a request packet to a RADIUS server, if the device does not receive a response packet in the specified period, the device retransmits the request packet. If the maximum number of retransmission times is reached, the device considers the RADIUS server as unavailable.

The number of retransmission times and timeout interval that are set using the radius server retransmit timeout command improve reliability of RADIUS authentication.

The default values are recommended.

Precautions

You can modify this configuration only when the RADIUS server group is not in use.

The request packet retransmission time (number of retransmission times x timeout interval) of the RADIUS server must be shorter than the request packet retransmission time of the Portal server.

Example

# Set the number of retransmission times to 4 and the timeout interval to 8s.

<HUAWEI> system-view
[~HUAWEI] radius server group test1
[*HUAWEI-radius-test1] radius server retransmit 4 timeout 8

radius server shared-key

Function

The radius server shared-key command configures the shared key of a RADIUS server.

The undo radius server shared-key command deletes the configured shared key of the RADIUS server.

By default, no shared key is configured for the RADIUS server.

Format

radius server { shared-key key-string | shared-key-cipher cipher-string }

undo radius server shared-key

Parameters

Parameter Description Value

shared-key key-string Specifies the shared key in plain text.

The value is a string of 1 to 128 case-sensitive characters, without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

shared-key-cipher cipher-string Specifies the shared key in plain or cipher text.

In the case of a plain text password, the value is a string of 1 to 128 case-sensitive characters, without spaces. In the case of a cipher text password, the value is a string of 24 or 32 to 268 case-sensitive characters, without spaces. When double quotation marks are used around the string, spaces are allowed in the string.

A 32-character ciphertext password configured in an earlier version is also supported in this version.

Views

RADIUS server group view

Default Level

3: Management level

Usage Guidelines

The shared key is used to hide the user password in Access-Request packets and to generate and verify the Response Authenticator in the packets exchanged with the server.

When exchanging authentication packets with a RADIUS server, the device hides the User-Password attribute by XORing it with an MD5 keystream derived from the shared key and the Request Authenticator, and checks the MD5-based Response Authenticator of every reply, so that a reply not produced with the same key is rejected (RFC 2865). The device and the RADIUS server must therefore be configured with the same shared key. Note that this mechanism protects only the password and the integrity of replies: other attributes, such as User-Name and NAS-IP-Address, are sent in plain text, and the scheme rests on MD5. Use a long, random key that is unique to this server group, and carry RADIUS traffic over a trusted or separately protected path (for example, IPsec).

NOTE:

Configuring a shared key improves the security of communication between the device and the RADIUS server. If the keys on the two ends differ, authentication fails.
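
The commands radius server authorization, radius server nas-ip-address and radius server shared-key each reference the shared key or the NAS-IP-Address without showing what the protocol does with them. The following script is an added example written for this page; it is not Huawei code and not part of the original document. It implements the RFC 2865 User-Password hiding, the Response Authenticator that the device checks on each reply, the RFC 5176 Request Authenticator that the device checks on a Disconnect-Request from an authorization server, and the NAS-IP-Address attribute that the server compares with its client table. The key, user name, password and addresses are constructed sample values; the key is the one used in the page's own examples.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# RADIUS codes and attribute types used here (RFC 2865, RFC 5176)
ACCESS_REQUEST, ACCESS_ACCEPT, DISCONNECT_REQUEST = 1, 2, 40
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def attr(attr_type, value):
    """Encode one Type-Length-Value attribute (value is at most 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value

def find_attr(packet, wanted):
    """Value of the first attribute of type 'wanted', or None; stops on a bad length."""
    attrs, i = packet[20:], 0
    while i + 2 <= len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            return None
        if attr_type == wanted:
            return attrs[i + 2:i + length]
        i += length
    return None

def _password_xor(data, secret, request_auth, hiding):
    # RFC 2865 section 5.2: keystream block = MD5(secret + previous ciphertext block),
    # with the Request Authenticator standing in as the block before the first one.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], keystream))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def hide_password(password, secret, request_auth):
    """Pad to 16-octet blocks and hide; keyed obfuscation, not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_xor(padded, secret, request_auth, hiding=True)

def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password as the server performs it; strips the zero padding."""
    return _password_xor(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def build_access_request(ident, user, password, nas_ip, secret, request_auth=None):
    """Access-Request as the device sends it; nas_ip is the address set with
    'radius server nas-ip-address' (by default the sending interface address)."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs

def nas_ip_address(packet):
    """NAS-IP-Address as the server reads it, to compare with its client table."""
    value = find_attr(packet, NAS_IP_ADDRESS)
    return socket.inet_ntoa(value) if value is not None and len(value) == 4 else None

def build_access_accept(request, secret, attrs=b""):
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Device-side check of a reply against its outstanding request: a reply forged
    without the shared key, or replayed against a different request, fails."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def build_disconnect_request(ident, user, secret):
    """Disconnect-Request (DM) as an authorization server sends it. RFC 5176 section 2.3:
    Request Authenticator = MD5 over the packet with a zeroed authenticator field + secret."""
    attrs = attr(USER_NAME, user.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs

def verify_coa_dm_request(packet, secret):
    """Device-side check of a CoA/Disconnect-Request before acting on it; this is what
    the shared key of 'radius server authorization' is used for."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    secret = b"Huawei@huawei2015"   # constructed sample key (the value used in the page's examples)
    req = build_access_request(7, "alice", "S3cret-pass-word!", "10.1.1.1", secret)
    print("NAS-IP-Address seen by server:", nas_ip_address(req))
    print("password recovered by server:", unhide_password(find_attr(req, USER_PASSWORD), secret, req[4:20]))
    acc = build_access_accept(req, secret)
    print("Access-Accept verifies:", verify_response(acc, req, secret),
          "/ with wrong key:", verify_response(acc, req, b"wrong-key"))
    print("Disconnect-Request verifies:", verify_coa_dm_request(build_disconnect_request(1, "alice", secret), secret))
```

Two things the script makes visible that the command descriptions do not: only the User-Password attribute is hidden (User-Name and NAS-IP-Address are readable by anyone on the path), and an Access-Accept or Disconnect-Request built with a different key fails verification, which is why the key on the device and the one on the server must match exactly and why a weak or shared-everywhere key lets an attacker who learns it forge accepts or disconnects.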

Example

# Set the shared key of a RADIUS server to Huawei@huawei2015 in cipher text.

<HUAWEI> system-view
[~HUAWEI] radius server group template1
[*HUAWEI-radius-template1] radius server shared-key-cipher Huawei@huawei2015

radius server source interface

Function

The radius server source interface command configures the source interface used by the device to send RADIUS packets.

The undo radius server source command deletes the source interface used by the device to send RADIUS packets.

By default, the source interface used by the device to send RADIUS packets is not specified.

Format

radius server source interface interface-type interface-number

undo radius server source

Parameters

Parameter Description Value

interface-type interface-number

Specifies the source interface used by the device to send RADIUS packets.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

The interface must already have been assigned with IP address.

Views

RADIUS server group view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a physical interface is configured as the source interface, the device cannot receive the packets returned by the server while that interface is Down. Therefore, configure a loopback interface as the source interface.

After a source interface is specified, the device sends RADIUS packets to the server through this interface and uses the source interface address as the source address of RADIUS packets.

Prerequisites

An IP address has been configured for the interface that you want to configure as the source interface.

Precautions

When a RADIUS server is located in a VPN, the device uses the specified source interface address as the source address to send RADIUS packets to the server. If no source interface is specified, the device searches a route based on the VPN and destination IP address, and then uses the outbound interface IP address of the route as the source address. If the route is not found, the device selects the IP address of any interface in the VPN as the source address.

If you run the radius server source interface command in the same view multiple times, the last configuration takes effect.

Example

# Configure LoopBack1 used by the device to send RADIUS packets as the source interface.

<HUAWEI> system-view
[~HUAWEI] interface loopback 1
[*HUAWEI-LoopBack1] ip address 192.168.2.10 32
[*HUAWEI-LoopBack1] commit
[~HUAWEI-LoopBack1] quit
[~HUAWEI] radius server group huawei
[*HUAWEI-radius-huawei] radius server source interface loopback 1

radius server group

Function

The radius server group command creates a RADIUS server group and displays the RADIUS server group view.

The undo radius server group command deletes a RADIUS server group.

By default, no RADIUS server group is created on the device.

Format

radius server group group-name

undo radius server group group-name

Parameters

Parameter Description Value

group-name

Specifies the name of a RADIUS server group.

The value is a string of 1 to 32 characters without spaces, including case-insensitive letters, digits (0 to 9), periods (.), hyphens (-), and underscores (_).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Creating a RADIUS server group is the prerequisite for configuring RADIUS authentication and accounting. You can perform RADIUS configurations, such as the configuration of authentication servers, accounting servers, and shared key only after a RADIUS server group is created.

Follow-up Procedure

Configure an authentication server, an accounting server, and shared key in the RADIUS server group view, and then run the radius server group (AAA domain view) command to apply the RADIUS server group.

Precautions

A maximum of 128 RADIUS server groups can be configured on the device.

Example

# Create a RADIUS server group template1 and enter the RADIUS server group view.

<HUAWEI> system-view
[~HUAWEI] radius server group template1
[*HUAWEI-radius-template1] 

radius server user-name

Function

The radius server user-name domain-excluded command configures the device not to encapsulate the domain name in the user name in RADIUS packets to be sent to a RADIUS server.

The radius server user-name original command configures the device not to modify the user name entered by the user in the packets sent to the RADIUS server.

The undo radius server user-name domain-excluded command configures the device to encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS server.

By default, the device encapsulates the domain name in the user name when sending RADIUS packets to a RADIUS server.

Format

radius server user-name domain-excluded

radius server user-name original

undo radius server user-name domain-excluded

Parameters

None

Views

RADIUS server group view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The format of a user name is user name@domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %.

If the RADIUS server does not accept the user name with the domain name, run the radius server user-name domain-excluded command to delete the domain name from the user name.
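
The delimiter set above is easy to overlook: the device recognises not only @ but also \ / : < > | ' % as the boundary between user name and domain name, so a user name containing any of them is split there. The function below is an added example written for this page, not Huawei code, showing what the User-Name attribute would carry under each setting of radius server user-name. Two points are assumptions for illustration and are not stated on the page: that the first delimiter in the string is the one that splits it, and that, in the default mode, a user who typed no domain name is sent with a default domain appended.

```python
# Domain name delimiters listed on the page: @ plus \ / : < > | ' %
DOMAIN_DELIMITERS = set("@\\/:<>|'%")

def split_user_name(entered):
    """Split 'user<delimiter>domain' into (user, domain); domain is None when no
    delimiter is present. Assumption (not stated on the page): the first delimiter wins."""
    for i, ch in enumerate(entered):
        if ch in DOMAIN_DELIMITERS:
            return entered[:i], entered[i + 1:]
    return entered, None

def radius_user_name(entered, default_domain, mode="default"):
    """User-Name attribute value the device would send for each setting of
    'radius server user-name':
      default          - the domain name is carried; if none was typed, default_domain
                         is appended (assumption, for illustration only)
      domain-excluded  - only the user part is sent
      original         - sent exactly as typed, delimiter and all"""
    if mode == "original":
        return entered
    user, domain = split_user_name(entered)
    if mode == "domain-excluded":
        return user
    return entered if domain is not None else f"{user}@{default_domain}"
```

A RADIUS server that keys accounts on the bare user name needs domain-excluded; one that keys on user@domain must see the same delimiter the user typed, which is what original preserves and what makes a stray % or ' in a user name a source of authentication failures worth checking in the server's log.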

Precautions

You can modify this configuration only when the RADIUS server group is not in use.

Example

# Configure the device not to encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS server.

<HUAWEI> system-view
[~HUAWEI] radius server group template1
[*HUAWEI-radius-template1] radius server user-name domain-excluded

reset radius attribute packet-count

Function

The reset radius attribute packet-count command resets the count of attributes in RADIUS packets.

Format

reset radius attribute packet-count

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When you want to view the precise number of times RADIUS attributes occur in RADIUS packets within a certain period by using the display radius attribute packet-count command, run this command first to clear the existing attribute counts.

Precautions

Before using this command, ensure that the RADIUS protocol is enabled by using the radius enable command.

Example

# Reset the count of attributes in RADIUS packets.

<HUAWEI> reset radius attribute packet-count
Updated: 2019-03-21

Document ID: EDOC1000166501