Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide


Configuring AAA

Configuring Local Authentication and Authorization

Local Authentication and Authorization

After local authentication and authorization are configured, the device authenticates and authorizes access users based on local user information. In local authentication and authorization, user information, including the local user name, password, and attributes, is configured on the device. Local authentication and authorization feature fast processing and low operation cost. However, the amount of local authentication and authorization information that can be stored is subject to the device hardware capacity.

Configuration Procedure

  1. Configure a local server.
     • Configure a local user: create a local user. The device authenticates the local user using the created user information.
     • Configure local authorization rules: create authorization rules. The device authorizes the user based on the created authorization rules.

  2. Configure and apply AAA schemes.
     • Configure AAA schemes: configure authentication, authorization, and accounting schemes.
     • (Optional) Configure a service scheme: user authorization information can also be configured in the service scheme.
     • Apply the AAA schemes to a domain: the created AAA schemes and service scheme take effect only after they are applied to the domain to which users belong.

  3. Verify the configuration.

Configuring a Local Server

Context

AAA authentication and authorization can be implemented on a network access server (NAS) device or a server. If AAA authentication and authorization are implemented on the NAS, a local AAA server is configured on the NAS. Local authentication features fast processing and low operation costs. However, how much user information can be stored depends on the hardware capacity of the device.

To configure a local server, you need to configure user authentication and authorization information on the device, including configuring a local user and configuring local authorization.

Configuring a Local User

Context

When configuring a local user, you can configure the number of connections that can be established by the local user, local user level, idle timeout period, and login time, and allow the local user to change the password.

NOTE:
  • After you change the local account's rights (including the password, access type, FTP directory, and level), the rights of users who are already online remain unchanged. Rather, the rights are only changed once a user goes online again.
  • Local users' access types include:

    • Administrative: ftp, http, ssh, telnet, x25-pad, and terminal
    • Common: 802.1x, ppp, and web

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Create a local user.

    NOTE:

    Run the local-user user-name password { cipher | irreversible-cipher } password state { block | active } user-group group-name [ service-type { 8021x | ftp | http | ppp | ssh | telnet | terminal | web | x25-pad } ] command to set the local user name, password, and access type in one step. These parameters can also be set separately using the following commands.

    • Step: (Optional) Enable the password complexity check.
      Command: user-password complexity-check
      Description: By default, the password complexity check is enabled. To ensure device security, keep the password complexity check enabled and change the password periodically.

    • Step: Create a local user name and a password (using either of the two commands).
      Command: local-user user-name password
      Description: By default, no password is configured for a local account.
        Enter this command in interactive mode, because typing a plaintext password directly on the command line poses a security risk.
        If a user name contains a domain name delimiter (such as @, |, or %) and the domain name parsing direction has not been set using the domainname-parse-direction right-to-left command, the string before the delimiter is treated as the user name and the string after it as the domain name. If a user name contains no domain name delimiter, the entire string is treated as the user name. By default, common users are authenticated in the domain default, and administrators are authenticated in the domain default_admin.
      Command: local-user user-name password { cipher | irreversible-cipher } password

    • Step: Configure an access type for the local user.
      Command: local-user user-name service-type { 8021x | ftp | http | ppp | ssh | telnet | terminal | web | x25-pad } *
      Description: By default, all access types are disabled for a local user.
        The access type configured for Portal access users is web.
        If the user already exists, note that:
        • If the irreversible password algorithm is used, the access type can only be administrative.
        • If the reversible password algorithm is used, the access type can be common or administrative, but not a combination of the two. When the access type is set to an administrative type, the password encryption algorithm is automatically changed to the irreversible algorithm.

  4. (Optional) Set the user level, user group, access time range, idle timeout period, and number of connections that can be established by the user.

    • Step: Set the local user level.
      Command: local-user user-name privilege level level
      Description: The default level of a local user is 0.

    • Step: Set the local user group.
      Command: local-user user-name user-group group-name
      Description: By default, a local user does not belong to any group.

    • Step: Set the access time range for the local user.
      Command: local-user user-name time-range time-name
      Description: By default, no access time range is configured, and the local user can access the network at any time.

    • Step: Set the idle timeout period for the specified user.
      Command: local-user user-name idle-timeout minutes [ seconds ]
      Description: If the local user is idle for longer than the specified period, the user is automatically logged out.
        If the idle timeout period is set to 0 or to a large value, the terminal remains logged in, which poses a security risk. Instead, you are advised to run the lock command to lock the connection.

    • Step: Set the maximum number of connections that can be established by the local user.
      Command: local-user user-name access-limit max-number
      Description: By default, the number of connections that a user can establish is not limited.
        To allow the local account to be logged in to on only one terminal at a time, set max-number to 1.

  5. (Optional) Configure security of the local user.

    • Step: Enable the local account lock function, and set the retry interval, maximum number of consecutive authentication failures, and account lock period.
      Command: local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time
      Description: By default, the local account lock function is enabled, the retry interval is 5 minutes, the maximum number of consecutive authentication failures is 3, and the account lock period is 5 minutes.

    • Configure the password policy for local access users.
      • Step: Enable the password policy for local access users and enter the local access user password policy view.
        Command: local-aaa-user password policy access-user
        Description: By default, the password policy for local access users is disabled.
      • Step: Set the maximum number of historical passwords recorded for each user.
        Command: password history record number number
        Description: By default, a maximum of five historical passwords are recorded for each user.
      • Step: Exit the local access user password policy view.
        Command: quit
        Description: -

    • Configure the password policy for local administrators.
      • Step: Enable the password policy for local administrators and enter the local administrator password policy view.
        Command: local-aaa-user password policy administrator
        Description: By default, the password policy for local administrators is disabled.
      • Step: Enable the password expiration prompt function and set the password expiration prompt period.
        Command: password alert before-expire day
        Description: By default, the system displays a prompt 30 days before the password expires.
      • Step: Enable the initial password change prompt function.
        Command: password alert original
        Description: By default, the system prompts users to change initial passwords.
      • Step: Enable the password expiration function and set the password validity period.
        Command: password expire day
        Description: By default, the password validity period is 90 days.
      • Step: Set the maximum number of historical passwords recorded for each user.
        Command: password history record number number
        Description: By default, a maximum of five historical passwords are recorded for each user.
      • Step: Exit the local administrator password policy view.
        Command: quit
        Description: -

  6. (Optional) Set parameters of access rights for the local user.

    • Step: Configure the FTP directory that FTP users can access.
      Command: local-user user-name ftp-directory directory
      Description: By default, the FTP directory that FTP users can access is not configured.
        If the access type of the local user is FTP, you must configure the FTP directory, and the local user level cannot be lower than the management level; otherwise, the FTP user cannot log in to the device.

    • Step: Set the local user state.
      Command: local-user user-name state { active | block }
      Description: By default, a local user is in the active state.
        The device processes requests from users in different states as follows:
        • If the local user is in the active state, the device accepts and processes the authentication request from the user.
        • If the local user is in the block state, the device rejects the authentication request from the user.

    • Step: Set the expiration date for the local account.
      Command: local-user user-name expire-date expire-date [ expire-hour expire-hour ]
      Description: By default, a local account is permanently valid.

  7. (Optional) Change the login password of the local user.

    • Step: Return to the user view.
      Command: return
      Description: -

    • Step: Change the login password of the local user.
      Command: local-user change-password
      Description: -
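The following added configuration example, which is not taken from the Huawei guide, brings the steps of this procedure together for a hardened local administrator account. It uses only commands from this procedure; the account name netadmin01, the password, the date and the numeric values are constructed sample values, and the format of the expire-date and expire-hour arguments is an assumption. Lines starting with # are annotations rather than CLI input, prompts are omitted, and indentation only marks the view you are in.

```text
# Added example: hardened local administrator account (netadmin01 is a sample name).
system-view
aaa

# Keep the complexity check on (it is enabled by default) before setting any password.
user-password complexity-check

# Administrative account: one-way (irreversible) password storage, SSH access only, level 15.
# The procedure recommends the interactive form "local-user netadmin01 password" so that the
# plaintext password is never typed on the command line; the explicit form is shown here
# only so that the example is complete.
local-user netadmin01 password irreversible-cipher Sampl3-Passw0rd
local-user netadmin01 service-type ssh
local-user netadmin01 privilege level 15

# One session at a time, disconnect after 5 minutes idle, and stop the account working at
# the end of the sample date (date and time format are an assumption).
local-user netadmin01 access-limit 1
local-user netadmin01 idle-timeout 5 0
local-user netadmin01 expire-date 2024-12-31 expire-hour 23:59
local-user netadmin01 state active

# Lock the account for 15 minutes after 3 failed attempts within a 5-minute window
# (the defaults are 5 minutes / 3 attempts / 5 minutes).
local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 15

# Administrator password policy: 90-day validity, prompt 15 days before expiry, prompt on
# first login to change the initial password, record the last 10 passwords.
local-aaa-user password policy administrator
 password expire 90
 password alert before-expire 15
 password alert original
 password history record number 10
 quit

# Back to the user view and check the result with the display commands of this chapter.
return
display local-user username netadmin01
display local-aaa-user password policy administrator
display local-user expire-time
```

Because the account's service type is ssh only, the password is stored irreversibly (the page states that an administrative access type forces the irreversible algorithm), so the only way to recover from a forgotten password is to set a new one, not to read it back.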

Configuring Authorization Rules

Context

Table 25-44 describes the authorization parameters that can be set locally during local authorization configuration.

Table 25-44  Local authorization parameters

  • VLAN
    Usage scenario: VLAN-based authorization is easy to deploy and maintenance costs are low. It applies to scenarios where employees in an office or a department have the same access rights.
    Description: In local authorization, you only need to configure VLANs and corresponding network resources on the device.
      If a user uses Portal authentication or mixed authentication including Portal authentication, the device cannot authorize the user based on a VLAN. In addition, after a user is authorized based on a VLAN, the user needs to manually trigger an IP address request using DHCP.

  • Service scheme
    Usage scenario: A service scheme and corresponding network resources need to be configured on the device.
    Description: You need to configure a service scheme and corresponding network resources on the device.
      A service scheme can be applied to a domain, and users in the domain then obtain the authorization information in the service scheme.

  • User group
    Usage scenario: A user group consists of users (terminals) with the same attributes, such as the role and rights. For example, according to the enterprise department structure, you can divide users on a campus network into groups such as an R&D group, finance group, marketing group, and guest group, and apply different security policies to these groups.
    Description: In local authorization, all you need to do is configure user groups and corresponding network resources on the device.
      A user group can be applied to a domain, and users in the domain then obtain the authorization information in the user group.
      For details on how to configure a user group, see Configure an authorization user group.

Procedure

  • Configure an authorization VLAN.

    Configure a VLAN and the network resources in the VLAN on the device.

  • Configure a service scheme.

    For details on how to configure a service scheme, see (Optional) Configuring a Service Scheme.

  • Configure an authorization user group.
    1. Configure a QoS profile.

      • Step: Enter the system view.
        Command: system-view
        Description: -

      • Step: Create a QoS profile and enter the QoS profile view.
        Command: qos-profile name profile-name
        Description: -

      • Step: Configure the action of re-marking 802.1p priorities of VLAN-tagged packets.
        Command: remark { inbound | outbound } 8021p 8021p-value
        Description: By default, the action of re-marking 802.1p priorities of VLAN-tagged packets is not configured.

      • Step: Configure the action of re-marking DSCP priorities of IP packets.
        Command: remark { inbound | outbound } dscp dscp-value
        Description: By default, the action of re-marking DSCP priorities of IP packets is not configured.

      • Step: Configure the action of re-marking internal priorities of packets.
        Command: remark local-precedence { local-precedence-name | local-precedence-value }
        Description: By default, the action of re-marking internal priorities of packets is not configured.

      • Step: Set traffic policing parameters.
        Command: car { inbound | outbound } cir cir-value [ pir pir-value [ cbs cbs-value pbs pbs-value ] ]
        Description: By default, no traffic policing parameter is set.

      • Step: Return to the system view.
        Command: quit
        Description: -

    2. Create and configure a user group.

      • Step: Create a user group and enter the user group view.
        Command: user-group group-name
        Description: When using a user group in a hot standby or dual-link backup scenario, specify the user group index, and ensure that the user group name and index on the active device are the same as those on the standby device.

      • Step: Bind the QoS profile to the user group.
        Command: qos-profile name
        Description: By default, no QoS profile is bound to a user group.

      • Step: Bind an ACL to the user group.
        Command: acl-id acl-number
        Description: By default, no ACL is bound to a user group.
          The IPv4 ACL to be bound to a user group must have been created using the acl (system view) command.

      • Step: Bind a VLAN to the user group.
        Command: user-vlan { vlan-id | vlan-pool vlan-pool-name }
        Description: By default, no VLAN or VLAN pool is specified for a user group.
          If the device authorizes users based on a VLAN pool, the VLAN assignment algorithm of the VLAN pool must be hash.

      • Step: Configure intra-group and inter-group isolation.
        Command: user-isolated { inter-group | inner-group } *
        Description: By default, neither intra-group nor inter-group isolation is configured in a user group.
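An added example, not from the Huawei guide, that builds the authorization user group described above end to end: a QoS profile, an ACL, and the user group that binds them together with an authorization VLAN and intra-group isolation. The ACL number 3001 and its rule lines, the IP range, the profile and group names and the rate values are constructed; the acl and rule commands are standard Huawei system-view ACL commands that this page only refers to as the acl (system view) command, so treat their exact syntax, and the unit of the car rates, as assumptions. Lines starting with # are annotations, not CLI input; indentation only marks the view you are in.

```text
# Added example: authorization user group "guest" (all names and values are constructed).
system-view

# 1. The IPv4 ACL must exist before it can be bound to the group (acl (system view) command).
#    Assumed advanced-ACL syntax: guests may reach the 10.1.0.0/16 services network only.
acl 3001
 rule 5 permit ip destination 10.1.0.0 0.0.255.255
 rule 10 deny ip
 quit

# 2. QoS profile: clear any DSCP marking set by guest devices and police guest traffic
#    (cir/pir values assumed to be in kbit/s).
qos-profile name guest-qos
 remark inbound dscp 0
 car inbound cir 2000 pir 4000
 car outbound cir 8000 pir 16000
 quit

# 3. User group tying the pieces together: QoS profile, ACL, authorization VLAN 100, and
#    isolation between members of the same group so guest terminals cannot reach each other.
#    (The page lists the binding command as "qos-profile name"; the name of the profile
#    created in step 2 is given here.)
user-group guest
 qos-profile guest-qos
 acl-id 3001
 user-vlan 100
 user-isolated inner-group
 quit
```

The group only takes effect once it is applied to a domain (user-group group-name in the domain view), which is covered under Configuring a Domain.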

Configuring AAA Schemes

Context

To use local authentication and authorization, set the authentication mode in an authentication scheme to local authentication and the authorization mode in an authorization scheme to local authorization.

By default, the device performs local authentication and authorization for access users.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme authentication-scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or an existing authentication scheme view is displayed.

      Two default authentication schemes named default and radius are available on the device. These two authentication schemes can be modified but not deleted.

    4. Run authentication-mode local

      The authentication mode is set to local.

      By default, local authentication is used.

    5. Run quit

      The AAA view is displayed.

    6. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }

      The direction in which the domain name is parsed is specified.

      By default, a domain name is parsed from left to right.

    7. Run quit

      The system view is displayed.

    8. (Optional) Run aaa-authen-bypass enable time time-value

      The bypass authentication duration is set.

      By default, the bypass authentication function is disabled.

  • Configure an authorization scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authorization-scheme authorization-scheme-name

      An authorization scheme is created and the authorization scheme view is displayed, or an existing authorization scheme view is displayed.

      A default authorization scheme named default is available on the device. This authorization scheme can be modified but not deleted.

    4. Run authorization-mode local [ none ]

      The authorization mode is set.

      By default, local authorization is used.

    5. Run quit

      The AAA view is displayed.

    6. (Optional) Run authorization-modify mode { modify | overlay }

      The update mode of user authorization information delivered by the authorization server is set.

      The default mode is overlay.

    7. Run quit

      The system view is displayed.

    8. (Optional) Run aaa-author-bypass enable time time-value

      The bypass authorization duration is set.

      By default, the bypass authorization function is disabled.

(Optional) Configuring a Service Scheme

Context

Users must obtain authorization information before going online. You can configure a service scheme to manage authorization information about users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run service-scheme service-scheme-name

    A service scheme is created and the service scheme view is displayed.

    By default, no service scheme is configured on the device.

  4. Run admin-user privilege level level

    The user is configured as the administrator and the administrator level for login is specified.

    The value range of level is from 0 to 15. By default, the user level is not specified.

  5. Configure server information.

    • Step: Configure the IP address of the primary DNS server.
      Command: dns ip-address
      Remarks: By default, no primary DNS server is configured in a service scheme.

    • Step: Configure the IP address of the secondary DNS server.
      Command: dns ip-address secondary
      Remarks: By default, no secondary DNS server is configured in a service scheme.

  6. Run redirect-acl { acl-number | name acl-name }

    The ACL used for redirection is configured in the service scheme.

    By default, no ACL used for redirection is configured in a service scheme.

  7. Run idle-cut idle-time flow-value [ inbound | outbound ]

    The idle-cut function is enabled for domain users and the idle-cut parameters are set.

    By default, the idle-cut function is disabled for domain users.

Applying the AAA Scheme

NOTE:

If AAA schemes are applied to both a domain and an authentication profile, the AAA scheme applied to the authentication profile takes precedence.

Configuring a Domain

Context

The created authentication and authorization schemes take effect only after being applied to a domain. When local authentication and authorization are used, non-accounting is used by default.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name

    A domain is created and the domain view is displayed, or an existing domain view is displayed.

    The device has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.

    NOTE:
    • If a user enters a user name that does not contain a domain name, the user is authenticated in the default domain. In this case, you need to run the domain domain-name [ admin ] command and set domain-name to configure a global default domain on the device.
    • If a user enters a user name that contains a domain name during authentication, the user must enter the correct value of domain-name.

  4. Apply AAA schemes to the domain.

    • Step: Apply an authentication scheme to the domain.
      Command: authentication-scheme authentication-scheme-name
      Description: By default, the authentication scheme named radius is applied to the default domain, the authentication scheme named default is applied to the default_admin domain, and the authentication scheme named default is applied to other domains.

    • Step: Apply an authorization scheme to the domain.
      Command: authorization-scheme authorization-scheme-name
      Description: By default, no authorization scheme is applied to a domain.

  5. Configure local authorization rules.

    • Step: (Optional) Apply a user group to the domain.
      Command: user-group group-name
      Description: By default, no user group is applied to a domain.

    • Step: (Optional) Apply a service scheme to the domain.
      Command: service-scheme service-scheme-name
      Description: By default, no service scheme is applied to a domain.

  6. (Optional) Specify the domain state and enable traffic statistics collection for the domain.

    • Step: Specify the domain state.
      Command: state { active | block [ time-range time-name &<1-4> ] }
      Description: When a domain is in the block state, users in this domain cannot log in. By default, a created domain is in the active state.

    • Step: Enable traffic statistics collection for the domain.
      Command: statistic enable
      Description: By default, traffic statistics collection is disabled for a domain.

  7. (Optional) Configure a domain name resolution scheme. (If domain name resolution is configured in both the AAA view and the authentication profile view, the device preferentially uses the configuration in the authentication profile.)

    • Step: Exit from the domain view.
      Command: quit
      Description: -

    • Step: Configure the domain name resolution direction.
      Command: domainname-parse-direction { left-to-right | right-to-left }
      Description: The domain name can be resolved from left to right or from right to left.
        By default, the domain name is resolved from left to right.

    • Step: Configure a domain name delimiter.
      Command: domain-name-delimiter delimiter
      Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %.
        The default domain name delimiter is @.

    • Step: Configure the domain name location.
      Command: domain-location { after-delimiter | before-delimiter }
      Description: By default, the domain name is placed after the domain name delimiter.

    • Step: Configure a security string delimiter.
      Command: security-name-delimiter delimiter
      Description: By default, the security string delimiter is an asterisk (*).
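An added end-to-end example, not from the Huawei guide, that applies the three preceding sections to one domain: a local authentication scheme and a local authorization scheme, a service scheme carrying DNS and idle-cut authorization, and a domain that binds them, followed by the AAA-view domain-name parsing settings that decide how a login such as alice@staff is split. The names local-auth, local-author, staff-svc and staff, the DNS addresses and the idle-cut values are constructed; the units of the idle-cut arguments are an assumption. Lines starting with # are annotations, not CLI input; indentation only marks the view you are in.

```text
# Added example: local AAA schemes, service scheme and domain (names and values are constructed).
system-view
aaa

# Authentication and authorization schemes that use the local user database.
authentication-scheme local-auth
 authentication-mode local
 quit
authorization-scheme local-author
 authorization-mode local
 quit

# Service scheme: authorization data handed to every user of the domain. idle-cut disconnects
# a user whose traffic stays below 1000 (flow-value) for 15 (idle-time); units are assumed.
service-scheme staff-svc
 dns 10.0.0.53
 dns 10.0.0.54 secondary
 idle-cut 15 1000
 quit

# Domain "staff": bind the schemes, keep it active and collect per-domain traffic statistics.
domain staff
 authentication-scheme local-auth
 authorization-scheme local-author
 service-scheme staff-svc
 state active
 statistic enable
 quit

# Domain-name resolution (AAA view). With these settings the login "alice@staff" is user
# "alice" in domain "staff"; these are the defaults, written out so the intent is explicit.
domainname-parse-direction left-to-right
domain-name-delimiter @
domain-location after-delimiter
quit

# Confirm what the domain resolved to.
display domain name staff
```

A user who logs in without a domain part is authenticated in the default domain (or default_admin for administrators) rather than in staff, so local users that should get the staff-svc authorization must include @staff in the user name or be placed in the domain by an authentication profile.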

Applying the AAA Scheme to an Authentication Profile

Context

The created authentication and authorization schemes take effect only after being applied to authentication profiles. When local authentication and authorization are used, the default accounting scheme, namely, non-accounting, is used.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    An authentication profile is created and the authentication profile view is displayed, or the view of an existing authentication profile is displayed.

    By default, the device has four authentication profiles: dot1x_authen_profile, mac_authen_profile, portal_authen_profile, and macportal_authen_profile.

  3. Configure AAA schemes for the authentication profile.

    • Step: Configure an authentication scheme for the authentication profile.
      Command: authentication-scheme authentication-scheme-name
      Description: By default, no authentication scheme is configured in an authentication profile.

    • Step: Configure an authorization scheme for the authentication profile.
      Command: authorization-scheme authorization-scheme-name
      Description: By default, no authorization scheme is configured in an authentication profile.

  4. (Optional) Configure other functions for the authentication profile.

    • Step: Enable traffic statistics collection for the authentication profile.
      Command: statistic enable
      Description: By default, user traffic statistics collection is disabled for the users in an authentication profile.

    • Step: Configure a default or forcible domain for users.
      Command: access-domain domain-name [ dot1x | mac-authen | portal ]* [ force ]
      Description: By default, no default or forcible domain is configured in an authentication profile.
        • If force is not specified, a default domain is configured. If force is specified, a forcible domain is configured.
        • If dot1x, mac-authen, or portal is not specified, the configured domain takes effect for all access authentication users using the authentication profile. If dot1x, mac-authen, or portal is specified, the configured domain takes effect only for the specified users using the authentication profile.

  5. (Optional) Configure a domain name resolution scheme. (If domain name resolution is configured in both the AAA view and the authentication profile view, the device preferentially uses the configuration in the authentication profile. The configuration in the authentication profile applies only to wireless users.)

    • Step: Configure the domain name resolution direction.
      Command: domainname-parse-direction { left-to-right | right-to-left }
      Description: The domain name can be resolved from left to right or from right to left.
        By default, the domain name resolution direction is not configured.

    • Step: Configure a domain name delimiter.
      Command: domain-name-delimiter delimiter
      Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %.
        By default, no domain name delimiter is configured.

    • Step: Configure the domain name location.
      Command: domain-location { after-delimiter | before-delimiter }
      Description: By default, the domain name location is not configured.

    • Step: Configure a security string delimiter.
      Command: security-name-delimiter delimiter
      Description: By default, no security string delimiter is configured.

    • Step: Configure the permitted domain for WLAN users.
      Command: permit-domain name domain-name &<1-4>
      Description: By default, no permitted domain is specified for WLAN users.
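An added example, not from the Huawei guide, that applies existing AAA schemes to an authentication profile for 802.1X wireless users, gives them a default domain and restricts which domains they may log in to. The profile name wlan-dot1x, the scheme names local-auth and local-author and the domain names staff and guest are constructed and must already exist; the repeated name keyword in permit-domain follows the &<1-4> notation of the command syntax above. Lines starting with # are annotations, not CLI input; indentation only marks the view you are in.

```text
# Added example: bind AAA schemes to an authentication profile (constructed names).
system-view
authentication-profile name wlan-dot1x

# Schemes created earlier in the AAA view. Schemes bound here take precedence over the
# ones bound to the user's domain.
 authentication-scheme local-auth
 authorization-scheme local-author

# 802.1X users who type a bare user name (no @domain) are placed in domain "staff".
# Without the force keyword, a user who types alice@guest is still resolved into "guest".
 access-domain staff dot1x

# Only these two domains may be used by WLAN users of this profile.
 permit-domain name staff name guest

# Domain-name resolution for wireless users of this profile; overrides the AAA-view settings.
 domainname-parse-direction left-to-right
 domain-name-delimiter @
 domain-location after-delimiter

 statistic enable
 quit
```

Pairing access-domain with permit-domain closes the gap where a user could pick an arbitrary domain simply by typing it: the default domain handles users who give none, and the permitted-domain list bounds what is accepted from users who do.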

Verifying the Local Authentication and Authorization Configuration

Procedure

  • Run the display aaa configuration command to check the AAA summary.
  • Run the display authentication-scheme [ authentication-scheme-name ] command to verify the authentication scheme configuration.
  • Run the display authorization-scheme [ authorization-scheme-name ] command to verify the authorization scheme configuration.
  • Run the display access-user [ domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address | access-slot slot-id | user-group user-group-name | username user-name ] [ detail ], display access-user ssid ssid-name, display access-user [ mac-address mac-address | service-scheme service-scheme-name | user-id user-id | statistics ], or display access-user access-type admin [ ftp | ssh | telnet | terminal | web ] [ username user-name ] command to verify the information about online users.
  • Run the display domain [ name domain-name ] command to verify the domain configuration.
  • Run the display local-user [ domain domain-name | state { active | block } | username username ] * command to check the brief information about local users.
  • Run the display local-aaa-user password policy { access-user | administrator } command to display the password policy for local users.
  • Run the display local-user expire-time command to verify the time when the local account expires.
  • Run the display aaa statistics access-type-authenreq command to verify the number of authentication requests.

Using RADIUS to Perform Authentication, Authorization, and Accounting

RADIUS Authentication, Authorization, and Accounting

Remote Authentication Dial-In User Service (RADIUS) is often used to implement authentication, authorization, and accounting (AAA). It uses the client/server model and prevents unauthorized access to networks that require high security and control of remote user access.

NOTE:

To ensure security of data transmission between the device and RADIUS server, you are advised to deploy the communication networks between the device and RADIUS server in a security domain.

Configuration Procedure

Configuring an AAA Scheme

Context

An AAA scheme defines the authentication, authorization, and accounting modes used by users. If RADIUS AAA is used, set the authentication mode to RADIUS in the authentication scheme, and set the accounting mode to RADIUS in the accounting scheme. RADIUS authentication is combined with authorization and cannot be separated. If authentication succeeds, authorization also succeeds. If RADIUS authentication is used, you do not need to configure an authorization scheme.

To prevent authentication failures caused by no response from a single authentication mode, configure local authentication or non-authentication as the backup authentication mode in the authentication scheme.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.

      By default, two authentication schemes named default and radius are available on the device. The two schemes can only be modified, but cannot be deleted.

    4. Run authentication-mode radius

      The authentication mode is set to RADIUS.

      By default, local authentication is used.

      To configure local authentication as the backup authentication mode, run the authentication-mode radius local command.

    5. Run quit

      Return to the AAA view.

    6. (Optional) Configure the account locking function.

      1. Run remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time

        The remote AAA authentication account locking function is enabled, and the authentication retry interval, maximum number of consecutive authentication failures, and account locking period are configured.

        By default, the remote AAA account locking function is enabled, the authentication retry interval is 30 minutes, the maximum number of consecutive authentication failures is 30, and the account locking period is 30 minutes.

      2. Run remote-user authen-fail unblock { all | username username }

        A remote AAA authentication account that has failed authentication is unlocked.

    7. (Optional) Run aaa-author session-timeout invalid-value enable

      The device is disabled from disconnecting or reauthenticating users when the RADIUS server delivers the Session-Timeout attribute with value 0.

      By default, when the RADIUS server delivers the Session-Timeout attribute with value 0, this attribute does not take effect.

    8. Run quit

      Return to the system view.

    9. (Optional) Run aaa-authen-bypass enable time time-value

      The bypass authentication timeout interval is configured.

      By default, the bypass authentication function is disabled.

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.

      By default, the accounting scheme named default is available on the device. This scheme can only be modified, but cannot be deleted.

    4. Run accounting-mode radius

      The accounting mode is set to RADIUS.

      By default, the accounting mode is none.

    5. (Optional) Configure policies for accounting failures.

      • Configure a policy for accounting-start failures.

        Run accounting start-fail { offline | online }

        A policy for accounting-start failures is configured.

        By default, users cannot go online if accounting-start fails.

      • Configure a policy for real-time accounting failures.

        1. Run accounting realtime interval

          The real-time accounting function is enabled, and the interval for real-time accounting is configured.

          By default, the device performs accounting based on the user online duration, and the real-time accounting function is disabled.

        2. Run accounting interim-fail [ max-times times ] { offline | online }

          The maximum number of real-time accounting failures and a policy used after the number of real-time accounting failures exceeds the maximum are configured.

          By default, the maximum number of real-time accounting failures is 3, and the device keeps users online after the number of real-time accounting failures exceeds the maximum.

      • Configure a policy for accounting-stop failures.

        1. Run quit

          Return to the AAA view.

        2. Run quit

          Return to the system view.

        3. Run radius-server template template-name

          The RADIUS server template view is displayed.

        4. Run radius-server accounting-stop-packet resend [ resend-times ]

          Retransmission of accounting-stop packets is enabled, and the number of accounting-stop packets that can be retransmitted each time is configured.

          By default, retransmission of accounting-stop packets is enabled, and the retransmission times is 3.

    6. (Optional) Run authentication-profile name authentication-profile-name

      The authentication profile view is displayed.

      By default, the device has five built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, and macportal_authen_profile.

    7. (Optional) Run authentication { roam-accounting | update-ip-accounting } * enable

      The device is configured to send accounting packets upon roaming and address updating.

      By default, the device sends accounting packets upon roaming and address updating.

Verifying the Configuration
  • Run the display authentication-scheme [ authentication-scheme-name ] command to view the authentication scheme configuration.
  • Run the display accounting-scheme [ accounting-scheme-name ] command to view the accounting scheme configuration.
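The following Python model is an added illustration, not part of this guide or the device software; it shows how the retry-interval, retry-time and block-time parameters of remote-aaa-user authen-fail interact, using the default values of 30 minutes, 30 failures and 30 minutes. It assumes that failures count as consecutive only when they fall within retry-interval and that a successful login or the unblock command clears the counter.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """Parameters of remote-aaa-user authen-fail (page defaults: 30 / 30 / 30)."""
    retry_interval_min: float = 30.0  # window in which consecutive failures are counted
    retry_time: int = 30              # consecutive failures that trigger a lock
    block_time_min: float = 30.0      # lock duration


@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: Optional[float] = None  # minutes since simulation start
    blocked_until: Optional[float] = None


class RemoteAaaLockout:
    """Minimal model of the remote AAA account locking function."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_blocked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.blocked_until is None:
            return False
        if now < st.blocked_until:
            return True
        # block-time elapsed: the lock lifts and the failure counter starts fresh
        self.accounts[user] = AccountState()
        return False

    def record_result(self, user: str, success: bool, now: float) -> str:
        """Feed one authentication result; returns 'blocked', 'accepted' or 'rejected'."""
        if self.is_blocked(user, now):
            return "blocked"  # the request is refused without consulting the server
        st = self._state(user)
        if success:
            self.accounts[user] = AccountState()  # a success clears consecutive failures
            return "accepted"
        # assumption: failures older than retry-interval no longer count as consecutive
        if st.first_failure_at is None or now - st.first_failure_at > self.policy.retry_interval_min:
            st.failures, st.first_failure_at = 0, now
        st.failures += 1
        if st.failures >= self.policy.retry_time:
            st.blocked_until = now + self.policy.block_time_min
            return "blocked"
        return "rejected"

    def unblock(self, user: Optional[str] = None) -> None:
        """Models remote-user authen-fail unblock { all | username username }."""
        for u in (list(self.accounts) if user is None else [user]):
            self.accounts[u] = AccountState()


def simulate_burst(policy: LockoutPolicy = LockoutPolicy()) -> dict:
    """Constructed scenario: 31 wrong passwords for 'alice', one second apart."""
    guard = RemoteAaaLockout(policy)
    results = [guard.record_result("alice", False, now=i / 60) for i in range(31)]
    return {
        "rejected_before_lock": results.count("rejected"),
        "locked_at_attempt": results.index("blocked") + 1,
        # a correct password during the lock is still refused
        "correct_password_during_lock": guard.record_result("alice", True, now=5.0),
        # once block-time has passed the same password is accepted again
        "after_block_expires": guard.record_result("alice", True, now=31.0),
    }


def simulate_manual_unblock(policy: LockoutPolicy = LockoutPolicy()) -> dict:
    """Constructed scenario: an operator unlocks a locked account by command."""
    guard = RemoteAaaLockout(policy)
    for i in range(policy.retry_time):
        guard.record_result("bob", False, now=i / 60)
    before = guard.is_blocked("bob", now=1.0)
    guard.unblock("bob")
    return {
        "blocked_before_unblock": before,
        "accepted_after_unblock": guard.record_result("bob", True, now=1.0),
    }
```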
Configuring a RADIUS Server Template

Context

You can specify the RADIUS server connected to the device in a RADIUS server template. Such a template contains the server IP address, port number, source interface, and shared key settings.

The settings in a RADIUS server template must be the same as those on the RADIUS server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Configure RADIUS authentication and accounting servers.

    Step

    Command

    Remarks

    Configure a RADIUS authentication server.

    • radius-server authentication ipv4-address port [ source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *

    By default, no RADIUS authentication server is configured.

    Configure a RADIUS accounting server.

    • radius-server accounting ipv4-address port [ source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *

    By default, no RADIUS accounting server is configured.

    NOTE:

    You can also run the radius-server source ip-address ipv4-address command in the system view to configure the source IP address used by the device to communicate with RADIUS servers.

    The radius-server source ip-address command configured in the system view is effective to all RADIUS server templates. If the source IP address is configured in both the RADIUS server template view and system view, the configuration in the RADIUS server template view takes precedence.

  4. Run radius-server shared-key cipher key-string

    The shared key of the RADIUS server is configured.

    By default, no shared key is configured for a RADIUS server.

    NOTE:

    When a RADIUS server is configured in multiple RADIUS server templates:

    • If the RADIUS server templates use different shared keys, you need to configure the shared keys in each RADIUS server template view.
    • If the RADIUS server templates use the same shared key, you can configure the shared key in the system view using the radius-server ip-address ip-address shared-key cipher key-string command.
    • When shared keys are configured in both the RADIUS server template view and system view, the configuration in the system view takes effect.

  5. (Optional) Run radius-server algorithm { loading-share | master-backup }

    The algorithm for selecting RADIUS servers is configured.

    By default, the algorithm for selecting RADIUS servers is primary/secondary (specified by master-backup).

    When multiple authentication or accounting servers are configured in a RADIUS server template, the device selects RADIUS servers based on the configured algorithm and the weight configured for each server.
    • When the algorithm for selecting RADIUS servers is set to primary/secondary, the server with a larger weight is the primary server. If servers have the same weight, the server configured first is the primary server.

    • If the algorithm for selecting RADIUS servers is set to load balancing, packets are sent to RADIUS servers according to weights of the servers.

  6. (Optional) Run radius-server { retransmit retry-times | timeout time-value } *

    The number of times that RADIUS request packets are retransmitted and the timeout interval are set.

    By default, RADIUS request packets can be retransmitted three times, and the timeout interval is 5 seconds.

  7. (Optional) Configure the format of the user name in packets sent from the device to the RADIUS server.

    • Run radius-server user-name domain-included

      The device is configured to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server.

    • Run radius-server user-name original

      The device is configured not to modify the user name entered by a user in the RADIUS packets sent to a RADIUS server.

    • Run undo radius-server user-name domain-included

      The device is configured not to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server.

    • Run undo radius-server user-name domain-included except-eap

      The device is configured not to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server (applicable to other authentication modes except EAP authentication).

    By default, the device does not modify the user name entered by a user in the RADIUS packets sent to a RADIUS server.

  8. (Optional) Run radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

    The traffic unit used by the RADIUS server is configured.

    By default, the RADIUS traffic unit is byte on the device.

  9. (Optional) Run radius-attribute service-type with-authenonly-reauthen

    The reauthentication mode is set to reauthentication only.

    By default, the reauthentication mode is reauthentication and reauthorization.

    This function takes effect when the Service-Type attribute on the RADIUS server is set to Authenticate Only.

Verifying the Configuration

Run the display radius-server configuration [ template template-name ] command to check the RADIUS server template configuration.

Verifying the Connectivity Between the Device and RADIUS Server

Run the test-aaa user-name user-password radius-template template-name [ chap | pap | accounting [ start | realtime | stop ] ] command to check the connectivity between the device and the RADIUS authentication or accounting server. The authentication or accounting server can authenticate or account for users properly only when the device and the server are reachable to each other.

If an error message is displayed in the command output, troubleshoot the fault by referring to Testing Whether a User Can Pass RADIUS Authentication or Accounting.

(Optional) Configuring RADIUS Attributes
Disabling or Translating RADIUS Attributes

Context

RADIUS attributes supported by different vendors are incompatible with each other, so RADIUS attributes must be disabled or translated in interoperation and replacement scenarios.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Run radius-server attribute translate

    The RADIUS attribute disabling and translation functions are enabled.

    By default, the RADIUS attribute disabling and translation functions are disabled.

  4. Run radius-attribute disable attribute-name { receive | send } *

    A RADIUS attribute is disabled.

    By default, no RADIUS attribute is disabled.

  5. Configure the RADIUS attribute to be translated.

    • radius-attribute translate src-attribute-name dest-attribute-name { receive | send | access-accept | access-request | account-request | account-response } *
    • radius-attribute translate extend vendor-specific src-vendor-id src-sub-id dest-attribute-name { access-accept | account-response } *
    • radius-attribute translate extend src-attribute-name vendor-specific dest-vendor-id dest-sub-id { access-request | account-request } *

    By default, no RADIUS attribute is translated.

Verifying the Configuration
  • Run the display radius-attribute [ name attribute-name | type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 | dslforum attribute-number4 } ] command to check the RADIUS attributes supported by the device.
  • Run the display radius-attribute [ template template-name ] disable command to check the disabled RADIUS attributes.
  • Run the display radius-attribute [ template template-name ] translate command to check the RADIUS attribute translation configuration.
Configuring the RADIUS Attribute Check Function

Context

After the RADIUS attribute check function is configured, the device checks whether the received RADIUS Access-Accept packets contain the specified attributes. If so, the device considers that authentication is successful; if not, the device considers that authentication fails and discards the packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Run radius-attribute check attribute-name

    The device is configured to check whether the received RADIUS Access-Accept packets contain the specified attribute.

    By default, the device does not check whether RADIUS Access-Accept packets contain the specified attribute.

Modifying the Value of a RADIUS Attribute

Context

The value of the same RADIUS attribute may vary on RADIUS servers from different vendors. Therefore, RADIUS attribute values need to be modified, so that a Huawei device can successfully communicate with a third-party RADIUS server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Run radius-attribute set attribute-name attribute-value [ auth-type mac | user-type ipsession ]

    The value of a RADIUS attribute is modified.

    By default, values of RADIUS attributes are not modified.

Configuring Standard RADIUS Attributes

Context

For details about RADIUS attributes supported by the device, see RADIUS Attributes. The content or format of some standard RADIUS attributes can be configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Configure standard RADIUS attributes.

    • Configure RADIUS attribute 4 (NAS-IP-Address) or 95 (NAS-IPv6-Address).

      • Run radius-attribute nas-ip ip-address

        RADIUS attribute 4 (NAS-IP-Address) is configured.

        By default, the source IP address of the NAS is the value of the NAS-IP-Address attribute.

      NOTE:

      You can also run the radius-attribute nas-ip ip-address command in the system view to configure RADIUS attribute 4 (NAS-IP-Address).

      The configuration in the system view takes effect for all RADIUS server templates. If the RADIUS attribute is configured in both the RADIUS server template view and system view, the configuration in the RADIUS server template view takes precedence.

    • Configure RADIUS attribute 5 (NAS-Port).

      1. Run radius-server nas-port-format { new | old }

        The format of the NAS port is configured.

        By default, the new NAS port format is used.

        When the new NAS port format is used, you can perform the following operation to configure the specific format.

      2. Run radius-server format-attribute nas-port nas-port-string

        The new NAS port format is configured.

        By default, the default new NAS port format is used.

    • Configure RADIUS attribute 30 (Called-Station-Id).

      1. Run called-station-id mac-format { dot-split | hyphen-split } [ mode1 | mode2 ] [ lowercase | uppercase ] or called-station-id mac-format unformatted [ lowercase | uppercase ]

        The encapsulation format of the MAC address in the Called-Station-Id (30) attribute is configured.

        By default, the MAC address format in the Called-Station-Id (30) attribute is XX-XX-XX-XX-XX-XX, in uppercase.

    • Configure RADIUS attribute 31 (Calling-Station-Id).

      Run calling-station-id mac-format { dot-split | hyphen-split | colon-split } [ mode1 | mode2 ] [ lowercase | uppercase ] or calling-station-id mac-format { unformatted [ lowercase | uppercase ] | bin }

      The encapsulation format of the MAC address in the Calling-Station-Id (31) attribute is configured.

      By default, the MAC address format in the Calling-Station-Id (31) attribute is xxxx-xxxx-xxxx, in lowercase.

    • Configure RADIUS attribute 32 (NAS-Identifier).

      Run radius-server nas-identifier-format { hostname | vlan-id }

      The encapsulation format of the NAS-Identifier attribute is configured.

      By default, the NAS-Identifier attribute is encapsulated with the host name.

    • Configure RADIUS attribute 80 (Message-Authenticator).

      Run radius-server attribute message-authenticator access-request

      The device is configured to carry RADIUS attribute 80 (Message-Authenticator) in RADIUS authentication packets.

      By default, the device does not carry RADIUS attribute 80 (Message-Authenticator) in RADIUS authentication packets.

    • Configure RADIUS attribute 87 (NAS-Port-Id).

      Run radius-server nas-port-id-format { new | old }

      The format of the NAS port ID is configured.

      By default, the new format of the NAS port ID is used.

Configuring Huawei Proprietary RADIUS Attributes

Context

For details about RADIUS attributes supported by the device, see RADIUS Attributes. The content or format of some Huawei proprietary RADIUS attributes can be configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Configure Huawei proprietary RADIUS attributes.

    • Run radius-server hw-ap-info-format include-ap-ip

      The device is configured to carry the AP's IP address in Huawei proprietary attribute 26-141 (HW-AP-Information).

      By default, the device does not carry the AP's IP address in Huawei proprietary attribute 26-141 (HW-AP-Information).

    • Run radius-server hw-dhcp-option-format { new | old }

      The format of Huawei proprietary attribute 26-158 (HW-DHCP-Option) is configured.

      By default, the format of Huawei proprietary attribute 26-158 (HW-DHCP-Option) is old.

(Optional) Configuring Authorization Information
(Optional) Configuring a Service Scheme

Context

Users must obtain authorization information before going online. You can configure a service scheme to manage authorization information about users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run service-scheme service-scheme-name

    A service scheme is created and the service scheme view is displayed.

    By default, no service scheme is configured on the device.

  4. Run admin-user privilege level level

    The user is configured as the administrator and the administrator level for login is specified.

    The value range of level is from 0 to 15. By default, the user level is not specified.

  5. Configure server information.

    Step

    Command

    Remarks

    Configure the IP address of the primary DNS server.

    dns ip-address

    By default, no primary DNS server is configured in a service scheme.

    Configure the IP address of the secondary DNS server.

    dns ip-address secondary

    By default, no secondary DNS server is configured in a service scheme.

  6. Run redirect-acl { acl-number | name acl-name }

    The ACL used for redirection is configured in the service scheme.

    By default, no ACL used for redirection is configured in a service scheme.

  7. Run idle-cut idle-time flow-value [ inbound | outbound ]

    The idle-cut function is enabled for domain users and the idle-cut parameters are set.

    By default, the idle-cut function is disabled for domain users.

Configuring a User Group

Context

Users must obtain authorization information before going online. You can configure a user group to manage authorization information about users.

Procedure

  • Configure a user group.
    1. Configure a QoS profile.

      Step

      Command

      Remarks

      Enter the system view.

      system-view

      -

      Create a QoS profile and enter the QoS profile view.

      qos-profile name profile-name

      -

      Configure the action of re-marking 802.1p priorities of VLAN packets in the QoS profile.

      remark { inbound | outbound } 8021p 8021p-value

      By default, the action of re-marking 802.1p priorities of VLAN packets is not configured in a QoS profile.

      Configure the action of re-marking DSCP priorities of IP packets in the QoS profile.

      remark { inbound | outbound } dscp dscp-value

      By default, the action of re-marking DSCP priorities of IP packets is not configured in a QoS profile.

      Configure the action of re-marking internal priorities of packets in the QoS profile.

      remark local-precedence { local-precedence-name | local-precedence-value }

      By default, the action of re-marking internal priorities of packets is not configured in a QoS profile.

      Set traffic policing parameters in the QoS profile.

      car { inbound | outbound } cir cir-value [ pir pir-value [ cbs cbs-value pbs pbs-value ] ]

      By default, no traffic policing parameter is set in a QoS profile.

      Return to the system view.

      quit

      -

    2. Configure a user group.

      Step

      Command

      Remarks

      Create a user group and enter the user group view.

      user-group group-name

      When using a user group in a two-node or dual-link HSB scenario, specify the user group index and ensure that the user group names and user group indexes configured on the active and standby devices are the same.

      Bind a QoS profile to the user group.

      qos-profile name

      By default, no QoS profile is bound to a user group.

      Bind an ACL to the user group.

      acl-id acl-number

      By default, no ACL is bound to a user group.

      The IPv4 ACL bound to a user group must have been created using the acl (system view) command.

      Bind a VLAN to the user group.

      user-vlan { vlan-id | vlan-pool vlan-pool-name }

      By default, no VLAN or VLAN pool is bound to a user group.

      When a VLAN pool is used to authorize users, the VLAN assignment algorithm must be set to hash for VLANs in the VLAN pool.

      Configure intra-group isolation or inter-group isolation in the user group.

      user-isolated { inter-group | inner-group } *

      By default, inter-group or intra-group isolation is not configured in a user group.

Applying an AAA Scheme, a Server Template, and Authorization Information
NOTE:
If an AAA scheme, a server template, and authorization information are applied in both a domain and an authentication profile, the applied information in the authentication profile has a higher priority.
Applying an AAA Scheme, a Server Template, and Authorization Information to a Domain

Context

The created authentication scheme, accounting scheme, and RADIUS server template take effect only after being applied to a domain.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name

    A domain is created and the domain view is displayed, or the view of an existing domain is displayed.

    By default, a device has two domains: default and default_admin. You can modify the configurations of the two domains but cannot delete the domains.

    NOTE:
    • If a user enters a user name that does not contain a domain name, the user is authenticated in the default domain. In this case, you need to run the domain domain-name [ admin ] command and set domain-name to configure a global default domain on the device.
    • If a user enters a user name that contains a domain name during authentication, the user must enter the correct value of domain-name.

  4. Configure an AAA scheme to be applied to the domain.

    Procedure

    Command

    Description

    Configure an authentication scheme for the domain.

    authentication-scheme scheme-name

    By default, the authentication scheme radius is applied to the default domain, the authentication scheme default is applied to the default_admin domain, and the authentication scheme radius is applied to other domains.

    Configure an accounting scheme for the domain.

    accounting-scheme accounting-scheme-name

    By default, the accounting scheme default is applied to a domain. In the accounting scheme default, non-accounting is used and the real-time accounting function is disabled.

  5. Configure a RADIUS server template to be applied to the domain.

    Procedure

    Command

    Description

    Configure a RADIUS server template for the domain.

    radius-server template-name

    By default, the RADIUS server template default is bound to the user-created domain and the domain default, and no RADIUS server template is bound to the domain default_admin.

  6. (Optional) Configure authorization information to be applied to a domain.

    Procedure

    Command

    Description

    Configure a service scheme for the domain.

    service-scheme service-scheme-name

    By default, no service scheme is configured for a domain.

    Configure a user group for the domain.

    user-group group-name

    By default, no user group is configured for a domain.

  7. (Optional) Run state { active | block [ time-range time-name &<1-4> ] }

    The domain status is configured.

    By default, a domain is in active state after being created. When a domain is in blocking state, users in this domain cannot log in.

  8. (Optional) Run statistic enable

    The traffic statistics collection function is enabled in the domain.

    By default, the traffic statistics collection function is disabled in a domain.

  9. (Optional) Configure a domain name resolution scheme and the security string function. (If domain name resolution is configured in both the AAA view and authentication profile view, the device preferentially uses the configuration in the authentication profile.)

    Procedure

    Command

    Description

    Exit from the domain view.

    quit

    -

    Configure the domain name resolution direction.

    domainname-parse-direction { left-to-right | right-to-left }

    The domain name can be resolved from left to right, or from right to left.

    By default, a domain name is resolved from left to right.

    Configure a domain name delimiter.

    domain-name-delimiter delimiter

    The domain name delimiter can be any of the following: \ / : < > | @ ' %

    The default domain name delimiter is @.

    Configure the domain name location.

    domain-location { after-delimiter | before-delimiter }

    By default, the domain name is placed behind the domain name delimiter.

    Enable the security string function.

    security-name enable

    By default, the security string function is enabled.

    Configure a security string delimiter.

    security-name-delimiter delimiter

    By default, the security string delimiter is an asterisk (*).
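The following Python model, added here and not part of the guide or the device software, shows how the domain name resolution settings of step 9 (delimiter, parse direction, domain location, security string delimiter) split a user name, and how the radius-server user-name options from Configuring a RADIUS Server Template then decide the User-Name sent to the RADIUS server. Assumptions: the global default domain is named default, the security string is the text after the security delimiter and is separated off before domain resolution, and domain-included joins the domain with the configured delimiter at the configured location.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_DOMAIN = "default"  # global default domain assumed in this example


@dataclass
class DomainParseConfig:
    """Mirrors the AAA-view domain name resolution commands and their defaults."""
    delimiter: str = "@"                 # domain-name-delimiter
    direction: str = "left-to-right"     # domainname-parse-direction
    location: str = "after-delimiter"    # domain-location
    security_name_enabled: bool = True   # security-name enable
    security_delimiter: str = "*"        # security-name-delimiter


def parse_user_name(entered: str, cfg: DomainParseConfig) -> Tuple[str, str, Optional[str]]:
    """Return (user name, domain, security string) for what the user typed."""
    security = None
    if cfg.security_name_enabled and cfg.security_delimiter in entered:
        # assumption: the text after the security delimiter is the security string,
        # which is separated from the account name before domain resolution
        entered, security = entered.split(cfg.security_delimiter, 1)
    if cfg.delimiter not in entered:
        return entered, DEFAULT_DOMAIN, security  # no domain typed: default domain applies
    if cfg.direction == "left-to-right":
        left, right = entered.split(cfg.delimiter, 1)   # split at the first delimiter
    else:
        left, right = entered.rsplit(cfg.delimiter, 1)  # split at the last delimiter
    if cfg.location == "after-delimiter":
        return left, right, security
    return right, left, security


def radius_user_name(entered: str, cfg: DomainParseConfig, mode: str = "original") -> str:
    """User-Name the device places in RADIUS packets under radius-server user-name <mode>.

    mode: 'original' (default), 'domain-included' or 'domain-excluded'
    (the last corresponds to undo radius-server user-name domain-included).
    """
    user, domain, _security = parse_user_name(entered, cfg)
    if mode == "original":
        return entered  # sent exactly as typed
    if mode == "domain-included":
        # assumption: the domain is joined with the configured delimiter at the configured location
        if cfg.location == "after-delimiter":
            return f"{user}{cfg.delimiter}{domain}"
        return f"{domain}{cfg.delimiter}{user}"
    if mode == "domain-excluded":
        return user
    raise ValueError(f"unknown user-name mode: {mode}")
```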

Applying the AAA Scheme to an Authentication Profile

Context

The created authentication scheme, accounting scheme, and RADIUS server template take effect only after being applied to an authentication profile.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    An authentication profile is created and the authentication profile view is displayed, or the view of an existing authentication profile is displayed.

    By default, the device has four authentication profiles: dot1x_authen_profile, mac_authen_profile, portal_authen_profile, and macportal_authen_profile.

  3. Configure AAA schemes for the authentication profile.

    Procedure

    Command

    Description

    Configure the authentication scheme for the authentication profile.

    authentication-scheme authentication-scheme-name

    By default, no authentication scheme is configured in an authentication profile.

    Configure the accounting scheme for the authentication profile.

    accounting-scheme accounting-scheme-name

    By default, no accounting scheme is configured in an authentication profile.

  4. Configure RADIUS server template and traffic statistics collection for the authentication profile.

    Procedure

    Command

    Description

    Configure the RADIUS server template for the authentication profile.

    radius-server template-name

    By default, no RADIUS server template is configured in an authentication profile.

    Enable user traffic statistics collection for the authentication profile.

    statistic enable

    By default, user traffic statistics collection is disabled for the users in an authentication profile.

    Configure a default or forcible domain for users.

    access-domain domain-name [ dot1x | mac-authen | portal ]* [ force ]

    By default, no default or forcible domain is configured in an authentication profile.

    • If force is not specified, a default domain is configured. If force is specified, a forcible domain is configured.

    • If dot1x, mac-authen, or portal is not specified, the configured domain takes effect for all access authentication users using the authentication profile. If dot1x, mac-authen, or portal is specified, the configured domain takes effect only for specified users using the authentication profile.

  5. (Optional) Configure a domain name resolution scheme. (If domain name resolution is configured in both the AAA view and authentication profile view, the device preferentially uses the configuration in the authentication profile. The configuration in the authentication profile applies to only wireless users.)

    Procedure

    Command

    Description

    Configure the domain name resolution direction.

    domainname-parse-direction { left-to-right | right-to-left }

    The domain name can be resolved from left to right, or from right to left.

    By default, the domain name resolution direction is not configured.

    Configure a domain name delimiter.

    domain-name-delimiter delimiter

    A domain name delimiter can be any of the following: \ / : < > | @ ' %.

    By default, no domain name delimiter is configured.

    Configure the domain name location.

    domain-location { after-delimiter | before-delimiter }

    By default, the domain name location is not configured.

    Configure a security string delimiter.

    security-name-delimiter delimiter

    By default, no security string delimiter is configured.

    Configure the permitted domain for WLAN users.

    permit-domain name domain-name &<1-4>

    By default, no permitted domain is specified for WLAN users.

Configuring the RADIUS CoA or DM Function

Context

The device supports the RADIUS CoA and DM functions defined in RFC 5176. CoA provides a mechanism to change the rights of online users, and DM provides a mechanism to forcibly disconnect users.
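As an added illustration (not code from this guide or the device software), the following Python script builds and verifies the two RADIUS integrity checks this chapter refers to: attribute 80 (Message-Authenticator, RFC 2869) in Access-Request packets, which the device carries after radius-server attribute message-authenticator access-request, and the Request Authenticator of CoA-Request and Disconnect-Request packets (RFC 5176), which the device validates with the shared key of the configured authorization server. The shared key and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used below (RFC 2865, RFC 2869, RFC 5176)
ACCESS_REQUEST, DISCONNECT_REQUEST, COA_REQUEST = 1, 40, 43
USER_NAME, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 31, 80
HEADER_LEN = 20


def attr(attr_type: int, value) -> bytes:
    """Encode one Type-Length-Value attribute."""
    if isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([attr_type, len(value) + 2]) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def iter_attrs(pkt: bytes):
    """Yield (type, offset, value) for each attribute, rejecting malformed lengths."""
    off = HEADER_LEN
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("malformed attribute length")
        yield atype, off, pkt[off + 2:off + alen]
        off += alen


def build_access_request(secret: bytes, ident: int, attrs: bytes, request_auth: bytes) -> bytes:
    """Access-Request carrying attribute 80; request_auth is the 16-octet Request Authenticator
    (random on a real NAS, fixed here so the example is reproducible)."""
    # RFC 2869: HMAC-MD5 over the whole packet with the attribute value set to 16 zero octets
    pkt = packet(ACCESS_REQUEST, ident, request_auth, attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # attribute 80 was appended last, so its value is the final 16 octets


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Check attribute 80 as the receiver does before trusting the packet contents."""
    for atype, off, value in iter_attrs(pkt):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # attribute absent: the packet cannot be authenticated


def build_coa_request(secret: bytes, code: int, ident: int, attrs: bytes) -> bytes:
    """CoA-Request or Disconnect-Request as an authorization server sends it."""
    # RFC 5176: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    skeleton = packet(code, ident, bytes(16), attrs)
    return packet(code, ident, hashlib.md5(skeleton + secret).digest(), attrs)


def verify_coa_request(secret: bytes, pkt: bytes) -> bool:
    """Validate a received CoA/DM request against the authorization server's shared key."""
    if len(pkt) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(pkt):
        return False
    skeleton = pkt[:4] + bytes(16) + pkt[HEADER_LEN:]
    expected = hashlib.md5(skeleton + secret).digest()
    return hmac.compare_digest(expected, pkt[4:HEADER_LEN])
```

A Disconnect-Request whose authenticator does not verify must be ignored rather than acted on; otherwise anyone who can reach the device's CoA/DM port could disconnect users.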

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure an authorization server.

    Step

    Command

    Remarks

    Configure a RADIUS authorization server.

    radius-server authorization ip-address { server-group group-name shared-key cipher key-string | shared-key cipher key-string [ server-group group-name ] } [ ack-reserved-interval interval ]

    By default, no RADIUS authorization server is configured.

  3. (Optional) Run authorization-info check-fail policy { online | offline }

    The policy to be enforced after the authorization information check fails is configured.

    By default, the device allows users to go online after the authorization information check fails.

  4. (Optional) Run radius-server session-manage { ip-address shared-key cipher share-key | any }

    Session management is enabled for the RADIUS server.

    By default, session management is disabled for the RADIUS server.

  5. (Optional) Configure the format of a RADIUS attribute to be parsed.

    • Run radius-server authorization calling-station-id decode-mac-format { bin | ascii { unformatted | { dot-split | hyphen-split } [ common | compress ] } }

      The MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets is configured.

      By default, the MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets is xxxxxxxxxxxx, in lowercase.

    • Run radius-server authorization attribute-decode-sameastemplate

      The device is configured to parse the MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets based on RADIUS server template configurations.

      By default, the device is not configured to parse RADIUS attribute 31 in RADIUS CoA or DM packets based on RADIUS server template configurations.

      In a RADIUS server template, the MAC address format in RADIUS attribute 31 (Calling-Station-Id) is configured using the calling-station-id mac-format command.

  6. (Optional) Configure the update mode of user authorization information.

    1. Run aaa

      The AAA view is displayed.

    2. Run authorization-modify mode { modify | overlay }

      The update mode of user authorization information delivered by the authorization server is configured.

      By default, the update mode of user authorization information delivered by the authorization server is overlay.

Verifying the Configuration

Run the display radius-server authorization configuration command to check the RADIUS authorization server configuration.

Verifying the RADIUS AAA Configuration

Procedure

  • Run the display aaa configuration command to check the AAA summary.
  • Run the display authentication-scheme [ authentication-scheme-name ] command to verify the authentication scheme configuration.
  • Run the display accounting-scheme [ accounting-scheme-name ] command to verify the accounting scheme configuration.
  • Run the display service-scheme [ name name ] command to verify the service scheme configuration.
  • Run the display radius-server configuration [ template template-name ] command to verify the RADIUS server template configuration.
  • Run the display radius-server item { ip-address ipv4-address { accounting | authentication } | template template-name } command to verify the RADIUS server configuration.
  • Run the display radius-server { dead-interval | dead-count } command to verify the specified RADIUS server detection interval and maximum number of consecutive unacknowledged packets.
  • Run the display radius-server authorization configuration command to verify the RADIUS authorization server configuration.
  • Run the display radius-attribute [ name attribute-name | type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 | dslforum attribute-number4 } ] command to verify settings for the RADIUS attributes supported by the device.
  • Run the display radius-attribute [ template template-name ] disable command to check the disabled RADIUS attributes.
  • Run the display radius-attribute [ template template-name ] translate command to verify the setting for RADIUS attribute translation.
  • Run the display domain [ name domain-name ] command to verify the domain configuration.
  • Run the display radius-server accounting-stop-packet { all | ip ip-address } command to verify the accounting-stop packets of the RADIUS server.
  • Run the display radius-attribute [ template template-name ] check command to verify the to-be-tested attributes in RADIUS Access-Accept packets.
  • Run the display remote-user authen-fail [ blocked | username username ] command to verify information about the accounts that fail in remote AAA authentication.
  • Run the display aaa statistics access-type-authenreq command to display the number of authentication requests.
  • Run the display radius-server session-manage configuration command to verify the session management configuration for the RADIUS server.

Using HWTACACS to Perform Authentication, Authorization, and Accounting

HWTACACS Authentication, Authorization, and Accounting

Similar to RADIUS, HWTACACS uses the client/server model to implement AAA for access users by communicating with the HWTACACS server.

HWTACACS protects a network from unauthorized access and supports command-line authorization. HWTACACS is more reliable in transmission and encryption than RADIUS, and is more suitable for security control.

Configuration Procedure
Configuring an HWTACACS Server

If HWTACACS authentication and authorization are used, users' authentication, authorization, and accounting information needs to be configured on the HWTACACS server.

If a user wants to establish a connection with the access device through a network to obtain rights to access other networks and network resources, the access device transparently transmits the user's authentication, authorization, and accounting information to the HWTACACS server. The HWTACACS server determines whether the user can pass authentication based on the configured information. If the user passes the authentication, the HWTACACS server sends a response packet containing the user's authorization information to the access device. The access device then allows the user to access the network and grants rights to the user based on the information in that response packet.

Configuring AAA Schemes

Context

To use HWTACACS authentication, authorization, and accounting, set the authentication mode in the authentication scheme, authorization mode in the authorization scheme, and accounting mode in the accounting scheme to HWTACACS.

When configuring HWTACACS authentication, you can configure local authentication or non-authentication as the backup. This allows local authentication to be implemented if HWTACACS authentication fails. When configuring HWTACACS authorization, you can configure local authorization or non-authorization as the backup.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.

      By default, two authentication schemes named default and radius are available on the device. These two authentication schemes can be modified but not deleted.

    4. Run authentication-mode hwtacacs

      The HWTACACS authentication mode is specified.

      By default, local authentication is used.

      To use local authentication as the backup, run the authentication-mode hwtacacs [ local ] command.

    5. Run quit

      The AAA view is displayed.

    6. (Optional) Run security-name enable

      The security string function is enabled.

      By default, the security string function is enabled.

    7. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }

      The direction in which the user name and domain name are parsed is specified.

      By default, a domain name is parsed from left to right.

    8. Run quit

      The system view is displayed.

    9. (Optional) Run aaa-authen-bypass enable time time-value

      The bypass authentication duration is set.

      By default, the bypass authentication function is disabled.

  • Configure an authorization scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authorization-scheme authorization-scheme-name

      An authorization scheme is created and the authorization scheme view is displayed, or the view of an existing authorization scheme is displayed.

      By default, an authorization scheme named default is available on the device. The default authorization scheme can be modified but not deleted.

    4. Run authorization-mode hwtacacs [ local ] [ none ]

      The authorization mode is specified.

      By default, local authorization is used.

      If HWTACACS authorization is configured, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    5. (Optional) Run authorization-cmd privilege-level hwtacacs [ local ] [ none ]

      Command-line authorization is enabled for users at a certain level.

      By default, command-line authorization is disabled for users at a certain level.

      If command-line authorization is enabled, you must configure an HWTACACS server template and apply the template to the corresponding user domain.

    6. Run quit

      The AAA view is displayed.

    7. Run quit

      The system view is displayed.

    8. (Optional) Run aaa-author-bypass enable time time-value

      The bypass authorization duration is set.

      By default, the bypass authorization function is disabled.

    9. (Optional) Run aaa-author-cmd-bypass enable time time-value

      The bypass command-line authorization duration is set.

      By default, the bypass command-line authorization function is disabled.

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.

      By default, an accounting scheme named default is available on the device. The default accounting scheme can be modified but not deleted.

    4. Run accounting-mode hwtacacs

      The HWTACACS accounting mode is specified.

      The default accounting mode is none.

    5. (Optional) Run accounting start-fail { offline | online }

      A policy for accounting-start failures is configured.

      By default, users cannot go online if accounting-start fails.

    6. (Optional) Run accounting realtime interval

      Real-time accounting is enabled and the accounting interval is set.

      By default, real-time accounting is disabled. The device performs accounting for users based on their online duration.

    7. (Optional) Run accounting interim-fail [ max-times times ] { offline | online }

      The maximum number of real-time accounting failures is set, and the policy the device applies when real-time accounting fails that many times is specified.

      The default maximum number of real-time accounting failures is 3. The device will keep the users online if three real-time accounting attempts fail.

Configuring an HWTACACS Server Template

Context

When configuring an HWTACACS server template, you must specify the IP address, port number, and shared key of a specified HWTACACS server. Other settings, such as the HWTACACS user name format and traffic unit, have default values and can be modified based on network requirements.

The HWTACACS server template settings such as the HWTACACS user name format and shared key must be the same as those on the HWTACACS server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run hwtacacs enable

    HWTACACS is enabled.

    By default, HWTACACS is enabled.

  3. Run hwtacacs-server template template-name

    An HWTACACS server template is created and the HWTACACS server template view is displayed.

    By default, no HWTACACS server template is configured on the device.

  4. Configure HWTACACS authentication, authorization, and accounting servers.

    Configuration

    Command

    Description

    Configure an HWTACACS authentication server.

    hwtacacs-server authentication ip-address [ port ] [ public-net ] [ secondary | third ]

    By default, no HWTACACS authentication server is configured.

    Configure an HWTACACS authorization server.

    hwtacacs-server authorization ip-address [ port ] [ public-net ] [ secondary | third ]

    By default, no HWTACACS authorization server is configured.

    Configure an HWTACACS accounting server.

    hwtacacs-server accounting ip-address [ port ] [ public-net ] [ secondary | third ]

    By default, no HWTACACS accounting server is configured.

  5. Set parameters for interconnection between the device and an HWTACACS server.

    Procedure

    Command

    Description

    Set the shared key for the HWTACACS server.

    hwtacacs-server shared-key cipher key-string

    By default, no shared key is set for an HWTACACS server.

    (Optional) Configure the format of the user name in the packet sent by the device to the HWTACACS server.

    • Configure the user name to contain the domain name: hwtacacs-server user-name domain-included
    • Configure the original user name: hwtacacs-server user-name original
    • Configure the user name not to contain the domain name: undo hwtacacs-server user-name domain-included

    By default, the device does not change the user name entered by the user when sending packets to the HWTACACS server.

    (Optional) Set the HWTACACS traffic unit.

    hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

    The default HWTACACS traffic unit on the device is bytes.

    (Optional) Set the source IP address for communication between the device and HWTACACS server.

    System view

    Return to the system view.

    quit

    -

    Set the source IP address for communication between the device and HWTACACS server.

    hwtacacs-server source-ip ip-address

    By default, the source IP address for communication between the device and HWTACACS server is not set.

    Enter the HWTACACS server template view.

    hwtacacs-server template template-name

    -

    HWTACACS server template view

    Set the source IP address for communication between the device and HWTACACS server.

    hwtacacs-server source-ip { ip-address | source-loopback interface-number }

    By default, the source IP address for communication between the device and HWTACACS server is not set. The device uses the IP address of the outbound interface as the source IP address in HWTACACS packets.

  6. (Optional) Set the response timeout interval and activation interval for the HWTACACS server.

    Procedure

    Command

    Description

    Set the response timeout interval for the HWTACACS server.

    hwtacacs-server timer response-timeout interval

    The default response timeout interval for an HWTACACS server is 5 seconds.

    If the device does not receive a response packet from an HWTACACS server within the response timeout interval, it considers that the HWTACACS server is unreachable and then tries other authentication and authorization methods.

    Set the interval for the primary HWTACACS server to restore to the active state.

    hwtacacs-server timer quiet interval

    The default interval for the primary HWTACACS server to restore to the active state is 5 minutes.

  7. Run quit

    The system view is displayed.

  8. (Optional) Run hwtacacs-server accounting-stop-packet resend { disable | enable number }

    Retransmission of accounting-stop packets is enabled and the number of packets that can be retransmitted each time is specified.

    By default, retransmission of accounting-stop packets is enabled, and 100 accounting-stop packets can be retransmitted each time.

  9. Run return

    The user view is displayed.

  10. (Optional) Run hwtacacs-user change-password hwtacacs-server template-name

    The password saved on the HWTACACS server is changed.

    NOTE:

    To ensure device security, you are advised to frequently change the password.

  11. (Optional) Run test-aaa user-name user-password hwtacacs-template template-name [ accounting [ start | realtime | stop ] ]

    Connectivity between the device and authentication or accounting server is tested. If the user passes the HWTACACS authentication or accounting, the device is properly connected to the authentication or accounting server.

(Optional) Configuring a Recording Scheme

Context

Improper operations by a network administrator may sometimes cause a network failure. After HWTACACS authentication and authorization are configured, the server can record administrators' operations. These records can be used to locate the problem if a network failure occurs.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run recording-scheme recording-scheme-name

    A recording scheme is created and the recording scheme view is displayed.

    By default, no recording scheme is configured on the device.

  4. Run recording-mode hwtacacs template-name

    The recording scheme is associated with the HWTACACS server template.

    By default, a recording scheme is not associated with any HWTACACS server template.

  5. Run quit

    The AAA view is displayed.

  6. Run cmd recording-scheme recording-scheme-name

    A policy is configured to record the commands that have been executed on the device.

    By default, the commands used on the device are not recorded.

  7. Run outbound recording-scheme recording-scheme-name

    A policy is configured to record connection information.

    By default, connection information is not recorded.

  8. Run system recording-scheme recording-scheme-name

    A policy is configured to record system events.

    By default, system events are not recorded.

(Optional) Configuring a Service Scheme

Context

Users must obtain authorization information before going online. You can configure a service scheme to manage authorization information about users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run service-scheme service-scheme-name

    A service scheme is created and the service scheme view is displayed.

    By default, no service scheme is configured on the device.

  4. Run admin-user privilege level level

    The user is configured as the administrator and the administrator level for login is specified.

    The value range of level is from 0 to 15. By default, the user level is not specified.

  5. Configure server information.

    Step

    Command

    Remarks

    Configure the IP address of the primary DNS server.

    dns ip-address

    By default, no primary DNS server is configured in a service scheme.

    Configure the IP address of the secondary DNS server.

    dns ip-address secondary

    By default, no secondary DNS server is configured in a service scheme.

  6. Run redirect-acl { acl-number | name acl-name }

    The ACL used for redirection is configured in the service scheme.

    By default, no ACL used for redirection is configured in a service scheme.

  7. Run idle-cut idle-time flow-value [ inbound | outbound ]

    The idle-cut function is enabled for domain users and the idle-cut parameters are set.

    By default, the idle-cut function is disabled for domain users.

Applying the AAA Scheme

NOTE:

If AAA schemes are applied to both a domain and an authentication profile, the AAA scheme applied to the authentication profile has a higher priority.

Configuring a Domain

Context

The created authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template take effect only after being applied to a domain.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name

    A domain is created and the domain view is displayed, or an existing domain view is displayed.

    By default, the device has two domains: default and default_admin. The two domains can be modified but not deleted.

    NOTE:
    • If a user enters a user name that does not contain a domain name, the user is authenticated in the default domain. In this case, you need to run the domain domain-name [ admin ] command and set domain-name to configure a global default domain on the device.
    • If a user enters a user name that contains a domain name during authentication, the user must enter the correct value of domain-name.

  4. Apply AAA schemes to the domain.

    Procedure

    Command

    Description

    Apply an authentication scheme to the domain.

    authentication-scheme scheme-name

    By default, the authentication scheme default is applied to the default_admin domain, and the authentication scheme named radius is applied to the default domain and other domains.

    Apply an authorization scheme to the domain.

    authorization-scheme authorization-scheme-name

    By default, no authorization scheme is applied to a domain.

    Apply an accounting scheme to the domain.

    accounting-scheme accounting-scheme-name

    By default, the accounting scheme default is applied to a domain. In this accounting scheme, non-accounting is used and real-time accounting is disabled.

  5. Apply a service scheme and an HWTACACS server template to the domain.

    Procedure

    Command

    Description

    (Optional) Apply a service scheme to the domain.

    service-scheme service-scheme-name

    By default, no service scheme is applied to a domain.

    Apply an HWTACACS server template to the domain.

    hwtacacs-server template-name

    By default, no HWTACACS server template is applied to a domain.

  6. (Optional) Configure other functions for the domain.

    Procedure

    Command

    Description

    Specify the domain state.

    state { active | block [ time-range time-name &<1-4> ] }

    When a domain is in the blocking state, users in this domain cannot log in. By default, a created domain is in the active state.

    Apply a user group to the domain.

    user-group group-name

    By default, no user group is applied to a domain.

    Enable domain-based traffic statistics collection.

    statistic enable

    By default, domain-based traffic statistics collection is disabled.

  7. (Optional) Configure a domain name resolution scheme. (If domain name resolution is configured in both the AAA view and authentication profile view, the device preferentially uses the configuration in the authentication profile.)

    Procedure

    Command

    Description

    Exit from the domain view.

    quit

    -

    Configure the domain name resolution direction.

    domainname-parse-direction { left-to-right | right-to-left }

    The domain name can be resolved from left to right, or from right to left.

    By default, the domain name is resolved from left to right.

    Configure a domain name delimiter.

    domain-name-delimiter delimiter

    A domain name delimiter can be any of the following: \ / : < > | @ ' %.

    The default domain name delimiter is @.

    Configure the domain name location.

    domain-location { after-delimiter | before-delimiter }

    By default, the domain name is placed after the domain name delimiter.

    Configure a security string delimiter.

    security-name-delimiter delimiter

    By default, the security string delimiter is an asterisk (*).
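The following configuration listing, assembled from the HWTACACS procedures above (server template, authentication/authorization/accounting schemes, recording scheme, and domain), is an added example and is not from the original guide. The template name hwt1, the scheme and domain names, the server addresses 192.0.2.10 and 192.0.2.11, the shared key and the test credentials are placeholders; lines starting with # are explanatory comments, not commands.

```text
# Added example (not from the guide): HWTACACS AAA with local backup.
# All names, addresses and keys below are constructed placeholders.
system-view
 hwtacacs enable
 hwtacacs-server template hwt1
  # Primary and secondary authentication servers on the TACACS+ port 49.
  hwtacacs-server authentication 192.0.2.10 49
  hwtacacs-server authentication 192.0.2.11 49 secondary
  hwtacacs-server authorization 192.0.2.10 49
  hwtacacs-server accounting 192.0.2.10 49
  # The key must match the key configured on the HWTACACS server.
  hwtacacs-server shared-key cipher Placeholder-Key-123
  # Send user@domain to the server so per-domain policies can be applied there.
  hwtacacs-server user-name domain-included
  hwtacacs-server timer response-timeout 5
  hwtacacs-server timer quiet 5
  quit
 aaa
  # Authentication: HWTACACS first, local users only when the server is unreachable.
  authentication-scheme hwt-authen
   authentication-mode hwtacacs local
   quit
  # Authorization, including command-line authorization for level-15 administrators.
  authorization-scheme hwt-author
   authorization-mode hwtacacs local
   authorization-cmd 15 hwtacacs local
   quit
  accounting-scheme hwt-acct
   accounting-mode hwtacacs
   quit
  # Recording scheme: send executed commands, connections and system events to hwt1.
  recording-scheme hwt-rec
   recording-mode hwtacacs hwt1
   quit
  cmd recording-scheme hwt-rec
  outbound recording-scheme hwt-rec
  system recording-scheme hwt-rec
  # Bind the schemes and the server template to the administrator domain.
  domain corp.example
   authentication-scheme hwt-authen
   authorization-scheme hwt-author
   accounting-scheme hwt-acct
   hwtacacs-server hwt1
   quit
  quit
 return
# Verify the template and test reachability with a placeholder account.
display hwtacacs-server template hwt1
test-aaa tester Placeholder-Pass hwtacacs-template hwt1
```

Because the local backup in authentication-mode and authorization-mode only takes effect when the HWTACACS server does not respond, a server that rejects the user is still an authentication failure.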

Applying the AAA Scheme to an Authentication Profile

Context

The created authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template take effect only after being applied to an authentication profile.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    An authentication profile is created and the authentication profile view is displayed, or the view of an existing authentication profile is displayed.

    By default, the device has four authentication profiles: dot1x_authen_profile, mac_authen_profile, portal_authen_profile, and macportal_authen_profile.

  3. Configure AAA schemes for the authentication profile.

    Procedure

    Command

    Description

    Configure the authentication scheme for the authentication profile.

    authentication-scheme authentication-scheme-name

    By default, no authentication scheme is configured in an authentication profile.

    Configure the authorization scheme for the authentication profile.

    authorization-scheme authorization-scheme-name

    By default, no authorization scheme is configured in an authentication profile.

    Configure the accounting scheme for the authentication profile.

    accounting-scheme accounting-scheme-name

    By default, no accounting scheme is configured in an authentication profile.

  4. Configure an HWTACACS server template, traffic statistics collection, and a default or forcible domain for the authentication profile.

    Procedure

    Command

    Description

    Configure the HWTACACS server template for the authentication profile.

    hwtacacs-server template-name

    By default, no HWTACACS server template is configured in an authentication profile.

    Enable user traffic statistics collection for the authentication profile.

    statistic enable

    By default, user traffic statistics collection is disabled for the users in an authentication profile.

    Configure a default or forcible domain for users.

    access-domain domain-name [ dot1x | mac-authen | portal ]* [ force ]

    By default, no default or forcible domain is configured in an authentication profile.

    • If force is not specified, a default domain is configured. If force is specified, a forcible domain is configured.

    • If dot1x, mac-authen, or portal is not specified, the configured domain takes effect for all access authentication users using the authentication profile. If dot1x, mac-authen, or portal is specified, the configured domain takes effect only for specified users using the authentication profile.

  5. (Optional) Configure a domain name resolution scheme. (If domain name resolution is configured in both the AAA view and authentication profile view, the device preferentially uses the configuration in the authentication profile. The configuration in the authentication profile applies to only wireless users.)

    Procedure

    Command

    Description

    Configure the domain name resolution direction.

    domainname-parse-direction { left-to-right | right-to-left }

    The domain name can be resolved from left to right, or from right to left.

    By default, the domain name resolution direction is not configured.

    Configure a domain name delimiter.

    domain-name-delimiter delimiter

    A domain name delimiter can be any of the following: \ / : < > | @ ' %.

    By default, no domain name delimiter is configured.

    Configure the domain name location.

    domain-location { after-delimiter | before-delimiter }

    By default, the domain name location is not configured.

    Configure a security string delimiter.

    security-name-delimiter delimiter

    By default, no security string delimiter is configured.

    Configure the permitted domain for WLAN users.

    permit-domain name domain-name &<1-4>

    By default, no permitted domain is specified for WLAN users.

Verifying the HWTACACS AAA Configuration

Procedure

  • Run the display aaa configuration command to check the AAA summary.
  • Run the display authentication-scheme [ authentication-scheme-name ] command to verify the authentication scheme configuration.
  • Run the display authorization-scheme [ authorization-scheme-name ] command to verify the authorization scheme configuration.
  • Run the display accounting-scheme [ accounting-scheme-name ] command to verify the accounting scheme configuration.
  • Run the display recording-scheme [ recording-scheme-name ] command to verify the recording scheme configuration.
  • Run the display service-scheme [ name name ] command to verify the service scheme configuration.
  • Run the display hwtacacs-server template [ template-name ] command to verify the HWTACACS server template configuration.
  • Run the display hwtacacs-server template template-name verbose command to check statistics about HWTACACS authentication, accounting, and authorization.
  • Run the display hwtacacs-server accounting-stop-packet { all | number | ip ip-address } command to verify information about accounting-stop packets of the HWTACACS server.
  • Run the display domain [ name domain-name ] command to verify the domain configuration.
  • Run the display aaa statistics access-type-authenreq command to display the number of authentication requests.
Updated: 2019-01-11

Document ID: EDOC1000176006
