Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Maintaining AAA

Forcing Users to Go Offline

Context

You can force online users to go offline by specifying the domain name or interface. This function is applicable to situations such as when the online users are unauthorized, the number of online users reaches the maximum, or the AAA configurations are modified. For example, when you modify the AAA configurations of online users, the new AAA configurations take effect on these users only after you force them to go offline.

NOTE:
  • If you delete the AAA configuration of online users, the users may be forced to go offline.

Procedure

  • Run the cut access-user { domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address | mac-address mac-address | service-scheme service-scheme-name | access-slot slot-id | ssid ssid-name | user-group group-number | user-id begin-number [ end-number ] | username user-name } or cut access-user access-type admin [ ftp | ssh | telnet | terminal | web ] [ username user-name ] command in the AAA view to disconnect one or more sessions. After a session of a user is disconnected, the user is forced to go offline.

Testing Whether a User Can Pass RADIUS Authentication or Accounting

Prerequisites

RADIUS authentication or accounting is configured.

NOTE:
If HWTACACS authentication or accounting is configured, you can run the test-aaa user-name user-password hwtacacs-template template-name [ accounting [ start | realtime | stop ] ] command to test connectivity between the device and the authentication server or accounting server.

Context

This test checks whether a user can pass RADIUS authentication or accounting and helps the administrator locate faults in the RADIUS configuration.

Procedure

  • Run the test-aaa user-name user-password radius-template template-name [ chap | pap | accounting [ start | realtime | stop ] ] command in any view to test whether a user can pass RADIUS authentication or accounting.

Follow-up Procedure

  • The test-aaa command returns an account test timeout message.

    RADIUS authentication test for a single user times out.
    <Huawei> test-aaa user1 huawei123 radius-template huawei
    Info: Account test time out.
    RADIUS accounting test for a single user times out.
    <Huawei> test-aaa user1 huawei123 radius-template huawei accounting
    Info: Account test time out.
    • The possible causes are as follows:
      • The route between the device and the server is unreachable.
      • The NAS-IP in the RADIUS server template is different from the NAS-IP configured on the RADIUS server.
      • The authentication or accounting port in the RADIUS server template is incorrect.
      • The authentication or accounting port on the RADIUS server is occupied by another application.
      • The RADIUS server address in the RADIUS server template is incorrect.
      • The IP address of the access control device is incorrect or the RADIUS server is not started.
    • Handling procedure:
      • Run the ping command to check whether a reachable route exists between the device and the server. If there is no reachable route, establish a static route or use a routing protocol to establish a dynamic route between the device and the server.
      • Run the display radius-server configuration [ template template-name ] command in any view to check whether the port number and NAS-IP in the RADIUS server template are the same as those on the RADIUS server. If they are not the same, configure the same port number and NAS-IP.
      • Check whether the authentication and accounting port numbers on the RADIUS server are 1812 and 1813, respectively. If not, configure the correct authentication and accounting port numbers.
      • When a controller is used as the RADIUS server, run the netstat -nao | findstr 1812 and netstat -nao | findstr 1813 commands on the server to check whether the ports are occupied. If yes, disable the applications that occupy the ports.
      • Check whether the IP address of the access control device is correct. If not, carry out the corresponding configuration to rectify this.
  • The test-aaa command returns an account test failure.

    RADIUS authentication test for a single user fails.
    <Huawei> test-aaa user1 huawei123 radius-template huawei
    Info: Account test failed.
    RADIUS accounting test for a single user fails.
    <Huawei> test-aaa user1 huawei123 radius-template huawei accounting
    Info: Account test failed.
    • The possible causes are as follows:
      • The shared key of the RADIUS server is not configured.
      • The IP address of the RADIUS server is not configured.
    • Handling procedure:
      • Run the display radius-server configuration [ template template-name ] command in any view to check whether the shared key and IP address are configured in the RADIUS server template. If not, configure the shared key and IP address in the RADIUS server template.
  • After the test-aaa command is run, the test is passed, but authentication or accounting cannot be performed for the user.

    • The possible causes are as follows:
      • The route between the device and the server is unreachable.
      • The user authentication or accounting domain is different from the RADIUS authentication or accounting domain configured on the device.
    • Handling procedure:
      • Run the ping command to check whether a reachable route exists between the user and device. If there is no reachable route, establish a static route or use a routing protocol to establish a dynamic route between the device and the server.
      • Run the display this command in the AAA view to check whether the user authentication or accounting domain is the same as the RADIUS authentication or accounting domain configured on the device.

        • When the user name entered by the user contains a domain name, check whether RADIUS authentication or accounting has been configured in the domain. If not, configure RADIUS authentication or accounting in the domain.
        • When the user name entered by the user does not contain a domain name, check whether RADIUS authentication or accounting has been configured in the global default domain (default_admin for administrators and default for common users). If not, configure RADIUS authentication or accounting in the domain.
      • Run the display this command in the AAA view to check whether the AAA authentication or accounting scheme and RADIUS server template have been applied to the domain. If not, apply the AAA authentication or accounting scheme and RADIUS server template to the domain.
      • If NAC has been configured, check whether the NAC configuration is correct. If not, correctly configure the NAC.
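The three outcomes walked through above (timeout, failure, pass) correspond to what a RADIUS client sees on the wire: no reply at all, a reply whose Response Authenticator does not verify under the configured shared key, or a verified Access-Accept/Access-Reject. The following added example (not Huawei's code and not the device's test-aaa implementation) builds an RFC 2865 Access-Request with a PAP-hidden User-Password, verifies a reply's Response Authenticator, and classifies the result; the shared key, NAS IP and server replies are constructed locally so it runs offline.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
SECRET = b"radius-shared-key"  # constructed sample shared key, not from the page

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length counts the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Access-Request carrying User-Name(1), User-Password(2) and NAS-IP-Address(4)."""
    authenticator = authenticator or os.urandom(16)  # 16-byte random Request Authenticator
    attrs = (attr(1, username.encode())
             + attr(2, pap_hide(password.encode(), secret, authenticator))
             + attr(4, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def make_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Constructed server reply without attributes; stands in for a live RADIUS server."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length + RequestAuthenticator + Attributes + Secret)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def classify(response, request: bytes, secret: bytes) -> str:
    """Map a reply (or its absence) onto the outcomes the troubleshooting steps distinguish."""
    if response is None:
        return "timeout"            # nothing came back: route, port or NAS-IP problem
    if not verify_response(response, request, secret):
        return "bad-authenticator"  # reply does not verify: shared key mismatch
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "other")
```

A verified Access-Reject still means the server was reached with the right key, so a user who then cannot authenticate points at the domain or scheme binding checked with display this rather than at connectivity.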

Configuring the AAA Alarm Report Function

Context

You can configure the alarm report function, which gives you the real-time running status of AAA (for example, an alarm when communication with the RADIUS server goes Down) and facilitates O&M.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run snmp-agent trap enable feature-name radius [ trap-name { hwradiusacctserverdown | hwradiusacctserverup | hwradiusauthserverdown | hwradiusauthserverup } ]

    The alarm report function is enabled for the RDS module.

    By default, the alarm report function is disabled for the RDS module.

Verifying the Configuration

Run the display snmp-agent trap feature-name radius all command to view alarm status of the RDS module.

Recording Login and Logout Information

Context

Enabling the recording of information related to normal logout, abnormal logout, and login failure helps administrators locate and analyze problems.

Procedure

  • Run the aaa offline-record command in the system view to record normal logout information.

    By default, the device is enabled to record normal logout information.

  • Run the aaa abnormal-offline-record command in the system view to record abnormal logout information.

    By default, the device is enabled to record abnormal logout information.

  • Run the aaa online-fail-record command in the system view to record login failure information.

    By default, the device is enabled to record login failure information.

Follow-up Procedure
  • Run the display aaa { offline-record | abnormal-offline-record | online-fail-record } { all | reverse-order | domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address | mac-address mac-address | access-slot slot-number | time start-time end-time [ date start-date end-date ] | username user-name [ time start-time end-time [ date start-date end-date ] ] } [ brief ] command to check normal logout, abnormal logout, and login failure records.

  • Run the display aaa statistics offline-reason command in any view to check the reasons for users to go offline.

Clearing AAA Statistics

Context

The AAA statistics cannot be restored after being cleared. Clear AAA statistics with caution.

Run the following commands to clear the statistics.

Procedure

  • Run the reset aaa { abnormal-offline-record | offline-record | online-fail-record } command in the system view to clear records of abnormal logout, logout, and login failures.
  • Run the reset aaa statistics offline-reason command in any view to clear the statistics on reasons why users go offline.
  • Run the reset access-user statistics command in any view to clear the statistics on access user authentication.
  • Run the reset hwtacacs-server statistics { accounting | all | authentication | authorization } command in the user view to clear the statistics on HWTACACS authentication, accounting, and authorization.
  • Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command to clear remaining buffer information on HWTACACS accounting-stop packets.
  • Run the reset radius-server accounting-stop-packet { all | ip ipv4-address } command to clear remaining buffer information on RADIUS accounting-stop packets.
  • Run the reset local-user [ user-name ] password history record command in the AAA view to clear historical passwords of local users.
  • Run the reset aaa statistics access-type-authenreq command in any view to clear the number of authentication requests.
Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 118765

Downloads: 309

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next