No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
What Should I Be Aware of When Connecting the Device to an H3C iMC RADIUS Server?

What Should I Be Aware of When Connecting the Device to an H3C iMC RADIUS Server?

When the device connects to an H3C iMC RADIUS server to perform authentication, authorization, or accounting for 802.1X users, configure security check policies on the RADIUS server to improve security. For example, check whether the 802.1X client has two network cards and whether the 802.1X client version is correct. In addition, perform the following operations on the device:
  1. Configure RADIUS accounting.

  2. Run the dot1x authentication-method eap command to configure EAP relay authentication for 802.1X users.

  3. Run the dot1x eap-notify-packet eap-code 10 data-type 25 command to configure the device to return the EAP packets with type value of 10 and data type of 25 to the RADIUS server.

  4. Run the radius-attribute translate HW-Up-Priority HW-User-Information receive command to convert the HW-Up-Priority attribute in received RADIUS packets into HW-User-Information.

  5. If the RADIUS server needs to dynamically authorize AAA users, the attributes delivered based on the security check policy may be different from the attributes delivered during CoA. Therefore, run the authorization-modify mode modify command to set the update mode for user authorization information delivered by the RADIUS server to Modify. After the command is executed, the attributes delivered by CoA will not overwrite the attributes delivered by the security check policy.

  6. (In V200R010C00 and later versions) To use the session management function, run the radius-server session-manage ip-address shared-key cipher share-key command to enable session management on the RADIUS server and set the IP address and shared key for the RADIUS session management server.

If the active server fails, the switch sends the authentication request packets to the standby server. The timeout interval of the security check session on the iNode client is short. Therefore, you are advised to run the following command to ensure non-stop services:

Run the radius-server retransmit retry-times timeout time-value command to set the number of RADIUS request packet retransmissions to 1 and timeout interval to be shorter than 5s.

Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 123863

Downloads: 59

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next