S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Configuring a RADIUS Server Template

Context

You can specify the RADIUS server connected to the device in a RADIUS server template. Such a template contains the server IP address, port number, source interface, and shared key settings.

The settings in a RADIUS server template must be the same as those on the RADIUS server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can be modified but cannot be deleted.

  3. Configure RADIUS authentication and accounting servers.

    Configure a RADIUS authentication server:

    • IPv4 server: radius-server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *
    • IPv6 server: radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *

    By default, no RADIUS authentication server is configured.

    Configure a RADIUS accounting server:

    • IPv4 server: radius-server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *
    • IPv6 server: radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *

    By default, no RADIUS accounting server is configured.

  4. Run radius-server shared-key cipher key-string

    The shared key of the RADIUS server is configured.

    By default, no shared key is configured for a RADIUS server.

  5. (Optional) Run radius-server algorithm { loading-share [ based-user ] | master-backup }

    The algorithm for selecting RADIUS servers is configured.

    By default, the algorithm for selecting RADIUS servers is primary/secondary (specified by master-backup).

    When multiple authentication or accounting servers are configured in a RADIUS server template, the device selects RADIUS servers based on the configured algorithm and the weight configured for each server.
    • When the algorithm for selecting RADIUS servers is set to primary/secondary, the server with a larger weight is the primary server. If servers have the same weight, the server configured first is the primary server.

    • If the algorithm for selecting RADIUS servers is set to load balancing, packets are sent to RADIUS servers according to weights of the servers.

  6. (Optional) Run radius-server { retransmit retry-times | timeout time-value } *

    The number of times that RADIUS request packets are retransmitted and the timeout interval are set.

    By default, RADIUS request packets can be retransmitted three times, and the timeout interval is 5 seconds.

  7. (Optional) Configure the format of the user name in packets sent from the device to the RADIUS server.

    • Run radius-server user-name domain-included

      The device is configured to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server.

    • Run radius-server user-name original

      The device is configured not to modify the user name entered by a user in the RADIUS packets sent to a RADIUS server.

    • Run undo radius-server user-name domain-included

      The device is configured not to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server.

    • Run undo radius-server user-name domain-included except-eap

      The device is configured not to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server (applies to authentication modes other than EAP authentication).

    By default, the device does not modify the user name entered by a user in the RADIUS packets sent to a RADIUS server.

  8. (Optional) Run radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

    The traffic unit used by the RADIUS server is configured.

    By default, the RADIUS traffic unit is byte on the device.

  9. (Optional) Run radius-attribute service-type with-authenonly-reauthen

    The reauthentication mode is set to reauthentication only.

    By default, the reauthentication mode is reauthentication and reauthorization.

    This function takes effect when the Service-Type attribute on the RADIUS server is set to Authenticate Only.

Verifying the Configuration

Run the display radius-server configuration [ template template-name ] command to check the RADIUS server template configuration.

Verifying the Connectivity Between the Device and RADIUS Server

Run the test-aaa user-name user-password radius-template template-name [ chap | pap | accounting [ start | realtime | stop ] ] command to check the connectivity between the device and the RADIUS authentication or accounting server. The authentication or accounting server can perform authentication or accounting for users properly only when it is reachable from the device.

If an error message is displayed in the command output, troubleshoot the fault by referring to Testing Whether a User Can Pass RADIUS Authentication or Accounting.
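The procedure and the two verification commands above, put together as one session. This is an added example, not taken from the guide itself: the template name corp-radius, the 192.0.2.x addresses, the weights, the retransmit and timeout values, the test account, and the <shared-key> and <password> placeholders are constructed; 1812 and 1813 are the standard RADIUS authentication and accounting ports. Lines starting with # are annotations, not commands.

```text
# Steps 1-2: enter the system view and create the template (name is constructed).
<HUAWEI> system-view
[HUAWEI] radius-server template corp-radius

# Step 3: two authentication and two accounting servers, sourced from loopback 0.
# With the default master-backup algorithm, the larger weight (80) makes
# 192.0.2.10 the primary server and 192.0.2.11 the secondary.
[HUAWEI-radius-corp-radius] radius-server authentication 192.0.2.10 1812 source loopback 0 weight 80
[HUAWEI-radius-corp-radius] radius-server authentication 192.0.2.11 1812 source loopback 0 weight 40
[HUAWEI-radius-corp-radius] radius-server accounting 192.0.2.10 1813 source loopback 0 weight 80
[HUAWEI-radius-corp-radius] radius-server accounting 192.0.2.11 1813 source loopback 0 weight 40

# Step 4: shared key; must be identical to the key set on both RADIUS servers.
[HUAWEI-radius-corp-radius] radius-server shared-key cipher <shared-key>

# Step 5: state the selection algorithm explicitly (this is also the default).
[HUAWEI-radius-corp-radius] radius-server algorithm master-backup

# Step 6: retransmit twice with a 3-second timeout (constructed values).
[HUAWEI-radius-corp-radius] radius-server retransmit 2 timeout 3

# Step 7: send the user name exactly as the user entered it (the default behaviour).
[HUAWEI-radius-corp-radius] radius-server user-name original
[HUAWEI-radius-corp-radius] return

# Verify the stored template, then test authentication and accounting reachability
# with a dedicated test account (constructed name, placeholder password).
<HUAWEI> display radius-server configuration template corp-radius
<HUAWEI> test-aaa testuser <password> radius-template corp-radius pap
<HUAWEI> test-aaa testuser <password> radius-template corp-radius accounting start
```

The server IP addresses, ports, and shared key entered here are the values that must match the RADIUS server side, as stated under Context.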

Updated: 2019-10-21

Document ID: EDOC1000178117
