
Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
RADIUS Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

called-station-id mac-format

Function

The called-station-id mac-format command sets the encapsulation format of the MAC address in the called-station-id (Type 30) attribute of RADIUS packets.

The undo called-station-id mac-format command restores the default encapsulation format of the MAC address in the called-station-id attribute of RADIUS packets.

By default, the encapsulation format of the MAC address in the called-station-id attribute of RADIUS packets is XX-XX-XX-XX-XX-XX, in uppercase.

Format

called-station-id mac-format { dot-split | hyphen-split } [ mode1 | mode2 ] [ lowercase | uppercase ]

called-station-id mac-format unformatted [ lowercase | uppercase ]

undo called-station-id mac-format

Parameters

Parameter

Description

Value

dot-split

Indicates that the dot (.) is used as the separator in a MAC address.

-

hyphen-split

Indicates that the hyphen (-) is used as the separator in a MAC address.

-

unformatted

Indicates that no separator is used in a MAC address.

-

mode1

Indicates that the MAC address in the called-station-id attribute uses the XXXX-XXXX-XXXX or XXXX.XXXX.XXXX format.

-

mode2

Indicates that the MAC address in the called-station-id attribute uses the XX-XX-XX-XX-XX-XX or XX.XX.XX.XX.XX.XX format.

-

lowercase

Indicates that the MAC address in the called-station-id attribute uses lowercase letters.

-

uppercase

Indicates that the MAC address in the called-station-id attribute uses uppercase letters.

-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

The Called-station-id (Type 30) attribute indicates the MAC address and SSID of an AP. The default format of the MAC address in the called-station-id attribute of RADIUS packets from the device is XX-XX-XX-XX-XX-XX. If the RADIUS server does not support the default format, run the called-station-id mac-format command to change the format.

Example

# Set the dot as the separator in a MAC address and the encapsulation format of the MAC address in the called-station-id attribute to XX.XX.XX.XX.XX.XX in uppercase.

<HUAWEI> system-view
[HUAWEI] radius-server template huawei
[HUAWEI-radius-huawei] called-station-id mac-format dot-split mode2 uppercase

calling-station-id mac-format

Function

The calling-station-id mac-format command sets the encapsulation format of the MAC address in the calling-station-id (Type 31) attribute of RADIUS packets.

The undo calling-station-id mac-format command restores the default encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets.

By default, the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets is xxxx-xxxx-xxxx, in lowercase.

Format

calling-station-id mac-format { dot-split | hyphen-split | colon-split } [ mode1 | mode2 ] [ lowercase | uppercase ]

calling-station-id mac-format unformatted [ lowercase | uppercase ]

calling-station-id mac-format bin

undo calling-station-id mac-format

Parameters

Parameter

Description

Value

dot-split

Indicates that the dot (.) is used as the separator in a MAC address.

-

hyphen-split

Indicates that the hyphen (-) is used as the separator in a MAC address.

-

colon-split

Indicates that the colon (:) is used as the separator in a MAC address.

-

unformatted

Indicates that no separator is used in a MAC address.

-

mode1

Indicates that the MAC address in the calling-station-id attribute uses the xxxx<separator>xxxx<separator>xxxx format, where <separator> is the configured separator.

-

mode2

Indicates that the MAC address in the calling-station-id attribute uses the xx<separator>xx<separator>xx<separator>xx<separator>xx<separator>xx format, where <separator> is the configured separator.

-

lowercase

Indicates that the MAC address in the calling-station-id attribute uses lowercase letters.

-

uppercase

Indicates that the MAC address in the calling-station-id attribute uses uppercase letters.

-

bin

Indicates that the MAC address in the calling-station-id attribute is carried in binary form.

-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

The default format of the MAC address in the calling-station-id (Type 31) attribute of RADIUS packets from the device is xxxx-xxxx-xxxx. If the RADIUS server does not support the default format, run the calling-station-id mac-format command to change the format.

Example

# Set the dot as the separator in a MAC address and the encapsulation format of the MAC address in the calling-station-id attribute to XX.XX.XX.XX.XX.XX in uppercase.

<HUAWEI> system-view
[HUAWEI] radius-server template huawei
[HUAWEI-radius-huawei] calling-station-id mac-format dot-split mode2 uppercase
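The encodings the two mac-format commands above select, worked through as an added example (not code from the Huawei manual). The default tuples come from the defaults stated for each command; the sample MAC address is constructed. The normaliser at the end is the check a RADIUS server or log pipeline needs: MAC-based policy entries compared with plain string equality stop matching as soon as a NAS is configured with a different separator, mode or case.

```python
# Added example (not from the Huawei manual): the MAC encodings selected by
# called-station-id mac-format and calling-station-id mac-format, and a
# normaliser for the receiving side.
import re

SEPARATORS = {"dot-split": ".", "hyphen-split": "-", "colon-split": ":"}

# Defaults stated in the manual: Calling-Station-Id is xxxx-xxxx-xxxx in
# lowercase, Called-Station-Id is XX-XX-XX-XX-XX-XX in uppercase.
DEFAULTS = {
    "Calling-Station-Id": ("hyphen-split", "mode1", "lowercase"),
    "Called-Station-Id": ("hyphen-split", "mode2", "uppercase"),
}


def canonical_mac(value):
    """Accept any encoding the device can emit (separated, unformatted, or the
    6 raw octets of the bin form) and return 12 lowercase hex digits."""
    if isinstance(value, (bytes, bytearray)):
        if len(value) != 6:
            raise ValueError("binary MAC must be exactly 6 octets")
        return bytes(value).hex()
    digits = re.sub(r"[.:-]", "", value)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits.lower()


def format_station_id(mac, split="hyphen-split", mode="mode1", case="lowercase"):
    """Encode mac as the device would place it in the attribute.

    split: dot-split | hyphen-split | colon-split | unformatted | bin
    mode:  mode1 -> xxxx<sep>xxxx<sep>xxxx, mode2 -> xx<sep>xx<sep>xx<sep>xx<sep>xx<sep>xx
    case:  lowercase | uppercase (the bin form has no case)
    """
    digits = canonical_mac(mac)
    if split == "bin":
        return bytes.fromhex(digits)
    digits = digits.upper() if case == "uppercase" else digits
    if split == "unformatted":
        return digits
    sep = SEPARATORS[split]
    width = 4 if mode == "mode1" else 2
    return sep.join(digits[i:i + width] for i in range(0, 12, width))


def default_station_id(attribute, mac):
    """Encoding the device uses before any mac-format command is configured."""
    return format_station_id(mac, *DEFAULTS[attribute])


def same_station(a, b):
    """Compare two station IDs regardless of the NAS's configured format; use
    this instead of string equality when matching MAC-based policy entries."""
    return canonical_mac(a) == canonical_mac(b)


if __name__ == "__main__":
    mac = "02:1a:2b:3c:4d:5e"  # constructed, locally administered address
    print(default_station_id("Calling-Station-Id", mac))            # 021a-2b3c-4d5e
    print(default_station_id("Called-Station-Id", mac))             # 02-1A-2B-3C-4D-5E
    print(format_station_id(mac, "dot-split", "mode2", "uppercase"))  # 02.1A.2B.3C.4D.5E
```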

display radius-attribute

Function

The display radius-attribute command displays the RADIUS attributes supported by the device.

Format

display radius-attribute [ name attribute-name | type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 | dslforum attribute-number4 } ]

Parameters

Parameter

Description

Value

name attribute-name

Displays a specified RADIUS attribute.

The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.

type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 | dslforum attribute-number4 }

Displays the RADIUS attribute of a specified type:
  • attribute-number1 specifies the standard attribute.
  • huawei attribute-number2 specifies a Huawei attribute.
  • microsoft attribute-number3 specifies a Microsoft attribute.
  • dslforum attribute-number4 specifies a Digital Subscriber Line Forum attribute.

The value of attribute-number1, attribute-number2, attribute-number3, or attribute-number4 is an integer that ranges from 1 to 2048.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Before connecting the device to a RADIUS server, run the display radius-attribute command to view the RADIUS attributes supported by the device. If the device and RADIUS server support different RADIUS attributes according to the command output, run the radius-attribute disable command on the device to disable RADIUS attributes that are not supported by the RADIUS server or run the radius-attribute translate command to translate RADIUS attributes.

Example

# Display the RADIUS attributes supported by the device.

<HUAWEI> display radius-attribute
  Codes: Auth(Authentication), Acct(Accounting)
         Req(Request), Accp(Accept), Rej(Reject)
         Resp(Response), COA(Change-of-Authorization)
         0(Can not exist in this packet)
         1(Can exist in this packet)
--------------------------------------------------------------------------------
Attribute                       Service    Auth Auth Auth Acct Acct COA COA
Name(Type)                       Type      Req  Accp Rej  Req  Resp Req Ack
--------------------------------------------------------------------------------
User-Name(1)                     All       1    0    0    1    0    1    1
User-Password(2)                 All       1    0    0    0    0    0    0
CHAP-Password(3)                 All       1    0    0    0    0    0    0
NAS-IP-Address(4)                All       1    0    0    1    0    1    1
NAS-Port(5)                      All       1    0    0    1    0    1    1
Service-Type(6)                  All       1    1    0    0    0    0    0
......
NOTE:

The preceding information is an example. The displayed attribute type depends on the actual situation.

Table 13-19  Description of the display radius-attribute command output

Item

Description

0(Can not exist in this packet)

Attribute not supported in packets.

1(Can exist in this packet)

Attribute supported in packets.

Attribute Name(Type)

Attribute name and type.

Service Type

Protocol type of the attribute.

Auth Req

Authentication request packet.

Auth Accp

Authentication accept packet.

Auth Rej

Authentication reject packet.

Acct Req

Accounting request packet.

Acct Resp

Accounting response packet.

COA Req

Change of Authorization (COA) request packet.

COA Ack

COA acknowledgement packet.

# Display the RADIUS attribute numbered 2.

<HUAWEI> display radius-attribute type 2
 Radius Attribute Type        : 2
 Radius Attribute Name        : User-Password
 Radius Attribute Description : This Attribute indicates the password of the user to be authenticated. Only valid for the PAP authentication.
 Supported Packets            : Auth Request  
Table 13-20  Description of the display radius-attribute type command output

Item

Description

Radius Attribute Type

Type of the RADIUS attribute.

Radius Attribute Name

Name of the RADIUS attribute.

Radius Attribute Description

Description of the RADIUS attribute.

Supported Packets

Packets that support the RADIUS attribute.

display radius-attribute check

Function

The display radius-attribute check command displays the attributes to be checked in RADIUS Access-Accept packets.

Format

display radius-attribute [ template template-name ] check

Parameters

Parameter

Description

Value

template template-name

Displays the RADIUS attribute check configuration of a specified RADIUS server template.

The RADIUS server template must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the radius-attribute check command is executed to configure the attributes to be checked in RADIUS Access-Accept packets, you can use the display radius-attribute check command to view these attributes.

Example

# Display the attributes to be checked in RADIUS Access-Accept packets.

<HUAWEI> display radius-attribute check
Server-template-name: test1                                                     
--------------------------------------------------                              
check-attr                                                                      
--------------------------------------------------                              
Framed-Protocol                                                                 
-------------------------------------------------- 
Table 13-21  Description of the display radius-attribute check command output

Item

Description

Server-template-name

Name of the RADIUS server template.

check-attr

Attributes to be checked in RADIUS Access-Accept packets.

Framed-Protocol

Encapsulation protocol for services of the Framed type.

display radius-attribute disable

Function

The display radius-attribute disable command displays the disabled RADIUS attributes.

Format

display radius-attribute [ template template-name ] disable

Parameters

Parameter

Description

Value

template template-name

Displays the disabled RADIUS attributes in a specified RADIUS server template.

If this parameter is not specified, the disabled RADIUS attributes in all the RADIUS server templates are displayed.

The value must be an existing RADIUS server template name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can use the display radius-attribute disable command to view the RADIUS attributes disabled by using the radius-attribute disable command.

To enable a RADIUS attribute, run the undo radius-attribute disable command in the RADIUS server template view.

Example

# Display the disabled RADIUS attributes on the device.

<HUAWEI> display radius-attribute disable
Packet-Type: Type of the RADIUS packets to be modified. 1 indicates valid; 0 indicates invalid. Bit 1 to bit 4 indicate the authentication request, authentication accept, accounting request, and accounting response packets.
                                                                                
Server-template-name: d                                                         
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID  Direct    Packet-Type
--------------------------------------------------------------------------------
0                7             0              0            send       0 0 0 0   
--------------------------------------------------------------------------------
Table 13-22  Description of the display radius-attribute disable command output

Item

Description

Server-template-name

RADIUS server template name.

Source-Vendor-ID

Vendor ID of the source attribute.

Source-Sub-ID

ID of the source attribute's sub-attribute.

Dest-Vendor-ID

Vendor ID of the destination attribute.

Dest-Sub-ID

ID of the destination attribute's sub-attribute.

Direct

Direction in which the attribute is translated.
  • receive: Translates RADIUS attributes for received packets.
  • send: Translates RADIUS attributes for sent packets.

Packet-Type

Type of RADIUS packets.
  • 0: The RADIUS attributes of this type of packets are not translated.
  • 1: The RADIUS attributes of this type of packets are translated.

display radius-attribute translate

Function

The display radius-attribute translate command displays the RADIUS attribute translation configuration.

Format

display radius-attribute [ template template-name ] translate

Parameters

Parameter

Description

Value

template template-name

Displays the RADIUS attribute translation configuration of a specified RADIUS server template. template-name specifies the name of the RADIUS server template that is created using the radius-server template command.

If this parameter is not specified, the RADIUS attribute translation configuration of all RADIUS server templates is displayed.

The value must be an existing RADIUS server template name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After running the radius-attribute translate command to configure the device to translate RADIUS attributes, run the display radius-attribute translate command to check the configuration.

Example

# Display the RADIUS attribute translation configuration.

<HUAWEI> display radius-attribute translate
Packet-Type: Type of the RADIUS packets to be modified. 1 indicates valid; 0 indicates invalid. Bit 1 to bit 4 indicate the authentication request, authentication accept, accounting request, and accounting response packets.   

Server-template-name: rds                                                       
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID  Direct    Packet-Type
--------------------------------------------------------------------------------
0                6             0              40           receive    0 0 0 0   
--------------------------------------------------------------------------------
Server-template-name: eee                                                       
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID  Direct    Packet-Type
--------------------------------------------------------------------------------
234567           123           2011           20           --         0 1 0 1   
--------------------------------------------------------------------------------
Table 13-23  Description of the display radius-attribute translate command output

Item

Description

Server-template-name

Server template name.

Source-Vendor-ID

Vendor ID of the source attribute.

Source-Sub-ID

ID of the source attribute's sub-attribute.

Dest-Vendor-ID

Vendor ID of the destination attribute.

Dest-Sub-ID

ID of the destination attribute's sub-attribute.

Direct

Direction in which the attribute is translated.
  • receive: Translates RADIUS attributes for received packets.
  • send: Translates RADIUS attributes for sent packets.

Packet-Type

Type of RADIUS packets.
  • 0: The RADIUS attributes of this type of packets are not translated.
  • 1: The RADIUS attributes of this type of packets are translated.
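The rule table shared by the display radius-attribute disable and display radius-attribute translate outputs above, read back into rules and applied to a decoded attribute list, as an added example (not code from the Huawei manual). The sample text is the manual's own translate output; the interpretation of the columns is assumed here: Vendor-ID 0 denotes a standard attribute whose Sub-ID is its type, Direct "--" means either direction, and a Dest-Vendor-ID/Dest-Sub-ID of 0/0 (as in the disable output) means the attribute is removed rather than renumbered.

```python
# Added example (not from the Huawei manual): parse the rule table printed by
# display radius-attribute translate / disable and apply it to the attributes
# of one packet. Column semantics below are assumptions, not manual text.
from dataclasses import dataclass

# Bit 1 to bit 4 of Packet-Type, in the order the display output states.
PACKET_BITS = ("auth-request", "auth-accept", "acct-request", "acct-response")


@dataclass(frozen=True)
class AttrRule:
    template: str
    src: tuple            # (vendor_id, sub_id); vendor 0 = standard attribute (assumed)
    dst: tuple            # (0, 0) = drop the attribute (assumed, as in the disable table)
    direction: str        # "send", "receive" or "--" (assumed to mean both)
    packet_types: frozenset

    def applies(self, vendor_id, sub_id, packet_type, direction):
        return ((vendor_id, sub_id) == self.src
                and packet_type in self.packet_types
                and self.direction in ("--", direction))


def parse_rule_table(text):
    """Turn the display output into AttrRule objects, one per numeric row."""
    rules, template = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Server-template-name:"):
            template = line.split(":", 1)[1].strip()
        elif line[:1].isdigit() and template:
            fields = line.split()
            sv, ss, dv, ds, direction = fields[:5]
            types = frozenset(name for name, bit in zip(PACKET_BITS, fields[5:9]) if bit == "1")
            rules.append(AttrRule(template, (int(sv), int(ss)), (int(dv), int(ds)), direction, types))
    return rules


def translate_attributes(rules, template, attributes, packet_type, direction):
    """attributes: list of (vendor_id, sub_id, value). The first matching rule
    of the template renumbers the attribute, or drops it when dst is (0, 0)."""
    out = []
    for vendor_id, sub_id, value in attributes:
        for rule in rules:
            if rule.template == template and rule.applies(vendor_id, sub_id, packet_type, direction):
                if rule.dst != (0, 0):
                    out.append((rule.dst[0], rule.dst[1], value))
                break
        else:
            out.append((vendor_id, sub_id, value))
    return out


# Copied from the manual's display radius-attribute translate example.
SAMPLE_OUTPUT = """\
Server-template-name: rds
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID  Direct    Packet-Type
--------------------------------------------------------------------------------
0                6             0              40           receive    0 0 0 0
--------------------------------------------------------------------------------
Server-template-name: eee
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID  Direct    Packet-Type
--------------------------------------------------------------------------------
234567           123           2011           20           --         0 1 0 1
--------------------------------------------------------------------------------
"""

if __name__ == "__main__":
    rules = parse_rule_table(SAMPLE_OUTPUT)
    # Constructed Access-Accept attribute list: one vendor attribute, one User-Name.
    attrs = [(234567, 123, b"x"), (0, 1, b"bob")]
    print(translate_attributes(rules, "eee", attrs, "auth-accept", "receive"))
```

With the sample rows, only the eee rule ever fires (its Packet-Type bits mark the authentication accept and accounting response packets); the rds row has all four bits at 0 and therefore matches no packet.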

display radius-server accounting-stop-packet

Function

The display radius-server accounting-stop-packet command displays information about accounting-stop packets on the RADIUS server.

Format

display radius-server accounting-stop-packet { all | ip { ip-address | ipv6-address } }

Parameters

Parameter

Description

Value

all

Displays all the accounting-stop packets.

-

ip ip-address

Displays the accounting-stop packets with the specified IP address.

The value of ip-address is in dotted decimal notation.

ip ipv6-address

Displays the accounting-stop packets with the specified IPv6 address.

The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

Views

All views

Default Level

3: Management level

Usage Guidelines

The display radius-server accounting-stop-packet command output helps you check configurations or isolate faults.

Example

# Display the accounting-stop packets with the IP address being 10.138.104.32.

<HUAWEI> display radius-server accounting-stop-packet ip 10.138.104.32
 ------------------------------------------------------------------------------ 
 Time Stamp  Resend Times  Session Time  Username                               
 ------------------------------------------------------------------------------ 
 1980409     6             22            g@rds                                  
 ------------------------------------------------------------------------------ 
 Total: 1, printed: 1
Table 13-24  Description of the display radius-server accounting-stop-packet command output

Item

Description

Time Stamp

Timestamp of an accounting-stop packet.

Resend Times

Number of times that accounting-stop packets have been retransmitted.

Session Time

Session time, in seconds.

Username

User name.

display radius-server authorization configuration

Function

The display radius-server authorization configuration command displays the configuration of RADIUS authorization servers.

Format

display radius-server authorization configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After running the radius-server authorization command to configure an authorization server, run the display radius-server authorization configuration command to check whether the authorization server configuration is correct.

Example

# Display the configuration of RADIUS authorization servers.

<HUAWEI> display radius-server authorization configuration
 ------------------------------------------------------------------------------
 IP-Address      Shared-key               Group           Ack-reserved-interval
 ------------------------------------------------------------------------------
 10.10.1.114     ****************         -                             20
 vpn-instance : -
 ------------------------------------------------------------------------------
 1 RADIUS authorization server(s) in total
Table 13-25  Description of the display radius-server authorization configuration command output

Item

Description

IP-Address

IP address of a RADIUS authorization server.

To configure this field, run the radius-server authorization command.

Shared-key

Shared key of the RADIUS authorization server.

To configure this field, run the radius-server authorization command.

Group

RADIUS server group matching the RADIUS authorization server.

To configure this field, run the radius-server authorization command.

Ack-reserved-interval

Holdtime of RADIUS authorization response packets.

To configure this field, run the radius-server authorization command.

vpn-instance

Name of the VPN instance that the RADIUS authorization server is bound to.

To configure this field, run the radius-server authorization command.

NOTE:

Only the S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support vpn-instance.

display radius-server configuration

Function

The display radius-server configuration command displays configuration information about a RADIUS server template.

Format

display radius-server configuration [ template template-name ]

Parameters

Parameter

Description

Value

template template-name

Specifies the name of a RADIUS server template.

If this parameter is not specified, configuration information of all RADIUS server templates is displayed.

The RADIUS server template must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the configuration of a RADIUS server template is completed or a RADIUS fault needs to be rectified, you can run this command to check whether the configuration of the RADIUS server template is correct.

Example

# Display configuration information about the RADIUS server template named shiva.

<HUAWEI> display radius-server configuration template shiva
  ------------------------------------------------------------------------------
  Server-template-name          :  shiva
  Protocol-version              :  standard
  Traffic-unit                  :  B
  Shared-secret-key             :  %^%#O09i(W[^YT4g#Z37Nct9$IK#TH(-B6-1|<;q|D)"%^%#
  Group-filter                  :  class
  Timeout-interval(in second)   :  5
  Retransmission                :  2
  EndPacketSendTime             :  0
  Dead time(in minute)          :  5
  Domain-included               :  YES
  NAS-IP-Address                :  -
  Calling-station-id MAC-format :  xxxx-xxxx-xxxx
  Called-station-id MAC-format  :  XX.XX.XX.XX.XX.XX
  NAS-Port-ID format            :  New 
  Service-type                  :  - 
  NAS-IPv6-Address              :  ::
  Server algorithm              :  master-backup 
  Detect-interval(in second)    :  60 
  Testuser-username             :  huawei
  Testuser-ciperpwd             :  %^%#.5*EDl^j_WXg[#Z>plj8;k|8.s*ju<_F~g9k`0*9%^%#
  Authentication Server 1       :  10.7.66.66     Port:1812  Weight:80  [UP]
                                   Vrf:- LoopBack:NULL Vlanif:NULL
                                   Source IP: ::
  Authentication Server 2       :  10.7.66.67     Port:1812  Weight:80  [UP]
                                   Vrf:- LoopBack:NULL Vlanif:NULL
                                   Source IP: ::
  Accounting Server     1       :  10.7.66.66     Port:1813  Weight:80  [UP]
                                   Vrf:- LoopBack:NULL Vlanif:NULL
                                   Source IP: ::
  Accounting Server     2       :  10.7.66.67     Port:1813  Weight:80  [UP]
                                   Vrf:- LoopBack:NULL Vlanif:NULL
                                   Source IP: ::
  ------------------------------------------------------------------------------ 
Table 13-26  Description of the display radius-server configuration template template-name command output

Item

Description

Server-template-name

Name of a RADIUS server template. To configure this item, run the radius-server template command.

Protocol-version

RADIUS protocol version:
  • standard
  • huawei
  • iphotel
  • portal

Traffic-unit

Traffic unit in the RADIUS server template:

  • B: Byte
  • KB: Kilobyte
  • MB: Megabyte
  • GB: Gigabyte

To configure this item, run the radius-server traffic-unit command.

Shared-secret-key

Shared key in the RADIUS server template. To configure this item, run the radius-server shared-key command.

Group-filter

Filtering field of a user group. Currently, only the class field can be used as the filtering field of a user group.

Timeout-interval(in second)

Response timeout period of a RADIUS server. To configure this item, run the radius-server retransmit timeout dead-time command.

Retransmission

Number of times RADIUS packets are retransmitted. To configure this item, run the radius-server retransmit timeout dead-time command.

EndPacketSendTime

Number of times RADIUS accounting-stop packets are retransmitted. To configure this item, run the radius-server accounting-stop-packet resend command.

Dead time(in minute)

Interval for the primary RADIUS server to revert to the active status. To configure this item, run the radius-server retransmit timeout dead-time command.

Domain-included

Whether the RADIUS user name contains the domain name.

  • YES: The user name contains the domain name.
  • NO: The user name does not contain the domain name.
  • Original: The device does not modify the user name entered by the user.

To configure this item, run the radius-server user-name domain-included command.

NAS-IP-Address

NAS IP address in RADIUS packets.

Calling-station-id MAC-format

Encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets.

Called-station-id MAC-format

Encapsulation format of the MAC address in the called-station-id attribute of RADIUS packets. To configure this item, run the called-station-id mac-format command.

NAS-Port-ID format

Format of the NAS-Port-ID attribute on the RADIUS server.

  • New: Uses the new format of the NAS-Port-ID attribute.
  • Old: Uses the old format of the NAS-Port-ID attribute.
  • Vm: Uses the NAS-Port-ID attribute format of the VM.
    NOTE:

    Only the S5720EI supports this parameter.

To configure this item, run the radius-server nas-port-id-format command.

Service-type

Service type.

NAS-IPv6-Address

NAS IPv6 address in RADIUS packets.

Server algorithm

Algorithm for selecting RADIUS servers.

  • master-backup: Specifies the algorithm for selecting RADIUS servers as primary/secondary.
  • loading-share: Specifies the algorithm for selecting RADIUS servers as packet-based load balancing.
  • loading-share based-user: Specifies the algorithm for selecting RADIUS servers as single user-based load balancing.

To configure this item, run the radius-server algorithm command.

Detect-interval(in second)

Automatic detection interval for RADIUS servers. To configure this item, run the radius-server detect-server command.

Testuser-username

User name for automatic RADIUS server detection. To configure this item, run the radius-server testuser command.

Testuser-ciperpwd

User password for automatic RADIUS server detection. To configure this item, run the radius-server testuser command.

Authentication Server 1

IP address, interface number, weight, status, VPN instance, source interface, and source IP address of the primary RADIUS authentication server. To configure this item, run the radius-server authentication command.

Authentication Server 2

IP address, interface number, weight, status, VPN instance, source interface, and source IP address of the secondary RADIUS authentication server. To configure this item, run the radius-server authentication command.

Accounting Server 1

IP address, interface number, weight, status, VPN instance, source interface, and source IP address of the primary RADIUS accounting server. To configure this item, run the radius-server accounting command.

Accounting Server 2

IP address, interface number, weight, status, VPN instance, source interface, and source IP address of the secondary RADIUS accounting server. To configure this item, run the radius-server accounting command.

display radius-server dead-interval dead-count

Function

The display radius-server dead-interval dead-count command displays configuration information about the RADIUS server detection interval and maximum number of consecutive unacknowledged packets in each detection interval.

Format

display radius-server { dead-interval | dead-count }

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the RADIUS server detection interval and the maximum number of consecutive unacknowledged packets in each detection interval are configured using the radius-server dead-interval dead-count command, run the display radius-server { dead-interval | dead-count } command to check that configuration.

Example

# Display configuration information about the RADIUS server detection interval.

<HUAWEI> display radius-server dead-interval
Radius server state detected internal is 5.

# Display configuration information about the maximum number of consecutive packets that are not acknowledged by the RADIUS server in each detection interval.

<HUAWEI> display radius-server dead-count
Radius server state detected count is 2. 
Table 13-27  Description of the display radius-server { dead-interval | dead-count } command output

Item

Description

Radius server state detected internal is

Detection interval of the current RADIUS server.

Radius server state detected count is

Maximum number of consecutive packets that are not acknowledged by the RADIUS server.

display radius-server item

Function

The display radius-server item command shows the RADIUS server configuration.

Format

display radius-server item { ip-address { ipv4-address | ipv6-address } { accounting | authentication } | template template-name }

Parameters

Parameter

Description

Value

ip-address { ipv4-address | ipv6-address }

Specifies the IP address of the RADIUS server.

ipv4-address: The value is in dotted decimal notation.

ipv6-address: The value is a 32-digit hexadecimal number.

accounting

Indicates the RADIUS accounting server.

-

authentication

Indicates the RADIUS authentication server.

-

template template-name

Specifies the RADIUS server template name.

The value must be an existing RADIUS server template name.

Views

All views

Default Level

3: Management level

Usage Guidelines

The display radius-server item command shows the RADIUS server configuration.

Example

# Display the configuration of RADIUS server template rds.

<HUAWEI> display radius-server item template rds
 ------------------------------------------------------------------------------ 
  Type       = auth-server                                                      
  State      = state-up                                                         
  AlarmFlag  = false                                                            
  STUseNum   = 1 
  IPAddress  = 192.168.30.1 
  AlarmTimer = 0xffffffff 
  Head       = 1057 
  Tail       = 1311
  ProbeID    = 255
  Type       = acct-server 
  State      = state-up 
  AlarmFlag  = false 
  STUseNum   = 1                                                                
  IPAddress  = 192.168.30.1                                                     
  AlarmTimer = 0xffffffff                                                       
  Head       = 1057                                                             
  Tail       = 1311                                                             
  ProbeID    = 255                                                              
 ------------------------------------------------------------------------------ 
Table 13-28  Description of the display radius-server item template command output

Item

Description

Type

RADIUS server type: authentication or accounting server.
  • auth-server: indicates authentication server.
  • acct-server: indicates accounting server.

State

RADIUS server status.
  • state-up: indicates that the RADIUS server is in UP status.
  • state-down: indicates that the RADIUS server is in DOWN status.
  • state-probe: indicates that the RADIUS server is in detection status.

AlarmFlag

Alarm flag.

  • true: indicates that an alarm about status change has been sent.
  • false: indicates that an alarm about status change is not sent.

STUseNum

RADIUS server template ID.

IPAddress

RADIUS server IP address.

AlarmTimer

ID of the alarm timer.

Head

Head pointer used to allocate the ID to RADIUS packets.

Tail

Tail pointer used to allocate the ID to RADIUS packets.

ProbeID

ID of probe packets.

display radius-server session-manage configuration

Function

The display radius-server session-manage configuration command displays the session management configuration for RADIUS servers: whether the function is enabled and which session management servers are configured.

Format

display radius-server session-manage configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After session management is enabled using the radius-server session-manage command, run this command to check the session management configuration, including the session management servers the device accepts packets from and the VPN instance bound to each.

Example

# Display session management configuration on the RADIUS server.

<HUAWEI> display radius-server session-manage configuration
 ------------------------------------------------------------------------------ 
 Session Manage Enable : True    Session Manage AnyServer : False               
 ------------------------------------------------------------------------------ 
 IP Address      VPN Instance                     Shared-key                    
 ------------------------------------------------------------------------------ 
 10.1.1.1        -                                ****************              
 ------------------------------------------------------------------------------ 
 1 Radius session manage server(s) in total                                     
Table 13-29  Description of the display radius-server session-manage configuration command output

Item

Description

Session Manage Enable

Whether session management is enabled:
  • True: enabled
  • False: disabled

To set this parameter, run the radius-server session-manage command.

Session Manage AnyServer

Whether any RADIUS session management server is configured:
  • True: configured
  • False: not configured

IP Address

IP address of the RADIUS session management server.

VPN Instance

Name of the VPN instance bound to the RADIUS session management server.

NOTE:

Only the S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this parameter.

Shared-key

Shared key of the RADIUS session management server.

Radius session manage server(s) in total

Number of the RADIUS session management servers.
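As an added example that is not part of this command reference or of Huawei's implementation: the interpretation that a session management server is one from which the device accepts Change-of-Authorization and Disconnect requests (RFC 5176) is an assumption drawn from that RFC, not stated on this page. The Python code below applies the two checks a practitioner would expect such a device to perform before acting on one of these requests: the source address must match a server in the table shown above, and the Request Authenticator must verify under that server's shared key. The server table, shared key, user name and sample Disconnect-Request are constructed for illustration.

```python
"""Authenticate a RADIUS Disconnect or CoA request (RFC 5176) from a
session management server.  Added example: the server table, shared key and
sample packet are constructed for illustration."""
import hashlib
import hmac
import struct
from ipaddress import ip_address

DISCONNECT_REQUEST = 40   # RFC 5176 packet codes
COA_REQUEST = 43

# Stand-in for the "IP Address / Shared-key" table in the display output:
# configured session management server -> its shared key (constructed values).
SESSION_MANAGE_SERVERS = {
    ip_address("10.1.1.1"): b"example-shared-key",
}


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a CoA/Disconnect request.  Its Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, src_ip: str, servers=None) -> bool:
    """Accept the packet only if it came from a configured session management
    server and its Request Authenticator verifies under that server's key.
    Every failure returns False without saying why, so a probe learns nothing."""
    servers = SESSION_MANAGE_SERVERS if servers is None else servers
    secret = servers.get(ip_address(src_ip))
    if secret is None or len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


# Constructed sample: a Disconnect-Request for user "alice" from the server above.
SAMPLE_ATTRS = attr(1, b"alice") + attr(4, bytes([192, 168, 30, 2]))  # User-Name, NAS-IP-Address
SAMPLE_PACKET = build_request(DISCONNECT_REQUEST, 7, SAMPLE_ATTRS, b"example-shared-key")

if __name__ == "__main__":
    print(verify_request(SAMPLE_PACKET, "10.1.1.1"))   # True: configured server, key matches
    print(verify_request(SAMPLE_PACKET, "10.1.1.2"))   # False: not a configured server
    forged = build_request(DISCONNECT_REQUEST, 7, SAMPLE_ATTRS, b"wrong-key")
    print(verify_request(forged, "10.1.1.1"))          # False: wrong shared key
```

The source-address check is what the server table in the display output provides; the authenticator check is what the masked Shared-key column provides. Neither alone is sufficient: a spoofed source address passes the first check, and a request from an unlisted host never reaches the second. Note that RFC 5176 authentication is keyed MD5, so the strength of the shared key is the only thing standing between an attacker on the path and a forged Disconnect-Request.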

display snmp-agent trap feature-name radius all

Function

The display snmp-agent trap feature-name radius all command displays the status of all traps on the RDS module.

Format

display snmp-agent trap feature-name radius all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After enabling the trap function for the RDS module, you can run this command to check the status of all traps on the RDS module. To enable the trap function for the RDS module, run the snmp-agent trap enable feature-name radius command.

Prerequisites

The SNMP function has been enabled on the device.

Example

# Display the status of all traps on the RDS module.

<HUAWEI>display snmp-agent trap feature-name radius all
------------------------------------------------------------------------------                                                      
Feature name: radius                                                                                                                
Trap number : 4                                                                                                                     
------------------------------------------------------------------------------                                                      
Trap name                       Default switch status   Current switch status                                                       
hwRadiusAuthServerUp            off                     off                                                                         
hwRadiusAuthServerDown          off                     off                                                                         
hwRadiusAcctServerUp            off                     off                                                                         
hwRadiusAcctServerDown          off                     off
Table 13-30  Description of the display snmp-agent trap feature-name radius all command output

Item

Description

Feature name

Name of the module to which a trap belongs.

Trap number

Number of traps.

Trap name

Name of a trap. Traps on the RDS module include:

  • hwRadiusAuthServerUp: The device sends a Huawei proprietary trap when it detects that communication with the RADIUS authentication server is restored.

  • hwRadiusAuthServerDown: The device sends a Huawei proprietary trap when it detects that communication with the RADIUS authentication server is interrupted.

  • hwRadiusAcctServerUp: The device sends a Huawei proprietary trap when it detects that communication with the RADIUS accounting server is restored.

  • hwRadiusAcctServerDown: The device sends a Huawei proprietary trap when it detects that communication with the RADIUS accounting server is interrupted.

Default switch status

Default status of the trap function:
  • on: The trap function is enabled by default.

  • off: The trap function is disabled by default.

Current switch status

Trap status:

  • on: The trap is enabled.

  • off: The trap is disabled.

radius-attribute check

Function

The radius-attribute check command enables the device to check the specified attributes in the received RADIUS Access-Accept packets.

The undo radius-attribute check command disables the device from checking the specified attributes in the received RADIUS Access-Accept packets.

By default, the device does not check whether a RADIUS Access-Accept packet contains the specified attributes.

Format

radius-attribute check attribute-name

undo radius-attribute check [ attribute-name ]

Parameters

Parameter

Description

Value

attribute-name

Specifies the name of the RADIUS attribute. If this parameter is specified, the RADIUS Access-Accept packets are checked based on attribute names.

The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the radius-attribute check command is executed, the device checks whether the received RADIUS Access-Accept packets contain the specified attributes. If yes, the device considers that authentication was successful; if not, the device considers that authentication failed and discards the packet. For example, after the radius-attribute check filter-id command is executed, the device checks the filter-id attribute in the received RADIUS Access-Accept packets. If a RADIUS packet does not contain this attribute, authentication fails.

Precautions

  • When you run the undo radius-attribute check command with attribute-name, the device stops checking that attribute in RADIUS Access-Accept packets. When you run the undo radius-attribute check command without any parameter, the device stops checking all attributes in RADIUS Access-Accept packets.
  • The display radius-attribute command displays the RADIUS attribute names that can be specified.

Example

# Check whether the RADIUS Access-Accept packets contain the framed-protocol attribute.

<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-attribute check framed-protocol

radius-attribute disable

Function

The radius-attribute disable command disables a RADIUS attribute.

The undo radius-attribute disable command enables a disabled RADIUS attribute.

By default, no RADIUS attribute is disabled.

Format

radius-attribute disable attribute-name { receive | send } *

undo radius-attribute disable [ attribute-name ]

Parameters

Parameter

Description

Value

attribute-name

Specifies the name of a RADIUS attribute.

The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.
receive

Disables a RADIUS attribute for received packets.

-

send

Disables a RADIUS attribute for sent packets.

-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Generally, a RADIUS server connects to multiple network devices, which may come from one vendor or from several. If the RADIUS server delivers an attribute that some vendors' devices require for a feature but other vendors' devices do not support, those devices may fail to parse the attribute.

Likewise, the device may communicate with RADIUS servers of different vendors. An attribute that one RADIUS server requires the device to send may not be processed by another RADIUS server, causing errors.

The radius-attribute disable command disables RADIUS attributes on the device. You can configure the device to ignore incompatible attributes when receiving RADIUS packets to prevent parsing failures. You can also configure the device to disable RADIUS attributes when sending RADIUS packets. When the device sends RADIUS packets, it does not encapsulate the disabled RADIUS attributes in the RADIUS packets.

Prerequisites

The RADIUS attribute translation function has been enabled using the radius-server attribute translate command.

Precautions

Before disabling RADIUS attributes, run the display radius-attribute command to view the RADIUS attributes supported by the device.

Example

# Disable the Framed-Route attribute in sent packets.

<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server attribute translate
[HUAWEI-radius-test1] radius-attribute disable framed-route send

radius-attribute nas-ip

Function

The radius-attribute nas-ip command sets the NAS-IP-Address attribute in a RADIUS packet sent from an NAS.

The undo radius-attribute nas-ip command deletes the configured NAS-IP-Address attribute.

By default, the NAS-IP-Address attribute carries the source IP address of the RADIUS packets sent by the NAS.

Format

radius-attribute nas-ip ip-address

undo radius-attribute nas-ip

Parameters

Parameter

Description

Value

ip-address

Specifies the NAS-IP-Address attribute value in RADIUS packets sent by the device.

The value is a valid unicast address in dotted decimal notation.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A RADIUS server uses the NAS-IP-Address attributes in RADIUS packets sent by NASs to identify NASs. You can run the radius-attribute nas-ip command in the RADIUS server template view to set the NAS-IP-Address attribute.

Prerequisites

A RADIUS server template has been created using the radius-server template command.

Precautions

If the RADIUS NAS-IP-Address attribute is set to an invalid IP address, the configuration fails and an error message is displayed.

Example

# Set the RADIUS NAS-IP-Address attribute.

<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-attribute nas-ip 10.3.3.3

radius-attribute nas-ipv6

Function

The radius-attribute nas-ipv6 command sets the NAS-IPv6-Address attribute in a RADIUS packet sent from a network access server (NAS).

The undo radius-attribute nas-ipv6 command deletes the configured NAS-IPv6-Address attribute.

By default, no NAS-IPv6-Address attribute is configured.

Format

radius-attribute nas-ipv6 ipv6-address

undo radius-attribute nas-ipv6

Parameters

Parameter

Description

Value

ipv6-address

Specifies the NAS-IPv6-Address attribute in a RADIUS packet.

The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The RADIUS server uses IP addresses to identify different NASs. The NAS-IPv6-Address attribute in a RADIUS packet can be configured using the radius-attribute nas-ipv6 command in the RADIUS template.

Prerequisites

A RADIUS server template has been created using the radius-server template command.

Precautions

If the RADIUS NAS-IPv6-Address attribute is set to an invalid IPv6 address, the configuration fails and an error message is displayed.

Example

# Set the RADIUS NAS-IPv6-Address attribute.

<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-attribute nas-ipv6 FC00::7

radius-attribute service-type with-authenonly-reauthen

Function

The radius-attribute service-type with-authenonly-reauthen command sets the reauthentication mode to reauthentication only.

The undo radius-attribute service-type with-authenonly-reauthen command restores the reauthentication mode to reauthentication and reauthorization.

By default, this command is not configured and the reauthentication mode is reauthentication and reauthorization.

Format

radius-attribute service-type with-authenonly-reauthen

undo radius-attribute service-type with-authenonly-reauthen

Parameters

None

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When a large number of users are online at the same time and each user has a lot of authorization information, reauthentication forces the device to redeliver all of that authorization information to every user after each successful reauthentication. The device may be unable to process this volume, authorization fails, and users go offline. After the radius-attribute service-type with-authenonly-reauthen command is run in the RADIUS server template view, the device only reauthenticates users during reauthentication and does not redeliver authorization information, so users are not disconnected by authorization failures.

Precautions

After this command is configured, users still use the original authorization information after being successfully reauthenticated even if the user authorization information changes.

This function takes effect after the Service-Type attribute on the RADIUS server is set to Authenticate Only.

Example

# Set the reauthentication mode to reauthentication only.

<HUAWEI> system-view
[HUAWEI] radius-server template test
[HUAWEI-radius-test] radius-attribute service-type with-authenonly-reauthen

radius-attribute set

Function

The radius-attribute set command modifies the RADIUS attributes.

The undo radius-attribute set command restores the default RADIUS attributes.

Format

radius-attribute set attribute-name attribute-value [ auth-type mac | user-type ipsession ]

undo radius-attribute set attribute-name

Parameters

Parameter

Description

Value

attribute-name

Specifies the name of the attribute to be modified.

The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.

attribute-value

Indicates the value of the attribute to be modified.

The value of attribute-value is automatically displayed.

auth-type mac

Sets the user authentication mode to MAC address authentication. Only the Service-Type attribute supports this parameter.

-
user-type ipsession

Specifies the users with user type being IP session. Only the Service-Type attribute supports this parameter.

-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The RADIUS attribute values of different vendors are different. To ensure that Huawei device can successfully communicate with the devices of other vendors, run the radius-attribute set command to modify the RADIUS attribute values.

For example, the Huawei device uses Service-Type value 2 to indicate an authentication request from a common user by default, while a non-Huawei RADIUS server uses Service-Type value 1 to indicate an authentication request from a common user; you can run the radius-attribute set service-type 1 command to change the Service-Type value on the device so that the device can communicate with the RADIUS server.

Precautions

  • The radius-attribute set command can modify only the RADIUS attributes in the authentication or accounting request packets sent from a device to the RADIUS server, and cannot modify the RADIUS attributes in the packets sent from the RADIUS server to a device.

    If you run the display radius-attribute command to check the RADIUS attributes supported by a device and the Auth Req or Acct Req field in the command output displays 1, the RADIUS attributes supported by the device can be carried in the authentication or accounting request packets sent from the device to the RADIUS server.

    Among the RADIUS attributes that can be carried in the authentication or accounting packets sent from the device to the RADIUS server, you cannot run the radius-attribute set command to modify the following attributes: User-Password, Agent-Circuit-Id, Agent-Remote-Id, NAS-IP-Address, NAS-IPv6-Address, CHAP-Password, CHAP-Challenge, EAP-Message, Framed-Interface-Id, Framed-IPv6-Prefix, and Message-Authenticator.

  • The type of the attribute modified by the radius-attribute set command cannot be changed.

  • The radius-attribute set service-type attribute-value { auth-type mac | user-type ipsession } command has a higher priority than the radius-attribute set service-type attribute-value command.

  • If the value of the HW-Output-Committed-Information-Rate attribute is changed to 0, sent packets do not carry this attribute.

Example

# Create the template temp1 and set the Service-Type attribute value to 1.

<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-attribute set service-type 1

radius-attribute translate

Function

The radius-attribute translate command configures a RADIUS attribute to be translated.

The undo radius-attribute translate command cancels the configuration.

By default, no RADIUS attribute is translated.

Format

radius-attribute translate src-attribute-name dest-attribute-name { receive | send | access-accept | access-request | account-request | account-response } *

radius-attribute translate extend vendor-specific src-vendor-id src-sub-id dest-attribute-name { access-accept | account-response } *

radius-attribute translate extend src-attribute-name vendor-specific dest-vendor-id dest-sub-id { access-request | account-request } *

undo radius-attribute translate [ src-attribute-name ]

undo radius-attribute translate extend src-attribute-name

undo radius-attribute translate extend vendor-specific src-vendor-id src-sub-id

Parameters

Parameter

Description

Value

src-attribute-name

Specifies the name of the source attribute.

The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.

dest-attribute-name

Specifies the name of the destination attribute.

The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.

receive

Translates RADIUS attributes for received packets.

-

send

Translates RADIUS attributes for sent packets.

-

access-request

Translates RADIUS attributes for Authentication Request packets.

-

account-request

Translates RADIUS attributes for Accounting Request packets.

-

access-accept

Translates RADIUS attributes for Authentication Accept packets.

-

account-response

Translates RADIUS attributes for Accounting Response packets.

-

extend

Translates extended RADIUS attributes.

-

vendor-specific src-vendor-id src-sub-id

Specifies the source vendor-specific attribute to be translated.
  • src-vendor-id: vendor ID of the vendor-specific attribute to be translated.
  • src-sub-id: sub-ID (vendor type) of the vendor-specific attribute to be translated.

  • The value of src-vendor-id is an integer ranging from 1 to 4294967295.
  • The value of src-sub-id is an integer ranging from 1 to 255.

vendor-specific dest-vendor-id dest-sub-id

Specifies the destination vendor-specific attribute produced by the translation.
  • dest-vendor-id: vendor ID of the vendor-specific attribute produced by the translation.
  • dest-sub-id: sub-ID (vendor type) of the vendor-specific attribute produced by the translation.

  • The value of dest-vendor-id is an integer ranging from 1 to 4294967295.
  • The value of dest-sub-id is an integer ranging from 1 to 255.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Currently, RADIUS servers of different vendors may support different RADIUS attributes and have vendor-specific RADIUS attributes. To communicate with different RADIUS servers, the device provides the RADIUS attribute translation function. After RADIUS attribute translation is enabled, the device can translate RADIUS attributes when sending or receiving packets.

RADIUS attribute translation is used in the following modes:

  • Format translation for the same attribute

    This mode is widely applied. It solves the problem of compatibility because different users have different requirements for the format of a RADIUS attribute.

  • Translation between different attributes

    This mode is used because different vendors have different implementations of RADIUS attributes.

    For example, the device receives the administrator's privilege level in the Huawei proprietary attribute HW-Exec-Privilege (26-29), whereas another vendor's device receives it in the standard Login-Service (15) attribute. When both devices use the same RADIUS server, the administrator wants the server to deliver the privilege level in the Login-Service (15) attribute for both. After the radius-attribute translate command is configured, the device processes the Login-Service attribute in received RADIUS authentication response packets as the HW-Exec-Privilege attribute.

Prerequisites

RADIUS attribute translation has been enabled by using the radius-server attribute translate command.

Before configuring RADIUS attribute translation, run the display radius-attribute command to view the RADIUS attributes supported by the device.

Precautions

  • When the device sends packets, if attribute A is to be translated to attribute B, the type of the encapsulated attribute is the same as that of attribute B but the attribute content and format are the same as those of attribute A.

  • When the device receives packets, if attribute A is to be translated to attribute B, the device parses the received attribute A as attribute B.

  • Three commands are available to translate RADIUS attributes:

    • To translate the attributes supported by the device to other attributes also supported by the device, run the radius-attribute translate command.
    • To translate the non-Huawei attributes not supported by the device to the attributes supported by the device, run the radius-attribute translate extend vendor-specific command.
    • To translate the attributes supported by the device to the non-Huawei attributes not supported by the device, run the radius-attribute translate extend command.
  • The RADIUS attribute consists of Type, Length, and Value fields. A device can translate a non-Huawei RADIUS attribute (specified using the src-sub-id and dest-sub-id parameters) only when the length of the Type field in the RADIUS attribute is 1 byte.
  • The device can translate the RADIUS attribute only when the type of the source RADIUS attribute is the same as that of the destination RADIUS attribute. For example, the types of NAS-Identifier and NAS-Port-Id attributes are string, and they can be translated into each other. The types of NAS-Identifier and NAS-Port attributes are string and integer respectively, they cannot be translated into each other.

Example

# Configure the device to translate NAS-Identifier into NAS-Port-Id when sending RADIUS packets.

<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-server attribute translate
[HUAWEI-radius-temp1] radius-attribute translate nas-identifier nas-port-id send

# Translate the Cisco No. 2 attribute (vendor ID 9) in Authentication Accept and Accounting Response packets to Huawei No. 155 extended attribute HW-URL-Flag.

<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-server attribute translate
[HUAWEI-radius-temp1] radius-attribute translate extend vendor-specific 9 2 HW-URL-Flag access-accept account-response

# Translate the Huawei No. 153 extended attribute HW-Access-Type in Authentication Request and Accounting Request packets to Cisco No. 11 attribute.

<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-server attribute translate
[HUAWEI-radius-temp1] radius-attribute translate extend HW-Access-Type vendor-specific 9 11 access-request account-request
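The following Python code is an added example, not part of this command reference and not Huawei's implementation. It shows, on the receiving side, what the radius-attribute check command (an Access-Accept lacking the specified attribute is treated as an authentication failure and discarded) and the radius-attribute translate extend vendor-specific command (a foreign Vendor-Specific attribute parsed as a named attribute) amount to when applied to a real packet. Before either check it verifies the Response Authenticator, since an Access-Accept that did not come from the configured server should never reach attribute processing. The translation table mirrors the vendor 9, sub-ID 2 to HW-URL-Flag example above; the shared key, Request Authenticator, attribute values and sample packets are constructed. The Vendor-Specific layout assumed is the RFC 2865 one (4-byte Vendor-Id, 1-byte Vendor-Type, 1-byte Vendor-Length), which is the 1-byte Type case the precaution above refers to.

```python
"""Validate a RADIUS Access-Accept the way the two commands above describe:
verify the Response Authenticator, translate a vendor-specific attribute to a
named attribute, and reject the packet if a required attribute is missing.
Added example; the translation table, shared key and sample packets are
constructed for illustration and are not Huawei's implementation."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11
VENDOR_SPECIFIC = 26

# Modelled on "radius-attribute translate extend vendor-specific 9 2 HW-URL-Flag":
# (vendor-id, sub-id) -> attribute name the device will treat it as.
VSA_TRANSLATE = {(9, 2): "HW-URL-Flag"}

# Names for a few standard attributes (RFC 2865); others keep a numeric name.
STD_NAMES = {1: "User-Name", 6: "Service-Type", 11: "Filter-Id", 25: "Class"}


def attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, sub_id: int, value: bytes) -> bytes:
    """Vendor-Specific (26) carrying one sub-attribute with a 1-byte Vendor-Type
    and 1-byte Vendor-Length (the layout RFC 2865 section 5.26 recommends)."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, sub_id, len(value) + 2) + value)


def parse_attributes(data: bytes) -> list:
    """Walk the attribute list and return (name, value) pairs.  A VSA is
    translated through VSA_TRANSLATE; VSAs with no translation, or whose
    sub-attribute does not use a 1-byte Type, are ignored rather than failed."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        i += length
        if attr_type != VENDOR_SPECIFIC:
            out.append((STD_NAMES.get(attr_type, "Attr-%d" % attr_type), value))
            continue
        if len(value) < 6:
            raise ValueError("truncated Vendor-Specific attribute")
        vendor_id, sub_id, sub_len = struct.unpack("!IBB", value[:6])
        if sub_len != len(value) - 4:      # not a single 1-byte-Type sub-attribute
            continue
        name = VSA_TRANSLATE.get((vendor_id, sub_id))
        if name is not None:
            out.append((name, value[6:]))
    return out


def check_access_accept(packet: bytes, request_authenticator: bytes, secret: bytes,
                        required=("Filter-Id",)) -> dict:
    """Return the attributes of an authentic Access-Accept that carries every
    required attribute; raise ValueError where the device would discard it."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s3.
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: not from the configured server")
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    attrs = parse_attributes(packet[20:])
    present = {name for name, _ in attrs}
    missing = [name for name in required if name not in present]
    if missing:
        raise ValueError("authentication failed: missing %s" % ", ".join(missing))
    return dict(attrs)


def build_access_accept(ident: int, attrs: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side of the same formula, used only to construct samples here."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


# Constructed sample exchange: the Request Authenticator the NAS sent, the shared
# key, an Access-Accept with Filter-Id plus a Cisco (vendor 9) sub-id 2 VSA, and
# one that lacks Filter-Id.
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-shared-key"
GOOD_ACCEPT = build_access_accept(5, attr(FILTER_ID, b"guest-acl") + vsa(9, 2, b"1"), REQUEST_AUTH, SECRET)
NO_FILTER_ACCEPT = build_access_accept(6, vsa(9, 2, b"1"), REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print(check_access_accept(GOOD_ACCEPT, REQUEST_AUTH, SECRET))
    # {'Filter-Id': b'guest-acl', 'HW-URL-Flag': b'1'}
    try:
        check_access_accept(NO_FILTER_ACCEPT, REQUEST_AUTH, SECRET)
    except ValueError as err:
        print(err)   # authentication failed: missing Filter-Id
```

Two points follow from the code. First, the required-attribute check only has teeth after the authenticator check: without it, anyone who can deliver a UDP packet to the NAS could supply an Access-Accept carrying whatever Filter-Id they like. Second, the sub_len comparison is where the "1-byte Type field" precaution bites: a vendor that packs several sub-attributes into one Vendor-Specific attribute, or uses a wider type field, fails that comparison and the attribute is skipped, which is the safe default but also why such attributes cannot be translated by this mechanism.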

radius-server (aaa domain view)

Function

The radius-server command applies a RADIUS server template to a domain.

The undo radius-server command unbinds a RADIUS server template from a domain.

By default, the RADIUS server template named default is bound to the domain default and to each newly created domain, and no RADIUS server template is bound to the domain default_admin.

Format

radius-server template-name

undo radius-server

Parameters

Parameter

Description

Value

template-name

Specifies the name of a RADIUS server template.

The RADIUS server template must already exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform RADIUS authentication and accounting for users in a domain, apply a RADIUS server template to the domain. A RADIUS server template takes effect only after the RADIUS server template is applied to a domain.

Prerequisites

A RADIUS server template has been created using the radius-server template command.

Example

# Apply the RADIUS server template template1 to the domain radius1.

<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] quit
[HUAWEI] aaa
[HUAWEI-aaa] domain radius1
[HUAWEI-aaa-domain-radius1] radius-server template1

radius-server accounting

Function

The radius-server accounting command configures the RADIUS accounting server.

The undo radius-server accounting command deletes the configuration.

By default, no RADIUS accounting server is configured.

Format

radius-server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *

radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *

undo radius-server accounting [ ipv4-address [ port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight ] * ] ]

undo radius-server accounting [ ipv6-address [ port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight ] ] ]

NOTE:

The vpn-instance vpn-instance-name command is supported only by the S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI.

Parameters

Parameter

Description

Value

ipv4-address

Specifies the IPv4 address of a RADIUS accounting server.

The value is a valid unicast address in dotted decimal notation.

ipv6-address

Specifies the IPv6 address of a RADIUS accounting server.

The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

port

Specifies the port number of a RADIUS accounting server.

The value is an integer that ranges from 1 to 65535.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance that the RADIUS accounting server is bound to.

The value must be an existing VPN instance name.

source loopback interface-number

Specifies the number of a loopback interface.

The loopback interface must already exist.

source ip-address ipv4-address

Specifies the source IPv4 address in RADIUS packets sent from the device to a RADIUS accounting server.

If this parameter is specified, ensure that the value of this parameter is the same as the client's IPv4 address specified on the RADIUS accounting server.

If this parameter is not specified, the IPv4 address of the outbound interface is used as the source IPv4 address in RADIUS packets sent from the device to a RADIUS accounting server.

The value is a valid unicast address in dotted decimal notation.

source ip-address ipv6-address

Specifies the source IPv6 address in RADIUS packets sent from the device to a RADIUS accounting server.

If this parameter is not specified, the IPv6 address of the outbound interface is used as the source IPv6 address in RADIUS packets sent from the device to a RADIUS accounting server.

This address cannot be a virtual IPv6 address of a VRRP6 group.

The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

source vlanif interface-number

Specifies the IP address of a VLANIF interface as the source IP address. interface-number specifies the number of a VLANIF interface.

The VLANIF interface must exist.

weight weight-value

Specifies the weight of a RADIUS accounting server.

When multiple servers are available, the device uses the server with the highest weight to perform accounting. If the servers have the same weights, the device uses the server configured first to perform accounting.

The value is an integer that ranges from 0 to 100.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform accounting for users, configure a RADIUS accounting server. The device reports user accounting information to the RADIUS accounting server in accounting packets, and the server records it. The device sends accounting packets to the RADIUS accounting server only after the IP address and port number of the RADIUS accounting server are specified in the RADIUS server template.

Precautions

The IP address of the primary accounting server must be different from the IP address of the secondary accounting server; otherwise, the configuration fails.

Example

# Configure the primary RADIUS accounting server.

<HUAWEI> system-view
[HUAWEI] radius-server template group1
[HUAWEI-radius-group1] radius-server accounting 10.163.155.12 1813

# Configure the secondary RADIUS accounting server.

<HUAWEI> system-view
[HUAWEI] radius-server template group1
[HUAWEI-radius-group1] radius-server accounting 10.163.155.15 1813 weight 50

radius-server accounting-stop-packet resend

Function

The radius-server accounting-stop-packet resend command enables retransmission of accounting-stop packets and sets the number of accounting-stop packets that can be retransmitted each time.

The undo radius-server accounting-stop-packet resend command disables retransmission of accounting-stop packets.

By default, retransmission of accounting-stop packets is enabled, and the retransmission times is 3.

Format

radius-server accounting-stop-packet resend [ resend-times ]

undo radius-server accounting-stop-packet resend

Parameters

Parameter Description Value
resend-times Specifies the number of accounting-stop packets that can be retransmitted each time. The value is an integer that ranges from 0 to 300.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

When accounting-stop packets cannot be delivered because the RADIUS server is unreachable, you can run the radius-server accounting-stop-packet resend command to buffer the accounting-stop packets and resend them at the preset interval until the allowed number of retransmissions is reached or the packets are sent successfully.

Example

# Enable the retransmission of accounting-stop packets and set the number of accounting-stop packets that can be retransmitted each time to 50.

<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server accounting-stop-packet resend 50

radius-server algorithm

Function

The radius-server algorithm command configures the algorithm for selecting RADIUS servers.

The undo radius-server algorithm command restores the default algorithm for selecting RADIUS servers.

By default, the algorithm for selecting RADIUS servers is primary/secondary.

Format

radius-server algorithm { loading-share [ based-user ] | master-backup }

undo radius-server algorithm

Parameters

Parameter Description Value
loading-share Sets the algorithm for selecting RADIUS servers to load balancing. -
based-user Sets the algorithm for selecting RADIUS servers to single user-based load balancing. If this parameter is not specified, the algorithm for selecting RADIUS servers is packet-based load balancing. -
master-backup Sets the algorithm for selecting RADIUS servers to primary/secondary. -

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When two or more RADIUS servers are available, you can use the radius-server algorithm command to set the algorithm for selecting RADIUS servers.
  • When master-backup is specified, the weight is used to determine the primary and secondary RADIUS authentication or accounting servers. The server with a larger weight value is the primary server. If servers have the same weight, the server that was configured first is the primary server.
  • When loading-share is specified, the device sends a packet to a server according to the weights configured on servers. For example, if the weights of RADIUS server A, RADIUS server B, and RADIUS server C are 80, 80, and 40 respectively, the probabilities of sending packets to RADIUS server A, RADIUS server B, and RADIUS server C are as follows:
    • RADIUS server A: 80/(80 + 80 + 40) = 40%
    • RADIUS server B: 80/(80 + 80 + 40) = 40%
    • RADIUS server C: 40/(80 + 80 + 40) = 20%

    If the algorithm for selecting RADIUS servers is configured as single user-based load balancing, authentication server information is saved in the authentication phase, and in the accounting phase the device preferentially sends the accounting request to that same server when it is also configured as an accounting server. If the algorithm is configured as packet-based load balancing, authentication server information is not saved in the authentication phase, and the accounting server is reselected by the algorithm in the accounting phase, so authentication and accounting for a user may be performed on different servers.
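The two selection algorithms described above, written out as a small model so the weight arithmetic and the tie-breaking rule can be checked on realistic input. This is an added example, not Huawei code: the server names A, B and C and the weights 80, 80 and 40 are the ones from the text, the function names and the user name "alice" are constructed, and the per-user cache is only a model of the documented based-user behaviour.

```python
"""Model of RADIUS server selection under master-backup and loading-share.

Added example, not Huawei code. Servers are (name, weight) tuples kept in
configuration order, which is what the documented tie-breaking relies on.
"""
from fractions import Fraction
import random


def select_master_backup(servers):
    """Primary server under master-backup: highest weight wins; on a tie the
    server configured first (earliest in the list) wins."""
    best = servers[0]
    for server in servers[1:]:
        if server[1] > best[1]:  # strictly greater keeps the earlier one on ties
            best = server
    return best[0]


def load_share_probabilities(servers):
    """Probability that a packet goes to each server under loading-share:
    weight divided by the sum of all weights. Fractions keep it exact, so
    80/(80 + 80 + 40) is reported as 2/5 rather than 0.4000000001."""
    total = sum(weight for _, weight in servers)
    if total == 0:
        raise ValueError("at least one server needs a non-zero weight")
    return {name: Fraction(weight, total) for name, weight in servers}


def pick_load_share(servers, rng):
    """Choose the server for one packet according to the configured weights."""
    names = [name for name, _ in servers]
    weights = [weight for _, weight in servers]
    return rng.choices(names, weights=weights, k=1)[0]


def observed_shares(servers, packets=100_000, seed=1):
    """Send `packets` simulated packets and report the observed share per
    server, to compare against load_share_probabilities()."""
    rng = random.Random(seed)
    counts = {name: 0 for name, _ in servers}
    for _ in range(packets):
        counts[pick_load_share(servers, rng)] += 1
    return {name: counts[name] / packets for name in counts}


def accounting_server(user, auth_record, accounting_servers, rng, based_user):
    """Accounting-phase choice. based_user=True models single user-based load
    balancing: reuse the server that authenticated `user` if it is also an
    accounting server. Otherwise (packet-based) reselect by weight, which is
    why authentication and accounting may land on different servers."""
    names = {name for name, _ in accounting_servers}
    if based_user and auth_record.get(user) in names:
        return auth_record[user]
    return pick_load_share(accounting_servers, rng)


# Constructed example matching the text: weights 80, 80 and 40.
SERVERS = [("A", 80), ("B", 80), ("C", 40)]

if __name__ == "__main__":
    print("master-backup primary:", select_master_backup(SERVERS))
    for name, p in load_share_probabilities(SERVERS).items():
        print(f"loading-share {name}: {p} = {float(p):.0%}")
    print("observed:", observed_shares(SERVERS))
```

Running the module prints A as the primary under master-backup (A and B tie at 80, A was configured first) and the 40%/40%/20% split from the text for loading-share.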

Precautions

If you run the radius-server algorithm command multiple times in the same RADIUS server template view, only the latest configuration takes effect.

Example

# Set the algorithm for selecting RADIUS servers to load balancing.

<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server algorithm loading-share

radius-server attribute message-authenticator access-request

Function

The radius-server attribute message-authenticator access-request command configures the device to include the Message-Authenticator attribute in the RADIUS authentication packets it sends.

The undo radius-server attribute message-authenticator access-request command removes the Message-Authenticator attribute from the RADIUS authentication packets sent by the device.

By default, RADIUS authentication packets do not carry the Message-Authenticator attribute.

Format

radius-server attribute message-authenticator access-request

undo radius-server attribute message-authenticator access-request

Parameters

None

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

The Message-Authenticator attribute authenticates and integrity-protects authentication packets, so that invalid (forged or tampered) packets can be identified and rejected.

NOTE:
  • This command is used when the PAP or CHAP authentication is enabled.
  • When EAP authentication is enabled, RADIUS packets contain the Message-Authenticator attribute by default. You do not need to run this command.
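What the attribute actually protects is easier to see in code. The following is an added example, not Huawei code: it builds a minimal Access-Request, computes the Message-Authenticator (Type 80) as RFC 2869 section 5.14 defines it, HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's 16 value octets zeroed, and verifies it the way a receiving RADIUS server does. The shared secret, identifier, Request Authenticator and User-Name are constructed test values.

```python
"""Compute and verify the RADIUS Message-Authenticator attribute (Type 80).

Added example, not Huawei code. Per RFC 2869 section 5.14 the value is
HMAC-MD5(shared secret, Code | Identifier | Length | Request Authenticator |
Attributes) with the Message-Authenticator value set to 16 zero octets.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attribute(attr_type, value):
    """RADIUS TLV: type, total length (value + 2), value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, request_authenticator, attributes,
                         include_message_authenticator=True):
    """Assemble an Access-Request; with the flag set, append a valid
    Message-Authenticator as the last attribute."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    if include_message_authenticator:
        # Zero placeholder: the HMAC must cover the final packet layout.
        body += encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER_LEN + len(body)
    packet = (struct.pack("!BBH", ACCESS_REQUEST, identifier, length)
              + request_authenticator + body)
    if not include_message_authenticator:
        return packet
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # replace the placeholder with the real value


def iter_attributes(packet):
    """Yield (offset, type, value) for each attribute after the header."""
    pos = HEADER_LEN
    length = struct.unpack("!H", packet[2:4])[0]
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_message_authenticator(secret, packet):
    """Receiver-side check. Returns True only when a Message-Authenticator is
    present and matches; packets without one or with any modified byte fail."""
    for offset, attr_type, value in iter_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)  # constant-time compare
    return False


# Constructed values for the demonstration.
SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def demo():
    """Returns (genuine ok, tampered ok, wrong-secret ok)."""
    packet = build_access_request(SECRET, 7, REQUEST_AUTHENTICATOR,
                                  [(ATTR_USER_NAME, b"alice")])
    tampered = packet.replace(b"alice", b"bobby")  # same length, one attribute changed
    return (verify_message_authenticator(SECRET, packet),
            verify_message_authenticator(SECRET, tampered),
            verify_message_authenticator(b"wrong-secret", packet))


if __name__ == "__main__":
    print(demo())
```

Without the attribute, an Access-Request used with PAP or CHAP carries nothing that binds its attributes to the shared secret, which is why the receiver-side check above rejects a packet that lacks it rather than treating it as optional.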

Example

# Add the Message-Authenticator attribute to RADIUS authentication packets.

<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server attribute message-authenticator access-request

radius-server attribute translate

Function

The radius-server attribute translate command enables RADIUS attribute translation.

The undo radius-server attribute translate command disables RADIUS attribute translation.

By default, RADIUS attribute translation is disabled.

Format

radius-server attribute translate

undo radius-server attribute translate

Parameters

None

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Currently, RADIUS servers of different vendors may support different RADIUS attributes and have vendor-specific RADIUS attributes. To communicate with different RADIUS servers, the device provides the RADIUS attribute translation function. After RADIUS attribute translation is enabled, the device can translate RADIUS attributes when sending or receiving packets.

Follow-up Procedure

After RADIUS attribute translation is enabled, perform either of the following operations to make the function take effect:

Example

# Enable RADIUS attribute translation.

<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server attribute translate

radius-server authentication

Function

The radius-server authentication command configures a RADIUS authentication server.

The undo radius-server authentication command deletes the configured RADIUS authentication server.

By default, no RADIUS authentication server is specified.

Format

radius-server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *

radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *

undo radius-server authentication [ ipv4-address [ port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight ] * ] ]

undo radius-server authentication [ ipv6-address [ port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight ] ] ]

NOTE:

The vpn-instance vpn-instance-name command is supported only by the S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI.

Parameters

Parameter Description Value
ipv4-address Specifies the IPv4 address of a RADIUS authentication server. The value is a valid unicast address in dotted decimal notation.
ipv6-address Specifies the IPv6 address of a RADIUS authentication server. The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
port Specifies the port number of a RADIUS authentication server. The value is an integer that ranges from 1 to 65535.
vpn-instance vpn-instance-name Specifies the name of a VPN instance that the RADIUS authentication server is bound to. The value must be an existing VPN instance name.
source loopback interface-number Specifies the IP address of the loopback interface taken as the source IP address. interface-number specifies the number of a loopback interface. The loopback interface must already exist.
source ip-address ipv4-address Specifies the source IPv4 address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is specified, ensure that the value of this parameter is the same as the client's IPv4 address specified on the RADIUS authentication server. If this parameter is not specified, the IPv4 address of the outbound interface is used as the source IPv4 address in RADIUS packets sent from the device to a RADIUS authentication server. The value is a valid unicast address in dotted decimal notation.
source ip-address ipv6-address Specifies the source IPv6 address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is not specified, the IPv6 address of the outbound interface is used as the source IPv6 address in RADIUS packets sent from the device to a RADIUS authentication server. This address cannot be a virtual IPv6 address of a VRRP6 group. The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
source vlanif interface-number Specifies the IP address of a VLANIF interface as the source IP address. interface-number specifies the number of a VLANIF interface. The VLANIF interface must exist.
weight weight-value Specifies the weight of a RADIUS authentication server. When multiple servers are available, the device uses the server with the highest weight to perform authentication. If the servers have the same weights, the device uses the server configured first to perform authentication. The value is an integer that ranges from 0 to 100. The default value is 80.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

To perform RADIUS authentication, configure a RADIUS authentication server in a RADIUS server template. The device uses the RADIUS protocol to communicate with a RADIUS authentication server to obtain authentication information, and authenticates users based on the authentication information. The device sends authentication packets to the RADIUS authentication server only after the IP address and port number of the RADIUS authentication server are specified in the RADIUS server template.

When the radius-server algorithm master-backup command has been executed to select the primary/secondary algorithm and both the primary and secondary authentication servers are configured, the device sends an authentication request packet to the secondary authentication server in either of the following situations:
  • The primary authentication server does not send an authentication response packet.
  • The authentication request packet retransmission count reaches the maximum.

When the 802.1x authentication mode is set to EAP, the device and RADIUS authentication servers exchange packets multiple times. During the first exchange process, the device sends a request packet to the primary RADIUS authentication server. If the device resends the request packet for the maximum number of times but does not receive a response packet from the primary RADIUS authentication server, the device sends a request packet to the secondary RADIUS authentication server. If the secondary RADIUS authentication server sends a response packet to the device, the device will directly send request packets to the secondary RADIUS authentication server in the following exchange processes. In this way, the device does not need to send a request packet to the primary RADIUS authentication server first in the following exchange processes, shortening the authentication time and preventing the user authentication connection from being disconnected because the client does not receive a response packet for a long time.

Example

# Configure the IP address of the primary RADIUS authentication server to 10.163.155.13 and the port number to 1812.

<HUAWEI> system-view
[HUAWEI] radius-server template group1
[HUAWEI-radius-group1] radius-server authentication 10.163.155.13 1812

# Configure the IP address of the secondary RADIUS authentication server to 10.163.155.15, the port number to 1812, and the weight to 50.

<HUAWEI> system-view
[HUAWEI] radius-server template group1
[HUAWEI-radius-group1] radius-server authentication 10.163.155.15 1812 weight 50

radius-server authorization

Function

The radius-server authorization command configures the RADIUS authorization server.

The undo radius-server authorization command deletes the configured RADIUS authorization server.

By default, no RADIUS authorization server is configured.

Format

radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name shared-key cipher key-string | shared-key cipher key-string [ server-group group-name ] } [ ack-reserved-interval interval ]

undo radius-server authorization { all | ip-address [ vpn-instance vpn-instance-name ] }

NOTE:

The vpn-instance vpn-instance-name command is supported only by the S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI.

Parameters

Parameter Description Value
ip-address Specifies the IP address of a RADIUS authorization server. The value is a unicast address in dotted decimal notation.
vpn-instance vpn-instance-name Specifies the name of a VPN instance that the RADIUS authorization server is bound to. The value must be an existing VPN instance name.
server-group group-name Specifies the name of a RADIUS group corresponding to a RADIUS server template. The value is a string of 1 to 32 characters, including letters (case-sensitive), digits (0 to 9), periods (.), hyphens (-), and underscores (_). The value cannot be - or --.
shared-key cipher key-string Specifies the shared key of a RADIUS server. The value is a case-sensitive character string without spaces or question marks (?). key-string can be a string of 1 to 128 characters in plain text or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in cipher text.
ack-reserved-interval interval Specifies the duration for retaining a RADIUS authorization response packet. The value is an integer that ranges from 0 to 300, in seconds. By default, the value is 0s.
all Deletes all RADIUS authorization servers. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An independent RADIUS authorization server can be used to authorize online users. RADIUS provides two authorization methods: Change of Authorization (CoA) and Disconnect Message (DM).
  • CoA: After a user is successfully authenticated, you can modify the rights of the online user through the RADIUS authorization server. For example, a VLAN ID can be delivered to access users of a certain department through CoA packets, so that they belong to the same VLAN no matter which interfaces they connect to.
  • DM: The administrator can forcibly disconnect a user through the RADIUS authorization server.

After the parameters such as IP address and shared key are configured for the RADIUS authorization server, the device can receive authorization requests from the server and grant rights to users according to the authorization information. After authorization is complete, the device returns authorization response packets carrying the results to the server.

Precautions

To improve security, it is recommended that the shared key contain at least three of the following character types: lowercase letters, uppercase letters, digits, and special characters, and that it be at least 16 characters long.

Example

# Specify a RADIUS authorization server.

<HUAWEI> system-view
[HUAWEI] radius-server authorization 10.1.1.116 shared-key cipher Huawei@2012

radius-server authorization attribute-decode-sameastemplate

Function

The radius-server authorization attribute-decode-sameastemplate command configures the device to parse RADIUS dynamic authorization packet attributes based on the configuration in the RADIUS server template.

The undo radius-server authorization attribute-decode-sameastemplate command restores the default method of parsing RADIUS authorization packet attributes.

By default, the device parses RADIUS dynamic authorization packet attributes based on the global configuration.

Format

radius-server authorization attribute-decode-sameastemplate

undo radius-server authorization attribute-decode-sameastemplate

Parameters

None.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device parses the MAC address in the Calling-Station-Id attribute of RADIUS dynamic authorization packets. By default, the MAC address format that can be parsed is configured using the radius-server authorization calling-station-id decode-mac-format command in the system view. When the device is connected to multiple RADIUS servers, the MAC address formats in the Calling-Station-Id attribute of dynamic authorization packets sent by different RADIUS servers may differ. If a single parse mode is used, the MAC address may fail to be parsed and the device cannot work with some of the RADIUS servers. You can run the radius-server authorization attribute-decode-sameastemplate command to configure the device to parse RADIUS dynamic authorization packet attributes based on the Calling-Station-Id attribute encapsulation mode configured in each RADIUS server template, so that the device can work with multiple RADIUS servers.

Prerequisites

This function is used to make the Calling-Station-Id attribute parse mode the same as the Calling-Station-Id attribute encapsulation mode configured in RADIUS server template. Therefore, make sure that the following steps have been performed before using this function.
  1. The calling-station-id mac-format command has been run in the RADIUS server template view to configure the encapsulation mode of the MAC address in the Calling-Station-Id attribute.
  2. The radius-server authorization command has been run in the system view to configure the authorization server to use the RADIUS server template server-group.
NOTE:
If the RADIUS server template used by the authorization server is not specified, this function cannot be implemented on a device. You can run the radius-server authorization calling-station-id decode-mac-format command in the system view to configure the Calling-Station-Id attribute parse mode.

Precautions

The configuration in a RADIUS server template has a higher priority than the global configuration.

Example

# Configure the RADIUS authorization server to parse attributes depending on the configuration in a RADIUS template.

<HUAWEI> system-view
[HUAWEI] radius-server authorization attribute-decode-sameastemplate

radius-server authorization calling-station-id decode-mac-format

Function

The radius-server authorization calling-station-id decode-mac-format command sets the MAC address format that the device can parse from the calling-station-id (Type 31) attribute carried in RADIUS authorization packets.

The undo radius-server authorization calling-station-id decode-mac-format command restores the default MAC address format in the calling-station-id (Type 31) attribute.

By default, the MAC address format in the calling-station-id attribute carried in RADIUS dynamic authorization packets is xxxxxxxxxxxx, in lowercase.

Format

radius-server authorization calling-station-id decode-mac-format { bin | ascii { unformatted | { dot-split | hyphen-split } [ common | compress ] } }

undo radius-server authorization calling-station-id decode-mac-format

Parameters

Parameter Description Value
bin Indicates that the MAC address in the calling-station-id attribute uses the binary format. -
ascii Indicates that the MAC address in the calling-station-id attribute uses the ASCII format. -
unformatted Indicates that no separator is used in the MAC address in the calling-station-id field. -
dot-split Indicates that dots are used as the separators in MAC address. -
hyphen-split Indicates that the hyphens are used as the separators in MAC address. -
common Indicates that the MAC address in the calling-station-id attribute uses the "xxseparatorxxseparatorxxseparatorxxseparatorxxseparatorxx" format. -
compress Indicates that the MAC address in the calling-station-id attribute uses the "xxxxseparatorxxxxseparatorxxxx" format. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, the MAC address format in the calling-station-id attribute carried in RADIUS dynamic authorization packets is xxxxxxxxxxxx. If the MAC address format in the calling-station-id attribute sent by the RADIUS server is not the default format used on the device, run the radius-server authorization calling-station-id decode-mac-format command to change the MAC address format on the device.

When a device connects to multiple RADIUS servers, the RADIUS servers may send MAC addresses in different formats in the calling-station-id attribute to the device. You need to run the radius-server authorization attribute-decode-sameastemplate command to configure the device to parse the RADIUS authorization packet attributes based on the configuration in RADIUS server template, so that the device can work with these RADIUS servers.
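A decoder for each of the formats in the parameter table above, plus a check of why one global parse mode fails when several servers encode the attribute differently and how the per-template override described for radius-server authorization attribute-decode-sameastemplate resolves it. This is an added example, not Huawei code: decode_calling_station_id, matching_formats and decode_with_template_priority are constructed names, and the sample MAC address, attribute strings and server addresses are constructed test data. Treating a format with neither common nor compress as common is an assumption of this example.

```python
"""Decode Calling-Station-Id (Type 31) MAC addresses in the formats
selectable with radius-server authorization calling-station-id
decode-mac-format. Added example, not Huawei code.
"""
import re

HEX = "[0-9a-fA-F]"
SEPARATORS = {"dot-split": r"\.", "hyphen-split": "-"}
FORMATS = [
    "bin",
    "ascii unformatted",
    "ascii dot-split common",
    "ascii dot-split compress",
    "ascii hyphen-split common",
    "ascii hyphen-split compress",
]


def decode_calling_station_id(value: bytes, fmt: str) -> bytes:
    """Return the 6-octet MAC address encoded in `value` under `fmt`.

      bin                         six raw octets
      ascii unformatted           xxxxxxxxxxxx
      ascii dot-split common      xx.xx.xx.xx.xx.xx
      ascii dot-split compress    xxxx.xxxx.xxxx
      ascii hyphen-split common   xx-xx-xx-xx-xx-xx
      ascii hyphen-split compress xxxx-xxxx-xxxx
    ValueError means the value does not match the configured format: the
    parse failure the text describes when device and server disagree.
    """
    if fmt == "bin":
        if len(value) != 6:
            raise ValueError(f"binary MAC must be 6 octets, got {len(value)}")
        return bytes(value)

    parts = fmt.split()
    if len(parts) < 2 or parts[0] != "ascii":
        raise ValueError(f"unknown format {fmt!r}")
    text = value.decode("ascii")  # UnicodeDecodeError is a ValueError subclass
    if parts[1] == "unformatted":
        pattern = f"{HEX}{{12}}"
    else:
        sep = SEPARATORS.get(parts[1])
        if sep is None:
            raise ValueError(f"unknown separator keyword {parts[1]!r}")
        style = parts[2] if len(parts) > 2 else "common"  # assumption: common by default
        if style == "common":
            pattern = f"{HEX}{{2}}(?:{sep}{HEX}{{2}}){{5}}"
        elif style == "compress":
            pattern = f"{HEX}{{4}}(?:{sep}{HEX}{{4}}){{2}}"
        else:
            raise ValueError(f"unknown style {style!r}")
    if re.fullmatch(pattern, text) is None:
        raise ValueError(f"{text!r} does not match format {fmt!r}")
    return bytes.fromhex(re.sub(r"[.-]", "", text))


def matching_formats(value: bytes) -> list:
    """All formats under which `value` decodes. Each sample value below
    matches exactly one format, which is why a single global setting cannot
    serve servers that send the attribute differently."""
    matched = []
    for fmt in FORMATS:
        try:
            decode_calling_station_id(value, fmt)
        except ValueError:
            continue
        matched.append(fmt)
    return matched


def decode_with_template_priority(value: bytes, server: str,
                                  template_formats: dict, global_format: str) -> bytes:
    """Model of attribute-decode-sameastemplate: the format configured in the
    server's RADIUS template takes priority over the global setting; a server
    without a template entry falls back to the global format."""
    return decode_calling_station_id(value, template_formats.get(server, global_format))


# Constructed sample data: one MAC address as three servers might send it.
MAC = bytes.fromhex("001a2b3c4d5e")
SAMPLES = {
    "10.0.0.1": b"001a2b3c4d5e",        # unformatted (the device default)
    "10.0.0.2": b"001a.2b3c.4d5e",      # dot-split compress
    "10.0.0.3": b"00-1A-2B-3C-4D-5E",   # hyphen-split common
}
TEMPLATE_FORMATS = {
    "10.0.0.2": "ascii dot-split compress",
    "10.0.0.3": "ascii hyphen-split common",
}

if __name__ == "__main__":
    for server, value in SAMPLES.items():
        print(server, matching_formats(value),
              decode_with_template_priority(value, server, TEMPLATE_FORMATS,
                                            "ascii unformatted").hex())
```

With the default global format only 10.0.0.1 would decode; the per-template table lets all three servers be handled, which is the situation the usage scenario describes.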

Precautions

The configuration in a RADIUS server template has a higher priority than the global configuration.

Example

# Set the MAC address format that the device parses from the calling-station-id attribute to binary.

<HUAWEI> system-view
[HUAWEI] radius-server authorization calling-station-id decode-mac-format bin

radius-server dead-detect-condition by-server-ip

Function

The radius-server dead-detect-condition by-server-ip command configures keepalive detection for RADIUS servers based on the RADIUS server IP address.

The undo radius-server dead-detect-condition by-server-ip command restores the default setting.

By default, keepalive detection is performed only for the RADIUS authentication server.

Format

radius-server dead-detect-condition by-server-ip

undo radius-server dead-detect-condition by-server-ip

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device periodically sends authentication request packets to the RADIUS server in Down state. If the RADIUS server responds, the device sets the RADIUS authentication server status to Up. The device does not perform keepalive detection for RADIUS accounting servers in Down state. Instead, the device sets the RADIUS accounting server status to Up only when the server recovery time expires.

To allow the device to promptly detect the status of RADIUS accounting servers that are in Down state, run the radius-server dead-detect-condition by-server-ip command. After the command is executed, the device performs keepalive detection on RADIUS servers based on the RADIUS server IP address, so that the status of RADIUS accounting server is associated with the status of authentication server.

Precautions

After the radius-server dead-detect-condition by-server-ip command is executed, run the radius-server testuser command to configure automatic user detection.

When detecting the Down states of RADIUS authentication and accounting servers, the device counts the numbers of authentication and accounting request packets separately. After the radius-server dead-detect-condition by-server-ip command is executed, if the authentication and accounting servers sharing the same IP address are in the same VPN instance, the device accumulates the number of authentication and accounting packets sent by the servers. In addition, the status of RADIUS authentication server with the same IP address in the same VPN instance is updated.

Example

# Configure keepalive detection for RADIUS server based on RADIUS server IP address.

<HUAWEI> system-view
[HUAWEI] radius-server dead-detect-condition by-server-ip

radius-server dead-interval dead-count

Function

The radius-server dead-interval dead-count command configures the RADIUS server detection interval and maximum number of consecutive unacknowledged packets in each detection interval.

The undo radius-server dead-interval dead-count command restores the default settings.

By default, the RADIUS server detection interval is 5 seconds and the maximum number of consecutive unacknowledged packets in each detection interval is 2.

Format

radius-server { dead-interval dead-interval | dead-count dead-count }

undo radius-server { dead-interval | dead-count }

Parameters

Parameter Description Value
dead-interval Specifies the RADIUS server detection interval. The value is an integer that ranges from 1 to 300, in seconds.
dead-count Specifies the maximum number of consecutive unacknowledged packets in each detection interval. The value is an integer that ranges from 1 to 65535.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the system starts, the RADIUS server status detection timer runs and the device sets the RADIUS server status to Up. When the device sends a RADIUS request packet to the RADIUS server, if the conditions for setting the RADIUS server status to Down are met, the device sets the RADIUS server status to Down; otherwise, the RADIUS server status remains Up.

If multiple RADIUS servers are configured, some servers are Up and the other servers are Down, and the device receives an authentication request packet from a user, the device retransmits the packet to a RADIUS server in Up status based on the server priority and detects the actual status of the server. The following describes the process in which a device detects the status of a RADIUS server.
  1. If the device receives no response packet from the RADIUS server and the number of times that the device receives no response packet after sending an authentication request packet is greater than or equal to the maximum number of consecutive unacknowledged packets within the detection interval, the device records a communication interruption.
  2. If the device records two consecutive communication interruptions with one RADIUS server, the device considers that the RADIUS server is unavailable and the condition for the device to set the status of the RADIUS server to Down is met.
    NOTE:
    If the first connection attempt fails but the second one succeeds, the device deletes the recorded communication interruption with the RADIUS server.
  3. When sending an authentication request packet to the RADIUS server again, the device sets the server status to Down. If a response packet is received from the server, the device restores the server status to Up. If no response packet is received from the server and the number of retransmission times is not reached, the device sends an authentication request packet to the server again. If the server still does not respond, the device no longer sends any authentication request packet to the server.
If the device sets the status of all servers that are originally set to Up to Down after the device completes the server status detection based on the preceding detection process or these servers do not respond to the authentication request packets sent from the device, the device sends an authentication request packet to a RADIUS server that is originally set to be Down based on the server priority to detect the server status. (In the original mechanism, the device does not send authentication request packets to the RADIUS servers that are originally set to be Down.)
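The detection steps above, as a small simulation that can be stepped through with concrete timestamps. This is an added example, not Huawei code: it follows the documented rules (dead-count unanswered requests within one dead-interval record a communication interruption, two consecutive interruptions set the server Down, a response clears the recorded interruption and restores Up). The text does not say how the device aligns its detection windows, so starting a window at the first unanswered request is an assumption of this model, as are the class and function names.

```python
"""Simplified model of RADIUS server Up/Down detection driven by
dead-interval and dead-count. Added example, not Huawei code.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ServerDetector:
    dead_interval: float = 5.0   # seconds; default from the text
    dead_count: int = 2          # default from the text
    status: str = "Up"           # state after system start
    interruptions: int = 0       # consecutive communication interruptions
    window_start: Optional[float] = field(default=None, init=False)
    unacked: int = field(default=0, init=False)

    def request_timed_out(self, now: float) -> str:
        """Record a request that got no response at time `now`."""
        if self.window_start is None or now - self.window_start > self.dead_interval:
            # Assumption: a detection window opens at the first unanswered
            # request; counts outside the window do not carry over.
            self.window_start = now
            self.unacked = 0
        self.unacked += 1
        if self.unacked >= self.dead_count:
            # Step 1: dead-count unanswered packets within one interval
            self.interruptions += 1
            self.window_start = None
            self.unacked = 0
            if self.interruptions >= 2:
                # Step 2: two consecutive interruptions -> Down
                self.status = "Down"
        return self.status

    def response_received(self, now: float) -> str:
        """A response clears any recorded interruption (the NOTE) and, for a
        server already Down, restores it to Up (step 3)."""
        self.interruptions = 0
        self.window_start = None
        self.unacked = 0
        self.status = "Up"
        return self.status


def simulate(events: List[Tuple[float, str]],
             dead_interval: float = 5.0, dead_count: int = 2) -> Tuple[str, List[str]]:
    """events: (time, "timeout" | "response") in time order.
    Returns the final status and the status after each event."""
    det = ServerDetector(dead_interval, dead_count)
    trace = []
    for when, kind in events:
        if kind == "timeout":
            trace.append(det.request_timed_out(when))
        elif kind == "response":
            trace.append(det.response_received(when))
        else:
            raise ValueError(f"unknown event {kind!r}")
    return det.status, trace


if __name__ == "__main__":
    # Constructed traces: four straight timeouts; a response in between.
    print(simulate([(0, "timeout"), (1, "timeout"), (2, "timeout"), (3, "timeout")]))
    print(simulate([(0, "timeout"), (1, "timeout"), (2, "response"),
                    (3, "timeout"), (4, "timeout")]))
```

The first trace reaches Down on the fourth unanswered request (two interruptions of two packets each); the second stays Up because the response between them wipes the first interruption, which is the behaviour the NOTE describes.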

Precautions

  • If the device has reported a RADIUS server Up alarm and needs to report a RADIUS server Down alarm, the device will send the Down alarm 10 seconds after the Up alarm is sent, even if the RADIUS server Down detection interval is shorter than 10 seconds (for example, the value of dead-interval is set to 4 seconds, and the RADIUS server Down detection interval is 8 seconds). This function prevents frequent alarm sending.

  • To rapidly detect whether the RADIUS server goes Down, when there are a small number of users, smaller values are recommended for the detection interval and maximum number.

  • If a user terminal is authenticated using a client and more than one server is deployed on the live network, the authentication request packet is retransmitted to each server upon timeout. If a server is faulty and the timeout period of the client software is shorter than the total timeout period of the servers, the client repeatedly redials and cannot access the network. In addition, if the RADIUS server escape function is configured, the total timeout period of the servers must be shorter than the timeout period of the client software, so that the escape rights can be properly configured for the user.

    Therefore, run the radius-server retransmit timeout dead-time and radius-server dead-interval dead-count commands to ensure that users can properly access the network or are configured with proper escape rights. For example, the response timeout period of the RADIUS server is within 4 seconds and the timeout period of the 802.1X client is more than 18 seconds. The recommended configurations in the active/standby mode are as follows:
    • When a server is configured:
      • Run the radius-server dead-interval 5 and radius-server dead-count 1 commands in the system view.

      • Run the radius-server retransmit 3 timeout 5 command in the RADIUS server template view.
    • When two servers are configured:
      • Run the radius-server dead-interval 2 and radius-server dead-count 1 commands in the system view.

      • Run the radius-server retransmit 3 timeout 2 command in the RADIUS server template view.
    • When three servers are configured:
      • Run the radius-server dead-interval 1 and radius-server dead-count 1 commands in the system view.

      • Run the radius-server retransmit 5 timeout 1 command in the RADIUS server template view.

Example

# Set the RADIUS server detection interval to 10 seconds and maximum number of consecutive unacknowledged packets in each detection interval to 2.

<HUAWEI> system-view
[HUAWEI] radius-server dead-interval 10
[HUAWEI] radius-server dead-count 2

radius-server detect-server interval

Function

The radius-server detect-server interval command configures an automatic detection interval for RADIUS servers.

The undo radius-server detect-server interval command restores the default settings.

The default automatic detection interval is 60 seconds.

Format

radius-server detect-server interval interval

undo radius-server detect-server interval

Parameters

Parameter Description Value
interval Specifies the automatic detection interval for RADIUS servers. The value is an integer that ranges from 5 to 3600, in seconds.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

After the automatic detection function is enabled using the radius-server testuser command, you can run the radius-server detect-server interval command to adjust the automatic detection interval for RADIUS servers.

Example

# Set the automatic detection interval for RADIUS servers to 100 seconds in the RADIUS server template acs.

<HUAWEI> system-view
[HUAWEI] radius-server template acs
[HUAWEI-radius-acs] radius-server detect-server interval 100

radius-server format-attribute

Function

The radius-server format-attribute command configures the format of the NAS-Port attribute.

The undo radius-server format-attribute command deletes the configured attribute format.

By default, the format of the NAS-Port attribute is new.

Format

radius-server format-attribute nas-port nas-port-string

undo radius-server format-attribute nas-port

Parameters

Parameter

Description

Value

nas-port nas-port-string

Specifies the format of the NAS-Port attribute.
  • The keywords s, t, p, o, and i stand for slot, subslot, port, out-vlan (QinQ VLAN)/VPI, and vlan (user VLAN)/VCI respectively. The keywords n and z are used as padding: n indicates 1 and z indicates 0.
  • The keywords s, t, p, o, and i must be followed by numbers in the range from 1 to 32. Each of the keywords s, t, p, o, and i can be present in the format string only once.
  • The keywords s, t, p, o, i, n, and z must range from 1 to 9.
  • n and z can be present multiple times at any position and are followed by numbers. For example, n12 indicates that this position is filled by twelve 1s, and z12 indicates that this position is filled by twelve 0s.
  • The character string must describe 32 bits in total.
  • The format string must start with s, t, p, o, i, n, or z and end with a number.
  • If no VLAN exists, you can add n or z before o or i to indicate whether this position is filled by 1s or 0s. That is, in this case n and z can be followed by numbers or by o/i, and the numbers must range from 1 to 32.
  • To specify the format string, determine the interface type, and then determine the encapsulation type of the interface. If the format string does not contain o or i, the NAS-Port attribute does not contain the QinQ VLAN or user VLAN field. If the format string contains o or i but no outer VLAN exists, the outer VLAN field is filled by 0s. If n is added before o or i, this field is filled by 1s when no outer VLAN or inner VLAN exists.

The value is a string of 1 to 32 characters.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

The NAS port format determines how the physical port information is encoded. The RADIUS server can use this information to process services, such as binding a user name to a port. This attribute is developed by Huawei and is used to ensure connectivity and service cooperation among Huawei devices.

If the radius-server nas-port-format command sets the format of the NAS-Port attribute to new (the default format is new), the device will check whether the radius-server format-attribute nas-port command configuration exists. If yes, the device will assemble the NAS-Port attribute in the format configured by the radius-server format-attribute nas-port command. If no, the device will assemble the NAS-Port attribute in the new format. If the radius-server nas-port-format command sets the format of the NAS-Port attribute to old, the device will assemble the NAS-Port attribute in the old format, regardless of whether the radius-server format-attribute nas-port command configuration exists.

Example

# Configure the format of the NAS-Port attribute as s2t2p6no10ni12. That is, the NAS-Port attribute consists of a 2-bit slot field, a 2-bit subslot field, a 6-bit port field, a 10-bit outer VLAN field, and a 12-bit inner VLAN field. If the outer VLAN does not exist, its field is filled by ten 1s; if the inner VLAN does not exist, its field is filled by twelve 1s. The NAS-Port attribute therefore always contains 32 bits.

<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server format-attribute nas-port s2t2p6no10ni12

radius-server hw-ap-info-format include-ap-ip

Function

The radius-server hw-ap-info-format include-ap-ip command configures the AP's IP address carried in Huawei extended attribute HW-AP-Information.

The undo radius-server hw-ap-info-format command restores the default setting.

By default, Huawei extended attribute HW-AP-Information does not carry AP's IP address.

NOTE:

This function is supported only by S5720HI.

Format

radius-server hw-ap-info-format include-ap-ip

undo radius-server hw-ap-info-format

Parameters

None

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

RADIUS is a fully extensible protocol. Device vendors can extend the No. 26 attribute defined in the protocol to implement functions not supported by standard RADIUS attributes. Huawei defines the No. 141 sub-attribute (HW-AP-Information) in the No. 26 attribute to carry AP information, including the MAC and IP addresses of an AP. The HW-AP-Information attribute is carried in the authentication or accounting request packets sent by a device, so that the RADIUS server can use the AP's MAC and IP addresses as filter criteria when selecting the policy template to deliver.

When an AP's IP address is carried in the HW-AP-Information attribute, the encapsulation format of the attribute is AP-MAC AP-IP.

Example

# Configure the AP's IP address in Huawei extended attribute HW-AP-Information.

<HUAWEI> system-view
[HUAWEI] radius-server template huawei
[HUAWEI-radius-huawei] radius-server hw-ap-info-format include-ap-ip

radius-server hw-dhcp-option-format

Function

The radius-server hw-dhcp-option-format command sets the format of the Huawei extended attribute HW-DHCP-Option.

The undo radius-server hw-dhcp-option-format command restores the default setting.

By default, the format of HW-DHCP-Option is old.

Format

radius-server hw-dhcp-option-format { new | old }

undo radius-server hw-dhcp-option-format

Parameters

Parameter

Description

Value

new

Sets the format of Huawei extended attribute HW-DHCP-Option to new.

-

old

Sets the format of Huawei extended attribute HW-DHCP-Option to old.

-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

The RADIUS protocol has good extensibility. Device vendors can extend the No. 26 RADIUS attribute to implement new functions. Huawei defines the No. 158 sub-attribute of the No. 26 attribute to represent a DHCP option; it is encapsulated in Type-Length-Value (TLV) format. The device adds this attribute to authentication request or accounting request packets to send the DHCP option information to the RADIUS server.

To interoperate with different types of RADIUS servers, the device supports two HW-DHCP-Option formats: new and old.
  • new: The Type field of the TLV is 1 byte long. This format applies when the device connects to most types of RADIUS servers.
  • old: The Type field of the TLV is 2 bytes long. This format applies when the device connects to special RADIUS servers, for example, a Huawei RADIUS server.

Example

# Set the format of Huawei extended attribute HW-DHCP-Option to new.

<HUAWEI> system-view
[HUAWEI] radius-server template huawei
[HUAWEI-radius-huawei] radius-server hw-dhcp-option-format new
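
The difference between the two formats is easiest to see in bytes. The following Python is an added example and not Huawei code: it builds the HW-DHCP-Option sub-attribute in both layouts and shows how a server configured for the other layout misreads the Type field. The page states only that the Type field is 1 byte (new) or 2 bytes (old); the 1-byte Length field of the inner TLV, the RFC 2865 vendor-specific attribute wrapper (Type 26, Length, Vendor-Id 2011, Vendor-Type, Vendor-Length), and the DHCP option 60 sample value are assumptions of this example.

```python
# Added example, not Huawei code: encode/decode the HW-DHCP-Option sub-attribute
# in the "new" (1-byte Type) and "old" (2-byte Type) layouts.
# Assumptions: the inner TLV uses a 1-byte Length; the outer wrapper is the
# usual RFC 2865 Vendor-Specific attribute (Type 26, Length, Vendor-Id,
# Vendor-Type, Vendor-Length, data).
from typing import Tuple

VENDOR_ID_HUAWEI = 2011   # IANA enterprise number used in Huawei RADIUS VSAs
VSA_TYPE = 26             # Vendor-Specific attribute
HW_DHCP_OPTION = 158      # sub-attribute number given in the command reference


def type_width(fmt: str) -> int:
    """Width of the TLV Type field for the configured format."""
    if fmt == "new":
        return 1
    if fmt == "old":
        return 2
    raise ValueError("fmt must be 'new' or 'old'")


def encode_dhcp_option(opt_code: int, value: bytes, fmt: str) -> bytes:
    """Inner TLV: Type (1 or 2 bytes) + Length (1 byte, assumed) + Value."""
    if len(value) > 255:
        raise ValueError("DHCP option value too long for a 1-byte Length")
    return opt_code.to_bytes(type_width(fmt), "big") + bytes([len(value)]) + value


def decode_dhcp_option(data: bytes, fmt: str) -> Tuple[int, bytes]:
    """Parse the inner TLV the way a server configured for `fmt` would."""
    width = type_width(fmt)
    if len(data) < width + 1:
        raise ValueError("truncated TLV")
    opt_code = int.from_bytes(data[:width], "big")
    length = data[width]
    return opt_code, data[width + 1:width + 1 + length]


def build_hw_dhcp_option_vsa(opt_code: int, value: bytes, fmt: str) -> bytes:
    """Wrap the inner TLV in attribute 26 with Huawei sub-attribute 158."""
    payload = encode_dhcp_option(opt_code, value, fmt)
    vendor_part = bytes([HW_DHCP_OPTION, 2 + len(payload)]) + payload
    body = VENDOR_ID_HUAWEI.to_bytes(4, "big") + vendor_part
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the RADIUS attribute length limit")
    return bytes([VSA_TYPE, 2 + len(body)]) + body


if __name__ == "__main__":
    # Constructed sample: DHCP option 60 (vendor class identifier) from a client.
    opt, val = 60, b"MSFT 5.0"
    for fmt in ("new", "old"):
        print(fmt, build_hw_dhcp_option_vsa(opt, val, fmt).hex())
    # A server expecting the old layout reads two bytes of Type from a new-format TLV.
    print(decode_dhcp_option(encode_dhcp_option(opt, val, "new"), "old"))
```

The last line of the demonstration is the practical point of the command: when the device and server disagree on the format, the server reads 0x3c08 instead of option 60 and takes the first byte of the value as the length, so the attribute is silently misinterpreted rather than rejected.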

radius-server nas-identifier-format

Function

The radius-server nas-identifier-format command sets the encapsulation format of the NAS-Identifier attribute.

The undo radius-server nas-identifier-format command restores the default encapsulation format of the NAS-Identifier attribute.

By default, the NAS-Identifier attribute encapsulation format is the user's hostname.

Format

radius-server nas-identifier-format { hostname | vlan-id }

undo radius-server nas-identifier-format

Parameters

Parameter

Description

Value

hostname

Sets the encapsulation format of NAS-Identifier to a user's host name.

-

vlan-id

Sets the encapsulation format of NAS-Identifier to a user's VLAN ID.

-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

A RADIUS server uses the NAS-Identifier attributes to identify NASs. The NASs also use the NAS-Identifier attributes carried in the sent RADIUS packets to identify themselves.

Example

# Set the NAS-Identifier encapsulation format to VLAN ID.

<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server nas-identifier-format vlan-id

radius-server nas-port-format

Function

The radius-server nas-port-format command sets the format of the NAS port attribute.

The undo radius-server nas-port-format command restores the default format of the NAS port attribute.

By default, the new NAS port format is used.

Format

radius-server nas-port-format { new | old }

undo radius-server nas-port-format

Parameters

Parameter

Description

Value

new

Uses the new format of a NAS port. The new format of the NAS port attribute is slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).

-

old

Uses the old format of a NAS port. The old format of the NAS port attribute is slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).

-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The NAS port format determines how the physical port information is encoded. The RADIUS server can use this information to process services, such as binding a user name to a port. This attribute is developed by Huawei and is used to ensure connectivity and service cooperation among Huawei devices.

Precautions

The difference between the two NAS port formats lies in the physical ports connected to Ethernet access users.
  • The new format of the NAS port attribute is slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).
  • The old format of the NAS port attribute is slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).

The format of the NAS port attribute for Asymmetric Digital Subscriber Line (ADSL) access users is slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits). This format is not affected by the command.

Example

# Set the format of the NAS port attribute to new.

<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server nas-port-format new
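
The following Python is an added example, not Huawei code, that packs and unpacks the 32-bit NAS-Port value according to the rules given for radius-server format-attribute nas-port (the s/t/p/o/i/n/z format string) and the new and old layouts described under radius-server nas-port-format. The unpack function is what a RADIUS server administrator would use to recover slot, port and VLAN from the integer when binding a user to a port. NEW_FORMAT and OLD_FORMAT are this example's rendering of the two fixed layouts as format strings, and the slot, port and VLAN values in the demonstration are constructed.

```python
# Added example, not Huawei code: pack/unpack the 32-bit NAS-Port attribute from a
# format string such as s2t2p6no10ni12 (rules from the command reference).
from typing import Dict, List, Optional, Tuple

Field = Tuple[str, int, int]   # (keyword, width in bits, fill bit used when absent)

NEW_FORMAT = "s8t4p8i12"   # assumption: the "new" layout written as a format string
OLD_FORMAT = "s12p8i12"    # assumption: the "old" layout written as a format string


def parse_nas_port_format(fmt: str) -> List[Field]:
    """Parse a format string into ordered fields, applying the documented rules."""
    fields: List[Field] = []
    seen = set()
    i = 0
    while i < len(fmt):
        key = fmt[i]
        i += 1
        fill = 0
        if key in "nz":                        # padding, or a fill prefix for o/i
            fill = 1 if key == "n" else 0
            if i < len(fmt) and fmt[i] in "oi":
                key = fmt[i]                   # e.g. "no10": outer VLAN, 1-filled if absent
                i += 1
            else:
                key = "pad"
        elif key not in "stpoi":
            raise ValueError(f"unexpected character {key!r} in {fmt!r}")
        j = i
        while j < len(fmt) and fmt[j].isdigit():
            j += 1
        if j == i:
            raise ValueError(f"keyword {key!r} must be followed by a width")
        width = int(fmt[i:j])
        i = j
        if not 1 <= width <= 32:
            raise ValueError(f"width {width} is outside 1..32")
        if key != "pad":
            if key in seen:
                raise ValueError(f"keyword {key!r} may appear only once")
            seen.add(key)
        fields.append((key, width, fill))
    if sum(w for _, w, _ in fields) != 32:
        raise ValueError("format string must describe exactly 32 bits")
    return fields


def pack_nas_port(fmt: str, slot: int, subslot: int, port: int,
                  outer_vlan: Optional[int] = None,
                  inner_vlan: Optional[int] = None) -> int:
    """Assemble the NAS-Port integer; an absent VLAN takes its field's fill bits."""
    values = {"s": slot, "t": subslot, "p": port, "o": outer_vlan, "i": inner_vlan}
    result = 0
    for key, width, fill in parse_nas_port_format(fmt):
        src = None if key == "pad" else values[key]
        if src is None:
            chunk = (1 << width) - 1 if fill else 0
        else:
            if not 0 <= src < (1 << width):
                raise ValueError(f"value {src} does not fit in {width}-bit field {key!r}")
            chunk = src
        result = (result << width) | chunk
    return result


def unpack_nas_port(fmt: str, nas_port: int) -> Dict[str, int]:
    """Split a NAS-Port integer into named fields, as a RADIUS server would."""
    out: Dict[str, int] = {}
    remaining = 32
    for key, width, _ in parse_nas_port_format(fmt):
        remaining -= width
        chunk = (nas_port >> remaining) & ((1 << width) - 1)
        if key != "pad":
            out[key] = chunk
    return out


if __name__ == "__main__":
    fmt = "s2t2p6no10ni12"   # format string from the example in the command reference
    v = pack_nas_port(fmt, slot=1, subslot=0, port=5, inner_vlan=100)   # no outer VLAN
    print(f"{fmt}: 0x{v:08x} -> {unpack_nas_port(fmt, v)}")
    print(f"new: 0x{pack_nas_port(NEW_FORMAT, 1, 0, 5, inner_vlan=100):08x}")
    print(f"old: 0x{pack_nas_port(OLD_FORMAT, 1, 0, 5, inner_vlan=100):08x}")
```

With the example format string and no outer VLAN, the 10-bit outer VLAN field comes back as 1023 (all ones), which is how the server recognises that no QinQ VLAN was present; with a plain o10 it would read 0 instead.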

radius-server nas-port-id-format

Function

The radius-server nas-port-id-format command sets the format of the NAS port ID attribute.

The undo radius-server nas-port-id-format command restores the default format of the NAS port ID attribute.

By default, the new format of the NAS port ID attribute is used.

Format

radius-server nas-port-id-format { new | old | vm }

undo radius-server nas-port-id-format

Parameters

Parameter

Description

Value

new

Uses the new format of the NAS port ID.

-

old

Uses the old format of the NAS port ID.

-

vm

Uses the NAS port ID format of the VM.

NOTE:

Only the S5720EI supports this parameter.

-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The NAS port format and the NAS port ID format are developed by Huawei and are used to ensure connectivity and service cooperation among Huawei devices.

Precautions

When new is specified:
  • For Ethernet access users, the NAS port ID format is slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx, in which slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.
  • For ADSL access users, the NAS port ID format is slot=xx; subslot=x; port=x; VPI=xxx; VCI=xxxxx, in which slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from 0 to 65535.
When old is specified:
  • For Ethernet access users, the NAS port ID format is slot number (2 characters) + subslot number (2 bytes) + card number (3 bytes) + VLAN ID (9 characters).
  • For ADSL access users, the NAS port ID format is slot number (2 characters) + subslot number (2 bytes) + card number (3 bytes) + VPI (8 characters) + VCI (16 characters). A field is prefixed with 0s if its actual value contains fewer characters.

Example

# Set the format of the NAS port ID attribute to new.

<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server nas-port-id-format new

radius-server retransmit timeout dead-time

Function

The radius-server retransmit timeout dead-time command sets the number of times that RADIUS request packets are retransmitted, the timeout period, and the interval after which a server reverts to the active status.

The undo radius-server retransmit timeout dead-time command restores the default number of retransmission times, the default timeout period, and the default interval after which a server reverts to the active status.

By default, the number of retransmission times is 3, the timeout period is 5 seconds, and the interval after which a server reverts to the active status is 5 minutes.

Format

radius-server { retransmit retry-times | timeout time-value | dead-time dead-time } *

undo radius-server { retransmit [ retry-times ] | timeout [ time-value ] | dead-time [ dead-time ] } *

Parameters

Parameter

Description

Value

retransmit retry-times

Specifies the number of retransmission times. The value is the total number of times a packet is transmitted.

The value is an integer that ranges from 1 to 5.

timeout time-value

Specifies the timeout period.

The value is an integer that ranges from 1 to 10, in seconds.

dead-time dead-time

Specifies the interval for the server to revert to the active status.

The value is an integer that ranges from 1 to 65535, in minutes.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The retransmission-upon-timeout mechanism applies when a device forwards RADIUS Access-Request packets from users to the server. The overall retransmission time depends on the retransmission interval, the number of retransmission times, the RADIUS server status, and the number of servers configured in the RADIUS server template.

You can configure the number of times that RADIUS request packets are retransmitted and the timeout period using the radius-server retransmit retry-times and radius-server timeout time-value commands, respectively. If a device sends an authentication request packet to the RADIUS server and does not receive any response packet from the server during the timeout period, the device sends an authentication request packet again.

You can run the radius-server dead-time dead-time command to configure the duration for which the RADIUS server status remains Down. After the device sets the RADIUS server status to Down and the interval specified by dead-time expires, the device resets the server status to Force-up. If a new user needs to be authenticated in RADIUS mode and no RADIUS server is available, the device attempts to re-establish a connection with a RADIUS server in Force-up status. The Force-up status is defined to prevent servers in Down status from remaining idle.
NOTE:

If automatic detection for RADIUS servers is configured using the radius-server testuser command, the server status is maintained using the automatic detection function. The interval for the RADIUS server to revert to the active status configured using the radius-server retransmit timeout dead-time command does not take effect.

This command can improve the reliability of RADIUS authentication.

Precautions

  • The request packet retransmission time (number of retransmission times x timeout period) of the RADIUS server must be shorter than the request packet retransmission time of the Portal server.
  • If more than 8 authentication server IP addresses are configured in the RADIUS server template, reduce the number of retransmission times and timeout period.
  • To rapidly detect whether the RADIUS server goes Down, smaller values are recommended for the timeout period and number of retransmission times when there are a small number of users.

Example

# Set the number of retransmission times to 3, the timeout period to 2 seconds, and the interval after which the server reverts to the active status to 10 minutes.

<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server retransmit 3 timeout 2 dead-time 10
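
The timing relationships in this section and in the recommended dead-interval/dead-count settings earlier on the page can be checked before a change is committed. The following Python is an added planning helper, not Huawei code. It assumes a simplified model in which the device tries the configured servers in turn, sending up to retransmit requests to each and waiting timeout seconds for every request, so the worst-case wait before all servers are exhausted is servers x retransmit x timeout; the page only states that the overall time depends on these factors, so treat the model as an assumption. The RECOMMENDED table reproduces the active/standby settings the page gives for one, two and three servers, and the "reduce from the defaults" test for more than 8 servers uses the default product 3 x 5 = 15 seconds as its threshold, which is this example's reading of the guideline.

```python
# Added example, not Huawei code: sanity-check retransmit/timeout settings against
# the client and Portal timeouts before applying them.
# Assumption: worst-case wait = servers x retransmit x timeout (servers are tried
# in turn, each receiving up to `retransmit` requests of `timeout` seconds).
from typing import Dict, List, Tuple

# (retransmit, timeout seconds, dead-interval seconds) per server count, taken from
# the recommendations on this page; dead-count is 1 in every case.
RECOMMENDED: Dict[int, Tuple[int, int, int]] = {1: (3, 5, 5), 2: (3, 2, 2), 3: (5, 1, 1)}
DEFAULT_RETRANSMIT, DEFAULT_TIMEOUT = 3, 5   # documented defaults


def worst_case_wait(servers: int, retransmit: int, timeout: int) -> int:
    """Seconds until every server has been tried and all retransmissions expired."""
    if not 1 <= retransmit <= 5:
        raise ValueError("retransmit must be 1..5")
    if not 1 <= timeout <= 10:
        raise ValueError("timeout must be 1..10 seconds")
    if servers < 1:
        raise ValueError("at least one server is required")
    return servers * retransmit * timeout


def check_plan(servers: int, retransmit: int, timeout: int, client_timeout: int,
               portal_retransmit_time: int = None) -> List[str]:
    """Return guideline violations for a candidate setting; an empty list is acceptable."""
    issues: List[str] = []
    wait = worst_case_wait(servers, retransmit, timeout)
    if wait >= client_timeout:
        issues.append(f"worst-case wait {wait}s is not below the client timeout {client_timeout}s; "
                      "the client gives up before escape rights can apply")
    per_server = retransmit * timeout
    if portal_retransmit_time is not None and per_server >= portal_retransmit_time:
        issues.append(f"RADIUS retransmission time {per_server}s must be shorter than the "
                      f"Portal server's {portal_retransmit_time}s")
    if servers > 8 and per_server >= DEFAULT_RETRANSMIT * DEFAULT_TIMEOUT:
        issues.append("more than 8 authentication servers: reduce retransmit and timeout "
                      "below the defaults")
    return issues


def recommended_plan(servers: int) -> Tuple[int, int, int]:
    """Look up the page's recommended (retransmit, timeout, dead-interval) for a server count."""
    if servers not in RECOMMENDED:
        raise ValueError("the page gives recommendations for 1..3 servers only")
    return RECOMMENDED[servers]


if __name__ == "__main__":
    CLIENT_TIMEOUT = 18   # 802.1X client timeout from the page's example, in seconds
    for n, (r, t, d) in RECOMMENDED.items():
        print(f"{n} server(s): retransmit {r} timeout {t} dead-interval {d} -> "
              f"worst case {worst_case_wait(n, r, t)}s, issues: {check_plan(n, r, t, CLIENT_TIMEOUT)}")
    print("2 servers at defaults:", check_plan(2, DEFAULT_RETRANSMIT, DEFAULT_TIMEOUT, CLIENT_TIMEOUT))
```

Running it shows why the page lowers the timeout as servers are added: two servers at the default 3 x 5 already reach 30 seconds, well past an 18-second client timeout, whereas each recommended pair stays at 12 to 15 seconds.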

radius-server session-manage

Function

The radius-server session-manage command enables session management on the RADIUS server.

The undo radius-server session-manage command disables session management on the RADIUS server.

By default, session management is disabled on the RADIUS server.

Format

radius-server session-manage { ip-address [ vpn-instance vpn-instance-name ] shared-key cipher share-key | any }

undo radius-server session-manage [ ip-address [ vpn-instance vpn-instance-name ] | all ]

NOTE:

The vpn-instance vpn-instance-name command is supported only by the S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI.

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address of the RADIUS session management server.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Specifies the name of the VPN instance bound to the RADIUS session management server.

The value must be the name of an existing VPN instance.

shared-key cipher share-key

Specifies the shared key of the RADIUS session management server.

The value is a string of case-sensitive characters without spaces or question marks. share-key can be a string of 1 to 128 characters in plain text or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in cipher text.

any

Indicates that no RADIUS session management server is specified.

-

all

Deletes all RADIUS session management servers.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To improve device security, run this command to enable session management on the RADIUS server. After this function is enabled, the device checks the source IP addresses and shared keys for the received session management packets. When the source IP addresses and shared keys match the configured values, the packets are processed; otherwise, the packets are discarded.

Precautions

  • This command has been supported since V200R010C00. When a device is upgraded from a version earlier than V200R010C00 to V200R010C00 or a later version, the radius-server session-manage any command is configured by default.
  • When the any parameter is specified, there is a security risk. You are advised to configure the IP address and shared key for a specified RADIUS session management server.

Example

# Enable session management on the RADIUS server, and set the IP address and shared key of the RADIUS session management server to 10.1.1.1 and Huawei@2012 respectively.

<HUAWEI> system-view
[HUAWEI] radius-server session-manage 10.1.1.1 shared-key cipher Huawei@2012

radius-server shared-key (RADIUS server template view)

Function

The radius-server shared-key command configures the shared key of a RADIUS server.

The undo radius-server shared-key command deletes the shared key of a RADIUS server.

By default, no shared key of RADIUS server is configured.

Format

radius-server shared-key cipher key-string

undo radius-server shared-key

Parameters

Parameter

Description

Value

cipher

Indicates the shared key in cipher text.

-

key-string

Specifies the shared key of a RADIUS server.

The value is a case-sensitive character string without spaces, single quotation marks ('), or question marks (?). key-string can be a string of 1-128 characters in plain text or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in cipher text.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The shared key is used to encrypt the password and generate the response authenticator.

When exchanging authentication packets with a RADIUS server, the device uses MD5 to encrypt important data such as the password to ensure security of data transmission over the network. So that each party can validate the other's packets, the device and RADIUS server must be configured with the same shared key.

Precautions

In the versions earlier than V200R010C00SPC300, the default RADIUS shared key is huawei. The key is not displayed in command output.

In V200R010C00SPC300 and later versions, there is no default RADIUS shared key.

If the default shared key is used in a version earlier than V200R010C00SPC300, the radius-server shared-key huawei command is automatically executed to set the shared key to huawei after the version is upgraded to V200R010C00SPC300 or later.

Example

# Set the shared key of a RADIUS server to Huawei@2012 in cipher text.

<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server shared-key cipher Huawei@2012

radius-server shared-key (system view)

Function

The radius-server shared-key command configures the shared key of a RADIUS server.

The undo radius-server shared-key command deletes the shared key of a RADIUS server.

By default, no global shared key is configured for the RADIUS server.

Format

radius-server ip-address { ipv4-address | ipv6-address } shared-key cipher key-string

undo radius-server ip-address { ipv4-address | ipv6-address } shared-key

Parameters

Parameter

Description

Value

ip-address { ipv4-address | ipv6-address }

Specifies the IPv4 or IPv6 address of the RADIUS server.

  • ipv4-address: The value is in dotted decimal notation.

  • ipv6-address: The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

cipher key-string

Specifies the shared key in cipher text.

The value is a case-sensitive character string without spaces, single quotation marks ('), or question marks (?). key-string can be a string of 1-128 characters in plain text or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in cipher text.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The shared key is used to encrypt the password and generate the response authenticator.

When exchanging authentication packets with a RADIUS server, the device uses MD5 to encrypt important data such as the password to ensure security of data transmission over the network. So that each party can validate the other's packets, the device and RADIUS server must be configured with the same shared key.

You can run the radius-server shared-key (RADIUS server template view) command in the RADIUS server template view to configure the shared keys. However, after this command is run, all RADIUS servers in the template use the same shared key. To configure different shared keys for RADIUS servers, run the radius-server shared-key command in the system view.

Precautions

To improve security, it is recommended that the shared key contain at least two of the following character types: lower-case letters, upper-case letters, numerals, and special characters, and that it be at least 6 characters long.

When the shared keys are configured in both the RADIUS server template and system view, the configuration in the system view takes effect.

Example

# Set the shared key for RADIUS server to Huawei@2012.

<HUAWEI> system-view
[HUAWEI] radius-server ip-address 10.1.1.1 shared-key cipher Huawei@2012
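
Both radius-server shared-key commands state that the shared key is used to encrypt the password and to generate the response authenticator. The following Python is an added example, not Huawei code, that implements the two standard operations from RFC 2865 that those statements refer to: User-Password hiding (section 5.2) and the Response Authenticator (section 3), together with the check a NAS performs on a reply. The shared key value is the one used in the page's examples, and the Request Authenticator and user password are constructed for the demonstration.

```python
# Added example, not Huawei code: the two places the RADIUS shared key is used,
# implemented per RFC 2865. Values below are constructed for the demonstration.
import hashlib
import hmac
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)          # 20-byte header plus attributes
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_response(code: int, identifier: int, attributes: bytes, request_auth: bytes,
                    received_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: a reply whose authenticator was not built with the same key is dropped."""
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)


if __name__ == "__main__":
    secret = b"Huawei@2012"               # shared key from the page's examples
    request_auth = os.urandom(16)         # fresh per request, as RFC 2865 requires
    hidden = hide_password(b"user-password", secret, request_auth)
    print("hidden User-Password:", hidden.hex())
    print("server recovers:", reveal_password(hidden, secret, request_auth))
    # Access-Accept (code 2), identifier 7, no attributes, built by the server.
    auth = response_authenticator(2, 7, b"", request_auth, secret)
    print("NAS with same key accepts:", verify_response(2, 7, b"", request_auth, auth, secret))
    print("NAS with old default key accepts:", verify_response(2, 7, b"", request_auth, auth, b"huawei"))
```

Two properties follow directly from the code and explain the precautions in these sections. The password is protected only by MD5 of the shared key and a 16-byte Request Authenticator, so a short or default key such as huawei (the pre-V200R010C00SPC300 default) gives an on-path observer an easy offline target; the key-complexity advice above is what makes this construction hold up. And the Response Authenticator is the only thing that ties an Access-Accept to the server that holds the key, which is why a mismatch between device and server keys surfaces as authentication failures rather than as a configuration error.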

radius-server template

Function

The radius-server template command creates a RADIUS server template and displays the RADIUS server template view.

The undo radius-server template command deletes a RADIUS server template.

By default, the device contains the RADIUS server template default. The template can be modified, but cannot be deleted.

Format

radius-server template template-name

undo radius-server template template-name

Parameters

Parameter

Description

Value

template-name

Specifies the name of a RADIUS server template.

The value is a string of 1 to 32 case-sensitive characters, including letters, numerals (0 to 9), periods (.), underscores (_), and hyphens (-). The value cannot be - or --.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Creating a RADIUS server template is the prerequisite for configuring RADIUS authentication and accounting. You can perform RADIUS configurations, such as the configuration of authentication servers, accounting servers, and shared key only after a RADIUS server template is created.

Follow-up Procedure

Configure an authentication server, an accounting server, and shared key in the RADIUS server template view, and then run the radius-server (aaa domain view) command to apply the RADIUS server template.

Example

# Create a RADIUS server template template1 and enter the RADIUS server template view.

<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] 

radius-server testuser

Function

The radius-server testuser command enables the automatic detection function and configures an automatic detection account.

The undo radius-server testuser command restores the default settings.

By default, the automatic detection function is disabled.

Format

radius-server testuser username user-name password cipher password

undo radius-server testuser

Parameters

Parameter

Description

Value

username user-name

Specifies a user name used for automatic detection.

The value is a string of 1 to 253 case-sensitive characters. If the user name contains spaces, you must enclose the name with double quotation marks ("), for example, "user for test".

password cipher password

Specifies the user password for automatic detection.

The value is a case-sensitive string of 1 to 128 characters without spaces or question marks. If it is in cipher text, the password is a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

After the RADIUS server status is set to Down, you can configure the automatic detection function to test the RADIUS server reachability.

After automatic detection is configured, the device periodically detects the RADIUS servers in Down status. You can set the automatic detection interval using the radius-server detect-server interval command.

For the automatic status detection function, only the automatic detection user name and password need to be configured in the RADIUS server template on the device; the automatic detection account does not need to exist on the RADIUS server, and authentication does not have to succeed. If the device receives an authentication failure response, the RADIUS server is working properly and the device sets the RADIUS server status to Up. If the device receives no response, the RADIUS server is unavailable and the device sets the RADIUS server status to Down.

Example

# Create a user account with the user name test and password Huawei@2012 in RADIUS server template acs.

<HUAWEI> system-view
[HUAWEI] radius-server template acs
[HUAWEI-radius-acs] radius-server testuser username test password cipher Huawei@2012

radius-server traffic-unit

Function

The radius-server traffic-unit command sets the traffic unit used by a RADIUS server.

The undo radius-server traffic-unit command restores the default traffic unit used by a RADIUS server.

The default RADIUS traffic unit is byte on the device.

Format

radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

undo radius-server traffic-unit

Parameters

Parameter

Description

Value

byte

Indicates that the traffic unit is byte.

-

kbyte

Indicates that the traffic unit is kilobyte.

-

mbyte

Indicates that the traffic unit is megabyte.

-

gbyte

Indicates that the traffic unit is gigabyte.

-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Different RADIUS servers may use different traffic units. Therefore, set the traffic unit for each RADIUS server template on the device so that it matches the unit used by the RADIUS server.

Example

# Set the traffic unit used by a RADIUS server to kilobyte.

<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server traffic-unit kbyte

radius-server user-name domain-included

Function

The radius-server user-name domain-included command configures the device to encapsulate the domain name in the user name in RADIUS packets to be sent to a RADIUS server.

The radius-server user-name original command configures the device not to modify the user name entered by the user in the packets sent to the RADIUS server.

The undo radius-server user-name domain-included command configures the device not to encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS server.

The undo radius-server user-name domain-included except-eap command configures the device not to encapsulate the domain name in the user name when sending packets to a RADIUS server (applicable to other authentication modes except EAP authentication).

By default, the device does not modify the user name entered by the user in the packets sent to the RADIUS server.

Format

radius-server user-name domain-included

radius-server user-name original

undo radius-server user-name domain-included

undo radius-server user-name domain-included except-eap

Parameters

None

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The format of a user name is user name@domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %.

If the RADIUS server does not accept the user name with the domain name, run the undo radius-server user-name domain-included command to delete the domain name from the user name.

Precautions

If the user names in the RADIUS packets sent from the device to RADIUS server contain domain names, ensure that the total length of a user name (user name + domain name delimiter + domain name) is not longer than 253 characters; otherwise, the user name cannot be contained in RADIUS packets. As a result, authentication will fail.

Example

# Configure the device not to encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS server.

<HUAWEI> system-view
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] undo radius-server user-name domain-included

reset radius-server accounting-stop-packet

Function

The reset radius-server accounting-stop-packet command clears statistics on the remaining buffer information of RADIUS accounting-stop packets.

Format

reset radius-server accounting-stop-packet { all | ip { ipv4-address | ipv6-address } }

Parameters

Parameter

Description

Value

all

Clears statistics on the remaining buffer information of RADIUS accounting-stop packets.

-

ip ipv4-address

Clears statistics on the remaining buffer information of RADIUS accounting-stop packets with the specified IPv4 address.

The value of ipv4-address is in dotted decimal notation.

ip ipv6-address

Clears statistics on the remaining buffer information of RADIUS accounting-stop packets with the specified IPv6 address.

The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

Views

User view

Default Level

3: Management level

Usage Guidelines

This command can clear statistics on the remaining buffer information of RADIUS accounting-stop packets. The deleted statistics cannot be restored.

Example

# Clear statistics on the remaining buffer information of all RADIUS accounting-stop packets.

<HUAWEI> reset radius-server accounting-stop-packet all

snmp-agent trap enable feature-name radius

Function

The snmp-agent trap enable feature-name radius command enables the trap function for the RDS module.

The undo snmp-agent trap enable feature-name radius command disables the trap function for the RDS module.

By default, the trap function is disabled for the RDS module.

Format

snmp-agent trap enable feature-name radius [ trap-name { hwradiusacctserverdown | hwradiusacctserverup | hwradiusauthserverdown | hwradiusauthserverup } ]

undo snmp-agent trap enable feature-name radius [ trap-name { hwradiusacctserverdown | hwradiusacctserverup | hwradiusauthserverdown | hwradiusauthserverup } ]

Parameters

Parameter

Description

Value

trap-name

Enables or disables the trap function for a specified event of the RDS module.

-

hwradiusacctserverdown

Enables the device to send a Huawei proprietary trap when it detects that communication with the RADIUS accounting server is interrupted.

-

hwradiusacctserverup

Enables the device to send a Huawei proprietary trap when it detects that communication with the RADIUS accounting server is restored.

-

hwradiusauthserverdown

Enables the device to send a Huawei proprietary trap when it detects that communication with the RADIUS authentication server is interrupted.

-

hwradiusauthserverup

Enables the device to send a Huawei proprietary trap when it detects that communication with the RADIUS authentication server is restored.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

After the trap function is enabled, the device generates traps during operation and sends them to the NMS through the SNMP module. If the trap function is disabled, the device does not generate traps and the SNMP module sends none to the NMS.

You can specify trap-name to enable the trap function for one or more events; without trap-name, the command enables all the listed traps of the RDS module. The server-down traps are the NMS-side signal that the device has lost its authentication or accounting server, so enable at least those in production.

Example

# Enable the trap function for hwradiusacctserverdown of the RDS module.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name radius trap-name hwradiusacctserverdown

test-aaa

Function

The test-aaa command tests the connectivity between the device and the authentication server or accounting server, and tests whether a user can be authenticated by the authentication server and whether the accounting server can account for the user.

Format

test-aaa user-name user-password radius-template template-name [ chap | pap | accounting [ start | realtime | stop ] ]

Parameters

Parameter

Description

Value

user-name

Specifies a user name.

The value is a string of 1 to 253 case-insensitive characters. When the user name contains spaces, you must put the string in double quotation marks ("").

user-password

Specifies a user password.

The value is a string of 1 to 128 case-sensitive characters.

radius-template template-name

Specifies the name of a RADIUS server template.

The RADIUS server template must already exist.

chap

Indicates Challenge Handshake Authentication Protocol (CHAP) authentication.

The NAS device generates a 16-byte random challenge and a CHAP ID. The user side (for test-aaa, the device itself, using the supplied password) computes MD5(ID + password + challenge), and the NAS sends the user name, the CHAP ID followed by this 16-byte response (CHAP-Password attribute), and the challenge (CHAP-Challenge attribute, or the Request Authenticator field when the challenge is 16 bytes) to the RADIUS server. The RADIUS server looks up the password stored for that user name, computes the same MD5 digest over the ID, stored password and challenge, and compares it with the received response. If they are the same, the user is authenticated; if they are different, authentication fails. The password itself is never sent, but the server must hold it in cleartext or reversible form.

-

pap

Indicates Password Authentication Protocol (PAP) authentication.

The NAS device places the user name in the User-Name attribute and the password, hidden by XOR with an MD5 key stream derived from the RADIUS shared secret and the Request Authenticator (RFC 2865), in the User-Password attribute of the Access-Request, and sends the packet to the RADIUS server. The NAS device decides whether to allow the user online based on the result returned by the RADIUS server. Because the hiding is reversible, anyone who holds the shared secret and captures the packet can recover the password.

-

accounting

Indicates accounting. By default, an accounting-start packet is sent.

-

start

Indicates that the sent packet is an accounting-start packet.

-

realtime

Indicates that the sent packet is a real-time accounting packet.

-

stop

Indicates that the sent packet is an accounting-stop packet.

-

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a user fails to be authenticated or accounting for the user fails, run the test-aaa command on the device to locate the fault.

  • If the test succeeds (the user is authenticated or accounting succeeds), the RADIUS server template, the server and the path to it are working, so the fault lies on the access side (the access authentication or accounting configuration applied to the user).
  • If the test fails (the user is not authenticated or accounting fails), the fault lies in RADIUS authentication or accounting itself (the template, the server configuration, or connectivity to the server).

Prerequisites

A RADIUS server template has been created, an authentication server or accounting server has been specified in it, and the authentication server or accounting server itself has been configured.

Follow-up Procedure

If the test result indicates that the authentication server fails to authenticate the user or the accounting server fails to account for the user, check whether the configuration of the RADIUS server template and of the authentication or accounting server (address, port, shared secret) is correct, and check the connectivity between the device and the server.

Precautions

chap and pap are the two authentication modes; use the one the RADIUS server is configured to accept for this user.
  • PAP: The NAS device sends the user name and the password in the Access-Request. The password is only hidden with the shared secret and the Request Authenticator, so anyone who holds the shared secret and captures the packet can recover it. The NAS device allows or denies the user based on the result returned by the RADIUS server.
  • CHAP: The NAS device sends the user name, a 16-byte random challenge, and MD5(ID + password + challenge) instead of the password itself. The RADIUS server recomputes the digest from the password it stores for that user name and compares the two values: if they are the same, the user is authenticated; otherwise authentication fails. This requires the server to store the password in cleartext or reversible form.

The password is typed in cleartext on the command line, so use a dedicated test account rather than the credentials of a production user.

Before running the test-aaa command, you only need to create a RADIUS server template and specify an authentication server or accounting server in the RADIUS server template.
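The PAP and CHAP exchanges described above, together with the 253-character User-Name limit noted under radius-server user-name domain-included, as an added example that is not part of this command reference and not Huawei's code. It follows RFC 2865 (User-Password hiding, CHAP-Password and CHAP-Challenge attributes) and RFC 1994 (CHAP response); the user name, domain, password, shared secret and challenge values are constructed for the example, and the function names are the example's own.

```python
# Added example (not Huawei code): how a NAS encodes the credentials that
# "test-aaa ... pap" and "test-aaa ... chap" carry in a RADIUS Access-Request,
# and how the RADIUS server checks them. Assumes RFC 2865 and RFC 1994.
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# The attribute Length octet counts Type and Length too, so a value is at
# most 255 - 2 = 253 bytes. This is the origin of the 253-character limit on
# "user name + delimiter + domain name".
MAX_ATTR_VALUE_LEN = 253

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60
CODE_ACCESS_REQUEST = 1


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value(n)."""
    if len(value) > MAX_ATTR_VALUE_LEN:
        raise ValueError(f"attribute {attr_type}: value is {len(value)} bytes, "
                         f"RADIUS allows at most {MAX_ATTR_VALUE_LEN}")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def user_name_fits(user: str, domain: Optional[str] = None, delimiter: str = "@") -> bool:
    """The check the precaution asks for: does user@domain fit in User-Name?"""
    name = user if domain is None else f"{user}{delimiter}{domain}"
    return len(name.encode()) <= MAX_ATTR_VALUE_LEN


def user_name_attr(user: str, domain: Optional[str] = None, delimiter: str = "@") -> bytes:
    """User-Name with the domain appended (domain-included) or without it (undo)."""
    name = user if domain is None else f"{user}{delimiter}{domain}"
    return encode_attr(ATTR_USER_NAME, name.encode())


def pap_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), the first block using the
    Request Authenticator. Reversible by anyone who holds the secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of PAP (or an attacker with the secret): undo the hiding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(ID || password || challenge). The password never leaves the NAS."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_password_attr(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: 1-byte CHAP ID followed by the 16-byte response."""
    return encode_attr(ATTR_CHAP_PASSWORD,
                       bytes([chap_id]) + chap_response(chap_id, password, challenge))


def server_verify_chap(chap_password_value: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side of CHAP: recompute from the stored cleartext password and
    compare in constant time. A salted one-way hash in the user database
    would make this impossible, which is why CHAP needs a reversible store."""
    if len(chap_password_value) != 17:
        return False
    chap_id, received = chap_password_value[0], chap_password_value[1:]
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), received)


def build_access_request(identifier: int, request_auth: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def demo_pap_and_chap(user: str = "user1", domain: str = "huawei", password: bytes = b"userkey",
                      secret: bytes = b"shared-secret") -> dict:
    """Build one PAP and one CHAP Access-Request for a constructed test user
    and return what the server concludes from each."""
    request_auth = secrets.token_bytes(16)
    hidden = pap_hide_password(password, secret, request_auth)
    pap = build_access_request(1, request_auth,
                               user_name_attr(user, domain) + encode_attr(ATTR_USER_PASSWORD, hidden))
    # A 16-byte challenge may instead ride in the Request Authenticator; here
    # it is sent explicitly as CHAP-Challenge so the packet is self-describing.
    challenge = secrets.token_bytes(16)
    chap_attr = chap_password_attr(1, password, challenge)
    chap = build_access_request(2, request_auth,
                                user_name_attr(user, domain) + chap_attr
                                + encode_attr(ATTR_CHAP_CHALLENGE, challenge))
    return {"pap_len": len(pap), "chap_len": len(chap),
            "pap_password_recovered": pap_reveal_password(hidden, secret, request_auth) == password,
            "chap_verified": server_verify_chap(chap_attr[2:], challenge, password)}
```

The PAP path shows why the shared secret is the whole protection for the password on the wire, and the CHAP path shows that the server, not the NAS, needs the cleartext password; `user_name_fits` and the ValueError from `encode_attr` are the concrete form of the 253-character precaution.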

Example

# Test whether the user user1 can be authenticated using CHAP authentication in the RADIUS server template huawei. In this example the template has not been created yet, so the command reports an error instead of a test result.

<HUAWEI> test-aaa user1 userkey radius-template huawei chap
Info: The server template does not exist.
Updated: 2019-04-18

Document ID: EDOC1000178165
