CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.

Example for Configuring RADIUS Authentication and Accounting

Networking Requirements

As shown in Figure 1-29, users belong to the domain huawei. Router functions as the network access server on the destination network, providing access to users only after they are remotely authenticated by the server. The remote authentication on Router is described as follows:

  • The RADIUS server will authenticate access users for Router. If RADIUS authentication fails, local authentication is used.

  • The RADIUS servers at 10.7.66.66/24 and 10.7.66.67/24 function as the primary and secondary authentication and accounting servers, respectively. The default authentication port and accounting port are 1812 and 1813, respectively.

Figure 1-29  Networking diagram of RADIUS authentication and accounting

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a RADIUS server template.
  2. Configure an authentication scheme and an accounting scheme.
  3. Apply the RADIUS server template, authentication scheme, and accounting scheme to a domain.
NOTE:
  • Ensure that the devices are routable before the configuration.
  • Ensure that the shared key in the RADIUS server template is the same as the setting on the RADIUS server.
  • If the RADIUS server does not accept user names that contain the domain name, run the undo radius-server user-name domain-included command in the RADIUS server template view so that the device sends user names without the domain name to the RADIUS server.
  • After a domain is set as the global default domain, users whose user names carry this domain name and users whose user names carry no domain name both use the AAA configuration in the global default domain.
  • After the undo radius-server user-name domain-included command is run, the device changes only the user name format in the sent packet; the domain to which the user belongs is not affected. For example, after this command is run, the user with the user name user@huawei.com still uses the AAA configuration in the domain named huawei.com.
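The two rules in the NOTE above are easy to confuse, because one concerns which domain's AAA configuration applies and the other only concerns what the RADIUS server sees in User-Name. The following Python is an added example, not code from the Huawei document or device: it models a NAS applying both rules to a login name. The DomainPolicy model, the function names and the "@" delimiter are assumptions made for this illustration.

```python
# Added example (not part of the Huawei document): how a NAS applies the two
# rules in the NOTE above when a user logs in. Resolving the AAA domain and
# formatting the RADIUS User-Name are separate steps, which is why
# "undo radius-server user-name domain-included" changes the packet but not
# the domain. The function names and the DomainPolicy model are assumptions
# made for this illustration, not the device's implementation.

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DomainPolicy:
    default_domain: str        # global default domain, e.g. "domain huawei"
    domain_included: bool      # True unless "undo ... domain-included" is run
    delimiter: str = "@"       # assumption: "@" separates user and domain


def split_user_name(raw: str, delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """Split "user@domain" into (user, domain); domain is None if absent."""
    if delimiter in raw:
        user, _, domain = raw.rpartition(delimiter)
        return user, domain
    return raw, None


def resolve(raw: str, policy: DomainPolicy) -> Tuple[str, str]:
    """Return (aaa_domain, radius_user_name) for a login name.

    aaa_domain is the domain whose authentication and accounting schemes
    apply; radius_user_name is the User-Name attribute sent to the server.
    """
    user, domain = split_user_name(raw, policy.delimiter)

    # Rule 1: a user name with no domain part uses the global default domain;
    # a user name that carries a domain uses that domain.
    aaa_domain = domain if domain is not None else policy.default_domain

    # Rule 2: domain-included only affects the packet. With it disabled the
    # server sees the bare user name, yet aaa_domain above is unchanged.
    # Assumption: with it enabled the name is forwarded exactly as entered.
    radius_user_name = raw if policy.domain_included else user
    return aaa_domain, radius_user_name


if __name__ == "__main__":
    stripped = DomainPolicy(default_domain="huawei", domain_included=False)
    for name in ("user1", "user1@huawei", "user@huawei.com"):
        print(name, "->", resolve(name, stripped))
```

With domain-included disabled, user@huawei.com is authenticated as "user" on the server while still being bound to the schemes of domain huawei.com on the device, which is exactly the behaviour the last bullet of the NOTE describes.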

Procedure

  1. Configure a RADIUS server template.

    # Configure a RADIUS template named shiva.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] radius-server template shiva

    # Set the IP address and port numbers for the primary RADIUS authentication and accounting server.

    [Router-radius-shiva] radius-server authentication 10.7.66.66 1812 weight 80
    [Router-radius-shiva] radius-server accounting 10.7.66.66 1813 weight 80

    # Set the IP address and port numbers for the secondary RADIUS authentication and accounting server.

    [Router-radius-shiva] radius-server authentication 10.7.66.67 1812 weight 40
    [Router-radius-shiva] radius-server accounting 10.7.66.67 1813 weight 40

    # Set the shared key and retransmission count for the RADIUS server, and configure the device not to encapsulate the domain name in the user name when sending RADIUS packets to the RADIUS server.

    [Router-radius-shiva] radius-server shared-key cipher Huawei@2012
    [Router-radius-shiva] radius-server retransmit 2
    [Router-radius-shiva] undo radius-server user-name domain-included
    [Router-radius-shiva] quit

  2. Configure authentication and accounting schemes.

    # Create an authentication scheme named auth. Configure the authentication scheme to use RADIUS authentication as the active authentication mode and local authentication as the backup.

    [Router] aaa
    [Router-aaa] authentication-scheme auth
    [Router-aaa-authen-auth] authentication-mode radius local
    [Router-aaa-authen-auth] quit

    # Create an accounting scheme named abc, and configure the accounting scheme to use the RADIUS accounting mode. Configure a policy for the device to keep users online upon accounting-start failures.

    [Router-aaa] accounting-scheme abc
    [Router-aaa-accounting-abc] accounting-mode radius
    [Router-aaa-accounting-abc] accounting start-fail online
    [Router-aaa-accounting-abc] quit

  3. Create a domain named huawei, and apply the authentication scheme auth, accounting scheme abc, and RADIUS server template shiva to the domain.

    [Router-aaa] domain huawei
    [Router-aaa-domain-huawei] authentication-scheme auth
    [Router-aaa-domain-huawei] accounting-scheme abc
    [Router-aaa-domain-huawei] radius-server shiva
    [Router-aaa-domain-huawei] quit
    [Router-aaa] quit
    

  4. Set the domain huawei to the global default domain.

    [Router] domain huawei
    [Router] domain huawei admin

  5. Configure local authentication.

    [Router] aaa
    [Router-aaa] local-user user1 password irreversible-cipher Huawei@123
    [Router-aaa] local-user user1 service-type http
    [Router-aaa] local-user user1 privilege level 15
    [Router-aaa] quit
    

  6. Verify the configuration.

    # Run the display radius-server configuration template template-name command on Router to verify the RADIUS server template configuration.

    [Router] display radius-server configuration template shiva
      ------------------------------------------------------------------------------
      Server-template-name          :  shiva
      Protocol-version              :  standard
      Traffic-unit                  :  B
      Shared-secret-key             :  %^%#z3#CA>MtbD=>A]Ts;au$;&I!<sN~"B!++2S8'--;%^%#
      Group-filter                  :  class 
      Timeout-interval(in second)   :  5
      Retransmission                :  2
      EndPacketSendTime             :  3 
      Dead time(in minute)          :  5
      Domain-included               :  NO
      NAS-IP-Address                :  - 
      Calling-station-id MAC-format :  xxxx-xxxx-xxxx
      Called-station-id MAC-format  :  XX-XX-XX-XX-XX-XX
      NAS-Port-ID format            :  New 
      Service-type                  :  - 
      NAS-IPv6-Address              :  ::
      Server algorithm              :  master-backup 
      Detect-interval(in second)    :  60 
      Authentication Server 1       :  10.7.66.66     Port:1812  Weight:80  [UP]
                                       Vrf:- LoopBack:NULL Vlanif:NULL
                                       Source IP: ::
      Authentication Server 2       :  10.7.66.67     Port:1812  Weight:40  [UP]
                                       Vrf:- LoopBack:NULL Vlanif:NULL
                                       Source IP: ::
      Accounting Server     1       :  10.7.66.66     Port:1813  Weight:80  [UP]
                                       Vrf:- LoopBack:NULL Vlanif:NULL
                                       Source IP: ::
      Accounting Server     2       :  10.7.66.67     Port:1813  Weight:40  [UP]
                                       Vrf:- LoopBack:NULL Vlanif:NULL
                                       Source IP: ::
      ------------------------------------------------------------------------------ 
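The display output above reports the template's shared key only in cipher form, and the NOTE insists it must equal the server's setting. The reason is that the secret never travels on the wire: both ends use it to hide User-Password and to compute the Response Authenticator, so a mismatch makes every server reply fail verification on the device. The following Python is an added example, not code from the Huawei document or device: it builds an Access-Request and checks an Access-Accept following RFC 2865. The secret, user credentials, packet identifier and Request Authenticator are constructed values.

```python
# Added example (not part of the Huawei document): why the shared key in the
# RADIUS server template must match the server's setting. It builds an
# Access-Request as described in RFC 2865, hides User-Password with the shared
# secret, and checks the Response Authenticator of the server's reply; with a
# different secret on either side the check fails and the user is rejected.
# The secret, credentials, packet identifier and Request Authenticator below
# are constructed values (a real NAS draws the authenticator from os.urandom).

import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous block), seeding with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(ident: int, user: str, password: str,
                         secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: Access-Request with User-Name and hidden User-Password."""
    attrs = attribute(ATTR_USER_NAME, user.encode())
    attrs += attribute(ATTR_USER_PASSWORD,
                       hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: the reply is bound to the request with the server's secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the authenticator with the template's secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[HEADER_LEN:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def demo() -> tuple:
    """Return (reply accepted with matching key, reply accepted with mismatched key)."""
    nas_secret = b"Huawei@2012"          # value from the template above
    request_auth = bytes(range(16))      # constructed; use os.urandom(16) in practice
    request = build_access_request(7, "user1", "Huawei@123", nas_secret, request_auth)
    ident = request[1]
    # Server configured with the same key: its Access-Accept verifies.
    good = build_response(ACCESS_ACCEPT, ident, b"", request_auth, nas_secret)
    # Server configured with a different key: same packet shape, check fails.
    bad = build_response(ACCESS_ACCEPT, ident, b"", request_auth, b"Huawei@2013")
    return (verify_response(good, request_auth, nas_secret),
            verify_response(bad, request_auth, nas_secret))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A device that rejects the reply in the mismatched case behaves as if the server were unreachable, which is why a key mismatch on this example's network shows up as RADIUS failures followed by local-authentication fallback rather than as an explicit error from the server.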

Configuration Files

Router configuration file

#
 sysname Router
#
domain huawei
domain huawei admin
# 
radius-server template shiva
 radius-server shared-key cipher %^%#z3#CA>MtbD=>A]Ts;au$;&I!<sN~"B!++2S8'--;%^%#
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server authentication 10.7.66.67 1812 weight 40
 radius-server accounting 10.7.66.66 1813 weight 80
 radius-server accounting 10.7.66.67 1813 weight 40
 radius-server retransmit 2
 undo radius-server user-name domain-included
#
aaa
 authentication-scheme auth
  authentication-mode radius local
 accounting-scheme abc
  accounting-mode radius
  accounting start-fail online
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius-server shiva
 local-user user1 password irreversible-cipher 
 local-user user1 privilege level 15
 local-user user1 service-type http
#
return
Updated: 2019-05-20

Document ID: EDOC1100034077