CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
RADIUS AAA

Overview of RADIUS

AAA can be implemented using multiple protocols; RADIUS is the one most frequently used in practice.

RADIUS is a protocol that uses the client/server model in distributed mode and protects a network from unauthorized access. It is often used on networks that require high security and control remote user access. It defines the UDP-based RADIUS packet format and transmission mechanism, and specifies UDP ports 1812 and 1813 as the default authentication and accounting ports respectively.

Originally, RADIUS was an AAA protocol used only for dial-up users. As user access modes diversified (for example, Ethernet access), RADIUS was extended to these access modes as well. RADIUS provides the access service through authentication and authorization, and records the network resource usage of users through accounting.

RADIUS has the following characteristics:

  • Client/Server model

  • Secure message exchange mechanism

  • Fine scalability

Client/Server Model
  • RADIUS client

    RADIUS clients run on the NAS to transmit user information to a specified RADIUS server and process requests (for example, permit or reject user access requests) based on the responses from the server. RADIUS clients can be located at any node on a network.

    As a RADIUS client, a device supports:

    • standard RADIUS protocol and its extensions, including RFC 2865 and RFC 2866

    • Huawei extended RADIUS attributes

    • RADIUS server status detection

    • retransmission of Accounting-Request(Stop) packets in the local buffer

    • active/standby and load balancing functions between RADIUS servers

  • RADIUS server

    RADIUS servers typically run on central computers and workstations to maintain user authentication and network service access information. The servers receive connection requests from users, authenticate the users, and send all required information (such as permitting or rejecting authentication requests) to the clients. A RADIUS server generally needs to maintain three databases, as shown in Figure 1-5.

    Figure 1-5  Databases maintained by a RADIUS server

    • Users: This database stores user information such as user names, passwords, protocols, and IP addresses.
    • Clients: This database stores RADIUS client information, such as the shared keys and IP addresses.
    • Dictionary: This database stores the attributes in the RADIUS protocol and their value descriptions.
Secure Message Exchange Mechanism

Authentication messages between a RADIUS server and RADIUS clients are exchanged using a shared key. The shared key is a character string that is transmitted in out-of-band mode, is known to both clients and the server, and does not need to be transmitted independently on the network.

A RADIUS packet has a 16-octet Authenticator field that contains the digital signature data of the whole packet. The signature data is calculated using the MD5 algorithm and shared key. The RADIUS packet receiver needs to verify whether the signature is correct and discards the packet if the signature is incorrect.

This mechanism improves security of message exchange between RADIUS clients and the RADIUS server. In addition, user passwords contained in RADIUS packets are encrypted using shared keys before the packets are transmitted to prevent the user passwords from being stolen during transmission on an insecure network.

Fine Scalability

A RADIUS packet consists of a packet header and a certain number of attributes. The protocol implementation remains unchanged even if new attributes are added to a RADIUS packet.

RADIUS Packets

RADIUS Packet Format

RADIUS is based on the UDP protocol. Figure 1-6 shows the RADIUS packet format.

Figure 1-6  RADIUS packet format

Each RADIUS packet contains the following information:
  • Code: The Code field is one octet and identifies the type of a RADIUS packet. Its value depends on the packet type. For example, the value 1 indicates an Access-Request packet and the value 2 indicates an Access-Accept packet.
  • Identifier: The Identifier field is one octet. It helps the RADIUS server match requests with responses and detect duplicate requests retransmitted within a certain period. After a client sends a request packet, the server sends a reply packet carrying the same Identifier value as the request packet.
  • Length: The Length field is two octets and specifies the length of the RADIUS packet. Octets outside the range of the Length field must be treated as padding and ignored on reception. If a packet is shorter than the Length field, it must be silently discarded.
  • Authenticator: The Authenticator field is 16 octets. This value is used to authenticate the reply from the RADIUS server and is used in the password hiding algorithm.
  • Attribute: This field is variable in length. RADIUS attributes carry the specific authentication, authorization, and accounting information and configuration details for the request and reply packets. The Attribute field may contain multiple attributes, each of which consists of Type, Length, and Value. For details, see RADIUS Attributes.

    • Type: The Type field is one octet and indicates the RADIUS attribute ID. The value ranges from 1 to 255.
    • Length: The Length field is one octet and indicates the length of the RADIUS attribute in octets, including the Type, Length, and Value fields.
    • Value: The Value field is at most 253 octets long and contains information specific to the RADIUS attribute. The format and length of the Value field are determined by the Type and Length fields.
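The following is an added example, not code from the Huawei guide, that encodes and decodes the packet layout described above (20-octet header, Type/Length/Value attributes), applies the RFC 2865 User-Password hiding that uses the Authenticator and the shared key, and verifies the Response Authenticator on a reply. The shared key, user name and password are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes named on the page: 1 = Access-Request, 2 = Access-Accept (3 = Access-Reject)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2   # IETF attribute types (RFC 2865)
HEADER_LEN = 20       # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_PACKET_LEN = 4096


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: NUL-pad to a multiple of 16 octets, then XOR
    each block with MD5(secret + previous block); the first "previous block" is the
    Request Authenticator, so the same password looks different in every request."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attribute = Type(1) | Length(1, counts Type+Length+Value) | Value(<= 253)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(data):
    """Decode header and attributes with the receive-side rules the page states:
    a datagram shorter than Length is discarded, octets beyond Length are padding."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 20-octet header: discard")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > MAX_PACKET_LEN:
        raise ValueError("invalid Length field: discard")
    if len(data) < length:
        raise ValueError("datagram shorter than Length field: discard")
    authenticator = data[4:HEADER_LEN]
    attrs, pos = [], HEADER_LEN
    while pos < length:                      # anything past `length` is ignored
        if length - pos < 2:
            raise ValueError("truncated attribute header: discard")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("invalid attribute Length: discard")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(data, request_auth, secret):
    """Client-side check of a reply: a wrong shared key or a tampered attribute fails."""
    _, _, auth, _ = parse_packet(data)
    length = struct.unpack("!H", data[2:4])[0]
    expected = hashlib.md5(data[:4] + request_auth + data[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(auth, expected)


def exchange(password=b"s3cret", stored=b"s3cret", secret=b"constructed-shared-key"):
    """One Access-Request / reply round trip with both roles in-process (constructed data)."""
    request_auth = os.urandom(16)                      # fresh per request
    request = build_packet(ACCESS_REQUEST, 7, request_auth, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    # server side: recover the password, compare with the stored one, sign the reply
    code, ident, auth, attrs = parse_packet(request)
    got = reveal_password(dict(attrs)[ATTR_USER_PASSWORD], secret, auth)
    reply_code = ACCESS_ACCEPT if (code == ACCESS_REQUEST and got == stored) else ACCESS_REJECT
    reply = build_packet(reply_code, ident,
                         response_authenticator(reply_code, ident, auth, [], secret), [])
    # client side: verify the reply before acting on it
    return verify_response(reply, request_auth, secret), reply_code
```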
RADIUS Packet Type

RADIUS defines 16 types of packets. Table 1-5 describes the authentication packet types, and Table 1-6 describes the accounting packet types. For RADIUS CoA/DM packets, see RADIUS CoA/DM.

Table 1-5  RADIUS authentication packet

  • Access-Request: An Access-Request packet is sent from a client to a RADIUS server and is the first packet transmitted in a RADIUS packet exchange. It conveys the information (such as the user name and password) used to determine whether a user is allowed access to a specific NAS and any special services requested for that user.

  • Access-Accept: After a RADIUS server receives an Access-Request packet, it must send an Access-Accept packet if all attribute values in the Access-Request packet are acceptable (authentication success). The user is allowed access to the requested services only after the RADIUS client receives this packet.

  • Access-Reject: After a RADIUS server receives an Access-Request packet, it must send an Access-Reject packet if any of the attribute values are not acceptable (authentication failure).

  • Access-Challenge: During EAP relay authentication, when a RADIUS server receives an Access-Request packet carrying the user name from a client, it generates a random MD5 challenge and sends it to the client in an Access-Challenge packet. The client encrypts the user password using the MD5 challenge and sends the encrypted password to the RADIUS server in an Access-Request packet. The RADIUS server compares the encrypted password received from the client with the locally encrypted password. If they are the same, the server determines that the user is valid.

Table 1-6  RADIUS accounting packet

  • Accounting-Request(Start): If a RADIUS client uses RADIUS accounting, the client sends this packet to a RADIUS server before accessing network resources.

  • Accounting-Response(Start): The RADIUS server must send an Accounting-Response(Start) packet after it successfully receives and records an Accounting-Request(Start) packet.

  • Accounting-Request(Interim-update): You can configure the real-time accounting function on a RADIUS client to prevent the RADIUS server from continuing user accounting if it fails to receive the Accounting-Request(Stop) packet. The client then periodically sends Accounting-Request(Interim-update) packets to the server, reducing accounting deviation.

  • Accounting-Response(Interim-update): The RADIUS server must send an Accounting-Response(Interim-update) packet after it successfully receives and records an Accounting-Request(Interim-update) packet.

  • Accounting-Request(Stop): When a user goes offline proactively or is forcibly disconnected by the NAS, the RADIUS client sends this packet carrying the network resource usage information (including the online duration and number of incoming/outgoing bytes) to the RADIUS server, requesting the server to stop accounting.

  • Accounting-Response(Stop): The RADIUS server must send an Accounting-Response(Stop) packet after receiving an Accounting-Request(Stop) packet.

RADIUS Authentication, Authorization, and Accounting Process

A device that functions as a RADIUS client collects user information, including the user name and password, and sends the information to the RADIUS server. The RADIUS server then authenticates users according to the information, after which it performs authorization and accounting for the users. Figure 1-7 shows the information exchange process between a user, a RADIUS client, and a RADIUS server.

Figure 1-7  RADIUS authentication, authorization, and accounting process

  1. A user needs to access a network and sends a connection request containing the user name and password to the RADIUS client (device).
  2. The RADIUS client sends a RADIUS Access-Request packet containing the user name and password to the RADIUS server.
  3. The RADIUS server verifies the user identity:

    • If the user identity is valid, the RADIUS server returns an Access-Accept packet to the RADIUS client to permit further operations of the user. The Access-Accept packet contains authorization information because RADIUS provides both authentication and authorization functions.
    • If the user identity is invalid, the RADIUS server returns an Access-Reject packet to the RADIUS client to reject access from the user.
  4. The RADIUS client notifies the user of whether authentication is successful.
  5. The RADIUS client permits or rejects the user access request according to the authentication result. If the access request is permitted, the RADIUS client sends an Accounting-Request (Start) packet to the RADIUS server.
  6. The RADIUS server sends an Accounting-Response (Start) packet to the RADIUS client and starts accounting.
  7. The user starts to access network resources.
  8. (Optional) If interim accounting is enabled, the RADIUS client periodically sends an Accounting-Request (Interim-update) packet to the RADIUS server, preventing incorrect accounting results caused by unexpected user disconnection.
  9. (Optional) The RADIUS server returns an Accounting-Response (Interim-update) packet and performs interim accounting.
  10. The user sends a logout request.
  11. The RADIUS client sends an Accounting-Request (Stop) packet to the RADIUS server.
  12. The RADIUS server sends an Accounting-Response (Stop) packet to the RADIUS client and stops accounting.
  13. The RADIUS client notifies the user of the processing result, and the user stops accessing network resources.

RADIUS Packet Retransmission Mechanism

When a user is authenticated, a device sends an Access-Request packet to the RADIUS server. To ensure that the device can still receive a response packet from the server when a network fault or delay occurs, a retransmission-upon-timeout mechanism is used. The number of retransmissions and the retransmission interval are controlled using timers.

As shown in Figure 1-8, 802.1X authentication and client-initiated authentication are used as an example. After receiving an EAP packet (EAP-Response/Identity) containing the user name of the client, the device encapsulates the packet into a RADIUS Access-Request packet and sends the packet to the RADIUS server. The retransmission timer is enabled at the same time. The retransmission timer is composed of the retransmission interval and retransmission times. If the device does not receive any response packet from the RADIUS server when the retransmission interval expires, it sends a RADIUS Access-Request packet again.

Figure 1-8  RADIUS authentication packet retransmission flowchart
The device stops packet retransmission if any of the following conditions is met:
  • The device receives a response packet from the RADIUS server. It then stops packet retransmission and marks the RADIUS server status as Up.
  • The device detects that the RADIUS server status is Down. After the device marks the RADIUS server status as Down:
    • If the number of retransmitted packets has reached the upper limit, the device stops packet retransmission and keeps the RADIUS server status as Down.
    • If the number of retransmitted packets has not reached the upper limit, the device retransmits the Access-Request packet once more to the RADIUS server. If the device receives a response packet from the server, it stops packet retransmission and restores the RADIUS server status to Up. Otherwise, it stops packet retransmission anyway and keeps the RADIUS server status as Down.
  • The number of retransmitted packets has reached the upper limit. The device then stops packet retransmission and performs the following:
    • If the device receives a response packet from the RADIUS server, it marks the RADIUS server status as Up.
    • If the device has detected that the RADIUS server status is Down, it marks the server status as Down.
    • If the device receives no response packet from the RADIUS server and does not detect that the server status is Down, the device does not change the server status, even though the server has in fact not responded.
      NOTE:

      The device does not necessarily mark a server that does not respond as Down. The device marks the server status as Down only if the corresponding conditions are met.

For the RADIUS server status introduction and conditions for a device to mark the server status as Down, see RADIUS Server Status Detection.

RADIUS packet retransmission discussed here applies only to a single server. If multiple servers are configured in a RADIUS server template, the overall retransmission period depends on the retransmission interval, retransmission times, RADIUS server status, number of servers, and algorithm for selecting the servers.

You can set the timers using the following commands:

  • radius-server retransmit retry-times: Specifies the number of retransmissions. The default value is 3.
  • radius-server timeout time-value: Specifies the retransmission interval. The default value is 5 seconds.

RADIUS Server Selection Mechanism

Typically, multiple RADIUS servers are deployed on a large-scale enterprise network so that user access is not disrupted if one server is faulty. In addition, load balancing between these servers prevents the resources of a single server from being exhausted when a large number of users access the network. If multiple servers are configured in a RADIUS server template and the device needs to send a packet to a server, the device selects the RADIUS server using one of the following algorithms, depending on the configured command:
  • RADIUS server primary/secondary algorithm (default)
  • RADIUS server load balancing algorithm

In addition, the algorithm for selecting a RADIUS server can be applied per user or per packet. With the user-based algorithm, the device records which authentication server was used in the authentication phase and, if that server is also an accounting server, preferentially sends the accounting request to it in the accounting phase. With the packet-based algorithm, the device does not record the authentication server, and the accounting server is reselected in the accounting phase, so authentication and accounting for a user may be performed on different servers.

RADIUS Server Primary/Secondary Algorithm

The primary and secondary roles are determined by the weights configured for the RADIUS authentication servers or RADIUS accounting servers. The server with the largest weight is the primary server. If the weight values are the same, the earliest configured server is the primary server. As shown in Figure 1-9, the device preferentially sends an authentication or accounting packet to the primary server among all servers in Up status. If the primary server does not respond, the device then sends the packet to the secondary server.

Figure 1-9  Diagram for the RADIUS server primary/secondary algorithm
RADIUS Server Load Balancing Algorithm

If this algorithm is used and a device sends an authentication or accounting packet to a server, the device selects a server based on the weights configured for the RADIUS authentication servers or RADIUS accounting servers. As shown in Figure 1-10, RADIUS server1 is in Up status with a weight of 80, and RADIUS server2 is also in Up status with a weight of 20. The probability that the device sends the packet to RADIUS server1 is 80% [80/(80 + 20)], and that for RADIUS server2 is 20% [20/(80 + 20)].

Figure 1-10  Diagram for the RADIUS server load balancing algorithm

Regardless of which algorithm is used, if none of the servers in Up status responds to a packet sent by the device, the device retransmits the packet, based on server weight, to a server whose status was originally marked as Down (to which the device has not yet sent any authentication or accounting packets). If the device receives no response in the current authentication mode, the backup authentication mode is used, for example, local authentication. The backup authentication mode must already be configured in the authentication scheme; otherwise, the authentication process ends.
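The following is an added example, not code from the Huawei guide, that models the two selection algorithms described above: primary/secondary ordering by weight with the earliest-configured server winning ties, weighted load balancing with the 80/20 split from Figure 1-10, and the fallback to servers marked Down when no Up server responds. Server names and weights are constructed; the assumption that the load-balancing algorithm draws again among the remaining Up servers after a non-responding pick is mine, not stated on the page.

```python
import random
from dataclasses import dataclass


@dataclass
class RadiusServer:
    name: str
    weight: int
    order: int            # configuration order: 0 = configured first
    status: str = "Up"    # "Up", "Down" or "Force-up" as marked by the device


def primary_secondary_order(servers):
    """Default algorithm: the largest weight is the primary server; equal weights
    fall back to the earliest configured server. Only Up servers are candidates."""
    up = [s for s in servers if s.status == "Up"]
    return sorted(up, key=lambda s: (-s.weight, s.order))


def load_balance_order(servers, rng):
    """Load balancing: the first pick is drawn with probability weight/sum(weights)
    over the Up servers. Assumed: after a non-responding pick the device draws again
    among the remaining Up servers (the page does not describe this step)."""
    remaining = [s for s in servers if s.status == "Up"]
    order = []
    while remaining:
        weights = [s.weight for s in remaining]
        pick = rng.choices(remaining, weights=weights)[0] if sum(weights) else remaining[0]
        order.append(pick)
        remaining.remove(pick)
    return order


def load_balance_share(servers, trials=10000, seed=1):
    """Empirical share of first picks per server, to check the weight split."""
    rng = random.Random(seed)
    counts = {s.name: 0 for s in servers}
    for _ in range(trials):
        counts[load_balance_order(servers, rng)[0].name] += 1
    return {name: n / trials for name, n in counts.items()}


def send_with_fallback(servers, send, algorithm="primary-secondary", rng=None):
    """Try Up servers in the order the chosen algorithm gives; if none responds, try
    the servers marked Down ordered by weight; return the responding server, or None,
    which means the device must fall back to the backup authentication mode."""
    rng = rng or random.Random()
    if algorithm == "primary-secondary":
        candidates = primary_secondary_order(servers)
    else:
        candidates = load_balance_order(servers, rng)
    not_up = sorted((s for s in servers if s.status != "Up"),
                    key=lambda s: (-s.weight, s.order))
    for server in candidates + not_up:
        if send(server):           # send() returns True when the server responded
            return server
    return None


# Constructed template: two Up servers with the 80/20 weights of Figure 1-10 and a
# third server that the device has already marked Down.
SERVERS = [RadiusServer("server1", 80, 0),
           RadiusServer("server2", 20, 1),
           RadiusServer("server3", 80, 2, status="Down")]
```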

RADIUS Server Status Detection

Availability and maintainability of a RADIUS server are the prerequisites of user access authentication. If a device cannot communicate with the RADIUS server, the server cannot perform authentication or authorization for users. To resolve this issue, the device supports the user escape function upon transition of the RADIUS server status to Down. To be specific, if the RADIUS server goes Down, users cannot be authorized by the server but still have certain network access rights.

The user escape function upon transition of the RADIUS server status to Down can be enabled only after the device marks the RADIUS server status as Down. If the RADIUS server status is not marked as Down and the device cannot communicate with the RADIUS server, users cannot be authorized by the server and the escape function is also unavailable. As a result, users have no network access rights. Therefore, the device must be capable of detecting the RADIUS server status in a timely manner. If the device detects that the RADIUS server status transitions to Down, users can obtain escape rights; if the device detects that the RADIUS server status reverts to Up, escape rights are removed from the users and the users are reauthenticated.

RADIUS Server Status

A device can mark the RADIUS server status as Up, Down, or Force-up. The three statuses, whether the server is considered available, and the conditions for switching to each status are as follows:

  • Up: The RADIUS server is available. The device marks the status as Up in the following cases:
    • The device initially marks the RADIUS server status as Up.
    • The device marks the RADIUS server status as Up if it receives packets from the server.
  • Down: The RADIUS server is unavailable. The device marks the status as Down when the conditions for marking the RADIUS server status as Down are met.
  • Force-up: When no RADIUS server is available, the device selects a RADIUS server in Force-up status. The device marks the status as Force-up when the timer specified by dead-time expires.

The RADIUS server status is initially marked as Up. After a RADIUS Access-Request packet is sent and the conditions for marking the RADIUS server status as Down are met, the RADIUS server status transitions to Down. The RADIUS Access-Request packet that triggers the server status transition can be sent during user authentication or constructed by the administrator. For example, it can be a test packet sent when the test-aaa command is run or a detection packet sent during automatic detection.

The device changes the RADIUS server status from Down to Up or to Force-up in the following scenarios:
  • Down to Force-up: The timer specified by dead-time starts after the device marks the RADIUS server status as Down. The timer indicates the duration for which the server status remains Down. After the timer expires, the device marks the RADIUS server status as Force-up. If a new user needs to be authenticated in RADIUS mode and no RADIUS server is available, the device attempts to re-establish a connection with a RADIUS server in Force-up status.
  • Down to Up: After receiving packets from the RADIUS server, the device changes the RADIUS server status from Down to Up. For example, after automatic detection is configured, the device receives response packets from the RADIUS server.
Conditions for Marking the RADIUS Server Status as Down

Whether the status of a RADIUS server can be marked as Down depends on the following factors:

  • Number of times the RADIUS Access-Request packet is sent
  • Interval of sending the RADIUS Access-Request packet
  • Interval of detecting the RADIUS server status
  • Maximum number of consecutive unacknowledged packets in each detection interval
As shown in Figure 1-11, the conditions for marking the RADIUS server status as Down are as follows:
  1. In a detection interval, if the number of RADIUS Access-Request packets the device sends without receiving a response (n) is greater than or equal to the maximum number of consecutive unacknowledged packets (dead-count), the device records a communication interruption.
  2. If the device records communication interruptions with one RADIUS server in two consecutive detection intervals, the device considers the RADIUS server unavailable and the conditions for marking the RADIUS server status as Down are met.
    NOTE:
    If the device does not record any communication interruption in the second detection interval, the first communication interruption record is cleared.
  3. When the device sends an Access-Request packet to the server for the (2n+1)th time, it marks the server status as Down.
    • If the device receives a response packet from the server, the server status reverts to Up.
    • If no response packet is received from the server and the maximum number of retransmissions has not been reached, the device sends an Access-Request packet to the server for the (2n+2)th time. If the server still does not respond, the device no longer sends any Access-Request packet to the server.

If multiple servers are configured in the RADIUS server template, the overall status detection time depends on the number of servers and the server selection algorithm. If a user terminal uses client software for authentication and the timeout period of that software is shorter than the sum of all the status detection times, the client software may dial up repeatedly and fail to access the network. If the user escape function is configured, the sum of all the status detection times must be shorter than the timeout period of the terminal client software to ensure that escape rights can be granted to the users.

Figure 1-11  Logic flowchart for marking the RADIUS server status as Down

The related command is as follows:

  • radius-server { dead-interval dead-interval | dead-count dead-count }: Configures the conditions for marking the RADIUS server status as Down during RADIUS server status detection.
    • dead-interval dead-interval: Specifies the detection interval. The default value is 5 seconds.
    • dead-count dead-count: Specifies the maximum number of consecutive unacknowledged packets. The default value is 2.
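The following is an added example, not code from the Huawei guide, that replays a constructed timeline of unanswered Access-Requests and responses through the Down-marking logic described above (dead-interval 5 s, dead-count 2, two consecutive intervals with an interruption, the NOTE about a quiet second interval clearing the first record) plus the dead-time transition to Force-up and the response-driven return to Up. The page names dead-time but gives no default, so the 60-second value is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UP, DOWN, FORCE_UP = "Up", "Down", "Force-up"


@dataclass
class RadiusServerStatusTracker:
    dead_interval: int = 5       # detection interval, page default 5 s
    dead_count: int = 2          # max consecutive unacknowledged packets, page default 2
    dead_time: int = 60          # assumed value; the page gives no default for dead-time
    status: str = UP             # the device initially marks the server Up
    unanswered: int = 0          # unanswered Access-Requests in the current interval
    interruptions: int = 0       # consecutive intervals with a recorded interruption
    down_since: Optional[int] = None
    history: List[Tuple[int, str]] = field(default_factory=list)

    def _set(self, now: int, status: str) -> None:
        if status != self.status:
            self.status = status
            self.history.append((now, status))

    def request_unanswered(self, now: int) -> None:
        """An Access-Request (user, test-aaa or detection packet) got no response."""
        self.unanswered += 1

    def response_received(self, now: int) -> None:
        """Any packet from the server restores Up and clears the interruption records."""
        self.unanswered = self.interruptions = 0
        self.down_since = None
        self._set(now, UP)

    def detection_interval_ended(self, now: int) -> str:
        """Condition 1: n >= dead-count in this interval records an interruption.
        Condition 2: interruptions in two consecutive intervals mark the server Down.
        NOTE on the page: no interruption in the second interval clears the first."""
        if self.unanswered >= self.dead_count:
            self.interruptions += 1
        else:
            self.interruptions = 0
        self.unanswered = 0
        if self.interruptions >= 2 and self.status == UP:
            self.interruptions = 0
            self.down_since = now
            self._set(now, DOWN)
        return self.status

    def dead_timer_check(self, now: int) -> str:
        """Down -> Force-up once dead-time has elapsed (the device may then retry it)."""
        if self.status == DOWN and now - self.down_since >= self.dead_time:
            self._set(now, FORCE_UP)
        return self.status


def replay(events, **kwargs):
    """Replay constructed events [(t, kind)] with kind in 'timeout', 'response' or
    'idle' (a time marker only). Detection-interval boundaries are derived from t,
    so an event at t == boundary belongs to the next interval. Returns the final
    status and the list of status transitions."""
    tracker = RadiusServerStatusTracker(**kwargs)
    next_boundary = tracker.dead_interval
    for t, kind in sorted(events):
        while t >= next_boundary:
            tracker.detection_interval_ended(next_boundary)
            tracker.dead_timer_check(next_boundary)
            next_boundary += tracker.dead_interval
        if kind == "timeout":
            tracker.request_unanswered(t)
        elif kind == "response":
            tracker.response_received(t)
        tracker.dead_timer_check(t)
    return tracker.status, tracker.history


# Constructed: two unanswered requests in each of two consecutive 5-second intervals.
TWO_BAD_INTERVALS = [(1, "timeout"), (2, "timeout"), (6, "timeout"), (7, "timeout"), (10, "idle")]
```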
Automatic Detection

After the RADIUS server status is marked as Down, you can configure the automatic detection function to test the reachability of the RADIUS server.

If no user authentication request reaches the device within the automatic detection interval, the device exchanges no packets with the RADIUS server in that interval, so the server status it has marked may be out of date. In this case, the device sends a RADIUS Access-Request packet to the RADIUS server to verify the server status.

The automatic detection function must be enabled manually. It can be enabled only after the user name and password for automatic detection are configured in the RADIUS server template view on the device; they do not need to exist on the RADIUS server, because authentication success is not required. If the device receives a response packet, even an authentication failure, the RADIUS server is working properly and the device marks the RADIUS server status as Up. If the device receives no response packet, the RADIUS server is unavailable and the device marks the RADIUS server status as Down.

The commands related to automatic detection are as follows:

  • radius-server testuser username user-name password cipher password: Enables the automatic detection function.
    • user-name: Specifies the user name for automatic detection.
    • password: Specifies the password for automatic detection.
  • radius-server detect-server interval interval: Specifies the automatic detection interval. The default value is 60 seconds.
Consecutive Processing After the RADIUS Server Status Is Marked as Down

After the device marks the RADIUS server status as Down, you can configure the escape function to make users obtain escape authorization. After the device detects that the RADIUS server status reverts to Up, you can configure the reauthentication function to make users obtain authorization from the server through reauthentication, as shown in Figure 1-12.

NOTE:

For 802.1X authenticated users and MAC address authenticated users, after the RADIUS server status reverts to Up, users exit escape authorization and are reauthenticated. For Portal authenticated users, after the RADIUS server status reverts to Up, users obtain pre-connection authorization and are redirected to the Portal server for authentication only when they attempt to access network resources.

Figure 1-12  Consecutive processing after the RADIUS server status is marked as Down

The commands for configuring the escape rights upon transition of the RADIUS server status to Down and for configuring the reauthentication function are as follows:

  • authentication event authen-server-down action authorize { vlan vlan-id | service-scheme service-scheme-name } [ response-fail ]: Configures the escape function upon transition of the RADIUS server status to Down.
  • authentication event authen-server-up action re-authen: Configures the reauthentication function for users in escape status when the RADIUS server status reverts to Up.

RADIUS CoA/DM

The device supports the RADIUS Change of Authorization (CoA) and Disconnect Message (DM) functions. CoA provides a mechanism for changing the rights of online users, and DM provides a mechanism for forcibly disconnecting users.
RADIUS CoA/DM packet

Table 1-7 describes types of the CoA/DM packets.

Table 1-7  RADIUS CoA/DM packet

  • CoA-Request: When an administrator needs to modify the rights of an online user (for example, prohibit the user from accessing a website), the RADIUS server sends this packet to the RADIUS client, requesting the client to modify the user rights.
  • CoA-ACK: If the RADIUS client successfully modifies the user rights, it returns this packet to the RADIUS server.
  • CoA-NAK: If the RADIUS client fails to modify the user rights, it returns this packet to the RADIUS server.
  • DM-Request: When an administrator needs to disconnect a user, the server sends this packet to the RADIUS client, requesting the client to disconnect the user.
  • DM-ACK: If the RADIUS client has disconnected the user, it returns this packet to the RADIUS server.
  • DM-NAK: If the RADIUS client fails to disconnect the user, it returns this packet to the RADIUS server.

Exchange Procedure

CoA allows the administrator to change the rights of an online user or perform reauthentication for the user through RADIUS after the user passes authentication. Figure 1-13 shows the CoA interaction process.

Figure 1-13  CoA interaction process

  1. The RADIUS server sends a CoA-Request packet to the device according to service information, requesting the device to modify user authorization information. This packet can contain authorization information including the ACL.
  2. Upon receiving the CoA-Request packet, the device performs a match check between the packet and user information on the device to identify the user. If the match succeeds, the device modifies authorization information of the user. Otherwise, the device retains the original authorization information of the user.
  3. The device returns a CoA-ACK or CoA-NAK packet as follows:
    • If authorization information is successfully modified, the device sends a CoA-ACK packet to the RADIUS server.
    • If authorization information fails to be modified, the device sends a CoA-NAK packet to the RADIUS server.

When a user needs to be disconnected forcibly, the RADIUS server sends a DM packet to the device. Figure 1-14 shows the DM interaction process.

Figure 1-14  DM interaction process

  1. The administrator forcibly disconnects a user on the RADIUS server. The RADIUS server sends a DM-Request packet to the device, requesting the device to disconnect the user.
  2. Upon receiving the DM-Request packet, the device performs a match check between the packet and user information on the device to identify the user. If the match succeeds, the user is notified to go offline. Otherwise, the user remains online.
  3. The device returns a DM-ACK or DM-NAK packet as follows:

    • If the user successfully goes offline, the device sends a DM-ACK packet to the RADIUS server.
    • Otherwise, the device sends a DM-NAK packet to the RADIUS server.

Unlike the normal authorization process for an online user, or the case where a user proactively goes offline, in the CoA/DM process the server sends the request packet and the device sends the response packet. If CoA/DM succeeds, the device returns an ACK packet; otherwise, it returns a NAK packet.

Session Identification

Each service provided by the NAS to a user constitutes a session. The session begins when the service is first provided and ends when the service ends.

After the device receives a CoA-Request or DM-Request packet from the RADIUS server, it identifies the user from RADIUS attributes carried in the packet. The following attributes can be used:
  • User-Name (IETF attribute #1)
  • Framed-IP-Address (IETF attribute #8)
  • Calling-Station-Id (IETF attribute #31)
  • Acct-Session-Id (IETF attribute #44)

The match methods are as follows:

  • any method

    The device matches a single attribute against its user information. It looks for the attributes in the request in the priority order Acct-Session-Id (44) > Calling-Station-Id (31) > Framed-IP-Address (8) and matches the first one it finds (User-Name is not in this priority list). If that attribute matches an online user, the device responds with an ACK packet; otherwise it responds with a NAK packet.

  • all method

    The device matches all the identifying attributes, Acct-Session-Id (44), Calling-Station-Id (31), Framed-IP-Address (8), and User-Name (1), that the request carries against its user information. The device responds with an ACK packet only if every one of them matches; otherwise it responds with a NAK packet. This method is the safer choice where IP addresses are reused or several users share a NAS, because a stale Framed-IP-Address on its own can then no longer disconnect or re-authorize the wrong user.

Error Code Description

When the CoA-Request or DM-Request packet from the RADIUS server fails to match user information on the device, the device reports the cause as an error code in the CoA-NAK or DM-NAK packet. The values are those of the Error-Cause attribute (101) defined in RFC 3576, which is how the NAK carries them. The error codes are described in Table 1-8 and Table 1-9.

Table 1-8  Error codes in a CoA-NAK packet

Name  Value  Description
RD_DM_ERRCODE_MISSING_ATTRIBUTE  402  The request packet lacks key attributes, so the integrity check of the RADIUS attributes fails.
RD_DM_ERRCODE_NAS_IDENTIFICATION_MISMATCH  403  One or more attributes in the request packet fail to match.
RD_DM_ERRCODE_INVALID_REQUEST  404  The attributes in the request packet cannot be parsed.
RD_DM_ERRCODE_INVALID_ATTRIBUTE_VALUE  407  The request packet contains attributes that the device does not support or that do not exist, so the attribute check fails.
    The authorization check covers the VLAN, ACL, CAR, the number of the ACL used for redirection, and whether the Huawei RADIUS extended attributes RD_hw_URL_Flag and RD_hw_Portal_URL can be authorized to the interface-based authenticated user. Errors that can occur:
      • The authorized service scheme does not exist.
      • The authorized QoS profile does not exist, or no user queue is configured in the QoS profile.
      • The authorized upstream or downstream priority exceeds the maximum value.
      • The authorized index value of the UCL group is outside the specification.
      • The ISP VLAN and outbound interface information are incorrectly parsed.
      • Reauthentication attributes and other attributes are authorized at the same time.
RD_DM_ERRCODE_SESSION_CONTEXT_NOT_FOUND  503  The session request fails. Causes:
      • Authorization for the requested user is still being processed.
      • The temporary RADIUS table cannot be allocated.
      • User information does not match, or no user is found.
      • The user was not authenticated by RADIUS.
RD_DM_ERRCODE_RESOURCES_UNAVAILABLE  506  Used for all other authorization failures.

Table 1-9  Error codes in a DM-NAK packet

Name  Value  Description
RD_DM_ERRCODE_INVALID_REQUEST  404  The attributes in the request packet cannot be parsed.
RD_DM_ERRCODE_SESSION_CONTEXT_NOT_REMOVABLE  504  The user cannot be deleted or does not exist.
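The two match methods and the NAK error codes above, worked through in code. This is an added example, not Huawei's implementation: the online-user table, session IDs and MAC strings are constructed sample data, the "all" method is taken to check every identifying attribute the request actually carries, and a DM identification failure is reported as 504 because Table 1-9 defines no separate "not found" code.

```python
from dataclasses import dataclass, field

# IETF attribute numbers used to identify a session (Table 1-10 numbering).
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 8, 31, 44
# Authorization attributes a CoA-Request may carry (Table 1-15, CoA REQUEST column).
COA_AUTHZ_ATTRS = {11: "Filter-Id", 27: "Session-Timeout", 28: "Idle-Timeout",
                   29: "Termination-Action", 85: "Acct-Interim-Interval"}

# 'any' method: use the first identifying attribute present, in this priority order.
ANY_PRIORITY = (ACCT_SESSION_ID, CALLING_STATION_ID, FRAMED_IP_ADDRESS)
# 'all' method: every identifying attribute the request carries must match
# (assumption: attributes absent from the request are not checked).
ALL_ATTRS = (ACCT_SESSION_ID, CALLING_STATION_ID, FRAMED_IP_ADDRESS, USER_NAME)

# NAK error codes from Table 1-8 (CoA) and Table 1-9 (DM).
ERR_MISSING_ATTRIBUTE = 402
ERR_SESSION_CONTEXT_NOT_FOUND = 503
ERR_SESSION_CONTEXT_NOT_REMOVABLE = 504


@dataclass
class OnlineUser:
    user_name: str
    calling_station_id: str      # user MAC as the NAS formats it
    framed_ip: str
    acct_session_id: str
    radius_authenticated: bool = True
    authorization: dict = field(default_factory=dict)

    def attr(self, attr_id):
        return {USER_NAME: self.user_name, CALLING_STATION_ID: self.calling_station_id,
                FRAMED_IP_ADDRESS: self.framed_ip, ACCT_SESSION_ID: self.acct_session_id}[attr_id]


def identify_session(request, users, method="any"):
    """Return (user, None) on a match or (None, error_code) on failure.
    `request` maps IETF attribute number -> value, as parsed from the CoA/DM packet."""
    if method == "any":
        keys = tuple(a for a in ANY_PRIORITY if a in request)[:1]
    elif method == "all":
        keys = tuple(a for a in ALL_ATTRS if a in request)
    else:
        raise ValueError(f"unknown match method {method!r}")
    if not keys:
        return None, ERR_MISSING_ATTRIBUTE               # nothing to identify the user by
    for user in users:
        if all(user.attr(k) == request[k] for k in keys):
            if not user.radius_authenticated:            # Table 1-8: non-RADIUS user -> 503
                return None, ERR_SESSION_CONTEXT_NOT_FOUND
            return user, None
    return None, ERR_SESSION_CONTEXT_NOT_FOUND           # no user found


def handle_coa(request, users, method="any"):
    """Apply the authorization in a CoA-Request; returns ('CoA-ACK', None) or ('CoA-NAK', code)."""
    user, err = identify_session(request, users, method)
    if user is None:
        return "CoA-NAK", err
    user.authorization.update(
        {COA_AUTHZ_ATTRS[a]: v for a, v in request.items() if a in COA_AUTHZ_ATTRS})
    return "CoA-ACK", None


def handle_dm(request, users, method="any"):
    """Log off the user named by a DM-Request; returns ('DM-ACK', None) or ('DM-NAK', code)."""
    user, err = identify_session(request, users, method)
    if user is None:
        return "DM-NAK", ERR_SESSION_CONTEXT_NOT_REMOVABLE
    users.remove(user)
    return "DM-ACK", None


def sample_users():
    """Constructed online-user table (session IDs are placeholders, not the 34-character
    Huawei Acct-Session-Id format)."""
    return [
        OnlineUser("alice@corp", "00e0-fc12-3456", "10.1.1.10", "SESS-0001"),
        OnlineUser("bob@corp", "00e0-fc65-4321", "10.1.1.11", "SESS-0002"),
        OnlineUser("console-admin", "", "10.1.1.200", "SESS-0003", radius_authenticated=False),
    ]


def demo():
    users = sample_users()
    # Session ID matches alice but the MAC does not: 'any' stops at the session ID and
    # succeeds, 'all' checks both and fails with 503.
    coa = {ACCT_SESSION_ID: "SESS-0001", CALLING_STATION_ID: "00e0-fc00-0000", 11: "3001"}
    results = [handle_coa(coa, users, "any"), handle_coa(coa, users, "all")]
    results.append(handle_coa({11: "3001"}, users))                       # nothing to identify by
    results.append(handle_dm({FRAMED_IP_ADDRESS: "10.1.1.200"}, users))  # non-RADIUS user
    results.append(handle_dm({FRAMED_IP_ADDRESS: "10.1.1.11"}, users))   # bob goes offline
    return results, [u.user_name for u in users]


if __name__ == "__main__":
    print(demo())
```

Note that under the "any" method the request with a correct Acct-Session-Id but a wrong Calling-Station-Id is still honoured, which is exactly why the "all" method is worth enabling wherever the server's view of a session can be stale.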

RADIUS Attributes

RADIUS attributes are the Attribute fields of RADIUS packets; they carry the authentication, authorization, and accounting information itself.

For more information about RADIUS attributes, use the AAA Attribute Query Tool.

Standard RADIUS Attributes

RFC 2865, RFC 2866, and RFC 3576 define the standard RADIUS attributes, which all mainstream vendors support. Table 1-10 lists the ones the device uses.

Table 1-10  Standard RADIUS attributes

Attribute No.  Attribute Name  Attribute Type  Description

1  User-Name  string
    User name for authentication, in the format user name@domain name or just user name.

2  User-Password  string
    User password for authentication; valid only for the Password Authentication Protocol (PAP). The value is not sent in clear text: the NAS hides it by XORing it with MD5(shared secret + Request Authenticator), as specified in RFC 2865, which is why a captured packet is only as safe as the shared secret.

3  CHAP-Password  string
    Response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge.

4  NAS-IP-Address  ipaddr
    IP address of the NAS, carried in authentication request packets. By default, the value is the source IP address of the authentication request packets sent by the NAS. You can change it to a specified IP address on the NAS or to the IP address of the AP using the radius-attribute nas-ip { ip-address | ap-info } command.

5  NAS-Port  integer
    Physical port number of the NAS that is authenticating the user, in one of the following formats:
      • new: slot ID (8 bits) + sub-slot ID (4 bits) + port number (8 bits) + VLAN ID (12 bits)
      • old: slot ID (12 bits) + port number (8 bits) + VLAN ID (12 bits)
      • ADSL access physical port: slot ID (4 bits) + sub-slot ID (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits)

6  Service-Type  integer
    Service type of the user to be authenticated:
      • 2 (Framed): PPP or 802.1X access user
      • 6 (Administrative): administrator
      • 8 (Authenticate Only): reauthentication only
      • 10 (Call Check): MAC address authentication user or MAC address bypass authentication user

7  Framed-Protocol  integer
    Encapsulation protocol of framed services:
      • For a non-management user, the value is fixed at 1.
      • For a management user, the value is fixed at 6.

8  Framed-IP-Address  ipaddr
    User IP address.

9  Framed-IP-Netmask  ipaddr
    User IP address mask. Must be used together with Framed-IP-Address.

11  Filter-Id  string
    User group name or IPv4 Access Control List (ACL) ID.

    NOTE:
      • When this attribute carries an IPv4 ACL ID, the ID must be in the range 3000 to 3999 (wired users) or 3000 to 3031 (wireless users).
      • A RADIUS packet cannot carry both a user group name and an IPv4 ACL ID.

12  Framed-MTU  integer
    Maximum transmission unit (MTU) of the data link between the user and the NAS. In 802.1X Extensible Authentication Protocol (EAP) authentication, for example, the NAS uses this attribute to tell the server the maximum EAP packet length; an EAP packet larger than the link MTU may be lost.

14  Login-IP-Host  ipaddr
    Management user IP address:
      • If the value is 0 or 0xFFFFFFFF, the management user's IP address is not checked.
      • For any other value, the NAS checks that the management user's IP address equals the delivered value.

15  Login-Service  integer
    Service used to connect the user to the login host:
      • 0: Telnet
      • 5: X25-PAD
      • 50: SSH
      • 51: FTP
      • 52: Terminal
    NOTE:

    One attribute can contain multiple service types.

18  Reply-Message  string
    Text from the server to be shown to the user. Carried in an Access-Accept it accompanies a successful authentication; carried in an Access-Reject it gives the reason authentication failed.

19  Callback-Number  string
    Information sent by the authentication server to be displayed to the user, such as a mobile number.

22  Framed-Route  string
    Routing information delivered by the RADIUS server to the user, in the format Destination/Mask NextHop Metric, for example 192.168.1.0/24 192.168.1.1 1.

    If NextHop is 0.0.0.0, the user IP address is used as the next hop. The device accepts only one Metric value; if the attribute delivered by the RADIUS server contains several, only the first is used.

24  State  string
    Sent by the server to the client in an Access-Challenge, and returned unmodified by the client in the new Access-Request that answers that challenge, if any.

25  Class  string
    If the RADIUS server sends an Access-Accept packet carrying the Class attribute to the NAS, the subsequent Accounting-Request packets sent by the NAS must carry the Class attribute with the same value.

26  Vendor-Specific  string
    Vendor-specific attribute. For details, see Table 1-11. A packet can carry one or more vendor-specific attributes, and each can contain one or more sub-attributes.

27  Session-Timeout  integer
    In an Access-Accept packet, the maximum number of seconds the user is allowed to remain connected.

    In an Access-Challenge packet, the interval after which EAP authentication users are reauthenticated.

    The value must be greater than 0.

    NOTE:

    This attribute is valid only for 802.1X, MAC address, Portal, and PPPoE authentication users.

    When the RADIUS server delivers only this attribute, attribute 29 Termination-Action defaults to 0 (the user is forced offline).

28  Idle-Timeout  integer
    Maximum number of consecutive seconds the connection may be idle before the session is terminated or the user is prompted.

    NOTE:
      • This attribute is valid only for administrators, PPPoE users, and Portal users.
      • It can be combined with the traffic threshold and direction configured by the idle-cut command in the service scheme view. If no authorization service scheme is configured, or idle-cut is not configured in the service scheme, a user who sends no upstream traffic within the idle-cut period is disconnected.
      • In V200R010C00 and later versions, idle-cut is measured in seconds; in earlier versions, in minutes. When a switch or AC works with an AP running a version earlier than V200R009C00, the idle-cut period is rounded up to whole minutes: 60s becomes 1 minute, and 61s to 119s become 2 minutes.

29  Termination-Action  integer
    Action the NAS takes when the specified service ends:
      • 0: forcible disconnection
      • 1: reauthentication
    NOTE:

    This attribute is valid only for 802.1X and MAC address authentication users.

    When the RADIUS server delivers only this attribute, attribute 27 Session-Timeout defaults to 3600s (802.1X authentication users) or 1800s (MAC address authentication users).

30  Called-Station-Id  string
    Identification of the NAS:
      • For wired users, the NAS MAC address.
      • For wireless users, the SSID and MAC address of the AP.

31  Calling-Station-Id  string
    Identifies the calling party. In RFC 2865 terms this is the phone number the call came from, obtained by Automatic Number Identification (ANI) or similar; for LAN access users the device fills it with the user's MAC address, which is why it can identify a session in CoA/DM requests.

32  NAS-Identifier  string
    String identifying the NAS that originates the Access-Request. By default, the value is the device host name. You can change it to the VLAN ID of the user or the MAC address of the AP using the radius-server nas-identifier-format { hostname | vlan-id | ap-info } command.

40  Acct-Status-Type  integer
    Accounting-Request type:
      • 1: Accounting-Start packet
      • 2: Accounting-Stop packet
      • 3: Interim-Accounting packet

41  Acct-Delay-Time  integer
    Number of seconds the client has been trying to send the accounting packet (excluding network transmission time).

44  Acct-Session-Id  string
    Accounting session ID. The Accounting-Start, Interim-Accounting, and Accounting-Stop packets of one accounting session carry the same session ID.

    The attribute is a 34-character string: host name (7 characters) + slot ID (2) + subcard number (1) + port number (2) + outer VLAN ID (4) + inner VLAN ID (5) + CPU tick (6) + user ID prefix (2) + user ID (5).

45  Acct-Authentic  integer
    How the user was authenticated:
      • 1: RADIUS authentication
      • 2: Local authentication
      • 3: Other remote authentication

46  Acct-Session-Time  integer
    Number of seconds the user has received service.

    NOTE:

    If the administrator changes the system time after the user goes online, the online time calculated by the device may be incorrect.

49  Acct-Terminate-Cause  integer
    Cause of a terminated session:
      • User-Request (1): The user requests termination of service.
      • Lost Carrier (2): The connection is torn down after a handshake failure or heartbeat timeout, such as an ARP probe failure or PPP handshake failure.
      • Lost Service (3): The connection initiated by the peer device is torn down.
      • Idle Timeout (4): The idle timer expires.
      • Session Timeout (5): The session times out or the traffic threshold is reached.
      • Admin Reset (6): The administrator forces the user offline.
      • Admin Reboot (7): The administrator restarts the NAS.
      • Port Error (8): A port fails.
      • NAS Error (9): The NAS encounters an internal error.
      • NAS Request (10): The NAS ends the session because resources changed.
      • NAS Reboot (11): The NAS restarts automatically.
      • Port Unneeded (12): The port goes Down.
      • Port Preempted (13): The port is preempted.
      • Port Suspended (14): The port is suspended.
      • Service Unavailable (15): The service is unavailable.
      • Callback (16): The NAS terminates the current session to perform a callback for a new session.
      • User Error (17): User authentication fails or times out.
      • Host Request (18): A host sends a request.

60  CHAP-Challenge  string
    Challenge field in CHAP authentication, generated by the NAS and used in the MD5 calculation.

61  NAS-Port-Type  integer
    NAS port type. The value can be configured in the interface view; the default is Ethernet (15).

64  Tunnel-Type  integer
    Protocol type of the tunnel. The value is fixed at 13, indicating VLAN.

65  Tunnel-Medium-Type  integer
    Medium type used on the tunnel. The value is fixed at 6, indicating Ethernet.

66  Tunnel-Client-Endpoint  string
    Tunnel client address.

67  Tunnel-Server-Endpoint  string
    Tunnel server address.

79  EAP-Message  string
    Encapsulates Extensible Authentication Protocol (EAP) packets so that RADIUS can carry EAP authentication. An EAP packet longer than 253 bytes is split over several attributes, so a RADIUS packet can carry multiple EAP-Message attributes.

80  Message-Authenticator  string
    HMAC-MD5 over the whole packet keyed with the shared secret (RFC 2869), used to authenticate and integrity-protect the packet and so prevent spoofed packets. It is mandatory in any packet that carries EAP-Message (RFC 3579) and is the only integrity protection an Access-Request has, since the Request Authenticator in that packet is a random value rather than a hash.

81  Tunnel-Private-Group-ID  string
    Tunnel private group ID, used to deliver the user VLAN ID.

    NOTE:
    For VLAN authorization to take effect, the access control mode must match the link type:
      • When the link type is hybrid in untagged mode, the access control mode can be MAC address or interface.
      • When the link type is access or trunk, the access control mode can only be interface.

82  Tunnel-Assignment-Id  string
    Specific ID assigned to the tunnel.

85  Acct-Interim-Interval  integer
    Interim accounting interval, in seconds, in the range 60 to 3932100. An interval of at least 600 seconds is recommended.

87  NAS-Port-Id  string
    Port of the NAS that is authenticating the user, in one of the following formats:
      • New:

        For Ethernet access users: "slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx", where slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.

        For ADSL access users: "slot=xx; subslot=x; port=x; VPI=xxx; VCI=xxxxx", where slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from 0 to 65535.

      • Old:

        For Ethernet access users: port number (2 characters) + sub-slot ID (2 characters) + card number (3 characters) + VLAN ID (9 characters).

        For ADSL access users: port number (2 characters) + sub-slot ID (2 characters) + card number (3 characters) + VPI (8 characters) + VCI (16 characters). Fields shorter than their width are left-padded with 0s.

      • Vendor 9: the default Cisco encapsulation format.

88  Framed-Pool  string
    Address pool, carried only in the Access-Accept packet. Used as authorization information in Efficient VPN.

90  Tunnel-Client-Auth-Id  string
    Client tunnel ID used for authentication during tunnel setup.

91  Tunnel-Server-Auth-Id  string
    Server tunnel ID used for authentication during tunnel setup.

95  NAS-IPv6-Address  ipv6addr
    IPv6 address of the NAS, carried in the authentication request packet. NAS-IPv6-Address and NAS-IP-Address can both be present in one packet.

195  HW-SecurityStr  string
    Security information of users in EAP relay authentication.
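How Message-Authenticator (80) and the Response Authenticator described in Table 1-10 actually protect a packet, as an added example rather than code from this document or from the device: a minimal RFC 2865/2869 encoder and verifier using only the Python standard library. The shared secret, identifier and attribute values are constructed; the Request Authenticator is random per request, as the RFC requires.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator (RFC 2865 3)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as Type(1) Length(1) Value AVPs. A value holds at most
    253 bytes, which is why long EAP payloads are split over several EAP-Message attributes."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError(f"attribute {t}: {len(v)}-byte value does not fit one AVP")
        out += bytes((t, len(v) + 2)) + v
    return bytes(out)


def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...]); raise on a bad layout."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("Length field does not match the packet size")
    attrs, pos = [], HEADER.size
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, auth, attrs


def build_packet(code, ident, authenticator, attrs, secret):
    """Serialise a packet. If attrs contains Message-Authenticator(80), its value becomes
    HMAC-MD5(secret, packet with that value set to 16 zero bytes), as RFC 2869 3.2 specifies."""
    attrs = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(attrs)
    pkt = HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body
    for i, (t, _) in enumerate(attrs):
        if t == MESSAGE_AUTHENTICATOR:
            attrs[i] = (t, hmac.new(secret, pkt, hashlib.md5).digest())
            return pkt[:HEADER.size] + encode_attrs(attrs)
    return pkt


def verify_message_authenticator(pkt, secret, request_authenticator=None):
    """True iff exactly one Message-Authenticator is present and its HMAC checks out. For a
    reply, the HMAC was computed with the Request Authenticator of the request in the header."""
    code, ident, auth, attrs = parse_packet(pkt)
    found = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0]) != 16:
        return False
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    hdr_auth = auth if request_authenticator is None else request_authenticator
    covered = HEADER.pack(code, ident, len(pkt), hdr_auth) + encode_attrs(zeroed)
    return hmac.compare_digest(hmac.new(secret, covered, hashlib.md5).digest(), found[0])


def response_authenticator(code, ident, request_authenticator, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    hdr = HEADER.pack(code, ident, HEADER.size + len(body), request_authenticator)
    return hashlib.md5(hdr + body + secret).digest()


def build_response(code, ident, request_authenticator, attrs, secret):
    """Message-Authenticator first (keyed over the Request Authenticator), then the Response
    Authenticator over the finished attribute list."""
    pkt = build_packet(code, ident, request_authenticator, attrs, secret)
    final_attrs = parse_packet(pkt)[3]
    resp_auth = response_authenticator(code, ident, request_authenticator, final_attrs, secret)
    return pkt[:4] + resp_auth + pkt[HEADER.size:]


def verify_response(resp, request_authenticator, secret):
    """A NAS should check both: the Response Authenticator ties the reply to its request and the
    secret, and Message-Authenticator additionally covers the attributes with an HMAC."""
    code, ident, auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, ident, request_authenticator, attrs, secret)
    return (hmac.compare_digest(auth, expected)
            and verify_message_authenticator(resp, secret, request_authenticator))


def demo(secret=b"s3cret", ident=7, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # Request Authenticator: random per request
    req = build_packet(ACCESS_REQUEST, ident, request_auth, [
        (USER_NAME, b"alice@corp"),
        (NAS_IP_ADDRESS, bytes([10, 1, 1, 1])),
        (EAP_MESSAGE, bytes([2, 1, 0, 15, 1]) + b"alice@corp"),   # EAP-Response/Identity
        (MESSAGE_AUTHENTICATOR, bytes(16))], secret)
    tampered = req.replace(b"alice@corp", b"mallory@co", 1)      # same length, User-Name changed
    accept = build_response(ACCESS_ACCEPT, ident, request_auth,
                            [(MESSAGE_AUTHENTICATOR, bytes(16))], secret)
    forged = build_response(ACCESS_ACCEPT, ident, request_auth,
                            [(MESSAGE_AUTHENTICATOR, bytes(16))], b"guess")
    return (verify_message_authenticator(req, secret),
            verify_message_authenticator(tampered, secret),
            verify_message_authenticator(req, b"wrong"),
            verify_response(accept, request_auth, secret),
            verify_response(forged, request_auth, secret))


if __name__ == "__main__":
    print(demo())   # (True, False, False, True, False)
```

The second and third results are the point: a one-byte change to User-Name, or a sender without the shared secret, fails the HMAC check, whereas without Message-Authenticator an Access-Request carries nothing a receiver could verify.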

Huawei Proprietary RADIUS Attributes

RADIUS is fully extensible: attribute 26 (Vendor-Specific), defined in RFC 2865, lets a vendor carry functions that the standard attributes do not cover. Table 1-11 describes the Huawei proprietary RADIUS attributes.

NOTE:

Extended RADIUS attributes carry the vendor ID of the device. The vendor ID of Huawei is 2011, so attribute "26-N" below is sub-attribute N inside a Vendor-Specific attribute whose Vendor-Id field is 2011.

Table 1-11  Huawei proprietary RADIUS attributes

Attribute No.  Attribute Name  Attribute Type  Description

26-1  HW-Input-Peak-Information-Rate  integer
    Peak rate at which the user sends to the NAS, in bit/s. The value is a 4-byte integer.

26-2  HW-Input-Committed-Information-Rate  integer
    Average rate at which the user sends to the NAS, in bit/s. The value is a 4-byte integer.

26-3  HW-Input-Committed-Burst-Size  integer
    Committed burst size (CBS) for traffic from the user to the NAS, in bit/s. The value is a 4-byte integer.

26-4  HW-Output-Peak-Information-Rate  integer
    Peak rate at which the NAS sends to the user, in bit/s. The value is a 4-byte integer.

26-5  HW-Output-Committed-Information-Rate  integer
    Average rate at which the NAS sends to the user, in bit/s. The value is a 4-byte integer.

26-6  HW-Output-Committed-Burst-Size  integer
    Committed burst size for traffic from the NAS to the user, in bit/s. The value is a 4-byte integer.

26-15  HW-Remanent-Volume  integer
    Remaining traffic, in KB.

26-26  HW-Connect-ID  integer
    Index of a user connection.

26-28  HW-FTP-Directory  string
    Initial directory of an FTP user.

26-29  HW-Exec-Privilege  integer
    Privilege level of a management user (for example a Telnet user), in the range 0 to 15. Values of 16 or greater are ignored.

26-31  HW-Qos-Data  string
    Name of the QoS profile, at most 31 bytes long. The RADIUS server uses this attribute to deliver the QoS profile, which must already exist on the device.

26-59  HW-NAS-Startup-Time-Stamp  integer
    NAS start time, as the number of seconds elapsed since 00:00:00 on January 1, 1970.

26-60  HW-IP-Host-Address  string
    User IP address and MAC address, carried in authentication and accounting packets in the format A.B.C.D hh:hh:hh:hh:hh:hh, with a space between the two.

    If the user's IP address is found to be invalid during authentication, the IP address is set to 255.255.255.255.

26-75  HW-Primary-WINS  ipaddr
    Primary WINS server address delivered by the RADIUS server after the user is authenticated.

26-76  HW-Second-WINS  ipaddr
    Secondary WINS server address delivered by the RADIUS server after the user is authenticated.

26-77  HW-Input-Peak-Burst-Size  integer
    Upstream peak rate, in bit/s.

26-78  HW-Output-Peak-Burst-Size  integer
    Downstream peak rate, in bit/s.

26-94  HW-VPN-Instance  string
    VPN instance name delivered by the RADIUS server after the user is authenticated. It specifies the VPN to which the user belongs.

26-135  HW-Client-Primary-DNS  ipaddr
    Primary DNS server address delivered by the RADIUS server after the user is authenticated.

26-136  HW-Client-Secondary-DNS  ipaddr
    Secondary DNS server address delivered by the RADIUS server after the user is authenticated.

26-138  HW-Domain-Name  string
    Name of the domain used for user authentication: either the domain name contained in the user name or the name of a forcible domain.

26-141  HW-AP-Information  string
    MAC address of the AP used for STA authentication.

26-142  HW-User-Information  string
    User security check information delivered by the RADIUS server to an Extensible Authentication Protocol over LAN (EAPoL) user, listing the items that require security checks.

26-146  HW-Service-Scheme  string
    Service scheme name. A service scheme contains user authorization information and policies.

26-153  HW-Access-Type  integer
    User access type, carried in the authentication and accounting request packets sent by the RADIUS client to the RADIUS server:
      • 1: 802.1X user
      • 2: MAC address authentication user or MAC address bypass authentication user
      • 3: Portal authentication user
      • 4: Static user
      • 6: Management user
      • 7: PPP user

26-155  HW-URL-Flag  integer
    Whether a Uniform Resource Locator (URL) is forcibly pushed to the user when this attribute is delivered together with another attribute, for example HW-Portal-URL:
      • 0: No
      • 1: Yes

26-156  HW-Portal-URL  string
    Forcibly pushed URL.

    If the information delivered by the RADIUS server matches a configured URL template, the URL configured in the template is used. Otherwise, the character string delivered by the RADIUS server is used.

26-201  HW-User-Extend-Info  string
    Extended user information, carried in authentication and accounting request packets. A packet can contain multiple HW-User-Extend-Info attributes. The fields are:

      • User-Position: service code of the location where the user goes online
      • User-Position-Type: type of the location where the user goes online
      • AP-Device-Code: AP code
      • AP-POS-X: longitude of a moving AP
      • AP-POS-Y: latitude of a moving AP
      • Wifi-Density: field strength
      • HW-Access-Time: user access time, as the number of seconds elapsed since 00:00:00 on January 1, 1970. 802.1X authentication supports only this field.
      • wan-src-ip: source IPv4/IPv6 address on the external network

        An IPv4 address is expressed as an unsigned integer in host byte order, for example 2880036141. An IPv6 address is expressed in colon-delimited hexadecimal notation (XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX), for example CDCD:910A:2222:5498:1111:3900:2020:6328.

      • wan-src-start-port: first source port on the external network

        The port is a TCP or UDP port in the range 0 to 65535. If only one port is available, the start and end port numbers are the same.

      • wan-src-end-port: last source port on the external network

        The port is a TCP or UDP port in the range 0 to 65535.

    This attribute applies only to MAC address authentication and Portal authentication.

26-237  HW-Web-Authen-Info  string
    Information from the portal server, transparently forwarded by the device to the RADIUS server. For example, a user selects the authentication-free option and a validity period for the next login; the RADIUS server then stores the user's MAC address for that period, and at the next login the login page is not shown and MAC address authentication is used instead. The attribute can also carry transparent data in more complex modes such as EAP.

26-241  HW-User-Addr-Network  ipaddr
    User's address segment.

26-242  HW-DNS-Domain-Name  string
    DNS domain name.

26-243  HW-Auto-Update-URL  string
    URL for version upgrade.

26-244  HW-Reachable-Detect  string
    Server reachability detection information. Authentication packets carrying this attribute are server detection packets.

26-247  HW-Tariff-Input-Octets  string
    Number of upstream bytes at the specified tariff level, sent to the accounting server in accounting packets. The unit can be byte, kilobyte, megabyte, or gigabyte. The format is Tariff level:Number of upstream bytes. An accounting packet can carry the traffic of at most 8 tariff levels.

26-248  HW-Tariff-Output-Octets  string
    Number of downstream bytes at the specified tariff level, sent to the accounting server in accounting packets. The unit can be byte, kilobyte, megabyte, or gigabyte. The format is Tariff level:Number of downstream bytes. An accounting packet can carry the traffic of at most 8 tariff levels.

26-249  HW-Tariff-Input-Gigawords  string
    Number of times the upstream byte count at the specified tariff level has wrapped past 4 GB. Together with HW-Tariff-Input-Octets it gives the full upstream byte count for that tariff level.

26-250  HW-Tariff-Output-Gigawords  string
    Number of times the downstream byte count at the specified tariff level has wrapped past 4 GB. Together with HW-Tariff-Output-Octets it gives the full downstream byte count for that tariff level.

26-254  HW-Version  string
    Software version of the device.

26-255  HW-Product-ID  string
    NAS product name.

Huawei-supported Extended RADIUS Attributes of Other Vendors

Huawei devices support some extended RADIUS attributes defined by Microsoft. For details, see Table 1-12.

Table 1-12  Huawei-supported extended RADIUS attributes of other vendors

Attribute No.  Attribute Name  Attribute Type  Description
MICROSOFT-16  MS-MPPE-Send-Key  string  MPPE sending key.
MICROSOFT-17  MS-MPPE-Recv-Key  string  MPPE receiving key.
RADIUS Attributes Available in Packets

Different RADIUS packets carry different RADIUS attributes.
  • For the RADIUS attributes available in authentication packets, see Table 1-13.
  • For the RADIUS attributes available in accounting packets, see Table 1-14.
  • For the RADIUS attributes available in authorization (CoA/DM) packets, see Table 1-15.
NOTE:

The values in the tables mean the following:

  • 1: the attribute must appear exactly once in the packet.
  • 0: the attribute cannot appear in the packet (the device discards it if it is present).
  • 0-1: the attribute appears at most once.
  • 0+: the attribute may appear any number of times, including not at all.
Table 1-13  RADIUS attributes available in authentication packets

Attribute No. | Access-Request | Access-Accept | Access-Reject | Access-Challenge
User-Name(1) | 1 | 0-1 | 0 | 0
User-Password(2) | 0-1 | 0 | 0 | 0
CHAP-Password(3) | 0-1 | 0 | 0 | 0
NAS-IP-Address(4) | 1 | 0 | 0 | 0
NAS-Port(5) | 1 | 0 | 0 | 0
Service-Type(6) | 1 | 0-1 | 0 | 0
Framed-Protocol(7) | 1 | 0-1 | 0 | 0
Framed-IP-Address(8) | 0-1 | 0-1 | 0 | 0
Framed-IP-Netmask(9) | 0 | 0-1 | 0 | 0
Filter-Id(11) | 0 | 0-1 | 0 | 0
Framed-MTU(12) | 0-1 | 0 | 0 | 0
Login-IP-Host(14) | 0-1 | 0-1 | 0 | 0
Login-Service(15) | 0 | 0-1 | 0 | 0
Reply-Message(18) | 0 | 0-1 | 0-1 | 0-1
Callback-Number(19) | 0 | 0-1 | 0 | 0
Framed-Route(22) | 0 | 0-1 | 0 | 0
State(24) | 0-1 | 0-1 | 0 | 0-1
Class(25) | 0 | 0-1 | 0 | 0
Session-Timeout(27) | 0 | 0-1 | 0-1 | 0-1
Idle-Timeout(28) | 0 | 0-1 | 0 | 0
Termination-Action(29) | 0 | 0-1 | 0 | 0-1
Called-Station-Id(30) | 0-1 | 0 | 0 | 0
Calling-Station-Id(31) | 1 | 0-1 | 0 | 0
NAS-Identifier(32) | 1 | 0 | 0 | 0
Acct-Session-Id(44) | 1 | 0 | 0 | 0
CHAP-Challenge(60) | 0-1 | 0 | 0 | 0
NAS-Port-Type(61) | 1 | 0 | 0 | 0
Tunnel-Type(64) | 0 | 0-1 | 0 | 0
Tunnel-Medium-Type(65) | 0 | 0-1 | 0 | 0
Tunnel-Client-Endpoint(66) | 0-1 | 0-1 | 0 | 0
Tunnel-Server-Endpoint(67) | 0-1 | 0-1 | 0 | 0
EAP-Message(79) | 0+ | 0+ | 0+ | 0+
Message-Authenticator(80) | 0-1 | 0-1 | 0-1 | 0-1
Tunnel-Private-Group-ID(81) | 0 | 0-1 | 0-1 | 0
Tunnel-Assignment-Id(82) | 0 | 0-1 | 0 | 0
Acct-Interim-Interval(85) | 0 | 0-1 | 0 | 0
NAS-Port-Id(87) | 0-1 | 0 | 0 | 0
Framed-Pool(88) | 0 | 1 | 0 | 0
Tunnel-Client-Auth-Id(90) | 0 | 0-1 | 0 | 0
Tunnel-Server-Auth-Id(91) | 0 | 0-1 | 0 | 0
NAS-IPv6-Address(95) | 0-1 | 0 | 0 | 0
HW-SecurityStr(195) | 0-1 | 0 | 0 | 0
HW-Input-Peak-Information-Rate(26-1) | 0 | 0-1 | 0 | 0
HW-Input-Committed-Information-Rate(26-2) | 0 | 0-1 | 0 | 0
HW-Input-Committed-Burst-Size(26-3) | 0 | 0-1 | 0 | 0
HW-Output-Peak-Information-Rate(26-4) | 0 | 0-1 | 0 | 0
HW-Output-Committed-Information-Rate(26-5) | 0 | 0-1 | 0 | 0
HW-Output-Committed-Burst-Size(26-6) | 0 | 0-1 | 0 | 0
HW-Remanent-Volume(26-15) | 0 | 0-1 | 0 | 0
HW-Connect-ID(26-26) | 1 | 0 | 0 | 0
HW-FTP-Directory(26-28) | 0 | 0-1 | 0 | 0
HW-Exec-Privilege(26-29) | 0 | 0-1 | 0 | 0
HW-Qos-Data(26-31) | 0 | 0-1 | 0 | 0
HW-NAS-Startup-Time-Stamp(26-59) | 1 | 0 | 0 | 0
HW-IP-Host-Address(26-60) | 1 | 0 | 0 | 0
HW-Primary-WINS(26-75) | 0 | 0-1 | 0 | 0
HW-Second-WINS(26-76) | 0 | 0-1 | 0 | 0
HW-Input-Peak-Burst-Size(26-77) | 0 | 0-1 | 0 | 0
HW-Output-Peak-Burst-Size(26-78) | 0 | 0-1 | 0 | 0
HW-VPN-Instance(26-94) | 0 | 0-1 | 0 | 0
HW-Client-Primary-DNS(26-135) | 0 | 0-1 | 0 | 0
HW-Client-Secondary-DNS(26-136) | 0 | 0-1 | 0 | 0
HW-Domain-Name(26-138) | 1 | 0 | 0 | 0
HW-AP-Information(26-141) | 1 | 0 | 0 | 0
HW-User-Information(26-142) | 0 | 0-1 | 0 | 0
HW-Web-Proxy-Name(26-143) | 0 | 0-1 | 0 | 0
HW-Port-Forward-Name(26-144) | 0 | 0-1 | 0 | 0
HW-IP-Forwarding-Name(26-145) | 0 | 0-1 | 0 | 0
HW-Service-Scheme(26-146) | 0 | 0-1 | 0 | 0
HW-Access-Type(26-153) | 1 | 0-1 | 0 | 0
HW-User-Extend-Info(26-201) | 0-1 | 0 | 0 | 0
HW-Web-Authen-Info(26-237) | 1 | 0 | 0 | 0
HW-User-Addr-Network(26-241) | 0 | 0-1 | 0 | 0
HW-DNS-Domain-Name(26-242) | 0 | 0-1 | 0 | 0
HW-Auto-Update-URL(26-243) | 0 | 0-1 | 0 | 0
HW-Reachable-Detect(26-244) | 0 | 0 | 0 | 0
HW-Version(26-254) | 1 | 0 | 0 | 0
HW-Product-ID(26-255) | 1 | 0 | 0 | 0
MS-MPPE-Send-Key(MICROSOFT-16) | 0 | 0-1 | 0 | 0
MS-MPPE-Recv-Key(MICROSOFT-17) | 0 | 0-1 | 0 | 0
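A check of an Access-Request against the cardinalities in Table 1-13, as an added example (not device code). The rule set transcribes the Access-Request column for a subset of rows, with Huawei sub-attributes keyed "26-N"; attributes outside that subset are treated as unconstrained, which is an assumption. The sample attribute list is constructed, and the RFC 3579 requirement that an EAP-Message be accompanied by a Message-Authenticator is checked on top of the table.

```python
from collections import Counter

VENDOR_SPECIFIC, EAP_MESSAGE, MESSAGE_AUTHENTICATOR, HUAWEI_VENDOR_ID = 26, 79, 80, 2011

# Access-Request column of Table 1-13 (subset, transcribed from the table). Keys are IETF
# attribute numbers or "26-<sub-attribute>" for Huawei vendor-specific attributes.
# Assumption: an attribute the table does not list is unconstrained ("0+").
ACCESS_REQUEST_RULES = {
    1: "1", 2: "0-1", 3: "0-1", 4: "1", 5: "1", 6: "1", 7: "1", 8: "0-1", 11: "0",
    12: "0-1", 24: "0-1", 27: "0", 30: "0-1", 31: "1", 32: "1", 44: "1", 60: "0-1",
    61: "1", 79: "0+", 80: "0-1", 87: "0-1", 95: "0-1",
    "26-26": "1", "26-59": "1", "26-60": "1", "26-138": "1", "26-153": "1",
    "26-201": "0-1", "26-254": "1", "26-255": "1",
}


def allowed(cardinality, n):
    """Table notation: 1 = exactly once, 0 = never, 0-1 = at most once, 0+ = any number."""
    return {"0": n == 0, "1": n == 1, "0-1": n <= 1, "0+": True}[cardinality]


def vsa_keys(value):
    """Expand one Vendor-Specific(26) value into rule keys. RFC 2865 5.26 layout: Vendor-Id
    (4 bytes) followed by one or more Vendor-Type(1) Vendor-Length(1) data sub-attributes."""
    if len(value) < 6:
        raise ValueError("truncated Vendor-Specific attribute")
    vendor = int.from_bytes(value[:4], "big")
    keys, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value) or value[pos + 1] < 2 or pos + value[pos + 1] > len(value):
            raise ValueError("malformed vendor sub-attribute")
        keys.append(f"26-{value[pos]}" if vendor == HUAWEI_VENDOR_ID
                    else f"vendor{vendor}-{value[pos]}")
        pos += value[pos + 1]
    return keys


def check_access_request(attrs, rules=ACCESS_REQUEST_RULES):
    """attrs: list of (type, value bytes) as parsed off the wire. Returns (kept_attrs, problems):
    attributes the table marks 0 are dropped, as the NOTE says the device does, and every
    cardinality violation is reported."""
    keys = []
    for t, v in attrs:
        keys.extend(vsa_keys(v) if t == VENDOR_SPECIFIC else [t])
    counts = Counter(keys)
    problems = [f"{k}: expected {card}, got {counts[k]}"
                for k, card in rules.items() if not allowed(card, counts[k])]
    # RFC 3579 3.2: an Access-Request carrying EAP-Message must carry Message-Authenticator,
    # otherwise the EAP exchange is unauthenticated on the wire.
    if counts[EAP_MESSAGE] and not counts[MESSAGE_AUTHENTICATOR]:
        problems.append("EAP-Message without Message-Authenticator")
    kept = [(t, v) for t, v in attrs if rules.get(t, "0+") != "0"]
    return kept, problems


def vsa(sub, data, vendor=HUAWEI_VENDOR_ID):
    """Encode one vendor sub-attribute inside a Vendor-Specific(26) value."""
    return VENDOR_SPECIFIC, vendor.to_bytes(4, "big") + bytes((sub, len(data) + 2)) + data


def u32(n):
    return n.to_bytes(4, "big")


def sample_request():
    """Constructed attribute list for an 802.1X Access-Request: the attributes Table 1-13 marks
    mandatory, the EAP identity response, and one Filter-Id(11), which the table forbids."""
    return [(1, b"alice@corp"), (4, bytes([10, 1, 1, 1])), (5, u32(0x01001001)), (6, u32(2)),
            (7, u32(1)), (31, b"00e0-fc12-3456"), (32, b"AR1"), (44, b"SESS-0001"), (61, u32(15)),
            (79, bytes([2, 1, 0, 15, 1]) + b"alice@corp"), (11, b"3001"),
            vsa(26, u32(1)), vsa(59, u32(1700000000)), vsa(60, b"10.1.1.10 00:e0:fc:12:34:56"),
            vsa(138, b"corp"), vsa(153, u32(1)), vsa(254, b"V200R010"), vsa(255, b"AR2220")]


def demo():
    kept, problems = check_access_request(sample_request())
    fixed = [a for a in sample_request() if a[0] != 11] + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    return problems, len(kept), check_access_request(fixed)[1]


if __name__ == "__main__":
    print(demo())
```

Run as is, the first request yields two findings (the forbidden Filter-Id and the missing Message-Authenticator) and the offending Filter-Id is dropped from the kept list; after removing Filter-Id and adding Message-Authenticator the request is clean.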

Table 1-14  RADIUS attributes available in accounting packets

Columns: Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop)

Attribute No. | Req Start | Req Interim | Req Stop | Resp Start | Resp Interim | Resp Stop
User-Name(1) | 1 | 1 | 1 | 0 | 0 | 0
NAS-IP-Address(4) | 1 | 1 | 1 | 0 | 0 | 0
NAS-Port(5) | 1 | 1 | 1 | 0 | 0 | 0
Service-Type(6) | 1 | 1 | 1 | 0 | 0 | 0
Framed-Protocol(7) | 1 | 1 | 1 | 0 | 0 | 0
Framed-IP-Address(8) | 1 | 1 | 1 | 0 | 0 | 0
Class(25) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0
Session-Timeout(27) | 0 | 0 | 0 | 0-1 | 0-1 | 0
Called-Station-Id(30) | 1 | 1 | 1 | 0 | 0 | 0
  NOTE: For users who access the network through PPP authentication, this attribute is optional. If the authentication request packet does not carry it, neither does the accounting request packet.
Calling-Station-Id(31) | 1 | 1 | 1 | 0 | 0 | 0
NAS-Identifier(32) | 1 | 1 | 1 | 0 | 0 | 0
Acct-Status-Type(40) | 1 | 1 | 1 | 0 | 0 | 0
Acct-Delay-Time(41) | 0-1 | 1 | 1 | 0 | 0 | 0
Acct-Output-Octets(43) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0
Acct-Session-Id(44) | 1 | 1 | 1 | 0 | 0 | 0
Acct-Authentic(45) | 1 | 1 | 1 | 0 | 0 | 0
Acct-Session-Time(46) | 0 | 1 | 1 | 0 | 0 | 0
Acct-Terminate-Cause(49) | 0 | 0 | 1 | 0 | 0 | 0
Event-Timestamp(55) | 1 | 1 | 1 | 0 | 0 | 0
NAS-Port-Type(61) | 1 | 1 | 1 | 0 | 0 | 0
Tunnel-Client-Endpoint(66) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0
Tunnel-Server-Endpoint(67) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0
Tunnel-Assignment-Id(82) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0
NAS-Port-Id(87) | 1 | 1 | 1 | 0 | 0 | 0
Tunnel-Client-Auth-Id(90) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0
Tunnel-Server-Auth-Id(91) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0
NAS-IPv6-Address(95) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0
HW-Input-Committed-Information-Rate(26-2) | 1 | 1 | 1 | 0 | 0 | 0
HW-Output-Committed-Information-Rate(26-5) | 1 | 1 | 1 | 0 | 0 | 0
HW-Connect-ID(26-26) | 1 | 1 | 1 | 0 | 0 | 0
HW-IP-Host-Address(26-60) | 1 | 1 | 1 | 0 | 0 | 0
HW-Domain-Name(26-138) | 1 | 1 | 1 | 0 | 0 | 0
HW-AP-Information(26-141) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0
HW-User-Information(26-142) | 0 | 0 | 0 | 0-1 | 0-1 | 0
HW-Access-Type(26-153) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0
HW-User-Extend-Info(26-201) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0
HW-Reachable-Detect(26-244) | 0 | 0 | 0 | 0 | 0 | 0
HW-Tariff-Input-Octets(26-247) | 0 | 0-1 | 0-1 | 0 | 0 | 0
HW-Tariff-Output-Octets(26-248) | 0 | 0-1 | 0-1 | 0 | 0 | 0
HW-Tariff-Input-Gigawords(26-249) | 0 | 0-1 | 0-1 | 0 | 0 | 0
HW-Tariff-Output-Gigawords(26-250) | 0 | 0-1 | 0-1 | 0 | 0 | 0
MS-MPPE-Send-Key(MICROSOFT-16) | 0 | 0 | 0 | 0 | 0 | 0
MS-MPPE-Recv-Key(MICROSOFT-17) | 0 | 0 | 0 | 0 | 0 | 0
Table 1-15  RADIUS attributes available in CoA/DM packets

Attribute No. | CoA REQUEST | CoA ACK | CoA NAK | DM REQUEST | DM ACK | DM NAK
User-Name(1) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1
NAS-IP-Address(4) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1
NAS-Port(5) | 0-1 | 0 | 0 | 0-1 | 0 | 0
Framed-IP-Address(8) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1
Filter-Id(11) | 0-1 | 0 | 0 | 0 | 0 | 0
Session-Timeout(27) | 0-1 | 0 | 0 | 0 | 0 | 0
Idle-Timeout(28) | 0-1 | 0 | 0 | 0 | 0 | 0
Termination-Action(29) | 0-1 | 0 | 0 | 0 | 0 | 0
Calling-Station-Id(31) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1
NAS-Identifier(32) | 0 | 0-1 | 0-1 | 0 | 0 | 0
Acct-Session-Id(44) | 1 | 1 | 1 | 1 | 1 | 1
Tunnel-Type(64) | 0-1 | 0 | 0 | 0 | 0 | 0
Tunnel-Medium-Type(65) | 0-1 | 0 | 0 | 0 | 0 | 0
Tunnel-Private-Group-ID(81) | 0-1 | 0 | 0 | 0 | 0 | 0
Acct-Interim-Interval(85) | 0-1 | 0 | 0 | 0 | 0 | 0
NAS-Port-Id(87) | 0-1 | 0 | 0 | 0-1 | 0 | 0
HW-Input-Peak-Information-Rate(26-1) | 0-1 | 0 | 0 | 0 | 0 | 0
HW-Input-Committed-Information-Rate(26-2) | 0-1 | 0 | 0 | 0 | 0 | 0
HW-Output-Peak-Information-Rate(26-4) | 0-1 | 0 | 0 | 0 | 0 | 0
HW-Output-Committed-Information-Rate(26-5) | 0-1 | 0 | 0 | 0 | 0 | 0
HW-Output-Committed-Burst-Size(26-6) | 0-1 | 0 | 0 | 0 | 0 | 0
HW-Qos-Data(26-31) | 0-1 | 0 | 0 | 0 | 0 | 0
HW-Input-Peak-Burst-Size(26-77) | 0-1 | 0 | 0 | 0 | 0 | 0
HW-Output-Peak-Burst-Size(26-78) | 0-1 | 0 | 0 | 0 | 0 | 0
HW-Service-Scheme(26-146) | 0-1 | 0 | 0 | 0 | 0 | 0
MS-MPPE-Send-Key(MICROSOFT-16) | 0 | 0 | 0 | 0 | 0 | 0
MS-MPPE-Recv-Key(MICROSOFT-17) | 0 | 0 | 0 | 0 | 0 | 0

RADIUS Attribute Disablement and Translation

Different vendors support different collections of RADIUS attributes, and each vendor may define its own private attributes. As a result, RADIUS attributes of different vendors may be incompatible, and RADIUS attributes sent between devices from different vendors may fail to be parsed. To resolve this issue, the RADIUS attribute disablement and translation functions are often used in interconnection and replacement scenarios.

RADIUS Attribute Disablement

The RADIUS server may use RADIUS attributes that have the same attribute IDs and names as those on the device but a different encapsulation format or content. In this case, you can configure the RADIUS attribute disablement function to disable such attributes. The device then does not parse these attributes after receiving them from the RADIUS server, and does not encapsulate these attributes into RADIUS packets to be sent to the server.

Currently, Huawei-supported RADIUS attributes (with Huawei-supported attribute names and IDs) in a sent or received packet can be disabled on a device.

RADIUS Attribute Translation

RADIUS attribute translation is used to achieve compatibility between RADIUS attributes defined by different vendors. For example, a Huawei device delivers the priority of an administrator using the Huawei proprietary attribute Exec-Privilege (26-29), whereas another vendor's NAS and the RADIUS server deliver this priority using the Login-service(15) attribute. In a scenario where the Huawei device and another vendor's NAS share one RADIUS server, users want the Huawei device to be compatible with the Login-service(15) attribute. After RADIUS attribute translation is configured on the Huawei device, the device automatically processes the Login-service(15) attribute in a received RADIUS authentication response packet as the Exec-Privilege (26-29) attribute.

Devices translate RADIUS attributes in a sent or received packet based on the Type, Length, and Value fields of the RADIUS attributes.
  • If translation between attributes A and B is configured in the transmit direction on the device and the device sends a packet containing attribute A, the Type field of the attribute carries attribute B's type, but the Value field is encapsulated based on the content and format of attribute A.
  • If translation between attributes A and B is configured in the receive direction on the device and the device receives a packet containing attribute A, it parses the Value field of attribute A as that of attribute B. In effect, after attribute translation is configured, the device behaves as if it had received a packet containing attribute B instead of attribute A.

Huawei-supported and non-Huawei-supported RADIUS attributes can be translated into each other. Table 1-16 shows the mode for translating Huawei-supported and non-Huawei-supported RADIUS attributes into each other.

NOTE:
  • The device can translate a RADIUS attribute of another vendor only if the length of the Type field in the attribute is 1 octet.
  • The device can translate a RADIUS attribute only when the data type of the source RADIUS attribute is the same as that of the destination RADIUS attribute. For example, the NAS-Identifier and NAS-Port-Id attributes are both of type string, so they can be translated into each other. The NAS-Identifier and NAS-Port attributes are of type string and integer respectively, so they cannot be translated into each other.

Table 1-16  RADIUS attribute translation mode

Whether Huawei Supports the Source RADIUS Attribute | Whether Huawei Supports the Destination RADIUS Attribute | Supported Translation Direction | Configuration Command (RADIUS Server Template View, shown on the line below each row)

Supported | Supported | Transmit and receive directions
    radius-attribute translate src-attribute-name dest-attribute-name { receive | send | access-accept | access-request | account-request | account-response } *

Supported | Not supported | Transmit direction
    radius-attribute translate extend src-attribute-name vendor-specific dest-vendor-id dest-sub-id { access-request | account-request } *

Not supported | Supported | Receive direction
    radius-attribute translate extend vendor-specific src-vendor-id src-sub-id dest-attribute-name { access-accept | account-response } *
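
The following Python model is added here as an illustration of the disablement and translation behaviour described above; it is not Huawei's software or part of the original document. It encodes and parses RADIUS attribute lists, including Vendor-Specific attributes in the RFC 2865 Type/Length/Vendor-Id/sub-type form used for the "26-x" attributes in the tables, refuses a translation between attributes whose data types differ (the NAS-Identifier/NAS-Port case from the note), drops disabled attributes in both directions, and plays through the shared-server scenario from the text, in which Login-Service(15) in a received Access-Accept is processed as Exec-Privilege (26-29). Assumptions not taken from this page: Huawei's vendor ID 2011 (its IANA enterprise number), the integer data type of Login-Service and Exec-Privilege, the sample privilege value 3, and all class and function names, which are hypothetical.

```python
# NAS-side model of RADIUS attribute disablement and translation (added example,
# not Huawei code). Standard attributes are keyed by number, vendor-specific
# ones by (26, vendor-id, sub-id), which is how RFC 2865 carries them on the wire.
import struct

VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
HUAWEI_VENDOR_ID = 2011  # Huawei's IANA enterprise number (assumption: not stated on this page)
EXEC_PRIVILEGE = (VENDOR_SPECIFIC, HUAWEI_VENDOR_ID, 29)  # Exec-Privilege (26-29)

# The string/integer types of NAS-Identifier, NAS-Port-Id and NAS-Port come from
# the text; Login-Service and Exec-Privilege being integers is assumed here.
ATTRS = {
    5: ("NAS-Port", "integer"),
    15: ("Login-Service", "integer"),
    32: ("NAS-Identifier", "string"),
    87: ("NAS-Port-Id", "string"),
    EXEC_PRIVILEGE: ("Exec-Privilege", "integer"),
}

def encode_value(dtype, value):
    return struct.pack("!I", value) if dtype == "integer" else value.encode()

def decode_value(dtype, raw):
    return struct.unpack("!I", raw)[0] if dtype == "integer" else raw.decode()

def build_avp(key, raw):
    """Serialize one AVP from already-encoded value bytes. A vendor key becomes a
    Vendor-Specific AVP: Type=26, Length, Vendor-Id, sub-type, sub-length, value."""
    if isinstance(key, tuple):
        _, vendor_id, sub_id = key
        payload = struct.pack("!IBB", vendor_id, sub_id, len(raw) + 2) + raw
        return struct.pack("!BB", VENDOR_SPECIFIC, len(payload) + 2) + payload
    return struct.pack("!BB", key, len(raw) + 2) + raw

def parse_avps(data):
    """Return [(key, raw_value)] for an attribute list, unpacking VSAs into
    (26, vendor-id, sub-id) keys. Every length field is bounds-checked first,
    so a malformed packet raises instead of being read past its end."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("bad AVP length at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        body = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(body) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor_id, j = struct.unpack("!I", body[:4])[0], 4
            while j + 2 <= len(body):
                sub_id, sub_len = body[j], body[j + 1]
                if sub_len < 2 or j + sub_len > len(body):
                    raise ValueError("bad VSA sub-length")
                out.append(((VENDOR_SPECIFIC, vendor_id, sub_id), body[j + 2:j + sub_len]))
                j += sub_len
        else:
            out.append((atype, body))
        i += alen
    return out

def is_translatable(src, dst):
    # Per the note in the text: only attributes of the same data type can be translated.
    return ATTRS[src][1] == ATTRS[dst][1]

class AttributeProcessor:
    """Models 'radius-attribute disable' and 'radius-attribute translate' on the device."""
    def __init__(self):
        self.disabled = set()  # never encapsulated when sending, not parsed when received
        self.rules = {}        # (direction, src_key) -> dst_key

    def disable(self, key):
        self.disabled.add(key)

    def add_translation(self, src, dst, direction):
        if not is_translatable(src, dst):
            raise ValueError("%s and %s differ in type" % (ATTRS[src][0], ATTRS[dst][0]))
        self.rules[(direction, src)] = dst

    def send(self, attrs):
        """[(key, value)] -> wire bytes. In the transmit direction the Value stays
        encoded in A's format, but the Type written on the wire is B's."""
        out = b""
        for key, value in attrs:
            if key not in self.disabled:
                raw = encode_value(ATTRS[key][1], value)
                out += build_avp(self.rules.get(("send", key), key), raw)
        return out

    def receive(self, data):
        """wire bytes -> [(name, value)]. In the receive direction A's Value is parsed
        as B's; disabled attributes are dropped unparsed; unknown ones are kept raw."""
        result = []
        for key, raw in parse_avps(data):
            if key in self.disabled:
                continue
            key = self.rules.get(("receive", key), key)
            if key in ATTRS:
                name, dtype = ATTRS[key]
                result.append((name, decode_value(dtype, raw)))
            else:
                result.append((key, raw))
        return result

def shared_server_scenario():
    """The text's case: the shared server delivers administrator privilege as
    Login-Service(15); the Huawei device processes it as Exec-Privilege (26-29)."""
    dev = AttributeProcessor()
    dev.add_translation(15, EXEC_PRIVILEGE, "receive")
    # Constructed Access-Accept attribute list; the value 3 is a sample only.
    return dev.receive(build_avp(15, encode_value("integer", 3)))
```

`shared_server_scenario()` returns `[("Exec-Privilege", 3)]`: the attribute arrived on the wire with Type 15, and only the dictionary entry under which its Value is interpreted changed. That is also why the bounds checks in `parse_avps` sit before any translation or disablement logic: a rule alters interpretation, not framing, so AVP and VSA lengths that overrun the packet must be rejected before a value is ever decoded.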

Updated: 2019-08-07

Document ID: EDOC1100034077
