No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Domain-based User Management

Example for Configuring Domain-based User Management

Networking Requirements

As shown in Figure 1-31, enterprise users access the network through Router. The user names do not contain any domain names.

The enterprise requires that common users access the network and obtain rights after passing RADIUS authentication and that administrators log in to the device for management only after passing local authentication on Router.

Figure 1-31  Configuring domain-based user management

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VLAN and a VLANIF interface for Router to communicate with the RADIUS server.
  2. Configure authentication and accounting schemes for common users and apply the schemes to the default domain to authenticate common users, such as users using 802.1X authentication. The user names of the users do not contain domain names.
  3. Configure authentication and authorization schemes for administrators and apply the schemes to the default_admin domain to authenticate administrators, such as a user logging in through Telnet, SSH, or FTP. The user names of administrators do not contain domain names.
NOTE:

Ensure that users have been configured on the RADIUS server. In this example, the user with the user name test1 and password 123456 has been configured on the RADIUS server.

This example provides only the configuration for Router. The configurations of the RADIUS server are not described here.

Procedure

  1. Create a VLAN and configure interfaces.

    # Create VLAN 11 on Router.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 11
    

    # Set the link type of Eth2/0/1 of Router that is connected to the RADIUS server to access, and add Eth2/0/1 to VLAN 11.

    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] port link-type access
    [Router-Ethernet2/0/1] port default vlan 11
    [Router-Ethernet2/0/1] quit

    # Create VLANIF 11, and configure the IP address of 192.168.2.29/24 for VLANIF 11.

    [Router] interface vlanif 11
    [Router-Vlanif11] ip address 192.168.2.29 24
    [Router-Vlanif11] quit
    

  2. Configure RADIUS AAA for common users who use 802.1X authentication.

    NOTE:

    Ensure that the shared key in the RADIUS server template is the same as that set on the RADIUS server.

    # Configure a RADIUS server template named rd1.

    [Router] radius-server template rd1
    [Router-radius-rd1] radius-server authentication 192.168.2.30 1812
    [Router-radius-rd1] radius-server accounting 192.168.2.30 1813
    [Router-radius-rd1] radius-server shared-key cipher Huawei@2012
    [Router-radius-rd1] radius-server retransmit 2
    [Router-radius-rd1] quit

    # Create authentication and accounting schemes both named abc, and set the authentication and accounting modes to RADIUS.

    [Router] aaa
    [Router-aaa] authentication-scheme abc
    [Router-aaa-authen-abc] authentication-mode radius
    [Router-aaa-authen-abc] quit
    [Router-aaa] accounting-scheme abc
    [Router-aaa-accounting-abc] accounting-mode radius
    [Router-aaa-accounting-abc] quit

    # Test connectivity between Router and the RADIUS server. Ensure that the test1 user with the password 123456 has been configured on the RADIUS server.

    [Router-aaa] test-aaa test1 123456 radius-template rd1

    # Apply the authentication scheme abc, accounting schemes abc, and RADIUS server template rd1 to the default domain.

    [Router-aaa] domain default
    [Router-aaa-domain-default] authentication-scheme abc
    [Router-aaa-domain-default] accounting-scheme abc
    [Router-aaa-domain-default] radius-server rd1
    [Router-aaa-domain-default] quit
    [Router-aaa] quit

    # Enable 802.1X authentication on GE2/0/0.

    [Router] dot1x-access-profile name d1
    [Router-dot1x-access-profile-d1] quit
    [Router] authentication-profile name p1
    [Router-authen-profile-p1] dot1x-access-profile d1
    [Router-authen-profile-p1] authentication mode multi-authen max-user 100
    [Router-authen-profile-p1] quit
    [Router] vlan batch 10
    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type access
    [Router-Ethernet2/0/0] port default vlan 10 
    [Router-Ethernet2/0/0] authentication-profile p1
    [Router-Ethernet2/0/0] quit

    # Set the global default domain for common users to default. After common users enter their user names in the format of user@default, the device performs AAA authentication for the users in the default domain. If a user name does not contain a domain name or contains a non-existing domain name, the device authenticates the common user in the default domain for common users.

    [Router] domain default

  3. Configure local authentication and authorization for the administrator test.

    # Configure the device to use AAA for the Telnet user that logs in through the VTY user interface.

    [Router] telnet server enable
    [Router] user-interface vty 0 14
    [Router-ui-vty0-14] authentication-mode aaa 
    [Router-ui-vty0-14] quit
    

    # Configure a local user named test with password admin@12345, and set the user level to 3.

    [Router] aaa
    [Router-aaa] local-user test password irreversible-cipher admin@12345 privilege level 3

    # Set the access type of test to Telnet.

    [Router-aaa] local-user test service-type telnet

    # Configure local account locking. Set the retry interval to 5 minutes, the maximum number of consecutive authentication failures to 3, and the local account locking duration to 5 minutes.

    [Router-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5

    # Create an authentication scheme named auth, and configure the authentication scheme to use local authentication.

    [Router-aaa] authentication-scheme auth
    [Router-aaa-authen-auth] authentication-mode local
    [Router-aaa-authen-auth] quit

    # Create an authorization scheme named autho, and configure the authorization scheme to use local authorization.

    [Router-aaa] authorization-scheme autho
    [Router-aaa-author-autho] authorization-mode local
    [Router-aaa-author-autho] quit

    # Apply the authentication scheme auth and authorization scheme autho to the default_admin domain.

    [Router-aaa] domain default_admin
    [Router-aaa-domain-default_admin] authentication-scheme auth
    [Router-aaa-domain-default_admin] authorization-scheme autho
    [Router-aaa-domain-default_admin] quit
    [Router-aaa] quit
    

    # Set the global default domain for administrators to default_admin. After administrators enter user names in the format of user@default_admin, the device performs AAA authentication for the administrators in the default_admin domain. If the user name of an administrator does not contain a domain name or contains a non-existing domain name, the device authenticates the administrator in the default domain for administrators.

    [Router] domain default_admin admin
    [Router] quit
    

  4. Verify the configuration.

    # Run the display dot1x interface command on Router to verify the 802.1X authentication configuration.

    # If you log in as a common user, enter the user name test1 and password 123456 on an 802.1X client, and run the display access-user domain and display access-user user-id commands to check the domain to which you belong and your access type.

    <Router> display access-user domain default
     ------------------------------------------------------------------------------
     UserID Username             IP address             MAC               Status
     ------------------------------------------------------------------------------
     16040  test1                -                      00e0-4c97-31f6    Success
     ------------------------------------------------------------------------------
     Total: 1, printed: 1
    <Router> display access-user user-id 16040
    Basic:
      User id                         : 16040
      User name                       : test1
      Domain-name                     : default
      User MAC                        : 00e0-4c97-31f6
      User IP address                 : -
      User IPv6 address               : -
      User access time                : 2009/02/15 19:10:52
      User accounting session ID      : huawei255255000000000f****2016040
      Option82 information            : -
      User access type                : 802.1x
    
    AAA:
      User authentication type        : 802.1x authentication
      Current authentication method   : RADIUS
      Current authorization method    : -
      Current accounting method       : RADIUS

    # If you log in through Telnet, enter the user name test and password admin@12345, and run the display access-user domain and display access-user user-id commands to check the domain to which you belong and your access type.

    <Router> display access-user domain default_admin
     ------------------------------------------------------------------------------
     UserID Username             IP address             MAC               Status
     ------------------------------------------------------------------------------
     16009  test                 10.135.18.217          -                 Success
     ------------------------------------------------------------------------------
     Total: 1, printed: 1
    <Router> display access-user user-id 16009
    Basic:
      User id                         : 16009
      User name                       : test
      Domain-name                     : default_admin
      User MAC                        : -
      User IP address                 : 10.135.18.217
      User IPv6 address               : -
      User access time                : 2009/02/15 05:10:52
      User accounting session ID      : huawei255255000000000f****2016009
      Option82 information            : -
      User access type                : Telnet
    
    AAA:
      User authentication type        : Administrator authentication
      Current authentication method   : Local
      Current authorization method    : Local
      Current accounting method       : None

Configuration File

Router configuration file

#
sysname Router
#
vlan batch 10 to 11
#
authentication-profile name p1
 dot1x-access-profile d1
 authentication mode multi-authen max-user 100
#
radius-server template rd1
 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
 radius-server accounting 192.168.2.30 1813 weight 80
 radius-server retransmit 2
#
aaa
 authentication-scheme abc
  authentication-mode radius
 authentication-scheme auth
 authorization-scheme autho
 accounting-scheme abc
  accounting-mode radius
 domain default
  authentication-scheme abc
  accounting-scheme abc
  radius-server rd1
 domain default_admin
  authentication-scheme auth
  authorization-scheme autho
 local-user test password irreversible-cipher $1a$KQje%Ip2q/$bBk."}ISO@KQje%Ip2q/$bBk."}ISO@$
 local-user test privilege level 3
 local-user test service-type telnet
#
interface Vlanif11
 ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 10
 authentication-profile p1
# 
interface Ethernet2/0/1
 port link-type access
 port default vlan 11
#
 telnet server enable
#
user-interface vty 0 14
 authentication-mode aaa
# 
dot1x-access-profile name d1
#  
return
Translation
Download
Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 135228

Downloads: 244

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next