CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Using RADIUS to Perform Authentication, Authorization, and Accounting

RADIUS Authentication, Authorization, and Accounting

Remote Authentication Dial-In User Service (RADIUS) is often used to implement authentication, authorization, and accounting (AAA). It uses the client/server model and prevents unauthorized access to networks that require high security and control of remote user access.

Configuration Procedure

Configuring an AAA Scheme

Context

An AAA scheme defines the authentication, authorization, and accounting modes used by users. If RADIUS AAA is used, set the authentication mode to RADIUS in the authentication scheme, and set the accounting mode to RADIUS in the accounting scheme. RADIUS authentication is combined with authorization and cannot be separated. If authentication succeeds, authorization also succeeds. If RADIUS authentication is used, you do not need to configure an authorization scheme.

To prevent authentication failures caused by no response from a single authentication mode, configure local authentication or non-authentication as the backup authentication mode in the authentication scheme.

NOTE:

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.

      By default, two authentication schemes named default and radius are available on the device. The two schemes can only be modified, but cannot be deleted.

    4. Run authentication-mode radius

      The authentication mode is set to RADIUS.

      By default, local authentication is used.

      To configure local authentication as the backup authentication mode, run the authentication-mode radius local command.

    5. Run quit

      Return to the AAA view.

    6. (Optional) Configure the account locking function.

      1. Run remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time

        The remote AAA authentication account locking function is enabled, and the authentication retry interval, maximum number of consecutive authentication failures, and account locking period are configured.

        By default, the remote AAA account locking function is enabled, the authentication retry interval is 300 minutes, the maximum number of consecutive authentication failures is 30, and the account locking period is 30 minutes.

      2. Run aaa-quiet administrator except-list { ipv4-address | ipv6-address } &<1-32>

        Users logging in from the specified IP addresses can still access the network when the user account is locked.

        By default, a user cannot access the network if the user account is locked.

        You can run the display aaa-quiet administrator except-list command to query the specified IP addresses.

      3. Run remote-user authen-fail unblock { all | username username }

        A remote AAA authentication account that has failed authentication is unlocked.

    7. (Optional) Run aaa-author session-timeout invalid-value enable

      The device is disabled from disconnecting or reauthenticating users when the RADIUS server delivers the Session-Timeout attribute with value 0.

      By default, when the RADIUS server delivers the Session-Timeout attribute with value 0, this attribute does not take effect.

    8. Run quit

      Return to the system view.

    9. (Optional) Run aaa-authen-bypass enable time time-value

      The bypass authentication timeout interval is configured.

      By default, the bypass authentication function is disabled.

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.

      By default, the accounting scheme named default is available on the device. This scheme can only be modified, but cannot be deleted.

    4. Run accounting-mode radius

      The accounting mode is set to RADIUS.

      By default, the accounting mode is none.

    5. (Optional) Configure policies for accounting failures.

      • Configure a policy for accounting-start failures.

        Run accounting start-fail { offline | online }

        A policy for accounting-start failures is configured.

        By default, users cannot go online if accounting-start fails.

      • Configure a policy for real-time accounting failures.

        1. Run accounting realtime interval

          The real-time accounting function is enabled, and the interval for real-time accounting is configured.

          By default, the device performs accounting based on the user online duration, and the real-time accounting function is disabled.

        2. Run accounting interim-fail [ max-times times ] { offline | online }

          The maximum number of real-time accounting failures and a policy used after the number of real-time accounting failures exceeds the maximum are configured.

          By default, the maximum number of real-time accounting failures is 3, and the device keeps users online after the number of real-time accounting failures exceeds the maximum.

      • Configure a policy for accounting-stop failures.

        1. Run quit

          Return to the AAA view.

        2. Run quit

          Return to the system view.

        3. Run radius-server template template-name

          The RADIUS server template view is displayed.

        4. Run radius-server accounting-stop-packet resend [ resend-times ]

          Retransmission of accounting-stop packets is enabled, and the number of accounting-stop packets that can be retransmitted each time is configured.

          By default, retransmission of accounting-stop packets is enabled, and the number of retransmissions is 3.

    6. (Optional) Run quit

      Return to the system view.

    7. (Optional) Run authentication-profile name authentication-profile-name

      The authentication profile view is displayed.

      By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

    8. (Optional) Run authentication { roam-accounting | update-ip-accounting } * enable

      The device is configured to send accounting packets upon roaming and address updating.

      By default, the device sends accounting packets upon roaming and address updating.

      After the roaming accounting function is enabled for multi-link accounting users, you need to run the authentication roam-accounting update-session-mode command to enable the accounting session update mode during roaming accounting.
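The account locking rule in step 6 of the authentication scheme procedure (retry interval, maximum consecutive failures, locking period, and the except-list of source addresses) modelled in Python, as an added example that is not Huawei code. The defaults mirror the page (300 minutes, 30 failures, 30 minutes); that failures are counted within one retry interval and that the except-list is matched per source address are assumptions, as are the user names and addresses.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, Optional, Set


@dataclass
class LockoutPolicy:
    """Parameters of remote-aaa-user authen-fail ... and aaa-quiet administrator except-list."""
    retry_interval: int = 300          # minutes, page default
    retry_time: int = 30               # consecutive failures before locking, page default
    block_time: int = 30               # minutes the account stays locked, page default
    except_list: Set[str] = field(default_factory=set)   # addresses still allowed while locked

    def __post_init__(self):
        # normalise textual addresses so IPv4 and IPv6 compare correctly
        self.except_list = {ip_address(a) for a in self.except_list}


@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: Optional[float] = None   # start of the current retry interval
    blocked_until: Optional[float] = None


class RemoteAaaLockout:
    """Tracks consecutive remote AAA authentication failures per user name.
    All times are minutes since an arbitrary epoch."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_blocked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.blocked_until is None:
            return False
        if now < st.blocked_until:
            return True
        # Block period expired: the account is usable again and counters restart.
        self.accounts[user] = AccountState()
        return False

    def allow_attempt(self, user: str, src_ip: str, now: float) -> bool:
        """Should the device forward this login to the RADIUS server?
        Addresses on the except-list are still allowed while the account is locked
        (assumption: the list is matched against the login's source address)."""
        if not self.is_blocked(user, now):
            return True
        return ip_address(src_ip) in self.policy.except_list

    def record_result(self, user: str, success: bool, now: float) -> None:
        st = self._state(user)
        if success:
            st.failures, st.first_failure_at = 0, None
            return
        # Failures only count as consecutive inside one retry interval (assumption).
        if st.first_failure_at is None or now - st.first_failure_at > self.policy.retry_interval:
            st.failures, st.first_failure_at = 0, now
        st.failures += 1
        if st.failures >= self.policy.retry_time:
            st.blocked_until = now + self.policy.block_time
            st.failures, st.first_failure_at = 0, None

    def unblock(self, user: Optional[str] = None) -> None:
        """Equivalent of remote-user authen-fail unblock { all | username username }."""
        for u in ([user] if user else list(self.accounts)):
            self.accounts[u] = AccountState()
```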

Verifying the Configuration
  • Run the display authentication-scheme [ authentication-scheme-name ] command to view the authentication scheme configuration.
  • Run the display accounting-scheme [ accounting-scheme-name ] command to view the accounting scheme configuration.

Configuring a RADIUS Server Template

Context

You can specify the RADIUS server connected to the device in a RADIUS server template. Such a template contains the server IP address, port number, source interface, and shared key settings.

The settings in a RADIUS server template must be the same as those on the RADIUS server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Configure RADIUS authentication and accounting servers.

    • Configure a RADIUS authentication server.

      Command:
      • IPv4 server: radius-server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *
      • IPv6 server: radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *

      Remarks: By default, no RADIUS authentication server is configured.

    • Configure a RADIUS accounting server.

      Command:
      • IPv4 server: radius-server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *
      • IPv6 server: radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *

      Remarks: By default, no RADIUS accounting server is configured.

  4. Run radius-server shared-key cipher key-string

    The shared key of the RADIUS server is configured.

    By default, the shared key of a RADIUS server is huawei.

    NOTE:

    When a RADIUS server is configured in multiple RADIUS server templates:

    • If the RADIUS server templates use different shared keys, you need to configure the shared keys in each RADIUS server template view.
    • If the RADIUS server templates use the same shared key, you can configure the shared key in the system view using the radius-server ip-address { ipv4-address | ipv6-address } shared-key cipher key-string command.
    • When shared keys are configured in both the RADIUS server template view and system view, the configuration in the system view takes effect.

  5. (Optional) Run radius-server algorithm { loading-share | master-backup } [ based-user ]

    The algorithm for selecting RADIUS servers is configured.

    By default, the algorithm for selecting RADIUS servers is primary/secondary (specified by master-backup).

    When multiple authentication or accounting servers are configured in a RADIUS server template, the device selects RADIUS servers based on the configured algorithm and the weight configured for each server.
    • When the algorithm for selecting RADIUS servers is set to primary/secondary, the server with a larger weight is the primary server. If servers have the same weight, the server configured first is the primary server.

    • If the algorithm for selecting RADIUS servers is set to load balancing, packets are sent to RADIUS servers according to weights of the servers.

  6. (Optional) Run radius-server { retransmit retry-times | timeout time-value } *

    The number of times that RADIUS request packets are retransmitted and the timeout interval are set.

    By default, RADIUS request packets can be retransmitted three times, and the timeout interval is 5 seconds.

  7. (Optional) Configure the format of the user name in packets sent from the device to the RADIUS server.

    • Run radius-server user-name domain-included

      The device is configured to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server.

    • Run radius-server user-name original

      The device is configured not to modify the user name entered by a user in the RADIUS packets sent to a RADIUS server.

    • Run undo radius-server user-name domain-included

      The device is configured not to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server.

    • Run undo radius-server user-name domain-included except-eap

      The device is configured not to encapsulate the domain name in the user name in the RADIUS packets sent to a RADIUS server (applicable to other authentication modes except EAP authentication).

    By default, the device does not modify the user name entered by a user in the RADIUS packets sent to a RADIUS server.

  8. (Optional) Run radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

    The traffic unit used by the RADIUS server is configured.

    By default, the RADIUS traffic unit is byte on the device.

  9. (Optional) Run radius-attribute service-type with-authenonly-reauthen

    The reauthentication mode is set to reauthentication only.

    By default, the reauthentication mode is reauthentication and reauthorization.

    This function takes effect when the Service-Type attribute on the RADIUS server is set to Authenticate Only.

Verifying the Configuration

Run the display radius-server configuration [ template template-name ] command to check the RADIUS server template configuration.

Verifying the Connectivity Between the Device and RADIUS Server

Run the test-aaa user-name user-password radius-template template-name [ chap | pap | accounting [ start | realtime | stop ] ] command to check the connectivity between the device and the RADIUS authentication or accounting server. The authentication or accounting server can perform authentication or accounting for users only when it is reachable from the device.

If an error message is displayed in the command output, troubleshoot the fault by referring to Testing Whether a User Can Pass RADIUS Authentication or Accounting.

(Optional) Configuring the RADIUS Server Status Detection Function

Context

A device can detect the RADIUS server status using the RADIUS server status detection function. If the RADIUS server status is Down, users can obtain escape rights. If the RADIUS server status reverts to Up, escape rights are removed from the users and the users are reauthenticated.

Procedure

  • Configure conditions for setting the RADIUS server status to Down.

    • Conditions for setting the RADIUS server status to Down during the RADIUS server status detection.

      1. Run system-view

        The system view is displayed.

      2. Run radius-server { dead-interval dead-interval | dead-count dead-count }

        The RADIUS server detection interval and maximum number of consecutive unacknowledged packets in each detection interval are configured.

      3. Run the return command to return to the user view.

  • (Optional) Configure the automatic detection function.

    1. Run system-view

      The system view is displayed.

    2. Run radius-server template template-name

      The RADIUS server template view is displayed.

    3. Run radius-server testuser username user-name password cipher password

      A user account for automatic RADIUS server detection is created.

      By default, no RADIUS template-based user account for automatic detection is configured.

      After the user account for automatic RADIUS server detection is created, the automatic detection function is enabled.

    4. (Optional) Run radius-server detect-server interval interval

      The automatic detection interval for RADIUS servers is configured.

      By default, the automatic detection interval for RADIUS servers is 60 seconds.

    5. Run the return command to return to the user view.

  • (Optional) Configure the duration for which a RADIUS server remains Down, that is, configure the Force-up timer.

    NOTE:

    After the RADIUS server status is set to Force-up, if automatic detection is enabled, the device immediately sends a detection packet. If the device receives a response packet from the RADIUS server within the timeout period, the device sets the RADIUS server status to Up; otherwise, the device sets the RADIUS server status to Down.

    1. Run system-view

      The system view is displayed.

    2. Run radius-server template template-name

      The RADIUS server template view is displayed.

    3. Run radius-server dead-time dead-time

      The Force-up timer for RADIUS servers is configured.

      By default, the Force-up timer for RADIUS servers is 5 minutes.

    4. Run the return command to return to the user view.

  • (Optional) Configure status synchronization between RADIUS authentication and accounting servers.

    1. Run system-view

      The system view is displayed.

    2. Run the radius-server dead-detect-condition by-server-ip command to configure IP address-based automatic detection for RADIUS servers.

      By default, RADIUS authentication and accounting servers are detected separately. After this function is configured, RADIUS authentication and accounting servers with the same IP address in the same VPN instance are detected together and their statuses are updated at the same time.

    3. Run the return command to return to the user view.
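The status transitions the settings above control (dead-interval and dead-count marking a server Down, the dead-time Force-up timer, the automatic detection packet sent with the testuser account, and by-server-ip status sharing) written out as a small state machine in Python. This is an added example, not Huawei code: dead-interval and dead-count values are constructed, and how unacknowledged packets are windowed inside one detection interval is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UP, DOWN, FORCE_UP = "Up", "Down", "Force-up"


@dataclass
class DetectionConfig:
    dead_interval: float = 5.0   # seconds, radius-server dead-interval (value constructed)
    dead_count: int = 2          # unacknowledged packets per interval, radius-server dead-count (constructed)
    dead_time: float = 300.0     # Force-up timer, radius-server dead-time, page default 5 minutes
    auto_detect: bool = False    # True once a radius-server testuser account exists
    by_server_ip: bool = False   # radius-server dead-detect-condition by-server-ip


@dataclass
class ServerState:
    status: str = UP
    unacked: int = 0
    window_start: Optional[float] = None
    down_since: Optional[float] = None


class RadiusServerMonitor:
    def __init__(self, cfg: DetectionConfig):
        self.cfg = cfg
        self.states: Dict[Tuple, ServerState] = {}

    def key(self, ip: str, role: str, vpn: str = "default") -> Tuple:
        # With by-server-ip, authentication and accounting servers that share an
        # IP address in the same VPN instance share one status entry.
        return (ip, vpn) if self.cfg.by_server_ip else (ip, vpn, role)

    def _st(self, ip, role, vpn="default") -> ServerState:
        return self.states.setdefault(self.key(ip, role, vpn), ServerState())

    def status(self, ip, role, vpn="default") -> str:
        return self._st(ip, role, vpn).status

    def request_unacknowledged(self, ip, role, now, vpn="default") -> str:
        """A request to the server timed out (after the retransmit/timeout settings)."""
        st = self._st(ip, role, vpn)
        if st.status == FORCE_UP:
            return self._mark_down(st, now)        # the trial after Force-up failed
        if st.status == DOWN:
            return DOWN
        if st.window_start is None or now - st.window_start > self.cfg.dead_interval:
            st.window_start, st.unacked = now, 0   # new detection interval (windowing assumed)
        st.unacked += 1
        if st.unacked >= self.cfg.dead_count:
            return self._mark_down(st, now)
        return st.status

    def request_acknowledged(self, ip, role, now, vpn="default") -> str:
        """Any response from the server proves it reachable."""
        st = self._st(ip, role, vpn)
        st.unacked, st.window_start, st.down_since = 0, None, None
        st.status = UP
        return UP

    def tick(self, now) -> List[Tuple]:
        """Expire the Force-up timer. Returns the keys for which a detection packet
        (using the testuser account) must be sent now, i.e. when auto-detect is on."""
        probes = []
        for key, st in self.states.items():
            if st.status == DOWN and now - st.down_since >= self.cfg.dead_time:
                st.status, st.down_since = FORCE_UP, None
                if self.cfg.auto_detect:
                    probes.append(key)
        return probes

    def probe_result(self, ip, role, responded, now, vpn="default") -> str:
        """Outcome of the detection packet sent after Force-up."""
        if responded:
            return self.request_acknowledged(ip, role, now, vpn)
        return self._mark_down(self._st(ip, role, vpn), now)

    @staticmethod
    def _mark_down(st: ServerState, now) -> str:
        st.status, st.down_since = DOWN, now
        st.unacked, st.window_start = 0, None
        return DOWN
```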

Verifying the Configuration
  • Run the display radius-server { dead-interval | dead-count } command to check configuration information about the RADIUS server detection interval and maximum number of consecutive unacknowledged packets in each detection interval.
  • Run the display radius-server configuration command to check configuration information about the user account for automatic detection, detection interval, and timeout period for detection packets in the RADIUS server template.

Follow-up Procedure

  1. Run the authentication event authen-server-down action authorize command in the authentication profile view to configure the user escape function if the authentication server goes Down. For details, see (Optional) Configuring Authentication Event Authorization Information in NAC Configuration.
  2. Run the authentication event authen-server-up action re-authen command in the authentication profile view to configure the reauthentication function after the authentication server reverts to the Up status. For details, see (Optional) Configuring Re-authentication for Users in NAC Configuration.

(Optional) Configuring RADIUS Attributes

Disabling or Translating RADIUS Attributes

Context

RADIUS attributes supported by different vendors are incompatible with each other, so RADIUS attributes must be disabled or translated in interoperation and replacement scenarios.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Run radius-server attribute translate

    The RADIUS attribute disabling and translation functions are enabled.

    By default, the RADIUS attribute disabling and translation functions are disabled.

  4. Run radius-attribute disable attribute-name { receive | send } *

    A RADIUS attribute is disabled.

    By default, no RADIUS attribute is disabled.

  5. Configure the RADIUS attribute to be translated.

    • radius-attribute translate src-attribute-name dest-attribute-name { receive | send | access-accept | access-request | account-request | account-response } *
    • radius-attribute translate extend vendor-specific src-vendor-id src-sub-id dest-attribute-name { access-accept | account-response } *
    • radius-attribute translate extend src-attribute-name vendor-specific dest-vendor-id dest-sub-id { access-request | account-request } *

    By default, no RADIUS attribute is translated.

Verifying the Configuration
  • Run the display radius-attribute [ name attribute-name | type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 | dslforum attribute-number4 } ] command to check the RADIUS attributes supported by the device.
  • Run the display radius-attribute [ template template-name ] disable command to check the disabled RADIUS attributes.
  • Run the display radius-attribute [ template template-name ] translate command to check the RADIUS attribute translation configuration.

Configuring the RADIUS Attribute Check Function

Context

After the RADIUS attribute check function is configured, the device checks whether the received RADIUS Access-Accept packets contain the specified attributes. If so, the device considers that authentication is successful; if not, the device considers that authentication fails and discards the packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Run radius-attribute check attribute-name

    The device is configured to check whether the received RADIUS Access-Accept packets contain the specified attribute.

    By default, the device does not check whether RADIUS Access-Accept packets contain the specified attribute.
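What the device does with an Access-Accept under this check, shown in Python as an added example (not Huawei code): the Response Authenticator is recomputed with the shared key configured in the RADIUS server template (RFC 2865 section 3), and only a packet that passes is then tested for the required attribute and otherwise discarded. The shared key, request authenticator and attribute contents are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator
MAX_RADIUS_LEN = 4096


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> wire encoding (Type, Length, Value)."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: an Access-Accept/Reject bound to the request it answers."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(body), auth) + body


def validate_access_accept(packet, expected_ident, request_auth, secret, required_attr=None):
    """NAS side. Returns (accepted, reason, attrs). The packet is trusted only after
    its Response Authenticator matches; then the radius-attribute check rule is
    applied: without the required attribute the Accept is treated as a failure."""
    if len(packet) < HEADER.size:
        return False, "packet shorter than the RADIUS header", []
    code, ident, length, resp_auth = HEADER.unpack_from(packet)
    if length != len(packet) or length > MAX_RADIUS_LEN:
        return False, "length field does not match the datagram", []
    if ident != expected_ident:
        return False, "identifier does not match an outstanding request", []
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER.size:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "Response Authenticator mismatch (wrong shared key or forged reply)", []
    try:
        attrs = parse_attrs(packet[HEADER.size:])
    except ValueError as exc:
        return False, f"malformed attributes: {exc}", []
    if code != ACCESS_ACCEPT:
        return False, f"code {code} is not Access-Accept", attrs
    if required_attr is not None and not any(t == required_attr for t, _ in attrs):
        return False, f"required attribute {required_attr} missing; discarding", attrs
    return True, "authentication successful", attrs
```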

Modifying the Value of a RADIUS Attribute

Context

The value of the same RADIUS attribute may vary on RADIUS servers from different vendors. Therefore, RADIUS attribute values need to be modified, so that a Huawei device can successfully communicate with a third-party RADIUS server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Run radius-attribute set attribute-name attribute-value [ auth-type mac | user-type ipsession ]

    The value of a RADIUS attribute is modified.

    By default, values of RADIUS attributes are not modified.

Configuring Standard RADIUS Attributes

Context

For details about RADIUS attributes supported by the device, see RADIUS Attributes. The content or format of some standard RADIUS attributes can be configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Configure standard RADIUS attributes.

    • Configure RADIUS attribute 4 (NAS-IP-Address) or 95 (NAS-IPv6-Address).

      • Run radius-attribute nas-ip { ip-address | ap-info }

        RADIUS attribute 4 (NAS-IP-Address) is configured.

        By default, the source IP address of the NAS is the value of the NAS-IP-Address attribute.

      • Run radius-attribute nas-ipv6 ipv6-address

        RADIUS attribute 95 (NAS-IPv6-Address) is configured.

        By default, the NAS-IPv6-Address attribute is not configured.

    • Configure RADIUS attribute 5 (NAS-Port).

      1. Run radius-server nas-port-format { new | old }

        The format of the NAS port is configured.

        By default, the new NAS port format is used.

        When the new NAS port format is used, you can perform the following operation to configure the specific format.

      2. Run radius-server format-attribute nas-port nas-port-string

        The new NAS port format is configured.

        By default, the default new NAS port format is used.

    • Configure RADIUS attribute 30 (Called-Station-Id).

      1. Run called-station-id mac-format { dot-split | hyphen-split } [ mode1 | mode2 ] [ lowercase | uppercase ]

        Or run called-station-id mac-format unformatted [ lowercase | uppercase ]

        The encapsulation format of the MAC address in the Called-Station-Id (30) attribute is configured.

        By default, the MAC address format in the Called-Station-Id (30) attribute is XX-XX-XX-XX-XX-XX, in uppercase.

    • Configure RADIUS attribute 31 (Calling-Station-Id).

      Run calling-station-id mac-format { dot-split | hyphen-split | colon-split } [ mode1 | mode2 ] [ lowercase | uppercase ]

      Or run calling-station-id mac-format { unformatted [ lowercase | uppercase ] | bin }

      The encapsulation format of the MAC address in the Calling-Station-Id (31) attribute is configured.

      By default, the MAC address format in the Calling-Station-Id (31) attribute is xxxx-xxxx-xxxx, in lowercase.

    • Configure RADIUS attribute 32 (NAS-Identifier).

      Run radius-server nas-identifier-format { hostname | vlan-id | ap-info }

      The encapsulation format of the NAS-Identifier attribute is configured.

      By default, the NAS-Identifier encapsulation format is the user's hostname.

    • Configure RADIUS attribute 80 (Message-Authenticator).

      Run radius-server attribute message-authenticator access-request

      The device is configured to carry RADIUS attribute 80 (Message-Authenticator) in RADIUS authentication packets.

      By default, the device does not carry RADIUS attribute 80 (Message-Authenticator) in RADIUS authentication packets.

    • Configure RADIUS attribute 87 (NAS-Port-Id).

      Run radius-server nas-port-id-format { new | old }

      The format of the NAS-Port-Id attribute is configured.

      By default, the new format of the NAS-Port-Id attribute is used.
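An Access-Request carrying the standard attributes described above (NAS-IP-Address 4, Called-Station-Id 30 and Calling-Station-Id 31 in the page's MAC formats, NAS-Identifier 32, and Message-Authenticator 80 computed as HMAC-MD5 with the template's shared key, RFC 2869 section 5.14), together with the receiver-side check, in Python. This is an added example, not Huawei code: the key, addresses, MACs and user credentials are constructed, and because the page does not define mode1/mode2, the MAC grouping is a parameter instead.

```python
import hashlib
import hmac
import os
import socket
import struct

MESSAGE_AUTHENTICATOR = 80
ZERO16 = bytes(16)


def format_mac(mac, style="hyphen-split", group=2, case="uppercase"):
    """Render a MAC the way the called/calling-station-id mac-format keywords do.
    style: hyphen-split, dot-split, colon-split, unformatted or bin; group is
    2 for XX-XX-XX-XX-XX-XX and 4 for xxxx-xxxx-xxxx (assumed stand-in for mode1/mode2)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if style == "bin":
        return bytes.fromhex(digits)
    if style == "unformatted":
        text = digits
    else:
        sep = {"hyphen-split": "-", "dot-split": ".", "colon-split": ":"}[style]
        text = sep.join(digits[i:i + group] for i in range(0, 12, group))
    return (text.upper() if case == "uppercase" else text).encode()


def hide_password(password, secret, request_auth):
    """User-Password (2) obfuscation of RFC 2865 section 5.2 (PAP)."""
    padded = password + bytes(-len(password) % 16) or ZERO16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_access_request(ident, secret, username, password, nas_ip, nas_identifier,
                         called_mac, calling_mac, request_auth=None):
    """Access-Request with attributes 1, 2, 4, 30, 31, 32 and 80. Message-Authenticator
    is HMAC-MD5(secret) over the packet with its own value zeroed, so a server can
    drop requests from anyone who does not hold the shared key."""
    request_auth = request_auth or os.urandom(16)
    attrs = [
        (1, username),
        (2, hide_password(password, secret, request_auth)),
        (4, socket.inet_aton(nas_ip)),                                  # NAS-IP-Address
        (30, format_mac(called_mac, "hyphen-split", 2, "uppercase")),   # page default for 30
        (31, format_mac(calling_mac, "hyphen-split", 4, "lowercase")),  # page default for 31
        (32, nas_identifier),                                           # NAS-Identifier
        (MESSAGE_AUTHENTICATOR, ZERO16),                                # filled in below
    ]
    body = encode_attrs(attrs)
    packet = struct.pack("!BBH16s", 1, ident, 20 + len(body), request_auth) + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac   # attribute 80 is last, so its value is the tail


def verify_message_authenticator(packet, secret):
    """Receiver side: locate attribute 80, zero it, recompute and compare.
    A packet without the attribute is reported as unauthenticated (False)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    i = 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            return False
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:i + 2] + ZERO16 + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += length
    return False
```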

Configuring Huawei Proprietary RADIUS Attributes

Context

For details about RADIUS attributes supported by the device, see RADIUS Attributes. The content or format of some Huawei proprietary RADIUS attributes can be configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Configure Huawei proprietary RADIUS attributes.

    • Run radius-server hw-ap-info-format include-ap-ip

      The device is configured to carry the AP's IP address in Huawei proprietary attribute 26-141 (HW-AP-Information).

      By default, the device does not carry the AP's IP address in Huawei proprietary attribute 26-141 (HW-AP-Information).

(Optional) Configuring Authorization Information

(Optional) Configuring a Service Scheme

Context

Users must obtain authorization information before going online. You can configure a service scheme to manage authorization information about users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run service-scheme service-scheme-name

    A service scheme is created and the service scheme view is displayed.

    By default, no service scheme is configured on the device.

  4. Run admin-user privilege level level

    The user is configured as the administrator and the administrator level for login is specified.

    The value range of level is from 0 to 15. By default, the user level is not specified.

  5. Configure server information.

    • Configure a DHCP server group.

      Command: dhcp-server group group-name

      Remarks: By default, no DHCP server group is configured in a service scheme.

    • Configure the IP address of the primary DNS server.

      Command: dns ip-address

      Remarks: By default, no primary DNS server is configured in a service scheme.

    • Configure the IP address of the secondary DNS server.

      Command: dns ip-address secondary

      Remarks: By default, no secondary DNS server is configured in a service scheme.

  6. Configure resources delivered by the server in an Efficient VPN scenario.

    • Configure the primary WINS server.

      Command: wins ip-address

      Remarks: By default, no primary WINS server is configured in a service scheme.

    • Configure the secondary WINS server.

      Command: wins ip-address secondary

      Remarks: By default, no secondary WINS server is configured in a service scheme.

    • Configure the URL and version number in the service scheme.

      Command: auto-update url url-string version version-number

      Remarks: By default, no URL or version number is configured in a service scheme.

    • Configure the default DNS domain name in the service scheme.

      Command: dns-name domain-name

      Remarks: By default, no default DNS domain name is configured in a service scheme.

    • Configure the local subnet information to be sent to the remote end.

      Command: route set acl acl-number

      Remarks: By default, no local subnet information is sent to the remote end.

    • Configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end.

      Command: route set interface

      Remarks: By default, no IP address of the interface bound to the IPSec tunnel is sent to the remote end.

  7. Run ip-pool pool-name [ move-to new-position ]

    An IP address pool is bound to the service scheme or an existing IP address pool is moved.

    By default, no IP address pool is bound to a service scheme.

    NOTE:

    Ensure that the IP address pool has been configured before running this command.

  8. Run qos-profile profile-name

    A QoS profile is bound to the service scheme.

    By default, no QoS profile is bound to a service scheme.

    NOTE:

    Ensure that the QoS profile has been configured before running this command.

  9. Run idle-cut idle-time flow-value [ inbound | outbound ]

    The idle-cut function is enabled for domain users and the idle-cut parameters are set.

    By default, the idle-cut function is disabled for domain users.

    NOTE:

    The idle-cut function takes effect only after the idle time and traffic threshold are configured. To configure the traffic threshold, run the idle-cut idle-time flow-value command. To configure the idle time, use the value of idle-time configured on the device or the value (carried in RADIUS attribute 28 Idle-Timeout) authorized by the RADIUS server. If both values exist, the value authorized by the RADIUS server has a higher priority.

    The idle-cut command configured in the service scheme view takes effect for administrators. For common users, the function takes effect only for PPPoE and Portal users.

Configuring a User Group

Context

Users must obtain authorization information before going online. You can configure a user group to manage authorization information about users.

Procedure

  • Configure a user group.

    • Create a user group and enter the user group view.

      Command: user-group group-name

      Remarks: When using a user group in a two-node or dual-link HSB scenario, specify the user group index and ensure that the user group names and user group indexes configured on the active and standby devices are the same.

    • Bind an ACL to the user group.

      Command: acl-id acl-number

      Remarks: By default, no ACL is bound to a user group. The IPv4 ACL bound to a user group must have been created using the acl (system view) command.

    • Configure the priority of the user group.

      Command: remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value }*

      Remarks: By default, the priority of a user group is not configured.

Creating and Configuring a Domain

Context

A NAS performs domain-based user management. A domain is a group of users and each user belongs to a domain. A user uses only AAA configuration information in the domain to which the user belongs.

The device determines the domain to which a user belongs based on the user name. Before performing authentication, authorization, and accounting on users, you need to create the domain to which the users belong.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name [ domain-index domain-index ]

    A domain is created and the domain view is displayed, or the view of an existing domain is displayed.

    By default, the default and default_admin domains are available on the device. The default domain is used by common access users and the default_admin domain is used by administrators.

  4. (Optional) Run state { active | block [ time-range time-name &<1-4> ] }

    The domain state is configured.

    By default, a domain is in active state after being created. When a domain is in blocking state, users in this domain cannot log in.

  5. (Optional) Run statistic enable

    Traffic statistics collection is enabled for users in the domain.

    By default, traffic statistics collection is disabled for users in a domain.

  6. (Optional) Configure domain name parsing, which this document calls the DNS function (it is unrelated to Domain Name System resolution). The settings take effect for all domains on the device.

    1. Run quit

      Return to the AAA view.

    2. Run domainname-parse-direction { left-to-right | right-to-left }

      The domain name parsing direction is configured. It decides which delimiter is used when a user name contains more than one: left-to-right splits at the first delimiter from the left, right-to-left at the first delimiter from the right.

      By default, a domain name is parsed from left to right.

    3. Run domain-name-delimiter delimiter

      The domain name delimiter is configured.

      By default, the domain name delimiter is @.

    4. Run domain-location { after-delimiter | before-delimiter }

      The position of a domain name is configured.

      By default, a domain name is placed behind the domain name delimiter.

    NOTE:

    The DNS function can also be configured in the authentication profile view. If the DNS function is configured in both the AAA view and authentication profile view, the device preferentially uses the configuration in the authentication profile, which applies only to wireless users.

  7. (Optional) Configure the security string function.

    1. Run security-name enable

      The security string function is enabled.

      By default, the security string function is enabled.

    2. Run security-name-delimiter delimiter

      The security string delimiter is configured.

      By default, the security string delimiter is an asterisk (*).

      NOTE:

      The security string delimiter can also be configured in the authentication profile view. If the security string delimiter is configured in both the AAA view and authentication profile view, the device preferentially uses the configuration in the authentication profile, which applies only to wireless users.

  8. (Optional) Specify a permitted domain for wireless users. (This step applies only to wireless users.)

    1. Run quit

      Return to the system view.

    2. Run authentication-profile name authentication-profile-name

      An authentication profile is created and the authentication profile view is displayed.

      By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

    3. Run permit-domain name domain-name &<1-4>

      A permitted domain is specified for wireless users.

      By default, no permitted domain is specified for wireless users.

      After a permitted domain is specified in an authentication profile, only users in the permitted domain can be authenticated, authorized, and accounted; users whose name resolves to any other domain are not authenticated and cannot go online.

Configuring Global Default Domains

Context

The device determines the domain to which a user belongs based on the user name. If a user name does not contain a domain name, the device cannot determine the domain to which the user belongs, and adds the user to a global default domain. Based on user types (access users or administrators), global default domains are classified into the global default common domain and global default administrative domain.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure global default domains.

    • Run domain domain-name

      The global default common domain is configured.

    • Run domain domain-name admin

      The global default administrative domain is configured.

    By default, two global default domains are available on the device: global default common domain named default and global default administrative domain named default_admin.

    NOTE:

    The same domain name can be set for the global default common domain and global default administrative domain.

Verifying the Configuration of Global Default Domains
Run the display aaa configuration command to check the configuration of global default domains.
<Huawei> display aaa configuration
  Domain Name Delimiter            : @
  Domainname parse direction       : Left to right
  Domainname location              : After-delimiter
  Administrator user default domain: default_admin    //Global default administrative domain
  Normal user default domain       : default    //Global default common domain
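
The rules of the two procedures above (delimiter, parsing direction, domain location, security string delimiter, and the fall-back to a global default domain) are easiest to see in code. The following Python model is an added example and is not part of the Huawei document or of the device software: the class and function names are invented here, and the handling of an empty domain part and of the security string is marked as an assumption in the comments. The point a practitioner should take from it: the domain, and with it the authentication scheme and RADIUS server template, is selected by a string the supplicant controls, so every domain reachable by name must be configured deliberately, and an unqualified name lands in the global default domain rather than being rejected.

```python
"""Added example (not from the Huawei document): a model of how the NAS derives the
domain of a user from the user name, using the AAA-view settings described above."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class DomainParseConfig:
    """Defaults follow the documented defaults of the corresponding commands."""
    delimiter: str = "@"                         # domain-name-delimiter
    parse_direction: str = "left-to-right"       # domainname-parse-direction
    domain_location: str = "after-delimiter"     # domain-location
    security_name_enable: bool = True            # security-name enable
    security_name_delimiter: str = "*"           # security-name-delimiter
    default_domain: str = "default"              # global default common domain
    default_admin_domain: str = "default_admin"  # global default administrative domain


@dataclass(frozen=True)
class ParsedUser:
    pure_user_name: str
    domain: str
    domain_from_name: bool          # False when a global default domain was applied
    security_string: Optional[str]  # None when absent or the function is disabled


def split_at_delimiter(name: str, cfg: DomainParseConfig) -> Optional[Tuple[str, str]]:
    """Split at the delimiter selected by the parsing direction. With several
    delimiters in the name, left-to-right uses the first and right-to-left the last."""
    if cfg.delimiter not in name:
        return None
    if cfg.parse_direction == "left-to-right":
        left, _, right = name.partition(cfg.delimiter)
    elif cfg.parse_direction == "right-to-left":
        left, _, right = name.rpartition(cfg.delimiter)
    else:
        raise ValueError(f"unknown parse direction: {cfg.parse_direction}")
    return left, right


def parse_user_name(raw: str, cfg: DomainParseConfig = DomainParseConfig(),
                    is_admin: bool = False) -> ParsedUser:
    """Return the pure user name and the domain the user will be handled in."""
    fallback = cfg.default_admin_domain if is_admin else cfg.default_domain
    parts = split_at_delimiter(raw, cfg)
    if parts is None:
        user, domain, from_name = raw, fallback, False
    else:
        left, right = parts
        if cfg.domain_location == "after-delimiter":
            user, domain = left, right
        elif cfg.domain_location == "before-delimiter":
            domain, user = left, right
        else:
            raise ValueError(f"unknown domain location: {cfg.domain_location}")
        from_name = bool(domain)
        if not domain:
            # Assumption: a delimiter with an empty domain part ("alice@") is treated
            # like a name without a domain; the page does not cover this case.
            domain = fallback
    security = None
    if cfg.security_name_enable and cfg.security_name_delimiter in user:
        # Assumption: the security string follows its delimiter inside the pure user
        # name ("alice*9f3@corp"); the page documents only the delimiter itself.
        user, _, security = user.partition(cfg.security_name_delimiter)
    return ParsedUser(user, domain, from_name, security)


def domain_permitted(parsed: ParsedUser, permit_domains: Sequence[str] = ()) -> bool:
    """permit-domain check of an authentication profile (wireless users). With no
    permitted domain configured, the documented default, every domain is accepted."""
    return not permit_domains or parsed.domain in permit_domains


if __name__ == "__main__":
    for name in ("alice@corp", "bob", "alice@sub@corp", "alice*9f3@corp", "alice@"):
        print(f"{name!r:18} -> {parse_user_name(name)}")
    rtl = DomainParseConfig(parse_direction="right-to-left")
    print("right-to-left     ->", parse_user_name("alice@sub@corp", rtl))
    before = DomainParseConfig(domain_location="before-delimiter")
    print("before-delimiter  ->", parse_user_name("corp@alice", before))
```

Running the module prints the parsed result of a few constructed names under the default settings and under right-to-left parsing and before-delimiter placement; domain_permitted models the permit-domain check of step 8 for wireless users.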

Applying an AAA Scheme, a RADIUS Server Template, and Authorization Information to a Domain

Context

AAA schemes, server templates, and authorization information are managed in a domain. A user uses only AAA configuration information in the domain to which the user belongs.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name [ domain-index domain-index ]

    A domain is created and the domain view is displayed, or the view of an existing domain is displayed.

    By default, the default and default_admin domains are available on the device. The default domain is used by common access users and the default_admin domain is used by administrators.

  4. Run authentication-scheme scheme-name

    An authentication scheme is applied to the domain.

    By default, the authentication scheme named default is applied to the default_admin domain, and the authentication scheme named radius is applied to the default domain and other domains.

  5. Run accounting-scheme accounting-scheme-name

    An accounting scheme is applied to the domain.

    By default, the default accounting scheme is applied to a domain. In the default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

  6. Run radius-server template-name

    A RADIUS server template is applied to the domain.

    By default, no RADIUS server template is applied to the default_admin domain, and the RADIUS server template named default is applied to the default domain and other domains.

  7. (Optional) Run accounting-copy radius-server template-name

    The RADIUS accounting packet copy function is enabled, and a RADIUS server template for level-2 accounting is configured.

    By default, the RADIUS accounting packet copy function is disabled.

    NOTE:
    • Ensure that the IP address of the level-2 RADIUS accounting server is different from that of the level-1 RADIUS accounting server (including the active and standby RADIUS accounting servers).

    • Ensure that the level-2 RADIUS accounting server template configured in the domain is different from the RADIUS server template for authentication and accounting in the domain. If they are the same, the accounting-copy radius-server command cannot be configured and the system displays an error message during the command configuration.

  8. (Optional) Configure authorization information in the domain.

    • Run user-group group-name

      A user group is applied to the domain. That is, the device will deliver authorization information of the user group to users in the domain.

      By default, no user group is applied to a domain.

    • Run service-scheme service-scheme-name

      A service scheme is applied to the domain. That is, the device will deliver authorization information in the service scheme to users in the domain.

      By default, no service scheme is applied to a domain.

Verifying the Configuration

Run the display domain [ name domain-name ] command to check the domain configuration.

Configuring the RADIUS CoA or DM Function

Context

The device supports the RADIUS CoA and DM functions. CoA (Change of Authorization) lets the authorization server change the rights of users who are already online, and DM (Disconnect Message) lets it forcibly disconnect them. Both act on live sessions, so the device accepts these requests only from a configured RADIUS authorization server and validates them with the shared key configured for that server; use a strong shared key that is unique to each server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure an authorization server.

    Step

    Command

    Remarks

    Configure a RADIUS authorization server.

    radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name shared-key cipher key-string | shared-key cipher key-string [ server-group group-name ] } [ ack-reserved-interval interval ] [ protect enable ]

    By default, no RADIUS authorization server is configured.

  3. (Optional) Run radius-server authorization match-type { any | all }

    The device is configured to match the RADIUS attributes carried in received CoA or DM Request packets against the online-user information on the device.

    By default, the match type is any: the device takes only the attribute with the highest priority among those carried in the Request packet and matches it against user information. With all, every identifying attribute carried in the Request packet must match the same user.

  4. (Optional) Run radius-server session-manage { ip-address [ vpn-instance vpn-instance-name ] shared-key cipher share-key | any }

    Session management is enabled for the RADIUS server.

    By default, session management is disabled for the RADIUS server.

  5. (Optional) Configure the format of a RADIUS attribute to be parsed.

    • Run radius-server authorization calling-station-id decode-mac-format { bin | ascii { unformatted | { dot-split | hyphen-split } [ common | compress ] } }

      The MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets is configured.

      By default, the MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets is xxxxxxxxxxxx, in lowercase.

    • Run radius-server authorization attribute-decode-sameastemplate

      The device is configured to parse the MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets based on RADIUS server template configurations.

      By default, the device is not configured to parse RADIUS attribute 31 in RADIUS CoA or DM packets based on RADIUS server template configurations.

      In a RADIUS server template, the MAC address format in RADIUS attribute 31 (Calling-Station-Id) is configured using the calling-station-id mac-format command.

  6. (Optional) Configure the format of a RADIUS attribute to be encapsulated.

    Run radius-server authorization attribute-encode-sameastemplate

    The device is configured to encapsulate the attributes in RADIUS CoA or DM Response packets based on RADIUS server template configurations.

    By default, the device is not configured to encapsulate the attributes in RADIUS CoA or DM Response packets based on RADIUS server template configurations.

    Table 1-34 lists the RADIUS attributes that can be configured in this step.

    Table 1-34  Supported RADIUS attributes

    RADIUS Attribute                          Description          Command for Configuring the Attribute in a RADIUS Server Template
    ----------------------------------------  -------------------  -----------------------------------------------------------------
    RADIUS attribute 1 (User-Name)            User name            radius-server user-name domain-included
    RADIUS attribute 4 (NAS-IP-Address)       NAS IP address       radius-attribute nas-ip
    RADIUS attribute 31 (Calling-Station-Id)  MAC address format   calling-station-id mac-format

  7. (Optional) Configure the update mode of user authorization information.

    1. Run aaa

      The AAA view is displayed.

    2. Run authorization-modify mode { modify | overlay }

      The update mode of user authorization information delivered by the authorization server is configured.

      By default, the update mode of user authorization information delivered by the authorization server is overlay.

Verifying the Configuration

Run the display radius-server authorization configuration command to check the RADIUS authorization server configuration.
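
To show how the settings in this section interact, the following Python model is an added example and not code from the Huawei document or the device: the online-user table, the list of identifying attributes and their priority order, the field names, and the MAC layouts assumed for common and compress are constructed here and marked as such. It locates the online user a CoA or DM request refers to under match-type any and all, decodes attribute 31 under the configured decode-mac-format, and applies the two authorization-modify modes. The caveat it makes visible: when the server sends Calling-Station-Id in a format other than the configured one (hyphen-split against the default xxxxxxxxxxxx, for example), the user is simply not found and the CoA or DM request has no effect, which is the situation attribute-decode-sameastemplate exists to prevent.

```python
"""Added example (not from the Huawei document): how a NAS locates the online user a
CoA or DM request names, how decode-mac-format affects that, and how the two
authorization-modify modes differ."""
import re
from typing import Dict, List, Optional

# Constructed online-user table; the field names are this example's assumptions.
ONLINE_USERS: List[Dict] = [
    {"User-Name": "alice@corp", "Framed-IP-Address": "10.1.1.10",
     "mac": "00e0fc123456", "Acct-Session-Id": "sess-0001"},
    {"User-Name": "bob@corp", "Framed-IP-Address": "10.1.1.11",
     "mac": "00e0fc654321", "Acct-Session-Id": "sess-0002"},
]

# Assumption: attributes a request may identify a user by, highest priority first.
IDENTIFYING_ATTRS = ["Acct-Session-Id", "Calling-Station-Id",
                     "Framed-IP-Address", "User-Name"]

# ASCII layouts selected by decode-mac-format. The page documents only the default
# (xxxxxxxxxxxx); the common/compress groupings are this example's reading.
_ASCII_LAYOUTS = {
    ("unformatted", "common"): r"[0-9A-Fa-f]{12}",
    ("hyphen-split", "common"): r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}",
    ("hyphen-split", "compress"): r"(?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4}",
    ("dot-split", "common"): r"(?:[0-9A-Fa-f]{2}\.){5}[0-9A-Fa-f]{2}",
    ("dot-split", "compress"): r"(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}",
}


def decode_calling_station_id(value, fmt: str = "ascii", layout: str = "unformatted",
                              grouping: str = "common") -> Optional[str]:
    """Decode attribute 31 under the configured format. Returns 12 lowercase hex
    digits, or None when the value does not have the configured shape, which is
    exactly the case in which the device cannot find the user."""
    if fmt == "bin":
        return value.hex() if isinstance(value, bytes) and len(value) == 6 else None
    key = (layout, "common" if layout == "unformatted" else grouping)
    pattern = _ASCII_LAYOUTS.get(key)
    if pattern is None or not isinstance(value, str) or not re.fullmatch(pattern, value):
        return None
    return re.sub(r"[.-]", "", value).lower()


def _matches(user: Dict, attr: str, value, mac_cfg: Dict) -> bool:
    if attr == "Calling-Station-Id":
        mac = decode_calling_station_id(value, **mac_cfg)
        return mac is not None and mac == user["mac"]
    return user.get(attr) == value


def locate_user(request: Dict, match_type: str = "any", mac_cfg: Optional[Dict] = None,
                users: Optional[List[Dict]] = None) -> Optional[Dict]:
    """radius-server authorization match-type: 'any' uses only the highest-priority
    identifying attribute present in the request, 'all' requires every identifying
    attribute present to match the same user."""
    if match_type not in ("any", "all"):
        raise ValueError(f"unknown match type: {match_type}")
    present = [a for a in IDENTIFYING_ATTRS if a in request]
    if not present:
        return None
    keys = present[:1] if match_type == "any" else present
    table = ONLINE_USERS if users is None else users
    for user in table:
        if all(_matches(user, a, request[a], mac_cfg or {}) for a in keys):
            return user
    return None


def apply_authorization(current: Dict, delivered: Dict, mode: str = "overlay") -> Dict:
    """authorization-modify mode, read here as: overlay replaces the user's whole
    authorization set with what the server delivered; modify changes only the
    delivered attributes and keeps the rest. The page names the modes only."""
    if mode == "overlay":
        return dict(delivered)
    if mode == "modify":
        merged = dict(current)
        merged.update(delivered)
        return merged
    raise ValueError(f"unknown update mode: {mode}")


def disconnect(request: Dict, match_type: str = "any", mac_cfg: Optional[Dict] = None,
               users: Optional[List[Dict]] = None) -> bool:
    """DM: remove the located user from the table; False when nobody matched."""
    table = ONLINE_USERS if users is None else users
    user = locate_user(request, match_type, mac_cfg, table)
    if user is None:
        return False
    table.remove(user)
    return True


if __name__ == "__main__":
    req = {"Calling-Station-Id": "00-E0-FC-12-34-56"}
    print("default decode :", locate_user(req))  # None: format mismatch, user not found
    print("hyphen-split   :", locate_user(req, mac_cfg={"layout": "hyphen-split"}))
```

The __main__ block runs the same hyphen-split Calling-Station-Id through the default decode setting and through hyphen-split; only the second finds the user. The same silent failure applies to a DM request, so after changing the server's attribute format, confirm with a test CoA or DM that the device still locates sessions.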

Verifying the RADIUS AAA Configuration

Procedure

  • Run the display aaa configuration command to check the AAA summary.
  • Run the display authentication-scheme [ authentication-scheme-name ] command to verify the authentication scheme configuration.
  • Run the display accounting-scheme [ accounting-scheme-name ] command to verify the accounting scheme configuration.
  • Run the display service-scheme [ name name ] command to verify the service scheme configuration.
  • Run the display radius-server configuration [ template template-name ] command to verify the RADIUS server template configuration.
  • Run the display radius-server item { ip-address { ipv4-address | ipv6-address } { accounting | authentication } | template template-name } command to verify the RADIUS server configuration.
  • Run the display radius-server { dead-interval | dead-count } command to verify the specified RADIUS server detection interval and maximum number of consecutive unacknowledged packets.
  • Run the display radius-server authorization configuration command to verify the RADIUS authorization server configuration.
  • Run the display radius-attribute [ name attribute-name | type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 | dslforum attribute-number4 } ] command to check the RADIUS attributes supported by the device.
  • Run the display radius-attribute [ template template-name ] disable command to check the disabled RADIUS attributes.
  • Run the display radius-attribute [ template template-name ] translate command to verify the setting for RADIUS attribute translation.
  • Run the display domain [ name domain-name ] command to verify the domain configuration.
  • Run the display radius-server accounting-stop-packet { all | ip { ip-address | ipv6-address } } command to verify the accounting-stop packets of the RADIUS server.
  • Run the display radius-attribute [ template template-name ] check command to verify which attributes in RADIUS Access-Accept packets are checked.
  • Run the display remote-user authen-fail [ blocked | username username ] command to verify information about the accounts that failed remote AAA authentication.
  • Run the display aaa statistics access-type-authenreq command to display the number of authentication requests.
  • Run the display radius-server session-manage configuration command to verify the session management configuration for the RADIUS server.
Updated: 2019-08-07

Document ID: EDOC1100034077