CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring HACA Authentication

HACA Authentication

Two authentication methods are available in cloud-based management scenarios: 802.1X authentication and Portal authentication. In 802.1X authentication, the device must be connected to a third-party RADIUS server. Portal authentication is more often used in cloud-based management. Because the authentication server is located on the cloud, packets between the device and the server must traverse a NAT device, but Portal protocol packets cannot traverse NAT. HACA provides the communication channel between the device and the server, over which Portal authentication can then be performed.

Similar to the RADIUS protocol, the HACA protocol uses the client/server model to authenticate access users.

Configuration Procedure

Configuring an HACA Server

Context

When HACA authentication and authorization are used, the authentication and authorization information must be configured on the HACA server.

When a user requests to access the Internet, the access device forwards authentication information to the HACA server. The HACA server then decides whether to allow the user to pass based on the configured information. If the user is allowed, the HACA server sends an access-accept message carrying authorization information to the access device. The access device then authorizes network access rights to the user according to the access-accept message.

Configuring an AAA Scheme

Context

If HACA authentication and authorization are used, set the authentication mode in the authentication scheme to HACA and the accounting mode in an accounting scheme to HACA.

NOTE:

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme scheme-name

      An authentication scheme is created and its view is displayed, or the view of an existing authentication scheme is displayed.

      By default, two authentication schemes named default and radius are available on the device. The two authentication schemes can be modified but not deleted.

    4. Run authentication-mode haca

      The authentication method is set to HACA.

      By default, local authentication is used.

      To use local authentication as the backup authentication mode, run the authentication-mode haca local command.

      NOTE:

      If multiple authentication modes are configured in an authentication scheme, they are used in the order in which they were configured. The device falls back to the next configured authentication mode only when it receives no response from the current one. If the current authentication mode returns a failure, the device stops the authentication and does not try the next mode.

    5. Run quit

      Return to the AAA view.

    6. (Optional) Configure the account locking function.

      1. Run remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time

        The remote AAA authentication account locking function is enabled, and the authentication retry interval, maximum number of consecutive authentication failures, and account locking period are configured.

        By default, the remote AAA account locking function is enabled, the authentication retry interval is 300 minutes, the maximum number of consecutive authentication failures is 30, and the account locking period is 30 minutes.

      2. Run aaa-quiet administrator except-list { ipv4-address | ipv6-address } &<1-32>

        The IP addresses from which a user can still access the network while the user account is locked are configured.

        By default, a user cannot access the network if the user account is locked.

        You can run the display aaa-quiet administrator except-list command to query the specified IP addresses.

      3. Run remote-user authen-fail unblock { all | username username }

        A remote AAA authentication account that has failed authentication is unlocked.

    7. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }

      The direction in which the domain name is parsed is configured.

      By default, the domain name is parsed from left to right.

    8. (Optional) Run aaa-author session-timeout invalid-value enable

      The device is configured not to disconnect or reauthenticate users when the RADIUS server delivers a session-timeout value of 0.

      By default, the device disconnects or reauthenticates users when the RADIUS server delivers session-timeout with value 0.

    9. Run quit

      Return to the system view.

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and its view is displayed, or the view of an existing accounting scheme is displayed.

      There is a default accounting scheme named default on the device. This default accounting scheme can be modified but not deleted.

    4. Run accounting-mode haca

      The accounting mode in the accounting scheme is set to HACA.

      By default, the accounting mode is none.

    5. (Optional) Run accounting start-fail { offline | online }

      A policy for accounting-start failures is configured.

      By default, users cannot go online if accounting-start fails.

    6. (Optional) Run accounting realtime interval

      Real-time accounting is enabled and the interval for real-time accounting is set.

      By default, the device performs accounting based on user online duration, and the real-time accounting function is disabled.

    7. (Optional) Run accounting interim-fail [ max-times times ] { offline | online }

      The maximum number of real-time accounting failures and the policy applied when that maximum is exceeded are configured.

      By default, the maximum number of real-time accounting failures is 3 and the device keeps users online after the number of real-time accounting failures exceeds the maximum.

Configuring an HACA Server Template

Context

In an HACA server template, specify the server IP address and port number. Other settings such as the HACA user name format and HACA server response timeout have default values and can be changed based on network requirements.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run haca-server template template-name

    An HACA server template is created and its view is displayed.

    By default, no HACA server template exists on the device.

  3. Run haca-server server-address ip-address [ port ] pki-realm-name

    The IP address and port number for the HACA server are configured.

    By default, the IP address and port number of the HACA server are not configured on the device.

  4. Run the following commands as required:

    • To add the domain name to the user name in the packets sent to the HACA server, run the haca-server user-name domain-included command.
    • To retain the original user name in the packets sent to the HACA server, run the haca-server user-name original command.

    By default, the device does not modify the user name entered by the user in the packets sent to the HACA server.

  5. Run haca-server source-ip ip-address

    The source IP address is specified for HACA packets.

    By default, no source IP address is specified for HACA packets. The device uses the IP address of the actual outbound interface as the source IP address of HACA packets.

  6. (Optional) Run haca-server timer response-timeout interval

    The response timeout interval for the HACA server is set.

    By default, the response timeout interval of the HACA server is 5 minutes.

  7. (Optional) Run haca-server timer down-delay interval

    The delay after which the HACA server is considered disconnected is set.

    By default, the delay after which an HACA server is disconnected is 30 seconds.

  8. (Optional) Run haca-server timer reconnection interval

    The interval for reconnecting to the HACA server is set.

    By default, the interval for reconnecting to the HACA server is one minute.

  9. (Optional) Run haca-server timer heart-beat interval

    The heartbeat interval is set.

    By default, the heartbeat interval is 5 minutes.

  10. (Optional) Run haca-server accounting-stop-packet resend [ resend-times ]

    Retransmission of accounting-stop packets is enabled, and the number of accounting-stop packets that can be retransmitted is set.

    By default, three accounting-stop packets can be retransmitted.

  11. Run haca enable

    HACA is enabled.

    By default, HACA is disabled.

  12. Run quit

    Return to the system view.

  13. (Optional) Run haca-server timer user-syn interval

    The interval for synchronizing user information to the HACA server is set.

    By default, the interval for synchronizing user information to the HACA server is 10 minutes.

(Optional) Configuring a Service Scheme

Context

Users must obtain authorization information before going online. You can configure a service scheme to manage authorization information about users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run service-scheme service-scheme-name

    A service scheme is created and the service scheme view is displayed.

    By default, no service scheme is configured on the device.

  4. Run admin-user privilege level level

    The user is configured as the administrator and the administrator level for login is specified.

    The value range of level is from 0 to 15. By default, the user level is not specified.

  5. Configure server information by running the following commands as required:

    • To configure a DHCP server group, run the dhcp-server group group-name command. By default, no DHCP server group is configured in a service scheme.
    • To configure the IP address of the primary DNS server, run the dns ip-address command. By default, no primary DNS server is configured in a service scheme.
    • To configure the IP address of the secondary DNS server, run the dns ip-address secondary command. By default, no secondary DNS server is configured in a service scheme.

  6. Configure resources delivered by the server in an Efficient VPN scenario by running the following commands as required:

    • To configure the primary WINS server, run the wins ip-address command. By default, no primary WINS server is configured in a service scheme.
    • To configure the secondary WINS server, run the wins ip-address secondary command. By default, no secondary WINS server is configured in a service scheme.
    • To configure the URL and version number in the service scheme, run the auto-update url url-string version version-number command. By default, no URL or version number is configured in a service scheme.
    • To configure the default DNS domain name in the service scheme, run the dns-name domain-name command. By default, no default DNS domain name is configured in a service scheme.
    • To configure the local subnet information to be sent to the remote end, run the route set acl acl-number command. By default, no local subnet information is sent to the remote end.
    • To configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end, run the route set interface command. By default, no IP address of the interface bound to the IPSec tunnel is sent to the remote end.

  7. Run ip-pool pool-name [ move-to new-position ]

    An IP address pool is bound to the service scheme or an existing IP address pool is moved.

    By default, no IP address pool is bound to a service scheme.

    NOTE:

    Ensure that the IP address pool has been configured before running this command.

  8. Run qos-profile profile-name

    A QoS profile is bound to the service scheme.

    By default, no QoS profile is bound to a service scheme.

    NOTE:

    Ensure that the QoS profile has been configured before running this command.

  9. Run idle-cut idle-time flow-value [ inbound | outbound ]

    The idle-cut function is enabled for domain users and the idle-cut parameters are set.

    By default, the idle-cut function is disabled for domain users.

    NOTE:

    The idle-cut function takes effect only after both the idle time and the traffic threshold are configured. To configure the traffic threshold, run the idle-cut idle-time flow-value command. For the idle time, the device uses either the idle-time value configured on the device or the value authorized by the RADIUS server (carried in RADIUS attribute 28, Idle-Timeout). If both values exist, the value authorized by the RADIUS server takes precedence.

    For common users (PPPoE and Portal users), the idle-cut function can be enabled only by the idle-cut command in the service scheme view or the local-user idle-cut command in the AAA view; the configuration in the service scheme view takes precedence. To perform idle-cut for administrators, run the local-user idle-timeout command in the AAA view for local authentication, and use RADIUS attribute 28 (Idle-Timeout) for RADIUS authentication.

Applying an AAA Scheme to a Domain

Context

The created authentication scheme and HACA server template take effect only after being applied to a domain.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name

    A domain is created and the domain view is displayed, or the view of an existing domain is displayed.

    The device has two default domains named default and default_admin. The two domains can be modified but not deleted.

  4. Run authentication-scheme authentication-scheme-name

    An authentication scheme is applied to the domain.

    By default, the authentication scheme named radius is applied to the default domain, the authentication scheme named default is applied to the default_admin domain, and the authentication scheme named radius is applied to other domains.

  5. Run accounting-scheme accounting-scheme-name

    An accounting scheme is applied to the domain.

    By default, the accounting scheme named default is applied to a domain. In this default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

  6. Run service-scheme service-scheme-name

    A service scheme is applied to the domain.

    By default, no service scheme is bound to a domain.

  7. Run haca-server template-name

    An HACA server template is applied to the domain.

    By default, no HACA server template is applied to a domain.

  8. (Optional) Run state { active | block [ time-range time-name &<1-4> ] }

    The domain status is configured.

    By default, a domain is in active state after being created. When a domain is in blocking state, users in this domain cannot log in.

  9. (Optional) Configure a domain name resolution scheme. (If domain name resolution is configured in both the AAA view and the authentication profile view, the device preferentially uses the configuration in the authentication profile. The configuration in the authentication profile applies only to wireless users.)

    The following commands are run in the AAA view:

    • To exit from the domain view, run the quit command.
    • To configure the domain name resolution direction, run the domainname-parse-direction { left-to-right | right-to-left } command. The domain name can be resolved from left to right or from right to left. By default, the domain name is resolved from left to right.
    • To configure a domain name delimiter, run the domain-name-delimiter delimiter command. A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.
    • To configure the domain name location, run the domain-location { after-delimiter | before-delimiter } command. By default, the domain name is placed after the domain name delimiter.
    • To configure a security string delimiter, run the security-name-delimiter delimiter command. By default, the security string delimiter is an asterisk (*).

Verifying the HACA Authentication Configuration

Procedure

  • Run the display haca-server configuration [ template template-name ] command to check the HACA server template configuration.
  • Run the display haca-server statistics { all | message | packet [ authentication | authorization | accounting | cut-notify | cut-request | register | user-syn ] } [ template template-name ] command to check HACA packet statistics.
  • Run the display haca-server accounting-stop-packet all command to view information about all accounting-stop packets on the HACA server.
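
The complete command sequence from the procedures above, as an added example that is not part of the original document; all names, addresses and the PKI realm are constructed assumptions stated in the comment lines, and interval values are given in the unit the command reference specifies.

```text
# Added example, not from the original document: the commands of the
# procedures above in the order they are entered, with explanatory "#" lines.
# Constructed assumptions: HACA server 10.10.10.10 on port 443 with PKI realm
# "haca_pki", template "haca_cloud", schemes "haca_auth" and "haca_acct",
# domain "cloud", source address 192.168.1.1. Prompts are omitted.
system-view
aaa
# Authentication: HACA first, local only when the HACA server sends no
# response (a failure returned by the HACA server is final, not retried locally).
authentication-scheme haca_auth
 authentication-mode haca local
 quit
# Accounting: HACA accounting with real-time accounting at interval 15
# (unit assumed to be minutes); users stay online if up to 3 consecutive
# interim updates fail, while a failed accounting-start still keeps the
# user offline (the default).
accounting-scheme haca_acct
 accounting-mode haca
 accounting realtime 15
 accounting interim-fail max-times 3 online
 quit
quit
# HACA server template: server address, port and the PKI realm assumed to
# hold the certificates used for the connection to the cloud server.
haca-server template haca_cloud
 haca-server server-address 10.10.10.10 443 haca_pki
 haca-server user-name domain-included
 haca-server source-ip 192.168.1.1
 haca-server timer response-timeout 5
 haca enable
 quit
# The user-syn timer is set in the system view, not in the template view.
haca-server timer user-syn 10
# Apply the schemes and the template to the domain so that they take effect.
aaa
domain cloud
 authentication-scheme haca_auth
 accounting-scheme haca_acct
 haca-server haca_cloud
 quit
quit
# Verify the template configuration and the HACA packet counters.
display haca-server configuration template haca_cloud
display haca-server statistics all template haca_cloud
```

The display output should show the template with HACA enabled and the configured server address; authentication or accounting counters that stay at zero after a user attempts to log in indicate that the domain is not applying the template.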
Updated: 2019-05-20

Document ID: EDOC1100034236

Views: 95255

Downloads: 53

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next