eSight V300R010C00 Operation Guide 07

Configuring the RADIUS-based Remote Authentication

After RADIUS-based remote authentication is configured, eSight uses RADIUS to authenticate users in the AAA system.

Prerequisites

  • You have the information configuration permission.
  • You have collected the following information on the RADIUS server:
    Table 3-12 Parameter Description

    Parameter                      | Example
    -------------------------------|------------------
    Server IP                      | 10.135.38.165
    (Optional) Standby server IP   | 10.137.63.112
    Authentication server port     | 1812
    RADIUS authentication          | CHAP
    Shared password                | Admin123

Precaution

The account on the RADIUS server can contain a maximum of 32 characters, including only uppercase and lowercase letters, digits, and hyphens. The account cannot contain the following special characters: #%&'+|/ ();<=>?\

Context

RADIUS is defined in RFC2865 and RFC2866 and is the most widely deployed AAA protocol. The RADIUS authentication server supports the PAP and CHAP authentication modes.

When eSight functions as the RADIUS client, ensure that the RADIUS server complies with RFC1321, RFC2865, and RFC2866; eSight does not support RFC1227, RFC2548, RFC2607, RFC2609, RFC2867, RFC2868, RFC2869, or RFC2882. Because the RADIUS protocol provides no replay-attack protection, does not encrypt the content exchanged between client and server, and does not enforce password strength, it is recommended that you deploy eSight and the RADIUS server in the same trusted domain.

In the RADIUS authentication mode, eSight manages roles and the permissions associated with them rather than users. The RADIUS server manages users and their roles and authenticates the user names and passwords used to log in to eSight. Figure 3-7 shows the RADIUS authentication process.

Figure 3-7 RADIUS authentication process (figure not reproduced here)

The RADIUS authentication process is as follows:

  1. The eSight Client sends the user name and password to the eSight Server.
  2. When receiving the request, the eSight Server establishes a connection with the RADIUS Server as the RADIUS Client. The connection can be based on user name and password or SSL.

    When the connection is established, the eSight Server transmits user data to the RADIUS Server for authentication. When the authentication is complete, the RADIUS Server sends the result to the eSight Server.

  3. The eSight Server sends the authentication result to the user through the eSight Client. The authentication results are as follows:
    • Authentication succeeded: Users can use eSight functions within the user permission scope.
    • Authentication failed: Users receive a login failure prompt on the eSight Client, indicating for example that the user name or password is wrong or that the central authentication server cannot be reached.

Procedure

  1. Configure interconnection parameters on the RADIUS server.

    1. Log in to the RADIUS server as an operating system user in the Administrators group.
    2. Configure a shared key for the RADIUS server and eSight.
      1. Access <RADIUS service installation directory>\etc\raddb, open the clients.conf file, and set the IP address, host name, shared key, and connection type for the eSight server in the file.
        NOTE:

        If southbound and northbound services are separated for eSight, the eSight IP address here refers to the northbound IP address. Refer to How to Obtain the IP Address of eSight to obtain the IP address.

        #
        # clients.conf - client configuration directives
        #
        #######################################################################
        client 10.137.61.89 {                                 # eSight server IP address
              secret       = Todlovemary20141111              # Shared key
              shortname    = WIN-9VFDN7KT2KJ.man.sunrise.com  # Host name of the eSight server
              nastype      = other                            # Connection type
        }
      2. Access <RADIUS service installation directory>\etc\raddb, open the naslist file, and add the parameters specified in 1.2.a to the file.
        #portmaster2.isp.com    pm1.LA      livingston
        localhost               local       portslave
        10.137.61.89        WIN-9VFDN7KT2KJ.man.sunrise.com     other    # Add the IP address, host name, and nastype of the eSight server.
    3. Configure role information on the RADIUS server.

      Access <RADIUS service installation directory>\etc\raddb, open the user.conf file, and set the users' role information.

      The following example shows how to add role information for the user Tod.

      Tod              User-Password == "Admin123"
                        Service-Type = Login-User,
                        Reply-Message = "Administrators,SMManagers"   # Add the eSight role Administrators for Tod; use a comma (,) to separate it from the original role SMManagers.

      Repeat this step to add role information for all users.

    4. Restart the RADIUS service.
      1. Right-click the FreeRADIUS icon on the toolbar.
      2. Choose Start FreeRADIUS.net in DEBUG Mode from the shortcut menu to start the RADIUS service.

  2. Configure interconnection parameters on eSight.

    1. Choose System > System Settings > System Interconnection.
    2. Select Authentication to RADIUS.
    3. Set RADIUS authentication parameters in terms of the basic settings, client, custom attribute, and authentication.

      Table 3-13 RADIUS authentication parameters (columns: Parameter, Description, How to Set)

      Basic settings

        Server IP
          Description: IP address of the authentication server.
          How to set: Use the same value as that on the RADIUS authentication server.

        Standby server IP
          Description: IP address of the standby RADIUS server in a two-node cluster.
          How to set: Mandatory when the RADIUS server is deployed in a two-node cluster. Use the same value as that on the RADIUS authentication server.

        Authentication server port
          Description: Port for data communication between the authentication server and the eSight server. Default value: 1812.
          How to set: Use the same value as that on the RADIUS authentication server.

        RADIUS authentication
          Description: RADIUS authentication mode: PAP, CHAP, MS-CHAP, or MS-CHAPv2. Default value: CHAP.
          How to set: Use the same value as that on the RADIUS authentication server.

        Shared password
          Description: Shared secret used by the RADIUS authentication protocol.
          How to set: Use the same value as that on the RADIUS authentication server.

      RADIUS client

        Configure the client information for logging in to the RADIUS server
          Description: Select this option if you need to specify the client IP address and port number explicitly. The eSight server is the RADIUS client.
          How to set: By default, eSight obtains the eSight server IP address and port number automatically. Specify them in any of the following scenarios:
            • The eSight server has multiple network adapters and the automatically obtained IP address differs from the IP address eSight actually uses.
            • A firewall exists between the eSight server and the RADIUS authentication server, and the port number must be specified so that the traffic can be permitted.
            • Other scenarios where the IP address and port number must be specified.

        Client IP address
          Description: eSight server IP address.

        Client port
          Description: Port number for data communication between the eSight server and the RADIUS server.

      Custom Attribute

        Specify custom attributes from authentication requests
          Description: Whether the client must carry vendor identifiers in authentication requests.
          How to set: Mandatory when the client is required to carry vendor identifiers for authentication.
            • Vendor identifier: Enter the identifier that represents Huawei and is recognized by the RADIUS server.
            • Custom attribute: Set parameters as required.

        Vendor ID
          Description: Huawei identifier that the RADIUS server recognizes.

        Custom Attribute
          Description: Attribute negotiated between the RADIUS server and Huawei.

      Authentication

        Bound role obtaining
          Description: eSight obtains the roles of login users in one of the following modes:
            • Query the list of bound roles from the eSight server
            • Obtain the role list from default attributes in response packets
            • Obtain the role list from custom attributes in response packets
          Default value: Obtain the role list from default attributes in response packets.
          How to set: The mode is determined by the configuration on the RADIUS authentication server.
            • If user roles are not configured on the authentication server, use Query the list of bound roles from the eSight server. In this case, create the user on eSight and bind it to a role.
              NOTE: In this scenario, the password set when the user is created on eSight does not take effect; only the password on the RADIUS authentication server is valid.
            • If the authentication server returns the user role list in a default attribute, use Obtain the role list from default attributes in response packets. The default attribute the RADIUS server uses for the user role list is Reply-Message.
            • If the authentication server returns the user role list in a custom attribute, use Obtain the role list from custom attributes in response packets. In this case, set Custom Attribute.
              NOTE: If either of the last two modes is used, ensure that at least one role in the role list returned by the authentication server exists on eSight.

        Attribute type ID
          Description: Name of a specific attribute in the user data model of the RADIUS authentication server.
          How to set: Mandatory when Bound role obtaining is set to Obtain the role list from custom attributes in response packets. Use the same value as that on the RADIUS authentication server. For example, if the user data model of the RADIUS server contains:

            18 = "Administrator;SMManger"

          then set Attribute type ID to 18 on eSight.

        Role name separator
          Description: Character that separates roles in the role list defined on the RADIUS authentication server.
          How to set: Mandatory when Bound role obtaining is set to Obtain the role list from default attributes in response packets or Obtain the role list from custom attributes in response packets. Use the same value as that on the RADIUS authentication server. For example, if the user data model of the RADIUS server contains:

            Reply-Message = "Administrator;SMManger"

          then set Role name separator to ; on eSight.

    4. Click Apply.

      RADIUS-based remote authentication is enabled immediately.
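The following is an added example, not eSight or FreeRADIUS code, written to illustrate two parts of this page in working form: the RADIUS authentication exchange described in the Context section (an RFC2865 Access-Request in CHAP mode, the server's check of it, and the client's verification of the reply with the shared secret), and the role extraction that the Bound role obtaining, Attribute type ID and Role name separator settings in Table 3-13 describe. The shared secret, user, password, role lists and the "Operators;Guests" custom value are constructed for the example. Carrying the custom attribute as a Vendor-Specific attribute (RFC2865 section 5.26) under Huawei's IANA enterprise number 2011 is this example's assumption about how such an attribute would be transported; substitute whatever the RADIUS server is actually configured with.

```python
"""Added example (not eSight or FreeRADIUS code): a minimal RFC 2865 RADIUS
exchange in CHAP mode plus the role extraction described for eSight's
"Bound role obtaining" modes. All values below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, REPLY_MESSAGE, VENDOR_SPECIFIC, CHAP_CHALLENGE = 1, 3, 18, 26, 60


def attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Walk the TLV attribute list; reject truncated or under-length entries."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def chap_password(chap_id, password, challenge):
    """RFC 2865 5.3: CHAP ident followed by MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()
    return bytes([chap_id]) + digest


def build_access_request(ident, username, password):
    """What the eSight server (RADIUS client) sends; authenticator and challenge are random."""
    request_auth, challenge = os.urandom(16), os.urandom(16)
    body = (attr(USER_NAME, username.encode())
            + attr(CHAP_PASSWORD, chap_password(ident, password, challenge))
            + attr(CHAP_CHALLENGE, challenge))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_respond(request, secret, users, reply_attrs):
    """RADIUS server side: check CHAP against the stored cleartext password and
    sign the reply with the Response Authenticator (RFC 2865 section 3)."""
    ident, request_auth = request[1], request[4:20]
    attrs = dict(parse_attrs(request[20:]))
    name = attrs.get(USER_NAME, b"").decode()
    chap = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, request_auth)  # RFC 2865: defaults to the Request Authenticator
    expected = chap_password(chap[0], users[name], challenge) if chap and name in users else None
    ok = expected is not None and hmac.compare_digest(chap, expected)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = b"".join(reply_attrs) if ok else b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def client_check_response(request, response, secret):
    """Client side: accept a reply only if its ID matches the request and the
    Response Authenticator verifies under the shared secret."""
    if response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute (RFC 2865 5.26): Vendor-Id, then vendor Type/Length/Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def roles_from_response(response, mode, separator, attr_type=REPLY_MESSAGE,
                        vendor_id=None, vendor_type=None):
    """Role list as the eSight modes describe: "default" reads attribute attr_type
    (Reply-Message, type 18, by default); "custom" reads a Vendor-Specific attribute
    for (vendor_id, vendor_type). The VSA transport is this example's assumption."""
    if response[0] != ACCESS_ACCEPT:
        return []
    length = struct.unpack("!H", response[2:4])[0]
    for atype, value in parse_attrs(response[20:length]):
        if mode == "default" and atype == attr_type:
            return [r for r in value.decode().split(separator) if r]
        if (mode == "custom" and atype == VENDOR_SPECIFIC and len(value) >= 4
                and struct.unpack("!I", value[:4])[0] == vendor_id):
            for vtype, vval in parse_attrs(value[4:]):
                if vtype == vendor_type:
                    return [r for r in vval.decode().split(separator) if r]
    return []


def effective_roles(roles, esight_roles):
    """Keep only roles that exist on eSight; at least one must remain (see the NOTE in Table 3-13)."""
    kept = [r for r in roles if r in esight_roles]
    if not kept:
        raise PermissionError("no role from the authentication server exists on eSight")
    return kept
```

Both `server_respond` and `client_check_response` compare digests with `hmac.compare_digest`; with MD5-based RADIUS authenticators the shared secret is the only thing protecting the reply from being forged, which is why the page recommends keeping eSight and the RADIUS server in one trusted domain.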

Updated: 2019-06-30

Document ID: EDOC1100044378