No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE40E V800R010C10SPC500 Configuration Guide - User Access 01

This is NE40E V800R010C10SPC500 Configuration Guide - User Access
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring RADIUS for User Authentication and Accounting (Through Flexible Interoperation of RADIUS Attributes)

Example for Configuring RADIUS for User Authentication and Accounting (Through Flexible Interoperation of RADIUS Attributes)

This section provides an example for configuring RADIUS for user authentication and accounting. When a Huawei device interoperates with a RADIUS server, the RADIUS attributes supported by the two devices may be different. Python scripts can be loaded to implement flexible interoperation of RADIUS attributes. The example provides the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

As shown in Figure 3-4, users access the network by logging in to Device A and the users belong to the domain huawei. Device B functions as an access server on the target network. To access the target network, users must first traverse the networks on which Device A and Device B reside and can access the network through Device B after being authenticated by a remote RADIUS server. Remote authentication and accounting modes on Device B are as follows:

  • The RADIUS server performs authentication and accounting for access users.

  • The RADIUS server with an IP address of 10.7.66.66/24 functions as the master authentication and accounting server, whereas the RADIUS server with an IP address of 10.7.66.67/24 functions as the backup authentication and accounting server. The default authentication port number and accounting port number are 1812 and 1813, respectively.

However, when Device B interoperates with the RADIUS server, the attributes carried in authentication and accounting request packets are not all the same. Therefore, you need to load the python script package to implement flexible interoperation of RADIUS attributes.

Figure 3-4 Networking for configuring RADIUS for user authentication and accounting

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a RADIUS server group, an authentication scheme, and an accounting scheme.

  2. Bind the RADIUS server group, authentication scheme, and accounting scheme to the domain.

  3. Load the python script package.

  4. Configure a python policy template.

  5. Bind the python policy template to the RADIUS server group.

NOTE:

The python script package must have been uploaded to the cfcard: directory.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of the master and backup RADIUS authentication servers

  • IP addresses of the master and backup RADIUS accounting servers

  • Python script package

  • access-request.py, the python script that processes Access-Request packets

  • acct-request.py, the python script that processes Accounting-Request packets

Procedure

  1. Configure a RADIUS server group, an authentication scheme, and an accounting scheme.

    # Configure a RADIUS server group named shiva.

    <HUAWEI> system-view
    [~Device] radius-server group shiva

    # Configure an IP address and a port number for the master RADIUS authentication and accounting server.

    [*Device-radius-shiva] radius-server authentication 10.7.66.66 1812
    [*Device-radius-shiva] radius-server accounting 10.7.66.66 1813

    # Configure an IP address and a port number for the backup RADIUS authentication and accounting server.

    [*Device-radius-shiva] radius-server authentication 10.7.66.67 1812
    [*Device-radius-shiva] radius-server accounting 10.7.66.67 1813

    # Configure a shared key and the number of retransmissions for the RADIUS server.

    [*Device-radius-shiva] radius-server shared-key-cipher it-is-my-secret1
    [*Device-radius-shiva] radius-server retransmit 2
    [*Device-radius-shiva] commit
    [~Device-radius-shiva] quit

    # Enter the AAA view.

    [~Device] aaa

    # Configure authentication scheme 1, with RADIUS as the authentication mode.

    [~Device-aaa] authentication-scheme 1
    [*Device-aaa-authen-1] authentication-mode radius
    [*Device-aaa-authen-1] commit
    [~Device-aaa-authen-1] quit

    # Configure accounting scheme 1, with RADIUS as the accounting mode.

    [~Device-aaa] accounting-scheme 1
    [~Device-aaa-accounting-1] accounting-mode radius
    [*Device-aaa-accounting-1] commit
    [~Device-aaa-accounting-1] quit

  2. Configure a domain named huawei and bind authentication scheme 1, accounting scheme 1, and RADIUS server group shiva to the domain.

    [~Device-aaa] domain huawei
    [*Device-aaa-domain-huawei] authentication-scheme 1
    [*Device-aaa-domain-huawei] accounting-scheme 1
    [*Device-aaa-domain-huawei] radius-server group shiva
    [*Device-aaa-domain-huawei] commit

  3. Enable the python script extension function.

    <HUAWEI> system-view
    [~HUAWEI] access enable python extend script-package V800R010C10SPC500.zip
    [*HUAWEI] commit

  4. Configure a python policy template for packet processing.

    # Create a python policy template.

    [~HUAWEI] access python-policy py
    [*HUAWEI-python-policy py] commit

    # Configure the association between packets and scripts in the python policy template named py.

    [~HUAWEI-python-policy py] protocol radius packet access-request direction egress python-script access-request.py
    [*HUAWEI-python-policy py] protocol radius packet accounting-request direction egress python-script acct-request.py
    [*HUAWEI-python-policy py] protocol radius packet process-fail passthrough
    [*HUAWEI-python-policy py] commit
    [~HUAWEI-python-policy py] quit

  5. Bind the RADIUS server group to the python policy template.

    [~HUAWEI] radius-server group shiva
    [*HUAWEI-radius-shiva] python-policy huawei
    [*HUAWEI-radius-shiva] commit

  6. Verify the configuration.

    Run the routerdisplay radius-server configuration group shiva command on the router to view the RADIUS server group configuration. The command output shows that the RADIUS server group configuration meets the requirements.

    <HUAWEI> display radius-server configuration group shiva
      -------------------------------------------------------
      Server-group-name    :  shiva
      Authentication-server:  IP:10.7.66.66 Port:1812 Weight[0] [UP]
                              Vpn: -
      Authentication-server:  IP:10.7.66.67 Port:1812 Weight[0] [UP]
                              Vpn: -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Accounting-server    :  IP:10.7.66.66 Port:1813 Weight[0] [UP]
                              Vpn: -
      Accounting-server    :  IP:10.7.66.67 Port:1813 Weight[0] [UP]
                              Vpn: -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Protocol-version     :  radius
      Shared-secret-key    :  ******
      Retransmission       :  2
      Timeout-interval(s)  :  5
      Acct-Stop-Packet Resend  :  NO
      Acct-Stop-Packet Resend-Times  :  0
      Traffic-unit         :  B
      ClassAsCar           :  NO
      User-name-format     :  Domain-included
      Option82 parse mode  :  -
      Attribute-translation:  NO
      Packet send algorithm:  Master-Backup
      Tunnel password      :  cipher
    

    Run the display domain domain-name command on the router to view the domain configuration.

    <HUAWEI> display domain huawei
      ------------------------------------------------------------------------------
      Domain-name                     : huawei
      Domain-state                    : Active
      Authentication-scheme-name      : 1
      Accounting-scheme-name          : 1
      Authorization-scheme-name       :
      Primary-DNS-IP-address          : -
      Second-DNS-IP-address           : -
      Primary-NBNS-IP-address         : -
      Second-NBNS-IP-address          : -
      User-group-name                 : -
      Idle-data-attribute (time,flow) : 0, 60
      Install-BOD-Count               : 0
      Report-VSM-User-Count           : 0
      Value-added-service             : COPS
      User-access-limit               : 279552
      Online-number                   : 0
      Web-IP-address                  : -
      Web-URL                         : -
      Portal-server-IP                : -
      Portal-URL                      : -
      Portal-force-times              : 2
      PPPoE-user-URL                  : Disable
      IPUser-ReAuth-Time(second)      : 300
      Ancp auto qos adapt             : Disable
      RADIUS-server-template          : shiva
      Two-acct-template               : -
      HWTACACS-server-template        : -
      Bill Flow                       : Disable
      Tunnel-acct-2867                : Disabled
    
      Flow Statistic:
      Flow-Statistic-Up               : Yes
      Flow-Statistic-Down             : Yes
      Source-IP-route                 : Disable
      IP-warning-threshold            : -
      Multicast Forwarding            : Yes
      Multicast Virtual               : No
      Max-multilist num               : 4
      Multicast-profile               : -
      Quota-out                     : Offline
      ------------------------------------------------------------------------------
    

    Run the display access python-script information command on the router to view related information about the loading of a+ python script package.

    <HUAWEI> display access python-script information
      Script Package Name                       : cfcard:/V800R010C10SPC500.zip
      Script Package Version                    : V800R010C10SPC500
      Script Package Run Time                   : 2018-05-21 05:06:22
      Script Info:
      ---------------------------------------------------------------
      ScriptName                                State
      ---------------------------------------------------------------
      acct-request.py                           Running
      access-request.py                         Running
      ---------------------------------------------------------------
      Total = 2
    

Configuration Files

#
sysname HUAWEI
#                                                                               
 radius-server group shiva                                                       
 radius-server authentication 10.7.66.66 1812 weight 0                         
 radius-server authentication 10.7.66.67 1812 weight 0                         
 radius-server accounting 10.7.66.66 1813 weight 0                             
 radius-server accounting 10.7.66.67 1813 weight 0                             
 radius-server shared-key-cipher %^%#h{FXVBLZX9#`VI]EWUUaOSHGd5E!.1DGeVYEie=%^%                                       
 radius-server retransmit 2                                                    
 python-policy py
#                                                                               
aaa                                                                             
  authentication-scheme 1                                                        
  authentication-mode radius                                                   
 #                                                                              
 authorization-scheme default                                                   
 #                                                                              
  accounting-scheme 1                                                            
  accounting-mode radius                                                        
 #                                                                              
 domain huawei                                                                   
  authentication-scheme 1                                                        
  accounting-scheme 1                                                            
  radius-server group shiva                                                     
#
access enable python extend script-package cfcard:/V800R010C10SPC500c.zip
#
access python-policy py
 protocol radius packet access-request direction egress python-script access-request.py
 protocol radius packet accounting-request direction egress python-script acct-request.py
#
#
return
Translation
Download
Updated: 2019-01-03

Document ID: EDOC1100055031

Views: 17264

Downloads: 70

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next