NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Example for Performing Authentication and Accounting for Users by Using RADIUS

This section provides an example for performing authentication and accounting by using RADIUS, including networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

As shown in Figure 3-2, users access the network through Device A and belong to the domain named huawei. Device B functions as the access server for the destination network. To access the destination network, users must traverse the network where Device A and Device B reside and pass remote authentication by the access server. After that, users can access the network through Device B. Remote authentication is implemented on Device B as follows:

  • The RADIUS server performs authentication and accounting for access users.

  • The RADIUS server at 10.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server at 10.7.66.67/24 functions as the secondary authentication and accounting server. The default port numbers for authentication and accounting are 1812 and 1813 respectively.

Figure 3-2 Networking diagram of performing authentication and accounting for users by using RADIUS

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a RADIUS server group, an authentication scheme, and an accounting scheme on Device B.

  2. Apply the RADIUS server group, authentication scheme, and accounting scheme on Device B to the domain.

NOTE:

For administrators, the domain must be the default domain default_admin of administrators. If you want users from another domain to log in as administrators, run the adminuser-priority command in this domain. For BAS access users, the domain must be the authentication domain of BAS access users.

Data Preparation

To complete the configuration, you need the following data:

  • IP address of the primary (secondary) RADIUS authentication server

  • IP address of the primary (secondary) RADIUS accounting server

Procedure

  1. Configure a RADIUS server group, an authentication scheme, and an accounting scheme.

    # Configure a RADIUS server group named shiva.

    <Device> system-view
    [~Device] radius-server group shiva

    # Configure the IP addresses and port numbers of the primary RADIUS authentication and accounting servers.

    [*Device-radius-shiva] radius-server authentication 10.7.66.66 1812
    [*Device-radius-shiva] radius-server accounting 10.7.66.66 1813

    # Configure the IP addresses and port numbers of the secondary RADIUS authentication and accounting servers.

    [*Device-radius-shiva] radius-server authentication 10.7.66.67 1812
    [*Device-radius-shiva] radius-server accounting 10.7.66.67 1813

    # Set the key and the number of retransmission attempts for the RADIUS server.

    [*Device-radius-shiva] radius-server shared-key-cipher it-is-my-secret1
    [*Device-radius-shiva] radius-server retransmit 2
    [*Device-radius-shiva] commit
    [~Device-radius-shiva] quit

    # Enter the AAA view.

    [~Device] aaa

    # Configure authentication scheme 1, with the authentication mode being RADIUS.

    [~Device-aaa] authentication-scheme 1
    [*Device-aaa-authen-1] authentication-mode radius
    [*Device-aaa-authen-1] commit
    [~Device-aaa-authen-1] quit

    # Configure accounting scheme 1, with the accounting mode being RADIUS.

    [~Device-aaa] accounting-scheme 1
    [*Device-aaa-accounting-1] accounting-mode radius
    [*Device-aaa-accounting-1] commit
    [~Device-aaa-accounting-1] quit

  2. Configure a domain named huawei and apply authentication scheme 1, accounting scheme 1, and RADIUS server group shiva in the domain.

    [~Device-aaa] domain huawei
    [*Device-aaa-domain-huawei] authentication-scheme 1
    [*Device-aaa-domain-huawei] accounting-scheme 1
    [*Device-aaa-domain-huawei] radius-server group shiva
    [*Device-aaa-domain-huawei] commit

  3. Verify the configuration.

    Run the display radius-server configuration group shiva command on the router, and you can see that the configurations of the RADIUS server group meet the requirements.

    <Device> display radius-server configuration group shiva
      -------------------------------------------------------
      Server-group-name    :  shiva
      Authentication-server:  IP:10.7.66.66 Port:1812 Weight[0] [UP]
                              Vpn: -
      Authentication-server:  IP:10.7.66.67 Port:1812 Weight[0] [UP]
                              Vpn: -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Accounting-server    :  IP:10.7.66.66 Port:1813 Weight[0] [UP]
                              Vpn: -
      Accounting-server    :  IP:10.7.66.67 Port:1813 Weight[0] [UP]
                              Vpn: -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Protocol-version     :  radius
      Shared-secret-key    :  ******
      Retransmission       :  2
      Timeout-interval(s)  :  5
      Acct-Stop-Packet Resend  :  NO
      Acct-Stop-Packet Resend-Times  :  0
      Traffic-unit         :  B
      ClassAsCar           :  NO
      User-name-format     :  Domain-included
      Option82 parse mode  :  -
      Attribute-translation:  NO
      Packet send algorithm:  Master-Backup
      Tunnel password      :  cipher
    

    Run the display domain domain-name command on the router, and you can view the configurations of the domain.

    <Device> display domain huawei
      ------------------------------------------------------------------------------
      Domain-name                     : huawei
      Domain-state                    : Active
      Authentication-scheme-name      : 1
      Accounting-scheme-name          : 1
      Authorization-scheme-name       :
      Primary-DNS-IP-address          : -
      Second-DNS-IP-address           : -
      Primary-NBNS-IP-address         : -
      Second-NBNS-IP-address          : -
      User-group-name                 : -
      Idle-data-attribute (time,flow) : 0, 60
      Install-BOD-Count               : 0
      Report-VSM-User-Count           : 0
      Value-added-service             : COPS
      User-access-limit               : 279552
      Online-number                   : 0
      Web-IP-address                  : -
      Web-URL                         : -
      Portal-server-IP                : -
      Portal-URL                      : -
      Portal-force-times              : 2
      PPPoE-user-URL                  : Disable
      IPUser-ReAuth-Time(second)      : 300
      Ancp auto qos adapt             : Disable
      RADIUS-server-template          : shiva
      Two-acct-template               : -
      HWTACACS-server-template        : -
      Bill Flow                       : Disable
      Tunnel-acct-2867                : Disabled
    
      Flow Statistic:
      Flow-Statistic-Up               : Yes
      Flow-Statistic-Down             : Yes
      Source-IP-route                 : Disable
      IP-warning-threshold            : -
      Multicast Forwarding            : Yes
      Multicast Virtual               : No
      Max-multilist num               : 4
      Multicast-profile               : -
      Quota-out                     : Offline
      ------------------------------------------------------------------------------
    

Configuration Files

#
sysname Device
#
radius-server group shiva
 radius-server authentication 10.7.66.66 1812 weight 0
 radius-server authentication 10.7.66.67 1812 weight 0
 radius-server accounting 10.7.66.66 1813 weight 0
 radius-server accounting 10.7.66.67 1813 weight 0
 radius-server shared-key-cipher %^%#h{FXVBLZX9#`VI]EWUUaOSHGd5E!.1DGeVYEie=%^%
 radius-server retransmit 2
#
aaa
 authentication-scheme 1
  authentication-mode radius
 #
 authorization-scheme default
 #
 accounting-scheme 1
  accounting-mode radius
 #
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server group shiva
#
return
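
The following is an added example, not part of the Huawei guide: a Python check that parses a configuration file in the layout shown above and reports where the domain's scheme modes, RADIUS server group binding, or server addresses differ from the plan. The names `parse`, `audit`, `PLAN` and `SAMPLE` are hypothetical, and the sample text is constructed.

```python
# Constructed sample in the page's config-file layout, then the planned servers from its requirements.
SAMPLE = """\
radius-server group shiva
 radius-server authentication 10.7.66.66 1812 weight 0
 radius-server authentication 10.7.66.67 1812 weight 0
 radius-server accounting 10.7.66.66 1813 weight 0
 radius-server accounting 10.7.66.67 1813 weight 0
#
aaa
 authentication-scheme 1
  authentication-mode radius
 accounting-scheme 1
  accounting-mode radius
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server group shiva
"""
PLAN = {"authentication": [("10.7.66.66", 1812), ("10.7.66.67", 1812)],
        "accounting": [("10.7.66.66", 1813), ("10.7.66.67", 1813)]}

def parse(text):
    """Return (server groups, AAA views keyed by their header words)."""
    groups, views, top, sub = {}, {}, [], []
    for raw in text.splitlines():
        w, indent = raw.split(), len(raw) - len(raw.lstrip())
        if not w or w[0] == "#":
            continue
        if indent == 0:                                  # new top-level view
            top, sub = w, []
        elif top[:2] == ["radius-server", "group"] and len(w) > 3 and w[1] in PLAN:
            groups.setdefault(top[2], {}).setdefault(w[1], []).append((w[2], int(w[3])))
        elif top == ["aaa"] and indent == 1:             # scheme or domain header
            sub = w
        elif top == ["aaa"]:                             # setting inside that view
            views.setdefault(tuple(sub), {})[" ".join(w[:-1])] = w[-1]
    return groups, views

def audit(text, domain, plan=PLAN):
    """List mismatches between the domain's RADIUS setup and the plan."""
    groups, views = parse(text)
    d, out = views.get(("domain", domain), {}), []
    group = groups.get(d.get("radius-server group"), {})
    for kind, want in plan.items():
        scheme = views.get((f"{kind}-scheme", d.get(f"{kind}-scheme")), {})
        if scheme.get(f"{kind}-mode") != "radius":
            out.append(f"{kind}: domain scheme is unbound or not in RADIUS mode")
        if group.get(kind) != want:
            out.append(f"{kind}: servers {group.get(kind)} differ from plan {want}")
    return out
```

`audit(SAMPLE, "huawei")` returns an empty list when the file matches the plan; each returned string names the role (authentication or accounting) that needs attention.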
Updated: 2019-01-03

Document ID: EDOC1100055031