NE40E V800R010C10SPC500 Configuration Guide - User Access 01

(Optional) Configuring Negotiated Parameters of the RADIUS Server

A RADIUS server and the NE40E must use the same RADIUS parameters and message format to communicate.

Context

The negotiated parameters specify the conventions of the RADIUS protocol and message format used for communication between the RADIUS server and the NE40E. The negotiated parameters are as follows:

  • RADIUS protocol version

    The NE40E supports the standard RADIUS protocol, RADIUS+1.0, and RADIUS+1.1.

    • The standard RADIUS protocol is based on RFC 2865.

    • RADIUS+1.0 is a Huawei private RADIUS protocol, compatible with the early versions in which the standard vendor-ID is not defined. For the RADIUS attributes supported by this version.

    • RADIUS+1.1 is an extension of RFC2865, supporting more Huawei private RADIUS attributes. For the RADIUS attributes supported by this version.

  • Key

    The key is used to encrypt user passwords and generate the response authenticator. The RADIUS server encrypts the user password into an authentication packet by using the MD5 algorithm before sending the packet. This ensures the security of authentication data over the network.

    The key on the NE40E must be the same as that on the RADIUS server so that both parties of the authentication can identify each other. The key is case sensitive.

  • User name format

    On the NE40E, a user name is in the format of user@domain. Certain RADIUS servers do not support the user names that contain domain names. Therefore, you must set the format of the user name that the NE40E sends to the RADIUS server according to whether the user name containing the domain name is supported on the RADIUS server.

  • Traffic unit

    Different RADIUS servers may use different traffic units. The NE40E supports four traffic units (byte, Kbyte, Mbyte, and Gbyte) to meet the requirements of various RADIUS servers.

  • Retransmission parameters

    After sending a packet to the RADIUS server, if no response is returned within the specified time, the NE40E resends the packet. In this manner, authentication or accounting information will not be lost due to temporary congestion on the network.

    Retransmission parameters of the RADIUS server include the timeout period and the number of retransmissions.

  • Case sensitivity of RADIUS attribute names

    Some RADIUS servers support case-sensitive RADIUS attributes. At present, only the HW-QoS-Profile-Name attribute is case-sensitive.

  • Number of pending packets

    Pending packets are packets that have been sent but have not yet been responded to. The RADIUS server can concurrently process only a certain number of pending packets. Therefore, the number of pending packets must be restricted.

Perform the following steps on the router:

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run radius-server packet statistics algorithm { version1 | version2 }

    The mode for collecting statistics about RADIUS authentication request and response packets is configured.

    If version1 is specified in the radius-server packet statistics algorithm command, the radiusAccClientRequests object of the MIB collects statistics about authentication request packets and retransmitted authentication request packets, and the radiusAccClientResponses object of the MIB collects all authentication response packets, including authentication success, failure, and challenge packets and incorrect response packets. In the display radius-server packet ip-address ip-address authentication command output, the Access Requests field indicates the number of authentication request packets, and the Access Accepts field indicates the number of authentication success packets.

    If version2 is specified in the radius-server packet statistics algorithm command, the radiusAccClientRequests object of the MIB collects statistics about authentication request packets and retransmitted authentication request packets, and the radiusAccClientResponses object of the MIB collects all authentication response packets, including authentication success, failure, and challenge packets and incorrect response packets. In the display radius-server packet ip-address ip-address authentication command output, the Access Requests field indicates the total number of authentication request packets and retransmitted authentication request packets, and the Access Accepts field indicates the total number of all authentication response packets, including authentication success, failure, and challenge packets and incorrect response packets.

  3. Run radius-server group group-name

    The RADIUS server group view is displayed.

  4. Run radius-server type { standard | plus10 | plus11 }

    The protocol version of the RADIUS server is configured.

  5. Run radius-server { shared-key key-string | shared-key-cipher key-string-cipher } [ { authentication | accounting } ip-address [ vpn-instance instance-name ] port-number [ weight weight ] ]

    The key of the RADIUS server is configured.

    You can configure a key on the NE40E for each RADIUS server.

  6. Run radius-server user-name { domain-included | original }

    The format of the user name contained in the RADIUS packets is configured.

  7. Run radius-server admin-user domain-exclude enable

    The device is enabled to apply the undo radius-server user-name domain-included command configuration to the default management domain or the domain with the adminuser-priority level command configured.

  8. Run radius-attribute apply user-name match user-type { ipoe | pppoe }

    The router replaces the user name with the user name delivered by the RADIUS server.

  9. Run radius-server traffic-unit { byte | gbyte | kbyte | mbyte }

    The traffic unit of the RADIUS packets is configured.

    This command is invalid for the RADIUS servers that do not measure traffic by bytes and the RADIUS servers that use the standard RADIUS protocol.

  10. Run radius-server { retransmit retry-times | timeout timeout-value }*

    If you want to configure the number of transmission times and retransmission timeout period for either all RADIUS authentication servers or RADIUS accounting servers, run the radius-server { authentication | accounting } retransmit retry-times timeout timeout-value command.

  11. Run radius-attribute agent-circuit-id format { cn | tr-101 }

    The ID format of the circuit through which RADIUS packets are transmitted to the upstream device is set.

  12. Run radius-server called-station-id include { ap-ip account-request | [ delimiter delimiter ] { ap-mac [ mac-format type1 ] [ delimiter delimiter ] | ssid [ delimiter delimiter] }* }

    The method of constructing the No. 30 RADIUS public attribute is set.

  13. Run radius-server calling-station-id include [ delimiter delimiter ] { domain [ delimiter delimiter ] | mac [ mac-format type1 ] [ delimiter delimiter ] | interface [ delimiter delimiter ] | sysname [ delimiter delimiter | option82 [ delimiter delimiter ] ] }*

    The method of constructing the No. 31 RADIUS public attribute is set.

  14. Run radius-server attribute case-sensitive attribute-name

    NOTE:
    • At present, only the HW-QoS-Profile-Name attribute is case-sensitive.

    • The QoS profile name on the router must be the same as the QoS profile name that a RADIUS server delivers. If the two names differ in case, the inconsistency causes the router to use QoS policies incorrectly.

  15. Run radius-server { accounting | authentication } [ip-address [ vpn-instance vpn-instance-name ] ] [ port ] pending-limit max-number

    The maximum number of pending packets that can be sent to the RADIUS server is set.

  16. Run radius-server accounting-start-packet send after-ppp

    The NE40E is configured to send Accounting Start packets to the RADIUS server after NCP goes Up for PPPv6 users that use DHCPv6 to obtain IPv6 addresses.

Updated: 2019-01-03

Document ID: EDOC1100055031
