No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE40E V800R010C10SPC500 Configuration Guide - User Access 01

This is NE40E V800R010C10SPC500 Configuration Guide - User Access
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Dynamic ACL Delivery Through the RADIUS Server

Example for Configuring Dynamic ACL Delivery Through the RADIUS Server

This section provides an example for configuring dynamic ACL delivery through the RADIUS server.

Networking Requirements

On the network shown in Figure 3-3, users in the domain named huawei access the network through Device A. Device B functions as the access server for the target network. The users can access the target network only through Device A and Device B and after they are being authenticated by the remote server. Remote authentication on Device B is as follows:

  • RADIUS servers are used to perform authentication on the access users.

  • The RADIUS server at 10.7.66.66/24 functions as the master authentication server, and the RADIUS server at 10.7.66.67/24 functions as the backup authentication server. The default authentication port number 1812 is used.

Figure 3-3 Configuring dynamic ACL delivery through the RADIUS server

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a RADIUS server group, an authentication scheme, and dynamic ACL delivery.

  2. Bind the RADIUS server group and authentication scheme and apply dynamic ACL delivery to the domain.

NOTE:

Run the adminuser-priority command in the domain view if you want to configure a user not in the default_admin domain to log in as the administrator. The domain must be configured as the authentication domain for BAS access users.

Data Preparation

To complete the configuration, you need the IP addresses of the master and backup RADIUS authentication servers.

Procedure

  1. Configure a RADIUS server group, an authentication scheme, and dynamic ACL delivery.

    # Configure a RADIUS server group named shiva.

    <Device> system-view
    [~Device] radius-server group shiva

    # Configure an IP address and a port number for the master RADIUS authentication server.

    [*Device-radius-shiva] radius-server authentication 10.7.66.66 1812

    # Configure an IP address and a port number for the backup RADIUS authentication server.

    [*Device-radius-shiva] radius-server authentication 10.7.66.67 1812

    # Configure a shared key and the number of retransmissions for the RADIUS server group.

    [*Device-radius-shiva] radius-server shared-key-cipher it-is-my-secret1
    [*Device-radius-shiva] radius-server retransmit 2
    [*Device-radius-shiva] commit
    [~Device-radius-shiva] quit

    # Configure dynamic ACL delivery through the RADIUS server.

    [~Device] aaa
    [~Device-aaa] remote-download acl enable

    # Configure authentication scheme 1, with RADIUS as the authentication mode.

    [~Device-aaa] authentication-scheme 1
    [*Device-aaa-authen-1] authentication-mode radius
    [*Device-aaa-authen-1] commit
    [~Device-aaa-authen-1] quit

  2. Configure a domain named huawei and bind authentication scheme 1 and RADIUS server group shiva to the domain.

    [~Device-aaa] domain huawei
    [*Device-aaa-domain-huawei] authentication-scheme 1
    [*Device-aaa-domain-huawei] radius-server group shiva
    [*Device-aaa-domain-huawei] commit
    [*Device-aaa-domain-huawei] quit

  3. Configure user templates and BAS interfaces.

    [~Device-aaa] default-password template huawei cipher huawei123
    [~Device-aaa] default-user-name template huawei include sysname
    [*Device-aaa] commit
    [*Device-aaa] quit

    [~Device] interface GigabitEthernet 1/0/1.1 
    [*Device-GigabitEthernet1/0/1.1] commit
    [~Device-GigabitEthernet1/0/1.1] user-vlan 1
    [~Device-GigabitEthernet1/0/1.1-vlan-1-1] quit
    [~Device-GigabitEthernet1/0/1.1] bas
    [~Device-GigabitEthernet1/0/1.1-bas] access-type layer2-subscriber default-domain authentication huawei
    [~Device-GigabitEthernet1/0/1.1-bas] authentication-method bind
    [*Device-GigabitEthernet1/0/1.1-bas] user detect retransmit 2 interval 0 
    [*Device-GigabitEthernet1/0/1.1-bas] default-user-name-template huawei
    [*Device-GigabitEthernet1/0/1.1-bas] commit
    [~Device-GigabitEthernet1/0/1.1-bas] default-password-template huawei 
    [~Device-GigabitEthernet1/0/1.1-bas] quit
    [~Device-GigabitEthernet1/0/1.1] quit

  4. Verify the configuration.

    Run the display aaa remote-download acl item verbose command on the router to check RADIUS server group configurations.

    <HUAWEI> display aaa remote-download acl item verbose
    -------------------------------------------------------------------------------
     ClassifierName                    ReferedNumByUser  RuleNumber  ClassifierType
    -------------------------------------------------------------------------------
     c1                                1                 1           remote
    -------------------------------------------------------------------------------
     rc=c1;
       rule:(number: 1)
         ipv4;ruleid=5;dir=in;su-group=huawei;dipv4=3.1.0.1/24;
     rb=b1;
         deny;
     The used user-id table are : 
      0
    -------------------------------------------------------------------------------
     Total Classifier-Behavior Number : 1 

Configuration Files

#
sysname HUAWEI
#
user-group huawei
#                                                                                
radius-server group shiva                                                       
 radius-server authentication 10.7.66.66 1812 weight 0                         
 radius-server authentication 10.7.66.67 1812 weight 0                                                    
 radius-server shared-key-cipher %^%#h{FXVBLZX9#`VI]EWUUaOSHGd5E!.1DGeVYEie=%^%                                       
 radius-server retransmit 2                                                  
#                                                                               
aaa 
 remote-download acl enable
 default-password template huawei cipher %^%#M*p1,itN!4kQo5%Dc1s(whyJCM@xt0u[,,XMWG/O%^%
 default-user-name template huawei include sysname                                                                            
 #
 authentication-scheme 1                                                        
 #                                                                              
 authorization-scheme default                                                                                                      
 #                                                                              
 domain huawei                                                                   
  authentication-scheme 1                                                                                                                    
  radius-server group shiva   
  ip-pool huawei
  user-group huawei 
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/1.1
 user-vlan 1
 bas
 #
  access-type layer2-subscriber default-domain authentication huawei
  authentication-method bind
  user detect retransmit 2 interval 0
  default-user-name-template huawei
  default-password-template huawei
#
#  
return                                                                                              
Translation
Download
Updated: 2019-01-03

Document ID: EDOC1100055031

Views: 17318

Downloads: 70

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next