NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Example for Configuring RADIUS Proxy Authentication

This section provides an example for configuring RADIUS proxy authentication, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

On the network shown in Figure 6-15, to allow WLAN users to access the network, configure RADIUS proxy authentication to allow EAP authentication on the AC and RADIUS accounting on the router. The user access process is as follows:
  1. A WLAN user sends an EAP packet to the AC. Upon receipt, the AC terminates the EAP packet, converts it to a RADIUS packet, and sends the RADIUS packet to the router.
  2. The router functions as a RADIUS proxy: it listens for the authentication packets sent by the AC, forwards them to the RADIUS server, and relays the authentication responses from the RADIUS server back to the AC. During this process, the router saves the authorization information that the RADIUS server delivers for the WLAN user.
  3. After being authenticated, the WLAN user sends DHCP packets to the router to obtain an IP address. The router first searches for the user's authorization information based on the MAC address. If matching authorization information exists, the router assigns an available IP address to the WLAN user and uses the saved authorization information to authorize the user. At the same time, the router sends an Accounting Start packet to the RADIUS server to start accounting for the WLAN user.
  4. The router responds to the accounting packets sent by the AC, without sending them to the RADIUS server.
Figure 6-15 Networking diagram for configuring RADIUS proxy authentication

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a RADIUS server group, an authentication scheme, an accounting scheme, and an address pool.
  2. Bind the RADIUS server group, authentication scheme, accounting scheme, and address pool to the domain.
  3. Configure RADIUS proxy.
  4. Configure BAS access.
  5. Configure an IP address to be accessed by the AC.
NOTE:

By default, five ports listen for RADIUS packets: 1812, 1813, 1645, 1646, and 3799. To have the router listen for RADIUS packets on another port, run the radius-server extended-source-ports port-number port-number command in the system view to specify the listening port.

Data Preparation

  • IP address of the RADIUS authentication server
  • IP address of the RADIUS accounting server
  • IP address of the AC interface that sends RADIUS packets

Procedure

  1. Configure a RADIUS server group, an authentication scheme, an accounting scheme, and an address pool.

    # Configure a RADIUS server group named shiva.

    <HUAWEI> system-view
    [~HUAWEI] radius-server group shiva
    [*HUAWEI-radius-shiva] radius-server authentication 10.1.123.151 1812
    [*HUAWEI-radius-shiva] radius-server accounting 10.1.123.151 1813
    [*HUAWEI-radius-shiva] commit
    [~HUAWEI-radius-shiva] quit

    # Configure a local address pool named pool1.

    [~HUAWEI] ip pool pool1 bas local
    [*HUAWEI-ip-pool-pool1] gateway 172.30.0.1 24
    [*HUAWEI-ip-pool-pool1] section 0 172.30.0.2 172.30.0.254
    [*HUAWEI-ip-pool-pool1] commit
    [~HUAWEI-ip-pool-pool1] quit
    

    # Configure an authentication scheme named rdp, with RADIUS proxy as the authentication mode.

    [~HUAWEI] aaa
    [~HUAWEI-aaa] authentication-scheme rdp
    [*HUAWEI-aaa-authen-rdp] authentication-mode radius-proxy
    [*HUAWEI-aaa-authen-rdp] commit
    [~HUAWEI-aaa-authen-rdp] quit
    

    # Configure an accounting scheme named rds, with RADIUS as the accounting mode.

    [~HUAWEI-aaa] accounting-scheme rds
    [*HUAWEI-aaa-accounting-rds] accounting-mode radius
    [*HUAWEI-aaa-accounting-rds] commit
    [~HUAWEI-aaa-accounting-rds] quit
    

  2. Configure a domain named radiusproxy and bind the authentication scheme rdp, accounting scheme rds, and RADIUS server group shiva to the domain.

    [~HUAWEI-aaa] domain radiusproxy
    [*HUAWEI-aaa-domain-radiusproxy] authentication-scheme rdp
    [*HUAWEI-aaa-domain-radiusproxy] accounting-scheme rds
    [*HUAWEI-aaa-domain-radiusproxy] radius-server group shiva
    [*HUAWEI-aaa-domain-radiusproxy] ip-pool pool1
    [*HUAWEI-aaa-domain-radiusproxy] commit
    [~HUAWEI-aaa-domain-radiusproxy] quit
    [~HUAWEI-aaa] quit

  3. Configure RADIUS proxy.

    [~HUAWEI] radius-client 10.1.0.201 server-group shiva shared-key-cipher !QAZ2wsx
    [*HUAWEI] commit
    NOTE:

    The IP address specified following radius-client is the IP address of the AC interface that sends RADIUS packets. In this example, the RADIUS server group bound to the domain is the same as that used for RADIUS proxy. In actual applications, the two RADIUS server groups can be different.

  4. Configure an IP address to be accessed by the AC.

    [~HUAWEI] interface GigabitEthernet 5/0/3
    [*HUAWEI-GigabitEthernet5/0/3] ip address 10.1.0.197 8
    [*HUAWEI-GigabitEthernet5/0/3] commit
    [~HUAWEI-GigabitEthernet5/0/3] quit
    NOTE:

    This IP address is configured for communication with the AC. The RADIUS authentication packets initiated on the AC are sent to this IP address. If the router has another IP address to communicate with the AC, this configuration is not needed.

  5. Configure BAS access on an interface.

    [~HUAWEI] interface GigabitEthernet 5/0/4
    [*HUAWEI-GigabitEthernet5/0/4] bas
    [*HUAWEI-GigabitEthernet5/0/4-bas] access-type layer2-subscriber default-domain authentication radiusproxy
    [*HUAWEI-GigabitEthernet5/0/4-bas] authentication-method bind
    [*HUAWEI-GigabitEthernet5/0/4-bas] commit
    NOTE:

    RADIUS proxy applies only to IPoE users and not PPPoE users.

  6. Verify the configuration.

    Run the display radius-server configuration group shiva command on the router to check RADIUS server group configurations.

    <HUAWEI> display radius-server configuration group shiva
      -------------------------------------------------------
      Server-group-name    :  shiva
      Authentication-server:  IP:10.1.123.151 Port:1812 Weight[0] [UP]
                              Vpn: -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Accounting-server    :  IP:10.1.123.151 Port:1813 Weight[0] [UP]
                              Vpn: -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Protocol-version     :  radius
      Shared-secret-key    :  ******
      Retransmission       :  3
      Timeout-interval(s)  :  5
      Acct-Stop-Packet Resend  :  NO
      Acct-Stop-Packet Resend-Times  :  0
      Traffic-unit         :  B
      ClassAsCar           :  NO
      User-name-format     :  Domain-included
      Option82 parse mode  :  -
      Attribute-translation:  NO
      Packet send algorithm:  Master-Backup
      Tunnel password      :  cipher 
    

    Run the display domain command on the router to check domain configurations.

    <HUAWEI> display domain radiusproxy
      ------------------------------------------------------------------------------
      Domain-name                     : radiusproxy
      Domain-state                    : Active
      Authentication-scheme-name      : rdp
      Accounting-scheme-name          : rds
      Authorization-scheme-name       : -
      Primary-DNS-IP-address          : -
      Second-DNS-IP-address           : -
      Primary-DNS-IPV6-address        : -
      Second-DNS-IPV6-address         : -
      Web-server-URL-parameter        : No
      Portal-server-URL-parameter     : No
      Primary-NBNS-IP-address         : -
      Second-NBNS-IP-address          : -
      Time-range                      : Disable
      Idle-cut direction              : Both
      Idle-data-attribute (time,flow) : 0, 60
      User detect interval            : 0s
      User detect retransmit times    : 0
      Install-BOD-Count               : 0
      Report-VSM-User-Count           : 0
      Value-added-service             : default
      User-access-limit               : 283648
      Online-number                   : 0
      Web-IP-address                  : -
      Web-URL                         : -
      Web-auth-server                 : -
      Web-auth-state                  : -
      Web-server-mode                 : get
      Slave Web-IP-address            : -
      Slave Web-URL                   : -
      Slave Web-auth-server           : -
      Slave Web-auth-state            : -
      Portal-server-IP                : -
      Portal-URL                      : -
      Portal-force-times              : 2
      Service-policy(Portal)          : -
      PPPoE-user-URL                  : Disable
      AdminUser-priority              : 16
      IPUser-ReAuth-Time              : 300s
      mscg-name-portal-key            : -
      Portal-user-first-url-key       : -
      User-session-limit              : 4294967295
      Ancp auto qos adapt             : Disable
      L2TP-group-name                 : -
      User-lease-time-no-response     : 0s
      RADIUS-server-template          : shiva
      Two-acct-template               : -
      RADIUS-server-pre-template      : -
                                        -
                                        -
      HWTACACS-server-template        : -
      Bill Flow                       : Disable
      Tunnel-acct-2867                : Disable
      Qos-profile-name inbound        : -
      Qos-profile-name outbound       : -
    
      Flow Statistic:
      Flow-Statistic-Up               : Yes
      Flow-Statistic-Down             : Yes
      Source-IP-route                 : Disable
      IP-warning-threshold            : -
      IP-warning-threshold(Low)       : -
      IPv6-warning-threshold          : -
      IPv6-warning-threshold(Low)     : -
      Multicast Forwarding            : Yes
      Multicast Virtual               : No
      Max-multilist num               : 4
      Multicast-profile               : -
      Multicast-profile ipv6          : -
      IP-address-pool-name            : pool1
      Quota-out                       : Offline
      Service-type                    : -
      User-basic-service-ip-type      : -/-/-
      PPP-ipv6-address-protocol       : Ndra
      IPv6-information-protocol       : Stateless dhcpv6
      IPv6-PPP-assign-interfaceid     : Disable
      IPv6-PPP-NDRA-halt              : Disable
      IPv6-PPP-NDRA-unicast           : Disable
      Trigger-packet-wait-delay       : 60s
      Peer-backup                     : Enable
      Reallocate-ip-address           : Disable
      Cui  enable                     : Disable
      Igmp enable                     : Enable
      L2tp-user radius-force          : Disable
      Accounting dual-stack           : Separate
      Radius server domain-annex      : -
      Dhcp-option64-service           : Disable
      Parse-separator                 : -
      Parse-segment-value             : -
      Dhcp-receive-server-packet      : -
      Http-hostcar                    : Disable
      Public-address assign-first     : Disable
      Public-address nat              : Enable
      Dhcp-user auto-save             : Disable
      IP-pool usage-status threshold  : 255 , 255
      Select-Pool-Rule                : gateway + local priority
      AFTR name                       : -
      Traffic-rate-mode               : Separate
      Traffic-statistic-mode          : Separate
      Rate-limit-mode-inbound         : Car
      Rate-limit-mode-outbound        : Car
      Service-change-mode             : Stop-start
      DAA Direction                   : both
      ------------------------------------------------------------------------------
    

    Run the display radius-client configuration command on the router to check RADIUS proxy configurations.

    [HUAWEI] display radius-client configuration
      -----------------------------------------------------------------------------
      IP-Address      VPN-instance         Shared-key         Group
      Domain-authorization   Roam-domain
      -----------------------------------------------------------------------------
      10.1.0.201       --                   ******            shiva
      NO                     --
    
      -----------------------------------------------------------------------------
      1 Radius client(s) in total   
    

    Run the display radius-client statistics command to check statistics about RADIUS packets exchanged between a RADIUS client and proxy.

    <HUAWEI> display radius-client statistics client-ip 10.1.0.201
    Authentication packets:
      Access Requests    : 0          Access Accepts     : 0
      Access Challenges  : 0          Access Rejects     : 0
      Bad Authenticators : 0          Packets Dropped    : 0
    Accouting packets:
      Account Requests   : 0          Account Responses  : 0
      Bad Authenticators : 0          Packets Dropped    : 0
    DM packets:
      Author Requests    : 0          Author Acks        : 0
      Author Naks        : 0
    Abnormal Attribute Length packets:
      Access Requests    : 0          Account Requests   : 0
      Author Acks        : 0          Author Naks        : 0
      Corrected Access Requests    : 0
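The counters in step 6 are worth more than a one-time look: a non-zero Bad Authenticators count means a packet from the AC failed verification under the shared key (a key mismatch between the AC and the radius-client entry, or a forged packet), and Packets Dropped and abnormal-attribute-length counters show traffic the proxy refused to relay. The following Python example is added here and is not from the original guide or from Huawei; it parses a constructed sample in the layout of display radius-client statistics (counter values invented for the example, the reject-ratio threshold is an assumed operational choice) and turns the counters into review findings.

```python
import re

# Constructed sample in the layout of `display radius-client statistics`
# (the counter values are invented for this example; the section name
# "Accouting packets" is spelled as the device prints it).
SAMPLE_STATS = """\
Authentication packets:
  Access Requests    : 120        Access Accepts     : 110
  Access Challenges  : 240        Access Rejects     : 7
  Bad Authenticators : 3          Packets Dropped    : 0
Accouting packets:
  Account Requests   : 115        Account Responses  : 115
  Bad Authenticators : 0          Packets Dropped    : 2
DM packets:
  Author Requests    : 0          Author Acks        : 0
  Author Naks        : 0
Abnormal Attribute Length packets:
  Access Requests    : 0          Account Requests   : 0
  Author Acks        : 0          Author Naks        : 0
  Corrected Access Requests    : 0
"""

# "<counter name> : <integer>", which may appear twice on one line
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")


def parse_radius_client_statistics(text):
    """Return {section: {counter: value}} from the display output."""
    stats = {}
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Section headers are unindented and end with a colon
        if not raw.startswith(" ") and raw.rstrip().endswith(":"):
            section = raw.strip()[:-1]
            stats[section] = {}
            continue
        if section is not None:
            for name, value in COUNTER_RE.findall(raw):
                stats[section][name.strip()] = int(value)
    return stats


def radius_proxy_findings(stats, reject_ratio_limit=0.25):
    """Turn the counters into findings a reviewer would act on.
    reject_ratio_limit is an assumed threshold, not a device setting."""
    findings = []
    for section, counters in stats.items():
        bad = counters.get("Bad Authenticators", 0)
        if bad:
            findings.append(
                f"{section}: {bad} bad authenticator(s); verify the shared key on "
                "the AC matches the radius-client entry, or look for forged packets")
        dropped = counters.get("Packets Dropped", 0)
        if dropped:
            findings.append(f"{section}: {dropped} packet(s) dropped by the proxy")
    auth = stats.get("Authentication packets", {})
    requests = auth.get("Access Requests", 0)
    if requests and auth.get("Access Rejects", 0) / requests > reject_ratio_limit:
        findings.append("Authentication packets: reject ratio above "
                        f"{reject_ratio_limit:.0%}; check AC configuration and "
                        "review the source of the rejected attempts")
    abnormal = sum(stats.get("Abnormal Attribute Length packets", {}).values())
    if abnormal:
        findings.append(f"{abnormal} packet(s) with abnormal attribute length seen")
    return findings


if __name__ == "__main__":
    for finding in radius_proxy_findings(parse_radius_client_statistics(SAMPLE_STATS)):
        print(finding)
```

Feeding the output of the command on the router for the AC's address (10.1.0.201 in this example) into parse_radius_client_statistics at a fixed interval, and diffing successive results, gives a simple shared-key and drop monitor for the proxy without any change to the device configuration.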

Configuration Files

#
sysname HUAWEI
#
radius-server group shiva
 radius-server authentication 10.1.123.151 1812 weight 0
 radius-server accounting 10.1.123.151 1813 weight 0
#
aaa
 authentication-scheme rdp
  authentication-mode radius-proxy
 #
 accounting-scheme rds
  accounting-mode radius
 #
 domain radiusproxy
  authentication-scheme rdp
  accounting-scheme rds
  radius-server group shiva
  ip-pool pool1
#
interface GigabitEthernet 5/0/3
 undo shutdown
 ip address 10.1.0.197 255.0.0.0
#
interface GigabitEthernet 5/0/4
 undo shutdown
 bas
  #
  access-type layer2-subscriber default-domain authentication radiusproxy
  authentication-method bind
  #
#
ip pool pool1 bas local
 gateway 172.30.0.1 255.255.255.0
 section 0 172.30.0.2 172.30.0.254
#
return
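The procedure above works only if its cross-references line up: the domain must bind an existing authentication scheme, accounting scheme, RADIUS server group and address pool; a radius-proxy authentication scheme needs a radius-client entry whose server group exists; the BAS default domain must exist; and every pool section must lie inside the gateway subnet. A typo in any of these fails silently until users cannot get online. The following Python example is added here and is not part of Huawei's guide. It parses a constructed copy of the configuration file (indented one space per nesting level) and checks those relationships; the radius-client line carries a placeholder for the stored key because the configuration file on the page does not list that line, and BAD_CONFIG is a constructed variant with a pool section ending outside the gateway subnet.

```python
import ipaddress

# Constructed copy of this example's configuration (one space per level).
# The radius-client key is a placeholder, not a real stored value.
CONFIG = """\
radius-server group shiva
 radius-server authentication 10.1.123.151 1812 weight 0
 radius-server accounting 10.1.123.151 1813 weight 0
#
radius-client 10.1.0.201 server-group shiva shared-key-cipher PLACEHOLDER
#
aaa
 authentication-scheme rdp
  authentication-mode radius-proxy
 #
 accounting-scheme rds
  accounting-mode radius
 #
 domain radiusproxy
  authentication-scheme rdp
  accounting-scheme rds
  radius-server group shiva
  ip-pool pool1
#
interface GigabitEthernet 5/0/4
 bas
  access-type layer2-subscriber default-domain authentication radiusproxy
  authentication-method bind
#
ip pool pool1 bas local
 gateway 172.30.0.1 255.255.255.0
 section 0 172.30.0.2 172.30.0.254
#
"""

# Constructed variant: section end typed as 188.0.0.254 (outside the /24)
BAD_CONFIG = CONFIG.replace("172.30.0.254", "188.0.0.254")


def parse_config(text):
    """Collect the objects the RADIUS proxy setup depends on."""
    cfg = {"auth": {}, "acct": {}, "groups": set(), "pools": {},
           "domains": {}, "clients": [], "bas_domains": []}
    top, sub, pool = [""], None, None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w == ["#"]:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                            # new top-level object
            top, sub, pool = w, None, None
            if w[:2] == ["radius-server", "group"]:
                cfg["groups"].add(w[2])
            elif w[:2] == ["ip", "pool"]:
                pool = cfg["pools"].setdefault(w[2], {"gw": None, "sections": []})
            elif w[0] == "radius-client":          # (client ip, server group)
                cfg["clients"].append((w[1], w[3]))
        elif top[0] == "aaa" and indent == 1:      # scheme or domain definition
            kind = {"authentication-scheme": "auth", "accounting-scheme": "acct",
                    "domain": "domains"}.get(w[0])
            if kind:
                sub = (kind, w[1])
                cfg[kind][w[1]] = {} if kind == "domains" else None
        elif top[0] == "aaa" and sub:              # attribute of that definition
            kind, name = sub
            if kind == "domains":                  # e.g. "radius-server group" -> shiva
                cfg["domains"][name][" ".join(w[:-1])] = w[-1]
            elif w[0] in ("authentication-mode", "accounting-mode"):
                cfg[kind][name] = w[1]
        elif pool is not None and w[0] == "gateway":
            pool["gw"] = ipaddress.ip_interface(f"{w[1]}/{w[2]}")
        elif pool is not None and w[0] == "section":
            pool["sections"].append((w[1], w[2], w[3]))
        elif top[0] == "interface" and "default-domain" in w:
            cfg["bas_domains"].append(w[w.index("authentication") + 1])
    return cfg


def check_config(text):
    """Return a list of problems; an empty list means every reference resolves."""
    cfg, problems = parse_config(text), []
    refs = (("authentication-scheme", cfg["auth"], "authentication scheme"),
            ("accounting-scheme", cfg["acct"], "accounting scheme"),
            ("radius-server group", cfg["groups"], "RADIUS server group"),
            ("ip-pool", cfg["pools"], "address pool"))
    for dname, attrs in cfg["domains"].items():
        for key, table, label in refs:
            ref = attrs.get(key)
            if ref is None:
                problems.append(f"domain {dname}: no {label} bound")
            elif ref not in table:
                problems.append(f"domain {dname}: {label} {ref} is not defined")
        if cfg["auth"].get(attrs.get("authentication-scheme")) == "radius-proxy" \
                and not cfg["clients"]:
            problems.append(f"domain {dname}: uses radius-proxy but no radius-client (the AC) is configured")
    for ip, group in cfg["clients"]:
        if group not in cfg["groups"]:
            problems.append(f"radius-client {ip}: server-group {group} is not defined")
    for pname, pool in cfg["pools"].items():
        if pool["gw"] is None:
            problems.append(f"ip pool {pname}: no gateway configured")
            continue
        for sec, start, end in pool["sections"]:
            for addr in (start, end):              # both ends must sit in the gateway subnet
                if ipaddress.ip_address(addr) not in pool["gw"].network:
                    problems.append(f"ip pool {pname} section {sec}: {addr} is outside {pool['gw'].network}")
    for dname in cfg["bas_domains"]:
        if dname not in cfg["domains"]:
            problems.append(f"BAS default-domain {dname} is not defined")
    return problems


if __name__ == "__main__":
    for label, text in (("page config", CONFIG), ("bad pool", BAD_CONFIG)):
        print(label, check_config(text) or "OK")
```

The same checks apply to the output of display current-configuration, which uses the one-space-per-level indentation the parser relies on; the two RADIUS server groups (the one bound to the domain and the one named in radius-client) may legitimately differ, as the note in step 3 says, so the checker only requires that each one exists.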
Updated: 2019-01-03

Document ID: EDOC1100055031

Views: 19395

Downloads: 87

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next