NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Examples for Configuring Local User Authentication and Accounting Based on the RADIUS Protocol

This example shows how RADIUS authentication and authorization are applied on a real network. Users in the huawei domain are authenticated and accounted for by the RADIUS server.

Networking Requirements

As shown in Figure 2-5, users in the huawei domain access the network through Device A. Device B serves as the access server of the destination network. To reach the destination network, users pass through the networks where Device A and Device B are located, and are then admitted to the destination network after remote authentication by the server, performed through Device B. The remote authentication mode on Device B is as follows:

  • The RADIUS server implements authentication and accounting for the access users.

  • The RADIUS server 192.168.66.66/24 serves as the primary authentication and accounting server, and the RADIUS server 192.168.66.67/24 serves as the secondary authentication and accounting server. The default authentication port number is 1812, and the default accounting port number is 1813.

Figure 2-5 Networking for user authentication and accounting based on the RADIUS protocol

Configuration Roadmap

Configure user authentication and accounting based on the RADIUS protocol as follows:

  1. Configure the RADIUS server template, authentication scheme, and accounting scheme.

  2. Apply the RADIUS server template, authentication scheme, and accounting scheme to the domain.

Data Preparation

To complete the configuration, you need the following data:

  • IP address of the primary (secondary) RADIUS authentication server

  • IP address of the primary (secondary) RADIUS accounting server

Procedure

  1. Start the RADIUS client service and configure the RADIUS server group, authentication scheme, and accounting scheme.

    # Start the RADIUS client service and configure the RADIUS server group named John.

    <HUAWEI> system-view
    [~HUAWEI] radius enable
    [~HUAWEI] radius-server group John

    # Configure the IP address and port number of the primary RADIUS authentication and accounting server.

    [*HUAWEI-radius-John] radius-server authentication 192.168.66.66 1812
    [*HUAWEI-radius-John] radius-server accounting 192.168.66.66 1813

    # Configure the IP address and port number of the secondary RADIUS authentication and accounting server.

    [*HUAWEI-radius-John] radius-server authentication 192.168.66.67 1812 secondary
    [*HUAWEI-radius-John] radius-server accounting 192.168.66.67 1813 secondary

    # Configure the shared key and the number of retransmissions for the RADIUS server.

    [*HUAWEI-radius-John] radius-server shared-key-cipher it-is-my-secret123
    [*HUAWEI-radius-John] radius-server retransmit 2
    [*HUAWEI-radius-John] commit
    [~HUAWEI-radius-John] quit

    # Enter the AAA view.

    [~HUAWEI] aaa

    # Configure authentication scheme 1, with the authentication mode as RADIUS.

    [~HUAWEI-aaa] authentication-scheme 1
    [*HUAWEI-aaa-authen-1] authentication-mode radius
    [*HUAWEI-aaa-authen-1] commit
    [~HUAWEI-aaa-authen-1] quit

    # Configure accounting scheme 1, with the accounting mode as RADIUS.

    [~HUAWEI-aaa] accounting-scheme 1
    [*HUAWEI-aaa-accounting-1] accounting-mode radius
    [*HUAWEI-aaa-accounting-1] commit
    [~HUAWEI-aaa-accounting-1] quit

  2. Configure the domain huawei and apply authentication scheme 1, accounting scheme 1, and the RADIUS group John to the domain.

    [~HUAWEI-aaa] domain huawei
    [*HUAWEI-aaa-domain-huawei] authentication-scheme 1
    [*HUAWEI-aaa-domain-huawei] accounting-scheme 1
    [*HUAWEI-aaa-domain-huawei] radius-server group John
    [*HUAWEI-aaa-domain-huawei] commit

  3. Verify the configuration.

    Run the display radius-server configuration group command on the router to check the configuration of the RADIUS server group.

    <HUAWEI> display radius-server configuration group John
    -----------------------------------------------------------------------------
    Server-group-name                   :  john
    Protocol-version                    :  standard
    Shared-secret-key                   :  ****************
    Timeout-interval(in second)         :  5
    Primary-authentication-server       :  192.168.66.66-1812:-
    Primary-accounting-server           :  192.168.66.66-1813:-
    Secondary-authentication-server     :  192.168.66.67-1812:-
    Secondary-accounting-server         :  192.168.66.67-1813:-
    Retransmission                      :  2
    Domain-included                     :  YES
    Mode                                :  Pri-secondary
    Probe-interval(in minute)           :  5
    -----------------------------------------------------------------------------

    Run the display domain domain-name command on the router to view the domain configuration.

    <HUAWEI> display domain huawei
    ---------------------------------------------------------------
    Domain-name                 : huawei
    Domain-state                : Active
    Authentication-scheme-name  : 1
    Authorization-scheme-name   : default
    Accounting-scheme-name      : 1
    User-access-limit           : No
    Online-number               : 0
    HWTACACS-server-template    : -
    RADIUS-server-group         : john
    ---------------------------------------------------------------

Configuration Files

  • Device B configuration file
    #
    sysname HUAWEI
    #
    radius enable      
    #
    radius-server group john
     radius-server shared-key-cipher %#%#}U{MFG/u!C(,2v2WxS7GM4ve'|0eP#/JE|IDPS=F%#%#
     radius-server authentication 192.168.66.66 1812
     radius-server authentication 192.168.66.67 1812 secondary
     radius-server accounting 192.168.66.66 1813
     radius-server accounting 192.168.66.67 1813 secondary
     radius-server retransmit 2
    #
    aaa
     #
     authentication-scheme default
     #
     authentication-scheme 1
      authentication-mode radius
     #
     authorization-scheme default
     #
     accounting-scheme default
     #
     accounting-scheme 1
      accounting-mode radius
     #
     domain default
     #
     domain huawei
      authentication-scheme 1
      accounting-scheme 1
      radius-server group john
     #
    return 
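
The following script is an added example, not part of the Huawei guide: it parses a saved configuration in the format shown above and checks that a domain is bound to a defined RADIUS server group, that the group stores its key with shared-key-cipher, that both schemes use RADIUS mode, and that secondary authentication and accounting servers exist. The names parse_blocks, audit_domain and SAMPLE are assumptions made for this example, and the sample is a constructed, trimmed copy of the Device B file with the ciphertext replaced by a placeholder.

```python
# Constructed sample trimmed from the Device B file; ciphertext is a placeholder.
SAMPLE = """\
radius-server group john
 radius-server shared-key-cipher %#%#<ciphertext-placeholder>%#%#
 radius-server authentication 192.168.66.66 1812
 radius-server authentication 192.168.66.67 1812 secondary
 radius-server accounting 192.168.66.66 1813
 radius-server accounting 192.168.66.67 1813 secondary
#
aaa
 authentication-scheme 1
  authentication-mode radius
 accounting-scheme 1
  accounting-mode radius
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server group john
"""

def parse_blocks(text):
    """Map each header line to its child lines, using indentation depth."""
    blocks, stack = {}, []  # stack: (indent, line) of the enclosing headers
    for raw in text.splitlines():
        body, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if body in ("", "#", "return"):
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if stack:
            blocks.setdefault(stack[-1][1], []).append(body)
        stack.append((indent, body))
    return blocks

def audit_domain(blocks, domain):
    """Return findings for one AAA domain; an empty list means all checks pass."""
    dom = blocks.get(f"domain {domain}", [])
    group = next((l for l in dom if l.startswith("radius-server group ")), None)
    if group not in blocks:
        return ["RADIUS server group not bound to the domain or not defined"]
    grp, findings = blocks[group], []
    if not any(l.startswith("radius-server shared-key-cipher ") for l in grp):
        findings.append("no shared-key-cipher line in the server group")
    for kind in ("authentication", "accounting"):
        scheme = next((l for l in dom if l.startswith(f"{kind}-scheme ")), None)
        if f"{kind}-mode radius" not in blocks.get(scheme, []):
            findings.append(f"{kind} scheme missing or not in RADIUS mode")
        servers = [l for l in grp if l.startswith(f"radius-server {kind} ")]
        if not any(s.endswith(" secondary") for s in servers):
            findings.append(f"no secondary {kind} server")
    return findings
```

Calling audit_domain(parse_blocks(SAMPLE), "huawei") returns an empty list for the configuration in this example; each missing binding or server adds one finding.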
Updated: 2019-01-02

Document ID: EDOC1100055397
