NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring the RADIUS Server

RADIUS related information must be configured when a remote RADIUS server is used to perform authentication and accounting for users.

Context

NOTE:

This configuration task is supported only on the Admin-VS.

Configuring the RADIUS Authentication and Accounting Servers

If one server is used for both authentication and accounting, different port numbers should be used for authentication and accounting.

Context

To configure Remote Authentication Dial-In User Service (RADIUS) authentication and accounting servers, configure the following parameters:

  • IP addresses of the authentication and accounting servers

  • VPN instance to which the authentication and accounting servers belong

  • Port numbers of the authentication and accounting servers (1812 and 1813 by default)

  • Weights of the authentication and accounting servers (applicable only to the load balancing mode with the default value 0)

NOTE:

The RADIUS authentication and accounting servers can use the same IP address. This means that a server can function as both an authentication server and an accounting server.

Perform the following steps on the router:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server group group-name

    The RADIUS server group view is displayed.

  3. Run radius-server authentication { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]

    A RADIUS authentication server is configured.

    If PPP users do not use the default port for authentication, run the radius-server authentication ip-address [ vpn-instance instance-name ] ppp-user-port port command.

  4. (Optional) Run radius-server authentication rollover-on-reject

    The function of polling RADIUS servers for authentication after receiving a RADIUS Access-Reject packet is enabled.

  5. (Optional) Run radius-server { retransmit retry-times | timeout timeout-value } *

    This command configures the number of times the NE20E transmits a request packet to RADIUS servers and the retransmission timeout period.

    If neither authentication nor accounting is specified in the radius-server retransmit timeout command, the command sets the number of transmission times or the retransmission timeout period for all RADIUS authentication servers and RADIUS accounting servers in the RADIUS server group view. If authentication is specified, the configuration applies to all RADIUS authentication servers in the RADIUS server group. If accounting is specified, the configuration applies to all RADIUS accounting servers in the RADIUS server group.

  6. Run radius-server accounting { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]

    A RADIUS accounting server is configured.

    If PPP users do not use the default port for accounting, run the radius-server accounting ip-address [ vpn-instance instance-name ] ppp-user-port port command.

  7. (Optional) Run radius-server accounting-start-packet resend [ resend-times ]

    The number of times that cached accounting start packets are retransmitted to the RADIUS accounting server is configured.

  8. (Optional) Run radius-server accounting-stop-packet resend [ resend-times ]

    The number of times that the Accounting-Stop packet is retransmitted is configured.

  9. (Optional) Run radius-server accounting-stop-packet send force

    Generally, a RADIUS server creates a user entry only after accounting succeeds. However, some RADIUS servers create the user entry in their database before accounting, for example when an authenticated user applies for an IP address. If accounting then fails for some reason, the IP address is not released and the user cannot go online. To address this problem, run the radius-server accounting-stop-packet send force command so that the NE20E sends an Accounting-Stop packet to the RADIUS server to release the IP address.

    The command takes effect only when the accounting for the authenticated user fails and there is a user entry in the database.

  10. (Optional) Run radius-server accounting-interim-packet resend [ resend-times ]

    RADIUS real-time accounting packet caching is enabled, and the number of retransmissions is specified for real-time accounting packets entering a cache queue.

  11. (Optional) Run radius-server accounting cache max-packet-number

    The maximum number of accounting packets that can be cached is configured.

    NOTE:

    If the value specified by max-packet-number is not 8192, the system limits the number of accounting packets specified by max-packet-number and does not limit the number of users.

  12. (Optional) Run radius-server accounting cache retransmit retransmit timeout timeout

    An interval at which cached RADIUS accounting packets are retransmitted and the number of users for each packet retransmission are configured.

  13. (Optional) Run radius-server accounting cache memory-threshold memory-threshold-value

    A memory usage threshold is configured for the master main control board.

  14. (Optional) Run radius-server accounting cache-warning-threshold upper-limit upper-limit lower-limit lower-limit

    The accounting packet cache alarm function is enabled, and an alarm threshold and a clear alarm threshold are configured. If the accounting packet cache usage reaches the configured alarm threshold, an alarm is reported.

    Accounting packet cache usage = Number of cached accounting packets/Maximum number of accounting packets that can be cached

  15. (Optional) Run radius-server cache keep packet

    The device is disabled from deleting cached accounting packets after the number of retransmissions reaches the specified upper limit.

  16. (Optional) Run radius-server cache resend packet

    The sending of cached accounting packets is triggered.

(Optional) Configuring the Algorithm for Selecting the RADIUS Server

When there are more than one authentication or accounting server in a RADIUS server group, you can specify either the load balancing or master/backup mode for these RADIUS servers.

Context

The algorithm for selecting a RADIUS server functions as follows:
  • If the radius-server algorithm master-backup command is run or the default master/backup mode is used, the RADIUS authentication server or accounting server configured first is the master server, and the others are backup servers. A backup server is selected only after the master server goes Down.

    • When packets are sent for the first time:

      If the master server is Up, it is selected. If no server is in the Up state, the first configured server is selected.

    • When packets are retransmitted due to a timeout:
      • If a server has already been selected and the number of retransmission times has not reached the limit, packets are still retransmitted to this server.

      • If the number of retransmission times has reached the limit and the master server times out, packets are retransmitted to the server that has most recently received packets. If no such server is available or packets have already been sent to this server, the polling mechanism is used to select another backup server in the Up state. If no backup server is in the Up state, the next configured backup server is selected.
      • If the number of retransmission times has reached the limit and the backup server times out, the polling mechanism is used to select another backup server in the Up state. If no backup server is in the Up state, the next configured backup server is selected.
  • If the radius-server algorithm loading-share command has been configured to set the load balancing mode, traffic is load-balanced based on the weights of servers.

    • If the sum of weights of RADIUS servers is 0, each RADIUS server is considered to have the same weight. Then a server in the Up state is selected at random.

      For example, if a RADIUS server group has six servers, in which four are Up, one is selected from the four servers in the Up state at random. These four servers have the same chance of being selected. If no server is Up, one is selected from the six servers at random. These six servers have the same chance of being selected.

    • If the sum of weights of RADIUS servers is greater than 0, all RADIUS servers that are in the Up state and have not been used are selected at random based on the proportion by weight. If no RADIUS server is in the Up state, servers are selected at random based on the proportion by weight.

      For example, a RADIUS server group has four servers with weights of 10, 20, 30, and 40. If all four servers are Up (or all are Down), they are selected with probabilities of 10%, 20%, 30%, and 40%. If the first server is Down and the other three are Up, a server is selected from the three Up servers with probabilities of 20/(20+30+40), 30/(20+30+40), and 40/(20+30+40).

    NOTE:

    Each time a RADIUS server is selected, the result is independent of previous selections. For example, if two servers each have a selection probability of 50% and 100 consecutive users select the first server, the 101st user still has a 50% probability of selecting the first server. This is like flipping a coin: heads and tails each have a probability of 50%, but a few flips will not necessarily split evenly; only over many flips does the observed frequency approach 50% each.

  • By default, the RADIUS accounting server is selected based on the authentication server selection result. After a user selects a RADIUS server for authentication, it will also use this RADIUS server for accounting. If the radius-server algorithm master-backup [ strict ] command is run, the accounting server is selected based on the configured algorithm. The master accounting server is preferentially selected, irrelevant to the authentication server.
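
The two selection modes described above, as an added worked example in Python (this is not code from the Huawei documentation or the NE20E software): the first-send rule of master-backup mode and the weight-proportional random choice of loading-share mode, including the fallback to all servers when none is Up and the independence of consecutive draws. The server addresses, weights and the RadiusServer/select_* names are constructed for the example; retransmission handling after a timeout is not modelled.

```python
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RadiusServer:
    """One server entry of a RADIUS server group, in configuration order."""
    address: str
    weight: int = 0        # only used in loading-share mode; default 0
    up: bool = True


def select_master_backup_first_send(servers: List[RadiusServer]) -> RadiusServer:
    """master-backup mode, first transmission: the server configured first is the
    master and is used while Up; a backup is used only once the master is Down;
    if no server is Up, the first configured server is used."""
    for server in servers:
        if server.up:
            return server
    return servers[0]


def loading_share_probabilities(servers: List[RadiusServer]) -> Dict[str, float]:
    """loading-share mode: selection probability of each candidate server.
    Candidates are the Up servers, or all servers when none is Up. With a total
    weight of 0 every candidate is equally likely; otherwise the chance is
    proportional to weight."""
    candidates = [s for s in servers if s.up] or list(servers)
    total = sum(s.weight for s in candidates)
    if total == 0:
        # assumption of this example: equal shares also when only
        # zero-weight servers are Up in a group whose other weights are > 0
        return {s.address: 1.0 / len(candidates) for s in candidates}
    return {s.address: s.weight / total for s in candidates}


def select_loading_share(servers: List[RadiusServer], rng: random.Random) -> RadiusServer:
    """Draw one server according to loading_share_probabilities(); each draw is
    independent of earlier draws, like the coin flips in the note above."""
    probs = loading_share_probabilities(servers)
    addresses = list(probs)
    chosen = rng.choices(addresses, weights=[probs[a] for a in addresses], k=1)[0]
    return next(s for s in servers if s.address == chosen)


def observed_frequencies(servers: List[RadiusServer], draws: int, seed: int = 1) -> Dict[str, float]:
    """Empirical selection frequency over many independent draws; with many
    draws it approaches loading_share_probabilities()."""
    rng = random.Random(seed)
    counts = {s.address: 0 for s in servers}
    for _ in range(draws):
        counts[select_loading_share(servers, rng).address] += 1
    return {a: c / draws for a, c in counts.items()}


# Constructed sample group (RFC 5737 documentation addresses) with the
# weights 10/20/30/40 used in the example above.
WEIGHTED_GROUP = [
    RadiusServer("192.0.2.1", weight=10),
    RadiusServer("192.0.2.2", weight=20),
    RadiusServer("192.0.2.3", weight=30),
    RadiusServer("192.0.2.4", weight=40),
]

if __name__ == "__main__":
    print(loading_share_probabilities(WEIGHTED_GROUP))
    print(observed_frequencies(WEIGHTED_GROUP, 20000))
```

Marking the first server Down reproduces the 20/90, 30/90, 40/90 split from the text, and a group of six zero-weight servers with four Up gives each Up server a 25% share.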

Perform the following steps on the router:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server group group-name

    The RADIUS server group view is displayed.

  3. Run radius-server algorithm { loading-share | master-backup [ strict ] }

    The algorithm for selecting the RADIUS server is configured.

    If strict is configured, the accounting server is selected based on the configured algorithm. The master accounting server is preferentially selected, irrelevant to the authentication server.

(Optional) Configuring the Negotiated Parameters of the RADIUS Server

A RADIUS server and the NE20E must use the same RADIUS parameters and message format to communicate.

Context

The negotiated parameters specify the conventions of the RADIUS protocol and message format used for communication between the RADIUS server and the NE20E. The negotiated parameters are as follows:

  • RADIUS protocol version

    The NE20E supports the standard RADIUS protocol, RADIUS+1.0, and RADIUS+1.1.

    • The standard RADIUS protocol is based on RFC2865.

    • RADIUS+1.0 is a Huawei private RADIUS protocol, compatible with the early versions in which the standard vendor-ID is not defined. For the RADIUS attributes supported by this version.

    • RADIUS+1.1 is an extension of RFC2865, supporting more Huawei private RADIUS attributes. For the RADIUS attributes supported by this version.

  • Key

    The key is used to encrypt user passwords and generate the response authenticator. The RADIUS server encrypts the user password into an authentication packet by using the MD5 algorithm before sending the packet. This ensures the security of authentication data over the network.

    The key on the NE20E must be the same as that on the RADIUS server so that both parties of the authentication identify each other. The key is case sensitive.

  • User name format

    On the NE20E, a user name is in the format of user@domain. Certain RADIUS servers do not support the user names that contain domain names. Therefore, you must set the format of the user name that the NE20E sends to the RADIUS server according to whether the user name containing the domain name is supported on the RADIUS server.

  • Traffic unit

    The traffic units used by different RADIUS servers may be different. The NE20E supports four traffic units of byte, Kbyte, Mbyte, and Gbyte to meet requirements of various RADIUS servers.

  • Retransmission parameters

    After sending a packet to the RADIUS server, if no response is returned within the specified time, the NE20E resends the packet. In this manner, authentication or accounting information will not be lost due to temporary congestion on the network.

    Retransmission parameters of the RADIUS server include the timeout period and the number of retransmission times.

  • RADIUS attribute names case-sensitive or case-insensitive

    Some RADIUS servers treat RADIUS attribute values as case-sensitive. At present, only the HW-QoS-Profile-Name attribute is case-sensitive.

  • Number of pending packets

    Pending packets refer to those packets that have been sent but are not responded to. The RADIUS server can concurrently process only a certain number of pending packets. Therefore, the number of pending packets must be restricted.
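
The role of the shared key described under Key above, as an added example in Python (not NE20E code): per RFC 2865 the RADIUS client hides the User-Password by XORing it, 16 bytes at a time, with MD5(secret || Request Authenticator), and the server proves that it holds the same secret through the Response Authenticator, MD5 over the response header, the Request Authenticator, the attributes and the secret. The shared key, Request Authenticator and attribute values below are constructed; recovering the password or verifying a response with a key that differs only in case fails, which is why the key must match exactly on both sides.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 bytes, then
    XOR each block with MD5(secret + previous block), starting from the
    Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password(), as the server performs it. Trailing
    padding NULs are stripped (so a password ending in NUL is not distinguishable)."""
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def build_attributes(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Encode (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_response(code: int, identifier: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with the local key and
    compare in constant time; a mismatching key or tampered packet fails."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed sample values for the demonstration (not real credentials).
SAMPLE_SECRET = b"constructed-shared-key"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_PASSWORD = b"correct horse battery"

if __name__ == "__main__":
    hidden = hide_user_password(SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_REQUEST_AUTH)
    print(recover_user_password(hidden, SAMPLE_SECRET, SAMPLE_REQUEST_AUTH))
    reply = build_response(ACCESS_ACCEPT, 7, build_attributes([(18, b"Welcome")]),
                           SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
    print(verify_response(reply, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

The MD5-based hiding only protects the password as well as the secret is protected, so the key is configured with shared-key-cipher rather than in plain text and must never be reused across untrusted servers.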

Perform the following steps on the router:

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run radius-server packet statistics algorithm { version1 | version2 }

    The mode for collecting statistics about RADIUS authentication request and response packets is configured.

    If version1 is specified in the radius-server packet statistics algorithm command, the radiusAccClientRequests object of the MIB collects statistics about authentication request packets and retransmitted authentication request packets, and the radiusAccClientResponses object of the MIB collects all authentication response packets, including authentication success, failure, and challenge packets and incorrect response packets. In the display radius-server packet ip-address ip-address authentication command output, the Access Requests field indicates the number of authentication request packets, and the Access Accepts field indicates the number of authentication success packets.

    If version2 is specified in the radius-server packet statistics algorithm command, the radiusAccClientRequests object of the MIB collects statistics about authentication request packets and retransmitted authentication request packets, and the radiusAccClientResponses object of the MIB collects all authentication response packets, including authentication success, failure, and challenge packets and incorrect response packets. In the display radius-server packet ip-address ip-address authentication command output, the Access Requests field indicates the sum number of authentication request packets and retransmitted authentication request packets, and the Access Accepts field indicates the sum number of all authentication response packets, including authentication success, failure, and challenge packets and incorrect response packets.

  3. Run radius-server group group-name

    The RADIUS server group view is displayed.

  4. Run radius-server type { standard | plus10 | plus11 }

    The protocol version of the RADIUS server is configured.

  5. Run radius-server { shared-key key-string | shared-key-cipher key-string-cipher } [ { authentication | accounting } ip-address [ vpn-instance instance-name ] port-number [ weight weight ] ]

    The key of the RADIUS server is configured.

    You can configure a key on the NE20E for each RADIUS server.

  6. Run radius-server user-name { domain-included | original }

    The format of the user name contained in the RADIUS packets is configured.

  7. Run radius-server admin-user domain-exclude enable

    The device is enabled to apply the undo radius-server user-name domain-included command configuration to the default management domain or the domain with the adminuser-priority level command configured.

  8. Run radius-attribute apply user-name match user-type { ipoe | pppoe }

    The router replaces the user name with the user name delivered by the RADIUS server.

  9. Run radius-server traffic-unit { byte | gbyte | kbyte | mbyte }

    The traffic unit of the RADIUS packets is configured.

    This command is invalid for the RADIUS servers that do not measure traffic by bytes and the RADIUS servers that use the standard RADIUS protocol.

  10. Run radius-server { retransmit retry-times | timeout timeout-value } *

    The number of transmission times and the retransmission timeout period are configured for all RADIUS servers in the group. To configure them for either all RADIUS authentication servers or all RADIUS accounting servers only, run the radius-server { authentication | accounting } retransmit retry-times timeout timeout-value command.

  11. Run radius-attribute agent-circuit-id format { cn | tr-101 }

    The ID format of the circuit through which RADIUS packets are transmitted to the upstream device is set.

  12. Run radius-server called-station-id include { ap-ip account-request | [ delimiter delimiter ] { ap-mac [ mac-format type1 ] [ delimiter delimiter ] | ssid [ delimiter delimiter ] } * }

    The method of constructing the No. 30 RADIUS public attribute is set.

  13. Run radius-server calling-station-id include [ delimiter delimiter ] { domain [ delimiter delimiter ] | mac [ mac-format type1 ] [ delimiter delimiter ] | interface [ delimiter delimiter ] | sysname [ delimiter delimiter | option82 [ delimiter delimiter ] ] }*

    The method of constructing the No. 31 RADIUS public attribute is set.

  14. Run radius-server attribute case-sensitive attribute-name

    NOTE:
    • At present, only the HW-QoS-Profile-Name attribute is case-sensitive.

    • The QoS profile name on the router must be the same as the QoS profile name that a RADIUS server delivers. If they use different cases, inconsistency causes the router to use QoS policies incorrectly.

  15. Run radius-server { accounting | authentication } [ip-address [ vpn-instance vpn-instance-name ] ] [ port ] pending-limit max-number

    The maximum number of pending packets that can be sent to the RADIUS server is set.

  16. Run radius-server accounting-start-packet send after-ppp

    The NE20E is configured to send Accounting Start packets to the RADIUS server after NCP goes Up for PPPv6 users that use DHCPv6 to obtain IPv6 addresses.

(Optional) Disabling RADIUS Attributes

You must enable RADIUS attribute translation before disabling RADIUS attributes.

Context

This function is configured for a RADIUS server group and takes effect on only the RADIUS servers in this group. You can disable up to 64 attributes in a RADIUS server group.

You can disable the RADIUS attributes of both the sender and receiver on the NE20E.

Perform the following steps on the router:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server group group-name

    The RADIUS server group view is displayed.

  3. Run radius-server attribute translate

    RADIUS attribute translation is enabled.

  4. Run either of the following commands to disable basic or extended RADIUS attributes:
    1. Run the radius-attribute disable attribute-name { receive | send } * command to disable basic RADIUS attributes for request or response packets.
    2. Run the radius-attribute disable attribute-name { access-accept | access-request | account [ start ] } * command to disable basic RADIUS attributes for Access-Accept, Access-Request, or accounting packets.
    3. Run the radius-attribute disable extend attribute-description { access-accept | { access-request | account } * } command to disable extended RADIUS attributes for Access-Accept, Access-Request, or accounting packets.
    4. Run the radius-attribute disable extend { attribute-description | vendor-specific src-vendor-id src-sub-attr-id } access-accept command to disable extended or user-defined RADIUS attributes for packets.
    5. Run the radius-attribute disable attribute-name { ip ip-address | string string | bin string | integer integer } receive command to disable RADIUS attributes with specified data types and carried in response packets.
    6. Run the radius-attribute disable { hw-acct-update-address | flow-attributes } integer integer account command to disable RADIUS attributes with specified integral values and carried in accounting packets. Currently, the integer parameter can be set to 0 only.

      If you specify the flow-attributes parameter in the radius-attribute disable command, the following flow attributes are all disabled: Acct-Input-Octets, Acct-Output-Octets, Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Gigawords, Acct-Output-Gigawords, HW-Acct-IPV6-Input-Octets, HW-Acct-IPV6-Output-Octets, HW-Acct-IPV6-Input-Packets, HW-Acct-IPV6-Output-Packets, HW-Acct-IPV6-Input-Gigawords, and HW-Acct-IPV6-Output-Gigawords.

(Optional) Configuring RADIUS Attribute Translation

The NE20E can communicate with RADIUS servers from different vendors through the RADIUS attribute translation function.

Context

RADIUS servers from various vendors support different RADIUS attributes, and the vendors also define RADIUS attributes in different manners. This makes interconnection between the NE20E and RADIUS servers more difficult.

To address this problem, the NE20E provides the attribute translation function. After the attribute translation function is configured, the NE20E can encapsulate or parse src-attribute by using the format of dest-attribute when transmitting or receiving RADIUS packets. By doing this, the NE20E can communicate with different types of RADIUS servers.

This function is applied when one attribute has multiple formats. For example, the nas-port-id attribute has a new format and an old format. The NE20E uses the new format. If the RADIUS server uses the old format, you can run the radius-attribute translate nas-port-id nas-port-identify-old receive send command on the NE20E.

Perform the following steps on the router:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server group group-name

    The RADIUS server group view is displayed.

  3. Run radius-server attribute translate

    RADIUS attribute translation is enabled.

  4. Perform any of the following operations to configure RADIUS attribute translation:
    1. Run the radius-attribute translate src-attr-description dest-attr-description { { receive | send } * } command to configure RADIUS attribute translation for request or response packets.
    2. Run the radius-attribute translate src-attr-description dest-attr-description { access-accept | { access-request | account }* } command to configure RADIUS attribute translation for Access-Accept, Access-Request, or accounting packets.
    3. Run the radius-attribute translate extend src-attr-description dest-attr-description { access-accept | { access-request | account} * } command to configure extended RADIUS attribute translation for Access-Request or accounting packets.
    4. Run the radius-attribute translate extend src-attr-description vendor-specific src-vendor-id src-sub-attr-id { access-request | account } * command to configure vendor-specific extended RADIUS attribute translation for Access-Request or accounting packets.
    5. Run the radius-attribute translate extend vendor-specific src-vendor-id src-sub-attr-id dest-attr-description access-accept command to configure vendor-specific extended RADIUS attribute translation for Access-Accept packets.

(Optional) Configuring the Source Interface of the RADIUS Server Group

When the NE20E connects to multiple RADIUS servers, you can configure the source interface of each RADIUS server on the NE20E to identify the route between the NE20E and each RADIUS server.

Context

On the NE20E, you can configure the interface that connects to a RADIUS server as the source interface for that server. The source interface can be configured in the system view or in the view of a RADIUS server group. If it is configured in a RADIUS server group view, the RADIUS servers in that group use this source interface to communicate with the NE20E. If the source interface of the RADIUS server group is not configured, the RADIUS servers use the global source interface.

Perform the following steps on the router:

Procedure

  • Configure the global source interface of all RADIUS servers in all RADIUS server groups.
    1. Run system-view

      The system view is displayed.

    2. Run radius-server source interface interface-type interface-number

      The global source interface of all the RADIUS servers is configured.

  • Configure the source interface of a specified RADIUS server group.
    1. Run system-view

      The system view is displayed.

    2. Run radius-server group group-name

      The RADIUS server group view is displayed.

    3. Run radius-server source interface interface-type interface-number

      The source interface of the RADIUS server group is configured.

(Optional) Configuring the Status Parameters of the RADIUS Server

You can configure the status parameters of a RADIUS server on the NE20E to monitor the RADIUS server status.

Context

RADIUS clients can detect the status of RADIUS servers and determine the real-time status of RADIUS servers based on responses from the RADIUS servers. This helps identify which servers are in the Up state so as to process user request packets in real time.

The configuration is valid for all RADIUS servers.

Perform the following steps on the router:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server { dead-count dead-count [ fail-rate count ] | dead-interval interval }*

    The parameters for determining the status change of a RADIUS server from Up to Down are configured.

    If the NE20E sends RADIUS packets to a RADIUS server a specified number of consecutive times (dead-count) without receiving a response, and the interval between the first ignored packet and the nth ignored packet (where n equals dead-count) is longer than dead-interval, the NE20E considers the RADIUS server abnormal and sets its status to Down.

  3. Configure a mode for restoring the Up state of the RADIUS server after its status is set to Down.

    After the status of the RADIUS server is set to Down, two modes are available for restoring the Up state of the RADIUS server. Run either of the following commands as required.

    • Run the radius-server dead-time dead-time [ recover-count invalid ] command to configure a period after which the status of the RADIUS server is automatically restored to Up.

      After the NE20E sets the status of a RADIUS server to Down, the NE20E waits a period specified by dead-time. Then, the NE20E sets the status of the RADIUS server to Up and attempts to set up a connection with it. If the connection cannot be set up, the NE20E sets the status of the RADIUS server to Down again.

      If recover-count invalid is configured, the NE20E sets the RADIUS server status to Up only after the Up timer expires, irrespective of whether response packets are received from the RADIUS server during connection re-establishment.

    • Run the radius-server state-recovery-detect { authentication | accounting } username username [ detect-interval detect-interval ] [ detect-threshold detect-threshold ] command to enable RADIUS server status detection and restoration.

      After the status of a RADIUS server is set to Down, the status of the RADIUS server is automatically restored to Up after a specified period of time by default. However, the NE20E does not know the actual status of the RADIUS server and only assumes that the server is Up. To allow the NE20E to accurately determine the status of the RADIUS server, run the radius-server state-recovery-detect { authentication | accounting } username username [ detect-interval detect-interval ] [ detect-threshold detect-threshold ] command to enable RADIUS server status detection and restoration.

      Then, the NE20E sends detection packets to the RADIUS server at an interval specified by detect-interval using a user name specified by username. If detection succeeds for a consecutive number of times specified by detect-threshold, the NE20E sets the RADIUS server status to Up again.

      NOTE:
      After the radius-server state-recovery-detect command is run, the radius-server dead-time dead-time [ recover-count invalid ] command configuration fails to take effect. In other words, the status of the RADIUS server will not be automatically restored to Up after a period specified by dead-time elapses.
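
The Up/Down state machine described in steps 2 and 3, as an added Python simulation (not NE20E code): a server goes Down after dead-count consecutive unanswered packets whose first-to-last interval exceeds dead-interval, and returns to Up either after dead-time elapses or, when state-recovery-detect is enabled, after detect-threshold consecutive successful detection packets, in which case dead-time is ignored as the note states. Treating the consecutive unanswered packets as a sliding window, the method names and the sample timeline are assumptions of this example, not documented NE20E behaviour; the recover-count invalid option is not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional

UP, DOWN = "Up", "Down"


@dataclass
class RadiusServerMonitor:
    """Client-side view of one RADIUS server's reachability."""
    dead_count: int = 3              # unanswered packets needed (radius-server dead-count)
    dead_interval: float = 5.0       # seconds; span from 1st to nth ignored packet (dead-interval)
    dead_time: float = 180.0         # seconds in Down before automatic recovery (dead-time)
    detect_threshold: Optional[int] = None   # set -> state-recovery-detect mode
    state: str = UP
    _ignored: List[float] = field(default_factory=list)   # send times of unanswered packets
    _down_since: Optional[float] = None
    _probe_ok: int = 0               # consecutive successful detection packets

    def on_no_response(self, now: float) -> str:
        """A request to the server timed out at time `now`."""
        if self.state != UP:
            return self.state
        self._ignored.append(now)
        if len(self._ignored) > self.dead_count:
            self._ignored.pop(0)      # sliding window of the last dead_count timeouts (assumption)
        if (len(self._ignored) == self.dead_count
                and self._ignored[-1] - self._ignored[0] > self.dead_interval):
            self.state = DOWN
            self._down_since = now
            self._ignored.clear()
        return self.state

    def on_response(self, now: float) -> str:
        """The server answered: a reply breaks the consecutive run while Up,
        or counts as one successful detection packet while Down."""
        if self.state == UP:
            self._ignored.clear()
        elif self.detect_threshold is not None:
            self._probe_ok += 1
            if self._probe_ok >= self.detect_threshold:
                self._recover()
        return self.state

    def on_probe_no_response(self) -> str:
        """A detection packet went unanswered; successes must be consecutive."""
        self._probe_ok = 0
        return self.state

    def tick(self, now: float) -> str:
        """Timer check: dead-time recovery applies only when detection is off."""
        if (self.state == DOWN and self.detect_threshold is None
                and self._down_since is not None
                and now - self._down_since >= self.dead_time):
            self._recover()
        return self.state

    def _recover(self) -> None:
        self.state = UP
        self._down_since = None
        self._probe_ok = 0
        self._ignored.clear()


def run_timeline(monitor: RadiusServerMonitor, events) -> List[str]:
    """Replay (kind, time) events and return the state after each one.
    kind is one of 'timeout', 'reply', 'probe_timeout', 'tick'."""
    states = []
    for kind, t in events:
        if kind == "timeout":
            states.append(monitor.on_no_response(t))
        elif kind == "reply":
            states.append(monitor.on_response(t))
        elif kind == "probe_timeout":
            states.append(monitor.on_probe_no_response())
        else:
            states.append(monitor.tick(t))
    return states


# Constructed sample timeline: three timeouts within 4 s do not exceed a 5 s
# dead-interval; the run 4 s, 7 s, 10 s does, so the server goes Down.
SAMPLE_EVENTS = [("timeout", 0.0), ("timeout", 2.0), ("timeout", 4.0),
                 ("timeout", 7.0), ("timeout", 10.0), ("tick", 50.0), ("tick", 70.0)]

if __name__ == "__main__":
    print(run_timeline(RadiusServerMonitor(dead_count=3, dead_interval=5.0, dead_time=60.0),
                       SAMPLE_EVENTS))
```

Both dead-count and dead-interval must be exceeded before a server is marked Down, so a burst of timeouts shorter than dead-interval does not by itself fail over; tune the two values together with the retransmit and timeout settings of step 5 in the first procedure.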

(Optional) Configuring the Extended Source Ports of RADIUS

If you do not want to use the default extended source port to send and receive RADIUS packets, you can change the default extended source port of the RADIUS server.

Context

After you configure the extended source ports of the RADIUS server, the NE20E can send more packets to the RADIUS server in a given period of time.

After the configuration, the NE20E sends RADIUS packets from the extended source ports. The first half of the extended source ports are used to send and receive RADIUS authentication packets, and the second half are used to send and receive RADIUS accounting packets. If an odd number of extended source ports is configured, the authentication ports outnumber the accounting ports by one.

Perform the following steps on the router:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server extended-source-ports [ start-port start-port-number ] port-number port-number

    The extended source ports of the RADIUS server are configured.

    NOTE:

    If you do not specify the start port number when configuring the extended source ports, the system assigns the configured number of valid extended source ports.

  3. Run radius-server extended-source-ports algorithm round-robin

    The NE20E is enabled to use the round-robin algorithm to select an extended source port.

Configuring DSCP Priorities for RADIUS Packets

To prevent RADIUS packets sent by the NE20E from being discarded in the case of network congestion, you can configure DSCP values for the RADIUS Packets.

Context

You can configure DSCP values for RADIUS packets, including the RADIUS packets sent by the NE20E to a RADIUS server and the RADIUS packets sent by the NE20E to an AP/AC.

Perform the following steps on the NE20E:

Procedure

  • Configure DSCP values of RADIUS packets sent by the NE20E to a RADIUS server. These DSCP priorities can be configured in two views. If both are configured, the DSCP value configured in the RADIUS server group view takes precedence.

    In the system view, configure a DSCP value for RADIUS packets.

    1. Run system-view

      The system view is displayed.

    2. Run radius-server packet dscp dscp

      A DSCP value is configured for RADIUS packets sent by the NE20E.

    In the RADIUS server group view, configure a DSCP value for RADIUS packets.

    1. Run system-view

      The system view is displayed.

    2. Run radius-server group group-name

      The RADIUS server group view is displayed.

    3. Run radius-server packet dscp dscp

      A DSCP value is configured for RADIUS packets sent by the NE20E.

Verifying the RADIUS Configuration

After configuring a RADIUS server, you can view the server configurations, RADIUS attributes supported by the system, and statistics on RADIUS packets.

Prerequisites

A RADIUS server has been configured.

Procedure

  • Run the display radius-server authorization configuration command to check the configuration of the RADIUS authorization server.
  • Run the display radius-server configuration [ group groupname ] command to check the configuration of the RADIUS server group.

    NOTE:
    Running the ui-mode type1 command in the system view changes the output format of the display command.

  • Run the display radius-attribute [ name attribute-name | { type { 3gpp | dsl | huawei | microsoft | redback | standard } attribute-number ] command to check the RADIUS attributes supported by the system.
  • Run the display radius-attribute [ server-group server-group-name packet { access-request | access-accept | access-reject | accounting-request | accounting-response | coa-request | coa-ack | coa-nak | dm-request | dm-ack | dm-nak | accounting-on | accounting-off } ] command to check attributes carried in packets sent by the RADIUS server group.
  • Run the display radius-server packet { ip-address | ipv6-address } ip-address [ vpn-instance vpn-instance ] { accounting | authentication | coa | dm } command to check the statistics about the packets on the RADIUS server of a specified IP address.
  • Run the display radius-attribute packet-count command to check the number of times an attribute occurs in a RADIUS packet.
  • Run the display radius-client statistics client-ip client-ip-address [ vpn-instance vpn-instance-name ] command to check statistics about RADIUS packets exchanged between the RADIUS client and proxy.
  • Run the display aaa remote-download acl item [ user-id user-id | classifier classifier-name ] * [ verbose ] command to check information about the traffic classifier-behavior pair in dynamic ACLs delivered by the RADIUS server.
  • Run the display aaa remote-download acl statistics classifier classifier-name [ slot slot-id ] command to check statistics about the traffic classifier-behavior pair in dynamic ACLs delivered by the RADIUS server on a specific board.

Example

Run the display radius-server authorization configuration command to view the configuration of the RADIUS authorization server.
<HUAWEI> display radius-server authorization configuration
  -----------------------------------------------------------------------------
  IP-Address         Secret-key         Group                              Ack-reserved-interval
  -----------------------------------------------------------------------------
  192.168.7.100      huawei             rd1                                20
    Vpn : --
  -----------------------------------------------------------------------------
  1 Radius authorization server(s) in total

Run the display radius-server configuration command to view the configuration of the RADIUS server group.

<HUAWEI> display radius-server configuration
  RADIUS source interface            : LoopBack20                               
  RADIUS no response packet count    : 30                                       
  RADIUS auto recover time(Min)      : 100                                      
  RADIUS authentication source ports :                                          
         IPv4: 1812                                                             
         IPv6: 1812                                                             
  RADIUS accounting source ports     :                                          
         IPv4: 1813                                                             
         IPv6: 1813                                                             
  -------------------------------------------------------                       
  Server-group-name    :  chen                                                  
  Authentication-server:  IP:10.3.4.144 Port:1812 Weight[0] [UP]                 
                          Vpn: -                                                
  Accounting-server    :  IP:10.3.4.144 Port:1814 Weight[0] [UP]                 
                          Vpn: -                                                
  Protocol-version     :  radius        
  Shared-secret-key    :  ******                                                
  Retransmission       :  3                                                     
  Timeout-interval(s)  :  5                                                     
  Acct-Stop-Packet Resend  :  NO                                                
  Acct-Stop-Packet Resend-Times  :  0                                           
  -------------------------------------------------------                       
  Are you sure to display next (y/n)[y]:y                                       
  -------------------------------------------------------                       
  Server-group-name    :  huawei                                                
  Authentication-server:  IP:10.1.1.1 Port:1820 Weight[50] [UP]                 
                          Vpn: -                                                
  Accounting-server    :  IP:10.1.1.1 Port:1823 Weight[0] [UP]                  
                          Vpn: -                                                
  Accounting-server    :  IP:10.1.1.2 Port:20 Weight[20] [UP]                   
                          Vpn: -                                                
                          share-key:  huawei                                    
  Protocol-version     :  radius        
  Shared-secret-key    :  ******                                                
  Retransmission       :  2                                                     
  Timeout-interval(s)  :  8                                                     
  Acct-Stop-Packet Resend  :  YES                                               
  Acct-Stop-Packet Resend-Times  :  100                                         
  -------------------------------------------------------                       
  Total 2,2 printed                                                             

Run the display radius-attribute [ name attribute-name | { type { 3gpp | dsl | huawei | microsoft | redback | standard } attribute-number ] command to view the RADIUS attributes supported by the NE20E of the current version.

<HUAWEI> display radius-attribute type standard 1
 Radius Attribute Type        : 1                                               
 Radius Attribute Name        : User-Name                                       
 Radius Attribute Description : This Attribute indicates the name of the user to
 be authenticated.                                                              
 Supported Packets            : Auth Request, Acct Request, Session Control, COA
 Request, COA Ack                                                               
Run the display radius-attribute server-group server-group-name packet access-request command to view the attributes of Access-Request packets in the RADIUS server group named group2.
<HUAWEI> display radius-attribute server-group group2 packet access-request
-------------------------------------------------------------------------------
  Radius Packet Type     : Access-Accept
  Attribute Type           Attribute Name                   Translate From
-------------------------------------------------------------------------------
  1                        User-Name
  6                        Service-Type
  7                        Framed-Protocol
  8                        Framed-IP-Address
  9                        Framed-IP-Netmask
  11                       Filter-Id
  12                       Framed-MTU
  14                       Login-IP-Host
  15                       Login-Service
  18                       Reply-Message
  19                       Callback-Number
  22                       Framed-Route
  24                       State
  25                       Class
  27                       Session-Timeout
  28                       Idle-Timeout
  29                       Termination-Action
  62                       Port-Limit
  64                       Tunnel-Type
  65                       Tunnel-Medium-Type
  66                       Tunnel-Client-Endpoint
  67                       Tunnel-Server-Endpoint
  69                       Tunnel-Password
  75                       Password-Retry
  79                       EAP-Message
  80                       Message-Authenticator
  81                       Tunnel-Private-Group-ID
  82                       Tunnel-Assignment-ID
  83                       Tunnel-Preference
  85                       Acct-Interim-Interval
  88                       Framed-Pool
  89                       Chargeable-User-Identity
  90                       Tunnel-Client-Auth-ID
  96                       Framed-Interface-Id
  97                       Framed-IPv6-Prefix
  98                       Login-IPv6-Host
  99                       Framed-IPv6-Route
  100                      Framed-IPv6-Pool
  123                      Delegated-IPv6-Prefix
  135                      Ascend-Client-Primary-Dns
  136                      Ascend-Client-Secondary-Dns
  2011(HUAWEI),1           HW-Input-Committed-Burst-Size
  2011(HUAWEI),2           HW-Input-Committed-Information-Rate
  2011(HUAWEI),3           HW-Input-Peak-Information-Rate
  2011(HUAWEI),4           HW-Output-Committed-Burst-Size
  2011(HUAWEI),5           HW-Output-Committed-Information-Rate
  2011(HUAWEI),6           HW-Output-Peak-Information-Rate
  2011(HUAWEI),15          HW-Remanent-Volume
  2011(HUAWEI),17          HW-Subscriber-QoS-Profile
  2011(HUAWEI),22          HW-Priority
  2011(HUAWEI),27          HW-Portal-URL
  2011(HUAWEI),28          HW-FTP-Directory
  2011(HUAWEI),29          HW-Exec-Privilege
  2011(HUAWEI),30          HW-RADIUS-MP-VT-Number
  2011(HUAWEI),31          HW-QOS-Profile-Name
  2011(HUAWEI),32          HW-SIP-Server
  2011(HUAWEI),35          HW-Renewal-Time
  2011(HUAWEI),36          HW-Rebinding-Time
  2011(HUAWEI),37          HW-IGMP-Enable
  2011(HUAWEI),61          HW-Up-Priority
  2011(HUAWEI),62          HW-Down-Priority
  2011(HUAWEI),63          HW-Tunnel-Vpn-Instance
  2011(HUAWEI),64          HW-Virtual-Template
  2011(HUAWEI),65          HW-User-Date
  2011(HUAWEI),66          HW-User-Class
  2011(HUAWEI),70          HW-PPP-NCP-Type
  2011(HUAWEI),71          HW-VSI-Name
  2011(HUAWEI),72          HW-Subnet-Mask
  2011(HUAWEI),73          HW-Gateway-Address
  2011(HUAWEI),74          HW-Lease-Time
  2011(HUAWEI),75          HW-Ascend-Client-Primary-WINS
  2011(HUAWEI),76          HW-Ascend-Client-Second-WIN
  2011(HUAWEI),77          HW-Input-Peak-Burst-Size
  2011(HUAWEI),78          HW-Output-Peak-Burst-Size
  2011(HUAWEI),79          HW-Reduced-CIR
  2011(HUAWEI),80          HW-Tunnel-Session-Limit
  2011(HUAWEI),82          HW-Data-Filter
  2011(HUAWEI),83          HW-Access-Service
  2011(HUAWEI),85          HW-Portal-Mode
  2011(HUAWEI),87          HW-Policy-Route
  2011(HUAWEI),88          HW-Framed-Pool
  2011(HUAWEI),91          HW-Queue-Profile
  2011(HUAWEI),92          HW-Layer4-Session-Limit
  2011(HUAWEI),93          HW-Multicast-Profile-Name
  2011(HUAWEI),94          HW-VPN-Instance
  2011(HUAWEI),95          HW-Policy-Name
  2011(HUAWEI),96          HW-Tunnel-Group-Name
  2011(HUAWEI),97          HW-Multicast-Source-Group
  2011(HUAWEI),98          HW-Multicast-Receive-Group
  2011(HUAWEI),99          HW-Multicast-Type
  2011(HUAWEI),100         HW-Reduced-PIR
  2011(HUAWEI),135         HW-Client-Primary-DNS
  2011(HUAWEI),136         HW-Client-Secondary-DNS
  2011(HUAWEI),138         HW-Domain-Name
  2011(HUAWEI),140         HW-HTTP-Redirect-URL
  2011(HUAWEI),141         HW-PPP-Local-IP-Address
  2011(HUAWEI),142         HW-Qos-Profile-Type
  2011(HUAWEI),143         HW-Max-List-Num
  2011(HUAWEI),154         HW-DNS-Server-IPv6-Address
  2011(HUAWEI),155         HW-DHCPv4-Option121
  2011(HUAWEI),156         HW-DHCPv4-Option43
  2011(HUAWEI),157         HW-Framed-Pool-Group
  2011(HUAWEI),158         HW-Framed-IPv6-Address
  2011(HUAWEI),160         HW-Nat-Policy-Name
  2011(HUAWEI),164         HW-Nat-Port-Forwarding
  2011(HUAWEI),166         HW-DS-Lite-Tunnel-Name
  2011(HUAWEI),167         HW-PCP-Server-Name
  2011(HUAWEI),182         HW-Down-Qos-Profile-Name
  2011(HUAWEI),183         HW-Port-Mirror
  2011(HUAWEI),191         HW-Delegated-IPv6-Prefix-Pool
  2011(HUAWEI),194         HW-IPv6-Policy-Route
  2011(HUAWEI),253         HW-Web-URL
  311(MICROSOFT),16        MS-MPPE-Send-Key
  311(MICROSOFT),17        MS-MPPE-Recv-Key
  311(MICROSOFT),26        MS-CHAP2-Success
  311(MICROSOFT),28        MS-Primary-DNS-Server
  311(MICROSOFT),29        MS-Secondary-DNS-Server
  2352(RedBack),92         Forward-Policy
  2352(RedBack),106        NPM-Service-Id
  2352(RedBack),107        HTTP-Redirect-Profile-Name
  2352(RedBack),165        HTTP-Redirect-URL
  5535(3GPP2),7            Home-Agent-Address
  5535(3GPP2),81           Removal-Indication
-------------------------------------------------------------------------------

Run the display radius-server packet ip-address ip-address [ vpn-instance vpn-instance ] accounting command to view the statistics about the accounting packets on the RADIUS server with the specified IP address.

<HUAWEI>display radius-server packet ip-address 10.1.1.2 accounting
Total radius server accounting packets: 
  Account Requests   : 1          Account Retransmissions     : 19      
  Account Responses  : 0          Malformed Account Responses : 0      
  Bad Authenticators : 0          Pending Requests            : 0      
  Timeouts           : 20              
   Speed Limit Block : 0          Pending Limit Block         : 0        
   Server Down Block : 0          No Source IP Block          : 0      
   Server Not Reply  : 20              
  Unknown Types      : 0          Packets Dropped             : 0 
Last 30 minutes radius server accounting packets: 
  Account Requests   : 0          Account Retransmissions     : 0      
  Account Responses  : 0          Malformed Account Responses : 0      
  Bad Authenticators : 0          Pending Requests            : 0      
  Timeouts           : 20               
   Speed Limit Block : 0          Pending Limit Block         : 0      
   Server Down Block : 0          No Source IP Block          : 0      
   Server Not Reply  : 20               
  Unknown Types      : 0          Packets Dropped             : 0  
Run the display radius offline-sub-reason [ subcode subcode-number ] command to check the user offline causes mapped to the numbers carried in the Accounting Stop packets sent to the RADIUS server.
<HUAWEI> display radius offline-sub-reason subcode 1
------------------------------------------------------------------------------
Subcode     description of offline sub reason
------------------------------------------------------------------------------
1           User request to offline
------------------------------------------------------------------------------
Run the display radius-client statistics command to view statistics about RADIUS packets exchanged between the RADIUS client and proxy.
<HUAWEI> display radius-client statistics client-ip 10.111.2.20
Authentication packets:
  Access Requests    : 0          Access Accepts     : 0
  Access Challenges  : 0          Access Rejects     : 0
  Bad Authenticators : 0          Packets Dropped    : 0
Accouting packets:
  Account Requests   : 0          Account Responses  : 0
  Bad Authenticators : 0          Packets Dropped    : 0
DM packets:
  Author Requests    : 0          Author Acks        : 0
  Author Naks        : 0
Abnormal Attribute Length packets:
  Access Requests    : 0          Account Requests   : 0
  Author Acks        : 0          Author Naks        : 0
  Corrected Access Requests    : 0
Run the display aaa remote-download acl item [ user-id user-id | classifier classifier-name ] * [ verbose ] command. The command output shows information about the traffic classifier-behavior pair in dynamic ACLs delivered by the RADIUS server.
<HUAWEI> display aaa remote-download acl item
-------------------------------------------------------------------------------                                                     
 ClassifierName                     ReferedNumByUser  RuleNumber   Classifiertype                                              
-------------------------------------------------------------------------------                                                     
 class6                             1             2            remote                                                     
 The used user-id table are :                                                                                                           
  1                                                                                                                                 
-------------------------------------------------------------------------------                                                     
 class5                             1             2            remote                                                      
 The used user-id table are :                                                                                                           
  1                                                                                                                                 
-------------------------------------------------------------------------------                                                     
 Total Classifier-Behavior Number : 2
Run the display aaa remote-download acl statistics classifier classifier-name [ slot slot-id ] command. The command output shows statistics about the traffic classifier-behavior pair in dynamic ACLs delivered by the RADIUS server on a specific board.
<HUAWEI> display aaa remote-download acl statistics classifier c2 slot 1
  -------------------------------------------------------------------------
  Classifier name: c2
  Classifier type: remote
    rule:(number: 1)       
     ipv4;ruleid=5;daaflag;permit;proto=6;dipv4=10.2.3.3/16;su-group=group1;  
     (IPv4, inbound: 0 packets, 0 bytes, outbound: 0 packets, 0 bytes)
Behavior name: b2

deny;
Behavior Type: remote
----------------------------------------------------------------------------
Updated: 2019-01-02

Document ID: EDOC1100055397