NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring AAA

Before configuring AAA, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and efficiently.

Usage Scenario

  • Local authentication and authorization

    If user authentication or authorization is required when no RADIUS or HWTACACS server is deployed on the network, user authentication or authorization can be implemented in local authentication or authorization mode. Local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the hardware capacity of the device.

    Local authentication and authorization are often used for administrators. Local authentication is a backup of RADIUS authentication and HWTACACS authentication; local authorization is a backup of HWTACACS authorization.

  • HWTACACS authentication, authorization, and accounting: The authentication, authorization, and accounting in HWTACACS mode can prevent unauthorized users from attacking the network. In addition, the HWTACACS mode supports the authorization of command lines. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption and is more suitable for security control.
  • RADIUS authentication and accounting: The authentication and accounting in RADIUS mode can prevent unauthorized users from attacking the network. The RADIUS mode is often used in network environments requiring high security and remote access control.

Pre-configuration Tasks

Before configuring AAA, complete the following tasks:

  • Power on the router or switch and ensure that the self-test is successful.

  • Ensure that the device is accessible.

Configuration Procedures

Figure 2-2 AAA configuration flowchart

Configuring AAA Schemes

Configuring AAA schemes involves the configurations of the authentication scheme, authorization scheme, and accounting scheme.

Context

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme authentication-scheme-name

      The authentication scheme is created, and the authentication scheme view is displayed.

      By default, there are three authentication schemes named default (local radius authentication), default0 (local authentication) and default1 (radius authentication). Default authentication schemes can be modified but cannot be deleted.

      A maximum of 32 authentication schemes can be configured.

    4. Run authentication-mode { hwtacacs | radius | local } *

      The authentication mode is configured.

      The default authentication mode is radius authentication.

      The parameter radius is supported only on the Admin-VS.

      If multiple authentication modes are configured in an authentication scheme, authentication modes are used in the sequence in which they were configured.

      NOTE:

      The next authentication mode is used only when the current authentication mode does not respond (for example, the server does not respond). If the authentication succeeds or fails, the next authentication mode is not used.

    5. Run commit

      The configuration is committed.

  • Configure an authorization scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authorization-scheme authorization-scheme-name

      The authorization scheme is created, and the authorization scheme view is displayed.

      By default, the authorization scheme named default is used in the system. default is the local authorization mode. default can be modified but cannot be deleted.

      A maximum of 32 authorization schemes can be configured.

    4. Run authorization-mode { hwtacacs | if-authenticated | local } * [ none ]

      The authorization mode is configured.

      The default authorization mode is local authorization.

      If multiple authorization modes are configured in an authorization scheme, authorization modes are used in the sequence in which they were configured.

      NOTE:

      The next authorization mode is used only when the current authorization mode provides no response (for example, the server provides no response). If the authorization succeeds or fails, the next authorization mode is not used.

    5. Run commit

      The configuration is committed.

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      The accounting scheme is created, and the accounting scheme view is displayed.

      By default, there are two accounting schemes named default0 and default1, and the accounting modes are none and radius, respectively. Default accounting schemes can be modified but cannot be deleted.

      A maximum of 256 accounting schemes can be configured.

    4. Run accounting-mode { hwtacacs | radius | none }

      The accounting mode is configured.

      The parameter radius is supported only on the Admin-VS.

      By default, the accounting mode is none, namely non-accounting.

    5. Run commit

      The configuration is committed.
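The sequencing rule stated in the NOTE boxes of the authentication and authorization procedures above (a later mode is consulted only when the current one gives no response; a definite accept or reject ends the lookup) is the part most often misunderstood when a scheme such as "hwtacacs radius local" is configured. The following Python model is an added illustration, not code from this guide or from Huawei: the backends are constructed stand-ins for an HWTACACS server, a RADIUS server and the local user database, and the account names and passwords are invented.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

class Outcome(Enum):
    SUCCESS = "success"            # the mode answered and accepted the user
    FAILURE = "failure"            # the mode answered and rejected the user
    NO_RESPONSE = "no-response"    # server unreachable or timed out

# A backend takes (user, password) and reports one of the three outcomes.
Backend = Callable[[str, str], Outcome]

def run_scheme(modes: List[str], backends: Dict[str, Backend],
               user: str, password: str) -> Tuple[Optional[str], Outcome, List[str]]:
    """Evaluate the modes in configured order, as authentication-mode /
    authorization-mode do: only NO_RESPONSE moves on to the next mode.
    Returns (deciding mode or None, outcome, modes actually consulted)."""
    consulted: List[str] = []
    for mode in modes:
        consulted.append(mode)
        outcome = backends[mode](user, password)
        if outcome is not Outcome.NO_RESPONSE:
            return mode, outcome, consulted      # a definite answer ends the sequence
    return None, Outcome.NO_RESPONSE, consulted  # every mode stayed silent

def make_backends(hwtacacs_up: bool, radius_up: bool,
                  local_users: Dict[str, str]) -> Dict[str, Backend]:
    """Constructed stand-ins: both remote servers know the same invented account."""
    remote_users = {"alice": "Remote-Pw1!"}

    def remote(up: bool) -> Backend:
        def check(user: str, password: str) -> Outcome:
            if not up:
                return Outcome.NO_RESPONSE
            return Outcome.SUCCESS if remote_users.get(user) == password else Outcome.FAILURE
        return check

    def local(user: str, password: str) -> Outcome:
        # The local database always answers; it never yields NO_RESPONSE.
        return Outcome.SUCCESS if local_users.get(user) == password else Outcome.FAILURE

    return {"hwtacacs": remote(hwtacacs_up), "radius": remote(radius_up), "local": local}

# Scheme equivalent to "authentication-mode hwtacacs radius local".
MODES = ["hwtacacs", "radius", "local"]
LOCAL_DB = {"alice": "Local-Pw1!", "bob": "Backup-Pw1!"}   # constructed local accounts

def both_servers_silent() -> Tuple[Optional[str], Outcome, List[str]]:
    # Remote servers down: the chain falls through to local, which accepts bob.
    return run_scheme(MODES, make_backends(False, False, LOCAL_DB), "bob", "Backup-Pw1!")

def radius_rejects() -> Tuple[Optional[str], Outcome, List[str]]:
    # HWTACACS silent, RADIUS answers with a rejection: the lookup stops there,
    # even though alice's local password would have matched.
    return run_scheme(MODES, make_backends(False, True, LOCAL_DB), "alice", "Local-Pw1!")

def nothing_answers() -> Tuple[Optional[str], Outcome, List[str]]:
    # Local always answers, so a complete fall-through can only happen when
    # local is not part of the scheme at all.
    return run_scheme(["hwtacacs", "radius"], make_backends(False, False, LOCAL_DB), "alice", "x")

if __name__ == "__main__":
    for fn in (both_servers_silent, radius_rejects, nothing_answers):
        mode, outcome, consulted = fn()
        print(f"{fn.__name__}: decided by {mode}, {outcome.value}, consulted {consulted}")
```

The second scenario is the one to keep in mind operationally: a reachable server that rejects a user is a final answer, so local accounts are a fallback only for server outages, not for credentials the server does not know.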

Follow-up Procedure

Implement one of the following configurations according to the configured authentication, authorization, and accounting modes.

(Optional) Configuring Local Users

When authentication and authorization are implemented in local mode, the authentication and authorization information (such as the user name, password, level, maximum number of user accesses, and maximum number of consecutive authentication failures) must be configured on the device itself.

Procedure

  • Configuring local users in AAA view.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run local-user user-name password [ cipher password | irreversible-cipher irreversible-cipher-password ]

      A local user is created, and the password of the user is configured.

      • If the user name contains the at sign (@), the characters before the at sign (@) are the user name, and the characters after the at sign (@) are the domain name
      • If the user name does not contain the at sign (@), the entire character string is the user name, and the domain name is default_admin.
      • The user name cannot contain two or more at signs (@).
      • When the password is entered in plain text and a user security policy is configured, the password cannot be the same as the user name or the user name in reverse order. The password must contain the following types of characters: upper-case letters, lower-case letters, digits, and special characters.
        NOTE:
        • The question mark (?) is not counted as a special character.
        • A space contained can only be located in the middle but not the beginning or end of the password. Use double quotation marks (") around the password.
        • If the local-user service-type command has been run to configure a user as an administrator by specifying the user type as the Telnet, FTP, SSH, SNMP, or terminal user, the system automatically changes the user password to an irreversible ciphertext key.

    4. (Optional) Run local-user user-name service-type { { terminal | telnet | ftp | ssh | snmp | qx | mml | http } * | ppp | none }

      The access type of the local user is configured.

      By default, a local user cannot use any access type

    5. (Optional) Run local-user user-name ftp-directory directory

      The FTP directory right of the local user is configured.

      By default, the FTP directory of the local user is empty.

      NOTE:

      If the access type of the local user is set to FTP, the FTP directory of the local user must be configured and the level of local user cannot be lower than management level. Otherwise, FTP user login will fail.

    6. Configure the level of the local user or the group to which the local user belongs according to the command-line authorization mode.

      • Run the local-user level command to configure the level of the local user.
        NOTE:
        The configured level of the local user cannot be higher than that of the logged-in user.
      • Run the local-user user-name user-group user-group-name command to add the local user to the specified user group.

    7. (Optional) Run local-user user-name state { active | block }

      The status of the local user is configured.

      By default, a local user is in the Block state.

      The system processes authentication requests from users as follows:

      • If a local user is in the active state, the system accepts the authentication request from the user and performs further processing.

      • If a local user is in the block state, the system rejects the authentication request from the user.

    8. (Optional) Run local-user change-password

      The password of the local user is changed.

    9. (Optional) Run local-user user-name access-limit max-number

      The maximum number of user accesses is set.

      By default, the number of user accesses is not limited.

    10. (Optional) Run user-block failed-times failed-times period period

      The maximum times of continuous authentication failures for the local user are configured.

      NOTE:

      If a local user is locked, you need to unlock it. You can do so in either of the following ways:

      • In the AAA view, run the user-block reactive reactive-time command to configure the interval at which a user will be automatically unlocked. If the locking time for a user exceeds the time set in the configuration, the user will be automatically unlocked.
      • In the user view, run the activate aaa local-user user-name command to manually unlock the specified local user.

    11. (Optional) Run aaa abnormal-offline-record

      The abnormal logout events are recorded.

      By default, the abnormal logout events are recorded.

      After this function is enabled, information about abnormal logout events can be provided for administrators to manage and maintain user information.

    12. Run commit

      The configuration is committed.

  • Configuring a local user in the local AAA server view.
    1. Run system-view

      The system view is displayed.

    2. Run local-aaa-server

      The local AAA server view is displayed.

    3. Run user username { password { cipher cipher-password | irreversible-cipher irreversible--password } | authentication-type type-mask | { active | block [ fail-times fail-times-value interval interval-value ] } | ftp-directory ftp-directory | level level | user-group user-group-name } *

      A local user account is added.

      By default, no local user account is added. If a local user account is added, the default attributes of the local user account are as follows:
      • authentication-type: The value is "-", allowing none of the access types.
      • level: The value is determined by the management module, such as Telnet, and SSH.
      • ftp-directory: No FTP file directory is configured.
      NOTE:
      If the user usr-name authentication-type authentication-type command has been run to configure a user as an administrator by specifying the user type as the Telnet, FTP, SSH, SNMP, or terminal user, the system automatically changes the user password to an irreversible ciphertext key.

    4. (Optional) Run user user-name block [ fail-times fail-times-value interval interval-value ]

      The local user is blocked.

      The parameters terminal, qx and mml are supported only on the Admin-VS.

      By default, the local user is initially active.

    5. Run commit

      The configuration is committed.
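Two parts of the local-user procedure above carry rules that are easier to get right when written down as code: the password policy in the NOTE under step 3 (not equal to the user name or its reverse; upper-case, lower-case, digit and special character required; "?" not counted as special; spaces only in the middle), and the request handling of steps 7 to 10 (block state, access-limit, user-block failed-times/period and user-block reactive, manual unlock with activate aaa local-user). The following Python model is an added example and is not the device's implementation. It assumes that "failed-times within period" means a sliding window of that many seconds, that reactive is also in seconds, and that access-limit counts concurrent sessions; the user names, passwords and timings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# '?' is deliberately excluded: the guide says it is not counted as a special character.
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/\\|`~")

def check_password_policy(username: str, password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if password == username:
        problems.append("same as user name")
    if password == username[::-1]:
        problems.append("reverse of user name")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case character")
    if not any(c.islower() for c in password):
        problems.append("no lower-case character")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character ('?' does not count)")
    if password != password.strip(" "):
        problems.append("space at beginning or end")
    return problems

@dataclass
class LocalUser:
    name: str
    password: str
    state: str = "block"                    # guide: a local user is in the block state by default
    access_limit: Optional[int] = None      # local-user access-limit; None = unlimited
    sessions: int = 0
    failures: List[float] = field(default_factory=list)   # times of recent consecutive failures
    locked_at: Optional[float] = None

class LocalAaa:
    """Constructed model of local authentication with lockout and access-limit handling."""

    def __init__(self, failed_times: int = 3, period: float = 300.0, reactive: float = 300.0):
        self.failed_times = failed_times    # user-block failed-times (constructed default)
        self.period = period                # user-block ... period, seconds (assumed unit)
        self.reactive = reactive            # user-block reactive, seconds (assumed unit)
        self.users: Dict[str, LocalUser] = {}

    def add_user(self, user: LocalUser) -> None:
        self.users[user.name] = user

    def activate(self, name: str) -> None:
        """Manual unlock, as 'activate aaa local-user' does."""
        u = self.users[name]
        u.locked_at = None
        u.failures.clear()

    def authenticate(self, name: str, password: str, now: float) -> str:
        u = self.users.get(name)
        if u is None:
            return "rejected:unknown-user"
        if u.state == "block":
            return "rejected:blocked"           # block state: request rejected outright
        if u.locked_at is not None:
            if now - u.locked_at < self.reactive:
                return "rejected:locked"
            self.activate(name)                 # automatic unlock after reactive time
        if password != u.password:
            u.failures = [t for t in u.failures if now - t <= self.period] + [now]
            if len(u.failures) >= self.failed_times:
                u.locked_at = now               # too many failures inside the period
                u.failures.clear()
                return "rejected:locked"
            return "rejected:bad-password"
        u.failures.clear()                      # a success ends the run of failures
        if u.access_limit is not None and u.sessions >= u.access_limit:
            return "rejected:access-limit"
        u.sessions += 1
        return "accepted"

def login_sequence() -> List[str]:
    """Constructed timeline: three bad passwords lock the user, the lock expires,
    one login succeeds, and the second concurrent login hits access-limit 1."""
    aaa = LocalAaa(failed_times=3, period=60.0, reactive=120.0)
    aaa.add_user(LocalUser("ops", "Adm1n!pass", state="active", access_limit=1))
    attempts = [(0.0, "x"), (10.0, "x"), (20.0, "x"),
                (30.0, "Adm1n!pass"), (150.0, "Adm1n!pass"), (151.0, "Adm1n!pass")]
    return [aaa.authenticate("ops", pw, t) for t, pw in attempts]
```

Note that a correct password offered while the user is locked (the attempt at t=30 in login_sequence) is still rejected; only the reactive timer or a manual activate clears the lock.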

(Optional) Configuring the HWTACACS Server Template

In an HWTACACS server template, you must specify the IP address, port number, and shared key of a specified HWTACACS server. Default configurations are available for the configurations such as configuring whether the user name of the HWTACACS server contains the domain name and configuring the time for the primary server to return to the active state. The user can change the default configurations according to the actual requirements.

Context

Configuring the HWTACACS server template involves the following configurations:

NOTE:

To prevent risks in communication between the device and the HWTACACS server, deploy the communication network between the device and the HWTACACS server in a security zone.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run hwtacacs enable

    The HWTACACS protocol is enabled.

    By default, the HWTACACS protocol is enabled.

  3. Run hwtacacs-server service-name service-name

    An HWTACACS service name is configured.

    On an HWTACACS server, a user name can be allocated different rights based on different service names. After the hwtacacs-server service-name command is run, a user logging in to the device is allocated a right based on the configured HWTACACS service name.

  4. Run hwtacacs-server template template-name

    The HWTACACS server template is created, and the HWTACACS server template view is displayed.

  5. Run hwtacacs-server shared-key { cipher cipher-string | key-string }

    The shared key for the communication with the HWTACACS server is configured.

    By default, the HWTACACS shared key is not configured.

    The shared key can improve the security of the communication between the NE20E and the HWTACACS server.

    NOTE:

    To ensure the valid identities of both parties, the key on the NE20E must be the same as that configured for the HWTACACS server.

  6. You can use either of the following methods to configure the IP address and shared key of the primary/secondary HWTACACS server.

    NOTE:
    The priority of the HWTACACS common server is higher than that of the HWTACACS authentication/accounting/authorization server. If you configure the common server as the master server, configurations of the other servers (authentication, accounting, and authorization servers) cannot take effect.
    • Run the following command to configure the address and shared key of the primary/secondary HWTACACS common server.

      For IPv4 server: hwtacacs-server ip-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

      For IPv6 server: hwtacacs-server ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

    • Configure the addresses and shared keys for the primary/secondary HWTACACS authentication server, HWTACACS authorization server, and HWTACACS accounting server.

      1. For IPv4 server, run:

        hwtacacs-server authentication ip-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

        For IPv6 server, run:

        hwtacacs-server authentication ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

        The address and shared key of the primary (secondary) HWTACACS authentication server are configured.

      2. For IPv4 server, run:

        hwtacacs-server authorization ip-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

        For IPv6 server, run:

        hwtacacs-server authorization ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

        The address and shared key of the primary (secondary) HWTACACS authorization server are configured.

      3. For IPv4 server, run:

        hwtacacs-server accounting ip-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | { vpn-instance vpn-instance-name | public-net } ] * [ secondary ]

        For IPv6 server, run:

        hwtacacs-server accounting ipv6-address [ port ] [ shared-key { key-string | cipher cipher-string } | mux-mode | vpn-instance vpn-instance-name ] * [ secondary ]

        The address and shared key of the primary (secondary) HWTACACS accounting server are configured.

  7. (Optional) Run hwtacacs-server source-ip ip-address

    The source IP address for the communication between the device and the HWTACACS server is configured.

  8. (Optional) Run hwtacacs-server timer response-timeout value

    The response timeout period of the HWTACACS server is configured.

    By default, the response timeout period for an HWTACACS server is 5s.

    If the device does not receive any response from the HWTACACS server within the timeout period, it considers that the HWTACACS server is faulty. Then the device tries to perform authentication and authorization by using other methods.

  9. (Optional) Run hwtacacs-server timer quiet value

    The time for the primary server to return to the active state is specified.

  10. (Optional) Run hwtacacs-server user-name domain-included

    Whether the user name of the HWTACACS server contains the domain name is determined.

    By default, the user name of the HWTACACS server contains the domain name.

    If the HWTACACS server does not accept the user name that contains the domain name, you can delete the domain name and then send the user name without the domain name to the HWTACACS server.

    NOTE:

    The user name is usually in the format of "user name@domain name".

  11. (Optional) Run hwtacacs-user change-password hwtacacs-server template-name

    The HWTACACS user password is changed.

  12. Run commit

    The configuration is committed.

(Optional) Configuring the RADIUS Server Group

Context

NOTE:

To prevent risks in communication between the device and the RADIUS server, deploy the communication network between the device and the RADIUS server in a security zone.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius enable

    The RADIUS service is enabled.

    By default, the RADIUS service is enabled.

  3. (Optional) Run radius-server { dead-count dead-count [ fail-rate fail-rate-value ] | dead-interval dead-interval | dead-time dead-time [ recover-count invalid ] } *

    The parameters used to determine the status of the RADIUS server are set.

    By default, the router considers that the RADIUS server is abnormal when the RADIUS server fails to respond to 10 consecutive packets sent from the router within 5 seconds. The router waits for 3 minutes before restoring the status of the RADIUS server.

    If the router does not receive any response packets after sending RADIUS packets for the number of times configured in this command, and the interval between the first packet and the last packet (specified by dead-count) that the RADIUS server fails to respond to is longer than dead-interval, the router determines that the RADIUS server works abnormally and changes the status of the RADIUS server to Down.

    After setting the status of the RADIUS server to Down, the router waits for a certain period configured in this command before setting the status of the RADIUS server to Up. At the same time, the router attempts to reestablish a connection with the RADIUS server. If the connection cannot be established, the router sets the status of the RADIUS server to Down again.

  4. Run radius-server group group-name

    The RADIUS server group is created, and the RADIUS server group view is displayed.

  5. Run radius-server { shared-key key-string | shared-key-cipher key-string-cipher } [ { authentication | accounting } { ipv4-address [ vpn-instance instance-name ] | ipv6-address } [ source {ip-address source-ip-address | interface-type interface-num } ] ] port-number [ weight weight ] ]

    The shared key for the communication with the RADIUS server is configured.

    By default, the shared key for the radius server is not configured.

  6. Run radius-server authentication ip-address [ vpn-instance instance-name | source { interface-name | interface-type interface-number | ip-address source-ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * port [ weight weight-value ]

    Or run radius-server authentication ip-address port { vpn-instance instance-name | { shared-key key-string | shared-key-cipher cipher-string } | source { { interface-name | interface-type interface-number } | ip-address source-ip-address } } * [ weight weight-value ]

    The address and shared key of the primary (secondary) RADIUS authentication server are configured.

  7. Run radius-server user-name { domain-included | original }

    Whether the user name of the RADIUS server contains the domain name is determined.

    By default, the user name contains the domain name.

  8. Run radius-server source interface interface-type interface-number

    The source interface of the RADIUS server is configured. The router uses the IP address of this source interface to send packets to the RADIUS server.

    By default, source interface is not configured.

    When a RADIUS server is deployed in a VPN and the router sends a packet to the RADIUS server, the IP address of the source interface configured using the radius-server source interface command is preferred. If no source interface is configured, the router uses as the source IP address the address of the outbound interface that has a reachable route, selected based on the VPN ID and destination IP address. If no such route is found, the router uses the IP address of any interface within the VPN as the source IP address.

  9. Run radius-server nas-ip-address ip-address

    The IP address of the NAS (Network Access Server) for the group is configured.

    A device's NAS-IP address is used as the destination IP address of a response packet to be sent from the RADIUS server.

  10. (Optional) Configure the transmission reliability of RADIUS packets.
    1. Run radius-server retransmit retry-times

      The number of retransmission times of the RADIUS server is configured.

      By default, the retransmission value is 3.

      If a request packet has been retransmitted more than the configured number of times without a response, the router considers that the RADIUS server is faulty.

    2. (Optional) Run radius-server timeout time-value

      The response timeout period of the RADIUS server is configured.

      By default, the server response timeout value is 5 seconds.

      To check whether a RADIUS server is valid, the router periodically sends request packets to the RADIUS server. If the router receives no response within the timeout period, it retransmits request packets.

  11. Run commit

    The configuration is committed.
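Steps 3 and 10 of the RADIUS procedure above describe two interacting timers: a request is retransmitted up to radius-server retransmit times, each waiting radius-server timeout, and the server is marked Down only when dead-count consecutive packets go unanswered and the first and last of them are more than dead-interval apart; after dead-time the router marks it Up again and re-probes. The following Python state machine is an added model of those rules, not Huawei's implementation. It uses the default values quoted in the procedure (dead-count 10, dead-interval 5 s, dead-time 3 minutes, retransmit 3, timeout 5 s), and the outage timeline is constructed.

```python
from typing import List, Optional, Tuple

class RadiusServerMonitor:
    """Constructed model of one RADIUS server's Up/Down status as tracked by the router.
    All times are in seconds."""

    def __init__(self, dead_count: int = 10, dead_interval: float = 5.0,
                 dead_time: float = 180.0, retransmit: int = 3, timeout: float = 5.0):
        self.dead_count = dead_count
        self.dead_interval = dead_interval
        self.dead_time = dead_time
        self.retransmit = retransmit
        self.timeout = timeout
        self.status = "Up"
        self.unanswered: List[float] = []        # send times of consecutive unanswered packets
        self.down_since: Optional[float] = None

    def note_no_response(self, sent_at: float) -> str:
        """A packet sent at sent_at received no reply within the timeout."""
        if self.status == "Down":
            return self.status
        self.unanswered.append(sent_at)
        enough = len(self.unanswered) >= self.dead_count
        spread = self.unanswered[-1] - self.unanswered[0] > self.dead_interval
        if enough and spread:                    # both conditions from step 3 must hold
            self.status = "Down"
            self.down_since = sent_at
            self.unanswered.clear()
        return self.status

    def note_response(self) -> str:
        """Any reply ends the run of unanswered packets."""
        self.unanswered.clear()
        self.status = "Up"
        self.down_since = None
        return self.status

    def send_request(self, now: float, server_answers: bool) -> Tuple[bool, str]:
        """One request with up to `retransmit` retries spaced `timeout` apart.
        Returns (answered, status after the exchange)."""
        for attempt in range(1 + self.retransmit):
            sent_at = now + attempt * self.timeout
            if server_answers:
                return True, self.note_response()
            self.note_no_response(sent_at)
        return False, self.status                # retries exhausted: server treated as faulty

    def dead_time_check(self, now: float, server_reachable: bool) -> str:
        """After dead-time the router marks the server Up and probes it; if the probe
        fails the server goes Down again and the dead-time timer restarts."""
        if (self.status == "Down" and self.down_since is not None
                and now - self.down_since >= self.dead_time):
            if server_reachable:
                self.note_response()
            else:
                self.down_since = now
        return self.status

def outage_timeline() -> List[Tuple[float, str]]:
    """Constructed outage: the server stops answering at t=0 and is reachable again by t=230."""
    mon = RadiusServerMonitor()
    timeline = []
    for t in (0.0, 20.0, 40.0):                  # three requests, each retried 3 times, 5 s apart
        _, status = mon.send_request(t, server_answers=False)
        timeline.append((t, status))
    timeline.append((200.0, mon.dead_time_check(200.0, server_reachable=False)))  # < 180 s since Down
    timeline.append((230.0, mon.dead_time_check(230.0, server_reachable=True)))   # dead-time elapsed
    return timeline

if __name__ == "__main__":
    for t, status in outage_timeline():
        print(f"t={t:6.1f}s  server {status}")
```

In the constructed timeline the tenth unanswered packet is the second retry of the third request (t=45), 45 s after the first, so the server goes Down during that request; ten unanswered packets inside a 2 s burst would not trip the detector, because the dead-interval condition is not met.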

Configuring AAA Schemes for the Domain

Associate the remote authentication, authorization, and accounting schemes of the domain user with the server template by configuring a domain. Then, corresponding authentication, authorization, and accounting will be implemented for the users accessing the domain.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name

    A domain is created and the AAA domain view is displayed.

    By default, there is a domain named default on the system. The default domain cannot be deleted but can be modified.

  4. Run quit

    Return to the AAA view.

  5. (Optional) Run service-type terminal force-domain domain-name

    A forced domain is configured for a console interface.

    When users logging in through the console interface and users logging in using other login methods must be distinguished, run the service-type terminal force-domain command to specify a forced domain for the console interface. After the configuration takes effect, users logging in through the console interface automatically enter the forced domain and are not allocated any other domain based on their user names. In this manner, users logging in through the console interface and users logging in using other methods are distinguished and allocated different rights.

    This command is supported only on the Admin-VS.

  6. (Optional) Run default-domain { admin | access } domain-name

    The domain name created in the preceding step is configured as the default domain name.

    By default, a domain name does not automatically become the default domain name after it is configured.

    After you manually create a domain name, for example, first_domain, you must suffix @first_domain to the user name during authentication, which is inconvenient. To facilitate user authentication, run the default-domain command to set the domain name first_domain as the default domain name. With this configuration, @first_domain is automatically suffixed to user names.

  7. Run authentication-scheme authentication-scheme-name

    The authentication scheme is configured for the domain.

    By default, the default authentication scheme is applied to a domain.

  8. Run authorization-scheme authorization-scheme-name

    The authorization scheme is configured for the domain.

    By default, the default authorization scheme is applied to a domain.

  9. Run accounting-scheme accounting-scheme-name

    The accounting scheme is configured for the domain.

    By default, the default accounting scheme is applied to a domain.

  10. Select the server template according to the configured authentication, authorization, and accounting modes.

    • Run the radius-server group (AAA domain view) group-name command to configure the RADIUS server group for the domain.

      This command is supported only on the Admin-VS.

      By default, the RADIUS server template of a domain is empty.

    • Run the hwtacacs-server template-name command to configure the HWTACACS server template for the domain.

      By default, the HWTACACS server template of a domain is empty.

  11. Run block

    The status of the domain is configured.

    By default, a domain is in active state after being created.

    When a domain is in block state, users of the domain cannot access the network.

  12. (Optional) Run access-limit max-number

    The maximum number of access users for the domain is set.

    By default, the number of access users is not limited.

  13. (Optional) Run adminuser-priority level

    The default user level for administrators in a specific AAA domain is configured.

    By default, no default user level is configured for administrators in an AAA domain.

    If a user level is not assigned by the local device (using the local-user level command) or by a remote server, administrators are not allowed to access a specific domain in management mode. To resolve this issue, run the adminuser-priority command to configure a default level for administrators in a specific AAA domain. Then, the administrators will take this user level for login.

    A user level assigned by the local device or a remote server takes precedence over a user level configured using the adminuser-priority command. When the user is added to a user group, the configuration of user group takes precedence over a user level configured using the adminuser-priority command.

    NOTE:
    The configured default level of the local user cannot be higher than that of the logged-in user.

  14. (Optional) Run domain-name-delimiter delimiter

    The domain name delimiter is configured.

    By default, the domain name delimiter is @.

  15. (Optional) Run domain-location { after-delimiter | before-delimiter }

    The domain name location is configured so that the system can correctly parse the user name and domain name.

    By default, the domain name is located after the delimiter.

    By default, a user uses user name@domain name to log in to a device. To configure a user to use domain name@user name to log in, run the domain-location command to configure the domain name to be located before the delimiter.

  16. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }

    The direction in which the domain name is parsed is configured so that the system can correctly parse the user name and domain name.

    By default, the domain name is parsed from left to right.

    When a user name contains multiple domain name delimiters, run the domainname-parse-direction command to configure the direction in which the domain name is parsed. Use user1@abcd@domain1 as an example. When the domain name is parsed from left to right, the first delimiter @ from the left is considered the domain name delimiter. When the domain name is parsed from right to left, the first delimiter @ from the right is considered the domain name delimiter. The other delimiters are considered part of the user name or domain name.

  17. Run commit

    The configuration is committed.
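Steps 14 to 16 above define how a login string is split into user name and domain name (domain-name-delimiter, domain-location, domainname-parse-direction), and step 6 defines what happens when no delimiter is present. The following Python function is an added worked example of exactly that split, not code from the guide or from Huawei; it does not model service-type terminal force-domain, and the default_domain parameter is a stand-in for whichever domain default-domain selects (or default_admin for the local-user command). The login strings are constructed.

```python
from typing import Dict, Tuple

def split_user_domain(login: str, delimiter: str = "@",
                      location: str = "after-delimiter",
                      direction: str = "left-to-right",
                      default_domain: str = "default") -> Tuple[str, str]:
    """Split a login string into (user name, domain name) following the
    domain-name-delimiter, domain-location and domainname-parse-direction
    settings. With no delimiter the whole string is the user name and the
    default domain applies."""
    if delimiter not in login:
        return login, default_domain
    if direction == "left-to-right":
        head, tail = login.split(delimiter, 1)      # first delimiter from the left
    elif direction == "right-to-left":
        head, tail = login.rsplit(delimiter, 1)     # first delimiter from the right
    else:
        raise ValueError(f"unknown parse direction {direction!r}")
    if location == "after-delimiter":
        return head, tail        # user name@domain name (the default layout)
    if location == "before-delimiter":
        return tail, head        # domain name@user name
    raise ValueError(f"unknown domain location {location!r}")

def parse_examples() -> Dict[str, Tuple[str, str]]:
    """Constructed inputs covering each setting, including the two-delimiter
    case from step 16 (user1@abcd@domain1)."""
    multi = "user1@abcd@domain1"
    return {
        "no-delimiter": split_user_domain("user1"),
        "ltr-after": split_user_domain(multi),
        "rtl-after": split_user_domain(multi, direction="right-to-left"),
        "ltr-before": split_user_domain("domain1@user1", location="before-delimiter"),
        "custom-delimiter": split_user_domain("user1/domain1", delimiter="/"),
    }

if __name__ == "__main__":
    for case, (user, domain) in parse_examples().items():
        print(f"{case:16s} user={user!r:16s} domain={domain!r}")
```

For the two-delimiter input, left-to-right yields user "user1" in domain "abcd@domain1", whereas right-to-left yields user "user1@abcd" in domain "domain1"; which one is intended decides whether the domain lookup in step 10 hits the expected server template. Separately, the local-user command in the earlier procedure rejects names with two or more @ signs outright, so that ambiguity only arises for remotely authenticated logins.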

Verifying the AAA Configuration

After configuring AAA, check the configurations.

Prerequisites

AAA has been configured.

Procedure

  1. Run the display aaa configuration command to check brief information about AAA.
  2. Run the display accounting-scheme [ scheme-name ] command to check the configuration of the accounting scheme.
  3. Run the display authentication-scheme [ scheme-name ] command to check the configuration of the authentication scheme.
  4. Run the display authorization-scheme [ scheme-name ] command to check the configuration of the authorization scheme.
  5. Run the display domain domain-name command to check the configuration of the domain.
  6. Run the display hwtacacs current-status command to display the current HWTACACS status information.
  7. Run the display hwtacacs-server template command to display the detailed configuration of all configured HWTACACS server templates.
  8. Run the display radius-attribute [ name attribute-name | type { 3gpp | dsl | huawei | microsoft | redback | standard } attribute-number ] command to display the RADIUS attributes supported by the system.
  9. Run the display radius-server configuration [ group group-name ] command to display the configuration of RADIUS server groups on the system.
  10. Run the display recording-scheme [ recording-scheme-name ] command to display the configuration of a recording scheme.

Example

Run the display aaa configuration command to check the AAA summary.

  ---------------------------------------------------------------------------
  AAA configuration information :
  ---------------------------------------------------------------------------
  Parse Priority                   : Domain first
  Domain Name Delimiter            : @ 
  Domainname parse direction       : Left to right
  Domainname location              : After-delimiter
  Realm name delimiter             : -
  Realmname parse direction        : Left to right
  Realmname location               : Before-delimiter
  Domain                           : total: 1024  used: 9     
  Authentication-scheme            : total: 32    used: 3    
  Authorization-scheme             : total: 32    used: 1    
  Accounting-scheme                : total: 256   used: 2    
  Recording-scheme                 : total: 128   used: 0    
  AAA-access-user                  : total: 279552 used: 3    
  Access-user-state                : authen: 0    author: 0    accounting: 3   
  Transition-step                  : -
  Min-Delay-time                   : -
  Max-Delay-time                   : -
  Access speed                     : -
  Offline speed                    : 256(/s)
  Account-session-id-version       : Version1
  Remote-download configuration:
    Remote user-group:enable
    Remote user-group check interval:10 minutes
    Remote acl: enable
  User no-family user-max-session           : 0
  Access-trigger lease original    : enable   
  BGP over PPPoE                   : enable   
  BGP over LNS                     : enable     
  Said switch                               : enable
  Said check-rule rule1(increase)           : 10000
  Said diag-rule(increase,reduce,rate)      : 10000,1000,30
  Said recover interval                     : 0
  Said check-rule user-number(reduce-ratio) : 50
  Said check-rule flow-speed(reduce-ratio)  : 50
  
  ---------------------------------------------------------------------------

Run the display accounting-scheme command to check the configuration of the accounting scheme.

<HUAWEI> display accounting-scheme
  -------------------------------------------------------------------
  Accounting-scheme-name              Accounting-method
  -------------------------------------------------------------------
  default0                            No accounting
  default1                            RADIUS accounting
  default                             No accounting
  acct1                               RADIUS accounting
  -------------------------------------------------------------------
  Total 3,4 printed

Run the display authentication-scheme command to check the summary of all authentication schemes.

<HUAWEI> display authentication-scheme
  ---------------------------------------------------------------------------
  Authentication-scheme-name          Authentication-method
  ---------------------------------------------------------------------------
  default0                            local
  default1                            radius
  default                             local radius
  auth1                               local
  ---------------------------------------------------------------------------
  Total 4,4 printed

Run the display authorization-scheme command to check the summary of all authorization schemes.

<HUAWEI> display authorization-scheme
  ---------------------------------------------------------------------------
  Authorization-scheme-name          Authorization-method
  ---------------------------------------------------------------------------
  default                            Local
  author1                            HWTACACS
  ---------------------------------------------------------------------------
  Total 2,2 printed

Run the display domain command to check the domain configuration.

<HUAWEI> display domain
  ------------------------------------------------------------------------------
  Domain name           State        CAR Access-limit   Online  BODNum RptVSMNum
  ------------------------------------------------------------------------------
  default0              Active         0       279552        0       0         0
  default1              Active         0       279552        0       0         0
  default_admin         Active         0       279552        0       0         0
  default               Active         0       279552        0       0         0
  isp1                  Active         0       279552        0       0         0
  ------------------------------------------------------------------------------
  Total 5,5 printed

Run the display hwtacacs current-status command to check the current HWTACACS status.

<HUAWEI> display hwtacacs current-status
----------------------------------------
 HWTACACS service status      : Enabled 
 Total templates configured   : 1       
 Total servers configured     : 3       
----------------------------------------

Run the display hwtacacs-server template command to check the configuration of the HWTACACS server template.

<HUAWEI> display hwtacacs-server template
-------------------------------------------------
 Template Name                  :  tac
 Template ID                    :  0
 Primary Authentication Server  :  10.10.10.2-1000:-
 Primary Authorization Server   :  10.10.10.4-1000:-
 Primary Accounting Server      :  10.10.10.6-1000:-
 Primary Common Server          :  10.10.10.6-1000:-
 Current Authentication Server  :  10.10.10.2-1000:-
 Current Authorization Server   :  10.10.10.4-1000:-
 Current Accounting Server      :  10.10.10.6-1000:-
 Source IP Address              :  10.10.10.12
 Shared Key                     :  ****************
 Quiet-interval (min)           :  5
 Response-timeout-Interval (sec):  5
 Domain-included                :  Yes
 Secondary Authen Server Count  :  1
 Secondary Author Server Count  :  1
 Secondary Account Server Count :  1
 Secondary Common Server Count  :  1
-------------------------------------------------

Run the display radius-attribute [ name attribute-name | type { 3gpp | dsl | huawei | microsoft | redback | standard } attribute-number ] command to check the RADIUS attributes supported by the NE20E.

<HUAWEI> display radius-attribute type standard 1
 Radius Attribute Type        : 1                                               
 Radius Attribute Name        : User-Name                                       
 Radius Attribute Description : This Attribute indicates the name of the user to
 be authenticated.                                                              
 Supported Packets            : Auth Request, Acct Request, Session Control, COA
 Request, COA Ack                                                               

Run the display radius-server configuration [ group group-name ] command to check the configuration of the RADIUS server.

<HUAWEI> display radius-server configuration
  RADIUS no response packet count    : 10
  RADIUS auto recover time(Min)      : 3
  RADIUS retransmit interval(Sec)    : 30
  RADIUS authentication source ports :
         IPv4: 1812
         IPv6: 1812
  RADIUS accounting source ports     :
         IPv4: 1813
         IPv6: 1813
  -------------------------------------------------------
  Server-group-name    :  rd1
  Authentication-server:  IP:10.93.4.16 Port:1812 Weight[0] [UP] [MASTER]       
                          Vpn: -                                                
                          share-key:  ******                                    
  Authentication-server:  IP:10.93.4.14 Port:1812 Weight[0] [UP]                
                          Vpn: -                                                
                          share-key:  ******                                    
  Authentication-server:  IP:1.1.1.1 Port:1812 Weight[0] [UP]                   
                          Vpn: -                                                
  Accounting-server    :  IP:10.93.4.16 Port:1813 Weight[0] [UNKNOWN] [MASTER]  
                          Vpn: -                                                
                          share-key:  ******                                    
  Accounting-server    :  IP:10.93.4.14 Port:1813 Weight[0] [UNKNOWN]           
                          Vpn: -                                                
                          share-key:  ****** 
  Protocol-version     :  radius 
  Shared-secret-key    :  ******
  Retransmission       :  2
  Timeout-interval(s)  :  8
  Acct-Start-Packet Resend  :  YES   
  Acct-Start-Packet Resend-Times  :  10   
  Acct-Stop-Packet Resend  :  YES
  Acct-Stop-Packet Resend-Times  :  100
  -------------------------------------------------------
  Are you sure to display next (Y/N)[Y]:Y
  -------------------------------------------------------
  Server-group-name    :  g1
  Protocol-version     :  radius 
  Shared-secret-key    :  ******
  Retransmission       :  3
  Timeout-interval(s)  :  5
  Acct-Start-Packet Resend  :  NO   
  Acct-Start-Packet Resend-Times  :  0   
  Acct-Stop-Packet Resend  :  NO
  Acct-Stop-Packet Resend-Times  :  0
  Nasport Bypass enable  :0   
  -------------------------------------------------------
  Total 2,2 printed
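As an added check (example code written for this page, not part of the configuration guide or the NE20E software), the following Python parses the display radius-server configuration output shown above and flags servers that are not [UP], that show no per-server share-key line, or that are not on an allow-list of expected server addresses. The sample input is the rd1/g1 output from this page, abridged, with the paging prompt left in; the allow-list addresses and all function names are this example's own assumptions. What [UNKNOWN] means for an accounting server is not stated on this page, so the check simply reports any state other than [UP].

```python
import re

# Constructed sample: the "display radius-server configuration" output from
# this page, abridged, with the paging prompt left in so the parser must
# skip it like any other non-server line.
SAMPLE = """\
<HUAWEI> display radius-server configuration
  RADIUS no response packet count    : 10
  RADIUS auto recover time(Min)      : 3
  -------------------------------------------------------
  Server-group-name    :  rd1
  Authentication-server:  IP:10.93.4.16 Port:1812 Weight[0] [UP] [MASTER]
                          Vpn: -
                          share-key:  ******
  Authentication-server:  IP:10.93.4.14 Port:1812 Weight[0] [UP]
                          Vpn: -
                          share-key:  ******
  Authentication-server:  IP:1.1.1.1 Port:1812 Weight[0] [UP]
                          Vpn: -
  Accounting-server    :  IP:10.93.4.16 Port:1813 Weight[0] [UNKNOWN] [MASTER]
                          Vpn: -
                          share-key:  ******
  Accounting-server    :  IP:10.93.4.14 Port:1813 Weight[0] [UNKNOWN]
                          Vpn: -
                          share-key:  ******
  Protocol-version     :  radius
  Shared-secret-key    :  ******
  -------------------------------------------------------
  Are you sure to display next (Y/N)[Y]:Y
  -------------------------------------------------------
  Server-group-name    :  g1
  Protocol-version     :  radius
  -------------------------------------------------------
  Total 2,2 printed
"""

GROUP_RE = re.compile(r"^\s*Server-group-name\s*:\s*(\S+)")
SERVER_RE = re.compile(
    r"^\s*(Authentication|Accounting)-server\s*:\s*IP:(\S+)\s+Port:(\d+)"
    r"\s+Weight\[(\d+)\](.*)$")
KEY_RE = re.compile(r"^\s*share-key\s*:")


def parse_radius_servers(text):
    """Return one dict per server line, in output order. A server's
    share-key line, when present, follows its own server line, so it is
    attached to the most recently seen server."""
    servers, group, current = [], None, None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            group, current = m.group(1), None
            continue
        m = SERVER_RE.match(line)
        if m:
            role, ip, port, weight, flags = m.groups()
            tags = re.findall(r"\[([A-Z]+)\]", flags)   # e.g. UP, UNKNOWN, MASTER
            current = {"group": group, "role": role.lower(), "ip": ip,
                       "port": int(port), "weight": int(weight),
                       "state": next((t for t in tags if t != "MASTER"), "?"),
                       "master": "MASTER" in tags, "has_key": False}
            servers.append(current)
            continue
        if current is not None and KEY_RE.match(line):
            current["has_key"] = True
    return servers


def audit(servers, expected=None):
    """Flag servers that are not [UP], that show no per-server share-key,
    or (when an allow-list of addresses is given) that are not expected.
    The allow-list is an assumption of this example, not a device setting."""
    issues = []
    for s in servers:
        where = f"{s['group']} {s['role']} {s['ip']}:{s['port']}"
        if s["state"] != "UP":
            issues.append(f"{where}: state {s['state']}")
        if not s["has_key"]:
            issues.append(f"{where}: no per-server share-key shown")
        if expected is not None and s["ip"] not in expected:
            issues.append(f"{where}: address not in the allow-list")
    return issues


if __name__ == "__main__":
    for issue in audit(parse_radius_servers(SAMPLE),
                       expected={"10.93.4.16", "10.93.4.14"}):
        print(issue)
```

On the page's own output this reports the two accounting servers in state UNKNOWN and the third authentication server, 1.1.1.1, which shows no share-key line and is not in the assumed allow-list. An unexpected server address in an authentication group is worth chasing, since the device will send credentials to it; capture the command output to a file and feed it to parse_radius_servers to run the same check against a live device.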

Run the display recording-scheme command to check the configuration of the recording scheme.

<HUAWEI> display recording-scheme currentscheme
-----------------------------------------------------------------
Recording-scheme-name           : currentscheme
HWTACACAS-template-name          : NO SET
---------------------------------------------------------------- 
Updated: 2019-01-02

Document ID: EDOC1100055397