
Fat AP and Cloud AP V200R010C00 Command Reference


radius-server authorization

Function

The radius-server authorization command configures the RADIUS authorization server.

The undo radius-server authorization command deletes the configured RADIUS authorization server.

By default, no RADIUS authorization server is configured.

Format

radius-server authorization ip-address { server-group group-name shared-key cipher key-string | shared-key cipher key-string [ server-group group-name ] } [ protect enable ]

undo radius-server authorization { all | ip-address }

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip-address | Specifies the IP address of a RADIUS authorization server. | The value is a unicast address in dotted decimal notation. |
| server-group group-name | Specifies the name of a RADIUS group corresponding to a RADIUS server template. | The value is a string of 1 to 32 characters, including letters (case-sensitive), numerals (0 to 9), punctuation mark (.), dash (-), and underline (_). The value cannot be - or --. |
| shared-key cipher key-string | Specifies the shared key of a RADIUS server. | The value is a case-sensitive character string without spaces or question marks (?). The key-string may be a plain text consisting of 1 to 128 characters or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in cipher text. |
| protect enable | Enables the security hardening function. | - |
| all | Deletes all RADIUS authorization servers. | - |

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An independent RADIUS authorization server can be used to authorize online users. RADIUS provides two authorization methods: Change of Authorization (CoA) and Disconnect Message (DM).
  • CoA: After a user is successfully authenticated, you can modify the rights of the online user through the RADIUS authorization server. For example, a VLAN ID can be delivered to access users of a certain department through CoA packets, so that they belong to the same VLAN no matter which interfaces they connect to.
  • DM: The administrator can forcibly disconnect a user through the RADIUS authorization server.

After the parameters such as IP address and shared key are configured for the RADIUS authorization server, the device can receive authorization requests from the server and grant rights to users according to the authorization information. After authorization is complete, the device returns authorization response packets carrying the results to the server.

After the security hardening function is enabled by specifying the protect enable parameter, the following occurs:
  • When a CoA or DM request packet carries the Message-Authenticator attribute, the device checks the Message-Authenticator attribute. If the check fails, the device discards the request packet and does not respond to it. If the check succeeds, the device sends a CoA or DM response packet (ACK or NAK) that carries the Message-Authenticator attribute.
  • When a CoA or DM request packet does not carry the Message-Authenticator attribute, the device does not check the attribute and sends a CoA or DM response packet (ACK or NAK) that does not carry the Message-Authenticator attribute.
When a CoA or DM request packet carries the Message-Authenticator attribute, if the radius-attribute disable message-authenticator receive command is configured, the device does not check the attribute and sends a response packet that does not carry the Message-Authenticator attribute; if the radius-attribute disable message-authenticator send command is configured, the device sends a response packet that does not carry the Message-Authenticator attribute even if the attribute check succeeds.
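
The check performed under protect enable can be reproduced offline. The following Python is an added example, not Huawei code: it computes Message-Authenticator for a CoA or DM request as RFC 5176 defines it (HMAC-MD5 keyed with the shared key, with the Request Authenticator field and the attribute value treated as zero) and returns the decision described in the bullets above. The function names, the decision strings and the choice to discard malformed packets are assumptions of the example.

```python
import hashlib
import hmac
import struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40   # RFC 5176 packet codes
MSG_AUTH = 80                              # Message-Authenticator attribute type
ZERO16 = bytes(16)


def find_msg_auth(packet):
    """Return the offset of the Message-Authenticator value, or None if absent."""
    pos = 20                               # attributes follow the 20-byte header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH:
            if alen != 18:
                raise ValueError("bad Message-Authenticator length")
            return pos + 2
        pos += alen
    return None


def build_request(code, ident, attrs, secret):
    """Server side: build a CoA/DM request that carries Message-Authenticator."""
    attrs = attrs + bytes([MSG_AUTH, 18]) + ZERO16
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + ZERO16 + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac              # insert the MAC, then sign the packet
    req_auth = hashlib.md5(header + ZERO16 + attrs + secret).digest()
    return header + req_auth + attrs


def handle_request(packet, secret):
    """Device side with protect enable (Request Authenticator check not shown)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "discard"                   # assumption: drop bad lengths
    try:
        off = find_msg_auth(packet)
    except ValueError:
        return "discard"                   # assumption: drop malformed attributes
    if off is None:
        return "respond-without-ma"        # attribute absent: nothing is checked
    zeroed = packet[:4] + ZERO16 + packet[20:off] + ZERO16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if hmac.compare_digest(expected, packet[off:off + 16]):
        return "respond-with-ma"           # ACK or NAK carries the attribute too
    return "discard"                       # check failed: silent drop
```

The "respond-without-ma" branch is the case to watch on the RADIUS server side: a request that omits the attribute is still answered, so integrity protection applies only when the authorization server includes Message-Authenticator in its CoA and DM requests.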

Precautions

To improve security, it is recommended that the password contain at least three of the following character types: lowercase letters, uppercase letters, numerals, and special characters, and that it be at least 16 characters long.

Example

# Specify a RADIUS authorization server.

<Huawei> system-view
[Huawei] radius-server authorization 10.1.1.116 shared-key cipher Huawei@2012
Updated: 2019-11-21

Document ID: EDOC1100064352
