S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the configurations of User Access and Authentication Configuration, including AAA, NAC, and Policy Association.

Configuring an AAA Scheme

Context

An AAA scheme defines the authentication, authorization, and accounting modes applied to users. To use RADIUS for AAA, set the authentication mode to RADIUS in the authentication scheme and the accounting mode to RADIUS in the accounting scheme. In RADIUS, authentication and authorization are carried in the same exchange and cannot be separated: the attributes returned with a successful Access-Accept are the authorization, so if authentication succeeds, authorization also succeeds. When RADIUS authentication is used, you therefore do not need to configure an authorization scheme.

To prevent a login from failing only because the RADIUS server does not respond, configure local authentication (or, far less safely, non-authentication) as the backup authentication mode in the authentication scheme. The backup mode is used only when the server does not respond; an explicit Access-Reject from the server is not a failover condition unless radius-reject local is configured (see below).

NOTE:

If non-authentication is configured using the authentication-mode command, any user name and password are accepted. To protect the device and the network, enable authentication so that only authenticated users can access the device or the network.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.

      By default, two authentication schemes named default and radius are available on the device. The two schemes can only be modified, but cannot be deleted.

    4. Run authentication-mode radius

      The authentication mode is set to RADIUS.

      By default, local authentication is used and local user names are matched case-insensitively.

      To configure local authentication as the backup authentication mode, run the authentication-mode radius { local | local-case } command. With local, the local user name is matched case-insensitively; with local-case, it is matched case-sensitively. The backup mode applies only when the RADIUS server does not respond.

    5. (Optional) Run radius-reject local

      The administrator is authenticated using the local authentication mode after the administrator's RADIUS authentication request is rejected.

      By default, an administrator is not authenticated locally after the RADIUS authentication request is rejected: when the RADIUS server responds with an Access-Reject packet, the authentication process ends and the administrator fails to be authenticated. Enabling this fallback means that an Access-Reject no longer blocks the login and the local account becomes an alternative credential for the same administrator, so use it only where the local administrator accounts are managed as strictly as the RADIUS ones.

      NOTE:
      • This function takes effect only for administrators.
      • To implement this function, the authentication mode must be RADIUS + local authentication.

    6. (Optional) Run authentication-super { [ hwtacacs | radius | super ] * | none }

      The authentication mode used to upgrade user levels in the current authentication scheme is configured.

      By default, the super mode is used, that is, user level upgrade is authenticated locally on the device using the super password.

    7. (Optional) Run authentication-type radius chap access-type admin [ ftp | ssh | telnet | terminal | http ] *

      CHAP replaces PAP when RADIUS authentication is performed on administrators of the specified access types.

      By default, PAP is used when RADIUS authentication is performed on administrators. With PAP the device forwards the password to the RADIUS server in the User-Password attribute, protected only by the reversible shared-secret obfuscation of RFC 2865; with CHAP the device sends the server a challenge and a response derived from the password, so the password itself does not cross the network between the device and the server. CHAP does require the RADIUS server to hold the password in a form from which it can compute the response, so check the server's user store before switching.

    8. Run quit

      Return to the AAA view.

    9. (Optional) Configure the account locking function.

      1. Run remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time

        The remote AAA authentication account locking function is enabled, and the authentication retry interval, maximum number of consecutive authentication failures, and account locking period are configured.

        By default, the remote AAA account locking function is enabled, the authentication retry interval is 50 minutes, the maximum number of consecutive authentication failures is 30, and the account locking period is 5 minutes.

      2. Run aaa-quiet administrator except-list { ipv4-address | ipv6-address } &<1-32>

        Administrators logging in from the specified IP addresses are exempted from account locking, that is, they can still log in while the account is locked. Restrict the list to trusted management hosts, because entries on it bypass the protection against password guessing that the lockout provides.

        By default, a locked account cannot be used from any address until the locking period expires or the account is unlocked.

        You can run the display aaa-quiet administrator except-list command to query the specified IP addresses.

      3. Run remote-user authen-fail unblock { all | username username }

        A remote AAA authentication account locked after repeated authentication failures is unlocked before the locking period expires, either all such accounts or the named one.

    10. (Optional) Run aaa-author session-timeout invalid-value enable

      The device is disabled from disconnecting or reauthenticating users when the RADIUS server delivers the Session-Timeout attribute with value 0.

      By default, when the RADIUS server delivers the Session-Timeout attribute with value 0, this attribute does not take effect.

    11. Run quit

      Return to the system view.

    12. (Optional) Run aaa-authen-bypass enable time time-value

      The bypass authentication timeout interval is configured.

      By default, the bypass authentication function is disabled.

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.

      By default, the accounting scheme named default is available on the device. This scheme can only be modified, but cannot be deleted.

    4. Run accounting-mode radius

      The accounting mode is set to RADIUS.

      By default, the accounting mode is none.

    5. (Optional) Configure policies for accounting failures.

      • Configure a policy for accounting-start failures.

        Run accounting start-fail { offline | online }

        A policy for accounting-start failures is configured.

        By default, users cannot go online if accounting-start fails.

      • Configure a policy for real-time accounting failures.

        1. Run accounting realtime interval

          The real-time accounting function is enabled, and the interval for real-time accounting is configured.

          By default, the device performs accounting based on the user online duration, and the real-time accounting function is disabled.

        2. Run accounting interim-fail [ max-times times ] { offline | online }

          The maximum number of real-time accounting failures and a policy used after the number of real-time accounting failures exceeds the maximum are configured.

          By default, the maximum number of real-time accounting failures is 3, and the device keeps users online after the number of real-time accounting failures exceeds the maximum.

      • Configure a policy for accounting-stop failures.

        1. Run quit

          Return to the AAA view.

        2. Run quit

          Return to the system view.

        3. Run radius-server template template-name

          The RADIUS server template view is displayed.

        4. Run radius-server accounting-stop-packet resend [ resend-times ]

          Retransmission of accounting-stop packets is enabled, and the number of accounting-stop packets that can be retransmitted each time is configured. Accounting-stop packets close the session record on the server, so retransmitting them when the server does not answer keeps the accounting log from showing sessions that never ended.

          By default, retransmission of accounting-stop packets is enabled and the retransmission count is 3.

    6. (Optional) Run quit

      Return to the system view.

    7. (Optional) Run authentication-profile name authentication-profile-name

      The authentication profile view is displayed.

      By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

      NOTE:

      Only the NAC unified mode supports this command.

    8. (Optional) Run authentication { update-info-accounting | update-ip-accounting } * enable

      The device is configured to send accounting packets upon terminal information updating and address updating.

      By default, the device sends accounting packets upon terminal information updating and address updating.

      NOTE:

      Only the NAC unified mode supports this command.
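The two procedures above (authentication scheme, then accounting scheme) configured end to end, as an added example that is not part of the Huawei document. It puts RADIUS first with a case-sensitive local fallback for server outages, switches SSH administrator logins to CHAP, tightens the account-locking thresholds, and refuses sessions whose accounting-start fails. The scheme names auth-radius and acct-radius, the RADIUS template name rd-corp, the management host 10.0.0.5, and the threshold values are assumptions chosen for this example; radius-reject local is deliberately left at its default so that an Access-Reject still ends the login.

```text
# Added example; names, addresses and thresholds below are assumed, not from the document.
system-view
 aaa
  authentication-scheme auth-radius
   authentication-mode radius local-case
   authentication-super radius super
   authentication-type radius chap access-type admin ssh
   quit
  remote-aaa-user authen-fail retry-interval 5 retry-time 5 block-time 30
  aaa-quiet administrator except-list 10.0.0.5
  accounting-scheme acct-radius
   accounting-mode radius
   accounting start-fail offline
   accounting realtime 15
   accounting interim-fail max-times 3 offline
   quit
  quit
 radius-server template rd-corp
  radius-server accounting-stop-packet resend 3
  quit
 display authentication-scheme auth-radius
 display accounting-scheme acct-radius
```

The local-case fallback is reached only when rd-corp does not respond, so a rejected password is still rejected; five consecutive failures within five minutes lock the account for thirty minutes, and only the host 10.0.0.5 is exempt from that lock. With start-fail offline and interim-fail offline, a user whose session the RADIUS server cannot account for is not kept on the network, which trades availability for a complete audit trail; choose online instead only where loss of accounting records is acceptable. The two display commands at the end are the checks from the Verifying the Configuration section.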

Verifying the Configuration

  • Run the display authentication-scheme [ authentication-scheme-name ] command to view the authentication scheme configuration.
  • Run the display accounting-scheme [ accounting-scheme-name ] command to view the accounting scheme configuration.
Updated: 2019-04-20

Document ID: EDOC1100066170