S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the configuration of user access and authentication, including AAA, NAC, and Policy Association.

(Optional) Configuring RADIUS Attributes

Disabling or Translating RADIUS Attributes

Context

RADIUS attributes supported by different vendors are incompatible with each other, so RADIUS attributes must be disabled or translated in interoperation and replacement scenarios.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Run radius-server attribute translate

    The RADIUS attribute disabling and translation functions are enabled.

    By default, the RADIUS attribute disabling and translation functions are disabled.

  4. Run radius-attribute disable attribute-name { receive | send } *

    A RADIUS attribute is disabled.

    By default, no RADIUS attribute is disabled.

  5. Configure the RADIUS attribute to be translated.

    • radius-attribute translate src-attribute-name dest-attribute-name { receive | send | access-accept | access-request | account-request | account-response } *
    • radius-attribute translate extend vendor-specific src-vendor-id src-sub-id dest-attribute-name { access-accept | account-response } *
    • radius-attribute translate extend src-attribute-name vendor-specific dest-vendor-id dest-sub-id { access-request | account-request } *

    By default, no RADIUS attribute is translated.

Verifying the Configuration
  • Run the display radius-attribute [ name attribute-name | type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 | dslforum attribute-number4 } ] command to check the RADIUS attributes supported by the device.
  • Run the display radius-attribute [ template template-name ] disable command to check the disabled RADIUS attributes.
  • Run the display radius-attribute [ template template-name ] translate command to check the RADIUS attribute translation configuration.

Configuring the RADIUS Attribute Check Function

Context

After the RADIUS attribute check function is configured, the device checks whether the received RADIUS Access-Accept packets contain the specified attributes. If so, the device considers that authentication is successful; if not, the device considers that authentication fails and discards the packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Run radius-attribute check attribute-name

    The device is configured to check whether the received RADIUS Access-Accept packets contain the specified attribute.

    By default, the device does not check whether RADIUS Access-Accept packets contain the specified attribute.

Modifying the Value of a RADIUS Attribute

Context

The value of the same RADIUS attribute may vary on RADIUS servers from different vendors. Therefore, RADIUS attribute values need to be modified, so that a Huawei device can successfully communicate with a third-party RADIUS server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Run radius-attribute set attribute-name attribute-value [ auth-type mac | user-type ipsession ]

    The value of a RADIUS attribute is modified.

    By default, values of RADIUS attributes are not modified.

Configuring Standard RADIUS Attributes

Context

For details about RADIUS attributes supported by the device, see RADIUS Attributes. The content or format of some standard RADIUS attributes can be configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Configure standard RADIUS attributes.

    • Configure RADIUS attribute 4 (NAS-IP-Address) or 95 (NAS-IPv6-Address).

      • Run radius-attribute nas-ip ip-address

        RADIUS attribute 4 (NAS-IP-Address) is configured.

        By default, the source IP address of the NAS is the value of the NAS-IP-Address attribute.

      • Run radius-attribute nas-ipv6 ipv6-address

        RADIUS attribute 95 (NAS-IPv6-Address) is configured.

        By default, the NAS-IPv6-Address attribute is not configured.

    • Configure RADIUS attribute 5 (NAS-Port).

      1. Run radius-server nas-port-format { new | old }

        The format of the NAS port is configured.

        By default, the new NAS port format is used.

        When the new NAS port format is used, you can perform the following operation to configure the specific format.

      2. Run radius-server format-attribute nas-port nas-port-sting

        The new NAS port format is configured.

        By default, the default new NAS port format is used.

    • Configure RADIUS attribute 30 (Called-Station-Id).

      1. Run called-station-id mac-format { dot-split | hyphen-split } [ mode1 | mode2 ] [ lowercase | uppercase ]

        Or run called-station-id mac-format unformatted [ lowercase | uppercase ]

        The encapsulation format of the MAC address in the Called-Station-Id (30) attribute is configured.

        By default, the MAC address format in the Called-Station-Id (30) attribute is XX-XX-XX-XX-XX-XX, in uppercase.

    • Configure RADIUS attribute 31 (Calling-Station-Id).

      Run calling-station-id mac-format { dot-split | hyphen-split | colon-split } [ mode1 | mode2 ] [ lowercase | uppercase ]

      Or run calling-station-id mac-format { unformatted [ lowercase | uppercase ] | bin }

      The encapsulation format of the MAC address in the Calling-Station-Id (31) attribute is configured.

      By default, the MAC address format in the Calling-Station-Id (31) attribute is xxxx-xxxx-xxxx, in lowercase.

    • Configure RADIUS attribute 32 (NAS-Identifier).

      Run radius-server nas-identifier-format { hostname | vlan-id }

      The encapsulation format of the NAS-Identifier attribute is configured.

      By default, the NAS-Identifier encapsulation format is the user's hostname.

    • Configure RADIUS attribute 80 (Message-Authenticator).

      Run radius-server attribute message-authenticator access-request

      The device is configured to carry RADIUS attribute 80 (Message-Authenticator) in RADIUS authentication packets.

      By default, the device does not carry RADIUS attribute 80 (Message-Authenticator) in RADIUS authentication packets.

    • Configure RADIUS attribute 87 (NAS-Port-Id).

      Run radius-server nas-port-id-format { new [ client-option82 ] | old | vendor vendor-id }

      The format of the NAS-Port-Id attribute is configured.

      By default, the new format of the NAS-Port-Id attribute is used.

    • Configure RADIUS attribute 89 (Chargeable-User-Identity).

      Run radius-server support chargeable-user-identity [ not-reject ]

      The device is configured to support the CUI attribute.

      By default, the device does not support the CUI attribute.

Configuring Huawei Proprietary RADIUS Attributes

Context

For details about RADIUS attributes supported by the device, see RADIUS Attributes. The content or format of some Huawei proprietary RADIUS attributes can be configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server template template-name

    The RADIUS server template view is displayed.

    By default, the RADIUS server template named default is available on the device. This template can only be modified, but cannot be deleted.

  3. Configure Huawei proprietary RADIUS attributes.

    • Run radius-server hw-dhcp-option-format { new | old }

      The format of Huawei proprietary attribute 26-158 (HW-DHCP-Option) is configured.

      By default, the format of Huawei proprietary attribute 26-158 (HW-DHCP-Option) is old.

Updated: 2019-04-20

Document ID: EDOC1100066170
