S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the configuration of user access and authentication, including AAA, NAC, and Policy Association.
Configuring the RADIUS CoA or DM Function

Context

The device supports the RADIUS CoA and DM functions. CoA provides a mechanism to change the rights of online users, and DM provides a mechanism to forcibly disconnect users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure an authorization server.

    • Configure a RADIUS authorization server.

      Command: radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name shared-key cipher key-string | shared-key cipher key-string [ server-group group-name ] } [ protect enable ]

      Remarks: By default, no RADIUS authorization server is configured.

    • Configure the port number of the RADIUS authorization server.

      Command: radius-server authorization port port-id

      Remarks: By default, the port number of the RADIUS authorization server is 3799.

  3. (Optional) Run radius-server authorization match-type { any | all }

    The device is configured to match RADIUS attributes in the received CoA or DM Request packets against user information on the device.

    By default, a device matches RADIUS attributes in the received CoA or DM Request packets against user information on the device in any mode. That is, the device matches an attribute with a high priority in a Request packet against user information on the device.

  4. (Optional) Run authorization-info check-fail policy { online | offline }

    The policy to be enforced after the authorization information check fails is configured.

    By default, the device allows users to go online after the authorization information check fails.

  5. (Optional) Run radius-server session-manage { ip-address [ vpn-instance vpn-instance-name ] shared-key cipher share-key | any }

    Session management is enabled for the RADIUS server.

    By default, session management is disabled for the RADIUS server.

  6. (Optional) Configure the format of a RADIUS attribute to be parsed.

    • Run radius-server authorization calling-station-id decode-mac-format { bin | ascii { unformatted | { dot-split | hyphen-split } [ common | compress ] } }

      The MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets is configured.

      By default, the MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets is xxxxxxxxxxxx, in lowercase.

    • Run radius-server authorization attribute-decode-sameastemplate

      The device is configured to parse the MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets based on RADIUS server template configurations.

      By default, the device is not configured to parse RADIUS attribute 31 in RADIUS CoA or DM packets based on RADIUS server template configurations.

      In a RADIUS server template, the MAC address format in RADIUS attribute 31 (Calling-Station-Id) is configured using the calling-station-id mac-format command.

  7. (Optional) Configure the format of a RADIUS attribute to be encapsulated.

    Run radius-server authorization attribute-encode-sameastemplate

    The device is configured to encapsulate the attributes in RADIUS CoA or DM Response packets based on RADIUS server template configurations.

    By default, the device is not configured to encapsulate the attributes in RADIUS CoA or DM Response packets based on RADIUS server template configurations.

    Table 1-34 lists the RADIUS attributes that can be configured in this step.

    Table 1-34  Supported RADIUS attributes

    | RADIUS Attribute | Description | Command for Configuring the Attribute in a RADIUS Server Template |
    |---|---|---|
    | RADIUS attribute 1 (User-Name) | User name | radius-server user-name domain-included |
    | RADIUS attribute 4 (NAS-IP-Address) | NAS IP address | radius-attribute nas-ip |
    | RADIUS attribute 31 (Calling-Station-Id) | MAC address format | calling-station-id mac-format |

  8. (Optional) Configure the device to ignore the authorization attribute in a CoA packet that indicates that the port goes Down intermittently or is disabled.

    • Run radius-server authorization hw-ext-specific command bounce-port disable

      The device is configured to ignore the authorization attribute in a CoA packet indicating that the port goes Down intermittently.

    • Run radius-server authorization hw-ext-specific command down-port disable

      The device is configured to ignore the authorization attribute in a CoA packet indicating that the port is disabled.

    By default, the device supports the authorization attributes indicating that the port goes Down intermittently or is disabled in CoA packets.

  9. (Optional) Configure the update mode of user authorization information.

    1. Run aaa

      The AAA view is displayed.

    2. Run authorization-modify mode { modify | overlay }

      The update mode of user authorization information delivered by the authorization server is configured.

      By default, the update mode of user authorization information delivered by the authorization server is overlay.

Verifying the Configuration

Run the display radius-server authorization configuration command to check the RADIUS authorization server configuration.
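
The shared key set in step 2 is what authenticates CoA and DM Requests arriving on the authorization port. The following added example (not Huawei code and not part of the original guide) shows the receiver-side check defined in RFC 5176: the Request Authenticator is recomputed as MD5 over the packet with the shared secret and compared before any attribute is acted on. The function names, the secret, the user name and the MAC value are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 5176 codes for the two request types a NAS accepts on UDP port 3799.
CODES = {40: "Disconnect-Request", 43: "CoA-Request"}


def request_authenticator(packet: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()


def build_request(code: int, ident: int, attrs: dict, secret: bytes) -> bytes:
    """Build a constructed sample request; used here only to feed the verifier."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs.items())
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + request_authenticator(header + bytes(16) + body, secret) + body


def parse_attributes(body: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(body):
        # Each attribute is Type (1 octet), Length (1 octet, >= 2), Value.
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[i]] = body[i + 2 : i + body[i + 1]]
        i += body[i + 1]
    return attrs


def verify_request(packet: bytes, secret: bytes) -> dict:
    """Return the parsed request if it authenticates, else raise ValueError."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES or length != len(packet):
        raise ValueError("not a well-formed CoA or DM Request")
    if not hmac.compare_digest(packet[4:20], request_authenticator(packet, secret)):
        raise ValueError("authenticator mismatch: wrong shared key or altered packet")
    return {"type": CODES[code], "id": ident, "attrs": parse_attributes(packet[20:])}


# Constructed sample: a DM Request carrying User-Name (1) and Calling-Station-Id (31).
SECRET = b"constructed-shared-key"  # stands in for key-string
SAMPLE = build_request(40, 7, {1: b"alice", 31: b"001122aabbcc"}, SECRET)
```

A request built with a different key, or altered after it was signed, fails the comparison and is rejected before its attributes are parsed.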

Updated: 2019-04-20

Document ID: EDOC1100066170