Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Configuring a RADIUS Server Group

Context

In a RADIUS server group, you must specify the IP address, port number, and shared key of each RADIUS server in the group. Other settings, such as the RADIUS user name format and the number of times RADIUS request packets are retransmitted, have default values and can be changed based on network requirements.

The RADIUS server group settings such as the RADIUS user name format and shared key must be the same as those on the RADIUS server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius enable

    The RADIUS function is enabled.

    By default, the RADIUS function is disabled.

  3. (Optional) Run radius server { dead-count dead-count [ fail-rate fail-rate-value ] | dead-interval dead-interval | dead-time dead-time [ recover-count invalid ] } *

    The conditions under which a RADIUS server is marked Down and later retried (the Up/Down switching interval) are set.

    The default parameter settings are as follows:
    • dead-count: 10
    • dead-interval: 5 seconds
    • dead-time: 3 minutes
    That is, if a RADIUS server does not respond to 10 consecutive packets from the device within 5 seconds, the device considers the RADIUS server abnormal and tries to communicate with it again after 3 minutes.

  4. Run radius server group group-name

    A RADIUS server group is created and the RADIUS server group view is displayed.

  5. Run radius server { shared-key key-string | shared-key-cipher cipher-string }

    The shared key is set for RADIUS servers.

    By default, no shared key is set for RADIUS servers.

  6. Run any of the following commands to configure the primary RADIUS authentication server.
    • radius server authentication ip-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] *

    • radius server authentication ipv6-address port [ shared-key key-string | shared-key-cipher cipher-string ]

    • radius server authentication hostname hostname port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] *

    By default, no primary RADIUS authentication server is configured.

  7. (Optional) Run any of the following commands to configure the secondary RADIUS authentication server.
    • radius server authentication ip-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * secondary

    • radius server authentication ipv6-address port [ shared-key key-string | shared-key-cipher cipher-string ] secondary

    • radius server authentication hostname hostname port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * secondary

    By default, no secondary RADIUS authentication server is configured.

  8. Run any of the following commands to configure the primary RADIUS accounting server.
    • radius server accounting ip-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] *

    • radius server accounting ipv6-address port [ shared-key key-string | shared-key-cipher cipher-string ]

    • radius server accounting hostname hostname port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] *

    By default, no primary RADIUS accounting server is configured.

  9. (Optional) Run any of the following commands to configure the secondary RADIUS accounting server.
    • radius server accounting ip-address port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * secondary

    • radius server accounting ipv6-address port [ shared-key key-string | shared-key-cipher cipher-string ] secondary

    • radius server accounting hostname hostname port [ vpn-instance vpn-instance-name | source { interface-type interface-number | ip-address ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * secondary

    By default, no secondary RADIUS accounting server is configured.

  10. (Optional) Run radius server accounting retransmit retransmit-number timeout timeout-value

    The retransmission count and timeout period are set for RADIUS accounting request packets.

  11. (Optional) Run radius server authentication retransmit retransmit-number timeout timeout-value

    The retransmission count and timeout period are set for RADIUS authentication request packets.

  12. (Optional) Run radius server user-name domain-excluded

    Or run radius server user-name original

    The RADIUS user name format is specified.

    By default, the device encapsulates the domain name in the user name when sending RADIUS packets to a RADIUS server.

  13. (Optional) Run radius server { retransmit retry-times | timeout time-value } *

    The number of times that RADIUS request packets are retransmitted and the timeout period are set.

    The default number of retransmission times is 3 and the timeout period is 5 seconds.

  14. (Optional) Run radius server nas-ip-address ip-address

    The NAS IP address is specified for the RADIUS server group.

    By default, no NAS IP address is specified for a RADIUS server group. The IP address of the interface for sending packets is used as the NAS IP address.

  15. (Optional) Run radius server source interface interface-type interface-number

    The source interface used by the device to send RADIUS packets is specified.

    By default, the source interface used by the device to send RADIUS packets is not specified.

  16. (Optional) Run mode load-balance

    The working mode of RADIUS servers is changed from active/standby to load balancing.

    By default, the RADIUS servers in a RADIUS server group work in active/standby mode.

  17. (Optional) Configure RADIUS attributes.
    1. Run radius server attribute translate

      RADIUS attribute translation is enabled.

      By default, RADIUS attribute translation is disabled.

    2. Disable RADIUS attributes.

      • Run the radius attribute disable attribute-name { receive | send } * command to disable basic RADIUS attributes in request or response packets.
      • Run the radius attribute disable attribute-name { access-accept | access-request | account [ start ] } * command to disable basic RADIUS attributes in Access-Accept, Access-Request, or accounting packets.
      • Run the radius attribute disable attribute-name { bin string | integer integer | ip ip-address | string string } receive command to disable RADIUS attributes with the specified data type in response packets.

      By default, all RADIUS attributes are enabled.

  18. (Optional) Run radius attribute set attribute-name attribute-value

    RADIUS attribute values are set.

    By default, RADIUS attribute values remain unchanged.

  19. Run quit

    The system view is displayed.

  20. (Optional) Run radius server authorization ip-address [ vpn-instance vpn-instance-name ] { shared-key key-string | shared-key-cipher cipher-string } [ ack-reserved-interval interval ]

    Or run radius server authorization ipv6-address { shared-key key-string | shared-key-cipher cipher-string } [ ack-reserved-interval interval ]

    A RADIUS authorization server is configured.

    By default, no RADIUS authorization server is configured.

  21. Run commit

    The configuration is committed.
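The procedure above carried through as one CLI session, added here as an example that is not part of the Huawei document: it creates the group rd-grp1 with primary and secondary authentication and accounting servers, tightens dead-server detection so a failed server is taken out of rotation sooner, and pins the source interface so the server sees a stable NAS address. The device name, group name, the constructed server addresses 192.0.2.10 and 192.0.2.11 (RFC 5737 documentation range), the placeholder shared key, and the existence of interface LoopBack0 are all assumptions.

```text
<HUAWEI> system-view
[~HUAWEI] radius enable
[*HUAWEI] radius server dead-count 5 dead-interval 5 dead-time 2
[*HUAWEI] radius server group rd-grp1
[*HUAWEI-radius-rd-grp1] radius server shared-key-cipher YourSharedKey_Placeholder
[*HUAWEI-radius-rd-grp1] radius server authentication 192.0.2.10 1812
[*HUAWEI-radius-rd-grp1] radius server authentication 192.0.2.11 1812 secondary
[*HUAWEI-radius-rd-grp1] radius server accounting 192.0.2.10 1813
[*HUAWEI-radius-rd-grp1] radius server accounting 192.0.2.11 1813 secondary
[*HUAWEI-radius-rd-grp1] radius server retransmit 3 timeout 5
[*HUAWEI-radius-rd-grp1] radius server user-name domain-excluded
[*HUAWEI-radius-rd-grp1] radius server source interface loopback 0
[*HUAWEI-radius-rd-grp1] quit
[*HUAWEI] commit
[~HUAWEI]
```

The shared key given to shared-key-cipher and the user-name format (domain-excluded here) must match what is configured on the RADIUS servers, otherwise Access-Request packets fail the Message-Authenticator check or user lookups fail.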

Updated: 2019-04-20

Document ID: EDOC1100074765