Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Example for Configuring RADIUS Authentication and Accounting

Networking Requirements

As shown in Figure 1-19, users belong to the domain huawei. Switch functions as the network access server of the destination network, providing access to users only after they are remotely authenticated by the server. The remote authentication on Switch is described as follows:

  • The RADIUS server performs authentication and accounting for access users.

  • The RADIUS servers at 10.7.66.66/24 and 10.7.66.67/24 function as the primary and secondary authentication and accounting servers, respectively. The default authentication port and accounting port are 1812 and 1813, respectively.

Figure 1-19 Networking diagram of RADIUS authentication and accounting

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a RADIUS server group.
  2. Configure an authentication scheme and an accounting scheme.
  3. Apply the RADIUS server group, authentication scheme, and accounting scheme to a domain.

NOTE:

Ensure that there are reachable routes between Switch and the RADIUS server.

Procedure

  1. Configure a RADIUS server group.

    # Configure a RADIUS group named shiva.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] radius enable
    [*Switch] radius server group shiva

    # Set the IP address and port numbers for the primary RADIUS authentication and accounting server.

    [*Switch-radius-shiva] radius server authentication 10.7.66.66 1812 
    [*Switch-radius-shiva] radius server accounting 10.7.66.66 1813 

    # Set the IP address and port numbers for the secondary RADIUS authentication and accounting server.

    [*Switch-radius-shiva] radius server authentication 10.7.66.67 1812 secondary
    [*Switch-radius-shiva] radius server accounting 10.7.66.67 1813 secondary

    # Set the shared key and retransmission count for the RADIUS server.

    NOTE:

    Ensure that the shared key in the RADIUS server group is the same as that set on the RADIUS server.

    [*Switch-radius-shiva] radius server shared-key-cipher Huawei@2012
    [*Switch-radius-shiva] radius server retransmit 2
    [*Switch-radius-shiva] commit
    [~Switch-radius-shiva] quit

  2. Configure authentication and accounting schemes.

    # Create an authentication scheme named auth, and configure the authentication scheme to use the RADIUS authentication mode.

    [~Switch] aaa
    [~Switch-aaa] authentication-scheme auth
    [*Switch-aaa-authen-auth] authentication-mode radius
    [*Switch-aaa-authen-auth] commit
    [~Switch-aaa-authen-auth] quit

    # Create an accounting scheme named abc, and configure the accounting scheme to use the RADIUS accounting mode.

    [~Switch-aaa] accounting-scheme abc
    [*Switch-aaa-accounting-abc] accounting-mode radius
    [*Switch-aaa-accounting-abc] commit
    [~Switch-aaa-accounting-abc] quit

  3. Create a domain named huawei, and apply the authentication scheme auth, accounting scheme abc, and RADIUS server group shiva to the domain.

    [~Switch-aaa] domain huawei
    [*Switch-aaa-domain-huawei] authentication-scheme auth
    [*Switch-aaa-domain-huawei] accounting-scheme abc
    [*Switch-aaa-domain-huawei] radius server group shiva
    [*Switch-aaa-domain-huawei] commit
    [~Switch-aaa-domain-huawei] quit
    [~Switch-aaa] quit
    [~Switch] quit

  4. Verify the configuration.

    # Run the display radius server configuration group command on Switch to verify the RADIUS server group configuration.

    <Switch> display radius server configuration group shiva
    -----------------------------------------------------------------------------   
    Server group name                   :  shiva                                    
    Protocol version                    :  standard                                 
    Shared secret key                   :  ****************                         
    Timeout interval(in second)         :  5                                        
    Primary authentication server       :  10.7.66.66-1812:-:-:-                   
    Primary accounting server           :  10.7.66.66-1813:-:-:-                   
    Secondary authentication server     :  10.7.66.67-1812:-:-:-                   
    Secondary accounting server         :  10.7.66.67-1813:-:-:-                   
    Retransmission                      :  2                                        
    Domain included                     :  YES                                      
    Mode                                :  Pri-secondary                            
    -----------------------------------------------------------------------------   

Configuration Files

Switch configuration file

#
sysname Switch
#                                                                               
radius server group shiva                                                    
 radius server shared-key-cipher %^%#!{{K=Y2lo>*\L5A=e}P%vBhqTJbsQ3$S^9<bb`i8%^%# 
 radius server authentication 10.7.66.66 1812                                  
 radius server authentication 10.7.66.67 1812 secondary                        
 radius server accounting 10.7.66.66 1813                                      
 radius server accounting 10.7.66.67 1813 secondary                            
 radius server retransmit 2                                                     
# 
aaa
 authentication-scheme auth
  authentication-mode radius
 # 
 accounting-scheme abc
  accounting-mode radius
 # 
 domain default     
 # 
 domain default_admin 
 # 
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius server group shiva
#
return
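
The procedure and configuration file above can be checked offline before deployment. The following is an added example, not part of the original guide: it parses a saved configuration in the layout shown above and reports whether a domain is bound to RADIUS authentication and accounting schemes and to a server group with a shared key and primary and secondary servers. The helper names `parse` and `audit` are hypothetical, the parser assumes one leading space per nesting level as in the file above, and the sample text is constructed with a placeholder in place of the ciphertext.

```python
# Constructed sample modelled on the page's file; the key is a placeholder.
SAMPLE = """\
radius server group shiva
 radius server shared-key-cipher <ciphertext-placeholder>
 radius server authentication 10.7.66.66 1812
 radius server authentication 10.7.66.67 1812 secondary
 radius server accounting 10.7.66.66 1813
 radius server accounting 10.7.66.67 1813 secondary
#
aaa
 authentication-scheme auth
  authentication-mode radius
 #
 accounting-scheme abc
  accounting-mode radius
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius server group shiva
"""

def parse(text):
    """Hypothetical helper: index nested lines by parent path (one space per level)."""
    tree, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line not in ("", "#", "return"):
            stack = stack[:len(raw) - len(raw.lstrip(" "))] + [line]
            tree.setdefault(" > ".join(stack[:-1]), []).append(line)
    return tree

def audit(text, domain):
    """Hypothetical helper: list AAA/RADIUS binding gaps for one domain."""
    tree, out = parse(text), []
    body = tree.get(f"aaa > domain {domain}", [])
    for kind in ("authentication", "accounting"):
        ref = next((l for l in body if l.startswith(f"{kind}-scheme ")), None)
        if f"{kind}-mode radius" not in tree.get(f"aaa > {ref}", []):
            out.append(f"domain {domain}: no {kind}-scheme using RADIUS")
    grp = next((l for l in body if l.startswith("radius server group ")), None)
    cfg = tree.get(grp, [])
    if not any(l.startswith("radius server shared-key-cipher ") for l in cfg):
        out.append(f"domain {domain}: server group has no shared-key-cipher")
    for kind in ("authentication", "accounting"):
        roles = {"secondary" if l.endswith(" secondary") else "primary"
                 for l in cfg if l.startswith(f"radius server {kind} ")}
        out += [f"domain {domain}: no {r} {kind} server"
                for r in ("primary", "secondary") if r not in roles]
    return out
```

An empty list from `audit(text, "huawei")` means every binding configured in steps 1 to 3 is present in the saved file; each string returned names one missing piece.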
Updated: 2019-04-20

Document ID: EDOC1100074765
