Example for Configuring RADIUS Authentication and Accounting
Networking Requirements
As shown in Figure 1-19, users belong to the domain user. Switch functions as the network access server (NAS) of the destination network and grants users access only after a remote server has authenticated them. The remote authentication on Switch is as follows:
The RADIUS server performs authentication and accounting for access users.
The RADIUS servers at 10.7.66.66/24 and 10.7.66.67/24 function as the primary and secondary authentication and accounting servers, respectively. The default authentication port and accounting port are 1812 and 1813, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure a RADIUS server group.
- Configure an authentication scheme and an accounting scheme.
- Apply the RADIUS server group, authentication scheme, and accounting scheme to a domain.
- Ensure that there are reachable routes between Switch and the RADIUS server.
If the RADIUS server does not accept the user name containing the domain name, run the radius server user-name domain-excluded command in the RADIUS server template view to configure the device to send packets that do not contain the domain name to the RADIUS server.
After the domain user is configured as the global default administrative domain, a user whose user name either carries this domain name or carries no domain name at all uses the AAA configuration of that domain.
Procedure
- Configure a RADIUS server group.
# Configure a RADIUS group named shiva.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] radius enable
[*Switch] radius server group shiva
# Set the IP address and port numbers for the primary RADIUS authentication and accounting server.
[*Switch-radius-shiva] radius server authentication 10.7.66.66 1812
[*Switch-radius-shiva] radius server accounting 10.7.66.66 1813
# Set the IP address and port numbers for the secondary RADIUS authentication and accounting server.
[*Switch-radius-shiva] radius server authentication 10.7.66.67 1812 secondary
[*Switch-radius-shiva] radius server accounting 10.7.66.67 1813 secondary
# Set the shared key and retransmission count for the RADIUS server, and configure the device not to encapsulate the domain name in the user name when sending RADIUS packets to the RADIUS server.
Ensure that the shared key in the RADIUS server group is the same as that set on the RADIUS server.
[*Switch-radius-shiva] radius server shared-key-cipher Huawei@2012
[*Switch-radius-shiva] radius server retransmit 2
[*Switch-radius-shiva] radius server user-name domain-excluded
[*Switch-radius-shiva] commit
[~Switch-radius-shiva] quit
- Configure authentication and accounting schemes.
# Create an authentication scheme named auth, and configure the authentication scheme to use the RADIUS authentication mode.
[~Switch] aaa
[~Switch-aaa] authentication-scheme auth
[*Switch-aaa-authen-auth] authentication-mode radius
[*Switch-aaa-authen-auth] commit
[~Switch-aaa-authen-auth] quit
# Create an accounting scheme named abc, and configure the accounting scheme to use the RADIUS accounting mode.
[~Switch-aaa] accounting-scheme abc
[*Switch-aaa-accounting-abc] accounting-mode radius
[*Switch-aaa-accounting-abc] commit
[~Switch-aaa-accounting-abc] quit
- Create a domain named user, and apply the authentication scheme auth, accounting scheme abc, and RADIUS server group shiva to the domain.
[~Switch-aaa] domain user
[*Switch-aaa-domain-user] authentication-scheme auth
[*Switch-aaa-domain-user] accounting-scheme abc
[*Switch-aaa-domain-user] radius server group shiva
[*Switch-aaa-domain-user] commit
[~Switch-aaa-domain-user] quit
- Configure user as the global default administrative domain.
[~Switch-aaa] default-domain admin user
[*Switch-aaa] commit
[~Switch-aaa] quit
[~Switch] quit
- Verify the configuration.
# Run the display radius server configuration group command on Switch to verify the RADIUS server group configuration.
<Switch> display radius server configuration group shiva
-----------------------------------------------------------------------------
  Server group name               : shiva
  Protocol version                : standard
  Shared secret key               : ****************
  Timeout interval(in second)     : 5
  Primary authentication server   : 10.7.66.66-1812:-:-:-
  Primary accounting server       : 10.7.66.66-1813:-:-:-
  Secondary authentication server : 10.7.66.67-1812:-:-:-
  Secondary accounting server     : 10.7.66.67-1813:-:-:-
  Retransmission                  : 2
  Domain included                 : YES
  Mode                            : Pri-secondary
-----------------------------------------------------------------------------
Configuration Files
Switch configuration file
#
sysname Switch
#
radius server group shiva
 radius server shared-key-cipher %^%#!{{K=Y2lo>*\L5A=e}P%vBhqTJbsQ3$S^9<bb`i8%^%#
 radius server authentication 10.7.66.66 1812
 radius server authentication 10.7.66.67 1812 secondary
 radius server accounting 10.7.66.66 1813
 radius server accounting 10.7.66.67 1813 secondary
 radius server retransmit 2
 radius server user-name domain-excluded
#
aaa
 default-domain admin user
 authentication-scheme auth
  authentication-mode radius
 #
 accounting-scheme abc
  accounting-mode radius
 #
 domain default
 #
 domain default_admin
 #
 domain user
  authentication-scheme auth
  accounting-scheme abc
  radius server group shiva
#
return