NetEngine AR1000V V300R022 Command Reference

RADIUS Configuration Commands

Support for RADIUS Feature Name
called-station-id mac-format
calling-station-id mac-format
display radius-attribute
display radius-attribute check
display radius-attribute disable
display radius-attribute translate
display radius-server accounting-stop-packet
display radius-server authorization configuration
display radius-server configuration
display radius-server dead-interval dead-countdetect-cycle
display radius-server session-manage configuration
display radius-server item
display radius-server max-unresponsive-interval
display snmp-agent trap feature-name radius all
radius-attribute check
radius-attribute cut hw-portal-url
radius-attribute encap optimize
radius-attribute disable
radius-attribute nas-ip
radius-attribute nas-ipv6
radius-attribute set
radius-attribute service-type with-authenonly-reauthen
radius-attribute translate
radius-reject local
radius-server (aaa domain view)
radius-server accounting
radius-server accounting-stop-packet resend
radius-server algorithm
radius-server attribute message-authenticator access-request
radius-server attribute translate
radius-server authentication
radius-server authorization
radius-server authorization server-source
radius-server authorization attribute-decode-sameastemplate
radius-server authorization attribute-encode-sameastemplate
radius-server authorization calling-station-id decode-mac-format
radius-server authorization match-type
radius-server dead-interval dead-countdetect-cycle
radius-server detect-server interval
radius-server detect-server timeout
radius-server detect-server up-server interval
radius-server format-attribute
radius-server framed-ip-address no-user-ip enable
radius-server hw-ap-info-format include-ap-ip
radius-server max-unresponsive-interval
radius-server nas-identifier-format
radius-server nas-port-format
radius-server nas-port-id-format
radius-server retransmit timeout
radius-server dead-time
radius-server session-manage
radius-server session-manage server-source
radius-server shared-key (RADIUS server template view)
radius-server shared-key (system view)
radius-server support chargeable-user-identity
radius-server template
radius-server testuser
radius-server traffic-unit
radius-server user-name domain-included
reset radius-server accounting-stop-packet
snmp-agent trap enable feature-name radius
test-aaa
radius-server dead-detect-condition by-server-ip

Support for RADIUS Feature Name

Hardware Requirements

This section is applicable to all models. For details about differences for specific models, see the description in the corresponding section.

called-station-id mac-format

Function

The called-station-id mac-format command sets the encapsulation format of the MAC address in the called-station-id (Type 30) attribute of RADIUS packets.

The undo called-station-id mac-format command restores the default encapsulation format of the MAC address in the called-station-id attribute of RADIUS packets.

By default, the encapsulation format of the MAC address in the called-station-id attribute of RADIUS packets is XX-XX-XX-XX-XX-XX, in uppercase.

Format

called-station-id mac-format { dot-split | hyphen-split | colon-split} [ mode1 | mode2 ] [ lowercase | uppercase ]

called-station-id mac-format unformatted [ lowercase | uppercase ]

undo called-station-id mac-format

Parameters

Parameter	Description	Value
dot-split	Indicates that the dot (.) is used as the separator in a MAC address.	-
hyphen-split	Indicates that the hyphen (-) is used as the separator in a MAC address.	-
colon-split	Indicates that the colon (:) is used as the separator in a MAC address.	-
unformatted	Indicates that no separator is used in a MAC address.	-
mode1	Indicates that the MAC address in the calling-station-id attribute uses the XXXX-XXXX-XXXX, XXXX:XXXX:XXXX, or XXXX.XXXX.XXXX format.	-
mode2	Indicates that the MAC address in the calling-station-id attribute uses the XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX, or XX.XX.XX.XX.XX.XX format.	-
lowercase	Indicates that the MAC address in the called-station-id attribute uses the lowercase.	-
uppercase	Indicates that the MAC address in the called-station-id attribute uses the uppercase.	-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

The Called-station-id (Type 30) attribute indicates the MAC address and SSID of an AP. The default format of the MAC address in the called-station-id attribute of RADIUS packets from the device is XX-XX-XX-XX-XX-XX. If the RADIUS server does not support the default format, run the called-station-id mac-format command to change the format.

Example

# Set the dot as the separator in a MAC address and the encapsulation format of the MAC address in the called-station-id attribute to XX.XX.XX.XX.XX.XX in uppercase.

<Huawei> system-view
[Huawei] radius-server template test
[Huawei-radius-test] called-station-id mac-format dot-split mode2 uppercase

calling-station-id mac-format

Function

The calling-station-id mac-format command sets the encapsulation format of the MAC address in the calling-station-id (Type 31) attribute of RADIUS packets.

The undo calling-station-id mac-format command restores the default encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets.

By default, the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets is xxxx-xxxx-xxxx, in lowercase.

Format

calling-station-id mac-format { dot-split | hyphen-split | colon-split } [ mode1 | mode2 ] [ lowercase | uppercase ]

calling-station-id mac-format unformatted [ lowercase | uppercase ]

calling-station-id mac-format bin

undo calling-station-id mac-format

Parameters

Parameter	Description	Value
dot-split	Indicates that the dot (.) is used as the separator in a MAC address.	-
hyphen-split	Indicates that the hyphen (-) is used as the separator in a MAC address.	-
colon-split	Indicates that the colon (:) is used as the separator in a MAC address.	-
unformatted	Indicates that no separator is used in a MAC address.	-
mode1	Indicates that the MAC address in the calling-station-id attribute uses the XXXX-XXXX-XXXX, XXXX:XXXX:XXXX, or XXXX.XXXX.XXXX format.	-
mode2	Indicates that the MAC address in the calling-station-id attribute uses the XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX, or XX.XX.XX.XX.XX.XX format.	-
lowercase	Indicates that the MAC address in the calling-station-id attribute uses the lowercase.	-
uppercase	Indicates that the MAC address in the calling-station-id attribute uses the uppercase.	-
bin	Indicates that the MAC address in the calling-station-id attribute uses the binary form.	-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

The default format of the MAC address in the calling-station-id (Type 31) attribute of RADIUS packets from the device is xxxx-xxxx-xxxx. If the RADIUS server does not support the default format, run the calling-station-id mac-format command to change the format.

Example

# Set the dot as the separator in a MAC address and the encapsulation format of the MAC address in the calling-station-id attribute to XX.XX.XX.XX.XX.XX in uppercase.

<Huawei> system-view
[Huawei] radius-server template test
[Huawei-radius-test] calling-station-id mac-format dot-split mode2 uppercase

display radius-attribute

Function

The display radius-attribute command displays the RADIUS attributes supported by the device.

Format

display radius-attribute [ name attribute-name | type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 | dslforum attribute-number4 } ]

Parameters

Parameter	Description	Value
name attribute-name	Displays a specified RADIUS attribute.	The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.
type { attribute-number1 \| huawei attribute-number2 \| microsoft attribute-number3 \| dslforum attribute-number4 }	Displays the RADIUS attribute of a specified type: attribute-number1 specifies the standard attribute. huawei attribute-number2 specifies a Huawei attribute. microsoft attribute-number3 specifies a Microsoft attribute. dslforum attribute-number4 specifies a Digital Subscriber Line Forum attribute.	The value of attribute-number1, attribute-number2, attribute-number3, or attribute-number4 is an integer that ranges from 1 to 2048.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Before connecting the device to a RADIUS server, run the display radius-attribute command to view the RADIUS attributes supported by the device. If the device and RADIUS server support different RADIUS attributes according to the command output, run the radius-attribute disable command on the device to disable RADIUS attributes that are not supported by the RADIUS server or run the radius-attribute translate command to translate RADIUS attributes.

Example

# Display the RADIUS attributes supported by the device.

<Huawei> display radius-attribute
  Codes: Auth(Authentication), Acct(Accounting)
         Req(Request), Accp(Accept), Rej(Reject)
         Resp(Response), COA(Change-of-Authorization)
         0(Can not exist in this packet)
         1(Can exist in this packet)
--------------------------------------------------------------------------------
Attribute                       Service    Auth Auth Auth Acct Acct COA COA
Name(Type)                       Type      Req  Accp Rej  Req  Resp Req Ack
--------------------------------------------------------------------------------
User-Name(1)                     All       1    0    0    1    0    1    1
User-Password(2)                 All       1    0    0    0    0    0    0
CHAP-Password(3)                 All       1    0    0    0    0    0    0
NAS-IP-Address(4)                All       1    0    0    1    0    1    1
NAS-Port(5)                      All       1    0    0    1    0    1    1
Service-Type(6)                  All       1    1    0    0    0    0    0
......

The preceding information is an example. The displayed attribute type depends on the actual situation.

Table 16-21 Description of the display radius-attribute command output

Item	Description
0(Can not exist in this packet)	Attribute not supported in packets.
1(Can exist in this packet)	Attribute supported in packets.
Attribute Name(Type)	Attribute name and type.
Service Type	Protocol type of the attribute.
Auth Req	Authentication request packet.
Auth Accp	Authentication accept packet.
Auth Rej	Authentication reject packet.
Acct Req	Accounting request packet.
Acct Resp	Accounting response packet.
COA Req	Change of Authorization (COA) request packet.
COA Ack	COA acknowledgement packet.

# Display the RADIUS attribute numbered 2.

<Huawei> display radius-attribute type 2
 Radius Attribute Type        : 2
 Radius Attribute Name        : User-Password
 Radius Attribute Description : This Attribute indicates the password of the user to be authenticated. Only valid for the PAP authentication.
 Supported Packets            : Auth Request

Table 16-22 Description of the display radius-attribute type command output

Item	Description
Radius Attribute Type	Type of the RADIUS attribute.
Radius Attribute Name	Name of the RADIUS attribute.
Radius Attribute Description	Description of the RADIUS attribute.
Supported Packets	Packets that support the RADIUS attribute.

display radius-attribute check

Function

The display radius-attribute check command displays the attributes to be checked in RADIUS Access-Accept packets.

Format

display radius-attribute [ template template-name ] check

Parameters

Parameter	Description	Value
template template-name	Displays the RADIUS attribute check configuration of a specified RADIUS server template.	The RADIUS server template must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the radius-attribute check command is executed to configure the attributes to be checked in RADIUS Access-Accept packets, you can use the display radius-attribute check command to view these attributes.

Example

# Check the attributes to be checked in RADIUS Access-Accept packets.

<Huawei> display radius-attribute check
Server-template-name: test1                                                     
--------------------------------------------------                              
check-attr                                                                      
--------------------------------------------------                              
Framed-Protocol                                                                 
--------------------------------------------------

Table 16-23 Description of the display radius-attribute check command output

Item	Description
Server-template-name	Name of the RADIUS server template.
check-attr	Attributes to be checked in RADIUS Access-Accept packets.
Framed-Protocol	Encapsulation protocol for services of the Frame type.

display radius-attribute disable

Function

The display radius-attribute disable command displays the disabled RADIUS attributes.

Format

display radius-attribute [ template template-name ] disable

Parameters

Parameter	Description	Value
template template-name	Displays the disabled RADIUS attributes in a specified RADIUS server template. If this parameter is not specified, the disabled RADIUS attributes in all the RADIUS server templates are displayed.	The value must be an existing RADIUS server template name.

Parameter

Description

Value

template template-name

Displays the disabled RADIUS attributes in a specified RADIUS server template.

If this parameter is not specified, the disabled RADIUS attributes in all the RADIUS server templates are displayed.

The value must be an existing RADIUS server template name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can use the display radius-attribute disable command to view the RADIUS attributes disabled by using the radius-attribute disable command.

To enable a RADIUS attribute, run the undo radius-attribute disable command in the RADIUS server template view.

Example

# Display the disabled RADIUS attributes on the device.

<Huawei> display radius-attribute disable
Packet-Type: Type of the RADIUS packets to be modified. 1 indicates valid; 0 ind
icates invalid. Bit 1 to bit 4 indicate the authentication request, authenticati
on accept, accounting request, and accounting response packets.                 
                                                                                
Server-template-name: d                                                         
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID  Direct    Packet-Type
--------------------------------------------------------------------------------
0                7             0              0            send       0 0 0 0   
--------------------------------------------------------------------------------

Table 16-24 Description of the display radius-attribute disable command output

Item	Description
Server-template-name	RADIUS server template name.
Source-Vendor-ID	Vendor ID of the source attribute.
Source-Sub-ID	ID of the source attribute's sub-attribute.
Dest-Vendor-ID	Vendor ID of the destination attribute.
Dest-Sub-ID	ID of the destination attribute's sub-attribute.
Direct	Direction in which the attribute is translated. receive: Translates RADIUS attributes for received packets. send: Translates RADIUS attributes for sent packets.
Packet-Type	Type of RADIUS packets. 0: The RADIUS attributes of this type of packets are not translated. 1: The RADIUS attributes of this type of packets are translated.

display radius-attribute translate

Function

The display radius-attribute translate command displays the RADIUS attribute translation configuration.

Format

display radius-attribute [ template template-name ] translate

Parameters

Parameter	Description	Value
template template-name	Displays the RADIUS attribute translation configuration of a specified RADIUS server template. template-name specifies the name of the RADIUS server template that is created using the radius-server template command. If this parameter is not specified, the disabled RADIUS attributes translation configuration in all the RADIUS server templates are displayed.	The value must be an existing RADIUS server template name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After running the radius-attribute translate command to configure the device to translate RADIUS attributes, run the display radius-attribute translate command to check the configuration.

Example

# Display the RADIUS attribute translation configuration.

<Huawei> display radius-attribute translate
Packet-Type: Type of the RADIUS packets to be modified. 1 indicates valid; 0 indicates invalid. Bit 1 to bit 4 indicate the authentication request, authentication accept, accounting request, and accounting response packets.   

Server-template-name: rds                                                       
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID  Direct    Packet-Type
--------------------------------------------------------------------------------
0                6             0              40           receive    0 0 0 0   
--------------------------------------------------------------------------------
Server-template-name: eee                                                       
--------------------------------------------------------------------------------
Source-Vendor-ID Source-Sub-ID Dest-Vendor-ID Dest-Sub-ID  Direct    Packet-Type
--------------------------------------------------------------------------------
234567           123           2011           20           --         0 1 0 1   
--------------------------------------------------------------------------------

Table 16-25 Description of the display radius-attribute translate command output

Item	Description
Server-template-name	Server template name.
Source-Vendor-ID	Vendor ID of the source attribute.
Source-Sub-ID	ID of the source attribute's sub-attribute.
Dest-Vendor-ID	Vendor ID of the destination attribute.
Dest-Sub-ID	ID of the destination attribute's sub-attribute.
Direct	Direction in which the attribute is translated. receive: Translates RADIUS attributes for received packets. send: Translates RADIUS attributes for sent packets.
Packet-Type	Type of RADIUS packets. 0: The RADIUS attributes of this type of packets are not translated. 1: The RADIUS attributes of this type of packets are translated.

display radius-server accounting-stop-packet

Function

The display radius-server accounting-stop-packet command displays information about accounting-stop packets on the RADIUS server.

Format

display radius-server accounting-stop-packet { all | ip { ip-address | ipv6-address } }

Parameters

Parameter	Description	Value
all	Displays all the accounting-stop packets.	-
ip ip-address	Displays the accounting-stop packets with the specified IP address.	The value of ip-address is in dotted decimal notation.
ip ipv6-address	Displays the accounting-stop packets with the specified IPv6 address.	The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

Views

All views

Default Level

3: Management level

Usage Guidelines

The display radius-server accounting-stop-packet command output helps you check configurations or isolate faults.

Example

# Display the accounting-stop packets with the IP address being 10.138.104.32.

<Huawei> display radius-server accounting-stop-packet ip 10.138.104.32
 ------------------------------------------------------------------------------ 
 Time Stamp  Resend Times  Session Time  Username                               
 ------------------------------------------------------------------------------ 
 1980409     6             22            g@rds                                  
 ------------------------------------------------------------------------------ 
 Total: 1, printed: 1

Table 16-26 Description of the display radius-server accounting-stop-packet command output

Item	Description
Time Stamp	Timestamp of an accounting-stop packet.
Resend Times	Number of times that accounting-stop packets have been retransmitted. NOTE: In active/standby mode, the number of retransmission times on the standby control board is not updated.
Session Time	Session time, in seconds.
Username	User name.

display radius-server authorization configuration

Function

The display radius-server authorization configuration displays the configuration of a RADIUS authorization server.

Format

display radius-server authorization configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check whether the configuration of a RADIUS authorization server is correct.

Example

# Display the configuration of RADIUS authorization servers.

<Huawei> display radius-server authorization configuration
------------------------------------------------------------------------------
 Attribute decode same as template    :  N
 Attribute encode same as template    :  Y
 User information match type          :  all
 Calling-station-id decode MAC-format :  xx-xx-xx-xx-xx-xx
         
------------------------------------------------------------------------------
 IP address        : -
 Shared-key        : ****************
 Group             : -
 Protect           : Y 
 VPN-instance      : -  
 ------------------------------------------------------------------------------
 1 RADIUS authorization server(s) in total

Table 16-27 Description of the display radius-server authorization configuration command output

Item	Description
Attribute decode same as template	Whether the device parses attributes in the RADIUS dynamic authorization packet based on the configuration in the RADIUS server template. To set this parameter, run the radius-server authorization attribute-decode-sameastemplate command.
Attribute encode same as template	Whether the device encapsulates attributes in the CoA or DM Response packet based on the configuration in the RADIUS server template. To set this parameter, run the radius-server authorization attribute-encode-sameastemplate command.
User information match type	Method in which a device checks whether the RADIUS attributes in the received CoA or DM Request packet match user information on the device: all: The device checks whether all RADIUS attributes in the received CoA or DM Request packet match user information on the device. any: The device checks whether a RADIUS attribute in the received CoA or DM Request packet matches user information on the device. To set this parameter, run the radius-server authorization match-type command.
Calling-station-id decode MAC-format	Format of the MAC address that can be parsed by the device and is configured in the system view in the Calling-Station-Id field of the CoA or DM Response packet. To set this parameter, run the radius-server authorization calling-station-id decode-mac-format command.
IP-Address	IP address of a RADIUS authorization server. To set this parameter, run the radius-server authorization command.
Shared-key	Shared key of the RADIUS authorization server. To set this parameter, run the radius-server authorization command.
Group	RADIUS server group matching the RADIUS authorization server. To set this parameter, run the radius-server authorization command.
Protect	Whether the security hardening function is enabled. To set this parameter, run the radius-server authorization command.
vpn-instance	Name of the VPN instance that the RADIUS authorization server is bound to. To set this parameter, run the radius-server authorization command.

display radius-server configuration

Function

The display radius-server configuration command displays configuration information about a RADIUS server template.

Format

display radius-server configuration [ template template-name ]

Parameters

Parameter	Description	Value
template template-name	Specifies the name of a RADIUS server template. If this parameter is not specified, configuration information of all RADIUS server templates is displayed.	The RADIUS server template must already exist.

Parameter

Description

Value

template template-name

Specifies the name of a RADIUS server template.

If this parameter is not specified, configuration information of all RADIUS server templates is displayed.

The RADIUS server template must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the configuration of a RADIUS server template is completed or a RADIUS fault needs to be rectified, you can run this command to check whether the configuration of the RADIUS server template is correct.

Example

# Display configuration information about the RADIUS server template named shiva.

<Huawei> display radius-server configuration template shiva
  ------------------------------------------------------------------------------
  Server-template-name          :  shiva
  Server-template-index         :  1
  Protocol-version              :  standard
  Traffic-unit                  :  B
  Shared-secret-key             :  ******
  Group-filter                  :  class
  Timeout-interval(in second)   :  5
  Retransmission                :  2
  EndPacketSendTime             :  0
  Dead time(in minute)          :  5
  Domain-included               :  YES
  NAS-IP-Address                :  -
  Calling-station-id MAC-format :  xxxx-xxxx-xxxx
  Called-station-id MAC-format  :  XX.XX.XX.XX.XX.XX
  NAS-Port-ID format            :  New 
  Service-type                  :  - 
  NAS-IPv6-Address              :  ::
  Server algorithm              :  master-backup 
  Detect-interval(in second)    :  60 
  Detect up-server(in second)   :  0  
  Detect timeout(in second)     :  3
  Testuser-username             :  test
  Testuser-ciperpwd             :  %^%#.5*EDl^j_WXg[#Z>plj8;k|8.s*ju<_F~g9k`0*9%^%#
  Chargeable-user-identity      :  Not Support  
  CUI Not reject                :  No
  Enable framed-ip-address      :  Yes 
  Authentication Server 1       :  10.7.66.66     Port:1812  Weight:80  [up]
                                   Vrf:- LoopBack:NULL Vlanif:NULL
                                   Source IP: ::
  Authentication Server 2       :  10.7.66.67     Port:1812  Weight:80  [up]
                                   Vrf:- LoopBack:NULL Vlanif:NULL
                                   Source IP: ::
  Accounting Server     1       :  10.7.66.66     Port:1813  Weight:80  [up]
                                   Vrf:- LoopBack:NULL Vlanif:NULL
                                   Source IP: ::
  Accounting Server     2       :  10.7.66.67     Port:1813  Weight:80  [up]
                                   Vrf:- LoopBack:NULL Vlanif:NULL
                                   Source IP: ::
  ------------------------------------------------------------------------------

Table 16-28 Description of the display radius-server configuration template template-name command output

Item	Description
Server-template-name	Name of a RADIUS server template. To set this parameter, run the radius-server template command.
Server-template-index	Index of a RADIUS server template.
Protocol-version	RADIUS protocol version: standard huawei iphotel portal
Traffic-unit	Traffic unit in the RADIUS server template. B: Byte KB: Kilobyte MB: Megabyte GB: Gigabyte To set this parameter, run the radius-server traffic-unit command.
Shared-secret-key	Shared key in the RADIUS server template. To set this parameter, run the radius-server shared-key command.
Group-filter	Filtering field of a user group. Currently, only the class field can be used as the filtering field of a user group.
Timeout-interval(in second)	Response timeout period of a RADIUS server. To set this parameter, run the radius-server retransmit timeout command.
Retransmission	Number of times RADIUS packets are retransmitted. To set this parameter, run the radius-server retransmit timeout command.
EndPacketSendTime	Number of times RADIUS accounting-stop packets are retransmitted. To set this parameter, run the radius-server accounting-stop-packet resend command.
Dead time(in minute)	Interval for the primary RADIUS server to revert to the active state. To set this parameter, run the radius-server retransmit timeout command.
Domain-included	Whether the RADIUS user name contains the domain name. YES: The user name contains the domain name. NO: The user name does not contain the domain name. Original: The device does not modify the user name entered by the user. To set this parameter, run the radius-server user-name domain-included command.
NAS-IP-Address	NAS IP address in RADIUS packets.
Calling-station-id MAC-format	Encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets.
Called-station-id MAC-format	Encapsulation format of the MAC address in the called-station-id attribute of RADIUS packets. To set this parameter, run the called-station-id mac-format command.
NAS-Port-ID format	Format of the NAS-Port-ID attribute on the RADIUS server. New: Uses the new format of the NAS-Port-ID attribute. Old: Uses the old format of the NAS-Port-ID attribute. To set this parameter, run the radius-server nas-port-id-format command.
Service-type	Service type.
NAS-IPv6-Address	NAS IPv6 address in RADIUS packets.
Server algorithm	Algorithm for selecting RADIUS servers: master-backup: specifies the algorithm for selecting RADIUS servers as packet-based primary/secondary. master-backup based-user: specifies the algorithm for selecting RADIUS servers as single user-based primary/secondary. loading-share: specifies the algorithm for selecting RADIUS servers as packet-based load balancing. loading-share based-user: specifies the algorithm for selecting RADIUS servers as single user-based load balancing. To set this parameter, run the radius-server algorithm command.
Detect-interval(in second)	Automatic detection interval for RADIUS servers in Down state. To set this parameter, run the radius-server detect-server command.
Detect up-server(in second)	Automatic detection interval for RADIUS servers in Up state. To set this parameter, run the radius-server detect-server up-server interval command.
Detect timeout(in second)	Timeout period for automatic RADIUS server detection packets. To set this parameter, run the radius-server detect-server timeout command.
Chargeable-user-identity	Whether the device supports the CUI attribute. The value can be: Not Support: The device does not support the CUI attribute. Support: The device supports the CUI attribute. To set this parameter, run the radius-server support chargeable-user-identity command.
CUI Not reject	Whether the device does not process the CUI attribute. The value can be: No: The device processes the CUI attribute. Yes: The device does not process the CUI attribute. To set this parameter, run the radius-server support chargeable-user-identity command.
Enable framed-ip-address	Whether the device is enabled to encapsulate the RADIUS attribute Framed-IP-Address into a RADIUS authentication request packet when the RADIUS authentication request packet sent by a user does not carry the user IP address. The value can be: No: disabled Yes: enabled To set this parameter, run the radius-server framed-ip-address no-user-ip enable command.
Testuser-username	User name for automatic RADIUS server detection. To set this parameter, run the radius-server testuser command.
Testuser-ciperpwd	User password for automatic RADIUS server detection. To set this parameter, run the radius-server testuser command.
Authentication Server 1	IP address, interface number, weight, status, VPN instance, source interface, and source IP address of the primary RADIUS authentication server. To set this parameter, run the radius-server authentication command.
Authentication Server 2	IP address, interface number, weight, status, VPN instance, source interface, and source IP address of the secondary RADIUS authentication server. To set this parameter, run the radius-server authentication command.
Accounting Server 1	IP address, interface number, weight, status, VPN instance, source interface, and source IP address of the primary RADIUS accounting server. To set this parameter, run the radius-server accounting command.
Accounting Server 2	IP address, interface number, weight, status, VPN instance, source interface, and source IP address of the secondary RADIUS accounting server. To set this parameter, run the radius-server accounting command.

display radius-server dead-interval dead-count detect-cycle

Function

The display radius-server dead-interval dead-count detect-cycle command displays configuration information about the RADIUS server detection interval, number of times the RADIUS server detection interval cycles, and maximum number of consecutive unacknowledged packets in each detection interval.

Format

display radius-server { dead-interval | dead-count | detect-cycle }

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the RADIUS server detection interval, number of times the RADIUS server detection interval cycles, and maximum number of consecutive unacknowledged packets in each detection interval are configured using the radius-server dead-interval dead-count detect-cycle command, you can run the display radius-server { dead-interval | dead-count | detect-cycle } command to check configuration information about the RADIUS server detection interval, number of times the RADIUS server detection interval cycles, and maximum number of consecutive unacknowledged packets in each detection interval.

Example

# Display configuration information about the RADIUS server detection interval.

<Huawei> display radius-server dead-interval
Radius server state detected internal is 5.

# Display configuration information about the maximum number of consecutive packets that are not acknowledged by the RADIUS server in each detection interval.

<Huawei> display radius-server dead-count
Radius server state detected count is 2.

# Display configuration information about the number of times the RADIUS server detection interval cycles.

<Huawei> display radius-server detect-cycle
Radius server down detect cycle is 2.

Table 16-29 Description of the display radius-server { dead-interval | dead-count | detect-cycle } command output

Item	Description
Radius server state detected internal is	Detection interval of the current RADIUS server.
Radius server state detected count is	Maximum number of consecutive packets that are not acknowledged by the RADIUS server.
Radius server down detect cycle is	Number of times the RADIUS server detection interval cycles.

display radius-server session-manage configuration

Function

The display radius-server session-manage configuration command displays session management configuration on the RADIUS server.

Format

display radius-server session-manage configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After session management is enabled using the radius-server session-manage command on the RADIUS server, you can run this command to view session management configuration.

Example

# Display session management configuration on the RADIUS server.

<Huawei> display radius-server session-manage configuration
 ------------------------------------------------------------------------------ 
 Session Manage Enable : True    Session Manage AnyServer : False               
 ------------------------------------------------------------------------------ 
 IP Address      VPN Instance                     Shared-key                    
 ------------------------------------------------------------------------------ 
 10.1.1.1        -                                ****************              
 ------------------------------------------------------------------------------ 
 1 Radius session manage server(s) in total

Table 16-30 Description of the display radius-server session-manage configuration command output

Item	Description
Session Manage Enable	Whether session management is enabled: True: enabled False: disabled To set this parameter, run the radius-server session-manage command.
Session Manage AnyServer	Whether any RADIUS session management server is configured: True: configured False: not configured
IP Address	IP address of the RADIUS session management server.
VPN Instance	Name of the VPN instance bound to the RADIUS session management server.
Shared-key	Shared key of the RADIUS session management server.
Radius session manage server(s) in total	Number of the RADIUS session management servers.

display radius-server item

Function

The display radius-server item command shows the RADIUS server configuration.

Format

display radius-server item { ip-address { ipv4-address | ipv6-address } { accounting | authentication } | template template-name }

Parameters

Parameter	Description	Value
ip-address { ipv4-address \| ipv6-address }	Specifies the IP address of the RADIUS server.	ipv4-address: The value is in dotted decimal notation. ipv6-address: The value is a 32-digit hexadecimal number.
accounting	Indicates the RADIUS accounting server.	-
authentication	Indicates the RADIUS authentication server.	-
template template-name	Specifies the RADIUS server template name.	The value must be an existing RADIUS server template name.

Views

All views

Default Level

3: Management level

Usage Guidelines

The display radius-server item command shows the RADIUS server configuration.

Example

# Display the configuration of RADIUS server template rds.

<Huawei> display radius-server item template rds
 ------------------------------------------------------------------------------ 
  STState    = STState-up    
  STChgTime  = -
  Type       = auth-server                                                      
  State      = state-up                                                         
  AlarmFlag  = false                                                            
  STUseNum   = 1 
  IPAddress  = 192.168.30.1 
  AlarmTimer = 0xffffffff 
  Head       = 1057 
  Tail       = 1311
  ProbeID    = 255
  Type       = acct-server 
  State      = state-up 
  AlarmFlag  = false 
  STUseNum   = 1                                                                
  IPAddress  = 192.168.30.1                                                     
  AlarmTimer = 0xffffffff                                                       
  Head       = 1057                                                             
  Tail       = 1311                                                             
  ProbeID    = 255
                                                              
 ------------------------------------------------------------------------------

Table 16-31 Description of the display radius-server item template command output

Item	Description
STState	RADIUS server template status: STState-up: indicates that the RADIUS server template is UP status. STState-down: indicates that the RADIUS server template is DOWN status.
STChgTime	Time when the RADIUS server template status changes.
Type	RADIUS server type: authentication or accounting server. auth-server: indicates authentication server. acct-server: indicates accounting server.
State	RADIUS server status: state-up: indicates the Up state. state-down: indicates the Down state. state-force-up: indicates the forcible Up state. state-probe: indicates the detection state.
AlarmFlag	Alarm flag. true: indicates that an alarm about status change has been sent. false: indicates that an alarm about status change is not sent.
STUseNum	RADIUS server template ID.
IPAddress	RADIUS server IP address.
AlarmTimer	ID of the alarm timer.
Head	Head pointer used to allocate the ID to RADIUS packets.
Tail	Tail pointer used to allocate the ID to RADIUS packets.
ProbeID	ID of probe packets.

display radius-server max-unresponsive-interval

Function

The display radius-server max-unresponsive-interval command displays configuration information about the longest unresponsive interval of a RADIUS server.

Format

display radius-server max-unresponsive-interval

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the longest unresponsive interval of a RADIUS server is configured using the radius-server max-unresponsive-interval command, you can run the display radius-server max-unresponsive-interval command to display configuration information about the longest unresponsive interval of the RADIUS server.

Example

# Display configuration information about the longest unresponsive interval of the RADIUS server.

<Huawei> display radius-server max-unresponsive-interval
Radius server max non-response interval(in seconds) is 400.

Table 16-32 Description of the display radius-server max-unresponsive-interval command output

Item	Description
Radius server max non-response interval(in seconds) is	Longest unresponsive interval of the current RADIUS server.

display snmp-agent trap feature-name radius all

Function

The display snmp-agent trap feature-name radius all command displays the status of all traps for the RDS module.

Format

display snmp-agent trap feature-name radius all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After enabling the trap function for the RDS module, you can run the display snmp-agent trap feature-name radius all command to check the status of all traps for the RDS module. To enable the trap function for the RDS module, run the snmp-agent trap enable feature-name radius command.

Prerequisites

The SNMP function has been enabled on the device.

Example

# Display the status of all traps for the RDS module.

<Huawei>display snmp-agent trap feature-name radius all
------------------------------------------------------------------------------
Feature name: radius
Trap number : 6
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
hwRadiusAuthServerUp            off                     off
hwRadiusAuthServerDown          off                     off
hwRadiusAcctServerUp            off                     off
hwRadiusAcctServerDown          off                     off
hwRadiusAuthServerForceUp       off                     off
hwRadiusAcctServerForceUp       off                     off

Table 16-33 Description of the display snmp-agent trap feature-name radius all command output

Item	Description
Feature name	Name of the module that the trap belongs to.
Trap number	Number of traps.
Trap name	Name of a trap. Traps for the RDS module include: hwRadiusAuthServerUp: The device sends a Huawei proprietary trap when it detects that communication with the RADIUS authentication server is restored. hwRadiusAuthServerDown: The device sends a Huawei proprietary trap when it detects that communication with the RADIUS authentication server is interrupted. hwRadiusAcctServerUp: The device sends a Huawei proprietary trap when it detects that communication with the RADIUS accounting server is restored. hwRadiusAcctServerDown: The device sends a Huawei proprietary trap when it detects that communication with the RADIUS accounting server is interrupted. hwRadiusAuthServerForceUp: The device sends a Huawei proprietary trap when it detects that the RADIUS authentication server is forced Up. hwRadiusAcctServerForceUp: The device sends a Huawei proprietary trap when it detects that the RADIUS accounting server is forced Up.
Default switch status	Default status of the trap function: on: The trap function is enabled by default. off: The trap function is disabled by default.
Current switch status	Status of the trap function: on: The trap function is enabled. off: The trap function is disabled.

radius-attribute check

Function

The radius-attribute check command enables the device to check the specified attributes in the received RADIUS Access-Accept packets.

The undo radius-attribute check command disables the device from checking the specified attributes in the received RADIUS Access-Accept packets.

By default, the device does not check whether a RADIUS Access-Accept packet contains the specified attributes.

Format

radius-attribute check attribute-name

undo radius-attribute check [ attribute-name ]

Parameters

Parameter	Description	Value
attribute-name	Specifies the name of the RADIUS attribute. If this parameter is specified, the RADIUS Access-Accept packets are checked based on attribute names.	The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the radius-attribute check command is executed, the device checks whether the received RADIUS Access-Accept packets contain the specified attributes. If yes, the device considers that authentication was successful; if not, the device considers that authentication failed and discards the packet. For example, after the radius-attribute check filter-id command is executed, the device checks the filter-id attribute in the received RADIUS Access-Accept packets. If a RADIUS packet does not contain this attribute, authentication fails.

Precautions

When you use the undo radius-attribute check command with parameters, the device checks the specified attributes in the RADIUS Access-Accept packets. When you use the undo radius-attribute check command without any parameter, the device does not check RADIUS Access-Accept packets.
The display radius-attribute can display RADIUS attribute names.

Example

# Check whether the RADIUS Access-Accept packets contain the framed-protocol attribute.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-attribute check framed-protocol

radius-attribute cut hw-portal-url

Function

The radius-attribute cut hw-portal-url command deletes the specified content from the URL contained in the Huawei RADIUS attribute 26-156 (HW-Portal-URL).

The undo radius-attribute cut hw-portal-url command configures the device not to process the URL contained in the Huawei RADIUS attribute 26-156 (HW-Portal-URL).

By default, the device does not process the URL contained in the Huawei RADIUS attribute 26-156 (HW-Portal-URL).

Format

radius-attribute cut hw-portal-url key-words [ end mark ]

undo radius-attribute cut hw-portal-url

Parameters

Parameter	Description	Value
key-words	Specifies the start keyword of the content to be deleted.	The value is a string of 3 to 64 characters. It must start with an ampersand (&) and end with an equal sign (=). Spaces are not allowed.
end mark	Specifies the end character of the content to be deleted. If no end character is configured, all the characters following key-words in the URL will be deleted.	Currently, the end character can only be an ampersand (&).

Parameter

Description

Value

key-words

Specifies the start keyword of the content to be deleted.

The value is a string of 3 to 64 characters. It must start with an ampersand (&) and end with an equal sign (=). Spaces are not allowed.

end mark

Specifies the end character of the content to be deleted.

If no end character is configured, all the characters following key-words in the URL will be deleted.

Currently, the end character can only be an ampersand (&).

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

This command is used to perform special processing on the URL delivered by the RADIUS server using the Huawei RADIUS attribute 26-156 (HW-Portal-URL) to meet interconnection requirements. Generally, this command does not need to be configured.

Example

# Delete the character string &portal= and the content following &portal= from the URL contained in the Huawei RADIUS attribute 26-156 (HW-Portal-URL).

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-attribute cut hw-portal-url &portal=

radius-attribute encap optimize

Function

The radius-attribute encap optimize disable command disables RADIUS attribute encapsulation optimization.

The radius-attribute encap optimize enable command enables RADIUS attribute encapsulation optimization.

By default, the RADIUS attribute encapsulation optimization function is enabled.

This function is supported in V300R022C00SPC100 and later versions.

Format

radius-attribute encap optimize { enable | disable }

undo radius-attribute encap optimize disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

During RADIUS attribute encapsulation, the device appends some variable-length attributes to packets to improve performance. However, the device may fail to communicate with RADIUS servers of some vendors. In this case, you can run the radius-attribute encap optimize disable command on the device to disable RADIUS attribute encapsulation optimization and then perform the interconnection test.

Example

# Disable RADIUS attribute encapsulation optimization.

<Huawei> system-view
[Huawei] radius-attribute encap optimize disable

radius-attribute disable

Function

The radius-attribute disable command disables a RADIUS attribute.

The undo radius-attribute disable command enables a disabled RADIUS attribute.

By default, no RADIUS attribute is disabled.

Format

radius-attribute disable attribute-name { receive | send } ^*

undo radius-attribute disable [ attribute-name ]

Parameters

Parameter	Description	Value
attribute-name	Specifies the name of a RADIUS attribute.	The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.
receive	Disables a RADIUS attribute for received packets.	-
send	Disables a RADIUS attribute for sent packets.	-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Generally, a RADIUS server connects to multiple network devices, which can be one vendor's devices or different vendors' devices. If some vendors' devices require the RADIUS server to deliver an attribute to support a specified feature but other vendors' device do not support the delivered attribute, the RADIUS attribute may fail to be parsed.

The device may communicate with RADIUS servers of different vendors. Some RADIUS servers require the device to send some attributes but other RADIUS servers cannot process the attributes. Errors may occur.

The radius-attribute disable command disables RADIUS attributes on the device. You can configure the device to ignore incompatible attributes when receiving RADIUS packets to prevent parsing failures. You can also configure the device to disable RADIUS attributes when sending RADIUS packets. When the device sends RADIUS packets, it does not encapsulate the disabled RADIUS attributes in the RADIUS packets.

Prerequisites

The RADIUS attribute translation function has been enabled using the radius-server attribute translate command.

Precautions

Before disabling RADIUS attributes, run the display radius-attribute command to view the RADIUS attributes supported by the device.

Example

# Disable the Frame-Route attribute in sent packets.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server attribute translate
[Huawei-radius-test1] radius-attribute disable framed-route send

radius-attribute nas-ip

Function

The radius-attribute nas-ip command sets the NAS-IP-Address attribute in a RADIUS packet sent from an NAS.

The undo radius-attribute nas-ip command deletes the configured NAS-IP-Address attribute.

By default, the source IP address of the NAS is the NAS-IP-Address attribute value.

Format

radius-attribute nas-ip { ip-address | ap-info }

undo radius-attribute nas-ip [ ap-info ]

Parameters

Parameter	Description	Value
ip-address	Specifies the NAS-IP-Address attribute value in RADIUS packets sent by the device. In wireless scenarios, when a device functions as an AC, the IP address of the AC is specified as the NAS-IP-Address attribute value in RADIUS packets sent by the device.	The value is a valid unicast address in dotted decimal notation.
ap-info	The IP address of the AP is specified as the NAS-IP-Address attribute value in RADIUS packets sent by the device when the device functions as an AC in a wireless scenario.	-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A RADIUS server uses the NAS-IP-Address attributes in RADIUS packets sent by NASs to identify NASs. You can run the radius-attribute nas-ip command in the RADIUS server template view to set the NAS-IP-Address attribute.

When the RADIUS server interconnected with the device requires that the NAS-IP-Address attribute value is the IP address of the AP when the device functions as an AC in a wireless scenario, you need to run the radius-attribute nas-ip ap-info command.

Prerequisites

A RADIUS server template has been created using the radius-server template command.

Precautions

If the RADIUS NAS-IP-Address attribute is set to an invalid IP address, the configuration fails and an error message is displayed.

Example

# Set the RADIUS NAS-IP-Address attribute.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-attribute nas-ip 10.3.3.3

radius-attribute nas-ipv6

Function

The radius-attribute nas-ipv6 command sets the NAS-IPv6-Address attribute in a RADIUS packet sent from a network access server (NAS).

The undo radius-attribute nas-ipv6 command deletes the configured NAS-IPv6-Address attribute.

By default, no NAS-IPv6-Address attribute is configured.

Format

radius-attribute nas-ipv6 ipv6-address

undo radius-attribute nas-ipv6

Parameters

Parameter	Description	Value
ipv6-address	Specifies the NAS-IPv6-Address attribute in a RADIUS packet.	The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The RADIUS server uses IP addresses to identify different NASs. The NAS-IPv6-Address attribute in a RADIUS packet can be configured using the radius-attribute nas-ipv6 command in the RADIUS template.

Prerequisites

A RADIUS server template has been created using the radius-server template command.

Precautions

If the RADIUS NAS-IP-Address attribute is set to an invalid IP address, the configuration fails and an error message is displayed.

Example

# Set the RADIUS NAS-IPv6-Address attribute.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-attribute nas-ipv6 FC00::7

radius-attribute set

Function

The radius-attribute set command modifies the RADIUS attributes.

The undo radius-attribute set command restores the default RADIUS attributes.

By default, values of the RADIUS attributes are not modified.

Format

radius-attribute set attribute-name attribute-value [ auth-type { dot1x | mac | portal } | user-type ipsession ]

undo radius-attribute set attribute-name [ auth-type { dot1x | mac | portal } | user-type ipsession ]

Parameters

Parameter	Description	Value
attribute-name	Specifies the name of the attribute to be modified.	The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name. Common attribute names are as follows: NAS-Identifier NAS-Port NAS-Port-Id NAS-Port-Type NAS-Identifier NAS-Port NAS-Port-Id NAS-Port-Type NAS-Identifier NAS-Port For details about other attribute names and values, see RADIUS Attributes.
attribute-value	Indicates the value of the attribute to be modified.	The value of attribute-value is automatically displayed.
auth-type { dot1x \| mac \| portal }	Specifies the user authentication type: dot1x: 802.1X authentication mac: MAC address authentication portal: Portal authentication Only the Service-Type attribute supports this parameter.	-
user-type ipsession	Specifies the users with user type being IP session. Only the Service-Type attribute supports this parameter.	-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The RADIUS attribute values of different vendors are different. To ensure that Huawei device can successfully communicate with the devices of other vendors, run the radius-attribute set command to modify the RADIUS attribute values.

For example, the Huawei device uses Service-Type value 2 to indicate an authentication request from a common user by default, while a non-Huawei RADIUS server uses Service-Type value 1 to indicate an authentication request from a common user; you can run the radius-attribute set service-type 1 command to change the Service-Type value on the device so that the device can communicate with the RADIUS server.

Precautions

The radius-attribute set command can modify only the RADIUS attributes in the authentication or accounting request packets sent from a device to the RADIUS server, and cannot modify the RADIUS attributes in the packets sent from the RADIUS server to a device.

If you run the display radius-attribute command to check the RADIUS attributes supported by a device and the Auth Req or Acct Req field in the command output displays 1, the RADIUS attributes supported by the device can be carried in the authentication or accounting request packets sent from the device to the RADIUS server.

Among the RADIUS attributes that can be carried in the authentication or accounting packets sent from the device to the RADIUS server, you cannot run the radius-attribute set command to modify the following attributes: User-Password, NAS-IP-Address, NAS-IPv6-Address, CHAP-Password, CHAP-Challenge, EAP-Message, Framed-Interface-Id, Framed-IPv6-Prefix, Message-Authenticator, State, and Class.
The type of the attribute modified by the radius-attribute set command cannot be changed.
The radius-attribute set service-type attribute-value { auth-type { mac | dot1x | portal } | user-type ipsession } command has a higher priority than the radius-attribute set service-type attribute-value command.
A maximum of 8 attributes can be set in a RADIUS server template.

Example

# Create the template temp1 and set the Service-Type attribute value to 1.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-attribute set service-type 1

radius-attribute service-type with-authenonly-reauthen

Function

The radius-attribute service-type with-authenonly-reauthen command sets the reauthentication mode to reauthentication only.

The undo radius-attribute service-type with-authenonly-reauthen command restores the reauthentication mode to reauthentication and reauthorization.

By default, the reauthentication mode is reauthentication and reauthorization.

Format

radius-attribute service-type with-authenonly-reauthen

undo radius-attribute service-type with-authenonly-reauthen

Parameters

None

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a user needs to be reauthenticated, the device delivers authorization information to all online users after the user is successfully authenticated. If many online users and authorization configurations exist on the device, the device cannot promptly deliver authorization information, causing an authorization failure and user disconnection. After the radius-attribute service-type with-authenonly-reauthen command is run in the RADIUS server template view, the device only reauthenticates users during reauthentication, and does not redeliver authorization information, preventing users from going offline due to authorization failures.

Precautions

After the radius-attribute service-type with-authenonly-reauthen command is configured, users still use the original authorization information after being successfully reauthenticated even if the user authorization information changes.

This function takes effect only when the Service-Type attribute of a RADIUS server is Authenticate Only.

After the reauthentication mode is set to reauthentication only, the user name remains unchanged during reauthentication.

If server authorization packets carry the following attributes during reauthentication, this function does not take effect, but changes to the following authorization are still supported:

User-Name authorized by the server
CUI attribute authorized by the server
Maximum number of users who are allowed to access the network using the same user name

Example

# Set the reauthentication mode to reauthentication only.

<Huawei> system-view
[Huawei] radius-server template test
[Huawei-radius-test] radius-attribute service-type with-authenonly-reauthen

radius-attribute translate

Function

The radius-attribute translate command configures a RADIUS attribute to be translated.

The undo radius-attribute translate command cancels the configuration.

By default, no RADIUS attribute is translated.

Format

radius-attribute translate src-attribute-name dest-attribute-name { receive | send | access-accept | access-request | account-request | account-response } ^*

radius-attribute translate extend vendor-specific src-vendor-id src-sub-id dest-attribute-name { access-accept | account-response } ^*

radius-attribute translate extend src-attribute-name vendor-specific dest-vendor-id dest-sub-id { access-request | account-request } ^*

undo radius-attribute translate [ src-attribute-name ]

undo radius-attribute translate extend src-attribute-name

undo radius-attribute translate extend vendor-specific src-vendor-id src-sub-id

Parameters

Parameter	Description	Value
src-attribute-name	Specifies the name of the source attribute.	The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.
dest-attribute-name	Specifies the name of the destination attribute.	The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name.
receive	Translates RADIUS attributes for received packets.	-
send	Translates RADIUS attributes for sent packets.	-
access-request	Translates RADIUS attributes for Authentication Request packets.	-
account-request	Translates RADIUS attributes for Accounting Request packets.	-
access-accept	Translates RADIUS attributes for Authentication Accept packets.	-
account-response	Translates RADIUS attributes for Accounting Response packets.	-
extend	Translates extended RADIUS attributes.	-
vendor-specific src-vendor-id src-sub-id	Specifies the source extended attribute to be translated. src-vendor-id: The vendor ID in the extended RADIUS attributes needs to be translated. src-sub-id: The sub ID in the RADIUS attributes needs to be translated.	The value of src-vendor-id is an integer ranging from 1 to 4294967295. The value of src-sub-id is an integer ranging from 1 to 255.
vendor-specific dest-vendor-id dest-sub-id	Specifies the destination extended attribute to be translated. dest-vendor-id: The vendor ID in the extended RADIUS attributes needs to be translated. dest-sub-id: The sub ID in the extended RADIUS attributes needs to be translated.	The value of dest-vendor-id is an integer ranging from 1 to 4294967295. The value of dest-sub-id is an integer ranging from 1 to 255.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Currently, RADIUS servers of different vendors may support different RADIUS attributes and have vendor-specific RADIUS attributes. To communicate with different RADIUS servers, the device provides the RADIUS attribute translation function. After RADIUS attribute translation is enabled, the device can translate RADIUS attributes when sending or receiving packets.

RADIUS attribute translation is used in the following modes:

Format translation for the same attribute

This mode is widely applied. It solves the problem of compatibility because different users have different requirements for the format of a RADIUS attribute.
Translation between different attributes

This mode is used because different vendors have different implementations of RADIUS attributes.

For example, the device delivers the priority of the administrator by using the Huawei proprietary attribute HW-Exec-Privilege (26-29), whereas another vendor's device delivers it by using the Login-service (15) attribute. When the device and the vendor's device use the same RADIUS server on a network, the device is required to deliver the priority of the administrator by using the Login-service (15) attribute. After the radius-attribute translate command is configured, the device automatically processes the Login-service attribute in the received RADIUS authentication response packet as the HW-Exec-Privilege attribute.

Prerequisites

RADIUS attribute translation has been enabled by using the radius-server attribute translate command.

Before configuring RADIUS attribute translation, run the display radius-attribute command to view the RADIUS attributes supported by the device.

Precautions

When the device sends packets, if attribute A is to be translated to attribute B, the type of the encapsulated attribute is the same as that of attribute B but the attribute content and format are the same as those of attribute A.
When the device receives packets, if attribute A is to be translated to attribute B, the device parses the received attribute A as attribute B.
When the device receives packets, it cannot translate the attributes of CoA packets.
Three commands are available to translate RADIUS attributes:
- To translate the attributes supported by the device to other attributes also supported by the device, run the radius-attribute translate command.
- To translate the non-Huawei attributes not supported by the device to the attributes supported by the device, run the radius-attribute translate extend vendor-specific command.
- To translate the attributes supported by the device to the non-Huawei attributes not supported by the device, run the radius-attribute translate extend command.
The RADIUS attribute consists of Type, Length, and Value fields. A device can translate a non-Huawei RADIUS attribute (specified using the src-sub-id and dest-sub-id parameters) only when the length of the Type field in the RADIUS attribute is 1 byte.
The device can translate the RADIUS attribute only when the type of the source RADIUS attribute is the same as that of the destination RADIUS attribute. For example, the types of NAS-Identifier and NAS-Port-Id attributes are string, and they can be translated into each other. The types of NAS-Identifier and NAS-Port attributes are string and integer respectively, they cannot be translated into each other.

Example

# Configure the device to translate NAS-Identifier into NAS-Port-Id when sending RADIUS packets.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-server attribute translate
[Huawei-radius-temp1] radius-attribute translate nas-identifier nas-port-id send

# Translate the Cisco No. 2 attribute (vendor ID 9) in Authentication Accept and Accounting Response packets to Huawei No. 155 extended attribute HW-URL-Flag.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-server attribute translate
[Huawei-radius-temp1] radius-attribute translate extend Vendor-Specific 9 2 HW-URL-Flag access-accept account-response

# Translate the Huawei No. 153 extended attribute HW-Access-Type in Authentication Request and Accounting Request packets to Cisco No. 11 attribute.

<Huawei> system-view
[Huawei] radius-server template temp1
[Huawei-radius-temp1] radius-server attribute translate
[Huawei-radius-temp1] radius-attribute translate extend HW-Access-Type vendor-specific 9 11 access-request account-request

radius-reject local

Function

The radius-reject local command configures the device to perform local authentication on administrators if administrators are rejected during RADIUS authentication.

The undo radius-reject local command restores the default configuration.

By default, the device does not perform local authentication on administrators if administrators are rejected during RADIUS authentication.

Format

radius-reject local

undo radius-reject local

Parameters

None

Views

Authentication scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, after the RADIUS server responds to a user with an Access-Reject packet, the authentication process ends and the user fails the authentication. If you want administrators to go online through local authentication after they are rejected during RADIUS authentication, run the radius-reject local command.

Precautions

This function takes effect only for administrators.
The authentication method must be RADIUS authentication+local authentication.

Example

# Configure the device to perform local authentication on administrators if administrators are rejected during RADIUS authentication.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authentication-scheme authen1
[Huawei-aaa-authen-authen1] authentication-mode radius local
[Huawei-aaa-authen-authen1] radius-reject local

radius-server (aaa domain view)

Function

The radius-server command applies a RADIUS server template to a domain.

The undo radius-server command unbinds an RADIUS server template from a domain.

By default, the RADIUS server template default is bound to a configured domain and the domain default, and no RADIUS server template is bound to the domain default_admin.

Format

radius-server template-name

undo radius-server

Parameters

Parameter	Description	Value
template-name	Specifies the name of a RADIUS server template.	The RADIUS server template must already exist.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform RADIUS authentication and accounting for users in a domain, apply a RADIUS server template to the domain. A RADIUS server template takes effect only after the RADIUS server template is applied to a domain.

Prerequisites

A RADIUS server template has been created using the radius-server template command.

Example

# Apply the RADIUS server template template1 to the domain radius1.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] quit
[Huawei] aaa
[Huawei-aaa] domain radius1
[Huawei-aaa-domain-radius1] radius-server template1

radius-server accounting

Function

The radius-server accounting command configures the RADIUS accounting server.

The undo radius-server accounting command deletes the configuration.

By default, no RADIUS accounting server is configured.

Format

radius-server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address } | weight weight-value ] ^*

radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address } | weight weight-value ] ^*

undo radius-server accounting [ ipv4-address [ port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address } | weight ] ^* ] ]

undo radius-server accounting [ ipv6-address [ port [ source { loopback interface-number | ip-address ipv6-address } | weight ] ] ]

Parameters

Parameter	Description	Value
ipv4-address	Specifies the IPv4 address of a RADIUS accounting server.	The value is in dotted decimal notation. It must be a valid unicast address.
ipv6-address	Specifies the IPv6 address of a RADIUS accounting server.	The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
port	Specifies the port number of a RADIUS accounting server.	The value is an integer that ranges from 1 to 65535.
vpn-instance vpn-instance-name	Specifies the name of a VPN instance that the RADIUS accounting server is bound to.	The VPN instance must exist.
source loopback interface-number	Specifies the number of a loopback interface.	The loopback interface must exist.
source ip-address ipv4-address	Specifies the source IPv4 address of a RADIUS accounting server.	The value is a valid unicast address in dotted decimal notation.
source ip-address ipv6-address	Specifies the source IPv6 address of a RADIUS accounting server. This address cannot be a VRRP6 virtual address.	The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
weight weight-value	Specifies the weight of a RADIUS accounting server. When multiple servers are available, the device uses the server with the highest weight to perform accounting. If the servers have the same weights, the device uses the server configured first to perform accounting.	The value is an integer that ranges from 0 to 100.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform accounting for users, configure a RADIUS accounting server. The device communicates with a RADIUS accounting server to obtain accounting information, and performs accounting for users based on the accounting information. The device sends accounting packets to the RADIUS accounting server only after the IP address and port number of the RADIUS accounting server are specified in the RADIUS server template.

Precautions

The IP address of the primary accounting server must be different from the IP address of the secondary accounting server; otherwise, the configuration fails.
When the radius-server algorithm master-backup command has been executed to set the algorithm for selecting RADIUS servers to primary/secondary and both the primary and secondary accounting servers have been configured, the device sends accounting request packets to the secondary accounting server when the following two conditions are met:
1. The primary server does not send any accounting response packet.
2. The maximum number of times that the device retransmits authentication and accounting packets is reached.
For the RADIUS server in Down status, if configuration parameters except weight of the RADIUS server are modified, the server status will change from Down to Up.
The modification of the weight parameter takes effect only for the users who go online after the modification. The users who go online before the modification still send authentication and accounting packets to the selected RADIUS server.

Example

# Configure the primary RADIUS accounting server.

<Huawei> system-view
[Huawei] radius-server template group1
[Huawei-radius-group1] radius-server accounting 10.163.155.12 1813

# Configure the secondary RADIUS accounting server.

<Huawei> system-view
[Huawei] radius-server template group1
[Huawei-radius-group1] radius-server accounting 10.163.155.15 1813 weight 50

radius-server accounting-stop-packet resend

Function

The radius-server accounting-stop-packet resend command enables retransmission of accounting-stop packets and sets the number of accounting-stop packets that can be retransmitted each time.

The undo radius-server accounting-stop-packet resend command disables retransmission of accounting-stop packets.

By default, retransmission of accounting-stop packets is enabled, and the retransmission times is 3.

The default settings are recommended. If accounting-stop packets need to be retransmitted many times, the RADIUS authentication performance of the switch will be affected and even cause a failure to send accounting-stop packets.

Format

radius-server accounting-stop-packet resend [ resend-times ]

undo radius-server accounting-stop-packet resend

Parameters

Parameter	Description	Value
resend-times	Specifies the number of accounting-stop packets that can be retransmitted each time.	The value is an integer that ranges from 0 to 300.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

When accounting-stop packets cannot be sent to the RADIUS server that is unreachable, you can run the radius-server accounting-stop-packet resend command to save the accounting-stop packets in the buffer and send them at the preset intervals until the number of allowed retransmission times is reached or the packets are sent successfully.

Example

# Enable the retransmission of accounting-stop packets and set the number of accounting-stop packets that can be retransmitted each time to 50.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server accounting-stop-packet resend 50

radius-server algorithm

Function

The radius-server algorithm command configures the algorithm for selecting RADIUS servers.

The undo radius-server algorithm command restores the default algorithm for selecting RADIUS servers.

By default, the algorithm for selecting RADIUS servers is the single user-based primary/secondary algorithm.

Format

radius-server algorithm { loading-share | master-backup } [ based-user ]

undo radius-server algorithm

Parameters

Parameter	Description	Value
loading-share	Sets the algorithm for selecting RADIUS servers to load balancing.	-
master-backup	Sets the algorithm for selecting RADIUS servers to primary/secondary.	-
based-user	Sets the algorithm for selecting RADIUS servers to the single user-based algorithm. If this parameter is not specified, the algorithm for selecting RADIUS servers is the packet-based algorithm.	-

Parameter

Description

Value

loading-share

Sets the algorithm for selecting RADIUS servers to load balancing.

master-backup

Sets the algorithm for selecting RADIUS servers to primary/secondary.

based-user

Sets the algorithm for selecting RADIUS servers to the single user-based algorithm.

If this parameter is not specified, the algorithm for selecting RADIUS servers is the packet-based algorithm.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When two or more than two RADIUS servers are available, you can use the radius-server algorithm command to set the algorithm for selecting RADIUS servers.

When master-backup is specified, the weight is used to determine the primary and secondary RADIUS authentication or accounting servers. The server with a larger weight value is the primary server. If devices have the same weight, the server that was first configured is the primary server.
When loading-share is specified, the device sends a packet to a server according to the weights configured on servers. For example, if the weights of RADIUS server A, RADIUS server B, and RADIUS server C are 80, 80, and 40 respectively, the probabilities of sending packets to RADIUS server A, RADIUS server B, and RADIUS server C are as follows:
- RADIUS server A: 80/(80 + 80 + 40) = 40%
- RADIUS server B: 80/(80 + 80 + 40) = 40%
- RADIUS server C: 40/(80 + 80 + 40) = 20%

Authentication server information is saved in the authentication phase. If the authentication server is also the accounting server, accounting requests are first sent to this server in the accounting phase. If the accounting packets of the authentication server are unreachable, the accounting server is reselected in the accounting phase. In this case, authentication and accounting of the same user may be performed on different servers.

Precautions

If you run the radius-server algorithm command multiple times in the same RADIUS server template view, only the latest configuration takes effect.

Example

# Set the algorithm for selecting RADIUS servers to load balancing.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server algorithm loading-share

radius-server attribute message-authenticator access-request

Function

The radius-server attribute message-authenticator access-request command carries the Message-Authenticator attribute in RADIUS authentication packets sent by the device.

The undo radius-server attribute message-authenticator access-request command cancels the Message-Authenticator attribute from RADIUS authentication packets sent by the device.

By default, RADIUS authentication packets do not carry the Message-Authenticator attribute.

Format

radius-server attribute message-authenticator access-request

undo radius-server attribute message-authenticator access-request

Parameters

None

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

The Message-Authenticator attribute is used to identify and verify authentication packets to prevent invalid packets.

This command is used when the PAP or CHAP authentication is enabled.
When EAP authentication is enabled, RADIUS packets contain the Message-Authenticator attribute by default. You do not need to run this command.

Example

# Configure the Message-Authenticator attribute to RADIUS authentication packets.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server attribute message-authenticator access-request

radius-server attribute translate

Function

The radius-server attribute translate command enables RADIUS attribute translation.

The undo radius-server attribute translate command disables RADIUS attribute translation.

By default, RADIUS attribute translation is disabled.

Format

radius-server attribute translate

undo radius-server attribute translate

Parameters

None

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Follow-up Procedure

After RADIUS attribute translation is enabled, perform either of the following operations to make the function to take effect:

Run the radius-attribute translate command to specify the RADIUS attributes that you want to translate.
Run the radius-attribute disable command to specify the RADIUS attributes that you do not want to translate.

Example

# Enable RADIUS attribute translation.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server attribute translate

radius-server authentication

Function

The radius-server authentication command configures a RADIUS authentication server.

The undo radius-server authentication command deletes the configured RADIUS authentication server.

By default, no RADIUS authentication server is specified.

Format

radius-server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address } | weight weight-value ] ^*

radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address } | weight weight-value ] ^*

undo radius-server authentication [ ipv4-address [ port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address } | weight ] ^* ] ]

undo radius-server authentication [ ipv6-address [ port [ source { loopback interface-number | ip-address ipv6-address } | weight ] ] ]

Parameters

Parameter	Description	Value
ipv4-address	Specifies the IPv4 address of a RADIUS authentication server.	The value is a valid unicast address in dotted decimal notation.
ipv6-address	Specifies the IPv6 address of a RADIUS authentication server.	The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
port	Specifies the port number of a RADIUS authentication server.	The value is an integer that ranges from 1 to 65535.
vpn-instance vpn-instance-name	Specifies the name of a VPN instance that the RADIUS authentication server is bound to.	The VPN instance must already exist.
source loopback interface-number	Specifies the IP address of the loopback interface taken as the source IP address. interface-number specifies the number of a loopback interface.	The loopback interface must already exist.
source ip-address ipv4-address	Specifies the source IPv4 address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is not specified, the IPv4 address of the outbound interface is used as the source IPv4 address in RADIUS packets sent from the device to a RADIUS authentication server.	The value is a valid unicast address in dotted decimal notation.
source ip-address ipv6-address	Specifies the source IPv6 address in RADIUS packets sent from the device to a RADIUS authentication server. If this parameter is not specified, the IPv6 address of the outbound interface is used as the source IPv6 address in RADIUS packets sent from the device to a RADIUS authentication server. This address cannot be a VRRP6 virtual address.	The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
weight weight-value	Specifies the weight of a RADIUS authentication server. When multiple servers are available, the device uses the server with the highest weight to perform authentication. If the servers have the same weights, the device uses the server configured first to perform authentication.	The value is an integer that ranges from 0 to 100. The default value is 80.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To perform RADIUS authentication, configure a RADIUS authentication server in a RADIUS server template. The device uses the RADIUS protocol to communicate with a RADIUS authentication server to obtain authentication information, and authenticates users based on the authentication information. The device sends authentication packets to the RADIUS authentication server only after the IP address and port number of the RADIUS authentication server are specified in the RADIUS server template.

When the radius-server algorithm master-backup command has been executed to set the algorithm for selecting RADIUS servers to primary/secondary and both the primary and secondary authentication servers have been configured, the device sends authentication request packets to the secondary authentication server when the following two conditions are met:

The primary authentication server does not send any authentication response packet.
The maximum number of times that the device retransmits authentication request packets is reached.

Precautions

For the RADIUS server in Down status, if configuration parameters except weight of the RADIUS server are modified, the server status will change from Down to Up.
If an interface connecting the device to a server has multiple IP addresses configured and can communicate with the server only through some of these IP addresses, one IP address among these reachable IP addresses needs to be specified as the source IP address based on the routing table to ensure that the device can communicate with the server.
The modification of the weight parameter takes effect only for the users who go online after the modification. The users who go online before the modification still send authentication and accounting packets to the selected RADIUS server.
You are advised to configure different RADIUS servers for the source VLANIF interface, source IP address, and source loopback interface and bind the servers to the same RADIUS template. Otherwise, the device creates multiple RADIUS servers even if the source and destination IP addresses of RADIUS request packets sent by different RADIUS templates are the same. As a result, only the first created RADIUS server receives RADIUS response packets, while other RADIUS servers cannot. To check the RADIUS server configuration, run the display radius-server item ip-address { ipv4-address | ipv6-address } authentication command.

Example

# Configure the IP address of the primary RADIUS authentication server to 10.163.155.13 and the port number to 1812.

<Huawei> system-view
[Huawei] radius-server template group1
[Huawei-radius-group1] radius-server authentication 10.163.155.13 1812

# Configure the IP address of the secondary RADIUS authentication server to 10.163.155.15, the port number to 1812 and the weigh to 50.

<Huawei> system-view
[Huawei] radius-server template group1
[Huawei-radius-group1] radius-server authentication 10.163.155.15 1812 weight 50

radius-server authorization

Function

The radius-server authorization command configures the RADIUS authorization server.

The undo radius-server authorization command deletes the configured RADIUS authorization server.

By default, no RADIUS authorization server is configured.

Format

radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name shared-key cipher key-string | shared-key cipher key-string [ server-group group-name ] } [ protect enable ]

undo radius-server authorization { all | ip-address [ vpn-instance vpn-instance-name ] }

Parameters

Parameter	Description	Value
ip-address	Specifies the IP address of a RADIUS authorization server.	The value is a unicast address in dotted decimal notation.
vpn-instance vpn-instance-name	Specifies the name of a VPN instance that the RADIUS authorization server is bound to.	The value is a string of 1 to 31 case-sensitive characters.
server-group group-name	Specifies the name of a RADIUS group corresponding to a RADIUS server template.	The value is a string of 1 to 32 characters, including letters (case-sensitive), numerals (0 to 9), periods (.), hyphens (-), and underscores (_). The value cannot be - or --.
shared-key cipher key-string	Specifies the shared key of a RADIUS server.	The value is a case-sensitive character string without spaces or question marks (?). key-string can be a string of 1 to 128 characters in plaintext or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in ciphertext.
protect enable	Enables the security hardening function.	-
all	Deletes all RADIUS authorization servers.	-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An independent RADIUS authorization server can be used to authorize online users. RADIUS provides two authorization methods: Change of Authorization (CoA) and Disconnect Message (DM).

CoA: After a user is successfully authenticated, you can modify the rights of the online user through the RADIUS authorization server. For example, a VLAN ID can be delivered to access users of a certain department through CoA packets, so that they belong to the same VLAN no matter which interfaces they connect to.
DM: The administrator can forcibly disconnect a user through the RADIUS authorization server.

After the parameters such as IP address and shared key are configured for the RADIUS authorization server, the device can receive authorization requests from the server and grant rights to users according to the authorization information. After authorization is complete, the device returns authorization response packets carrying the results to the server.

After the security hardening function is enabled by specifying the protect enable parameter, the following occurs:

When a CoA or DM request packet carries the Message-Authenticator attribute, the device checks the Message-Authenticator attribute. If the check fails, the device discards the request packet and does not respond the packet. If the check succeeds, the device sends a CoA or DM response packet (ACK or NAK) that carries the Message-Authenticator attribute.
When a CoA or DM request packet does not carry the Message-Authenticator attribute, the device does not check the attribute and sends a CoA or DM response packet (ACK or NAK) that does not carry the Message-Authenticator attribute.

When a CoA or DM request packet carries the Message-Authenticator attribute, if the radius-attribute disable message-authenticator receive command is configured, the device does not check the attribute and sends a response packet that does not carry the Message-Authenticator attribute; if the radius-attribute disable message-authenticator send command is configured, the device sends a response packet that does not carry the Message-Authenticator attribute even if the attribute check succeeds.

Precautions

To improve security, it is recommended that the password contains at least three types of lower-case letters, upper-case letters, numerals, and special characters, and contains at least 16 characters.

You also need to run the radius-server authorization server-source command to configure an IPv4 address for receiving and responding to request packets of a RADIUS authorization server so that the function of the RADIUS authorization server can take effect.

During the configuration of this command, the weak password verification function is added to check whether a password is weak. If the password is weak, the command fails to be executed.

Example

# Specify a RADIUS authorization server.

<Huawei> system-view
[Huawei] radius-server authorization 10.1.1.116 shared-key cipher YsHsjx_202206

radius-server authorization server-source

Function

The radius-server authorization server-source command configures an IPv4 address for receiving and responding to request packets of a RADIUS authorization server.

The undo radius-server authorization server-source command restores the default setting.

By default, the device does not receive or respond to any request packet of a RADIUS authorization server.

Format

radius-server authorization server-source { ip-address ip-address | all-interface }

undo radius-server authorization server-source { ip-address ip-address | all-interface | all }

Parameters

Parameter	Description	Value
ip-address ip-address	Specifies an IPv4 address.	The value is in dotted decimal notation.
all-interface	Specifies the IPv4 address as 0.0.0.0. That is, the device receives and responds to request packets of a RADIUS authorization server through any IPv4 address.	-
all	Indicates all IPv4 addresses specified by ip-address ip-address.	-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, no IPv4 address can be used to receive or respond to request packets of the RADIUS authorization server. When the device needs to establish a connection with a RADIUS authorization server, you can run the radius-server authorization server-source command to specify an IPv4 address for the device to receive and respond to request packets of the RADIUS authorization server.

Precautions

After you run this command to configure an IPv4 address for the device to receive and respond to request packets of a RADIUS authorization server, the RADIUS authorization server can communicate with the device only through this IPv4 address. Ensure that the RADIUS authorization server can communicate with the device through this IPv4 address at Layer 3.
After the radius-server authorization server-source all-interface command is run, the device receives and responds to request packets of a RADIUS authorization through any IPv4 address, which increases system security risks. Therefore, you are advised not to run this command.
After the radius-server authorization server-source all-interface command is run, all the configurations of the radius-server authorization server-source ip-address ip-address command are cleared.
If the radius-server authorization server-source all-interface command has been configured on the device, the radius-server authorization server-source ip-address ip-address command configured later does not take effect.

Example

# Specify 10.1.1.1 as the IPv4 address used to receive and respond to request packets of a RADIUS authorization server.

<Huawei> system-view
[Huawei] radius-server authorization server-source ip-address 10.1.1.1

radius-server authorization attribute-decode-sameastemplate

Function

The radius-server authorization attribute-decode-sameastemplate command configures the device to parse RADIUS dynamic authorization packet attributes based on the configuration in RADIUS server template.

The undo radius-server authorization attribute-decode-sameastemplate command restores the default method of parsing RADIUS authorization packet attributes.

By default, the device parses the MAC address in the calling-station-id attribute carried in RADIUS dynamic authorization packets based on the MAC address length, without considering the MAC address format and delimiter.

Format

radius-server authorization attribute-decode-sameastemplate

undo radius-server authorization attribute-decode-sameastemplate

Parameters

None.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device parses the MAC address in the Calling-Station-Id attribute in RADIUS dynamic authorization packets. By default, the MAC address format that can be parsed is configured using the radius-server authorization calling-station-id decode-mac-format command in the system view. When the device is connected to multiple RADIUS servers, the MAC address formats are different in the Calling-Station-Id attribute in dynamic authorization packets sent by different RADIUS servers. In this case, the MAC address may fail to be parsed if the same parse mode is used, resulting in that the device fails to be connected to some RADIUS servers. You can run the radius-server authorization attribute-decode-sameastemplate command to configure the device to parse RADIUS dynamic authorization packet attributes based on the Calling-Station-Id attribute encapsulation mode configured in each RADIUS server template, making the device be successfully connected to multiple RADIUS servers.

Prerequisites

This function is used to make the Calling-Station-Id attribute parse mode the same as the Calling-Station-Id attribute encapsulation mode configured in RADIUS server template. Therefore, make sure that the following steps have been performed before using this function.

The calling-station-id mac-format command has been run in the RADIUS server template view to configure the encapsulation mode of the MAC address in the Calling-Station-Id attribute.
The radius-server authorization command has been run in the system view to configure the authorization server to use the RADIUS server template server-group.

If the RADIUS server template used by the authorization server is not specified, this function cannot be implemented on a device. You can run the radius-server authorization calling-station-id decode-mac-format command in the system view to configure the Calling-Station-Id attribute parse mode.

Precautions

The configuration in a RADIUS server template has a higher priority than the global configuration.

Example

# Configure the RADIUS authorization server to parse attributes depending on the configuration in a RADIUS template.

<Huawei> system-view
[Huawei] radius-server authorization attribute-decode-sameastemplate

radius-server authorization attribute-encode-sameastemplate

Function

The radius-server authorization attribute-encode-sameastemplate command configures a device to encapsulate attributes in the COA or DM Response packet based on the configurations in the RADIUS server template.

The undo radius-server authorization attribute-encode-sameastemplate command restores the default setting.

By default, a device is not configured to encapsulate attributes in the COA or DM Response packet based on the configurations in the RADIUS server template.

Format

radius-server authorization attribute-encode-sameastemplate

undo radius-server authorization attribute-encode-sameastemplate

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The attribute match check function is configured on the RADIUS servers of some vendors. The attribute match check succeeds and the RADIUS server successfully interconnects with a device to implement dynamic authorization or offline operations only when the attribute encapsulation formats in the COA or DM Response packet received by the RADIUS server are the same as those parsed from the RADIUS authentication Response packets. The RADIUS server encapsulates the attributes parsed from the RADIUS Response packet based on the configurations in the RADIUS server template. To ensure that the attribute formats in the COA or DM Response packet are the same as those parsed by the RADIUS server from the RADIUS packet, you can run the radius-server authorization attribute-encode-sameastemplate command to configure the device to encapsulate attributes in the COA or DM Response packet based on the configurations in the RADIUS server template, so that the device is successfully interconnected with the RADIUS server.

Attributes whose encapsulation formats need to be configured in the COA or DM Response packet include Calling-Station-Id (31), NAS-IP-Address (4), and User-Name (1).

Precautions

This function is used to configure the encapsulation modes of the Calling-Station-Id (31), NAS-IP-Address (4), and User-Name (1) attributes in the COA or DM Response packet to be the same as those configured in the RADIUS server template. Therefore, perform the following steps before using this function.
1. Configure the encapsulation modes of attributes in the RADIUS server template view.
  - Run the calling-station-id mac-format command to configure the encapsulation mode of the MAC address in the Calling-Station-Id attribute.
  - Run the radius-attribute nas-ip command to configure the NAS-IP-Address attribute in a RADIUS packet sent from an NAS.
  - Run the radius-server user-name domain-included command to configure whether the user name carried in the RADIUS packet contains a domain name.
2. Run the radius-server authorization command in the system view to configure the authorization server to use the RADIUS server template server-group.
After this function is configured, the priority of the NAS IP address in the NAS-IP-Address (4) attribute is as follows: NAS IP address configured in the RADIUS server template>source IP address configured on the accounting server>source IP address configured on the authentication server>destination IP address of the Request packet
If the radius-server authorization attribute-encode-sameastemplate command is not configured, no RADIUS server template is bound to the authorization server, or no attribute format configuration exists in the RADIUS server template, the formats of COA or DM response packets are as follows:
- MAC address in the Calling-Station-Id (31) attribute: The MAC address is encapsulated in the default format XXXXXXXXXXXX.
- NAS IP address in the NAS-IP-Address (4) attribute: destination IP address in the Request packet
- User name in the User-Name (1) attribute: The user name in the Request packet is used.

Example

# Configure the RADIUS authorization server to parse attributes based on the configurations in the RADIUS server template.

<Huawei> system-view
[Huawei] radius-server authorization attribute-encode-sameastemplate

radius-server authorization calling-station-id decode-mac-format

Function

The radius-server authorization calling-station-id decode-mac-format command sets the format of MAC address that can be parsed by a device in the calling-station-id (Type 31) attribute carried in RADIUS authorization packets.

The undo radius-server authorization calling-station-id decode-mac-format command restores the default format of the MAC address in the calling-station-id (Type 31) attribute.

By default, the device parses the MAC address in the calling-station-id attribute carried in RADIUS dynamic authorization packets into ASCII format, and the MAC address does not contain separators. In addition, the device parses the MAC address in the calling-station-id attribute carried in RADIUS dynamic authorization packets based on the MAC address length, without considering the MAC address format and delimiter.

Format

radius-server authorization calling-station-id decode-mac-format { bin | ascii { unformatted | { dot-split | hyphen-split } [ common | compress ] } }

undo radius-server authorization calling-station-id decode-mac-format

Parameters

Parameter	Description	Value
bin	Indicates that the MAC address in the calling-station-id attribute uses the binary format.	-
ascii	Indicates that the MAC address in the calling-station-id attribute uses the ASCII format.	-
unformatted	Indicates that no separator is used in the MAC address in the calling-station-id field.	-
dot-split	Indicates that dots are used as the separators in MAC address.	-
hyphen-split	Indicates that the hyphens are used as the separators in MAC address.	-
common	Indicates that the MAC address in the calling-station-id attribute uses the xx-xx-xx-xx-xx-xx or xx.xx.xx.xx.xx.xx format.	-
compress	Indicates that the MAC address in the calling-station-id attribute uses the xxxx-xxxx-xxxx or xxxx.xxxx.xxxx format.	-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, the MAC address format in the calling-station-id attribute carried in RADIUS dynamic authorization packets is xxxxxxxxxxxx. If the MAC address format in the calling-station-id attribute sent by the RADIUS server is not the default format used on the device, run the radius-server authorization calling-station-id decode-mac-format command to change the MAC address format on the device.

When a device connects to multiple RADIUS servers, the RADIUS servers may send MAC addresses in different formats in the calling-station-id attribute to the device. You need to run the radius-server authorization attribute-decode-sameastemplate command to configure the device to parse the RADIUS authorization packet attributes based on the configuration in RADIUS server template, so that the device can work with these RADIUS servers.

Precautions

The configuration in a RADIUS server template has a higher priority than the global configuration.

Example

# Set the format of MAC address that can be parsed by the device in the calling-station-id attribute to binary.

<Huawei> system-view
[Huawei] radius-server authorization calling-station-id decode-mac-format bin

radius-server authorization match-type

Function

The radius-server authorization match-type command configures the method in which the device checks whether the RADIUS attributes in the received CoA or DM Request packet match user information on the device.

The undo radius-server authorization match-type command restores the default setting.

By default, a device checks whether the RADIUS attributes in the received CoA or DM Request packet match user information on the device using the any method, namely, the device checks whether a specific RADIUS attribute in the received CoA or DM Request packet matches user information on the device.

Format

radius-server authorization match-type { any | all }

undo radius-server authorization match-type

Parameters

Parameter	Description	Value
any	Indicates that the device checks whether a specified attribute matches user information on the device.	-
all	Indicates that the device checks whether all attributes match user information on the device.	-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A device checks whether the RADIUS attributes in the CoA or DM Request packet match user information on the device to identify users in the following two methods:

any method: The device checks whether an attribute matches user information on the device. The priority of identifying the RADIUS attributes used by the users is as follows: Acct-Session-ID (44) > Calling-Station-Id (31) > Framed-IP-Address (8). The device searches for the attributes in the Request packet based on the priority, and matches the first found attribute against user information on the device. If the attribute is successfully matched, the device responds with an ACK packet; otherwise, the device responds with a NAK packet.
all method: The device checks whether all attributes match user information on the device. It identifies the following RADIUS attributes used by users in the listed order: Acct-Session-ID (44), Calling-Station-Id (31), Framed-IP-Address (8), and User-Name (1). The device matches one or more of the preceding attributes in the Request packet against user information on the device. If all the attributes are successfully matched, the device responds with an ACK packet; otherwise, the device responds with a NAK packet.

Precautions

When the RADIUS attribute translation function is configured in the RADIUS template using the radius-attribute translate command, the match will fail.

Currently, the any method supports only the Acct-Session-ID (44), Calling-Station-Id (31), and Framed-IP-Address (8) attributes. The device does not match other attributes against user information on the device.

Example

# Configure the device to check whether all RADIUS attributes in the received CoA or DM Request packet match user information on the device.

<Huawei> system-view
[Huawei] radius-server authorization match-type all

radius-server dead-interval dead-count detect-cycle

Function

The radius-server dead-interval dead-count detect-cycle command configures the RADIUS server detection interval, number of times the detection interval cycles, and maximum number of consecutive unacknowledged packets in each detection interval.

The undo radius-server dead-interval dead-count detect-cycle command restores the default settings.

By default, the RADIUS server detection interval is 5 seconds, the number of times the detection interval cycles is 2, and the maximum number of consecutive unacknowledged packets in each detection interval is 2.

Format

radius-server { dead-interval dead-interval | dead-count dead-count | detect-cycle detect-cycle }

undo radius-server { dead-interval | dead-count | detect-cycle }

Parameters

Parameter	Description	Value
dead-interval	Specifies the RADIUS server detection interval.	The value is an integer that ranges from 1 to 300, in seconds.
dead-count	Specifies the maximum number of consecutive unacknowledged packets in each detection interval.	The value is an integer that ranges from 1 to 65535.
detect-cycle	Specifies the number of times the detection interval cycles.	The value is an integer that ranges from 1 to 5.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the system starts, the RADIUS server status detection timer runs. The device sets the RADIUS server status to Up. When the device sends a RADIUS request packet to the RADIUS server, if the conditions for setting the RADIUS server status to Down are met, the device sets the RADIUS server status to Down; if the conditions are not met, the RADIUS server status remains to be Up.

If the device does not receive any response packet from the RADIUS server after sending the first RADIUS Access-Request packet to the server and the condition that the number of times the device does not receive any response packet from the server (n) is greater than or equal to the maximum number of consecutive unacknowledged packets (dead-count) is met in a detection interval, a communication interruption is recorded. If the device still does not receive any response packet from the RADIUS server, the device sets the RADIUS server status to Down when recording the communication interruption for the same times as the detection interval cycles.

Precautions

If the device has reported a RADIUS server Up alarm and needs to report a RADIUS server Down alarm, the device will send the Down alarm 10 seconds after the Up alarm is sent, even if the RADIUS server Down detection interval is shorter than 10 seconds (for example, the value of dead-interval is set to 4 seconds, and the RADIUS server Down detection interval is 8 seconds). This function prevents frequent alarm sending.
You are advised to set the RADIUS server detection interval, maximum number of consecutive unacknowledged packets in each detection interval, and number of times the detection interval cycles to be greater than the default values on the device to prevent the RADIUS server status from being set to Down.
To check the RADIUS server status, run the display radius-server configuration command. If the RADIUS server status is Down, the device records logs and alarms. For details about logs, see RDS/4/RDAUTHDOWN. For details about alarms, see RDS_1.3.6.1.4.1.2011.5.25.40.15.2.2.1.2 hwRadiusAuthServerDown.

Example

# Set the RADIUS server detection interval to 10 seconds, number of times the detection interval cycles to 2, and maximum number of consecutive unacknowledged packets in each detection interval to 2.

<Huawei> system-view
[Huawei] radius-server dead-interval 10
[Huawei] radius-server dead-count 2 [Huawei] radius-server detect-cycle 2

radius-server detect-server interval

Function

The radius-server detect-server interval command configures an automatic detection interval for RADIUS servers in Down status.

The undo radius-server detect-server interval command restores the default settings.

The default automatic detection interval is 60 seconds.

Format

radius-server detect-server interval interval

undo radius-server detect-server interval

Parameters

Parameter	Description	Value
interval	Specifies the automatic detection interval for RADIUS servers in Down status.	The value is an integer that ranges from 5 to 3600, in seconds.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

After the automatic detection function is enabled using the radius-server testuser command, you can run the radius-server detect-server interval command to adjust the automatic detection interval for RADIUS servers in Down status.

Example

# Set the automatic detection interval for RADIUS servers in Down status to 100 seconds in the RADIUS server template acs.

<Huawei> system-view
[Huawei] radius-server template acs
[Huawei-radius-acs] radius-server detect-server interval 100

radius-server detect-server timeout

Function

The radius-server detect-server timeout command configures the timeout period for RADIUS detection packets.

The undo radius-server detect-server timeout command restores the default settings.

By default, the timeout period for RADIUS detection packets is 3 seconds.

Format

radius-server detect-server timeout timeout

undo radius-server detect-server timeout

Parameters

Parameter	Description	Value
timeout	Specifies the timeout period for RADIUS detection packets.	The value is an integer that ranges from 1 to 10, in seconds.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the automatic detection function is enabled using the radius-server testuser command and the device sends detection packets to the RADIUS server, the device determines whether to switch the RADIUS server status based on whether it receives response packets from the RADIUS server within the timeout period. The following table lists the switchover conditions.

After the automatic detection function is enabled, automatic detection is classified into the following conditions depending on differences of the RADIUS server status.

Server Status	Whether Automatic Detection Is Supported	Time When an Automatic Detection Packet Is Sent	Condition for Switching the Server Status
Down	Automatic detection is supported by default.	An automatic detection packet is sent after the automatic detection period expires.	If the device receives a response packet from the RADIUS server within the timeout period for detection packets, the device marks the RADIUS server status as Up; otherwise, the RADIUS server status remains Down.
Up	Automatic detection can be enabled using the radius-server detect-server up-server interval command.	An automatic detection packet is sent after the automatic detection period expires.	If the conditions for marking the RADIUS server status as Down are met, the device marks the RADIUS server status as Down; otherwise, the RADIUS server status remains Up.
Force-up	Automatic detection is supported by default.	An automatic detection packet is sent immediately.	If the device receives a packet from the RADIUS server within the timeout period, the device marks the RADIUS server status as Up; otherwise, the device marks the RADIUS server status as Down.

On a large-scale network, you are advised not to enable automatic detection for RADIUS servers in Up state. This is because if automatic detection is enabled on multiple NAS devices, the RADIUS server periodically receives a large number of detection packets when processing RADIUS Access-Request packets source from users, which may deteriorate processing performance of the RADIUS server.

After the radius-server testuser command is configured, the dead-time timer configured using the radius-server dead-time command does not take effect.

Precautions

You can run the radius-server detect-server timeout command to adjust the timeout period for RADIUS detection packets based on the actual response rate of the RADIUS server. You are advised to set a timeout period for RADIUS detection packets smaller than the automatic detection interval to prevent the device from sending a detection packet again before completing processing the response packet from the RADIUS server. If the configured timeout period for RADIUS detection packets is longer than the automatic detection interval, the smaller value of the two is used as the timeout period.

For the RADIUS server in Down state, the smaller one between the values configured using the radius-server detect-server timeout and radius-server detect-server interval commands is the timeout period for detection packets.
For the RADIUS server in Up state, the smaller one between the values configured using the radius-server detect-server timeout and radius-server detect-server up-server interval command is the timeout period for detection packets.

Example

# Set the timeout period for RADIUS detection packets to 5 seconds in the RADIUS server template acs.

<Huawei> system-view
[Huawei] radius-server template acs
[Huawei-radius-acs] radius-server detect-server timeout 5

radius-server detect-server up-server interval

Function

The radius-server detect-server up-server interval command enables automatic detection for RADIUS servers in Up status and configures the automatic detection interval.

The undo radius-server detect-server up-server interval command restores the default settings.

By default, a device does not automatically detect RADIUS servers in Up status.

Format

radius-server detect-server up-server interval interval

undo radius-server detect-server up-server interval

Parameters

Parameter	Description	Value
interval	Specifies the automatic detection interval for RADIUS servers in Up status.	The value is an integer that ranges from 0 or 2 to 3600, in seconds. The value 0 indicates that the device does not automatically detect RADIUS servers in Up status.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After automatic detection is enabled using the radius-server testuser command, the device automatically detects only RADIUS servers in Down status by default. To make the device automatically detect RADIUS servers in Up status, run the radius-server detect-server up-server interval command to enable automatic detection for RADIUS servers in Up status and configure the automatic detection interval.

Precautions

Example

# Enable automatic detection for RADIUS servers in Up status and set the automatic detection interval to 100 seconds in the RADIUS server template acs.

<Huawei> system-view
[Huawei] radius-server template acs
[Huawei-radius-acs] radius-server detect-server up-server interval 100

radius-server format-attribute

Function

The radius-server format-attribute command configures the format of the NAS-Port attribute.

The undo radius-server format-attribute command deletes the configured attribute format.

By default, the format of the NAS-Port attribute is new.

Format

radius-server format-attribute nas-port nas-port-sting [ decimal ]

undo radius-server format-attribute nas-port

Parameters

Parameter	Description	Value
nas-port nas-port-sting	Specifies the format of the NAS-Port attribute. In the nas-port-string parameter in binary format: The keywords s, t, p, o, and i indicate slot, subslot, port, out-vlan (qinqvlan)/vpi, and vlan (user-vlan)/vci respectively. The keywords n and z are used as paddings. The keyword n indicates 1 and the keyword z indicates 0. The keywords s, t, p, o, and i must be followed by numbers, and the numbers must range from 1 to 32. The keywords s, t, p, o, and i can appear in the format string only once. The keywords s, t, p, o, i, n, and z must range from 1 to 9. n and z can appear multiple times at any position. They are followed by numbers. For example, n12 indicates that this position is filled in with twelve 1s, and z12 indicates that this position is filled in with twelve 0s. The character string must contain 32 bits. The format string must start with s, t, p, o, i, n, or z and end with a number. If no VLAN exists, you can add n or z before o or i to indicate whether this position is filled in with 0s or 1s. That is, n and z can be followed by numbers, o, or i in this case, and the numbers must range from 1 to 32. To specify the format string, determine the interface type, and then determine the encapsulation type of the interface. If the format string does not contain o or i, the NAS-Port attribute does not contain the QinQ VLAN or user VLAN field. If the format string contains o or i but no outer VLAN exists, the outer VLAN field is filled in with 0s. If n is added before o or i, this field is filled in with 1s when no outer VLAN or inner VLAN exists. In the nas-port-string parameter in decimal format: The keywords s, t, p, o, and i indicate slot, subslot, port, out-vlan (qinqvlan)/vpi, and vlan (user-vlan)/vci respectively. The keywords s, t, p, o, and i must be followed by a number ranging from 1 to 9. Each keyword can appear only once. If s, t, p, o, and i is followed by a number, the first number must range from 1 to 9 and cannot be 0. The string can contain at most 9 digits. The string must start with s, t, p, o, or i and end with a number. If no VLAN exists, this field is filled in with 0. In the decimal string, this field cannot be filled in with 1. To specify the format string, determine the interface type, and then determine the encapsulation type of the interface. If the format string does not contain o or i, the NAS-Port attribute does not contain the QinQ VLAN or user VLAN field. If the format string contains o or i but no outer VLAN exists, the outer VLAN field is filled in with 0 by default. If no VLAN exists, both the inner and outer VLAN fields are filled in with 0 by default.	The value is a character string. When the nas-port-string parameter is in binary format, the value is a string of 1 to 32 characters. When the nas-port-string parameter is in decimal format, the value is a string of 1 to 9 characters.
decimal	Indicates that nas-port-string is in decimal format. If this parameter is not specified, nas-port-string is in binary format.	-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

The NAS port format affects the information about the physical port. The NAS port format can be used by the RADIUS server to process services, such as binding the user name and port. This attribute is developed by Huawei, which is used to ensure connectivity and service cooperation among Huawei devices.

If the radius-server nas-port-format command sets the format of the NAS-Port attribute to new (the default format is new), the device will check whether the radius-server format-attribute nas-port command configuration exists. If so, the device will assemble the NAS-Port attribute in the format configured by the radius-server format-attribute nas-port command. If no, the device will assemble the NAS-Port attribute in the new format. If the radius-server nas-port-format command sets the format of the NAS-Port attribute to old, the device will assemble the NAS-Port attribute in the old format, regardless of whether the radius-server format-attribute nas-port command configuration exists.

Example

# Configure the format of the NAS-Port attribute to s2t2p6no10ni12 in binary format. That is, the NAS-Port attribute consists of a 2-bit slot field, a 2-bit subslot field, a 6-bit port field, a 10-bit outer VLAN field, and a 12-bit inner VLAN field. If the outer VLAN does not exist, this field is filled in with ten 1s. If the inner VLAN does not exist, this field is filled in with twelve 1s. Therefore, the NAS-port attribute contains 32 bits.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server format-attribute nas-port s2t2p6no10ni12

# Configure the format of the NAS-Port attribute to s1t1p2o1i1 in decimal format. That is, the NAS-Port attribute consists of a 1-bit slot field, a 1-bit subslot field, a 2-bit port field, a 1-bit outer VLAN field, and a 1-bit inner VLAN field. If the outer VLAN does not exist, this field is filled in with 0. If the inner VLAN does not exist, this field is filled in with 0.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server format-attribute nas-port s1t1p2o1i1 decimal

radius-server framed-ip-address no-user-ip enable

Function

The radius-server framed-ip-address no-user-ip enable command enables the device to encapsulate the RADIUS attribute Framed-IP-Address into a RADIUS authentication request packet when the RADIUS authentication request packet sent by a user does not carry the user IP address.

The undo radius-server framed-ip-address no-user-ip enable command disables the device from encapsulating the RADIUS attribute Framed-IP-Address into a RADIUS authentication request packet when the RADIUS authentication request packet sent by a user does not carry the user IP address.

By default, the device does not encapsulate the RADIUS attribute Framed-IP-Address into a RADIUS authentication request packet when the RADIUS authentication request packet sent by a user does not carry the user IP address.

Format

radius-server framed-ip-address no-user-ip enable

undo radius-server framed-ip-address no-user-ip enable

Parameters

None

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

In MAC address authentication triggered through DHCP packets, a user can obtain an IP address only after being successfully authenticated. The RADIUS authentication request packet sent by the user does not carry the IP address of the user. By default, the device does not encapsulate the RADIUS attribute Framed-IP-Address into the RADIUS authentication request packet sent by the user when forwarding the packet. If the RADIUS server connected to the device requires that the received RADIUS authentication request packets contain the RADIUS attribute Framed-IP-Address, run the radius-server framed-ip-address no-user-ip enable command. Then the device uses the IP address 0.0.0.0 to encapsulate the RADIUS attribute Framed-IP-Address when receiving the RADIUS authentication request packets that do not contain the user IP address.

Example

# Enable the device to encapsulate the RADIUS attribute Framed-IP-Address into a RADIUS authentication request packet when the RADIUS authentication request packet sent by a user does not carry the user IP address.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server framed-ip-address no-user-ip enable

radius-server hw-ap-info-format include-ap-ip

Function

The radius-server hw-ap-info-format include-ap-ip command configures the AP's IP address carried in Huawei extended attribute HW-AP-Information.

The undo radius-server hw-ap-info-format command restores the default setting.

By default, Huawei extended attribute HW-AP-Information does not carry AP's IP address.

Format

radius-server hw-ap-info-format include-ap-ip

undo radius-server hw-ap-info-format

Parameters

None

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

RADIUS is a fully extensible protocol. Device vendors can expand the No. 26 attribute defined in the protocol to implement functions not supported by standard RADIUS attributes. Huawei defines the No. 141 sub-attribute (HW-AP-Information) in the No. 26 attribute to indicate AP information, including the MAC and IP addresses of an AP. The HW-AP-Information attribute is carried in the authentication or accounting request packet send by a device, so that the RADIUS server can use the AP's MAC and IP addresses as the filter criterion to select a policy template to be delivered.

When an AP's IP address is carried in the HW-AP-Information attribute, the encapsulation format of the attribute is AP-MAC AP-IP.

Example

#Configure the AP's IP address in Huawei extended attribute HW-AP-Information.

<Huawei> system-view
[Huawei] radius-server template test
[Huawei-radius-test] radius-server hw-ap-info-format include-ap-ip

radius-server max-unresponsive-interval

Function

The radius-server max-unresponsive-interval command displays the maximum interval during which the RADIUS server does not respond.

The undo radius-server max-unresponsive-interval command restores the default setting.

By default, the maximum interval during which the RADIUS server does not respond is 300 seconds.

Format

radius-server max-unresponsive-interval interval

undo radius-server max-unresponsive-interval

Parameters

Parameter	Description	Value
interval	Specifies the maximum interval during which the RADIUS server does not respond.	The value is an integer in the range of 10 to 7200, in seconds.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the user access frequency is low and the device receives only a few authentication request packets sourced from users, the device cannot detect the RADIUS server status by periodically detecting authentication request packets. In this case, you can configure the function of setting the RADIUS server status to Down if no response is received from the server for a long period of time to ensure that users can obtain escape authorization. When the interval between two consecutive unresponded authentication request packets is greater than the interval configured using the max-unresponsive-interval command, the RADIUS server is set to Down.

Precautions

To check the RADIUS server status, run the display radius-server configuration command. If the RADIUS server status is Down, the device records logs and alarms. For details about logs, see RDS/4/RDAUTHDOWN. For details about alarms, see RDS_1.3.6.1.4.1.2011.5.25.40.15.2.2.1.2 hwRadiusAuthServerDown.

Example

# Set the maximum interval during which the RADIUS server does not respond to 100s.

<Huawei> system-view
[Huawei] radius-server max-unresponsive-interval 100

radius-server nas-identifier-format

Function

The radius-server nas-identifier-format command sets the encapsulation format of the NAS-Identifier attribute.

The undo radius-server nas-identifier-format command restores the default encapsulation format of the NAS-Identifier attribute.

By default, the NAS-Identifier attribute encapsulation format is the NAS device's hostname.

Format

radius-server nas-identifier-format { hostname | vlan-id | ap-info }

undo radius-server nas-identifier-format

Parameters

Parameter	Description	Value
hostname	Sets the encapsulation format of NAS-Identifier to the NAS device's host name.	-
vlan-id	Sets the encapsulation format of NAS-Identifier to a user's VLAN ID.	-
ap-info	Sets the encapsulation format of NAS-Identifier to the AP's MAC address.	-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

A RADIUS server uses the NAS-Identifier attributes to identify NASs. The NASs also use the NAS-Identifier attributes carried in the sent RADIUS packets to identify themselves.

When the RADIUS server interconnected with the device requires that the NAS-Identifier attribute value is the MAC address of the AP when the device functions as an AC in a wireless scenario, you need to run the radius-server nas-identifier-format ap-info command.

Example

# Set the NAS-Identifier encapsulation format to VLAN ID.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server nas-identifier-format vlan-id

radius-server nas-port-format

Function

The radius-server nas-port-format command sets the format of the NAS port attribute.

The undo radius-server nas-port-format command restores the default format of the NAS port attribute.

By default, the new NAS port format is used.

Format

radius-server nas-port-format { new | old }

undo radius-server nas-port-format

Parameters

Parameter	Description	Value
new	Uses the new format of an NAS port. The new format of the NAS port attribute is slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).	-
old	Uses the old format of an NAS port. The old format of the NAS port attribute is slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).	-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Precautions

The difference between the two NAS port formats lies in the physical ports connected to Ethernet access users.

The new format of the NAS port attribute is slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).
The old format of the NAS port attribute is slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).

Example

# Set the format of the NAS port attribute to new.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server nas-port-format new

radius-server nas-port-id-format

Function

The radius-server nas-port-id-format command sets the format of the NAS port ID attribute.

The undo radius-server nas-port-id-format command restores the default format of the NAS port ID attribute.

By default, the new format of the NAS port ID attribute is used.

Format

radius-server nas-port-id-format { new | old }

undo radius-server nas-port-id-format

Parameters

Parameter	Description	Value
new	Uses the new format of the NAS port ID.	-
old	Uses the old format of the NAS port ID.	-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The NAS port format and the NAS port ID format are developed by Huawei, which are used to ensure connectivity and service cooperation among Huawei devices.

Precautions

Port of the NAS that is authenticating the user. The NAS-Port-Id attribute has the following formats:

New:

For Ethernet access users, the NAS-Port-Id is in the format "slot=xx; subslot=xx; port=xxx; vlanid=xxxx", in which "slot" is 64 or ranges from 0 to 15, "subslot" ranges from 0 to 15, "port" ranges from 0 to 255, "vlanid" ranges from 1 to 4094.

For ADSL access users, the NAS-Port-Id is in the format "slot=xx; subslot=x; port=x; VPI=xxx; VCI=xxxxx", in which "slot" ranges from 0 to 15, "subslot" 0 to 9, "port" 0 to 9, "VPI" 0 to 255, and "VCI" 0 to 65535.
Old:

For Ethernet access users, the NAS-Port-Id is in the format "port number (2 characters) + sub-slot ID (2 bytes) + card number (3 bytes) + VLAN ID (9 characters)."

For ADSL access users: port number (2 characters) + sub-slot ID (2 bytes) + card number (3 bytes) + VPI (8 characters) + VCI (16 characters). The fields are prefixed with 0s if they contain fewer bytes than specified.

If this attribute carries Chinese characters, it cannot be delivered using the radius-attribute set attribute-name attribute-value command.

Example

# Set the format of the NAS port ID attribute to new.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server nas-port-id-format new

radius-server retransmit timeout

Function

The radius-server retransmit timeout command sets the number of times that RADIUS request packets are retransmitted, timeout period.

The undo radius-server retransmit timeout command restores the default number of retransmission times, the default timeout period.

By default, the number of retransmission times is 5, timeout period is 2 seconds.

Format

radius-server { retransmit retry-times | timeout time-value } ^*

undo radius-server { retransmit [ retry-times ] | timeout [ time-value ] } ^*

Parameters

Parameter	Description	Value
retransmit retry-times	Specifies the number of retransmission times. The value is the total number of times a packet is transmitted.	The value is an integer that ranges from 1 to 5.
timeout time-value	Specifies the timeout period.	The value is an integer that ranges from 1 to 10100, in seconds. The value is an integer that ranges from 1 to 100, in seconds. NOTE: In V300R022C00 version, the value ranges from 1 to 10. In V300R022C10 and later versions, the value ranges from 1 to 100.

Parameter

Description

Value

retransmit retry-times

Specifies the number of retransmission times. The value is the total number of times a packet is transmitted.

The value is an integer that ranges from 1 to 5.

timeout time-value

Specifies the timeout period.

The value is an integer that ranges from 1 to 10100, in seconds.

The value is an integer that ranges from 1 to 100, in seconds.

NOTE:

In V300R022C00 version, the value ranges from 1 to 10.

In V300R022C10 and later versions, the value ranges from 1 to 100.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The retransmission upon timeout mechanism is configured for a device to forward RADIUS Access-Request packets sourced from users to the server. The overall retransmission time depends on the retransmission interval, retransmission times, RADIUS server status, and number of servers configured in the RADIUS server template.

You can configure the number of times that RADIUS request packets are retransmitted and the timeout period using the radius-server retransmit retry-times and radius-server timeout time-value commands, respectively. If a device sends an authentication request packet to the RADIUS server and does not receive any response packet from the server during the timeout period, the device sends an authentication request packet again.

This command can improve the reliability of RADIUS authentication.

Precautions

The request packet retransmission time (number of retransmission times x timeout period) of the RADIUS server must be shorter than the request packet retransmission time of the Portal server.
If more than 8 authentication server IP addresses are configured in the RADIUS server template, reduce the number of retransmission times and timeout period.

Example

# Set the number of retransmission times to 3, the timeout period to 2s.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server retransmit 3 timeout 2

radius-server dead-time

Function

The radius-server retransmit timeout dead-time command sets the number of times that RADIUS request packets are interval for the server to revert to the active status.

The undo radius-server retransmit timeout dead-time command restores the default interval for the server to revert to the active status.

By default, the interval for the server to revert to the active status is 5 minutes.

Format

radius-server dead-time dead-time

undo radius-server dead-time [ dead-time ]

Parameters

Parameter	Description	Value
dead-time	Specifies the interval for the server to revert to the active status.	The value is an integer that ranges from 1 to 65535, in minutes.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run the radius-server dead-time dead-time command to configure the duration for which the RADIUS server remains Down. After the device sets the RADIUS server status to Down and the interval specified by dead-time expires, the device resets the server status to Force-up. Servers in Force-up and Up states have the same priority and participate in RADIUS server selection based on the algorithm specified by radius-server algorithm. If a new user needs to be authenticated in RADIUS mode and no RADIUS server is available, the device attempts to re-establish a connection with a RADIUS server in Force-up status. The Force-up status is defined to prevent servers in Down status from remaining idle.

After the radius-server testuser command is configured, the dead-time timer configured using the radius-server dead-time command does not take effect.

This command can improve the reliability of RADIUS authentication.

Example

# Set the interval for the server to revert to the active status to 10 minutes.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server dead-time 10

radius-server session-manage

Function

The radius-server session-manage command enables session management on the RADIUS server.

The undo radius-server session-manage command disables session management on the RADIUS server.

By default, session management is disabled on the RADIUS server.

Format

radius-server session-manage { ip-address [ vpn-instance vpn-instance-name ] shared-key cipher share-key | any }

undo radius-server session-manage [ ip-address [ vpn-instance vpn-instance-name ] | all ]

Parameters

Parameter	Description	Value
ip-address	Specifies the IP address of the RADIUS session management server.	The value is in dotted decimal notation.
vpn-instance vpn-instance-name	Specifies the name of the VPN instance bound to the RADIUS session management server.	The value must be the name of an existing VPN instance.
shared-key cipher share-key	Specifies the shared key of the RADIUS session management server.	The value is a string of case-sensitive characters that cannot contain spaces and question marks. share-key can be a string of 1-128 characters in plain text or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in cipher text.
any	Indicates that no RADIUS session management server is specified.	-
all	Deletes all RADIUS session management servers.	-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To improve device security, run this command to enable session management on the RADIUS server. After this function is enabled, the device checks the source IP addresses and shared keys for the received session management packets. When the source IP addresses and shared keys match the configured values, the packets are processed; otherwise, the packets are discarded.

Precautions

When the any parameter is specified, there is a security risk. You are advised to configure the IP address and shared key for a specified RADIUS session management server.
You also need to run the radius-server session-manage server-source command to configure an IPv4 address for receiving and responding to request packets of a RADIUS session management server so that the session management function of the RADIUS server can take effect.

Example

# Enable session management on the RADIUS server, and set the IP address and shared key of the RADIUS session management server to 10.1.1.1 and YsHsjx_202206 respectively.

<Huawei> system-view
[Huawei] radius-server session-manage 10.1.1.1 shared-key cipher YsHsjx_202206

radius-server session-manage server-source

Function

The radius-server session-manage server-source command configures an IPv4 address for receiving and responding to request packets of a RADIUS session management server.

The undo radius-server session-manage server-source command restores the default setting.

By default, the device does not receive or respond to any request packet of a RADIUS session management server.

Format

radius-server session-manage server-source { ip-address ip-address | all-interface }

undo radius-server session-manage server-source { ip-address { ip-address | all } | all-interface }

Parameters

Parameter	Description	Value
ip-address ip-address	Specifies an IPv4 address.	The value is in dotted decimal notation. The value range depends on the device types.
all-interface	Specifies the IPv4 address as 0.0.0.0. That is, the device receives and responds to request packets of a RADIUS session management server through any IPv4 address.	-
all	Indicates all IPv4 addresses specified by ip-address ip-address.	-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, no IPv4 address can be used to receive or respond to request packets of a RADIUS session management server. When the device needs to establish a connection with a RADIUS session management server, you can run this command to specify an IPv4 address for receiving and responding to request packets of the RADIUS session management server.

Precautions

After you run this command to configure an IPv4 address for the device to receive and respond to request packets of a RADIUS session management server, the RADIUS session management server can communicate with the device only through this IPv4 address. Ensure that the RADIUS session management server can communicate with the device through this IPv4 address at Layer 3.
After the radius-server session-manage server-source all-interface command is run, the device receives and responds to request packets of a RADIUS session management through any IPv4 address, which increases system security risks. Therefore, you are advised not to run this command.
After the radius-server session-manage server-source all-interface command is run, all the configurations of the radius-server session-manage server-source ip-address ip-address command are cleared.
If the radius-server session-manage server-source all-interface command has been configured on the device, the radius-server session-manage server-source ip-address ip-address command configured later cannot be delivered.
If the device is upgraded from a version earlier than and the session management function is enabled for the RADIUS server, the device delivers the radius-server session-manage server-source all-interface command by default to enable the session management function for the RADIUS server with an all-zero address.
In versions earlier than , if the session management function of the RADIUS server is enabled, you need to enable the session management function when using the session management function of the RADIUS server in versions later than . That is, run the radius-server session-manage server-source all-interface command to enable the session management function of the RADIUS server with an all-zero IP address or run the radius-server session-manage server-source ip-address ip-address command to enable the session management function of the RADIUS server with a specified IP address.
You also need to run the radius-server session-manage server-source command to configure an IPv4 address for receiving and responding to request packets of a RADIUS session management server so that the session management function of the RADIUS server can take effect.

Example

# Specify 10.1.1.1 as the IPv4 address used to receive and respond to request packets of a RADIUS session management server.

<Huawei> system-view
[Huawei] radius-server session-manage server-source ip-address 10.1.1.1

radius-server shared-key (RADIUS server template view)

Function

The radius-server shared-key command configures the shared key of a RADIUS server.

The undo radius-server shared-key command restores the default shared key of a RADIUS server.

Format

radius-server shared-key cipher key-string

undo radius-server shared-key

Parameters

Parameter	Description	Value
cipher	Indicates the shared key in cipher text.	-
key-string	Specifies the shared key of a RADIUS server.	The value is a case-sensitive character string without spaces, single quotation marks ('), or question marks (?). key-string can be a string of 1-128 characters in plain text or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in cipher text.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The shared key is used to encrypt the password and generate the response authenticator.

When exchanging authentication packets with a RADIUS server, the device uses MD5 to encrypt important data such as the password to ensure security of data transmission over the network. To ensure validity of both communication parties, the device and RADIUS server must be configured with the same shared key.

Precautions

For security purposes, change the default shared key immediately. It is recommended that the new shared key contains at least two types of lower-case letters, upper-case letters, numerals, and special characters, and contains at least 8 characters.

During the configuration of this command, the weak password verification function is added to check whether a password is weak. If the password is weak, the command fails to be executed.

Example

# Set the shared key of a RADIUS server to YsHsjx_202206 in cipher text.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server shared-key cipher YsHsjx_202206

radius-server shared-key (system view)

Function

The radius-server shared-key command configures the shared key of a RADIUS server.

The undo radius-server shared-key command deletes the shared key of a RADIUS server.

By default, no global shared key is configured for the RADIUS server.

Format

radius-server ip-address { ipv4-address | ipv6-address } shared-key cipher key-string

undo radius-server ip-address { ipv4-address | ipv6-address } shared-key

Parameters

Parameter	Description	Value
ip-address { ipv4-address \| ipv6-address }	Specifies the IPv4 or IPv6 address of the RADIUS server.	ipv4-address: The value is in dotted decimal notation. ipv6-address: The value is a 32-bit hexadecimal string in format X:X:X:X:X:X:X:X.
cipher key-string	Specifies the shared key in cipher text.	The value is a case-sensitive character string without spaces, single quotation marks ('), or question marks (?). key-string can be a string of 1-128 characters in plain text or a string of 48, 68, 88, 108, 128, 148, 168, or 188 characters in cipher text.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The shared key is used to encrypt the password and generate the response authenticator.

You can run the radius-server shared-key command in the RADIUS server template view to configure the shared keys. However, after this command is run, all RADIUS servers in the template use the same shared key. To configure different shared keys for RADIUS servers, run the radius-server shared-key command in the system view.

Precautions

To improve security, it is recommended that the shared key contains at least two types of lower-case letters, upper-case letters, numerals, and special characters, and contains at least 8 characters.

When the shared keys are configured in both the RADIUS server template and system view, the configuration in the system view takes effect.

Example

# Set the shared key for RADIUS server to YsHsjx_202206.

<Huawei> system-view
[Huawei] radius-server ip-address 10.1.1.1 shared-key cipher YsHsjx_202206

radius-server support chargeable-user-identity

Function

The radius-server support chargeable-user-identity command configures a device to support the CUI attribute.

The undo radius-server support chargeable-user-identity command restores the default settings.

By default, a device does not support the CUI attribute.

Format

radius-server support chargeable-user-identity [ not-reject ]

undo radius-server support chargeable-user-identity

Parameters

Parameter	Description	Value
not-reject	Configures the device not to process the CUI attribute.	-

Views

RADIUS server template view

Default Level

2: Configuration level

Usage Guidelines

In a scenario where roaming accounting is performed on a carrier network, the same user may have register different user names in different network environments. Therefore, the user name cannot be used as the unique ID for accounting. In this case, you can use the RADIUS Chargeable-User-Identity (CUI) attribute defined in the RFC to resolve this issue. RADIUS authentication servers can provide users with unique CUI attribute values that function as the users' accounting IDs.

By default, RADIUS Access-Request packets sent by a device do not carry the CUI attribute. If Access-Accept packets responded by the RADIUS server carry the CUI attribute, the device retains this attribute in the Accounting-Request(Start), Accounting-Request(Interim-update), and Accounting-Request(Stop) packets without any processing.

After the radius-server support chargeable-user-identity [ not-reject ] command is configured, the RADIUS Access-Request packets sent by the device carry the CUI attribute and the attribute value is Null.

If Access-Accept packets responded by the RADIUS server carry the CUI attribute, the device retains this attribute in the Accounting-Request(Start), Accounting-Request(Interim-update), and Accounting-Request(Stop) packets without any processing; the previously delivered CUI attribute is carried in the Access-Request packets triggered by the subsequent reauthentication, authentication coverage, and roaming for users.
If Access-Accept packets responded by the RADIUS server does not carry the CUI attribute or carry the CUI attribute whose value is Null:
- If the not-reject parameter is not specified, user authentication fails.
- If the not-reject parameter is specified, the device ignores the CUI attribute and user authentication succeeds.

Example

# Configure a device to support the CUI attribute.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server support chargeable-user-identity

radius-server template

Function

The radius-server template command creates a RADIUS server template and displays the RADIUS server template view.

The undo radius-server template command deletes a RADIUS server template.

By default, the device contains the RADIUS server template default. The template can be modified, but cannot be deleted.

Format

radius-server template template-name

undo radius-server template template-name

Parameters

Parameter	Description	Value
template-name	Specifies the name of a RADIUS server template.	The value is a string of 1 to 32 case-sensitive characters, including letters (case-sensitive), numerals (0 to 9), periods (.), hyphens (-), and underscores (_).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Creating a RADIUS server template is the prerequisite for configuring RADIUS authentication and accounting. You can perform RADIUS configurations, such as the configuration of authentication servers, accounting servers, and shared key only after a RADIUS server template is created.

Follow-up Procedure

Configure an authentication server, an accounting server, and shared key in the RADIUS server template view, and then run the radius-server command to apply the RADIUS server template.

Example

# Create a RADIUS server template template1 and enter the RADIUS server template view.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1]

radius-server testuser

Function

The radius-server testuser command enables the automatic detection function and configures an automatic detection account.

The undo radius-server testuser command restores the default settings.

By default, the automatic detection function is disabled.

Format

radius-server testuser username user-name password cipher password

undo radius-server testuser

Parameters

Parameter	Description	Value
username user-name	Specifies a user name used for automatic detection.	The value is a string of 1 to 253 case-sensitive characters. If the user name contains spaces, you must enclose the name with double quotation marks ("), for example, "user for test".
password cipher password	Specifies the user password for automatic detection.	The value is a character string of 1 to 128 characters without spaces and question marks. It is case sensitive. If it is in cipher text, the password is a string of 48 to 188 characters.

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

After the RADIUS server status is set to Down, you can configure the automatic detection function to test the RADIUS server reachability.

For the automatic status detection function, only the automatic detection user name and password need to be configured in the RADIUS server template on the device, and the automatic detection account does not need to be configured on the RADIUS server. Authentication success is not mandatory. If the device can receive the authentication failure response packet, the RADIUS server is properly working.

You can run the radius-server detect-server timeout command to configure the timeout period for detection packets.

Example

# Create a user account with the user name test and password YsHsjx_202206 in RADIUS server template acs.

<Huawei> system-view
[Huawei] radius-server template acs
[Huawei-radius-acs] radius-server testuser username test password cipher YsHsjx_202206

radius-server traffic-unit

Function

The radius-server traffic-unit command sets the traffic unit used by a RADIUS server.

The undo radius-server traffic-unit command restores the default traffic unit used by a RADIUS server.

The default RADIUS traffic unit is byte on the device.

Format

radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

undo radius-server traffic-unit

Parameters

Parameter	Description	Value
byte	Indicates that the traffic unit is byte.	-
kbyte	Indicates that the traffic unit is kilobyte.	-
mbyte	Indicates that the traffic unit is megabyte.	-
gbyte	Indicates that the traffic unit is gigabyte.	-

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Different RADIUS servers may use different traffic units; therefore, you need to set the traffic unit for each RADIUS server group on the router and the traffic unit must be the same as that on the RADIUS server.

Example

# Set the traffic unit used by a RADIUS server to kilobyte.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] radius-server traffic-unit kbyte

radius-server user-name domain-included

Function

The radius-server user-name domain-included command configures the device to encapsulate the domain name in the user name in the packets sent to a RADIUS server.

The radius-server user-name original command configures the device not to modify the user name entered by the user in the packets sent to a RADIUS server.

The undo radius-server user-name domain-included command configures the device not to encapsulate the domain name in the user name in the packets sent to a RADIUS server.

The undo radius-server user-name domain-included except-eap command configures the device not to encapsulate the domain name in the user name in the packets sent to a RADIUS server (applicable to authentication modes except EAP authentication).

By default, the device does not modify the user name entered by the user in the packets sent to a RADIUS server.

Format

radius-server user-name domain-included

radius-server user-name original

undo radius-server user-name domain-included

undo radius-server user-name domain-included except-eap

Parameters

None

Views

RADIUS server template view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The format of a user name is user name@domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %.

If the RADIUS server does not accept the user name with the domain name, run the undo radius-server user-name domain-included command to delete the domain name from the user name.

Precautions

If the user names in the RADIUS packets sent from the device to RADIUS server contain domain names, ensure that the total length of a user name (user name + domain name delimiter + domain name) is not longer than 253 characters; otherwise, the user name cannot be contained in RADIUS packets. As a result, authentication will fail.

The [ undo ] radius-server user-name domain-included [ except-eap ] command is not recommended for the AR1000V because there is no applicable scenario for this product.

Example

# Configure the device not to encapsulate the domain name in the user name in the packets sent to a RADIUS server.

<Huawei> system-view
[Huawei] radius-server template template1
[Huawei-radius-template1] undo radius-server user-name domain-included

reset radius-server accounting-stop-packet

Function

The reset radius-server accounting-stop-packet command clears statistics on the remaining buffer information of RADIUS accounting-stop packets.

Format

reset radius-server accounting-stop-packet { all | ip { ipv4-address | ipv6-address } }

Parameters

Parameter	Description	Value
all	Clears statistics on the remaining buffer information of RADIUS accounting-stop packets.	-
ip ipv4-address	Clears statistics on the remaining buffer information of RADIUS accounting-stop packets with the specified IPv4 address.	The value of ipv4-address is in dotted decimal notation.
ip ipv6-address	Clears statistics on the remaining buffer information of RADIUS accounting-stop packets with the specified IPv6 address.	The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

Views

User view

Default Level

3: Management level

Usage Guidelines

This command can clear statistics on the remaining buffer information of RADIUS accounting-stop packets. The deleted statistics cannot be restored.

Example

# Clear statistics on the remaining buffer information of all RADIUS accounting-stop packets.

<Huawei> reset radius-server accounting-stop-packet all

snmp-agent trap enable feature-name radius

Function

The snmp-agent trap enable feature-name radius command enables the trap function for the RDS module.

The undo snmp-agent trap enable feature-name radius command disables the trap function for the RDS module.

By default, the trap function is disabled for the RDS module.

Format

snmp-agent trap enable feature-name radius [ trap-name { hwradiusacctserverdown | hwradiusacctserverup | hwradiusacctserverforceup | hwradiusauthserverdown | hwradiusauthserverup | hwradiusauthserverforceup } ]

undo snmp-agent trap enable feature-name radius [ trap-name { hwradiusacctserverdown | hwradiusacctserverup | hwradiusacctserverforceup | hwradiusauthserverdown | hwradiusauthserverup | hwradiusauthserverforceup } ]

Parameters

Parameter	Description	Value
trap-name	Indicates the trap function for a specified event of the RDS module.	-
hwradiusacctserverdown	Enables the device to send a Huawei proprietary trap when it detects that communication with the RADIUS accounting server is interrupted.	-
hwradiusacctserverup	Enables the device to send a Huawei proprietary trap when it detects that communication with the RADIUS accounting server is restored.	-
hwradiusacctserverforceup	Enables the device to send a Huawei proprietary trap when it detects that the RADIUS accounting server is forced Up.	-
hwradiusauthserverdown	Enables the device to send a Huawei proprietary trap when it detects that communication with the RADIUS authentication server is interrupted.	-
hwradiusauthserverup	Enables the device to send a Huawei proprietary trap when it detects that communication with the RADIUS authentication server is restored.	-
hwradiusauthserverforceup	Enables the device to send a Huawei proprietary trap when it detects that the RADIUS authentication server is forced Up.	-

Views

System view

Default Level

3: Management level

Usage Guidelines

After the trap function is enabled, the device generates traps during operation and sends the traps to the NMS through the SNMP module. If the trap function is disabled, the device does not generate traps and the SNMP module does not send traps to the NMS.

You can specify trap-name as required to enable the trap function for one or more events.

Example

# Enable the hwradiusacctserverdown trap function for the RDS module.

<Huawei> system-view
[Huawei] snmp-agent trap enable feature-name radius trap-name hwradiusacctserverdown

test-aaa

Function

The test-aaa command tests the connectivity between the device and the authentication server or accounting server, and tests whether a user can be authenticated using authentication server and whether the accounting server can charge a user.

Format

test-aaa user-name user-password radius-template template-name [ chap | pap ]

test-aaa user-name user-password radius-template template-name [ accounting [ start | realtime | stop ] ]

test-aaa user-name user-password hwtacacs-template template-name [ accounting [ start | realtime | stop ] ]

Parameters

Parameter	Description	Value
user-name	Specifies a user name.	The value is a string of 1 to 253 case-insensitive characters. NOTE: When the HWTACACS, or RADIUS server is detected, the user name cannot contain spaces.
user-password	Specifies a user password.	The value is a string of 1 to 128 case-sensitive characters.
radius-template template-name	Specifies the name of a RADIUS server template.	The RADIUS server template must already exist.
chap	Indicates Challenge Handshake Authentication Protocol (CHAP) authentication. The NAS device sends the user name, password, and 16-byte random code to the RADIUS server. The RADIUS server searches for the database according to the user name and obtains the password that is the same as the encrypted password at the user side. The RADIUS server then encrypts the received 16-byte random code and compares the result with the password. If they are the same, the user is authenticated. If they are different, the user fails to be authenticated. In addition, if the user is authenticated, the RADIUS server generates a 16-byte random code to challenge the user.	-
pap	Indicates Password Authentication Protocol (PAP) authentication. The NAS device adds the user name and encrypted password to the corresponding fields of authentication request packets, and then sends the packets to the RADIUS server. The NAS device determines whether to allow the user go online based on the result returned by the RADIUS server.	-
accounting	Indicates accounting. By default, an accounting-start packet is sent.	-
start	Indicates that the sent packet is an accounting-start packet.	-
realtime	Indicates that the sent packet is a real-time accounting packet.	-
stop	Indicates that the sent packet is an accounting-stop packet.	-
hwtacacs-template template-name	Specifies the name of an HWTACACS server template.	The HWTACACS server template must already exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The test-aaa command tests service reachability of the server. The device sends an authentication or accounting request packet to the server. If the server returns an authentication or accounting success packet, the device and server can communicate with each other. If the server's response times out, the device and server cannot communicate with each other.

When the controller functions as an authentication server and the test-aaa command is run to test accounts, authentication packets must carry the user name, password, device MAC address, and SSID (for wireless terminals) so that the controller can match the packets with the corresponding authentication template. This ensures that the function of the test-aaa command is working properly.

Prerequisites

The authentication server template or accounting server template has been created, and the authentication server or accounting server has been configured in the template. In addition, the authentication server or accounting server has been configured.

Follow-up Procedure

If the test result indicates that the user fails to be authenticated by using server authentication or the accounting server fails to charge the user, check whether the configuration of the authentication server template and the authentication server is correct, and check the connectivity between the device and the server.

Precautions

chap and pap are two authentication modes, CHAP authentication is used by default.

PAP: The NAS device adds the user name and encrypted password to the corresponding fields of authentication request packets, and then sends the packets to the RADIUS server. The NAS device determines whether to allow the user go online based on the result returned by the RADIUS server.
CHAP: The NAS device sends the user name, password, and 16-byte random code to the RADIUS server. The RADIUS server searches for the database according to the user name and obtains the password that is the same as the encrypted password at the user side. The RADIUS server then encrypts the received 16-byte random code and compares the result with the password. If they are the same, the user is authenticated. If they are different, the user fails to be authenticated. In addition, if the user is authenticated, the RADIUS server generates a 16-byte random code to challenge the user.

Before running the test-aaa command, you only need to create a RADIUS server template and specify an authentication server or accounting server in the RADIUS server template.

Example

# Test whether the user user1 can be authenticated using CHAP authentication in the RADIUS server template test.

<Huawei> test-aaa user1 userkey radius-template test chap
Info: The server template does not exist.

radius-server dead-detect-condition by-server-ip

Function

The radius-server dead-detect-condition by-server-ip command configures the device to perform keepalive detection on the RADIUS authentication and accounting servers with the same IP address.

The undo radius-server dead-detect-condition by-server-ip command configures the device to perform keepalive detection on only the RADIUS authentication server.

By default, keepalive detection is performed on the RADIUS authentication and accounting servers with the same IP address.

Format

radius-server dead-detect-condition by-server-ip

undo radius-server dead-detect-condition by-server-ip

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The device periodically sends authentication request packets to the RADIUS server in Down state. If the RADIUS server responds, the device sets the RADIUS authentication server status to Up. The device does not perform keepalive detection for RADIUS accounting servers in Down state. Instead, the device sets the RADIUS accounting server status to Up only when the server recovery time expires.

To allow the device to promptly detect the status of RADIUS accounting servers that are in Down state, run the radius-server dead-detect-condition by-server-ip command. After the command is executed, the device performs keepalive detection on RADIUS servers based on the RADIUS server IP address, so that the status of RADIUS accounting server is associated with the status of authentication server.

Precautions

After the radius-server dead-detect-condition by-server-ip command is executed, run the radius-server testuser command to configure automatic user detection.

After the radius-server dead-detect-condition by-server-ip command is executed, if the authentication and accounting servers sharing the same IP address are in the same VPN instance, the device accumulates the number of authentication and accounting packets sent by the servers. In addition, the status of RADIUS authentication server with the same IP address in the same VPN instance is updated.

Example

# Configure the device to perform keepalive detection on the RADIUS authentication and accounting servers with the same IP address.

<Huawei> system-view
[Huawei] radius-server dead-detect-condition by-server-ip

Support for RADIUS Feature Name
called-station-id mac-format
calling-station-id mac-format
display radius-attribute
display radius-attribute check
display radius-attribute disable
display radius-attribute translate
display radius-server accounting-stop-packet
display radius-server authorization configuration
display radius-server configuration
display radius-server dead-interval dead-countdetect-cycle
display radius-server session-manage configuration
display radius-server item
display radius-server max-unresponsive-interval
display snmp-agent trap feature-name radius all
radius-attribute check
radius-attribute cut hw-portal-url
radius-attribute encap optimize
radius-attribute disable
radius-attribute nas-ip
radius-attribute nas-ipv6
radius-attribute set
radius-attribute service-type with-authenonly-reauthen
radius-attribute translate
radius-reject local
radius-server (aaa domain view)
radius-server accounting
radius-server accounting-stop-packet resend
radius-server algorithm
radius-server attribute message-authenticator access-request
radius-server attribute translate
radius-server authentication
radius-server authorization
radius-server authorization server-source
radius-server authorization attribute-decode-sameastemplate
radius-server authorization attribute-encode-sameastemplate
radius-server authorization calling-station-id decode-mac-format
radius-server authorization match-type
radius-server dead-interval dead-countdetect-cycle
radius-server detect-server interval
radius-server detect-server timeout
radius-server detect-server up-server interval
radius-server format-attribute
radius-server framed-ip-address no-user-ip enable
radius-server hw-ap-info-format include-ap-ip
radius-server max-unresponsive-interval
radius-server nas-identifier-format
radius-server nas-port-format
radius-server nas-port-id-format
radius-server retransmit timeout
radius-server dead-time
radius-server session-manage
radius-server session-manage server-source
radius-server shared-key (RADIUS server template view)
radius-server shared-key (system view)
radius-server support chargeable-user-identity
radius-server template
radius-server testuser
radius-server traffic-unit
radius-server user-name domain-included
reset radius-server accounting-stop-packet
snmp-agent trap enable feature-name radius
test-aaa
radius-server dead-detect-condition by-server-ip

Translation

Favorite

Download

Update Date：2024-05-24

Document ID：EDOC1100271769

Downloads：238

Average rating：0.0Points

Digital Signature File

digtal sigature tool