Knowledge Base

VSA File for J SBR RADIUS Authentication and Authorization Interworking with USG9520 (V200R001C00SPC700)

Publication Date:  2019-07-09  |   Views:  545  |   Downloads:  0  |   Document ID:  EKB1000038563

Issue Description

Version:
USG9520: V200R001C00SPC700
RADIUS: J Steel Belted RADIUS (SBR) enterprise edition
Networking:
RADIUS authentication is carried in User Datagram Protocol (UDP) packets. The standard port 1812 is used for authentication (the Access-Accept on that port also carries the authorization attributes), and port 1813 is used for accounting.
Background:
RADIUS messages carry attributes in type-length-value (TLV) format. The detailed AAA authentication process and mechanism are described in the firewall documentation and are not repeated here. The RADIUS packet codes seen during commissioning are:
Code 1, AUTH-RQT (Access-Request): the RADIUS authentication request sent by an AAA client. Here the firewall is the AAA client.
Code 2, Auth-ACCT (Access-Accept): the authentication success packet sent by the AAA server. This packet also carries the authorization attributes.
Code 3, Auth-RJT (Access-Reject): the authentication failure packet sent by the AAA server.

Alarm Information

None

Handling Process

1. The VSA file is in .dct format and defines, for the J SBR enterprise edition, the authorization attributes the firewall understands.
Attribute 26 (Vendor-Specific) is the field reserved for vendor-defined attributes. The firewall carries its RADIUS authorization result in attribute 26 with vendor ID 2011 (Huawei), sub-attribute 107 (Huawei-Exec-Privilege).
################################################################################
# Huawei.dct - Radius dictionary for Huawei Firewalls
#
# (See README.DCT for more details on the format of this file)
################################################################################
# Use the Radius specification attributes
#
@radius.dct

#
# Huawei specific parameters
#
# Attribute 26 (Vendor-Specific) with vendor ID 2011 (Huawei); %t% is the
# sub-attribute number and %s% its data type, each sub-attribute being
# encoded on the wire as type1 | len1 | data.
MACRO Huawei-VSA(t,s) 26 [vid=2011 type1=%t% len1=+2 data=%s%]

# Sub-attribute 107 carries the user's privilege level as an integer; the R flag
# marks it as a return-list attribute, i.e. one the server may send in its reply.
ATTRIBUTE Huawei-Exec-Privilege       Huawei-VSA(107, integer) R

################################################################################
# Huawei.dct - Huawei Firewalls dictionary
################################################################################

2. Give the VSA file to the customer's RADIUS maintenance personnel. After they upload it, they complete the related configuration: associate the client name (USG9520), its IP address (the USG9520 interface IP address) and the VSA name, and configure the Huawei-Exec-Privilege attribute so that it carries the authorization result.
3. Once the RADIUS configuration is complete, initiate an authentication request and check the debugging output below. The line "Huawei-Exec-Privilege : Integer Value = 15" shows that the RADIUS authorization result has been set to 15 in the Huawei-Exec-Privilege attribute; the same value is the 0x0000000f that closes the 0x1a (attribute 26) TLV in the raw packet dump.
10/10/2013 10:54:52 Authentication Response
10/10/2013 10:54:52 Packet : Code = 0x2 ID = 0x7
10/10/2013 10:54:52 Vector =
10/10/2013 10:54:52 000: 34516dc1 5f6b976e 19fdef11 56744b61 |4Qm._k.n....VtKa|
10/10/2013 10:54:52 Class : Value =
10/10/2013 10:54:52 000: 53425232 434c80a6 ab95d7dd eda7bfc0 |SBR2CL..........|
10/10/2013 10:54:52 010: 11802701 80038198 ce800280 0a81b0db |..'.............|
10/10/2013 10:54:52 020: 8c96c3b5 c2f3b9c0 12800e81 80a6ab95 |................|
10/10/2013 10:54:52 030: d7ddeda7 bfc08591 bac0              |..........      |
10/10/2013 10:54:52 Class : String Value = npmg
10/10/2013 10:54:52 Huawei-Exec-Privilege : Integer Value = 15
10/10/2013 10:54:52 Reply-Message : String Value = npmg
10/10/2013 10:54:52 Service-Type : Integer Value = 6
10/10/2013 10:54:52 -----------------------------------------------------------
10/10/2013 10:54:52 -----------------------------------------------------------
10/10/2013 10:54:52 Authentication Response
10/10/2013 10:54:52 Sent to: ip=10.10.147.41 port=1812
10/10/2013 10:54:52         
10/10/2013 10:54:52 Raw Packet :
10/10/2013 10:54:52 000: 02070070 34516dc1 5f6b976e 19fdef11 |...p4Qm._k.n....|
10/10/2013 10:54:52 010: 56744b61 193c5342 5232434c 80a6ab95 |VtKa.<SBR2CL....|
10/10/2013 10:54:52 020: d7ddeda7 bfc01180 27018003 8198ce80 |........'.......|
10/10/2013 10:54:52 030: 02800a81 b0db8c96 c3b5c2f3 b9c01280 |................|
10/10/2013 10:54:52 040: 0e8180a6 ab95d7dd eda7bfc0 8591bac0 |................|
10/10/2013 10:54:52 050: 19076e70 6d67001a 0c000007 db010600 |..npmg..........|
10/10/2013 10:54:52 060: 00000f12 076e706d 67000606 00000006 |.....npmg.......|
10/10/2013 10:54:52
10/10/2013 10:54:52 -----------------------------------------------------------
10/10/2013 10:54:52 Packet containing 112 bytes successfully sent
10/10/2013 10:54:52 ../radauthd.c radAuthHandleRequest() 3812 Exiting
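The following decoder is an added example and is not code from the page, from the firewall or from the SBR product. It walks the RADIUS TLV list of the 112-byte Access-Accept shown in the raw packet dump above, expands attribute 26 into vendor ID and sub-attributes with bounds checks on every length, and also builds an Access-Accept in the layout the .dct MACRO describes (26 | len | vid 2011 | type1 107 | len1 | data) together with the RFC 2865 Response Authenticator, so that the check a NAS performs before honouring the privilege level can be seen end to end. The vendor ID 2011 and sub-attribute 107 come from the dictionary above; the shared secret and request authenticator used for the constructed packet are made up for the demonstration.

```python
"""RADIUS Access-Accept decoder and builder for the Huawei Exec-Privilege VSA.
Added example; vendor ID 2011 and sub-attribute 107 come from the .dct file,
the secret and request authenticator used below are constructed, not from the page."""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_REPLY_MESSAGE = 18
ATTR_VENDOR_SPECIFIC = 26        # the "26" in the .dct MACRO line
HUAWEI_VENDOR_ID = 2011          # vid=2011 in the .dct MACRO
HUAWEI_EXEC_PRIVILEGE = 107      # type1=107 in the .dct ATTRIBUTE line
SERVICE_TYPE_ADMINISTRATIVE = 6  # Service-Type = 6 seen in the debug output

# The 112-byte Access-Accept copied from the "Raw Packet" dump in the debug output.
CAPTURED_ACCESS_ACCEPT = bytes.fromhex(
    "02070070 34516dc1 5f6b976e 19fdef11"
    "56744b61 193c5342 5232434c 80a6ab95"
    "d7ddeda7 bfc01180 27018003 8198ce80"
    "02800a81 b0db8c96 c3b5c2f3 b9c01280"
    "0e8180a6 ab95d7dd eda7bfc0 8591bac0"
    "19076e70 6d67001a 0c000007 db010600"
    "00000f12 076e706d 67000606 00000006"
)


def parse_attributes(data):
    """Walk the TLV list. Returns (type, vendor, subtype, value) tuples; non-VSA
    attributes carry vendor=None, subtype=None. Every length is bounds-checked so
    a malformed packet raises instead of being silently misread."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = data[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short for vendor id and sub-attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            sub, spos = value[4:], 0
            while spos < len(sub):
                if spos + 2 > len(sub):
                    raise ValueError("truncated VSA sub-attribute header")
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2 or spos + slen > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                out.append((atype, vendor, stype, sub[spos + 2:spos + slen]))
                spos += slen
        else:
            out.append((atype, None, None, value))
        pos += alen
    return out


def parse_packet(pkt):
    """Split a RADIUS packet into (code, id, authenticator, attributes)."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(pkt)))
    return code, ident, pkt[4:20], parse_attributes(pkt[20:length])


def vendor_integers(pkt, vendor):
    """Map sub-attribute number -> integer value for every 4-byte VSA of one vendor."""
    result = {}
    for atype, vid, stype, value in parse_packet(pkt)[3]:
        if atype == ATTR_VENDOR_SPECIFIC and vid == vendor and len(value) == 4:
            result[stype] = struct.unpack("!I", value)[0]
    return result


def plain_attribute(pkt, atype):
    """Raw value of the first non-VSA attribute of the given type, or None."""
    for t, _, _, value in parse_packet(pkt)[3]:
        if t == atype:
            return value
    return None


def encode_attribute(atype, value):
    return bytes([atype, len(value) + 2]) + value


def encode_vsa(vendor, subtype, value):
    """Layout the .dct MACRO describes: 26 | len | vendor id | type1 | len1 | data."""
    sub = bytes([subtype, len(value) + 2]) + value
    return encode_attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor) + sub)


def build_access_accept(ident, request_authenticator, secret, privilege):
    """Access-Accept granting Huawei-Exec-Privilege=privilege, with the Response
    Authenticator per RFC 2865: MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    attrs = (encode_vsa(HUAWEI_VENDOR_ID, HUAWEI_EXEC_PRIVILEGE, struct.pack("!I", privilege))
             + encode_attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)))
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def response_authenticator_ok(pkt, request_authenticator, secret):
    """The check a NAS must pass before honouring the privilege level: the reply is
    bound to its request authenticator and the shared secret."""
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


if __name__ == "__main__":
    code, ident, _, _ = parse_packet(CAPTURED_ACCESS_ACCEPT)
    print("captured: code=%d id=%d Huawei VSAs=%s Service-Type=%r" % (
        code, ident, vendor_integers(CAPTURED_ACCESS_ACCEPT, HUAWEI_VENDOR_ID),
        plain_attribute(CAPTURED_ACCESS_ACCEPT, ATTR_SERVICE_TYPE)))
    req_auth, secret = bytes(range(16)), b"constructed-secret"  # constructed, not from the page
    built = build_access_accept(7, req_auth, secret, 15)
    print("built:    Huawei VSAs=%s authenticator ok=%s" % (
        vendor_integers(built, HUAWEI_VENDOR_ID), response_authenticator_ok(built, req_auth, secret)))
```

Running the decoder over the captured packet returns code 2, ID 7, Service-Type 6 and Reply-Message "npmg", matching the decoded listing SBR printed. Note that in the raw dump the sub-attribute byte that follows vendor ID 2011 is 0x01 rather than 0x6b (107), so the decoder reports the privilege level 15 under sub-attribute 1; comparing the wire sub-attribute number against the `type1` value in the loaded dictionary is the quickest way to confirm that the server is encoding the attribute the way the firewall expects. The builder and `response_authenticator_ok` show the other half of the exchange: a privilege level in an Access-Accept is only as trustworthy as the authenticator check the NAS performs on it, and any change to the attribute bytes or a wrong shared secret makes that check fail.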

Root Cause

AAA authorization on the USG9520 running V200R001C00SPC700 carries the RADIUS authorization level in vendor-specific attribute 26, sub-attribute 107.
The J SBR enterprise edition uses a VSA file to recognise vendor-defined attributes, such as the authorization attributes of devices from different vendors. This case describes the authorization VSA.

Suggestions

1. The VSA file of the J SBR enterprise edition is in .dct format and can be edited with Notepad++ or UltraEdit. Editing it with the Windows built-in Notepad may result in an incorrect file format.