FAQ-Assign different privilege levels for RADIUS users that log in through SSH on the device

Publication Date:  2019-07-23  |   Views:  2113  |   Downloads:  0  |   Author:  s84075117  |   Document ID:  EKB1002048964

Issue Description

Problem description: The customer needed to configure SSH authentication using RADIUS, with the users kept in RADIUS, and to assign different privilege levels according to the company's needs.

Version information: AR2220E  V200R008C50SPC500

Operation scenario: users created in RADIUS should be able to authenticate to the device using SSH. Users don't need to be created locally.


Solution

We did a quick test in our lab on the same device and, after some authentication issues with the default domain, we noticed that the default_admin domain must be used for SSH.

  • The default domain is used for common access users (such as NAC). By default, this domain is activated and uses the default authentication scheme and accounting scheme.
  • The default_admin domain is used for administrators (such as HTTPS, SSH, Telnet, Terminal, and FTP). By default, this domain is activated and uses the default authentication scheme and accounting scheme.

We can use the command below to query AAA failures. Here we can see the domain and user name sent to the RADIUS server to be checked:


The configuration required for this scenario:

    #
    radius-server template test
     radius-server shared-key cipher XX
     radius-server authentication 10.220.7.129 1812 weight 80
     radius-server authorization 10.220.7.129 shared-key cipher XXX
    #
    aaa
     authentication-scheme default
      authentication-mode local radius
     authorization-scheme default
      authorization-mode if-authenticated
     accounting-scheme default
     domain default
      authorization-scheme default
      radius-server test
     domain default_admin    //authentication scheme is added by default
      authorization-scheme default
      radius-server test
     local-user admin password irreversible-cipher XXX
     local-user admin privilege level 15
     local-user admin service-type telnet terminal ssh ftp http
    #
    ssh client first-time enable
    ssh user admin authentication-type password
    stelnet server enable
    #
    user-interface con 0
     authentication-mode aaa
    user-interface tty 33 48
    user-interface vty 0 4
     authentication-mode aaa
    #

We can use the command below to test connectivity with the RADIUS server and check whether the users can authenticate successfully before testing:


For the privilege level settings, the authorization rule on the RADIUS server must be adjusted so that it sends an attribute to the router:


And we can use the command below to check whether the router receives the privilege level for the users matching the authorization rules:


And in the debugging output the router processed this attribute:



    Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei is 2011.
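As an added example (not part of this KB article), the following Python encodes HW-Exec-Privilege (vendor ID 2011, sub-attribute 26-29 in the table on this page) as a standard RADIUS Vendor-Specific attribute and decodes it back out of an Access-Accept attribute list, which is the check the router's debugging output performs. It assumes that HW-Exec-Privilege is the privilege attribute the article refers to, and the sample packet bytes are constructed.

```python
import struct

VENDOR_SPECIFIC = 26       # standard RADIUS attribute type that carries vendor attributes
HUAWEI_VENDOR_ID = 2011    # Huawei vendor ID, as stated in the article
HW_EXEC_PRIVILEGE = 29     # Huawei sub-attribute 26-29: management user privilege, 0..16

def build_exec_privilege_vsa(level: int) -> bytes:
    """Encode HW-Exec-Privilege=level as one RFC 2865 Vendor-Specific attribute."""
    if not 0 <= level <= 16:
        raise ValueError("HW-Exec-Privilege must be in the range 0..16")
    sub_attr = struct.pack("!BBI", HW_EXEC_PRIVILEGE, 6, level)  # type, length, 4-byte int
    body = struct.pack("!I", HUAWEI_VENDOR_ID) + sub_attr
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body  # type 26, length, body

def iter_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    i = 0
    while i + 2 <= len(data):
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield attr_type, data[i + 2:i + attr_len]
        i += attr_len

def exec_privilege_from_accept(attrs: bytes):
    """Return the HW-Exec-Privilege level found in Access-Accept attributes, else None.
    VSAs of other vendors and wrongly sized sub-attributes are ignored, so a server that
    delivers no Huawei privilege attribute yields None rather than a guessed level."""
    for attr_type, value in iter_attributes(attrs):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue
        for sub_type, sub_value in iter_attributes(value[4:]):  # sub-attributes share the TLV layout
            if sub_type == HW_EXEC_PRIVILEGE and len(sub_value) == 4:
                return struct.unpack("!I", sub_value)[0]
    return None

def describe_privilege(level):
    """Interpret the level as the article's table does: 16 means no administrator rights."""
    if level is None:
        return "no HW-Exec-Privilege delivered"
    return "no administrator rights" if level == 16 else "privilege level %d" % level

# Constructed sample Access-Accept attributes: Service-Type=Administrative-User (6)
# followed by HW-Exec-Privilege=15 for a level-15 SSH administrator.
SAMPLE_ACCEPT_ATTRS = struct.pack("!BBI", 6, 6, 6) + build_exec_privilege_vsa(15)
```

Feeding the router's captured Access-Accept attributes to exec_privilege_from_accept shows whether the server actually delivered the level the authorization rule was meant to send.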

This is the RADIUS attribute to be used:


Below are other Huawei proprietary attributes that can be sent to the router:

Table 2 Huawei proprietary RADIUS attributes

| Attribute No. | Attribute Name | Attribute Type | Description |
|---|---|---|---|
| 26-1 | HW-Input-Peak-Information-Rate | integer | Peak rate at which the user accesses the NAS, in bit/s. The value is a 4-byte integer. |
| 26-2 | HW-Input-Committed-Information-Rate | integer | Average rate at which the user accesses the NAS, in bit/s. The value is a 4-byte integer. |
| 26-3 | HW-Input-Committed-Burst-Size | integer | Committed burst size at which the user accesses the NAS, in bit/s. The value is a 4-byte integer. |
| 26-4 | HW-Output-Peak-Information-Rate | integer | Peak rate at which the NAS connects to the user, in bit/s. The value is a 4-byte integer. |
| 26-5 | HW-Output-Committed-Information-Rate | integer | Average rate at which the NAS connects to the user, in bit/s. The value is a 4-byte integer. |
| 26-6 | HW-Output-Committed-Burst-Size | integer | Committed burst size at which the NAS connects to the user, in bit/s. The value is a 4-byte integer. |
| 26-15 | HW-Remanent-Volume | integer | Remaining traffic. The unit is KB. |
| 26-22 | HW-Priority | integer | Priority of user service. NOTE: If the RADIUS server has delivered this attribute, the HW-Up-Priority and HW-Down-Priority attributes are invalid. |
| 26-26 | HW-Connect-ID | integer | Index of a user connection. |
| 26-28 | HW-FTP-Directory | string | Initial directory of an FTP user. |
| 26-29 | HW-Exec-Privilege | integer | Management user (such as Telnet user) priority, ranging from 0 to 16. The value 16 indicates that the user does not have the administrator rights. |
| 26-31 | HW-Qos-Data | string | Name of the QoS profile. The maximum length of the name is 31 bytes. The RADIUS server uses this field to deliver the QoS profile. The QoS profile must exist on the device. |
| 26-59 | HW-NAS-Startup-Time-Stamp | integer | NAS start time, which is the number of seconds elapsed since 00:00:00 of January 1, 1970. |
| 26-60 | HW-IP-Host-Address | string | User IP address and MAC address carried in authentication and accounting packets, in the format A.B.C.D hh:hh:hh:hh:hh:hh. The IP address and MAC address are separated by a space. If the user's IP address is detected invalid during authentication, A.B.C.D is set to 255.255.255.255. |
| 26-61 | HW-Up-Priority | integer | Upstream priority of user service. |
| 26-62 | HW-Down-Priority | integer | Downstream priority of user service. |
| 26-75 | HW-Primary-WINS | ipaddr | Primary WINS server address delivered by the RADIUS server after a user is successfully authenticated. |
| 26-76 | HW-Second-WINS | ipaddr | Secondary WINS server address delivered by the RADIUS server after a user is successfully authenticated. |
| 26-77 | HW-Input-Peak-Burst-Size | integer | Upstream peak rate, in bit/s. |
| 26-78 | HW-Output-Peak-Burst-Size | integer | Downstream peak rate, in bit/s. |
| 26-82 | HW-Data-Filter | string | ACL rule delivered by the RADIUS server when a user goes online. Attribute format: acl acl-number key1 key-value1... keyN key-valueN permit/deny, for example, acl 10006 dest-ip 11.11.11.2 dest-ipmask 32 udp-dstport 5070 deny. acl: indicates that ACL content is delivered; acl-number: specifies an ACL number, ranging from 10000 to 10999; keyN: specifies the IP address, IP address mask, and port number; permit: permits the packets that match a rule; deny: rejects the packets that match a rule; dest-ipmask: integer format for NAC users and dotted decimal notation format for VM users. NOTE: For wireless users, an ACL rule can be delivered through standard RADIUS attribute 11, but cannot be delivered through this attribute. |
| 26-94 | HW-VPN-Instance | string | VPN instance name delivered by the RADIUS server after a user is successfully authenticated. It specifies the VPN to which the user belongs. |
| 26-135 | HW-Client-Primary-DNS | ipaddr | Primary DNS address delivered by the RADIUS server after a user is successfully authenticated. |
| 26-136 | HW-Client-Secondary-DNS | ipaddr | Secondary DNS address delivered by the RADIUS server after a user is successfully authenticated. |
| 26-142 | HW-User-Information | string | User security check information delivered by the RADIUS server to an Extensible Authentication Protocol over LAN (EAPoL) user to notify the user of check items. |
| 26-143 | HW-Web-Proxy-Name | string | Web proxy resource name of Secure Sockets Layer virtual private network (SSL VPN). |
| 26-144 | HW-Port-Forward-Name | string | Port forwarding resource name of SSL VPN. |
| 26-145 | HW-IP-Forwarding-Name | string | IP forwarding resource name of SSL VPN. |
| 26-146 | HW-Service-Scheme | string | Service scheme name. A service scheme contains user authorization information and policy. |
| 26-153 | HW-Access-Type | integer | User access type carried in the authentication and accounting request packets sent by the device to the RADIUS server: 1: Dot1x user; 2: MAC address authentication user or MAC address bypass authentication; 3: Portal authentication user; 4: Static user; 6: Management user; 7: PPP users. |
| 26-155 | HW-URL-Flag | integer | Whether a Uniform Resource Locator (URL) is forcibly pushed when it is used together with another attribute, for example, HW-Portal-URL: 0: no; 1: yes. |
| 26-156 | HW-Portal-URL | string | Forcibly pushed URL. If information delivered by the RADIUS server matches the configured URL template, the URL configured in the template is used. Otherwise, the character string delivered by the RADIUS server is used. |
| 26-201 | HW-User-Extend-Info | string | Extended user information. This field is contained in authentication and accounting request packets, and multiple fields can be included. The definitions are as follows: HW-Access-Time: user access time. The value is the number of seconds elapsed since 00:00:00 of January 1, 1970. NOTE: Only V200R008C50 and later versions support this attribute. |
| 26-237 | HW-Web-Authen-Info | string | Information sent from the Portal server to the RADIUS server. The device transparently transmits the information to the RADIUS server. For example, the RADIUS server saves the MAC address of a user for a period of time based on the authentication-free option and the time information for the next login selected by the user. MAC address authentication is preferentially used the next time the user logs in and the login page is not displayed. This attribute can be used for transparent transmission in complex modes such as EAP. |
| 26-241 | HW-User-Addr-Network | ipaddr | User's address segment. |
| 26-242 | HW-DNS-Domain-Name | string | DNS domain name. |
| 26-243 | HW-Auto-Update-URL | string | URL address for version upgrade. |
| 26-244 | HW-Reachable-Detect | string | Server reachability detection information. Authentication packets carrying this attribute are server detection packets. |
| 26-247 | HW-Tariff-Input-Octets | string | Number of upstream bytes at the specified tariff level sent to the accounting server. This field is included in the accounting packets. The unit is Byte, KByte, MByte, or GByte. The format is Tariff level:Number of upstream bytes. An accounting packet can contain the traffic of at most 8 tariff levels. |
| 26-248 | HW-Tariff-Output-Octets | string | Number of downstream bytes at the specified tariff level sent to the accounting server. This field is included in the accounting packets. The unit is Byte, KByte, MByte, or GByte. The format is Tariff level:Number of downstream bytes. An accounting packet can contain the traffic of at most 8 tariff levels. |
| 26-249 | HW-Tariff-Input-Gigawords | string | Number of times the number of upstream bytes at the specified tariff level is larger than 4G. This field and the HW-Tariff-Input-Octets field specify the number of upstream bytes at the specified tariff level. |
| 26-250 | HW-Tariff-Output-Gigawords | string | Number of times the number of downstream bytes at the specified tariff level is larger than 4G. This field and the HW-Tariff-Output-Octets field specify the number of downstream bytes at the specified tariff level. |
| 26-251 | HW-IPv6-Filter-ID | string | User IPv6 ACL ID. The value ranges from 3000 to 3999. |
| 26-254 | HW-Version | string | Software version running on the device. |
| 26-255 | HW-Product-ID | string | NAS product name. |