7163984 aaa radius configuration issue1

Upload: simon-liew

Post on 06-Apr-2018


  • 8/2/2019 7163984 Aaa Radius Configuration Issue1

    1/26

    HUAWEI TECHNOLOGIES CO., LTD. All rights reserved

    www.huawei.com

    Internal

    ISSUE 1.0

    AAA & RADIUS

    Configuration


    Objectives

    Upon completion of this course, you will be able to:

    Understand the AAA services

    Master the basic principles of RADIUS


    Course Contents

    AAA & RADIUS Configuration (VRP 1.74)

    AAA & RADIUS Configuration (VRP 3.40)


    AAA Basic Configuration (VRP 1.74)

    Related commands:

    aaa-enable

    aaa accounting-scheme optional

    aaa authentication-scheme login { default | methods-list } { method1 [ method2 ... ] }

    aaa authentication-scheme ppp { default | methods-list } { method1 } [ method2 ... ]

    Method table: five effective combinations: radius; local; none; radius local; radius none


    Local User Database (VRP 1.74)

    Local user database fields: user name, password, services, calling number, callback number, FTP directory

    Related commands:

    local-user

    display aaa user (displays user information)


    AAA Configuration Commands (VRP 1.74)

    Start the AAA service:

    [Quidway] aaa-enable

    Configure the default authentication method table for PPP users:

    [Quidway] aaa authentication-scheme login default local

    Make accounting optional, so that user access is still allowed when accounting cannot be performed (no charging):

    [Quidway] aaa accounting-scheme optional

    Apply the default method table to the PPP-encapsulated interface:

    [Quidway-Serial0] ppp authentication-mode pap scheme default


    Debugging Information (VRP 1.74)

    Display active users:

    display aaa user

    Primitive debugging information:

    debugging radius primitive

    Event debugging information:

    debugging radius event


    RADIUS Basic Configuration (VRP 1.74)

    Configure the RADIUS server:

    radius server { hostname | ip-address } [ authentication-port port-number ] [ accounting-port port-number ]

    radius shared-key string

    Configure the retransmission parameters:

    radius-server retransmit

    radius-server timeout

    Configure the real-time accounting function:

    radius-server realtime-acct-timeout


    RADIUS Configuration Commands (VRP 1.74) - I

    Start AAA:

    [Quidway] aaa-enable

    Configure the default authentication method table for PPP users:

    [Quidway] aaa authentication-scheme login default radius local

    Configure the RADIUS server IP addresses and ports (the default port numbers apply where none is given):

    [Quidway] radius server 129.7.66.68

    [Quidway] radius server 129.7.66.66 accounting-port 0

    [Quidway] radius server 129.7.66.67 authentication-port 0


    RADIUS Configuration Commands (VRP 1.74) Cont.

    Configure the RADIUS shared key, the number of retransmissions and the response timeout:

    [Quidway] radius shared-key this-is-my-secret

    [Quidway] radius retry 2

    [Quidway] radius timer response-timeout 5

    Apply the default method table to the PPP-encapsulated interface:

    [Quidway-Serial0] ppp authentication-mode pap scheme default


    RADIUS Packet Debugging Command (VRP 1.74)

    Packet debugging switch:

    debugging radius packet

    Used to help diagnose RADIUS faults: it shows the transmission and reception of packets and the contents of each RADIUS packet.
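Slides 8 to 11 configure a shared key and a packet debugging switch for looking at RADIUS packets on the wire. The following Python program is an added example, not code from this deck or from Huawei: it builds an Access-Request as RFC 2865 specifies, hides User-Password with the shared key, answers it on the server side, and checks the Response Authenticator on the reply, which is what lets the NAS discard a reply forged without the key. The NAS address 10.11.1.254, the user localuser/localpass and the server's user table are constructed values; the key reuses the deck's this-is-my-secret.

```python
# RADIUS Access-Request / reply exchange per RFC 2865, showing the two places the
# shared key is used: hiding User-Password and authenticating the server's reply.
# Added example, not VRP code. NAS address, user and user table are constructed.
import hashlib
import hmac
import ipaddress
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4       # attribute types used here


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; with the wrong secret the result is garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding of a list of (type, value) attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code: int, identifier: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject bad lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match the packet size")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or data[i + 1] < 2 or i + data[i + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return code, identifier, data[4:20], attrs


def build_access_request(username: str, password: str, nas_ip: str,
                         secret: bytes, identifier: int = 1) -> bytes:
    """NAS side: a fresh random Request Authenticator keys the password hiding."""
    request_auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)]
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, request_auth, attrs, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def handle_access_request(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password with the server's copy of the key and answer."""
    code, identifier, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    name = fields.get(USER_NAME, b"").decode(errors="replace")
    password = unhide_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and name in users and users[name].encode() == password
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, identifier, request_auth, [], secret)
    return build_packet(reply, identifier, auth, [])


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: trust a reply only if its identifier and Response Authenticator check out."""
    code, identifier, authenticator, attrs = parse_packet(response)
    _, req_id, request_auth, _ = parse_packet(request)
    expected = response_authenticator(code, identifier, request_auth, attrs, secret)
    return identifier == req_id and hmac.compare_digest(authenticator, expected)


if __name__ == "__main__":
    key = b"this-is-my-secret"
    req = build_access_request("localuser", "localpass", "10.11.1.254", key, identifier=7)
    reply = handle_access_request(req, key, {"localuser": "localpass"})
    print("accept" if parse_packet(reply)[0] == ACCESS_ACCEPT else "reject",
          "| reply authentic:", verify_response(reply, req, key))
```

A mismatched shared key between the router and the server shows up in two ways this code reproduces: the server recovers garbage from User-Password and answers Access-Reject, and the router cannot validate the authenticator on that reply. The length checks in parse_packet are the minimum a receiver needs before it trusts the attribute list of a packet taken from the wire.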


    Course Contents

    AAA & RADIUS Configuration (VRP 1.74)

    AAA & RADIUS Configuration (VRP 3.40)


    Configure AAA (VRP 3.40) - I

    Create/delete an ISP domain (users are identified as userid@isp-name):

    domain [ isp-name | default { disable | enable isp-name } ]

    One access device may serve the users of different ISPs; each ISP domain can be configured with its own domain attributes, and one domain can be set as the default domain.


    Configure AAA (VRP 3.40) - II

    Configure the attributes of an ISP domain:

    The RADIUS server group adopted by the domain: radius-scheme radius-scheme-name

    Every ISP domain has an active/block state: state { active | block }

    Maximum number of supplicants: access-limit { disable | enable max-user-number }

    The idle-cut function: idle-cut { disable | enable minutes flow }


    Configure AAA (VRP 3.40) - III

    Add a local user:

    [undo] local-user user-name

    password { simple | cipher } password

    service-type { telnet [ level level ] | ftp [ ftp-directory directory ] | lan-access }

    attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlanid | location [ nas-ip ip-address ] port portnum }

    state { active | block }

    Disconnect a user by force:

    cut connection { all | access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }


    Configure RADIUS Protocol (VRP 3.40) - I

    Attributes of every RADIUS server group: IP addresses of the primary and secondary servers, shared key, RADIUS server type

    Create a RADIUS server group:

    radius scheme radius-server-name

    Set the IP address and port number of the RADIUS servers:

    primary { authentication | accounting } ip-address [ port-number ]

    secondary { authentication | accounting } ip-address [ port-number ]


    Configure RADIUS Protocol (VRP 3.40) - II

    Configure the shared key of the RADIUS server group:

    local-server nas-ip ip-address key password

    Set the supported RADIUS server type:

    server-type { huawei | iphotel | portal | standard }

    Set the RADIUS server state:

    state primary { accounting | authentication } { block | active }

    state secondary { accounting | authentication } { block | active }

    Set the username format transmitted to the RADIUS server:

    user-name-format { with-domain | without-domain }


    Display and Debugging (VRP 3.40) - I

    Display ISP domain information:

    display domain [ isp-name ]

    Display user connection information:

    display connection [ access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name ]

    Display RADIUS server group information:

    display radius [ radius-server-name ]


    Display and Debugging (VRP 3.40) - II

    Enable RADIUS packet debugging:

    debugging radius packet

    Enable debugging of the local RADIUS server group:

    debugging local-server { all | error | event | packet }


    AAA/RADIUS Configuration Example (VRP 3.40) - I

    Router RTA is configured with RADIUS for access to the VRP CLI. All supplicants belong to the default domain huawei.com.

    [Topology figure: Supplicant -> Authenticator RTA -> Internet -> Authentication Servers (RADIUS server cluster, IP addresses 10.11.1.1 and 10.11.1.2)]


    AAA/RADIUS Configuration Example (VRP 3.40) - II

    RADIUS authentication is performed first; local authentication is used only in case of RADIUS server failure.

    RADIUS parameters:

    Encryption key for authentication: name

    Encryption key for accounting: money

    Retransmission: every 5 seconds, no more than 5 times

    Real-time accounting: every 15 minutes

    Domain: huawei

    Local authentication:

    User: localuser

    Password: localpass


    AAA/RADIUS Configuration Example (VRP 3.40) - III

    Create the RADIUS group radius1 and enter its configuration view:

    [Quidway] radius scheme radius1

    Set the IP addresses of the primary RADIUS servers:

    [Quidway-radius-radius1] primary authentication 10.11.1.1

    [Quidway-radius-radius1] primary accounting 10.11.1.2

    Set the IP addresses of the secondary RADIUS servers:

    [Quidway-radius-radius1] secondary authentication 10.11.1.2

    [Quidway-radius-radius1] secondary accounting 10.11.1.1


    AAA/RADIUS Configuration Example (VRP 3.40) - IV

    Set the encryption key shared with the authentication RADIUS server:

    [Quidway-radius-radius1] key authentication name

    Set the encryption key shared with the accounting RADIUS server:

    [Quidway-radius-radius1] key accounting money

    Set the response timeout and the number of retransmissions to the RADIUS server:

    [Quidway-radius-radius1] timer 5

    [Quidway-radius-radius1] retry 5

    Set the interval for transmitting real-time accounting packets to the RADIUS server:

    [Quidway-radius-radius1] timer realtime-accounting 15

    Send the user name to the RADIUS server with the domain name removed:

    [Quidway-radius-radius1] user-name-format without-domain

    [Quidway-radius-radius1] quit


    AAA/RADIUS Configuration Example (VRP 3.40) - V

    Create the user domain huawei.com:

    [Quidway] domain huawei.com

    Specify radius1 as the RADIUS server group for the users:

    [Quidway-isp-huawei.com] radius-scheme radius1

    Specify the authentication modes for this domain (RADIUS, then local):

    [Quidway-isp-huawei.com] scheme radius-scheme radius1 local

    Add a local supplicant and set its parameters:

    [Quidway] local-user localuser@huawei.com

    [Quidway-luser-localuser@huawei.com] password simple localpass

    [Quidway-luser-localuser@huawei.com] service-type telnet terminal

    Then set huawei.com as the default domain to use for authentication:

    [Quidway] domain default enable huawei.com


    AAA/RADIUS Configuration Example (VRP 3.40) - VI

    Finally, set the authentication mode for the Telnet lines:

    [Quidway] user-interface vty 0 4

    [Quidway-ui-vty0-4] authentication-mode scheme
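The example above states the method order (RADIUS first, local only when the RADIUS servers fail) and configures the timer and retry values, the without-domain user-name format and the default domain. The following Python model is an added example, not VRP's implementation, that ties those settings together so the fallback behaviour can be checked rather than assumed. It assumes that a server which stays silent is re-sent to `retry` times after the first attempt with `timer` seconds per wait, that only a silent server moves AAA on to the next method (an Access-Reject is final), and that local users are stored as user@domain, the way the deck creates localuser@huawei.com. The simulated servers and the user alice are constructed.

```python
# Model of a VRP-style ISP domain applying a "radius local" method list.
# Added illustration, not VRP code. Assumptions: a server that stays silent is
# re-sent to `retry` times after the first attempt, each wait lasting `timer`
# seconds; only a silent server moves AAA on to the next method (an
# Access-Reject is final); local users are stored as user@domain.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# A simulated RADIUS server: returns "accept", "reject", or None (no reply).
RadiusServer = Callable[[str, str], Optional[str]]


@dataclass
class RadiusScheme:
    name: str
    server: RadiusServer
    timer: int = 3                          # seconds to wait for each reply
    retry: int = 3                          # retransmissions after the first send
    user_name_format: str = "with-domain"   # or "without-domain"


@dataclass
class Domain:
    name: str
    methods: Tuple[str, ...]                # method list, e.g. ("radius", "local")
    radius_scheme: Optional[RadiusScheme] = None
    local_users: Dict[str, str] = field(default_factory=dict)   # user@domain -> password
    state: str = "active"


def qualify(user_id: str, default_domain: str) -> str:
    """userid@isp-name stays as typed; a bare user id joins the default domain."""
    return user_id if "@" in user_id else f"{user_id}@{default_domain}"


def radius_authenticate(scheme: RadiusScheme, user_id: str, password: str):
    """Send, retransmit while silent; return ("accept"|"reject"|"failed", seconds waited)."""
    name = user_id.rsplit("@", 1)[0] if scheme.user_name_format == "without-domain" else user_id
    waited = 0
    for _ in range(scheme.retry + 1):
        reply = scheme.server(name, password)
        if reply is not None:
            return reply, waited
        waited += scheme.timer
    return "failed", waited


def authenticate(user_id: str, password: str, domains: Dict[str, Domain], default_domain: str) -> dict:
    """Walk the domain's method list; report the decision, the deciding method and time spent."""
    full_id = qualify(user_id, default_domain)
    domain = domains.get(full_id.rsplit("@", 1)[1])
    if domain is None or domain.state != "active":
        return {"decision": "reject", "method": "domain", "seconds": 0}
    waited = 0
    for method in domain.methods:
        if method == "radius" and domain.radius_scheme is not None:
            result, spent = radius_authenticate(domain.radius_scheme, full_id, password)
            waited += spent
            if result != "failed":
                return {"decision": result, "method": "radius", "seconds": waited}
            continue    # servers unreachable: fall through to the next method
        if method == "local":
            ok = domain.local_users.get(full_id) == password
            return {"decision": "accept" if ok else "reject", "method": "local", "seconds": waited}
        if method == "none":
            return {"decision": "accept", "method": "none", "seconds": waited}
    return {"decision": "reject", "method": "exhausted", "seconds": waited}


def example_domains(server: RadiusServer, methods=("radius", "local")) -> Dict[str, Domain]:
    """The deck's huawei.com domain: scheme radius1 (timer 5, retry 5, without-domain)
    and the local user localuser/localpass."""
    radius1 = RadiusScheme("radius1", server, timer=5, retry=5, user_name_format="without-domain")
    return {"huawei.com": Domain("huawei.com", tuple(methods), radius1,
                                 {"localuser@huawei.com": "localpass"})}


if __name__ == "__main__":
    silent = lambda name, pw: None   # constructed: both RADIUS servers down
    print(authenticate("localuser", "localpass", example_domains(silent), "huawei.com"))
```

Two things the model makes visible. With "radius local", a user the server rejects is not retried against the local database, so a local account is not a way around a RADIUS reject; the local user only matters once the servers have gone silent, which under timer 5 / retry 5 takes 30 seconds of waiting under the assumptions stated above. With "radius none", the same silence lets anyone in, so that combination is a deliberate availability-over-security choice and should be verified against display domain output rather than assumed.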


    www.huawei.com

    Thank You