aaa & radius configuration issue1

26
HUAWEI TECHNOLOGIES CO., LTD. All rights reserved www.huawei.com Internal ISSUE 1.0 AAA & RADIUS Configuration

Post on 10-Apr-2015



Objectives

Upon completion of this course, you will be able to:

Understand the AAA services

Master the basic principles of RADIUS


Course Contents

AAA & RADIUS Configuration (VRP 1.74)

AAA & RADIUS Configuration (VRP 3.40)


AAA Basic Configuration (VRP 1.74)

Related commands:

aaa-enable

aaa accounting-scheme optional

aaa authentication-scheme login { default | methods-list } { method1 [ method2 ... ] }

aaa authentication-scheme ppp { default | methods-list } { method1 } [ method2 ... ]

Method table

5 effective combinations: radius, local, none, radius local, radius none
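An added Python model (not part of the Huawei course) of how the five method combinations behave when the RADIUS server answers versus when it never does. The rule that a later method is consulted only when the earlier one gives no answer is an assumption about the method-list semantics, and the RADIUS account is constructed; the local account is the one used in the course example.

```python
from typing import Callable, Dict, List, Optional

# One method's verdict: True = accept, False = reject, None = no answer
# (RADIUS server unreachable after the retries), so the next method is tried.
Verdict = Optional[bool]
RadiusFn = Callable[[str, str], Verdict]

# The five effective method combinations listed on the slide.
METHOD_LISTS = {"radius": ["radius"], "local": ["local"], "none": ["none"],
                "radius local": ["radius", "local"], "radius none": ["radius", "none"]}

def authenticate(methods: List[str], radius: RadiusFn,
                 local_db: Dict[str, str], user: str, password: str) -> bool:
    """Method-list evaluation (assumed semantics, not quoted from the slides):
    methods are tried in order, a later one is consulted only when the earlier
    one could not answer, and an explicit reject ends the authentication."""
    for method in methods:
        if method == "radius":
            verdict = radius(user, password)
        elif method == "local":
            verdict = local_db.get(user) == password   # unknown user counts as reject
        elif method == "none":
            verdict = True                             # no authentication performed
        else:
            raise ValueError(f"unsupported method {method!r}")
        if verdict is not None:
            return verdict
    return False   # no method could answer: fail closed

# Constructed environment: the local account from the course example and a
# RADIUS server that knows only one (constructed) account.
LOCAL_DB = {"localuser": "localpass"}
RADIUS_DB = {"radiususer": "radiuspass"}

def radius_up(user: str, password: str) -> Verdict:
    return RADIUS_DB.get(user) == password

def radius_down(user: str, password: str) -> Verdict:
    return None   # retransmissions exhausted, the server never answered

def outcome(method_list: str, server: RadiusFn, user: str, password: str) -> bool:
    return authenticate(METHOD_LISTS[method_list], server, LOCAL_DB, user, password)
```

Under this model "radius none" lets every login through while the server is unreachable, and "radius local" falls back to the local database only when RADIUS gives no answer, never after an explicit reject.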


Local User Database (VRP 1.74)

Local user database (user information):

User name

Password

Services

Calling number

Callback number

FTP directory

Related commands:

local-user

display aaa user


AAA Configuration Commands (VRP 1.74)

Start the AAA service:

[Quidway] aaa-enable

Configure the default authentication method table for PPP users:

[Quidway] aaa authentication-scheme login default local

Keep user access available even when accounting is impossible ("charging impossible"), i.e. do not enforce accounting:

[Quidway] aaa accounting-scheme optional

Apply the default method table to the PPP-encapsulated interface:

[Quidway-Serial0] ppp authentication-mode pap scheme default


Debugging Information (VRP 1.74)

Display active users:

display aaa user

Primitive debugging information:

debugging radius primitive

Event debugging information:

debugging radius event


RADIUS Basic Configuration (VRP 1.74)

Configure the RADIUS server:

radius server { hostname | ip-address } [ authentication-port port-number ] [ accounting-port port-number ]

radius shared-key string

Configure the retransmission parameters:

radius-server retransmit

radius-server timeout

Configure the real-time accounting function:

radius-server realtime-acct-timeout


RADIUS Configuration Commands (VRP 1.74) - I

Start AAA:

[Quidway] aaa-enable

Configure the PPP user default authentication method table:

[Quidway] aaa authentication-scheme login default radius local

Configure the RADIUS server IP addresses and ports, using the default port numbers:

[Quidway] radius server 129.7.66.68

[Quidway] radius server 129.7.66.66 accounting-port 0

[Quidway] radius server 129.7.66.67 authentication-port 0


RADIUS Configuration Commands (VRP 1.74) – Cont.

Configure the RADIUS server key, number of retransmissions, and duration of the timeout timer:

[Quidway] radius shared-key this-is-my-secret

[Quidway] radius retry 2

[Quidway] radius timer response-timeout 5

Apply the default method table to the PPP-encapsulated interface:

[Quidway-Serial0] ppp authentication-mode pap scheme default


RADIUS Packet Debugging Command (VRP 1.74)

Packet debugging information switch:

debugging radius packet

Used to help diagnose RADIUS faults.

It can be used to observe the transmission and reception of packets and the contents of entire RADIUS packets.


Course Contents

AAA & RADIUS Configuration (VRP 1.74)

AAA & RADIUS Configuration (VRP 3.40)


Configure AAA (VRP 3.40) - I

Create/delete an ISP domain (users are identified as userid@isp-name):

domain [ isp-name | default { disable | enable isp-name } ]

One access device may serve users of different ISPs.

Each ISP domain can be configured with its own domain attributes.

A default domain can be enabled or disabled (domain default { disable | enable isp-name }).


Configure AAA (VRP 3.40) - II

Configure the relevant attributes of an ISP domain:

The RADIUS server group (scheme) used by the domain:

radius-scheme radius-scheme-name

Each ISP domain is either active or blocked:

state { active | block }

Maximum number of supplicants:

access-limit { disable | enable max-user-number }

The idle-cut function:

idle-cut { disable | enable minutes flow }


Configure AAA (VRP 3.40) - III

Add a local user:

[undo] local-user user-name

password { simple | cipher } password

service-type { telnet [ level level ] | ftp [ ftp-directory directory ] | lan-access }

attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlanid | location [ nas-ip ip-address ] port portnum }

state { active | block }

Disconnect a user by force:

cut connection { all | access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }


Configure RADIUS Protocol (VRP 3.40) - I

Attributes of every RADIUS server group:

IP addresses of the primary and secondary servers

Shared key

RADIUS server type

Create a RADIUS server group:

radius scheme radius-server-name

Set the IP address and port number of a RADIUS server:

primary { authentication | accounting } ip-address [ port-number ]

secondary { authentication | accounting } ip-address [ port-number ]


Configure RADIUS Protocol (VRP 3.40) - II

Configure the shared key of a RADIUS server group:

local-server nas-ip ip-address key password

Set the supported type of RADIUS server:

server-type { huawei | iphotel | portal | standard }

Set the RADIUS server state:

state primary { accounting | authentication } { block | active }

state secondary { accounting | authentication } { block | active }

Set the username format transmitted to the RADIUS server:

user-name-format { with-domain | without-domain }


Display and Debugging (VRP 3.40) - I

Display information about the ISP domains:

display domain [ isp-name ]

Display information about users' connections:

display connection [ access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name ]

Display information about the RADIUS server groups:

display radius [ radius-server-name ]


Display and Debugging (VRP 3.40) - II

Enable RADIUS packet debugging:

debugging radius packet

Enable debugging of the local RADIUS server group:

debugging local-server { all | error | event | packet }


AAA/RADIUS Configuration Example (VRP 3.40) - I

To control access to the VRP CLI, router RTA is configured with RADIUS authentication.

All the supplicants belong to the default domain huawei.com.

[Figure: supplicants reach the authenticator RTA over the Internet; RTA queries a RADIUS server cluster (authentication servers) with IP addresses 10.11.1.1 and 10.11.1.2]


AAA/RADIUS Configuration Example (VRP 3.40) - II

RADIUS authentication is performed first; if the RADIUS server fails to respond, local authentication is used.

RADIUS parameters:

Shared (encryption) key for authentication: "name"

Shared (encryption) key for accounting: "money"

Retransmit packets (5 seconds per attempt; no more than 5 attempts)

Real-time accounting: every 15 minutes.

Domain: huawei

Local authentication:

User: "localuser"

Password: localpass


AAA/RADIUS Configuration Example (VRP 3.40) - III

Create the RADIUS server group radius1 and enter its configuration mode:

[Quidway] radius scheme radius1

Set the IP addresses of the primary RADIUS servers:

[Quidway-radius-radius1] primary authentication 10.11.1.1

[Quidway-radius-radius1] primary accounting 10.11.1.2

Set the IP addresses of the secondary RADIUS servers:

[Quidway-radius-radius1] secondary authentication 10.11.1.2

[Quidway-radius-radius1] secondary accounting 10.11.1.1


AAA/RADIUS Configuration Example (VRP 3.40) - IV

Set the shared key used with the authentication RADIUS server:

[Quidway-radius-radius1] key authentication name

Set the shared key used with the accounting RADIUS server:

[Quidway-radius-radius1] key accounting money

Set the response timeout (seconds) and the number of retransmissions to the RADIUS server:

[Quidway-radius-radius1] timer 5

[Quidway-radius-radius1] retry 5

Set the interval (minutes) at which real-time accounting packets are sent to the RADIUS server:

[Quidway-radius-radius1] timer realtime-accounting 15

Send user names to the RADIUS server with the domain name removed:

[Quidway-radius-radius1] user-name-format without-domain

[Quidway-radius-radius1] quit


AAA/RADIUS Configuration Example (VRP 3.40) - V

Create the user domain huawei.com:

[Quidway] domain huawei.com

Specify radius1 as the RADIUS server group for users of this domain:

[Quidway-isp-huawei.com] radius-scheme radius1

Specify the authentication modes for this domain (RADIUS first, then local):

[Quidway-isp-huawei.com] scheme radius-scheme radius1 local

Add a local supplicant and set its parameters:

[Quidway] local-user [email protected]

[[email protected]] password simple localpass

[[email protected]] service-type telnet terminal

Then set huawei.com as the default domain to use for authentication:

[Quidway] domain default enable huawei.com


AAA/RADIUS Configuration Example (VRP 3.40) - VI

Finally, set the authentication mode for the Telnet lines (VTY 0 to 4) to use the AAA scheme:

[Quidway] user-interface vty 0 4

[Quidway-ui-vty0-4] authentication-mode scheme
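As an added illustration (not from the Huawei course) of what the "debugging radius packet" output on the earlier slides exposes, here is the RFC 2865 Access-Request/Access-Accept exchange that the configuration above produces: the user name goes out without its domain (user-name-format without-domain), the PAP password is hidden under the authentication key "name", and the NAS accepts a reply only after checking its Response Authenticator with the same key. The NAS address 10.11.1.254 and the fixed Request Authenticator are assumptions made for this example.

```python
import hashlib, hmac, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                  # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4    # attribute types used here

def nas_user_name(user: str, with_domain: bool) -> str:
    """Mirror 'user-name-format { with-domain | without-domain }'."""
    return user if with_domain else user.split("@", 1)[0]

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident: int, req_auth: bytes, user: str, password: str,
                         secret: bytes, nas_ip: bytes) -> bytes:
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: trust a reply only if its Response Authenticator verifies under our key."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = build_response(resp[0], resp[1], req_auth, resp[20:], secret)[4:20]
    return hmac.compare_digest(resp[4:20], expected)

# Constructed exchange: an assumed NAS address 10.11.1.254 authenticates localuser@huawei.com
# against the primary authentication server using the key "name" from the course example.
REQ_AUTH = bytes(range(16))   # fixed for reproducibility; a real NAS draws this at random
SECRET = b"name"
REQUEST = build_access_request(7, REQ_AUTH, nas_user_name("localuser@huawei.com", False),
                               "localpass", SECRET, bytes([10, 11, 1, 254]))
ACCEPT = build_response(ACCESS_ACCEPT, 7, REQ_AUTH, b"", SECRET)
```

Because the password hiding is only an MD5 keystream derived from the shared key, the key itself and any packet-level debug output that prints whole RADIUS packets both need the same protection as the user passwords.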


Thank You