Ethernet Switches
Configuration Guide - User Access and Authentication
1 AAA Configuration
Definition
AAA is an architectural framework for configuring a set of three independent
security functions (authentication, authorization, and accounting) in a consistent
manner. AAA provides a modular way of performing these three services.
Purpose
AAA provides authentication, authorization, and accounting functions for users,
preventing unauthorized users from logging in to a switch and improving system
security.
As shown in Table 1-1, AAA divides users into administrators and access users to
provide more refined and differentiated authentication, authorization, and
accounting services. An NAS has two global default domains, namely, the global
default administrative domain default_admin and the global default common
domain default. The two domains are used as the global default domains for
administrators and access users, respectively. Default configurations in the two
domains are different.
NOTE
The accounting scheme default is bound to the two global default domains. Modifying the
accounting scheme may affect configurations of the two domains.
The two global default domains cannot be deleted and can only be modified.
Table 1-1 (only the administrator row is legible in this extract)
Administrator | Is also called a login user and refers to the user who can log in to the NAS through FTP, HTTP, SSH, Telnet, and the console port. | default_admin | default (local authentication) | default (non-accounting) | N/A
The global default domain can be customized based on actual requirements. The
customized global default domain can be the global default common domain and
the global default management domain at the same time.
You can run the display aaa configuration command to check the current global
default common domain and the global default management domain on the NAS.
The command output is as follows:
<HUAWEI> display aaa configuration
Domain Name Delimiter :@
Domainname parse direction : Left to right
Domainname location : After-delimiter
Administrator user default domain: default_admin //Global default management domain
Normal user default domain : default //Global default common domain
For some access modes, you can specify the domain to which a user belongs using
the command provided in the corresponding authentication profile to meet
requirements of the user authentication management policy. For example, you can
configure a default domain and a forcible domain for NAC access users on the
NAS based on the authentication profile and specify the user type (802.1X, MAC
address, or Portal authenticated user), achieving flexible configuration. The
forcible domain, default domain, and domain carried in the user name are listed in
descending order of the priority.
NOTE
● Only RADIUS authentication supports modification of the user-entered original user names.
● You can change the user-entered original user name based on the RADIUS server template.
An NAS can determine whether a user name sent to the RADIUS server contains
the domain name based on the RADIUS server requirements. By default, an NAS
directly sends the user-entered original user name to the RADIUS server without
changing it.
You can set the format of user names sent by an NAS to the RADIUS server using
the commands in Table 1-2.
The following commands modify only the user name format in RADIUS packets
sent to the RADIUS server and do not modify the user name format in EAP
packets. During 802.1X authentication, the RADIUS server checks whether the user
name carried in EAP packets is the same as that on the RADIUS server. Therefore,
you cannot modify the original user name using the radius-server user-name
domain-included or undo radius-server user-name domain-included command
during 802.1X authentication; otherwise, authentication may fail.
Table 1-2 Setting the format of user names sent by an NAS to the RADIUS server
User-Entered User Name | User Name Sent to the RADIUS Server
user-name | user-name@default (domain included; assumes that users use the default domain default)
user-name | user-name (domain not included)
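The following Python is an added illustration, not code from the Huawei guide, of the three mechanisms described above: splitting a user name at the configured delimiter according to the parse direction and domain location shown in the display aaa configuration output, placing a user in the global default domain of its user type (default_admin or default) when the name carries no domain, with an optional forcible domain taking precedence, and producing the user name in the original, domain-included or domain-excluded format of Table 1-2. The mode strings, the "administrator"/"access" user-type labels and the ordering "forcible, then carried, then global default" are this example's own assumptions; the authentication-profile default domain for NAC users is not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Global default domains named in the text: administrators -> default_admin, access users -> default.
GLOBAL_DEFAULT_DOMAIN = {"administrator": "default_admin", "access": "default"}


@dataclass
class DomainParseConfig:
    """Mirrors the first three lines of 'display aaa configuration'."""
    delimiter: str = "@"                 # Domain Name Delimiter
    left_to_right: bool = True           # Domainname parse direction
    domain_after_delimiter: bool = True  # Domainname location: After-delimiter


def split_user_name(raw: str, cfg: DomainParseConfig) -> Tuple[str, Optional[str]]:
    """Return (pure user name, domain carried in the name or None)."""
    if cfg.delimiter not in raw:
        return raw, None
    # The parse direction decides which delimiter counts when the name contains several.
    if cfg.left_to_right:
        left, _, right = raw.partition(cfg.delimiter)
    else:
        left, _, right = raw.rpartition(cfg.delimiter)
    if cfg.domain_after_delimiter:
        return left, (right or None)
    return right, (left or None)


def resolve_domain(raw: str, cfg: DomainParseConfig, user_type: str,
                   forcible_domain: Optional[str] = None) -> str:
    """Domain the user is placed in. Assumed order: forcible domain, then the domain
    carried in the name, then the global default domain for the user type."""
    _, carried = split_user_name(raw, cfg)
    if forcible_domain:
        return forcible_domain
    if carried:
        return carried
    return GLOBAL_DEFAULT_DOMAIN[user_type]


def radius_user_name(raw: str, cfg: DomainParseConfig, user_type: str, mode: str) -> str:
    """User name written into RADIUS packets. The mode names are this example's labels:
    "original"        -> sent unchanged (the default behaviour described in the text)
    "domain-included" -> always carries a domain; the global default is appended if none
    "domain-excluded" -> the domain part is stripped"""
    pure, carried = split_user_name(raw, cfg)
    if mode == "original":
        return raw
    if mode == "domain-excluded":
        return pure
    if mode == "domain-included":
        domain = carried or GLOBAL_DEFAULT_DOMAIN[user_type]
        if cfg.domain_after_delimiter:
            return f"{pure}{cfg.delimiter}{domain}"
        return f"{domain}{cfg.delimiter}{pure}"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    cfg = DomainParseConfig()
    for name in ("alice", "alice@corp"):   # constructed sample names
        print(name, "->", resolve_domain(name, cfg, "access"),
              radius_user_name(name, cfg, "access", "domain-included"))
```

Right-to-left parsing matters only when a name contains the delimiter more than once; the two calls with "a@b@c" in the checks below show the difference.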
During AAA implementation, you can define a set of AAA configuration policies
using an AAA scheme. An AAA scheme contains a collection of authentication,
authorization, and accounting methods defined on an NAS. Such methods can be
used in combination depending on access features of users and security
requirements.
The NAS attempts authentication with the next listed authentication method only when there is
no response from the previous method. If authentication fails at any point in this cycle —
meaning that the AAA server responds by denying the user access — the authentication process
stops and no other authentication methods are attempted.
An authorization scheme is used to define methods for user authorization and the
order in which authorization methods take effect. An authorization scheme is
applied to a domain. It is combined with the authentication scheme, accounting
scheme, and server template in the domain for user authentication, authorization,
and accounting.
authorization in case the initial method does not respond. The first method listed
in the scheme is used to authorize users; if that method does not respond, the
next authorization method in the authorization scheme is selected. If the initial
method responds with an authorization failure message, the AAA server refuses to
provide services for the user. In this case, authorization ends and the next listed
method is not used.
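As an added example (not code from the guide), the following Python walks an ordered method list with the fall-through rule stated above for both authentication and authorization schemes: only a method that does not respond hands over to the next one, while an explicit accept or reject ends the cycle. The method names "radius" and "local" and the Reply outcomes are constructed for the example.

```python
from enum import Enum
from typing import Dict, List, Tuple


class Reply(Enum):
    ACCEPT = "accept"              # the method grants the request
    REJECT = "reject"              # the AAA server (or local database) denies the user
    NO_RESPONSE = "no-response"    # the method is silent, e.g. the RADIUS server is unreachable


def run_scheme(methods: List[str], outcomes: Dict[str, Reply]) -> Tuple[Reply, List[str]]:
    """Evaluate an ordered method list; returns the final reply and the methods tried."""
    tried: List[str] = []
    for method in methods:
        tried.append(method)
        reply = outcomes.get(method, Reply.NO_RESPONSE)
        if reply is Reply.NO_RESPONSE:
            continue                # a silent method is the only case that moves on
        return reply, tried         # accept or reject stops the cycle here
    return Reply.NO_RESPONSE, tried  # every listed method was silent


def login(auth_methods: List[str], authz_methods: List[str],
          auth_outcomes: Dict[str, Reply], authz_outcomes: Dict[str, Reply]) -> Dict:
    """Authentication scheme first; the authorization scheme runs only after an accept."""
    auth_reply, auth_tried = run_scheme(auth_methods, auth_outcomes)
    if auth_reply is not Reply.ACCEPT:
        return {"result": auth_reply.value, "stage": "authentication", "tried": auth_tried}
    authz_reply, authz_tried = run_scheme(authz_methods, authz_outcomes)
    if authz_reply is not Reply.ACCEPT:
        return {"result": authz_reply.value, "stage": "authorization",
                "tried": auth_tried + authz_tried}
    return {"result": "accept", "stage": "done", "tried": auth_tried + authz_tried}


if __name__ == "__main__":
    # Constructed scenario: RADIUS unreachable, local database answers.
    print(login(["radius", "local"], ["radius", "local"],
                {"radius": Reply.NO_RESPONSE, "local": Reply.ACCEPT},
                {"radius": Reply.NO_RESPONSE, "local": Reply.ACCEPT}))
```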
Authorization Information
Authorization information can be delivered by a server or configured in a domain.
Whether a user obtains authorization information delivered by a server or in a
domain depends on the authorization method configured in the authorization
scheme. For details, see Figure 1-5.
● If local authorization is used, the user obtains authorization information from
the domain.
● If server-based authorization is used, the user obtains authorization
information from the server or the domain. Authorization information configured
in a domain has lower priority than that delivered by a server. If the two types
of authorization information conflict, the information delivered by the server
takes effect; if they do not conflict, both take effect at the same time. In this
way you can extend authorization flexibly through domain management,
regardless of the authorization attributes provided by the AAA server.
Table 1-3 shows authorization information typically used by a server. Table 1-4
shows authorization information that can be configured in a domain.
Table 1-3 Authorization information delivered by a server
Authorization Information | Description
ACL number | Is delivered by the server. You need to configure the rules of the ACL with that number on the NAS.
ACL rule | Is directly delivered by the server. As defined in the rule, users can access all network resources included in the ACL. You do not need to configure the corresponding ACL on the NAS.
User group/UCL group | The server delivers the user group name, UCL group name, or UCL group ID to the NAS. You need to configure the corresponding group and the network resources in the group on the NAS.
Idle-cut | Idle-cut time delivered by the server. After a user goes online, if the consecutive non-operation period, or the period during which traffic stays below a specified value, exceeds the idle-cut time, the user is disconnected.
Table 1-4 Authorization information configured in a domain
Authorization Information | Description
User group (common mode) | A user group consists of users (terminals) with the same attributes, such as role and rights. For example, you can divide users on a campus network into the R&D group, finance group, marketing group, and guest group based on the enterprise department structure, and grant different security policies to different departments. You need to configure a user group and the corresponding network resources in the group on the NAS.
UCL group (unified mode) | UCL groups identify user types. The administrator can add the users requiring the same network access policy to the same UCL group, and configure a set of network access policies for the group. You need to configure a UCL group and the corresponding network resources in the group on the NAS.
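The two rules above, server-delivered information overriding conflicting domain information while non-conflicting information from both applies, and Tables 1-3 and 1-4's point that an ACL number or group name only takes effect if the matching object is already configured on the NAS, are illustrated by this added Python (not the guide's code). The attribute keys ("acl-number", "acl-rules", "user-group", "ucl-group", "idle-cut"), the NasConfig record and the sample values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class NasConfig:
    """Objects the administrator has pre-configured on the NAS (constructed sample)."""
    acls: Set[int] = field(default_factory=set)          # ACL numbers whose rules exist
    user_groups: Set[str] = field(default_factory=set)   # user groups (common mode)
    ucl_groups: Set[str] = field(default_factory=set)    # UCL groups (unified mode)


def combine_authorization(method: str, domain_authz: Dict, server_authz: Dict) -> Dict:
    """Local authorization: domain only. Server-based: both, server winning on conflict."""
    if method == "local":
        return dict(domain_authz)
    if method == "server":
        merged = dict(domain_authz)
        merged.update(server_authz)    # a server-delivered key replaces the domain's value
        return merged
    raise ValueError(f"unknown authorization method {method!r}")


def apply_authorization(authz: Dict, nas: NasConfig) -> Dict[str, List[str]]:
    """Check each attribute against the NAS-side prerequisites from Tables 1-3/1-4."""
    applied: List[str] = []
    rejected: List[str] = []
    for key, value in authz.items():
        if key == "acl-number":            # the numbered ACL must have rules on the NAS
            (applied if value in nas.acls else rejected).append(f"acl-number={value}")
        elif key == "acl-rules":           # delivered directly; nothing must pre-exist
            applied.append(f"acl-rules={len(value)} rule(s)")
        elif key == "user-group":
            (applied if value in nas.user_groups else rejected).append(f"user-group={value}")
        elif key == "ucl-group":
            (applied if value in nas.ucl_groups else rejected).append(f"ucl-group={value}")
        elif key == "idle-cut":            # (minutes, kbit/s) pair; no NAS prerequisite
            applied.append(f"idle-cut={value}")
        else:
            rejected.append(f"{key}=unsupported")
    return {"applied": applied, "rejected": rejected}


if __name__ == "__main__":
    nas = NasConfig(acls={3001}, user_groups={"rd"})
    merged = combine_authorization("server",
                                   {"user-group": "guest", "idle-cut": (15, 60)},
                                   {"user-group": "rd", "acl-number": 3002})
    print(apply_authorization(merged, nas))
```

The "rejected" list is the practical check a practitioner wants: an Access-Accept that names ACL 3002 silently grants nothing if that ACL was never created on the switch.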
authentication and authorization speed of a local AAA server is faster than that of
a remote AAA server, which reduces operation costs. However, the information
storage capacity of a local AAA server is subject to the device hardware.
When an administrator creates local users on a device, the length and complexity
of local users' passwords are controlled by commands on the device. The
complexity check requires that a password combine at least two of the following:
digits, lowercase letters, uppercase letters, and special characters. In addition, a
password must consist of at least eight characters.
After the local administrator password policy is enabled, the local administrator
can set the password validity period. The default validity period is 90 days and can
be changed.
If the password of a local user expires and the local user still uses this password to
log in to the device, the device prompts the user that the password has expired,
and asks the user whether to change the password. The device then performs the
following operations depending on the user selection:
● If the user enters Y, the user needs to enter the old password, new password,
and confirm password. The password can be successfully changed only when
the old password is correct and the new password and confirm password are
the same and meet password length and complexity requirements.
● If the user enters N or fails to change the password, the device does not allow
the user to log in.
The device also supports the password expiration prompt function. When a user
logs in to the device, the device checks for how many more days the password is
valid. If that number of days is less than the prompt days set in the command, the
device notifies the user how long remains until the password expires and asks the
user whether to change the password.
● If the user changes the password, the device records the new password and
modification time.
● If the user does not change the password or fails to change the password, the
user can still log in to the device as long as the password has not expired.
During password modification, you are not advised to use old passwords. By
default, the new password cannot be the same as those used for the last five
times.
The local administrator can change the password of an equal- or lower-level local
user.
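The local password policy described above (at least eight characters from at least two character classes, a 90-day default validity period, an expiration prompt threshold, and a five-entry history) is modelled in this added Python; it is an illustration, not the device's implementation. Passwords are compared through a plain SHA-256 digest, a simplification for the example; the LocalUser record and its field names are constructed.

```python
import hashlib
import string
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MIN_LENGTH = 8             # at least eight characters
MIN_CLASSES = 2            # at least two of: digits, lowercase, uppercase, special characters
HISTORY_DEPTH = 5          # new password may not equal any of the last five
DEFAULT_VALIDITY_DAYS = 90


def _digest(pw: str) -> str:
    # Simplified stand-in for the device's own password storage.
    return hashlib.sha256(pw.encode()).hexdigest()


def complexity_ok(pw: str) -> bool:
    classes = (
        any(c.isdigit() for c in pw),
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= MIN_LENGTH and sum(classes) >= MIN_CLASSES


@dataclass
class LocalUser:
    name: str
    history: List[str]                  # digests, newest first; history[0] is current
    changed_on: date
    validity_days: int = DEFAULT_VALIDITY_DAYS

    def days_left(self, today: date) -> int:
        return self.validity_days - (today - self.changed_on).days


def make_user(name: str, password: str, changed_on: date) -> LocalUser:
    return LocalUser(name, [_digest(password)], changed_on)


def login_status(user: LocalUser, today: date, prompt_days: int) -> str:
    """'expired': must change or be refused; 'expiring': prompted, may continue; else 'ok'."""
    left = user.days_left(today)
    if left <= 0:
        return "expired"
    if left < prompt_days:
        return "expiring"
    return "ok"


def change_password(user: LocalUser, old: str, new: str, confirm: str,
                    today: date) -> Optional[str]:
    """Return None on success, otherwise the reason the change was refused."""
    if _digest(old) != user.history[0]:
        return "old password incorrect"
    if new != confirm:
        return "new password and confirmation differ"
    if not complexity_ok(new):
        return "length or complexity requirement not met"
    if _digest(new) in user.history[:HISTORY_DEPTH]:
        return "password used within the last five changes"
    user.history.insert(0, _digest(new))
    user.history = user.history[:HISTORY_DEPTH]
    user.changed_on = today          # the device records the modification time
    return None


if __name__ == "__main__":
    u = make_user("admin", "Huawei@123", date(2024, 1, 1))   # constructed sample
    print(login_status(u, date(2024, 3, 25), prompt_days=10))
    print(change_password(u, "Huawei@123", "NewPass#9", "NewPass#9", date(2024, 3, 25)))
```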
Client/Server Model
● RADIUS client
RADIUS clients run on the NAS to transmit user information to a specified
RADIUS server and to process requests (for example, permit or reject user access
requests) based on the responses from the server. RADIUS clients can be located
at any node on a network.
As a RADIUS client, a device supports:
– standard RADIUS protocol and its extensions, including RFC 2865 and RFC
2866
– Huawei extended RADIUS attributes
– RADIUS server status detection
– retransmission of Accounting-Request(Stop) packets in the local buffer
– active/standby and load balancing functions between RADIUS servers
● RADIUS server
RADIUS servers typically run on central computers and workstations to
maintain user authentication and network service access information. The
servers receive connection requests from users, authenticate the users, and
send all required information (such as permitting or rejecting authentication
requests) to the clients. A RADIUS server generally needs to maintain three
databases, as shown in Figure 1-6.
Fine Scalability
A RADIUS packet consists of a packet header and a certain number of attributes.
The protocol implementation remains unchanged even if new attributes are added
to a RADIUS packet.
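To make the header-plus-attributes layout concrete, here is an added Python parser and builder (not code from the guide or from Huawei): a 20-byte header followed by type/length/value attributes, with Vendor-Specific (26) carrying a 4-byte Vendor-Id and its own sub-attributes. Unknown attribute types are kept as raw bytes, which is what lets the protocol stay unchanged when new attributes appear. The vendor ID 2011 comes from the NOTE on extended attributes later in this section; the sample Access-Accept and its values are constructed, and the Response Authenticator is not verified here.

```python
import struct
from typing import Dict, List, Tuple

HUAWEI_VENDOR_ID = 2011
VENDOR_SPECIFIC = 26
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def parse_vsa(value: bytes) -> Dict:
    """Vendor-Specific (26): 4-byte Vendor-Id, then vendor type/length/value triples."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific attribute shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs: List[Tuple[int, bytes]] = []
    pos = 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return {"vendor_id": vendor_id, "sub_attributes": subs}


def parse_radius(packet: bytes) -> Dict:
    """Parse header and attribute list; every length is checked before it is trusted."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with received bytes")
    authenticator = packet[4:20]
    attrs: List[Tuple] = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} for type {atype}")
        value = packet[pos + 2:pos + alen]
        attrs.append((atype, parse_vsa(value) if atype == VENDOR_SPECIFIC else value))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident,
            "authenticator": authenticator, "attributes": attrs}


def build_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_huawei_vsa(sub_type: int, value: bytes) -> bytes:
    body = struct.pack("!I", HUAWEI_VENDOR_ID) + bytes([sub_type, len(value) + 2]) + value
    return build_attr(VENDOR_SPECIFIC, body)


def build_packet(code: int, ident: int, authenticator: bytes, attrs: List[bytes]) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


# Constructed sample: an Access-Accept carrying Filter-Id (11) and HW-Domain-Name (26-138).
SAMPLE_ACCEPT = build_packet(2, 7, bytes(16), [
    build_attr(11, b"3001"),
    build_huawei_vsa(138, b"default"),
])

if __name__ == "__main__":
    print(parse_radius(SAMPLE_ACCEPT))
```

The length checks are the defensive part: a malformed attribute length must raise rather than let the loop read past the packet or spin on a zero-length attribute.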
The device stops packet retransmission if any of the following conditions is met:
● The device receives a response packet from the RADIUS server. It then stops
packet retransmission and marks the RADIUS server status as Up.
● The device detects that the RADIUS server status is Down. After the device
marks the RADIUS server status as Down:
– If the number of retransmitted packets has reached the upper limit, the
device stops packet retransmission and keeps the RADIUS server status
as Down.
– If the number of retransmitted packets has not reached the upper limit,
the device retransmits the Access-Request packet once more to the
RADIUS server. If the device receives a response packet from the server, it
stops packet retransmission and restores the RADIUS server status to Up.
Otherwise, it stops packet retransmission and keeps the RADIUS server
status as Down.
● The number of retransmitted packets has reached the upper limit. The device
then stops packet retransmission and performs the following:
– If the device receives a response packet from the RADIUS server, it marks
the RADIUS server status as Up.
– If the device has detected that the RADIUS server status is Down, it
marks the server status as Down.
– If the device receives no response packet from the RADIUS server and
does not detect that the server status is Down, the device leaves the
server status unchanged, even though the server is in fact not responding.
NOTE
The device does not definitely mark the status of the server that does not respond as
Down. The device marks the server status as Down only if the corresponding
conditions are met.
For the RADIUS server status introduction and conditions for a device to mark the
server status as Down, see 1.2.4.6 RADIUS Server Status Detection.
RADIUS packet retransmission discussed here applies only to a single server. If
multiple servers are configured in a RADIUS server template, the overall
retransmission period depends on the retransmission interval, retransmission
times, RADIUS server status, number of servers, and algorithm for selecting the
servers.
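The three stop conditions above are easier to reason about as code. This added Python (not the guide's or the device's implementation) drives one Access-Request through them; the `responds` and `down_detected` callables stand in for the network and for the separate status-detection logic, and the worst-case wait formula is a simplification that assumes every server in the template is tried in turn and stays silent.

```python
from typing import Callable, Dict


def send_access_request(server: Dict[str, str], responds: Callable[[int], bool],
                        down_detected: Callable[[], bool], retransmit_limit: int) -> Dict:
    """server: {"status": "Up"|"Down"}, updated in place.
    responds(n): True if the n-th transmission (1 = first send) gets a reply.
    down_detected(): True if status detection has marked the server Down.
    Returns the stop reason and how many retransmissions were used."""
    sent, retransmitted = 1, 0
    while True:
        if responds(sent):                          # condition 1: any response -> Up
            server["status"] = "Up"
            return {"reason": "response", "retransmissions": retransmitted}
        if down_detected():                         # condition 2: detected Down
            server["status"] = "Down"
            if retransmitted >= retransmit_limit:
                return {"reason": "down, limit reached", "retransmissions": retransmitted}
            sent += 1                                # exactly one more attempt
            retransmitted += 1
            if responds(sent):
                server["status"] = "Up"
                return {"reason": "response after Down", "retransmissions": retransmitted}
            return {"reason": "down, no response", "retransmissions": retransmitted}
        if retransmitted >= retransmit_limit:       # condition 3: limit, status unchanged
            return {"reason": "no response, limit reached", "retransmissions": retransmitted}
        sent += 1
        retransmitted += 1


def worst_case_wait(interval_s: int, retransmit_limit: int, servers: int) -> int:
    """Upper bound on a user's wait when every server in the template is silent:
    each server gets one send plus retransmit_limit retransmissions, interval_s apart."""
    return servers * interval_s * (retransmit_limit + 1)


if __name__ == "__main__":
    srv = {"status": "Up"}
    # Constructed scenario: the third transmission finally gets an answer.
    print(send_access_request(srv, lambda n: n == 3, lambda: False, retransmit_limit=3), srv)
    print("worst case with 2 servers, 5 s interval, 3 retries:", worst_case_wait(5, 3, 2), "s")
```

The last case of condition 3 is the one to watch operationally: a server that never answers and is never marked Down stays "Up" in the device's view, so users keep waiting through the full retransmission cycle and no escape rights are granted.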
You can set the timer using the following commands:
Figure 1-11 Diagram for the RADIUS server load balancing algorithm
issue, the device supports the user escape function upon transition of the RADIUS
server status to Down. To be specific, if the RADIUS server goes Down, users
cannot be authorized by the server but still have certain network access rights.
The user escape function upon transition of the RADIUS server status to Down can
be enabled only after the device marks the RADIUS server status as Down. If the
RADIUS server status is not marked as Down and the device cannot communicate
with the RADIUS server, users cannot be authorized by the server and the escape
function is also unavailable. As a result, users have no network access rights.
Therefore, the device must be capable of detecting the RADIUS server status in a
timely manner. If the device detects that the RADIUS server status transitions to
Down, users can obtain escape rights; if the device detects that the RADIUS server
status reverts to Up, escape rights are removed from the users and the users are
reauthenticated.
This section contains the following contents:
● RADIUS Server Status
● Conditions for Marking the RADIUS Server Status as Down
● Automatic Detection
● Consecutive Processing After the RADIUS Server Status Is Marked as
Down
The RADIUS server status is initially marked as Up. After a RADIUS Access-Request
packet is sent and the conditions for marking the RADIUS server status as Down
are met, the RADIUS server status transitions to Down. The RADIUS Access-
Request packet that triggers the server status transition can be sent during user
authentication or constructed by the administrator. For example, the RADIUS
Access-Request packet can be a test packet sent when the test-aaa command is
run or a detection packet sent during automatic detection.
The device changes the RADIUS server status from Down to Up or to Force-up in
the following scenarios:
● Down to Force-up: The timer specified by dead-time starts after the device
marks the RADIUS server status as Down. The timer indicates the duration for
which the server status remains Down. After the timer expires, the device
marks the RADIUS server status as Force-up. If a new user needs to be
authenticated in RADIUS mode and no RADIUS server is available, the device
attempts to re-establish a connection with a RADIUS server in Force-up
status.
● Down to Up: After receiving packets from the RADIUS server, the device
changes the RADIUS server status from Down to Up. For example, after
automatic detection is configured, the device receives response packets from
the RADIUS server.
The device marks the RADIUS server status as Down as long as either of the
following conditions is met. Figure 1-12 shows the logic flowchart for marking the
RADIUS server status as Down. In this example, the detection interval cycles two
times:
● The device marks the RADIUS server status as Down during RADIUS server
status detection.
After the system starts, the RADIUS server status detection timer runs. Within
one detection interval, if the device receives no packet from the RADIUS server
after sending the first RADIUS Access-Request packet, and the number of
consecutive packets for which no reply is received (n) reaches the maximum
number of consecutive unacknowledged packets (dead-count), a
communication interruption is recorded for that interval. If the device still
receives nothing from the RADIUS server, it marks the RADIUS server status as
Down once a communication interruption has been recorded in as many
consecutive intervals as the configured number of detection interval cycles.
NOTE
If the device does not record any communication interruption in a detection interval, all
the previous communication interruption records are cleared.
● The device marks the status of a RADIUS server as Down if no response is
received from the server for a long period of time.
If the user access frequency is low, the device receives only a few RADIUS
Access-Request packets from users, conditions for marking the RADIUS server
status as Down during the RADIUS server status detection cannot be met, and
the interval for sending two consecutive unacknowledged RADIUS Access-
Request packets is greater than the value of max-unresponsive-interval, the
device marks the RADIUS server status as Down. This mechanism ensures that
users can obtain escape authorization.
If multiple servers are configured in the RADIUS server template, the overall status
detection time depends on the number of servers and the server selection
algorithm. If a user terminal authenticates with client software and the client's
timeout period is shorter than the sum of all the status detection times, the client
may dial up repeatedly and fail to access the network. If the user escape function
is configured, the sum of all the status detection times must be shorter than the
client's timeout period so that escape rights can be granted to the users.
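The status machine described in this section (Up, Down, Force-up; dead-count per detection interval; a Down mark after the configured number of interval cycles; the max-unresponsive-interval shortcut for low-traffic sites; dead-time expiry to Force-up; any received packet restoring Up) is modelled in this added Python. It is an illustration, not the device's code: time is a plain integer in seconds supplied by the caller, the detection interval boundary is signalled by calling `detection_interval_elapsed`, and the default parameter values are constructed for the example.

```python
from typing import Optional


class RadiusServerMonitor:
    """Status tracking for one server in a RADIUS server template."""

    def __init__(self, dead_count: int = 2, interval_cycles: int = 2,
                 max_unresponsive_interval: int = 300, dead_time: int = 5):
        self.dead_count = dead_count                    # unanswered packets per interval
        self.interval_cycles = interval_cycles          # intervals with interruption before Down
        self.max_unresponsive_interval = max_unresponsive_interval
        self.dead_time = dead_time                      # seconds in Down before Force-up
        self.status = "Up"
        self.unanswered = 0                  # n: consecutive unanswered requests this interval
        self.interruptions = 0               # consecutive intervals with a recorded interruption
        self.last_unanswered_at: Optional[int] = None
        self.down_since: Optional[int] = None

    def _mark_down(self, now: int) -> None:
        self.status = "Down"
        self.down_since = now
        self.unanswered = 0
        self.interruptions = 0

    def request_unanswered(self, now: int) -> str:
        """An Access-Request (user, test-aaa or detection packet) got no reply at `now`."""
        # Second condition: two consecutive unacknowledged requests too far apart.
        if (self.status != "Down" and self.last_unanswered_at is not None
                and now - self.last_unanswered_at > self.max_unresponsive_interval):
            self._mark_down(now)
        self.last_unanswered_at = now
        self.unanswered += 1
        return self.status

    def detection_interval_elapsed(self, now: int) -> str:
        """First condition, evaluated at the end of every detection interval."""
        if self.unanswered >= self.dead_count:
            self.interruptions += 1
        else:
            self.interruptions = 0       # per the NOTE: a clean interval clears the records
        self.unanswered = 0
        if self.status != "Down" and self.interruptions >= self.interval_cycles:
            self._mark_down(now)
        return self.status

    def response_received(self) -> str:
        """Any packet from the server, an authentication failure included, restores Up."""
        self.status = "Up"
        self.unanswered = 0
        self.interruptions = 0
        self.last_unanswered_at = None
        self.down_since = None
        return self.status

    def timer_tick(self, now: int) -> str:
        """dead-time expiry moves Down to Force-up so the server may be tried again."""
        if self.status == "Down" and self.down_since is not None \
                and now - self.down_since >= self.dead_time:
            self.status = "Force-up"
        return self.status


if __name__ == "__main__":
    m = RadiusServerMonitor(dead_count=2, interval_cycles=2, dead_time=5)
    for t in (1, 2):                      # constructed timeline: two silent intervals
        m.request_unanswered(t)
    m.detection_interval_elapsed(10)
    for t in (11, 12):
        m.request_unanswered(t)
    print(m.detection_interval_elapsed(20), m.timer_tick(25), m.response_received())
```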
Figure 1-12 Logic flowchart for marking the RADIUS server status as Down
Automatic Detection
After the RADIUS server status is marked as Down, you can configure the
automatic detection function to test the RADIUS server reachability.
The automatic detection function needs to be manually enabled. The automatic
server status detection function can be enabled only if the user name and
password for automatic detection are configured in the RADIUS server template
view on the device rather than on the RADIUS server. Authentication success is not
mandatory. If the device can receive the authentication failure response packet,
the RADIUS server is properly working.
After the automatic detection function is enabled, automatic detection is classified
into the following conditions depending on differences of the RADIUS server
status.
NOTE
On a large-scale network, you are not advised to enable automatic detection for RADIUS servers
in Up status. If automatic detection is enabled on multiple NAS devices, the RADIUS server
periodically receives a large number of detection packets while processing RADIUS Access-Request
packets sourced from users, which may degrade the processing performance of the RADIUS server.
After the radius-server testuser command is configured, the dead-time timer configured using
the radius-server dead-time command does not take effect.
NOTE
For 802.1X authenticated users and MAC address authenticated users, after the RADIUS server
status reverts to Up, the users exit escape authorization and are reauthenticated. For Portal
authenticated users, after the RADIUS server status reverts to Up, the users obtain pre-connection
authorization and are redirected to the Portal server for authentication only when they
attempt to access network resources.
Figure 1-13 Consecutive processing after the RADIUS server status is marked as
Down
The following table lists the commands for configuring the escape rights upon
transition of the RADIUS server status to Down and configuring the
reauthentication function, respectively.
The device supports the RADIUS Change of Authorization (CoA) and Disconnect
Message (DM) functions. CoA provides a mechanism to change the rights of
online users, and DM provides a mechanism to forcibly disconnect users. This
section contains the following contents:
● RADIUS CoA/DM packet
● Exchange Procedure
● Session Flag
● Error Code Description
Exchange Procedure
CoA allows the administrator to change the rights of an online user or perform
reauthentication for the user through RADIUS after the user passes authentication.
Figure 1-14 shows the CoA interaction process.
Session Identification
Each service provided by the NAS to a user constitutes a session, with the
beginning of the session defined as the point where service is first provided and
the end of the session defined as the point where service is ended.
After the device receives a CoA-Request or DM-Request packet from the RADIUS
server, it identifies the user depending on some RADIUS attributes in the packet.
The following RADIUS attributes can be used to identify users:
● User-Name (IETF attribute #1)
● Acct-Session-ID (IETF attribute #44)
● Framed-IP-Address (IETF attribute #8)
● Calling-Station-Id (IETF attribute #31)
The match methods are as follows:
● any method
The device performs a match check between one attribute and the user
information on the device. The attributes are checked in the following priority
order: Acct-Session-ID (44) > Calling-Station-Id (31) > Framed-IP-Address (8).
The device searches the request packet for these attributes in that order and
matches the first one found against the user information on the device. If the
attribute matches, the device responds with an ACK packet; otherwise, the
device responds with a NAK packet.
● all method
The device performs a match check between all attributes and the user
information on the device. The attributes used to identify the user are
Acct-Session-ID (44), Calling-Station-Id (31), Framed-IP-Address (8), and
User-Name (1). The device matches all of these attributes carried in the
Request packet against the user information on the device. If all of them
match, the device responds with an ACK packet; otherwise, the device
responds with a NAK packet.
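The "any" and "all" match methods are shown side by side in this added Python (not the guide's code): "any" uses only the first identifying attribute present, in the stated priority order, while "all" requires every identifying attribute carried in the request to match the same online user. The online-user table and the CoA-Request contents are constructed samples.

```python
from typing import Dict, List, Tuple

# Priority used by the "any" method, from the text: Acct-Session-Id (44) > Calling-Station-Id (31)
# > Framed-IP-Address (8). The "all" method also considers User-Name (1).
ANY_PRIORITY = ["Acct-Session-Id", "Calling-Station-Id", "Framed-IP-Address"]
ALL_ATTRIBUTES = ANY_PRIORITY + ["User-Name"]

# Constructed online-user table as the NAS might hold it.
ONLINE_USERS: List[Dict[str, str]] = [
    {"User-Name": "alice", "Acct-Session-Id": "0001",
     "Calling-Station-Id": "00-11-22-33-44-55", "Framed-IP-Address": "10.1.1.10"},
    {"User-Name": "bob", "Acct-Session-Id": "0002",
     "Calling-Station-Id": "00-11-22-33-44-66", "Framed-IP-Address": "10.1.1.11"},
]


def identify_sessions(request: Dict[str, str], users: List[Dict[str, str]],
                      method: str) -> Tuple[str, List[str]]:
    """Return ("ACK", matched user names) or ("NAK", []) for a CoA-Request/DM-Request."""
    if method == "any":
        for attr in ANY_PRIORITY:
            if attr in request:          # the first attribute found by priority decides
                hits = [u["User-Name"] for u in users if u.get(attr) == request[attr]]
                return ("ACK", hits) if hits else ("NAK", [])
        return "NAK", []                 # none of the identifying attributes is present
    if method == "all":
        present = [a for a in ALL_ATTRIBUTES if a in request]
        if not present:
            return "NAK", []
        hits = [u["User-Name"] for u in users
                if all(u.get(a) == request[a] for a in present)]
        return ("ACK", hits) if hits else ("NAK", [])
    raise ValueError(f"unknown match method {method!r}")


if __name__ == "__main__":
    # Constructed request whose session ID and IP address point at different users.
    req = {"Acct-Session-Id": "0001", "Framed-IP-Address": "10.1.1.11"}
    print("any:", identify_sessions(req, ONLINE_USERS, "any"))
    print("all:", identify_sessions(req, ONLINE_USERS, "all"))
```

The conflicting request in the usage shows why the choice matters: "any" acts on alice's session because Acct-Session-Id outranks the IP address, whereas "all" returns NAK, which is the safer behaviour when a disconnect request is ambiguous.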
No. | Attribute | Type | Description
11 | Filter-Id | string | UCL group name, user group name, or IPv4 Access Control List (ACL) ID.
NOTE
● When this attribute carries the IPv4 ACL ID, the IPv4 ACL IDs must range from 2000 to 3999 for wired users or 2000 to 3031 for wireless users.
● A RADIUS packet cannot carry the user group name, UCL group name, or IPv4 ACL ID simultaneously.
● When only the RADIUS server performs authorization, the local device does not perform ACL authorization, and the corresponding user group, ACL, and ACL rules are configured on the local device:
– If the server simultaneously delivers the user group name or UCL group name carried in the Filter-Id (11) attribute and the IPv6 ACL ID carried in the HW-IPv6-Filter-ID (26-251) attribute, only the user group name takes effect.
– If the server simultaneously delivers the IPv4 ACL ID carried in the Filter-Id (11) attribute and the IPv6 ACL ID carried in the HW-IPv6-Filter-ID (26-251) attribute, both the IPv4 and IPv6 ACL IDs take effect.
● An ACL can be configured with a maximum of 128 rules. In wireless scenarios, ACLs need to be delivered to APs, and a maximum of 128 rules can be configured for an ACL on an AP.
29 | Termination-Action | integer | What action the NAS should take when the specified service is completed:
● 0: forcible disconnection
● 1: reauthentication
NOTE
This attribute is only valid for 802.1X and MAC address authentication users. When the authentication point is deployed on a VLANIF interface, MAC address authenticated users do not support the authorization of Termination-Action=1.
When the RADIUS server delivers only this attribute, the value of attribute 27 Session-Timeout is set to 3600s (for 802.1X authentication users) or 1800s (for MAC address authentication users) by default.
46 | Acct-Session-Time | integer | How long (in seconds) the user has received service.
NOTE
If the administrator modifies the system time after the user goes online, the online time calculated by the device may be incorrect.
NOTE
Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei
is 2011.
No. | Attribute | Type | Description
26-1 | HW-Input-Peak-Information-Rate | integer | Peak information rate (PIR) at which the user accesses the NAS, which is the maximum rate of traffic that can pass through an interface. The value is a 4-byte integer, in bit/s. The minimum value is 64. The HW-Input-Peak-Information-Rate must be higher than or equal to the HW-Input-Committed-Information-Rate. The default HW-Input-Peak-Information-Rate is equal to the HW-Input-Committed-Information-Rate.
26-3 | HW-Input-Committed-Burst-Size | integer | Committed burst size (CBS) at which the user accesses the NAS, which is the average volume of burst traffic that can pass through an interface. The value is a 4-byte integer, in bits. The minimum value is 10000.
26-4 | HW-Output-Peak-Information-Rate | integer | Peak information rate at which the NAS connects to the user. The value is a 4-byte integer, in bit/s. The minimum value is 64. The HW-Output-Peak-Information-Rate must be higher than or equal to the HW-Output-Committed-Information-Rate. The default HW-Output-Peak-Information-Rate is equal to the HW-Output-Committed-Information-Rate.
26-6 | HW-Output-Committed-Burst-Size | integer | Committed burst size at which the NAS connects to the user. The value is a 4-byte integer, in bits. The minimum value is 10000.
26-31 | HW-Qos-Data | string | Name of the QoS profile. The maximum length of the name is 31 bytes. The RADIUS server uses this field to deliver the QoS profile for traffic policing. The QoS profile must exist on the device, and traffic policing must have been configured using the car (QoS profile view) command.
NOTE
This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6735-S, S6720-EI, and S6720S-EI.
If the server delivers both the uplink or downlink bandwidth limit (equivalent to the RADIUS attribute HW-Input-Committed-Information-Rate or HW-Output-Committed-Information-Rate) and the RADIUS attribute HW-Qos-Data for user authorization, only the uplink or downlink bandwidth limit takes effect.
26-77 | HW-Input-Peak-Burst-Size | integer | Upstream peak rate, in bit/s. The minimum value is 10000.
NOTE
This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.
26-82 | HW-Data-Filter | string | Used by the RADIUS server to deliver IPv4 or IPv6 ACL rules to users. ACL rules can be delivered in two modes: through DACL groups or directly. There are old and new attribute formats for ACL rules; compared with the old format, the new format shortens the length of an ACL rule. Using a DACL group to deliver ACL rules saves more ACL resources than delivering ACL rules directly: the users in the same DACL group share the ACL resources of the group, whereas each user occupies its own ACL resources when ACL rules are delivered directly.
26-138 | HW-Domain-Name | string | Name of the domain used for user authentication. This attribute can be the domain name contained in a user name or the name of a forcible domain.
26-141 | HW-AP-Information | string | AP's MAC address used for STA authentication, in H-H-H format, where H is a 4-digit hexadecimal number.
NOTE
This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.
26-156 | HW-Portal-URL | string | Forcibly pushed URL. The maximum length is 247 bytes. If the information delivered by the RADIUS server matches the configured URL template, the URL configured in the template is used. Otherwise, the character string delivered by the RADIUS server is used.
26-161 | HW-Forwarding-VLAN | string | Delivers the Internet Service Provider (ISP) VLAN for user packet forwarding.
NOTE
This attribute is only supported by the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.
26-170 | HW-Acct-ipv6-Input-Gigawords | integer | Number of times that more than 4 GB of upstream packets have been carried in an IPv6 flow. This attribute is usually used together with the HW-Acct-ipv6-Input-Octets attribute.
26-171 | HW-Acct-ipv6-Output-Gigawords | integer | Number of times that more than 4 GB of downstream packets have been carried in an IPv6 flow. This attribute is usually used together with the HW-Acct-ipv6-Output-Octets attribute.
26-237 | HW-Web-Authen-Info | string | Information sent from the portal server, via the device (which transparently transmits it), to the RADIUS server. For example, a user selects the authentication-free option and the time information for the next login, based on which the RADIUS server saves the user's MAC address for a period of time. At the user's next login the login page is not displayed; instead, MAC address authentication is preferentially used. This attribute can also be used for transparent transmission in complex modes such as EAP.
26-251 | HW-IPv6-Filter-ID | string | ID of a user IPv6 ACL. The value ranges from 2000 to 3999 (wired users) or 2000 to 3031 (wireless users).
NOTE
● When only the RADIUS server performs authorization, the local device does not perform ACL authorization, and the corresponding user group, ACL, and ACL rules are configured on the local device:
– If the server simultaneously delivers the user group name or UCL group name carried in the Filter-Id (11) attribute and the IPv6 ACL ID carried in the HW-IPv6-Filter-ID (26-251) attribute, only the user group name takes effect.
– If the server simultaneously delivers the IPv4 ACL ID carried in the Filter-Id (11) attribute and the IPv6 ACL ID carried in the HW-IPv6-Filter-ID (26-251) attribute, both the IPv4 and IPv6 ACL IDs take effect.
● IPv6 ACL authorization is supported only by the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M, S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6735-S, and S6720S-EI.
● If a deny IPv6 rule is configured during IPv6 ACL authorization, run the rule rule-id permit icmpv6 icmp6-type neighbor-advertisement, rule rule-id permit icmpv6 icmp6-type neighbor-solicitation, and rule rule-id permit udp destination-port eq port commands to allow IPv6 ND and DHCP packets to pass through. Otherwise, services may be interrupted.
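The rate-limiting rows of the table above carry constraints that a NAS has to enforce on what the server delivers: minimum values for the PIR and CBS attributes, PIR not lower than CIR, PIR defaulting to CIR when absent, a 31-byte limit on the QoS profile name, and a delivered bandwidth limit overriding HW-Qos-Data. The Gigawords rows describe a 4 GB wrap counter. This added Python (not Huawei's code) applies those rules to a set of received attributes; the "26-n" key strings and sample values are constructed for the example.

```python
from typing import Dict

# Vendor sub-attribute numbers from the table (vendor ID 2011).
HW_INPUT_PIR, HW_INPUT_CIR, HW_INPUT_CBS = "26-1", "26-2", "26-3"
HW_OUTPUT_PIR, HW_OUTPUT_CIR, HW_OUTPUT_CBS = "26-4", "26-5", "26-6"
HW_QOS_DATA = "26-31"
MIN_RATE_BPS = 64            # minimum for the PIR attributes, bit/s
MIN_BURST_BITS = 10000       # minimum for the CBS attributes, bits
MAX_QOS_PROFILE_NAME = 31    # bytes


def normalize_car(attrs: Dict[str, object]) -> Dict[str, object]:
    """Apply the table's constraints to received rate-limiting attributes.
    Returns the attributes that take effect; raises ValueError on a violation."""
    out = dict(attrs)
    for pir, cir, cbs in ((HW_INPUT_PIR, HW_INPUT_CIR, HW_INPUT_CBS),
                          (HW_OUTPUT_PIR, HW_OUTPUT_CIR, HW_OUTPUT_CBS)):
        if pir in out and out[pir] < MIN_RATE_BPS:
            raise ValueError(f"{pir} below minimum {MIN_RATE_BPS} bit/s")
        if cbs in out and out[cbs] < MIN_BURST_BITS:
            raise ValueError(f"{cbs} below minimum {MIN_BURST_BITS} bits")
        if cir in out and pir not in out:
            out[pir] = out[cir]                 # default PIR equals CIR
        if pir in out and cir in out and out[pir] < out[cir]:
            raise ValueError(f"{pir} must be higher than or equal to {cir}")
    if HW_QOS_DATA in out:
        if len(str(out[HW_QOS_DATA]).encode()) > MAX_QOS_PROFILE_NAME:
            raise ValueError("QoS profile name longer than 31 bytes")
        if HW_INPUT_CIR in out or HW_OUTPUT_CIR in out:
            del out[HW_QOS_DATA]                # a delivered bandwidth limit wins over HW-Qos-Data
    return out


def total_octets(gigawords: int, octets: int) -> int:
    """Accounting volume: a Gigawords attribute counts 2^32-byte wraps of the Octets counter."""
    return gigawords * (1 << 32) + octets


if __name__ == "__main__":
    # Constructed Access-Accept content: CIR 1 Mbit/s upstream, CBS 20000 bits, QoS profile "gold".
    print(normalize_car({HW_INPUT_CIR: 1_000_000, HW_INPUT_CBS: 20000, HW_QOS_DATA: "gold"}))
    print(total_octets(1, 100), "bytes")
```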
NOTE
User-Name(1) 1 0-1 0 0
User-Password(2) 0-1 0 0 0
CHAP-Password(3) 0-1 0 0 0
NAS-IP-Address(4) 1 0 0 0
NAS-Port(5) 1 0 0 0
Service-Type(6) 1 0-1 0 0
Framed-Protocol(7) 1 0-1 0 0
Filter-Id(11) 0 0-1 0 0
Framed-Mtu(12) 0-1 0 0 0
Login-Service(15) 0 0-1 0 0
Callback-Number(19) 0 0-1 0 0
Class(25) 0 0-1 0 0
Idle-Timeout(28) 0 0-1 0 0
Called-Station-Id(30) 0-1 0 0 0
Calling-Station-Id(31) 1 0-1 0 0
NAS-Identifier(32) 1 0 0 0
Acct-Session-id(44) 1 0 0 0
CHAP-Challenge(60) 0-1 0 0 0
NAS-Port-Type(61) 1 0 0 0
Tunnel-Type(64) 0 0-1 0 0
Tunnel-Medium-Type(65) 0 0-1 0 0
Acct-Interim-Interval(85) 0 0-1 0 0
NAS-Port-Id(87) 0-1 0 0 0
NAS-IPv6-Address(95) 0-1 0 0 0
Framed-Interface-Id(96) 0+ 0 0 0
Framed-IPv6-Prefix(97) 0+ 0 0 0
HW-SecurityStr(195) 0-1 0 0 0
HW-Input-Peak-Information-Rate(26-1) 0 0-1 0 0
HW-Input-Committed-Information-Rate(26-2) 0 0-1 0 0
HW-Input-Committed-Burst-Size(26-3) 0 0-1 0 0
HW-Output-Peak-Information-Rate(26-4) 0 0-1 0 0
HW-Output-Committed-Information-Rate(26-5) 0 0-1 0 0
HW-Output-Committed-Burst-Size(26-6) 0 0-1 0 0
HW-Remanent-Volume(26-15) 0 0-1 0 0
HW-Subscriber-QoS-Profile(26-17) 0 0-1 0 0
HW-UserName-Access-Limit(26-18) 0 0-1 0 0
HW-Connect-ID(26-26) 1 0 0 0
Ftp-directory(26-28) 0 0-1 0 0
HW-Exec-Privilege(26-29) 0 0-1 0 0
HW-Qos-Data(26-31) 0 0-1 0 0
HW-VoiceVlan(26-33) 0 0-1 0 0
HW-ProxyRdsPkt(26-35) 0 0-1 0 0
HW-NAS-Startup-Time-Stamp(26-59) 1 0 0 0
HW-IP-Host-Address(26-60) 1 0 0 0
HW-Up-Priority(26-61) 0 0-1 0 0
HW-Down-Priority(26-62) 0 0-1 0 0
HW-Primary-WINS(26-75) 0 0-1 0 0
HW-Second-WINS(26-76) 0 0-1 0 0
HW-Input-Peak-Burst-Size(26-77) 0 0-1 0 0
HW-Output-Peak-Burst-Size(26-78) 0 0-1 0 0
HW-Client-Primary-DNS(26-135) 0 0-1 0 0
HW-Client-Secondary-DNS(26-136) 0 0-1 0 0
HW-Domain-Name(26-138) 1 0 0 0
HW-AP-Information(26-141) 1 0 0 0
HW-User-Information(26-142) 0 0-1 0 0
HW-User-Policy(26-146) 0 0-1 0 0
HW-Access-Type(26-153) 1 0-1 0 0
HW-URL-Flag(26-155) 0 0-1 0 0
HW-Portal-URL(26-156) 0 0-1 0 0
HW-Terminal-Type(26-157) 0-1 0 0 0
HW-DHCP-Option(26-158) 0+ 0 0 0
HW-UCL-Group(26-160) 0 0-1 0 0
HW-Forwarding-VLAN(26-161) 0 0-1 0 0
HW-Forwarding-Interface(26-162) 0 0-1 0 0
HW-LLDP(26-163) 0-1 0 0 0
HW-Redirect-ACL(26-173) 0 0-1 0 0
HW-IPv6-Redirect-ACL(26-178) 0 1 0 0
HW-User-Extend-Info(26-201) 0-1 0 0 0
HW-MUD-URL(26-202) 0-1 0 0 0
HW-VIP-Level-ID(26-203) 0 0-1 0 0
HW-SAC-Profile(26-204) 0 0-1 0 0
HW-Web-Authen-Info(26-237) 1 0 0 0
HW-Ext-Specific(26-238) 0 0-1 0 0
HW-User-Access-Info(26-239) 1 0 0 0
HW-Access-Device-Info(26-240) 0-1 0 0 0
HW-Reachable-Detect(26-244) 0 0 0 0
HW-Framed-IPv6-Address(26-253) 0-1 0 0 0
HW-Version(26-254) 1 0 0 0
HW-Product-ID(26-255) 1 0 0 0
MS-MPPE-Send-Key(MICROSOFT-16) 0 0-1 0 0
MS-MPPE-Recv-Key(MICROSOFT-17) 0 0-1 0 0
Cisco-avpair(CISCO-1) 0 0-1 0 0
Agent-Circuit-Id(DSLFORUM-1) 0-1 0 0 0
Agent-Remote-Id(DSLFORUM-2) 0-1 0 0 0
User-Name(1) 1 1 1 0 0 0
NAS-IP-Address(4) 1 1 1 0 0 0
NAS-Port(5) 1 1 1 0 0 0
Service-Type(6) 1 1 1 0 0 0
Framed-Protocol(7) 1 1 1 0 0 0
Framed-IP-Address(8) 1 1 1 0 0 0
Called-Station-Id(30) 1 1 1 0 0 0
  NOTE: For users who access the network through PPP authentication, this attribute is optional. If the authentication request packet does not carry this attribute, then neither does the accounting request packet.
Calling-Station-Id(31) 1 1 1 0 0 0
NAS-Identifier(32) 1 1 1 0 0 0
Acct-Status-Type(40) 1 1 1 0 0 0
Acct-Delay-Time(41) 0-1 1 1 0 0 0
Acct-Session-Id(44) 1 1 1 0 0 0
Acct-Authentic(45) 1 1 1 0 0 0
Acct-Session-Time(46) 0 1 1 0 0 0
Acct-Terminate-Cause(49) 0 0 1 0 0 0
Event-Timestamp(55) 1 1 1 0 0 0
NAS-Port-Type(61) 1 1 1 0 0 0
NAS-Port-Id(87) 1 1 1 0 0 0
HW-Input-Committed-Information-Rate(26-2) 1 1 1 0 0 0
HW-Output-Committed-Information-Rate(26-5) 1 1 1 0 0 0
HW-Connect-ID(26-26) 1 1 1 0 0 0
HW-IP-Host-Address(26-60) 1 1 1 0 0 0
HW-Domain-Name(26-138) 1 1 1 0 0 0
HW-DHCP-Option(26-158) 0+ 0+ 0+ 0 0 0
HW-MUD-URL(26-202) 0 0 0 0 0 0
HW-VIP-Level-ID(26-203) 0 0 0 0 0 0
HW-SAC-Profile(26-204) 0 0 0 0 0 0
HW-Reachable-Detect(26-244) 0 0 0 0 0 0
MS-MPPE-Send-Key(MICROSOFT-16) 0 0 0 0 0 0
MS-MPPE-Recv-Key(MICROSOFT-17) 0 0 0 0 0 0
Cisco-avpair(CISCO-1) 0 0 0 0 0 0
Filter-Id(11) 0-1 0 0 0 0 0
Session-Timeout(27) 0-1 0 0 0 0 0
Idle-Timeout(28) 0-1 0 0 0 0 0
Termination-Action(29) 0-1 0 0 0 0 0
Acct-Session-Id(44) 1 1 1 1 1 1
Tunnel-Type(64) 0-1 0 0 0 0 0
Tunnel-Medium-Type(65) 0-1 0 0 0 0 0
Tunnel-Private-Group-ID(81) 0-1 0 0 0 0 0
Acct-Interim-Interval(85) 0-1 0 0 0 0 0
HW-Input-Peak-Information-Rate(26-1) 0-1 0 0 0 0 0
HW-Input-Committed-Information-Rate(26-2) 0-1 0 0 0 0 0
HW-Output-Peak-Information-Rate(26-4) 0-1 0 0 0 0 0
HW-Output-Committed-Information-Rate(26-5) 0-1 0 0 0 0 0
HW-Output-Committed-Burst-Size(26-6) 0-1 0 0 0 0 0
HW-Subscriber-QoS-Profile(26-17) 0-1 0 0 0 0 0
HW-Qos-Data(26-31) 0-1 0 0 0 0 0
HW-Up-Priority(26-61) 0-1 0 0 0 0 0
HW-Down-Priority(26-62) 0-1 0 0 0 0 0
HW-Input-Peak-Burst-Size(26-77) 0-1 0 0 0 0 0
HW-Output-Peak-Burst-Size(26-78) 0-1 0 0 0 0 0
HW-Data-Filter(26-82) 0-1 0 0 0 0 0
HW-User-Policy(26-146) 0-1 0 0 0 0 0
HW-URL-Flag(26-155) 0-1 0 0 0 0 0
HW-Portal-URL(26-156) 0-1 0 0 0 0 0
HW-UCL-Group(26-160) 0-1 0 0 0 0 0
HW-Forwarding-VLAN(26-161) 0-1 0 0 0 0 0
HW-Forwarding-Interface(26-162) 0-1 0 0 0 0 0
HW-Redirect-ACL(26-173) 0-1 0 0 0 0 0
HW-IPv6-Redirect-ACL(26-178) 1 0 0 0 0 0
HW-MUD-URL(26-202) 0 0 0 0 0 0
HW-VIP-Level-ID(26-203) 0-1 0 0 0 0 0
HW-SAC-Profile(26-204) 0-1 0 0 0 0 0
HW-Ext-Specific(26-238) 1 0 0 0 0 0
MS-MPPE-Send-Key(MICROSOFT-16) 0 0 0 0 0 0
MS-MPPE-Recv-Key(MICROSOFT-17) 0 0 0 0 0 0
Cisco-avpair(CISCO-1) 0-1 0 0 0 0 0
Agent-Circuit-Id(DSLFORUM-1) 0-1 0 0 0 0 0
Agent-Remote-Id(DSLFORUM-2) 0-1 0 0 0 0 0
The delivered VLAN does not change or affect the interface configuration. The
delivered VLAN, however, takes precedence over the VLAN configured on the
interface. That is, the delivered VLAN takes effect after the authentication
succeeds, and the configured VLAN takes effect after the user goes offline.
The following standard RADIUS attributes are used for dynamic VLAN delivery:
● (064) Tunnel-Type (It must be set to VLAN or 13.)
● (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
● (081) Tunnel-Private-Group-ID
To ensure that the RADIUS server delivers VLAN information correctly, all three
RADIUS attributes must be used. In addition, the Tunnel-Type and Tunnel-
Medium-Type attributes must be set to the specified values.
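As an added example (not code from the guide or from FreeRADIUS), the following Python encodes the three attributes for a VLAN and checks an attribute payload the way the rule above requires: all three present, Tunnel-Type 13 and Tunnel-Medium-Type 6, grouped by the optional RFC 2868 tag octet. The attribute numbers and values are those listed above; the payloads are constructed.

```python
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2868 tunnel attributes named in the guide (attribute numbers 64, 65, 81).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6       # Tunnel-Medium-Type value "802" (IEEE 802)
TUNNEL_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def _check_tag(tag: int) -> None:
    # Tag 0 means untagged; 1..31 groups attributes that belong together.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (untagged) or 1..31")


def encode_tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer: Type, Length (6), Tag, 3-octet big-endian value."""
    _check_tag(tag)
    if not 0 <= value < 1 << 24:
        raise ValueError("value does not fit in 3 octets")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type: int, value: str, tag: int = 0) -> bytes:
    """Tagged string: Type, Length, Tag, string (Length covers the whole TLV)."""
    _check_tag(tag)
    data = value.encode("ascii")
    if len(data) + 3 > 255:
        raise ValueError("string too long for one attribute")
    return struct.pack("!BBB", attr_type, len(data) + 3, tag) + data


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The complete triple the guide requires, for VLAN vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute area into (type, value) pairs; reject bad TLVs."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad length %d for attribute %d" % (length, attr_type))
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def delivered_vlan(payload: bytes) -> Optional[int]:
    """VLAN ID the server delivered, or None when the triple is missing or wrong.

    Mirrors the guide's rule: all three attributes must be present, with
    Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = 802 (6). Attributes are
    matched by tag; a string whose first octet exceeds 0x1F carries no tag
    octet at all (RFC 2868), so it is treated as untagged.
    """
    groups: Dict[int, Dict[int, bytes]] = {}
    for attr_type, value in parse_attributes(payload):
        if attr_type not in TUNNEL_ATTRS or not value:
            continue
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
            tag, body = 0, value
        else:
            tag, body = (value[0] if value[0] <= 0x1F else 0), value[1:]
        groups.setdefault(tag, {})[attr_type] = body
    for tag in sorted(groups):
        g = groups[tag]
        if set(g) != TUNNEL_ATTRS:
            continue                       # incomplete triple: not usable
        if int.from_bytes(g[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(g[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_802:
            continue
        try:
            vlan = int(g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except ValueError:
            continue                       # non-numeric group ID
        if 1 <= vlan <= 4094:
            return vlan
    return None
```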
The following example describes how to install the FreeRADIUS server on SUSE
Linux 12.
NOTE
● The RADIUS attribute dictionary contains the attributes supported on all S switch series
products. For details about the attributes supported by each product, see the RADIUS
attribute list of the specific product.
● The attachment is the RADIUS attribute dictionary in FreeRADIUS format.
RADIUS_Attribute.txt
NOTE
● The device can translate a RADIUS attribute of another vendor only if the length of the Type
field in the attribute is 1 octet.
● The device can translate the RADIUS attribute only when the type of the source RADIUS
attribute is the same as that of the destination RADIUS attribute. For example, the types of
NAS-Identifier and NAS-Port-Id attributes are string, and they can be translated into each
other. The types of NAS-Identifier and NAS-Port attributes are string and integer respectively,
so they cannot be translated into each other.
Unlike RADIUS packets, which share one format, the HWTACACS packet types
(Authentication Packet, Authorization Packet, and Accounting Packet) are
formatted differently. All HWTACACS packets do, however, share the same
HWTACACS Packet Header.
Field Description
user_msg: Character string entered by a login user. This field carries the user login password to respond to the server_msg field in the Authentication Reply packet.
● The following figure shows the HWTACACS Authentication Reply packet body.
Field Description
server_msg: Optional field. This field is sent by the server to the user to provide additional information.
The following figure shows the HWTACACS Authorization Request packet body.
● HWTACACS Authorization Request packet
NOTE
The meanings of the following fields in the Authorization Request packet are the same
as those in the HWTACACS Authentication Start packet, and are therefore not
described here: priv_lvl, authen_type, authen_service, user len, port len, rem_addr len,
port, and rem_addr.
● The following figure shows the HWTACACS Authentication Reply packet body.
NOTE
Meanings of the following fields are the same as those in the HWTACACS
Authentication Reply packet, and are therefore not described here: server_msg len,
data len, and server_msg.
● The following figure shows the HWTACACS Accounting Request packet body.
NOTE
Meanings of the following fields in the Accounting Request packet are the same as
those in the HWTACACS Authorization Request packet, and are therefore not
described here: authen_method, priv_lvl, authen_type, user len, port len, rem_addr len,
port, and rem_addr.
● The following figure shows the HWTACACS Accounting Response packet body.
NOTE
1. A user enters a user name and PIN code. The client then sends the user name
and PIN code to the device.
2. The device sends the user name and PIN code to the HWTACACS server.
3. The HWTACACS server verifies the user name and PIN code based on its
database and returns the verification result to the device.
– If the user name and PIN code are incorrect, the HWTACACS server sends
an authentication failure message to the device.
– If both the user name and PIN code are correct, the HWTACACS server
sends a Challenge message to the device to request a dynamic
verification code.
4. The device sends the user name and PIN code verification result to the client.
– If the user name and PIN code are incorrect, the message "Access denied"
is displayed on the client. The authentication process ends, and the login
attempt of the user fails.
– If the user name and PIN code are correct, the dynamic verification code
authentication process starts.
5. The user enters the dynamic verification code.
6. The device sends the dynamic verification code to the HWTACACS server.
7. The HWTACACS server verifies the dynamic verification code and sends the
verification result to the device.
– If the dynamic verification code is correct, the HWTACACS server sends an
authentication success message to the device.
– If the dynamic verification code is incorrect, the HWTACACS server sends
an authentication failure message to the device.
8. The device sends the authentication result to the client.
Attribute Name Description
gw-password: Password for the gateway during the L2TP tunnel authentication. The value is a string of 1 to 248 characters. If the value contains more than 248 characters, only the first 248 characters are valid.
idletime: Period after which an idle session is terminated. If a user does not perform any operation within this period, the system disconnects the user. NOTE: FTP users do not support this attribute.
l2tp-hello-interval: Interval for sending L2TP Hello packets. This attribute is currently not supported.
l2tp-hidden-avp: Attribute value pair (AVP) of L2TP. This attribute is currently not supported.
l2tp-group-num: L2TP group number. Other L2TP attributes take effect only if this attribute is delivered. Otherwise, other L2TP attributes are ignored.
l2tp-tos-reflect: TOS of L2TP. The device does not support this attribute.
l2tp-udp-checksum: Whether L2TP should perform UDP checksums for data packets.
protocol: A protocol that is a subset of a service. It is valid only for PPP and connection services. Legal values matching service types are as follows:
  ● Connection service type: pad, telnet
  ● PPP service type: ip, vpdn
  ● Other service types: This attribute is not used.
task_id: Task ID. The task IDs recorded when a task starts and ends must be the same.
tunnel-type: Tunnel type. The device supports only L2TP tunnels. For L2TP tunnels, the value is 3.
commands to access a remote server and obtain files from the server. The
device sends an accounting start packet when the user connects to the
remote server and an accounting stop packet when the user disconnects from
the remote server.
● EXEC accounting packets: Used when users log in to the device through Telnet
or FTP. When a user connects to a network, the server sends an accounting
start packet; when the user is using network services, the server periodically
sends interim accounting packets; when the user goes offline, the server sends
an accounting stop packet.
● System accounting packets: Used during fault diagnosis. The server records
the system-level events to help administrators monitor the device and locate
network faults.
● Command accounting packets: When an administrator runs any command on
the device, the device sends the command to the HWTACACS server through a
command accounting stop packet so that the server can record the operations
performed by the administrator.
NOTE
acl N Y N
addr N N Y
addr-pool N N Y
autocmd N Y N
callback-line N Y Y
cmd Y N N
cmd-arg Y N N
dnaverage N N Y
dnpeak N N Y
dns-servers N N Y
ftpdir N Y N
gw-password N N Y
idletime N Y N
ip-addresses N N Y
l2tp-group-num N N Y
l2tp-tunnel-authen N N Y
nocallback-verify N Y N
nohangup N Y N
priv-lvl N Y N
source-ip N N Y
tunnel-type N N Y
tunnel-id N N Y
upaverage N N Y
Columns, in order: Attribute, Network Accounting Start Packet, Network Accounting Stop Packet, Network Interim Accounting Packet, Connection Accounting Start Packet, Connection Accounting Stop Packet, EXEC Accounting Start Packet, EXEC Accounting Stop Packet, EXEC Interim Accounting Packet, System Accounting Stop Packet, Command Line Accounting Stop Packet
addr Y Y Y Y Y N N N N N
bytes_in N Y Y N Y N Y Y N N
bytes_out N Y Y N Y N Y Y N N
cmd N N N Y Y N N N N Y
disc_cause N Y N N N N Y Y N N
disc_cause_ext N Y N N N N Y Y N N
elapsed_time N Y Y N Y N Y Y Y N
paks_in N Y Y N Y N Y Y N N
paks_out N Y Y N Y N Y Y N N
priv-lvl N N N N N N N N N Y
protocol Y Y Y Y Y N N N N N
service Y Y Y Y Y Y Y Y Y Y
task_id Y Y Y Y Y Y Y Y Y Y
timezone Y Y Y Y Y Y Y Y Y Y
tunnel-id N N N N N N N N N N
tunnel-type Y N N N N N N N N N
NOTE
Authentication (HACA) allows the device and server to establish a connection for
Portal authentication. Currently, only iMaster NCE-Campus can be used as an
HACA server.
Logout notification packet (9): If the HACA server logs out the user, the device sends a logout notification packet and the HACA server does not need to reply. If accounting has been performed for the user, the packet carries accounting information.
iMaster NCE-Campus deployed on the cloud acts as an external Portal server and
an HACA server to provide authentication and accounting services. A switch acts
as a user authentication point to provide the user authentication function together
with the HACA server. User authorization information is configured on the HACA
server. After a user passes authentication, the HACA server authorizes network
access rights to the user. Figure 1-26 shows the HACA authentication,
authorization, and accounting process.
1. An access device sets up a persistent connection to, and registers with, the
HACA server using HTTP/2.
2. The client and device set up a pre-connection before authentication.
3. The client initiates an authentication request using HTTP. The HACA server
provides a web page for the client to enter the user name and password for
authentication.
4. The device and HACA server exchange authentication packets.
5. After the client passes authentication, the HACA server sends an authorization
packet to authorize network access rights to the client.
6. When the client starts to access network resources, the access device sends an
accounting-start request packet to the HACA server.
7. The HACA server sends an accounting response packet to the access device
and starts accounting.
8. (Optional) If real-time accounting is enabled, the access device periodically
sends real-time accounting request packets to the HACA server, preventing
incorrect accounting results caused by unexpected user disconnection.
9. (Optional) The HACA server returns real-time accounting response packets
and performs real-time accounting.
10. The client sends a logout request.
11. The HACA server sends a logout request packet to the access device.
12. The access device sends a logout response packet to the HACA server.
13. The access device sends an accounting-stop request packet to the HACA
server.
14. The HACA server sends an accounting-stop response packet to the access
device and stops accounting.
As shown in Figure 1-27, the Switch functions as the network access server. Users
on the enterprise network need to connect to the Internet. To ensure network
security, the administrator controls the Internet access rights of the users.
The administrator configures AAA on the Switch to allow the Switch to
communicate with the AAA server. The AAA server then can manage users
centrally. After a user enters the user name and password on the client, the Switch
forwards the authentication information including user name and password to the
AAA server, and the AAA server authenticates the user. After being successfully
authenticated, the user can access the Internet. The AAA server also records the
network resource usage of the user.
To improve reliability, two AAA servers can be deployed in active/standby mode. If
the active server fails, the standby server takes over the AAA services, ensuring
uninterrupted services.
Licensing Requirements
AAA is a basic feature of a switch and is not under license control.
NOTE
For details about software mappings, visit Info-Finder and search for the desired product
model.
Feature Limitations
● To prevent data transmission risks between the device and the RADIUS or
HWTACACS server, you are advised to deploy the device and RADIUS or
HWTACACS server in a security domain.
● The authorization scheme and UCL group are not supported in the traditional
NAC mode. The authorization user group is supported only in the traditional
NAC mode.
● If non-authentication is configured using the authentication-mode
(authentication scheme view) command, users can pass the authentication
using any user name or password. To protect the device and improve network
security, you are advised to enable authentication to allow only authenticated
users to access the device or network.
● By default, the global default common domain default and global default
management domain default_admin are bound to the accounting scheme
default. Modifying the accounting scheme default affects configurations of
the two domains. Exercise caution when modifying the accounting scheme to
prevent user accounting failures.
● After the NETCONF function is disabled, online HACA users will continue to
be online, but new HACA users cannot go online.
● When both DSCP priority mapping and 802.1p priority mapping are
authorized for uplink packets, DSCP priority mapping takes effect on the
S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-H, S6730S-H, S6730-S,
and S6730S-S, and 802.1p priority mapping takes effect on the S6735-S, S6720-EI,
S6720S-EI, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1,
S5735S-L-M, S5735-S, S500, S5735S-S, and S5735-S-I, regardless of the
priority mapping mode trusted by interfaces.
● A specific VLAN cannot be specified as both the authorized VLAN and voice
VLAN.
● In versions earlier than V200R020C00, after a user is authorized with CAR, the
device collects the traffic statistics of the user. In V200R020C00 and later
versions, after a user is authorized with CAR, the device does not collect the
traffic statistics of the user until the traffic statistics collection is configured.
● The management interface of the device cannot send or receive RADIUS
packets.
In practice, the schemes in Table 1-32 are often used separately. Multiple
authentication or authorization modes can be used in a scheme. For example,
local authentication is used as a backup of RADIUS authentication and
HWTACACS authentication, and local authorization is used as a backup of
HWTACACS authorization.
Configuration Procedure
Configuration: Configure and apply AAA schemes.
  Procedure: Configure AAA schemes.
  Description: Configure authentication, authorization, and accounting schemes.
Context
When configuring a local user, you can configure the number of connections that
can be established by the local user, local user level, idle timeout period, and login
time, and allow the local user to change the password.
NOTE
● For device security purposes, do not disable password complexity check, and change the
password periodically.
● After you change the local account's rights (including the password, access type, FTP
directory, and level), the rights of users who are already online remain unchanged, and
new users obtain the new rights when they go online.
● Local users' access types include:
  – Administrative: api, ftp, http, ssh, telnet, x25-pad, and terminal
  – Common: 8021x, ppp, and web
● Security risks exist if the user login mode is set to Telnet or FTP. You are advised to set the
user login mode to STelnet or SFTP and set the user access type to SSH.
When a device starts without any configuration, HTTP uses a randomly generated
self-signed certificate to support HTTPS. The self-signed certificate may bring risks.
Therefore, you are advised to replace it with an officially authorized digital certificate.
Procedure
Step 1 Run system-view
Step 4 (Optional) Set the user level, user group, access time range, idle-cut function, and
number of connections that can be established by the user.
Procedure Command Description
Set the local user level.
  Command: local-user user-name privilege level level
  Description: The default level of a local user is 0.
Set the access time range for the local user.
  Command: local-user user-name time-range time-name
  Description: By default, no access time range is configured and the local user can access the network anytime.
Set the maximum number of connections that can be established by the local user.
  Command: local-user user-name access-limit max-number
  Description: By default, the number of connections that can be established by a user is not limited. To configure the local account to log in through only one terminal, set max-number to 1.
Enable the local account lock function, and set the retry interval, maximum number of consecutive authentication failures, and account lock period.
  Command: local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time
  Description: By default, the local account lock function is enabled, the retry interval is 5 minutes, the maximum number of consecutive authentication failures is 3, and the account lock period is 5 minutes.
Configure the password policy for local access users:
  Enable the password policy for local access users and enter the local access user password policy view.
    Command: local-aaa-user password policy access-user
    Description: By default, the password policy for local access users is disabled.
  Set the maximum number of historical passwords recorded for each user.
    Command: password history record number number
    Description: By default, a maximum of five historical passwords are recorded for each user.
  Exit the local access user password policy view.
    Command: quit
    Description: -
When the device starts with the default configurations, it automatically performs
the following configurations and saves the configurations to the configuration file:
● Run the local-aaa-user password policy administrator command to enable
the password policy for local administrators.
● Run the password expire 0 command to configure the passwords of local
administrators to be permanently valid.
● Run the password history record number 0 command to configure the
device not to check whether a changed password of a local administrator is
the same as any historical password.
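The local-aaa-user wrong-password parameters in the table above can be exercised with a small simulation. This is an added example, not device code; treating retry-interval as a sliding window over consecutive failures is an assumption about the command's semantics, and the defaults are the ones the table states.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class LockPolicy:
    """Parameters of local-aaa-user wrong-password (defaults from the table)."""
    retry_interval_min: int = 5   # window in which failures are counted
    retry_time: int = 3           # consecutive failures that lock the account
    block_time_min: int = 5       # how long the account stays locked


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)   # failure times, in minutes
    locked_until: float = 0.0


class LocalUserLock:
    """Per-account failure counting and locking; time is passed in as minutes."""

    def __init__(self, policy: LockPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        state = self.accounts.get(user)
        return state is not None and now < state.locked_until

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt at time `now`.

        Returns "accepted", "rejected", "rejected-locked" (this failure
        triggered the lock) or "locked" (refused while the lock is active,
        even with the right password).
        """
        state = self.accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            return "locked"
        if password_ok:
            state.failures.clear()     # a success resets the consecutive count
            return "accepted"
        # Assumption: only failures inside the retry interval count as consecutive,
        # so slow guessing below the rate never reaches retry_time.
        window = self.policy.retry_interval_min
        state.failures = [t for t in state.failures if now - t < window]
        state.failures.append(now)
        if len(state.failures) >= self.policy.retry_time:
            state.locked_until = now + self.policy.block_time_min
            state.failures.clear()
            return "rejected-locked"
        return "rejected"
```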
Step 6 (Optional) Set parameters of access rights for the local user.
Procedure Command Description
Configure the HTTP directory that HTTP users can access.
  Command: local-user user-name http-directory directory
  Description: By default, the HTTP directory that HTTP users can access is not configured.
Set the expiration date for the local account.
  Command: local-user user-name expire-date expire-date
  Description: By default, a local account is permanently valid.
Step 7 Run the undo local-aaa-user change-password verify command to disable the
function of verifying the original password when local administrators change their
own passwords.
By default, when local administrators change their passwords using the local-user
user-name privilege level level command in the AAA view, the administrators
need to enter the original password for verification.
Step 8 (Optional) Change the login password of a local user.
Procedure Command Description
Return to the user view.
  Command: return
  Description: -
Step 9 (Optional) When a web user logs in to the device for the first time, the browser
jumps to the page for creating a user interface.
navigator first-login enable
----End
Context
Table 1-33 describes authorization parameters that can be set locally during local
authorization configuration.
Procedure
● Configure an authorization VLAN.
Configure a VLAN and the network resources in the VLAN on the device.
● Configure a service scheme.
For details on how to configure a service scheme, see 1.7.4 Configuring a
Service Scheme.
● Configure an authorization user group.
Procedure Command Description
Return to the system view.
  Command: quit
  Description: -
Procedure Command Description
Configure a user ACL or user ACL6.
  Command: For details, see Configuring a User ACL or User ACL6 under "ACL Configuration" in the S300, S500, S2700, S5700, and S6700 V200R021C00, C01 Configuration Guide - Security.
  Description: The ACL filters packets based on the UCL group.
Configure ACL-based packet filtering.
  Command: traffic-filter inbound acl [ ipv6 ] acl-number
  Description: By default, ACL-based packet filtering is not configured.
----End
Context
To use local authentication and authorization, set the authentication mode in an
authentication scheme to local authentication and the authorization mode in an
authorization scheme to local authorization.
By default, the device performs local authentication and authorization for access
users.
NOTE
Procedure
● Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme authentication-scheme-name
An authentication scheme is created and the authentication scheme view
is displayed, or an existing authentication scheme view is displayed.
Two default authentication schemes named default and radius are
available on the device. These two authentication schemes can be
modified but not deleted.
d. Run authentication-mode { local | local-case }
The authentication mode is set to local.
By default, local authentication is used. The names of local users are
case-insensitive.
e. (Optional) Run authentication-super [ hwtacacs | radius | super ] *
none
An authentication mode for upgrading user levels is set.
The default mode is super (local authentication).
f. Run quit
The AAA view is displayed.
g. (Optional) Run domainname-parse-direction { left-to-right | right-to-
left }
The direction in which the domain name is parsed is specified.
By default, a domain name is parsed from left to right.
h. Run quit
The system view is displayed.
NOTE
When the device is switched to the NAC common mode, only the administrator level, number of
users who can access the network using the same user name, and redirection ACL can be
configured in the service scheme.
Procedure
Step 1 Run system-view
The user is configured as the administrator and the administrator level for login is
specified.
The value range of level is from 0 to 15. By default, the user level is not specified.
Configure the IP address of the primary DNS server.
  Command: dns ip-address
  Description: By default, no primary DNS server is configured in a service scheme.
Configure the IP address of the secondary DNS server.
  Command: dns ip-address secondary
  Description: By default, no secondary DNS server is configured in a service scheme.
NOTE
The ipv6 parameter is supported only by the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1,
S300, S5735-L, S5735S-L, S5735S-L-M, S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI,
S6735-S and S6720S-EI.
Only wired users support IPv6 ACL redirection.
The idle-cut function is enabled for domain users and the idle-cut parameters are
set.
By default, the idle-cut function is disabled for domain users.
NOTE
The idle-cut command configured in the service scheme view takes effect only for wireless
users.
NOTE
Only users who are successfully authenticated support the configurations for limiting the
number of access users based on the same user name, and pre-connection users do not support
such configurations.
This command does not take effect in inter-AC roaming scenarios.
Only the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M,
S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6735-S, and S6720S-EI support the ipv6
parameter.
Before running this command, ensure that an ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.
The priorities of the following access policies are in descending order:
ACL number delivered by the RADIUS server > ACL number configured on the local device
> ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-
Filter numbered 26-82 > UCL group index delivered by the RADIUS server > UCL group
configured on the local device
IPv6 ACL authorization and IPv4 ACL authorization have the same priority. Therefore,
according to the preceding priority, when the server delivers the IPv4 ACL number, the
locally configured IPv6 ACL number does not take effect.
2. Run ucl-group { group-index | name group-name }
A UCL group is bound to the service scheme.
By default, no UCL group is bound to a service scheme.
Before running this command, ensure that a UCL group that identifies the
user category has been created and configured.
▪ Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]
{ inbound | outbound }
Traffic policing is configured in the QoS profile.
By default, traffic policing is not configured in a QoS profile.
If both remark dscp dscp-value and voice-vlan remark dscp dscp-value are
configured, the DSCP priority of the former is higher.
By default, the action of re-marking DSCP priorities of IP packets is
not configured in a QoS profile.
NOTE
Only the S5731-S, S5731S-S, S5731-H, and S5731S-H support the HQoS
scheduling.
6. Run sac-profile profile-name
An SAC profile is bound to the service scheme.
By default, no SAC profile is bound to a service scheme.
NOTE
For details about authorization HQoS configuration and guidelines, see Configuring a
Subscriber Queue.
Before running this command, ensure that an SAC profile has been
configured. To configure an SAC profile, perform the following operations:
a. Run sac-profile name profile-name
An SAC profile is created and the SAC profile view is displayed; or the
existing SAC profile view is displayed.
b. Run acl { ucl-number | name acl-name } remark local-precedence local-
precedence-value
The internal priority used for user-ACL-based remarking is configured.
By default, no internal priority is configured for user-ACL-based
remarking in an SAC profile.
7. Run quit
The AAA view is displayed.
8. Run quit
The system view is displayed.
----End
Context
The created authentication and authorization schemes take effect only after being
applied to a domain. When local authentication and authorization are used, the
default accounting scheme non-accounting is used.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name [ domain-index domain-index ]
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
The device has two default domains:
● default: Used by common access users
● default_admin: Used by administrators
NOTE
● If a user enters a user name that does not contain a domain name, the user is authenticated
in the default domain. In this case, you need to run the domain domain-name [ admin ]
command and set domain-name to configure a global default domain on the device.
● If a user enters a user name that contains a domain name during authentication, the user
must enter the correct value of domain-name.
● Run authorization-scheme authorization-scheme-name
Apply an authorization scheme to the domain. By default, no authorization scheme is applied to a domain.
Step 6 (Optional) Specify the domain state and enable traffic statistics collection for the
domain.
In the AAA view:
● Run quit
Exit from the domain view.
● Run domainname-parse-direction { left-to-right | right-to-left }
Specify the domain name parsing direction. The domain name can be parsed from left to right, or from right to left. By default, the domain name is parsed from left to right.
● Run domain-name-delimiter delimiter
Set the domain name delimiter. A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.
● Run domain-location { after-delimiter | before-delimiter }
Specify the domain name location. The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.
● Run security-name-delimiter delimiter
Set the security string delimiter. By default, the security string delimiter is * (asterisk).
In the authentication profile view:
● Run quit
Exit from the AAA view.
● Run authentication-profile name authentication-profile-name
Create an authentication profile and enter the authentication profile view. By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.
● Run domainname-parse-direction { left-to-right | right-to-left }
Specify the domain name parsing direction. The domain name can be parsed from left to right, or from right to left. By default, the domain name parsing direction is not specified.
● Run domain-name-delimiter delimiter
Set the domain name delimiter. A domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, no domain name delimiter is set.
● Run domain-location { after-delimiter | before-delimiter }
Specify the domain name location. By default, the domain name location is not specified.
● Run security-name-delimiter delimiter
Set the security string delimiter. By default, no security string delimiter is set.
Step 9 (Optional) Specify a permitted domain for wireless users. (This step applies only to
wireless users.)
● Run quit
Return to the system view.
● Run authentication-profile name authentication-profile-name
Create an authentication profile and enter the authentication profile view. By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.
----End
Procedure
● Run the display aaa configuration command to check the AAA summary.
● Run the display authentication-scheme [ authentication-scheme-name ]
command to verify the authentication scheme configuration.
● Run the display authorization-scheme [ authorization-scheme-name ]
command to verify the authorization scheme configuration.
● To verify information about access users, run the following commands:
– display access-user [ domain domain-name | interface interface-type
interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-
address [ vpn-instance vpn-instance-name ] | ipv6-address ipv6-address
| access-slot slot-id | wired | wireless ] [ detail ]
– display access-user username user-name [ detail ]
----End
Configuration Procedure
Context
An AAA scheme defines the authentication, authorization, and accounting modes
used by users. If RADIUS AAA is used, set the authentication mode to RADIUS in
the authentication scheme, and set the accounting mode to RADIUS in the
accounting scheme. RADIUS authentication is combined with authorization and
cannot be separated. If authentication succeeds, authorization also succeeds. If
RADIUS authentication is used, you do not need to configure an authorization
scheme.
Procedure
● Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme scheme-name
An authentication scheme is created and the authentication scheme view
is displayed, or the view of an existing authentication scheme is
displayed.
By default, two authentication schemes named default and radius are
available on the device. The two schemes can only be modified, but
cannot be deleted.
d. Run authentication-mode radius
The authentication mode is set to RADIUS.
By default, local authentication is used, and the names of local users are
case-insensitive.
To configure local authentication as the backup authentication mode, run
the authentication-mode radius { local | local-case } command.
e. (Optional) Run undo server no-response accounting
The device is configured not to send accounting packets when the server
does not respond to a user's authentication request and the user then is
authenticated using the local authentication mode.
By default, when the accounting function is configured, the device does
not send accounting packets when the server does not respond to a
user's authentication request and the user then is authenticated using the
local authentication mode.
f. (Optional) Run radius-reject local
The administrator is configured to be authenticated using the local
authentication mode after the administrator's RADIUS authentication
request is rejected.
By default, an administrator is not authenticated using the local
authentication mode after the administrator's RADIUS authentication
request is rejected. After the RADIUS authentication request is rejected,
that is, the RADIUS server responds with an Access-Reject packet, the
authentication process ends and the administrator fails to be
authenticated.
NOTE
none
By default, the super mode is used. That is, local authentication is used.
h. (Optional) Run authentication-type radius chap access-type admin
[ ftp | ssh | telnet | terminal | http ] *
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified and cannot be deleted.
Step 3 Configure RADIUS authentication and accounting servers.
NOTE
By default, the algorithm for selecting RADIUS servers is the single user-based
primary/secondary algorithm.
Step 7 (Optional) Configure the format of the user name in packets sent from the device
to the RADIUS server.
● Run radius-server user-name domain-included
The device is configured to encapsulate the domain name in the user name in
the RADIUS packets sent to a RADIUS server.
● Run radius-server user-name original
The device is configured not to modify the user name entered by a user in the
RADIUS packets sent to a RADIUS server.
● Run undo radius-server user-name domain-included
The device is configured not to encapsulate the domain name in the user
name in the RADIUS packets sent to a RADIUS server.
● Run undo radius-server user-name domain-included except-eap
The device is configured not to encapsulate the domain name in the user
name in the RADIUS packets sent to a RADIUS server (applicable to other
authentication modes except EAP authentication).
By default, the device does not modify the user name entered by a user in the
RADIUS packets sent to a RADIUS server.
Step 8 (Optional) Run radius-server traffic-unit { byte | kbyte | mbyte | gbyte }
The traffic unit used by the RADIUS server is configured.
By default, the RADIUS traffic unit is byte on the device.
Step 9 (Optional) Run radius-attribute service-type with-authenonly-reauthen
The reauthentication mode is set to reauthentication only.
By default, the reauthentication mode is reauthentication and reauthorization.
This function takes effect when the Service-Type attribute on the RADIUS server is
set to Authenticate Only.
Step 10 (Optional) Run radius-server framed-ip-address no-user-ip enable
The device is enabled to encapsulate the RADIUS attribute Framed-IP-Address into
RADIUS authentication request packets when the RADIUS authentication request
packets sent by users do not carry user IP addresses.
By default, the device does not encapsulate the RADIUS attribute Framed-IP-
Address into a RADIUS authentication request packet when the RADIUS
authentication request packet sent by a user does not carry the user IP address.
----End
Procedure
● Configure conditions for setting the RADIUS server status to Down. Two
scenarios are involved in this configuration.
– Conditions for setting the RADIUS server status to Down during the
RADIUS server status detection.
i. Run system-view
The system view is displayed.
ii. Run radius-server { dead-interval dead-interval | dead-count dead-
count | detect-cycle detect-cycle }
The RADIUS server detection interval, number of times the detection
interval cycles, and maximum number of consecutive
unacknowledged packets in each detection interval are configured.
By default, the RADIUS server detection interval is 5 seconds, the
number of times the detection interval cycles is 2, and the maximum
number of consecutive unacknowledged packets in each detection
interval is 2.
iii. Run the return command to return to the user view.
– Set the status of a RADIUS server to Down if no response is received from
the server for a long period of time. With this function enabled, you can
run the following commands to adjust the maximum unresponsive
interval of the RADIUS server.
i. Run system-view
The system view is displayed.
ii. Run radius-server max-unresponsive-interval interval
The longest unresponsive interval for the RADIUS server is
configured.
By default, the longest unresponsive interval for a RADIUS server is
300 seconds.
iii. Run the return command to return to the user view.
On a large-scale network, you are advised not to enable automatic detection for
RADIUS servers in Up status. If automatic detection is enabled on multiple NAS
devices, the RADIUS server periodically receives a large number of detection
packets while it is processing RADIUS Access-Request packets sourced from users,
which may degrade the processing performance of the RADIUS server.
f. (Optional) Run radius-server detect-server timeout timeout
The timeout period for RADIUS detection packets is configured.
By default, the timeout period for RADIUS detection packets is 3 seconds.
g. Run the return command to return to the user view.
● (Optional) Configure the duration for which a RADIUS server remains Down,
namely, configure the Force-up timer.
NOTE
After the RADIUS server status is set to Force-up and automatic detection is enabled, the
device immediately sends a detection packet. If the device receives a response packet from
the RADIUS server within the timeout period, the device sets the RADIUS server status to
Up; otherwise, the device sets the RADIUS server status to Down.
a. Run system-view
The system view is displayed.
b. Run radius-server template template-name
The RADIUS server template view is displayed.
----End
Follow-up Procedure
1. Run the authentication event authen-server-down action authorize
command in the authentication profile view to configure the user escape
function if the authentication server goes Down. For details, see 2.9.3
(Optional) Configuring Authentication Event Authorization Information
in NAC Configuration (Unified Mode).
2. Run the authentication event authen-server-up action re-authen
command in the authentication profile view to configure the reauthentication
function after the authentication server reverts to the Up status. For details,
see 2.9.8 (Optional) Configuring Re-authentication for Users in NAC
Configuration (Unified Mode).
Context
RADIUS attributes supported by different vendors are incompatible with each
other, so RADIUS attributes must be disabled or translated in interoperation and
replacement scenarios.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-server attribute translate
The RADIUS attribute disabling and translation functions are enabled.
By default, the RADIUS attribute disabling and translation functions are disabled.
----End
Context
After the RADIUS attribute check function is configured, the device checks whether
the received RADIUS Access-Accept packets contain the specified attributes. If so,
the device considers that authentication is successful; if not, the device considers
that authentication fails and discards the packets.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-attribute check attribute-name
The device is configured to check whether the received RADIUS Access-Accept
packets contain the specified attribute.
By default, the device does not check whether RADIUS Access-Accept packets
contain the specified attribute.
----End
Context
The value of the same RADIUS attribute may vary on RADIUS servers from
different vendors. Therefore, RADIUS attribute values need to be modified, so that
a Huawei device can successfully communicate with a third-party RADIUS server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-attribute set attribute-name attribute-value [ auth-type { mac |
dot1x | portal } | user-type ipsession ]
The value of a RADIUS attribute is modified.
NOTE
When the Access-Challenge packet sent by the RADIUS server contains EAP information
longer than 1200 bytes, the terminal may fail to receive the EAP Request/Challenge packet.
In this case, you can run this command to set attribute-name to Framed-Mtu and reduce
the value of the Framed-Mtu attribute in the authentication request packet sent by the
device to the RADIUS server. The default value of the Framed-Mtu attribute is 1500. You can
change it to 1000.
----End
Context
For details about RADIUS attributes supported by the device, see RADIUS
Attributes. The content or format of some standard RADIUS attributes can be
configured.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified and cannot be deleted.
Step 3 Configure standard RADIUS attributes.
● Configure RADIUS attribute 4 (NAS-IP-Address) or 95 (NAS-IPv6-
Address).
– Run radius-attribute nas-ip { ip-address | ap-info }
RADIUS attribute 4 (NAS-IP-Address) is configured.
By default, the source IP address of the NAS is the value of the NAS-IP-
Address attribute.
– Run radius-attribute nas-ipv6 ipv6-address
RADIUS attribute 95 (NAS-IPv6-Address) is configured.
By default, the NAS-IPv6-Address attribute is not configured.
● Configure RADIUS attribute 5 (NAS-Port).
a. Run radius-server nas-port-format { new | old }
The format of the NAS port is configured.
By default, the new NAS port format is used.
When the new NAS port format is used, you can perform the following
operation to configure the specific format.
b. Run radius-server format-attribute nas-port nas-port-string [ decimal ]
The new NAS port format is configured.
Only the S5731-H, S5731S-H, S6730S-H, S5732-H, and S6730-H support this
command.
b. Run called-station-id mac-format { dot-split | hyphen-split | colon-
split } [ mode1 | mode2 ] [ lowercase | uppercase ]
Or run called-station-id mac-format unformatted [ lowercase |
uppercase ]
The encapsulation format of the MAC address in the Called-Station-Id
(30) attribute is configured.
By default, the MAC address format in the Called-Station-Id (30)
attribute is XX-XX-XX-XX-XX-XX, in uppercase.
● Configure RADIUS attribute 31 (Calling-Station-Id).
Run calling-station-id mac-format { dot-split | hyphen-split | colon-split }
[ mode1 | mode2 ] [ lowercase | uppercase ]
Or run calling-station-id mac-format { unformatted [ lowercase |
uppercase ] | bin }
The encapsulation format of the MAC address in the Calling-Station-Id (31)
attribute is configured.
By default, the MAC address format in the Calling-Station-Id (31) attribute is
xxxx-xxxx-xxxx, in lowercase.
● Configure RADIUS attribute 32 (NAS-Identifier).
Run radius-server nas-identifier-format { hostname | vlan-id | ap-info }
The encapsulation format of the NAS-Identifier attribute is configured.
By default, the NAS-Identifier encapsulation format is the NAS device's
hostname.
● Configure RADIUS attribute 80 (Message-Authenticator).
Run radius-server attribute message-authenticator access-request
The device is configured to carry RADIUS attribute 80 (Message-
Authenticator) in RADIUS authentication packets.
By default, the device does not carry RADIUS attribute 80 (Message-
Authenticator) in RADIUS authentication packets.
● Configure RADIUS attribute 87 (NAS-Port-Id).
----End
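An added Python example (not Huawei code) for two checks configured in this guide: the radius-attribute check function, which discards an Access-Accept that lacks a required attribute, and RADIUS attribute 80 (Message-Authenticator) in Access-Request packets. The packets, attribute values and shared secret are constructed; the HMAC-MD5 computation follows RFC 2869 section 5.14 and is verified here for Access-Request packets only (a reply's Message-Authenticator is keyed on the request's authenticator instead).

```python
"""Minimal RADIUS packet encoding/decoding with Message-Authenticator (80)
and a required-attribute check on Access-Accept. Added example; not Huawei code."""
import hashlib
import hmac
import os
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
MESSAGE_AUTHENTICATOR = 80
# Attribute names as used with radius-attribute check (standard type numbers).
ATTR_TYPE = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5,
             "Filter-Id": 11, "Framed-MTU": 12, "Called-Station-Id": 30,
             "Calling-Station-Id": 31, "NAS-Identifier": 32,
             "Message-Authenticator": 80, "Tunnel-Private-Group-ID": 81}

Attrs = List[Tuple[int, bytes]]


def encode(code: int, ident: int, authenticator: bytes, attrs: Attrs) -> bytes:
    """Serialise Code | Identifier | Length | Authenticator | Attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt: bytes) -> Tuple[int, int, bytes, Attrs]:
    """Parse a packet; rejects length mismatches and malformed attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet size")
    authenticator, attrs, pos = pkt[4:20], [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, authenticator, attrs


def _hmac_over(pkt: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed
    (RFC 2869 section 5.14)."""
    code, ident, auth, attrs = decode(pkt)
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v)
              for t, v in attrs]
    return hmac.new(secret, encode(code, ident, auth, zeroed), hashlib.md5).digest()


def build_access_request(ident: int, secret: bytes, attrs: Attrs) -> bytes:
    """Access-Request carrying attribute 80, as the NAS sends after
    radius-server attribute message-authenticator access-request."""
    request_auth = os.urandom(16)  # Request Authenticator: random per RFC 2865
    placeholder = encode(ACCESS_REQUEST, ident, request_auth,
                         attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    mac = _hmac_over(placeholder, secret)
    return encode(ACCESS_REQUEST, ident, request_auth,
                  attrs + [(MESSAGE_AUTHENTICATOR, mac)])


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """True only if exactly one well-formed attribute 80 is present and matches."""
    _, _, _, attrs = decode(pkt)
    present = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(present) != 1 or len(present[0]) != 16:
        return False
    return hmac.compare_digest(present[0], _hmac_over(pkt, secret))


def access_accept_passes_check(pkt: bytes, required: str) -> bool:
    """radius-attribute check <required>: an Access-Accept without the attribute
    is treated as an authentication failure and discarded."""
    code, _, _, attrs = decode(pkt)
    if code != ACCESS_ACCEPT:
        return False
    return any(t == ATTR_TYPE[required] for t, _ in attrs)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed, not a real secret
    req = build_access_request(7, secret, [(1, b"alice"), (4, bytes([10, 0, 0, 1]))])
    print("request verifies:", verify_message_authenticator(req, secret))
```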
Context
For details about RADIUS attributes supported by the device, see RADIUS
Attributes. The content or format of some Huawei proprietary RADIUS attributes
can be configured.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified and cannot be deleted.
Step 3 Configure Huawei proprietary RADIUS attributes.
● Run radius-server hw-ap-info-format include-ap-ip
The device is configured to carry the AP's IP address in Huawei proprietary
attribute 26-141 (HW-AP-Information).
By default, the device does not carry the AP's IP address in Huawei
proprietary attribute 26-141 (HW-AP-Information).
----End
Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.
NOTE
When the device is switched to the NAC common mode, only the administrator level, number of
users who can access the network using the same user name, and redirection ACL can be
configured in the service scheme.
Procedure
Step 1 Run system-view
The user is configured as the administrator and the administrator level for login is
specified.
The value range of level is from 0 to 15. By default, the user level is not specified.
● Run dns ip-address
Configure the IP address of the primary DNS server. By default, no primary DNS server is configured in a service scheme.
● Run dns ip-address secondary
Configure the IP address of the secondary DNS server. By default, no secondary DNS server is configured in a service scheme.
NOTE
The ipv6 parameter is supported only by the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1,
S300, S5735-L, S5735S-L, S5735S-L-M, S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI,
S6735-S and S6720S-EI.
Only wired users support IPv6 ACL redirection.
NOTE
The idle-cut command configured in the service scheme view takes effect only for wireless
users.
NOTE
Only users who are successfully authenticated support the configurations for limiting the
number of access users based on the same user name, and pre-connection users do not support
such configurations.
This command does not take effect in inter-AC roaming scenarios.
Only the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M,
S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6735-S, and S6720S-EI support the ipv6
parameter.
Before running this command, ensure that an ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.
The priorities of the following access policies are in descending order:
ACL number delivered by the RADIUS server > ACL number configured on the local device
> ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-
Filter numbered 26-82 > UCL group index delivered by the RADIUS server > UCL group
configured on the local device
IPv6 ACL authorization and IPv4 ACL authorization have the same priority. Therefore,
according to the preceding priority, when the server delivers the IPv4 ACL number, the
locally configured IPv6 ACL number does not take effect.
2. Run ucl-group { group-index | name group-name }
A UCL group is bound to the service scheme.
By default, no UCL group is bound to a service scheme.
Before running this command, ensure that a UCL group that identifies the
user category has been created and configured.
3. Run user-vlan vlan-id
A user VLAN is configured in the service scheme.
By default, no user VLAN is configured in a service scheme.
Before running this command, ensure that a VLAN has been created using the
vlan command.
4. Run voice-vlan
The voice VLAN function is enabled in the service scheme.
By default, the voice VLAN function is disabled in a service scheme.
For this configuration to take effect, ensure that a VLAN has been specified as
the voice VLAN using the voice-vlan enable command and the voice VLAN
function has been enabled on the interface.
5. Run qos-profile profile-name
A QoS profile is bound to the service scheme.
▪ Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]
{ inbound | outbound }
Traffic policing is configured in the QoS profile.
By default, traffic policing is not configured in a QoS profile.
If both remark dscp dscp-value and voice-vlan remark dscp dscp-value are
configured, the DSCP priority of the former is higher.
By default, the action of re-marking DSCP priorities of IP packets is
not configured in a QoS profile.
Only the S5731-S, S5731S-S, S5731-H, and S5731S-H support the HQoS
scheduling.
6. Run sac-profile profile-name
An SAC profile is bound to the service scheme.
For details about authorization HQoS configuration and guidelines, see Configuring a
Subscriber Queue.
Before running this command, ensure that an SAC profile has been
configured. To configure an SAC profile, perform the following operations:
a. Run sac-profile name profile-name
An SAC profile is created and the SAC profile view is displayed; or the
existing SAC profile view is displayed.
b. Run acl { ucl-number | name acl-name } remark local-precedence local-
precedence-value
The internal priority used for user-ACL-based remarking is configured.
By default, no internal priority is configured for user-ACL-based
remarking in an SAC profile.
7. Run quit
The AAA view is displayed.
8. Run quit
The system view is displayed.
----End
Context
Users must obtain authorization information before going online. You can
configure a user group to manage authorization information about users.
Procedure
● Configure a user group.
Run quit
Return to the system view.
----End
Context
Users must obtain authorization information before going online. You can
configure a UCL group to manage authorization information about users.
Procedure
● Configure an authorization UCL group.
Configure a user ACL or user ACL6. For details, see Configuring a User ACL or User ACL6 under
"ACL Configuration" in the S300, S500, S2700, S5700, and S6700 V200R021C00, C01
Configuration Guide - Security. The user ACL or user ACL6 filters packets based on the UCL
group.
----End
Context
A VLAN pool is a set of VLANs and is used to simplify network deployment.
Perform the following operations to configure a VLAN pool.
● Set the standard RADIUS attribute Tunnel-Private-Group-ID assigned to
users who pass authentication by the RADIUS server so that wired users can
be added to the specified VLAN pool.
● For wireless users, three methods are available to apply a VLAN pool:
– Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
service-vlan vlan-pool pool-name command to configure the specified
VLAN pool as the service VLAN of wireless users in the specified VAP
profile.
– Run the service-vlan vlan-pool pool-name command in the VAP profile
view to configure the VLAN pool as the service VLAN of wireless users in
the VAP profile.
– On the RADIUS server, configure the standard RADIUS attribute Tunnel-
Private-Group-ID for authenticated users to add the users to the
specified VLAN pool.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>
VLANs are created in a batch.
Step 3 Run vlan pool pool-name
A specified VLAN pool is created and its view is displayed.
By default, no VLAN pool is created.
Step 4 Run vlan { start-vlan [ to end-vlan ] } &<1-10> [ max-user number ]
The specified VLANs are added to the VLAN pool.
By default, no VLAN is available in a VLAN pool.
NOTE
max-user number is valid only for users authorized a VLAN pool and takes effect only
when the VLAN assignment algorithm of a VLAN pool is hash.
NOTE
● The hash mac-vlan lease command takes effect only for users authorized a VLAN pool.
● The hash mac-vlan lease command takes effect only when the VLAN assignment
algorithm of a VLAN pool is hash.
● The aging time takes effect only for entries of offline users.
Step 7 (Optional) Configure the function of reassigning VLANs in a VLAN pool for wired
users.
NOTE
This function takes effect only when the VLAN assignment algorithm of a VLAN pool is
hash.
Before configuring this function, enable DHCP snooping on the interface through which
users go online.
This function takes effect only for wired users.
Authentication access devices in the policy association scenario do not support this
function.
1. Run dhcp update vlan assignment
The function of reassigning VLANs in a VLAN pool is enabled.
By default, the function of reassigning VLANs in a VLAN pool is disabled.
2. (Optional) Run vlan block-time
The lockout time of VLANs in a VLAN pool is configured.
By default, the lockout time of VLANs in a VLAN pool is 5 minutes.
3. (Optional) Run dhcp update vlan assignment threshold count
The number of times the VLAN pool module receives a notification from the
DHCP module is set. The notification indicates that users fail to obtain IP
addresses from the IP address pool for a specific VLAN.
By default, if the VLAN pool module receives the notification from the DHCP
module three times, the VLAN is locked.
Step 8 (Optional) Configure the function of reassigning VLANs in a VLAN pool for
wireless users.
NOTE
The number of times the VLAN pool module receives a notification from the
DHCP module is set. The notification indicates that users fail to obtain IP
addresses from the IP address pool for a specific VLAN.
2. Run dhcp update vlan assignment interval interval-value
The interval at which the VLAN pool module receives a notification from the
DHCP module is set. The notification indicates that users fail to obtain IP
addresses from the IP address pool for a specific VLAN.
By default, if the VLAN pool module receives the notification from the DHCP
module three times within 3 minutes, the VLAN is locked.
----End
Context
A NAS performs domain-based user management. A domain is a group of users
and each user belongs to a domain. A user uses only AAA configuration
information in the domain to which the user belongs.
The device determines the domain to which a user belongs based on the user
name. Before performing authentication, authorization, and accounting on users,
you need to create the domain to which the users belong.
Procedure
Step 1 Run system-view
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
By default, the default and default_admin domains are available on the device.
The default domain is used by common access users and the default_admin
domain is used by administrators.
Step 4 (Optional) Run state { active | block [ time-range time-name &<1-4> ] }
The domain state is configured.
By default, a domain is in active state after being created. When a domain is in
blocking state, users in this domain cannot log in.
Step 5 (Optional) Configure the traffic statistics collection function.
1. Run statistic enable
The traffic statistics collection function is enabled for domain users.
By default, the traffic statistics collection is disabled for domain users.
2. Run accounting dual-stack separate
Separate statistics collection or separate rate limiting of IPv4 and IPv6 traffic
is enabled.
By default, the device does not distinguish between IPv4 and IPv6 traffic when
collecting statistics or rate limiting IPv4 and IPv6 traffic.
Step 6 (Optional) Configure the DNS function, which takes effect for all domains on the
device.
1. Run quit
Return to the AAA view.
2. Run domainname-parse-direction { left-to-right | right-to-left }
The domain name resolution direction is configured.
By default, a domain name is parsed from left to right.
3. Run domain-name-delimiter delimiter
The domain name delimiter is configured.
By default, the domain name delimiter is @.
4. Run domain-location { after-delimiter | before-delimiter }
The position of a domain name is configured.
By default, a domain name is placed after the domain name delimiter.
NOTE
The DNS function can also be configured in the authentication profile view. If the DNS function
is configured in both the AAA view and authentication profile view, the device preferentially
uses the configuration in the authentication profile, which applies only to wireless users.
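An added Python example (not Huawei code) of how the domainname-parse-direction, domain-name-delimiter and domain-location settings above determine which domain a typed user name falls into, and of the User-Name the NAS then sends under radius-server user-name original, domain-included, and the undo forms from the RADIUS template procedure earlier. Two behaviours are assumptions and marked as such: with several delimiters, left-to-right splits at the first and right-to-left at the last; with domain-included, a name typed without a domain is sent with the default domain appended.

```python
"""Domain-name parsing and RADIUS User-Name formatting.
Added example; not Huawei code. Assumptions are marked in comments."""
from dataclasses import dataclass
from typing import Tuple

# Delimiters the guide lists for domain-name-delimiter: \ / : < > | @ ' %
ALLOWED_DELIMITERS = frozenset("\\/:<>|@'%")


@dataclass(frozen=True)
class DomainParseConfig:
    delimiter: str = "@"                    # domain-name-delimiter (default @)
    parse_direction: str = "left-to-right"  # domainname-parse-direction
    location: str = "after-delimiter"       # domain-location
    default_domain: str = "default"         # global default common domain
    default_admin_domain: str = "default_admin"  # global default administrative domain

    def __post_init__(self) -> None:
        if self.delimiter not in ALLOWED_DELIMITERS:
            raise ValueError(f"unsupported domain name delimiter {self.delimiter!r}")
        if self.parse_direction not in ("left-to-right", "right-to-left"):
            raise ValueError(f"bad parse direction {self.parse_direction!r}")
        if self.location not in ("after-delimiter", "before-delimiter"):
            raise ValueError(f"bad domain location {self.location!r}")


def split_user_name(name: str, cfg: DomainParseConfig,
                    admin: bool = False) -> Tuple[str, str, bool]:
    """Return (pure user name, domain name, domain_was_typed).

    A name without the delimiter is authenticated in the global default
    domain: default for access users, default_admin for administrators.
    Assumption: when the delimiter occurs more than once, left-to-right
    splits at the first occurrence and right-to-left at the last one.
    """
    idx = (name.find(cfg.delimiter) if cfg.parse_direction == "left-to-right"
           else name.rfind(cfg.delimiter))
    if idx < 0:
        default = cfg.default_admin_domain if admin else cfg.default_domain
        return name, default, False
    left, right = name[:idx], name[idx + 1:]
    if cfg.location == "after-delimiter":   # user<delim>domain
        return left, right, True
    return right, left, True                # domain<delim>user


def compose_user_name(user: str, domain: str, cfg: DomainParseConfig) -> str:
    """Rebuild a full user name honouring the configured domain location."""
    if cfg.location == "after-delimiter":
        return f"{user}{cfg.delimiter}{domain}"
    return f"{domain}{cfg.delimiter}{user}"


def radius_user_name(typed: str, cfg: DomainParseConfig, mode: str = "original",
                     eap: bool = False) -> str:
    """User-Name the NAS places in RADIUS packets sent to the server.

    mode values map to the guide's commands:
      "original"                   radius-server user-name original (default)
      "domain-included"            radius-server user-name domain-included
      "domain-excluded"            undo radius-server user-name domain-included
      "domain-excluded-except-eap" undo radius-server user-name domain-included except-eap
    """
    user, domain, _typed_domain = split_user_name(typed, cfg)
    if mode == "original":
        return typed                      # sent exactly as the user typed it
    if mode == "domain-included":
        # Assumption: a name typed without a domain is sent with the default
        # domain appended in the configured location.
        return compose_user_name(user, domain, cfg)
    if mode == "domain-excluded":
        return user                       # domain stripped for every user
    if mode == "domain-excluded-except-eap":
        return typed if eap else user     # EAP users keep the name as typed
    raise ValueError(f"unknown user-name mode {mode!r}")
```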
NOTE
The security string delimiter can also be configured in the authentication profile view. If
the security string delimiter is configured in both the AAA view and authentication profile
view, the device preferentially uses the configuration in the authentication profile, which
applies only to wireless users.
Step 8 (Optional) Specify a permitted domain for wireless users. (This step applies only to
wireless users.)
● Run quit
Return to the system view.
● Run authentication-profile name authentication-profile-name
Create an authentication profile and enter the authentication profile view. By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure global default domains.
● Run domain domain-name
The global default common domain is configured.
● Run domain domain-name admin
The global default administrative domain is configured.
By default, two global default domains are available on the device: global default
common domain named default and global default administrative domain named
default_admin.
NOTE
The same domain name can be set for the global default common domain and global default
administrative domain.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name [ domain-index domain-index ]
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
By default, the default and default_admin domains are available on the device.
The default domain is used by common access users and the default_admin
domain is used by administrators.
The RADIUS accounting packet copy function is enabled, and a RADIUS server
template for level-2 accounting is configured.
NOTE
● Ensure that the IP address of the configured level-2 RADIUS accounting server is different
from that of the level-1 RADIUS accounting server (including the active/standby RADIUS
accounting server).
● Ensure that the level-2 RADIUS accounting server template configured in the domain is
different from the RADIUS server template for authentication and accounting in the domain.
If they are the same, the accounting-copy radius-server command cannot be configured and
the system displays an error message during the command configuration.
----End
NOTE
If the accounting function is not configured for MAC address authentication and 802.1X
authentication users, the RADIUS CoA/DM function does not take effect when the users
roam between ACs after going online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server authorization server-source { ip-address ip-address | all-
interface }
An IPv4 address used by the device to receive and respond to request packets of a
RADIUS authorization server is configured.
By default, the device does not receive or respond to request packets of a RADIUS
authorization server.
Step 3 Configure an authorization server.
● Configure the port number of the RADIUS authorization server.
  Run radius-server authorization port port-id
  By default, the port number of the RADIUS authorization server is 3799.
NOTE
In V200R020C10SPC100 and later versions, you must run both the radius-server session-
manage server-source and radius-server session-manage commands so that the session
management function of the RADIUS server can take effect.
By default, the device parses the MAC address in the calling-station-id attribute
carried in RADIUS dynamic authorization packets based on the MAC address
length, without considering the MAC address format and delimiter.
Table 1-34 lists the RADIUS attributes that can be configured in this step.
By default, the device supports the authorization attributes indicating that the
port goes Down intermittently or is disabled in CoA packets.
1. Run aaa
The AAA view is displayed.
2. Run authorization-modify mode { modify | overlay }
The update mode of user authorization information delivered by the
authorization server is configured.
By default, the update mode of user authorization information delivered by
the authorization server is overlay.
----End
Context
To use HWTACACS authentication, authorization, and accounting, set the
authentication mode in the authentication scheme, authorization mode in the
NOTE
Procedure
● Configure an authentication scheme.
a. Run system-view
The device is configured not to send accounting packets when the server
does not respond to a user's authentication request and the user then is
authenticated using the local authentication mode.
By default, when the accounting function is configured, the device does
not send accounting packets when the server does not respond to a
user's authentication request and the user then is authenticated using the
local authentication mode.
g. (Optional) Run authentication-super { hwtacacs | radius | super } *
[ none ]
The authentication mode for upgrading user levels is specified.
The default mode is super (local authentication).
h. Run quit
The AAA view is displayed.
i. (Optional) Configure the account locking function.
i. Run the access-user remote authen-fail retry-interval retry-interval
retry-time retry-time block-time block-time command to enable the
account locking function for access users who fail remote
authentication.
Or: run the administrator remote authen-fail retry-interval retry-
interval retry-time retry-time block-time block-time command to
enable the account locking function for administrators who fail
remote authentication.
By default, the account locking function is disabled for access users
who fail remote authentication, and the account locking function is
enabled for administrators who fail remote authentication. The
authentication retry interval is 5 minutes, the maximum number of
consecutive authentication failures is 30, and the account locking
period is 5 minutes.
ii. Run aaa-quiet administrator except-list { ipv4-address | ipv6-
address } &<1-32>
A user is configured to access the network using a specified IP
address if the user account is locked.
By default, a user cannot access the network if the user account is
locked.
You can run the display aaa-quiet administrator except-list
command to query the specified IP addresses.
iii. Run remote-user authen-fail unblock { all | username username }
A remote AAA authentication account that has failed authentication
is unlocked.
j. (Optional) Run security-name enable
The security string function is enabled.
By default, the security string function is enabled.
k. (Optional) Run security-name-delimiter delimiter
A security string delimiter is set.
The direction in which the user name and domain name are parsed is
specified.
By default, local authorization is used. The names of local users are case-
insensitive.
g. Run quit
----End
Context
When configuring an HWTACACS server template, you must specify the IP address,
port number, and shared key of a specified HWTACACS server. Other settings, such
as the HWTACACS user name format and traffic unit, have default values and can
be modified based on network requirements.
The HWTACACS server template settings such as the HWTACACS user name
format and shared key must be the same as those on the HWTACACS server.
Procedure
Step 1 Run system-view
HWTACACS is enabled.
IPv4 and IPv6 servers are configured at the same time in the same HWTACACS server template.
The order for selecting servers is as follows: primary IPv4 server -> primary IPv6 server -> secondary
IPv4 server -> secondary IPv6 server -> third IPv4 server -> third IPv6 server -> fourth IPv4 server ->
fourth IPv6 server.
● Configure an HWTACACS authentication server.
  Run hwtacacs-server authentication { ipv4-address | ipv6-address } [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third | fourth ]
  By default, no HWTACACS authentication server is configured.
● Configure an HWTACACS authorization server.
  Run hwtacacs-server authorization { ipv4-address | ipv6-address } [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third | fourth ]
  By default, no HWTACACS authorization server is configured.
● Configure an HWTACACS accounting server.
  Run hwtacacs-server accounting { ipv4-address | ipv6-address } [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third | fourth ]
  By default, no HWTACACS accounting server is configured.
Step 5 Set parameters for interconnection between the device and an HWTACACS server.
Step 6 (Optional) Set the response timeout interval and activation interval for the
HWTACACS server.
● Set the interval at which the primary HWTACACS server restores to the active state.
  Run hwtacacs-server timer quiet interval
  The default interval at which the primary HWTACACS server restores to the active state is 5 minutes.
NOTE
To ensure device security, you are advised to frequently change the password.
----End
Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.
NOTE
When the device is switched to the NAC common mode, only the administrator level, number of
users who can access the network using the same user name, and redirection ACL can be
configured in the service scheme.
Procedure
Step 1 Run system-view
The user is configured as the administrator and the administrator level for login is
specified.
The value range of level is from 0 to 15. By default, the user level is not specified.
● Configure the IP address of the primary DNS server.
  Run dns ip-address
  By default, no primary DNS server is configured in a service scheme.
● Configure the IP address of the secondary DNS server.
  Run dns ip-address secondary
  By default, no secondary DNS server is configured in a service scheme.
NOTE
The ipv6 parameter is supported only by the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1,
S300, S5735-L, S5735S-L, S5735S-L-M, S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI,
S6735-S, and S6720S-EI.
Only wired users support IPv6 ACL redirection.
NOTE
The idle-cut command configured in the service scheme view takes effect only for wireless
users.
NOTE
Only users who are successfully authenticated support the configurations for limiting the
number of access users based on the same user name, and pre-connection users do not support
such configurations.
This command does not take effect in inter-AC roaming scenarios.
Only the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M,
S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6735-S, and S6720S-EI support the ipv6
parameter.
Before running this command, ensure that an ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.
The priorities of the following access policies are in descending order:
ACL number delivered by the RADIUS server > ACL number configured on the local device
> ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-
Filter numbered 26-82 > UCL group index delivered by the RADIUS server > UCL group
configured on the local device
IPv6 ACL authorization and IPv4 ACL authorization have the same priority. Therefore,
according to the preceding priority, when the server delivers the IPv4 ACL number, the
locally configured IPv6 ACL number does not take effect.
2. Run ucl-group { group-index | name group-name }
A UCL group is bound to the service scheme.
By default, no UCL group is bound to a service scheme.
Before running this command, ensure that a UCL group that identifies the
user category has been created and configured.
3. Run user-vlan vlan-id
A user VLAN is configured in the service scheme.
By default, no user VLAN is configured in a service scheme.
Before running this command, ensure that a VLAN has been created using the
vlan command.
4. Run voice-vlan
The voice VLAN function is enabled in the service scheme.
By default, the voice VLAN function is disabled in a service scheme.
For this configuration to take effect, ensure that a VLAN has been specified as
the voice VLAN using the voice-vlan enable command and the voice VLAN
function has been enabled on the interface.
5. Run qos-profile profile-name
A QoS profile is bound to the service scheme.
By default, no QoS profile is bound to a service scheme.
NOTE
▪ Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]
{ inbound | outbound }
Traffic policing is configured in the QoS profile.
By default, traffic policing is not configured in a QoS profile.
If both remark dscp dscp-value and voice-vlan remark dscp dscp-value are
configured, the DSCP priority of the former is higher.
By default, the action of re-marking DSCP priorities of IP packets is
not configured in a QoS profile.
Only the S5731-S, S5731S-S, S5731-H, and S5731S-H support the HQoS
scheduling.
6. Run sac-profile profile-name
An SAC profile is bound to the service scheme.
By default, no SAC profile is bound to a service scheme.
NOTE
For details about authorization HQoS configuration and guidelines, see Configuring a
Subscriber Queue.
Before running this command, ensure that an SAC profile has been
configured. To configure an SAC profile, perform the following operations:
a. Run sac-profile name profile-name
An SAC profile is created and the SAC profile view is displayed; or the
existing SAC profile view is displayed.
----End
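The following is an added example, not taken from the original guide, that strings the service scheme steps above into one working authorization profile for a domain of contractor users: DNS servers, a user VLAN, a UCL group, and a QoS profile with traffic policing are bound to the scheme, and the scheme is then applied to a domain. The names contractor-svc, contractors and guest-1m, VLAN 100 and the DNS addresses are placeholders. The commands that create a service scheme (service-scheme), a UCL group (ucl-group name) and a QoS profile (qos-profile name) are not shown on this page and are assumed from the product command reference; the prompts are illustrative. Lines beginning with # are explanatory comments, not commands.

```vrp
# Added example: service scheme for contractor users (placeholders: VLAN 100,
# DNS 10.1.1.53/10.1.1.54, names contractor-svc, contractors, guest-1m).
<HUAWEI> system-view
# The VLAN must exist before user-vlan can reference it.
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
# Assumed syntax: the UCL group that identifies the user category must exist
# before it can be bound to the scheme.
[HUAWEI] ucl-group name contractors
# Assumed syntax for creating the QoS profile; car is the command from this page.
[HUAWEI] qos-profile name guest-1m
[HUAWEI-qos-guest-1m] car cir 1024 inbound
[HUAWEI-qos-guest-1m] car cir 1024 outbound
[HUAWEI-qos-guest-1m] quit
[HUAWEI] aaa
# Assumed syntax for creating the service scheme.
[HUAWEI-aaa] service-scheme contractor-svc
[HUAWEI-aaa-service-contractor-svc] dns 10.1.1.53
[HUAWEI-aaa-service-contractor-svc] dns 10.1.1.54 secondary
[HUAWEI-aaa-service-contractor-svc] user-vlan 100
[HUAWEI-aaa-service-contractor-svc] ucl-group name contractors
[HUAWEI-aaa-service-contractor-svc] qos-profile guest-1m
[HUAWEI-aaa-service-contractor-svc] quit
# The scheme takes effect only once it is applied to a domain.
[HUAWEI-aaa] domain contractors
[HUAWEI-aaa-domain-contractors] service-scheme contractor-svc
[HUAWEI-aaa-domain-contractors] quit
[HUAWEI-aaa] quit
[HUAWEI] display service-scheme name contractor-svc
[HUAWEI] display domain name contractors
```

Keep in mind the access policy priority given above: an ACL number delivered by the RADIUS server outranks anything configured locally in the scheme, and a UCL group configured locally has the lowest priority, so a locally bound UCL group is a baseline that server-delivered authorization can override.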
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run recording-scheme recording-scheme-name
A recording scheme is created and the recording scheme view is displayed.
By default, no recording scheme is configured on the device.
Step 4 Run recording-mode hwtacacs template-name
The recording scheme is associated with the HWTACACS server template.
By default, a recording scheme is not associated with any HWTACACS server
template.
Step 5 Run quit
The AAA view is displayed.
Step 6 Run cmd recording-scheme recording-scheme-name
A policy is configured to record the commands that have been executed on the
device.
By default, the commands used on the device are not recorded.
Step 7 Run outbound recording-scheme recording-scheme-name
----End
Context
The created authentication scheme, authorization scheme, accounting scheme,
and HWTACACS server template are in effect only when they are applied to a
domain.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name [ domain-index domain-index ]
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
The device has two default domains:
● default: Used by common access users
● default_admin: Used by administrators
NOTE
● If a user enters a user name that does not contain a domain name, the user is authenticated
in the default domain. In this case, you need to run the domain domain-name [ admin ]
command and set domain-name to configure a global default domain on the device.
● If a user enters a user name that contains a domain name during authentication, the user
must enter the correct value of domain-name.
● Apply an authorization scheme to the domain.
  Run authorization-scheme authorization-scheme-name
  By default, no authorization scheme is applied to a domain.
Step 5 Apply a service scheme and an HWTACACS server template to the domain.
● (Optional) Apply a service scheme to the domain.
  Run service-scheme service-scheme-name
  By default, no service scheme is applied to a domain.
● Apply an HWTACACS server template to the domain.
  Run hwtacacs-server template-name
  By default, no HWTACACS server template is applied to a domain.
AAA view:
● Exit from the domain view.
  Run quit
● Specify the domain name parsing direction.
  Run domainname-parse-direction { left-to-right | right-to-left }
  The domain name can be parsed from left to right, or from right to left. By default, the domain name is parsed from left to right.
● Set the domain name delimiter.
  Run domain-name-delimiter delimiter
  A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.
● Specify the domain name location.
  Run domain-location { after-delimiter | before-delimiter }
  The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.
● Set the security string delimiter.
  Run security-name-delimiter delimiter
  By default, the security string delimiter is * (asterisk).
Authentication profile view:
● Exit from the AAA view.
  Run quit
● Create an authentication profile and enter the authentication profile view.
  Run authentication-profile name authentication-profile-name
  By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.
● Specify the domain name parsing direction.
  Run domainname-parse-direction { left-to-right | right-to-left }
  The domain name can be parsed from left to right, or from right to left. By default, the domain name parsing direction is not specified.
● Set the domain name delimiter.
  Run domain-name-delimiter delimiter
  A domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, no domain name delimiter is set.
● Specify the domain name location.
  Run domain-location { after-delimiter | before-delimiter }
  By default, the domain name location is not specified.
● Set the security string delimiter.
  Run security-name-delimiter delimiter
  By default, no security string delimiter is set.
Step 9 (Optional) Specify a permitted domain for wireless users. (This step applies only to
wireless users.)
● Return to the system view.
  Run quit
● Create an authentication profile and enter the authentication profile view.
  Run authentication-profile name authentication-profile-name
  By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.
----End
Procedure
● Run the display aaa configuration command to check the AAA summary.
● Run the display authentication-scheme [ authentication-scheme-name ]
command to verify the authentication scheme configuration.
● Run the display authorization-scheme [ authorization-scheme-name ]
command to verify the authorization scheme configuration.
● Run the display accounting-scheme [ accounting-scheme-name ] command
to verify the accounting scheme configuration.
● Run the display recording-scheme [ recording-scheme-name ] command to
verify the recording scheme configuration.
● Run the display service-scheme [ name name ] command to verify the
service scheme configuration.
● Run the display hwtacacs-server template [ template-name ] command to
verify the HWTACACS server template configuration.
● Run the display hwtacacs-server template template-name verbose
command to check statistics about HWTACACS authentication, accounting,
and authorization.
● Run the display hwtacacs-server accounting-stop-packet { all | number | ip
{ ipv4-address | ipv6-address } } command to verify information about
accounting-stop packets of the HWTACACS server.
● Run the display domain [ name domain-name ] command to verify the
domain configuration.
● Run the display aaa statistics access-type-authenreq command to display
the number of authentication requests.
● Run the display access-user user-name-table statistics { all | username
username } command to check statistics on users who are allowed to access
the network using the user name.
----End
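The following is an added, end-to-end example that is not part of the original guide. It strings the HWTACACS procedures above together: authentication, authorization and accounting schemes, an HWTACACS server template with a primary and a secondary authentication server, a recording scheme for executed commands, administrator account locking with a management-station exception, the binding of all of this to a domain, and the checks to run afterwards. The addresses 10.1.1.10, 10.1.1.11 and 10.1.1.100, the shared key Huawei@123 and the names tacacs1, tac-auth, tac-author, tac-acct, rec1 and corp are placeholders. The commands hwtacacs enable, hwtacacs-server template, hwtacacs-server shared-key cipher, hwtacacs-server user-name domain-included, authentication-mode hwtacacs local, authorization-mode hwtacacs and accounting-mode hwtacacs are not shown on this page and are assumed from the product command reference; the prompts are illustrative. Lines beginning with # are explanatory comments, not commands.

```vrp
# Added example: HWTACACS-based AAA for administrators, bound to the domain corp.
<HUAWEI> system-view
# Assumed commands (not on this page): enable HWTACACS and create the template.
[HUAWEI] hwtacacs enable
[HUAWEI] hwtacacs-server template tacacs1
# Servers are selected primary -> secondary -> third -> fourth (IPv4 before IPv6 at each rank).
[HUAWEI-hwtacacs-tacacs1] hwtacacs-server authentication 10.1.1.10 49
[HUAWEI-hwtacacs-tacacs1] hwtacacs-server authentication 10.1.1.11 49 secondary
[HUAWEI-hwtacacs-tacacs1] hwtacacs-server authorization 10.1.1.10 49
[HUAWEI-hwtacacs-tacacs1] hwtacacs-server accounting 10.1.1.10 49
# Assumed commands: the shared key and user name format must match the HWTACACS server.
[HUAWEI-hwtacacs-tacacs1] hwtacacs-server shared-key cipher Huawei@123
[HUAWEI-hwtacacs-tacacs1] hwtacacs-server user-name domain-included
# Default is 5 minutes; set explicitly so the fail-back time is documented in the config.
[HUAWEI-hwtacacs-tacacs1] hwtacacs-server timer quiet 5
[HUAWEI-hwtacacs-tacacs1] quit
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme tac-auth
# Assumed command: HWTACACS first; local is consulted only when no server responds,
# so local administrator accounts still need strong passwords.
[HUAWEI-aaa-authen-tac-auth] authentication-mode hwtacacs local
# Level upgrade: ask HWTACACS, fall back to the local super password.
[HUAWEI-aaa-authen-tac-auth] authentication-super hwtacacs super
[HUAWEI-aaa-authen-tac-auth] quit
[HUAWEI-aaa] authorization-scheme tac-author
# Assumed command.
[HUAWEI-aaa-author-tac-author] authorization-mode hwtacacs
[HUAWEI-aaa-author-tac-author] quit
[HUAWEI-aaa] accounting-scheme tac-acct
# Assumed command.
[HUAWEI-aaa-accounting-tac-acct] accounting-mode hwtacacs
[HUAWEI-aaa-accounting-tac-acct] quit
# Record every executed command on the HWTACACS server.
[HUAWEI-aaa] recording-scheme rec1
[HUAWEI-aaa-recording-rec1] recording-mode hwtacacs tacacs1
[HUAWEI-aaa-recording-rec1] quit
[HUAWEI-aaa] cmd recording-scheme rec1
# Account locking for administrators who fail remote authentication: the default
# allows 30 consecutive failures in 5 minutes; tighten to 5 failures and a 15-minute lock.
[HUAWEI-aaa] administrator remote authen-fail retry-interval 5 retry-time 5 block-time 15
# Management station that may still log in while an account is locked.
[HUAWEI-aaa] aaa-quiet administrator except-list 10.1.1.100
# Bind the schemes and the template to the domain; they take effect only here.
[HUAWEI-aaa] domain corp
[HUAWEI-aaa-domain-corp] authentication-scheme tac-auth
[HUAWEI-aaa-domain-corp] authorization-scheme tac-author
[HUAWEI-aaa-domain-corp] accounting-scheme tac-acct
[HUAWEI-aaa-domain-corp] hwtacacs-server tacacs1
[HUAWEI-aaa-domain-corp] quit
# User names of the form user@corp select the domain corp (defaults, stated explicitly).
[HUAWEI-aaa] domainname-parse-direction left-to-right
[HUAWEI-aaa] domain-name-delimiter @
[HUAWEI-aaa] domain-location after-delimiter
[HUAWEI-aaa] quit
# Administrators who log in without a domain in the user name now land in corp
# rather than in default_admin (local authentication).
[HUAWEI] domain corp admin
# Verification.
[HUAWEI] display aaa configuration
[HUAWEI] display hwtacacs-server template tacacs1
[HUAWEI] display hwtacacs-server template tacacs1 verbose
[HUAWEI] display recording-scheme rec1
[HUAWEI] display domain name corp
```

Two points to check before leaving the session: first, confirm with display domain name corp that all three schemes and the template are bound, because a scheme that is created but not applied to the domain has no effect; second, keep a console session open while testing, since the global default administrative domain now routes every login without an explicit domain to the HWTACACS servers, and the quiet timer decides how long a failed primary server stays out of rotation.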
Similar to the RADIUS protocol, the HACA protocol uses the client/server model to
authenticate access users.
Configuration Procedure
Context
When HACA authentication and authorization are used, the authentication and
authorization information must be configured on the HACA server.
When a user requests to access the Internet, the access device forwards
authentication information to the HACA server. The HACA server then decides
whether to allow the user to pass based on the configured information. If the user
is allowed, the HACA server sends an access-accept message carrying
authorization information to the access device. The access device then authorizes
network access rights to the user according to the access-accept message.
Procedure
Configure the HACA server according to the HACA server documentation.
Context
If HACA authentication and authorization are used, set the authentication mode in
the authentication scheme to HACA and the accounting mode in an accounting
scheme to HACA.
NOTE
Procedure
● Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme scheme-name
An authentication scheme is created and its view is displayed, or the view
of an existing authentication scheme is displayed.
By default, two authentication schemes named default and radius are
available on the device. The two authentication schemes can be modified
but not deleted.
d. Run authentication-mode haca
The authentication method is set to HACA.
By default, local authentication is used. The names of local users are
case-insensitive.
To use local authentication as the backup authentication mode, run the
authentication-mode haca { local | local-case } command to configure
local authentication.
NOTE
Context
In an HACA server template, you must specify the server IP address and port
number. Other settings such as the HACA user name format and HACA server
response timeout interval have default values and can be changed based on
network requirements.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run haca-server template template-name
An HACA server template is created and its view is displayed.
By default, no HACA server template is created.
Step 3 Run haca-server server-address ip-address [ port ] pki-realm-name
The IP address and port number of the HACA server are configured.
By default, the IP address and port number of the HACA server are not configured
on the device.
Step 4 Run the following commands as required:
● To add the domain name to the user name in the packets sent to the HACA
server, run the haca-server user-name domain-included command.
● To retain the original user name in the packets sent to the HACA server, run
the haca-server user-name original command.
By default, the device does not modify the user name entered by the user in the
packets sent to the HACA server.
Step 5 Run haca-server source-ip ip-address
The source IP address is specified for HACA packets.
By default, no source IP address is specified for HACA packets. The device uses the
IP address of the actual outbound interface as the source IP address of HACA
packets.
Step 6 (Optional) Run haca-server timer response-timeout interval
The response timeout interval for the HACA server is set.
By default, the response timeout interval for the HACA server is 5 seconds.
Step 7 (Optional) Run haca-server timer down-delay interval
The delay after which an HACA server is disconnected is set.
By default, the delay after which an HACA server is disconnected is 30 seconds.
Step 8 (Optional) Run haca-server timer reconnection interval
The interval for reconnecting to the HACA server is set.
By default, the interval for reconnecting to the HACA server is 1 minute.
Step 9 (Optional) Run haca-server timer heart-beat interval
The interval for sending heartbeat packets is set.
By default, the interval for sending heartbeat packets is 5 minutes.
Step 10 (Optional) Run haca-server timer register-sync interval
The device is configured to send HACA registration synchronization packets to
iMaster NCE-Campus.
By default, a device sends HACA registration synchronization packets to iMaster
NCE-Campus at an interval of 15 minutes.
Step 11 (Optional) Run haca-server accounting-stop-packet resend [ resend-times ]
Retransmission of accounting-stop packets is enabled, and the number of
accounting-stop packets that can be retransmitted is set.
By default, retransmission of accounting-stop packets is enabled, and three
accounting-stop packets can be retransmitted.
Step 12 Run haca enable
HACA is enabled.
By default, HACA is disabled.
Step 13 Run quit
Return to the system view.
The interval for synchronizing user information to the HACA server is set.
By default, the interval for synchronizing user information to the HACA server is
10 minutes.
----End
Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.
NOTE
When the device is switched to the NAC common mode, only the administrator level, number of
users who can access the network using the same user name, and redirection ACL can be
configured in the service scheme.
Procedure
Step 1 Run system-view
The user is configured as the administrator and the administrator level for login is
specified.
The value range of level is from 0 to 15. By default, the user level is not specified.
Configure
the IP
address of
By default, no primary DNS server
the dns ip-address
is configured in a service scheme.
primary
DNS
server.
Configure
the IP
address of By default, no secondary DNS
the dns ip-address secondary server is configured in a service
secondary scheme.
DNS
server.
NOTE
The ipv6 parameter is supported only by the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1,
S300, S5735-L, S5735S-L, S5735S-L-M, S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI,
S6735-S, and S6720S-EI.
Only wired users support IPv6 ACL redirection.
NOTE
The idle-cut command configured in the service scheme view takes effect only for wireless
users.
NOTE
Only users who are successfully authenticated support the configurations for limiting the
number of access users based on the same user name, and pre-connection users do not support
such configurations.
This command does not take effect in inter-AC roaming scenarios.
Only the S2730S-S, S5735-L-I, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M,
S500, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6735-S, and S6720S-EI support the ipv6
parameter.
Before running this command, ensure that an ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.
The priorities of the following access policies are in descending order:
ACL number delivered by the RADIUS server > ACL number configured on the local device
> ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-
Filter numbered 26-82 > UCL group index delivered by the RADIUS server > UCL group
configured on the local device
IPv6 ACL authorization and IPv4 ACL authorization have the same priority. Therefore,
according to the preceding priority, when the server delivers the IPv4 ACL number, the
locally configured IPv6 ACL number does not take effect.
2. Run ucl-group { group-index | name group-name }
A UCL group is bound to the service scheme.
By default, no UCL group is bound to a service scheme.
Before running this command, ensure that a UCL group that identifies the
user category has been created and configured.
3. Run user-vlan vlan-id
A user VLAN is configured in the service scheme.
By default, no user VLAN is configured in a service scheme.
Before running this command, ensure that a VLAN has been created using the
vlan command.
4. Run voice-vlan
The voice VLAN function is enabled in the service scheme.
By default, the voice VLAN function is disabled in a service scheme.
For this configuration to take effect, ensure that a VLAN has been specified as
the voice VLAN using the voice-vlan enable command and the voice VLAN
function has been enabled on the interface.
5. Run qos-profile profile-name
A QoS profile is bound to the service scheme.
By default, no QoS profile is bound to a service scheme.
NOTE
▪ Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]
{ inbound | outbound }
Traffic policing is configured in the QoS profile.
By default, traffic policing is not configured in a QoS profile.
If both remark dscp dscp-value and voice-vlan remark dscp dscp-value are
configured, the DSCP priority of the former is higher.
By default, the action of re-marking DSCP priorities of IP packets is
not configured in a QoS profile.
Only the S5731-S, S5731S-S, S5731-H, and S5731S-H support the HQoS
scheduling.
6. Run sac-profile profile-name
An SAC profile is bound to the service scheme.
By default, no SAC profile is bound to a service scheme.
NOTE
For details about authorization HQoS configuration and guidelines, see Configuring a
Subscriber Queue.
Before running this command, ensure that an SAC profile has been
configured. To configure an SAC profile, perform the following operations:
a. Run sac-profile name profile-name
An SAC profile is created and the SAC profile view is displayed; or the
existing SAC profile view is displayed.
----End
Context
The created authentication scheme and HACA server template take effect only
after being applied to a domain.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
The device has two default domains named default and default_admin. The two
domains can be modified but not deleted.
Step 4 Run authentication-scheme authentication-scheme-name
An authentication scheme is applied to the domain.
By default, the authentication scheme named radius is applied to the default
domain, the authentication scheme named default is applied to the
default_admin domain, and the authentication scheme named radius is applied
to other domains.
Step 5 Run accounting-scheme accounting-scheme-name
An accounting scheme is applied to the domain.
By default, the accounting scheme named default is applied to a domain. In this
default accounting scheme, non-accounting is used and the real-time accounting
function is disabled.
Step 6 Run service-scheme service-scheme-name
----End
Procedure
● Run the display haca-server configuration [ template template-name ]
command to check the HACA server template configuration.
● Run the display haca-server statistics { all | message | packet
[ authentication | authorization | accounting | cut-notify | cut-request |
register | user-syn ] } [ template template-name ] command to check HACA
packet statistics.
● Run the display haca-server accounting-stop-packet all command to view
information about all accounting-stop packets on the HACA server.
----End
Context
Enabling the recording of information related to normal logout, abnormal logout,
and login failure helps administrators locate and analyze problems.
Procedure
● Run the aaa offline-record command in the system view to record normal
logout information.
By default, the device is enabled to record normal logout information.
● Run the aaa abnormal-offline-record command in the system view to record
abnormal logout information.
By default, the device is enabled to record abnormal logout information.
● Run the aaa online-fail-record command in the system view to record login
failure information.
By default, the device is enabled to record login failure information.
----End
Follow-up Procedure
● Run the display aaa { offline-record | abnormal-offline-record | online-fail-
record } { all | reverse-order | domain domain-name | interface interface-
type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-
address [ vpn-instance vpn-instance-name ] | mac-address mac-address |
access-slot slot-number | time start-time end-time [ date start-date end-
date ] | username user-name [ time start-time end-time [ date start-date
end-date ] ] } [ brief ] command to check normal logout, abnormal logout,
and login failure records.
● Run the display aaa statistics offline-reason command in any view to check
the reasons for users to go offline.
Context
You can force online users to go offline by specifying the domain name or
interface. This function is applicable to situations such as when the online users
are unauthorized, the number of online users reaches the maximum, or the AAA
configurations are modified. For example, when you modify the AAA
configurations of online users, the new AAA configurations take effect on these
users only after you force them to go offline.
NOTE
● If you delete the AAA configuration of online users, the users may be forced to go offline.
Procedure
● Run the cut access-user { domain domain-name | interface interface-type
interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address
[ vpn-instance vpn-instance-name ] | mac-address mac-address | access-slot
slot-id | user-id begin-number [ end-number ] | username user-name } or cut
access-user access-type { admin [ ftp | ssh | telnet | terminal | web ] |
ppp } [ username user-name ] command in the AAA view to disconnect one
or more sessions. After a session of a user is disconnected, the user is forced
to go offline.
● Run the cut access-user ssid ssid-name (supported by S5731-H, S5731S-H,
S6730S-H, S5732-H, and S6730-H) command in the AAA view to disconnect
one or more sessions based on SSIDs. After a session of a user is
disconnected, the user is forced to go offline.
● Run the cut access-user ucl-group { group-index | name group-name }
command in the AAA view to force UCL group users offline.
----End
Prerequisites
RADIUS authentication or accounting is configured.
Context
Test whether a user can pass RADIUS authentication or accounting, helping the
administrator locate faults.
Procedure
● Run the test-aaa user-name user-password radius-template template-name
[ chap | pap ] command in any view to test whether a specified user can pass
RADIUS authentication.
● Run the test-aaa user-name user-password radius-template template-name
[ accounting [ start | realtime | stop ] ] command in any view to check
whether RADIUS accounting can be performed for a specified user.
----End
Follow-up Procedure
● The test-aaa command returns an account test timeout message.
RADIUS authentication test for a single user times out.
<HUAWEI> test-aaa user1 test123 radius-template test
Info: Account test time out.
RADIUS accounting test for a single user times out.
<HUAWEI> test-aaa user1 test123 radius-template test accounting
Info: Account test time out.
– The possible causes are as follows:
▪ The NAS-IP in the RADIUS server template is different from the NAS-IP configured
on the RADIUS server.
▪ When the controller functions as the RADIUS server, run the netstat
-nao | findstr 1812 and netstat -nao | findstr 1813 commands on
the server to check whether the port is used by another program. If
so, close the program that uses the port.
▪ Run the display this command in the AAA view to check whether
the user authentication or accounting domain is the same as the
RADIUS authentication or accounting domain configured on the
device.
○ When the user name entered by the user contains a domain
name, check whether RADIUS authentication or accounting has
been configured in the domain. If not, configure RADIUS
authentication or accounting in the domain.
○ When the user name entered by the user does not contain a
domain name, check whether RADIUS authentication or
accounting has been configured in the global default domain
(administrator uses default_admin and common users use
default). If not, configure RADIUS authentication or accounting
in the domain.
▪ Run the display this command in the AAA view to check whether
the AAA authentication or accounting scheme and RADIUS server
template have been applied to the domain. If not, apply the AAA
authentication or accounting scheme and RADIUS server template to
the domain.
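The test-aaa command above sends a RADIUS Access-Request for a single user with either PAP or CHAP credentials, and the first two timeout causes listed (NAS-IP mismatch, shared key) are only visible once you know what that request carries. The following is an added example, not Huawei code or the device's test-aaa implementation: it builds an RFC 2865 Access-Request with User-Name, NAS-IP-Address and either a hidden User-Password (PAP) or CHAP-Password/CHAP-Challenge, and a minimal server-side check. The shared key, user, password and NAS address are constructed sample values; identifying the NAS by the NAS-IP-Address attribute is a simplification for an offline example (a real server keys on the packet's source address), chosen so that the "unknown client is silently discarded" behaviour behind a test-aaa timeout can be shown.

```python
"""RADIUS Access-Request (RFC 2865) for PAP and CHAP, plus a minimal server check.
Added example; not Huawei code. Secret, user and NAS IP are constructed samples."""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3
ATTR_NAS_IP_ADDRESS = 4
ATTR_CHAP_CHALLENGE = 60


def _attr(attr_type: int, value: bytes) -> bytes:
    """One TLV attribute: type, total length (value + 2), value."""
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(secret: bytes, authenticator: bytes, password: str) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of hide_password; a wrong shared key yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, nas_ip, method="pap", authenticator=None):
    """Assemble the packet a NAS sends; 'authenticator' may be fixed for reproducible tests."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    if method == "pap":
        attrs += _attr(ATTR_USER_PASSWORD, hide_password(secret, ra, password))
    elif method == "chap":
        chap_id = ident & 0xFF
        challenge = os.urandom(16)   # sent alongside in CHAP-Challenge
        digest = hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()
        attrs += _attr(ATTR_CHAP_PASSWORD, bytes([chap_id]) + digest)
        attrs += _attr(ATTR_CHAP_CHALLENGE, challenge)
    else:
        raise ValueError("method must be 'pap' or 'chap'")
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_attrs(packet: bytes) -> dict:
    """Walk the TLV list after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_verify(secret, packet, user_db, known_clients):
    """Return 'accept', 'reject', or None when the server would silently discard the request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    ra = packet[4:20]
    attrs = parse_attrs(packet)
    nas_ip = str(ipaddress.IPv4Address(attrs.get(ATTR_NAS_IP_ADDRESS, b"\x00" * 4)))
    if nas_ip not in known_clients:
        return None   # unknown client: discarded without reply, so the NAS only sees a timeout
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", errors="replace")
    expected = user_db.get(user)
    if expected is None:
        return "reject"
    if ATTR_USER_PASSWORD in attrs:
        ok = reveal_password(secret, ra, attrs[ATTR_USER_PASSWORD]) == expected.encode()
    elif ATTR_CHAP_PASSWORD in attrs:
        chap = attrs[ATTR_CHAP_PASSWORD]
        challenge = attrs.get(ATTR_CHAP_CHALLENGE, ra)
        ok = chap[1:] == hashlib.md5(chap[:1] + expected.encode() + challenge).digest()
    else:
        ok = False
    return "accept" if ok else "reject"
```

A request from a NAS address the server does not know returns None here, which is the timeout case from the list above; a key mismatch with PAP comes back as a reject rather than a timeout, because the server can still parse the packet but recovers the wrong password.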
Context
You can configure the alarm report function, which helps you obtain real-time
running status of AAA (for example, the status of the communication with the
RADIUS server becomes Down) and facilitates O&M.
Procedure
Step 1 Run system-view
By default, the alarm report function is disabled for the RDS module.
----End
Context
NOTICE
The AAA statistics cannot be restored after being cleared. Clear AAA statistics with
caution.
Procedure
● Run the reset aaa { abnormal-offline-record | offline-record | online-fail-record }
command in the system view to clear records of abnormal logout, logout, and login
failures.
● Run the reset aaa statistics offline-reason command in any view to clear
the statistics on reasons why users go offline.
● Run the reset access-user statistics command in any view to clear the
statistics on access user authentication.
● Run the reset hwtacacs-server statistics { accounting | all | authentication
| authorization } command in the user view to clear the statistics on
HWTACACS authentication, accounting, and authorization.
● Run the reset hwtacacs-server accounting-stop-packet { all | ip { ipv4-address |
ipv6-address } } command in the user view to clear the statistics on HWTACACS
accounting-stop packets.
● Run the reset radius-server accounting-stop-packet { all | ip { ipv4-address |
ipv6-address } } command to clear remaining buffer information on RADIUS
accounting-stop packets.
● Run the reset local-user [ user-name ] password history record command in
the AAA view to clear historical passwords of local users.
● Run the reset aaa statistics access-type-authenreq command in any view to
clear the number of authentication requests.
----End
Networking Requirements
On the network shown in Figure 1-29, the network administrator of an enterprise
needs to remotely manage the device in an easy and secure manner. To achieve
this, local authentication can be configured for the administrator logging in
through Telnet. The requirements are as follows:
1. The administrator enters the correct user name and password to log in to the
device through Telnet.
2. After logging in to the device through Telnet, the administrator can run the
commands at levels 0-15.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Assign an IP address to the interface on the switch that is connected to the
management network.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.2.10 24
[Switch-Vlanif100] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet0/0/1] quit
NOTE
When the entered user name does not contain a domain name, the device authenticates the
user using the default management domain default_admin. By default, the default_admin
domain uses the authentication scheme default and accounting scheme default.
● Authentication scheme default: Uses the local authentication mode.
● Accounting scheme default: Uses the non-accounting mode.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100
#
telnet server enable
telnet server-source -i Vlanif 100
#
aaa
local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
local-user user1 privilege level 15
local-user user1 service-type telnet
#
interface Vlanif100
ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa protocol inbound telnet
#
return
Network Requirements
As shown in Figure 1-30, a RADIUS server is deployed on an enterprise network.
The enterprise requires that the administrator use RADIUS authentication and log
in to the device through STelnet.
1. The administrator can log in to the device through STelnet only after entering
a correct user name and password.
2. After the administrator logs in to the device through STelnet, the server
authorizes the privilege level 15 to the administrator, and the administrator
can execute all commands at levels 0 to 15.
3. If the link between the device and server is disconnected, the administrator
will be authenticated locally during a login to the device.
Configuration roadmap
1. Configure STelnet login on the switch: Set the authentication mode of
accessing VTY user interfaces to AAA, enable the STelnet service, and
configure the authentication mode and service type for SSH users.
2. Configure RADIUS authentication on the switch: Create a RADIUS server
template, configure an AAA scheme, and configure a global default
administrative domain.
3. Configure a local user on the switch: Configure a local user name, password,
and privilege level.
4. Configure a RADIUS server.
Precautions
● Ensure that there are reachable routes between devices.
● Ensure that the shared key in the RADIUS server template is the same as that
configured on the RADIUS server.
● If the login account is created on the switch but not on the RADIUS server,
RADIUS authentication will fail and local authentication will not be
performed. Local authentication will be performed only when the RADIUS
server is Down or does not respond.
● If the accounting mode is set to RADIUS in an accounting scheme, the
administrator will pass local authentication but fail to log in to the device
because starting accounting will fail after the link between the device and
server is disconnected. To prevent this problem, run the accounting start-fail
online command in the accounting scheme view to allow users to go online
after initial accounting fails.
● If the RADIUS server does not accept the user name containing the domain
name, run the undo radius-server user-name domain-included command in
the RADIUS server template view to configure the device to send packets that
do not contain the domain name to the RADIUS server.
● After the domain is set to the global default administrative domain, and the
user name of the administrator carries the domain name or does not carry
Procedure
Step 1 Configure STelnet login.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dsa local-key-pair create
Info: The key name will be: Switch_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
# Set the authentication mode and protocol for accessing VTY user interfaces 0 to
14 to AAA and SSH, respectively.
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] authentication-mode aaa
[Switch-ui-vty0-14] protocol inbound ssh
[Switch-ui-vty0-14] quit
# Set the authentication mode of all SSH users to password authentication and
the service type to STelnet.
[Switch] ssh authentication-type default password
NOTE
If the authentication mode and service type of only a few SSH users are password
authentication and STelnet respectively, you can specify the SSH user name to set the
authentication mode and service type of a single SSH user. For example, set the
authentication mode and service type of an SSH user with the user name admin to
password authentication and STelnet, respectively.
[Switch] ssh user admin authentication-type password
[Switch] ssh user admin service-type stelnet
# Configure an accounting scheme named acc1 and set the accounting mode to
RADIUS accounting.
[Switch-aaa] accounting-scheme acc1
[Switch-aaa-accounting-acc1] accounting-mode radius
[Switch-aaa-accounting-acc1] accounting start-fail online
[Switch-aaa-accounting-acc1] quit
# Apply the AAA authentication scheme and RADIUS server template to the
domain example.com.
[Switch-aaa] domain example.com
[Switch-aaa-domain-example.com] authentication-scheme sch1
[Switch-aaa-domain-example.com] accounting-scheme acc1
[Switch-aaa-domain-example.com] radius-server 1
[Switch-aaa-domain-example.com] quit
[Switch-aaa] quit
Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:15:02
User accounting session ID : Switch255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege :
AAA:
User authentication type : Administrator authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
● When the link between the switch and RADIUS server is disconnected, run the
display access-user username user-name detail command on the switch to
check information about the user user1.
In the command output, the values of User access type, User Privilege, User
authentication type, Current authentication method, Current
authorization method, and Current accounting method indicate that the
login mode is SSH, the privilege level is 15, the authentication type is
administrator authentication, and the authentication mode is local
authentication.
<Switch> display access-user username user1 detail
------------------------------------------------------------------------------
Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:20:02
User accounting session ID : Switch255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege :
AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
radius-server template 1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 10.1.6.6 1812 weight 80
radius-server accounting 10.1.6.6 1813 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius local
accounting-scheme acc1
accounting-mode radius
accounting start-fail online
domain example.com
authentication-scheme sch1
accounting-scheme acc1
radius-server 1
local-user user1 password irreversible-cipher $1a$&YTv-xg$H<$Rj=5*sUqT+0i<B<0lAELMMraNPQAp'cD1!N~mjNI$
local-user user1 privilege level 15
local-user user1 service-type ssh
#
user-interface vty 0 14
authentication-mode aaa
#
stelnet server enable
ssh server-source -i Vlanif 10
#
return
Network Requirements
As shown in Figure 1-31, an HWTACACS server is deployed on an enterprise
network. The enterprise requires that the administrator log in to the device
through STelnet.
1. The administrator can log in to the device through STelnet only after entering
a correct user name and password.
2. After the administrator logs in to the device through STelnet, the privilege
level 15 is authorized to the administrator.
3. If the link between the device and server is disconnected, the administrator
will be authenticated locally during a login to the device.
Configuration Roadmap
1. Configure STelnet login on the switch: Set the authentication mode of
accessing VTY user interfaces to AAA, enable the STelnet service, and
configure the authentication mode and service type for SSH users.
2. Configure HWTACACS authentication on the switch: Create an HWTACACS
server template, configure an AAA scheme, and configure a global default
administrative domain.
3. (Optional) Configure the mode in which the user privilege level is raised on
the switch.
4. Configure a local user on the switch.
5. Configure an HWTACACS server.
Precautions
● Ensure that there are reachable routes between devices.
● Ensure that the shared key in the HWTACACS server template is the same as
that configured on the HWTACACS server.
● If the login account is created on the switch but not on the HWTACACS server,
HWTACACS authentication will fail and local authentication will not be
performed. Local authentication will be performed only when the HWTACACS
server is Down or does not respond.
● If the accounting mode is set to HWTACACS in an accounting scheme, the
administrator will pass local authentication but fail to log in to the device
because starting accounting will fail after the link between the device and
server is disconnected. To prevent this problem, run the accounting start-fail
online command in the accounting scheme view to allow users to go online
after initial accounting fails.
● When you run the super command to change a user privilege level to a lower
level or the same level, no authentication is required. When you run the super
command to change a user privilege level to a higher level, authentication is
required. A user's privilege level can be raised only when the user is
authenticated successfully.
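The precautions above (here and in the RADIUS example before it) describe two behaviours that are easy to misread: with authentication-mode hwtacacs local (or radius local), local authentication is reached only when the server is Down or does not respond, never when the server rejects the user; and with a remote accounting mode, a user who passed local authentication is still cut off if accounting-start fails, unless accounting start-fail online is configured. The following is an added simulation of those rules, not Huawei code and not device output; the mode list, the server replies and the local user table are constructed inputs.

```python
"""Simulation of the 'authentication-mode <remote> local' fallback order and of
'accounting start-fail online', as the precautions describe them.
Added example: not Huawei code; outcomes are a model, not device output."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class ServerReply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # server reachable; account unknown or password wrong
    NO_RESPONSE = "no response"  # server Down, link broken, or request timed out


@dataclass
class AaaConfig:
    # Order matters: modes are tried in turn, as in 'authentication-mode hwtacacs local'
    authentication_modes: Tuple[str, ...] = ("hwtacacs", "local")
    accounting_mode: str = "hwtacacs"            # "hwtacacs", "radius" or "none"
    accounting_start_fail_online: bool = False   # 'accounting start-fail online' configured?


@dataclass
class LoginResult:
    online: bool
    authentication_method: Optional[str]
    reason: str


def authenticate(cfg: AaaConfig, username: str, password: str,
                 server_reply: ServerReply, local_users: Dict[str, str]):
    """Walk the mode list. Only NO_RESPONSE moves on to the next mode; a REJECT is final,
    so an account that exists only on the switch cannot get past a reachable server."""
    for mode in cfg.authentication_modes:
        if mode == "local":
            if local_users.get(username) == password:
                return True, "Local", "local authentication succeeded"
            return False, "Local", "local authentication failed"
        if server_reply is ServerReply.NO_RESPONSE:
            continue                               # fall through to the next mode
        if server_reply is ServerReply.ACCEPT:
            return True, mode.upper(), "remote authentication succeeded"
        return False, mode.upper(), "remote server rejected the user; local mode not tried"
    return False, None, "no authentication mode answered"


def start_accounting(cfg: AaaConfig, server_reply: ServerReply):
    """Accounting-start after successful authentication; the accounting server is
    assumed to be as reachable as the authentication server (same box, same link)."""
    if cfg.accounting_mode == "none":
        return True, "no accounting"
    if server_reply is not ServerReply.NO_RESPONSE:
        return True, "accounting started"
    if cfg.accounting_start_fail_online:
        return True, "accounting start failed, user kept online"
    return False, "accounting start failed, user not allowed online"


def login(cfg: AaaConfig, username: str, password: str,
          server_reply: ServerReply, local_users: Dict[str, str]) -> LoginResult:
    """Full login decision: authentication first, then accounting-start."""
    ok, method, reason = authenticate(cfg, username, password, server_reply, local_users)
    if not ok:
        return LoginResult(False, method, reason)
    acct_ok, acct_reason = start_accounting(cfg, server_reply)
    return LoginResult(acct_ok, method, reason + "; " + acct_reason)
```

Running login() with the default AaaConfig and a NO_RESPONSE server shows the trap the precaution warns about: local authentication succeeds, the method reported is Local, and the user is still not online until accounting_start_fail_online is set.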
Procedure
Step 1 Configure STelnet login.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dsa local-key-pair create
Info: The key name will be: Switch_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
# Set the authentication mode and protocol for accessing VTY user interfaces 0 to
14 to AAA and SSH, respectively.
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] authentication-mode aaa
# Set the authentication mode of all SSH users to password authentication and
the service type to STelnet.
[Switch] ssh authentication-type default password
NOTE
If the authentication mode and service type of only a few SSH users are password
authentication and STelnet respectively, you can specify the SSH user name to set the
authentication mode and service type of a single SSH user. For example, set the
authentication mode and service type of an SSH user with the user name admin to
password authentication and STelnet, respectively.
[Switch] ssh user admin authentication-type password
[Switch] ssh user admin service-type stelnet
# (Optional) Set the mode in which a user privilege level is raised to HWTACACS
Local.
[Switch-aaa-authen-sch1] authentication-super hwtacacs super
[Switch-aaa-authen-sch1] quit
# Configure an accounting scheme named sch3 and set the accounting mode to
HWTACACS accounting.
[Switch-aaa] accounting-scheme sch3
[Switch-aaa-accounting-sch3] accounting-mode hwtacacs
[Switch-aaa-accounting-sch3] accounting start-fail online
[Switch-aaa-accounting-sch3] quit
# Reference the HWTACACS server template and AAA schemes to the domain
example.com.
[Switch-aaa] domain example.com
[Switch-aaa-domain-example.com] hwtacacs-server template1
[Switch-aaa-domain-example.com] authentication-scheme sch1
[Switch-aaa-domain-example.com] authorization-scheme sch2
[Switch-aaa-domain-example.com] accounting-scheme sch3
[Switch-aaa-domain-example.com] quit
[Switch-aaa] quit
Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:15:02
User accounting session ID : example255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege : 10
AAA:
User authentication type : Administrator authentication
Current authentication method : HWTACACS
Current authorization method : HWTACACS
Current accounting method : HWTACACS
------------------------------------------------------------------------------
● When the link between the switch and HWTACACS server is disconnected, run
the display access-user username user-name detail command on the switch
to check information about the user user1.
In the command output, the values of User access type, User Privilege, User
authentication type, Current authentication method, Current
authorization method, and Current accounting method indicate that the
login mode is SSH, the privilege level is 15, the authentication type is
administrator authentication, the authentication and authorization modes are
local, and the accounting mode is HWTACACS.
<Switch> display access-user username user1 detail
------------------------------------------------------------------------------
Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:20:02
User accounting session ID : example255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege : 15
AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : HWTACACS
------------------------------------------------------------------------------
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
hwtacacs-server template template1
hwtacacs-server authentication 10.1.6.6
hwtacacs-server authorization 10.1.6.6
hwtacacs-server accounting 10.1.6.6
hwtacacs-server shared-key cipher %^%#)@1e81]jJP9}9O9|W>MT|TWbI,\rL4[.BT&@);rU%^%#
#
aaa
authentication-scheme sch1
authentication-mode hwtacacs local
authentication-super hwtacacs super
authorization-scheme sch2
authorization-mode hwtacacs local
accounting-scheme sch3
accounting-mode hwtacacs
accounting start-fail online
domain example.com
authentication-scheme sch1
accounting-scheme sch3
authorization-scheme sch2
hwtacacs-server template1
local-user user1 password irreversible-cipher $1a$&YTv-xg$H<$Rj=5*sUqT+0i<B<0lAELMMraNPQAp'cD1!N~mjNI$
local-user user1 privilege level 15
local-user user1 service-type ssh
#
user-interface vty 0 14
authentication-mode aaa
#
stelnet server enable
ssh server-source -i Vlanif 10
#
return
Networking Requirements
As shown in Figure 1-32, an HWTACACS server is deployed on an enterprise
network. The enterprise requires that the administrator log in to the device
through STelnet.
1. The administrator can log in to the device through STelnet only after entering
a correct user name and password.
2. After the administrator logs in to the device through STelnet, the privilege
level 15 is authorized to the administrator, the range of commands that the
administrator can execute is limited, and commands that the administrator
has executed are recorded.
3. If the link between the device and server is disconnected, the administrator
will be authenticated locally during a login to the device.
Configuration Roadmap
1. Configure STelnet login on the switch: Set the authentication mode of
accessing VTY user interfaces to AAA, enable the STelnet service, and
configure the authentication mode and service type for SSH users.
2. Configure HWTACACS authentication on the switch: Create an HWTACACS
server template, configure an AAA scheme, record the scheme, and enable
command authorization.
3. Configure a local user on the switch: Configure a local user name, password,
and privilege level.
4. Configure an HWTACACS server.
Precautions
● Ensure that there are reachable routes between devices.
● Ensure that the shared key in the HWTACACS server template is the same as
that configured on the HWTACACS server.
● If the login account is not created on the server but exists on the local host,
HWTACACS authentication is considered failed, and local authentication is not
performed. Local authentication will be performed only when the HWTACACS
server is Down or does not respond.
● If the accounting mode is set to HWTACACS in an accounting scheme, the
administrator will pass local authentication but fail to log in to the device
because starting accounting will fail after the link between the device and
server is disconnected. To prevent this problem, run the accounting start-fail
online command in the accounting scheme view to allow users to go online
after initial accounting fails.
● After an authorization scheme containing command authorization is applied in
the administrator view, executing the undo authorization-cmd command leaves the
administrator unable to execute any command except the quit command. In this
case, the administrator needs to log in again.
● When the authorization and command authorization modes are set to
hwtacacs local, HWTACACS authorization is still attempted first for each
command even if the link between the device and server is disconnected; local
authorization is performed only after the server fails to respond. As a result,
each command is delayed by the wait for the server.
● The device sends TACACS accounting packets to report the commands that
have been executed by administrators through SSH, Telnet, or web NMS
console. Therefore, a TACACS accounting server needs to be configured on the
device.
● The device can use TACACS authorization packets to authorize administrators
who log in through SSH or Telnet to run commands related to the HWTACACS
server. On the web NMS console, the commands that can be executed can be
controlled only based on the administrator privilege level, and HWTACACS
server authorization is not supported.
Procedure
Step 1 Configure STelnet login.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dsa local-key-pair create
Info: The key name will be: Switch_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
# Set the authentication mode and protocol for accessing VTY user interfaces 0 to
14 to AAA and SSH, respectively.
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] authentication-mode aaa
[Switch-ui-vty0-14] protocol inbound ssh
[Switch-ui-vty0-14] quit
# Set the authentication mode and service type of all SSH users to password
authentication and STelnet, respectively.
[Switch] ssh authentication-type default password
NOTE
If the authentication mode and service type of only a few SSH users are password
authentication and STelnet respectively, you can specify the SSH user name to set the
authentication mode and service type of a single SSH user. For example, set the
authentication mode and service type of an SSH user with the user name admin to
password authentication and STelnet, respectively.
[Switch] ssh user admin authentication-type password
[Switch] ssh user admin service-type stelnet
# Create an authentication scheme named sch1 and set the authentication mode
to HWTACACS+local authentication.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode hwtacacs local
[Switch-aaa-authen-sch1] quit
# Create an accounting scheme named sch3 and set the accounting mode to
HWTACACS accounting.
[Switch-aaa] accounting-scheme sch3
[Switch-aaa-accounting-sch3] accounting-mode hwtacacs
[Switch-aaa-accounting-sch3] accounting start-fail online
[Switch-aaa-accounting-sch3] quit
# Apply the HWTACACS server template and AAA scheme to the domain
example.com.
[Switch-aaa] domain example.com
[Switch-aaa-domain-example.com] hwtacacs-server template1
[Switch-aaa-domain-example.com] authentication-scheme sch1
[Switch-aaa-domain-example.com] authorization-scheme sch2
[Switch-aaa-domain-example.com] accounting-scheme sch3
[Switch-aaa-domain-example.com] quit
[Switch-aaa] quit
# Set the local account to user1, password to Example@123, and privilege level
to 15.
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Example@123
[Switch-aaa] local-user user1 service-type ssh
[Switch-aaa] local-user user1 privilege level 15
[Switch-aaa] return
Step 4 Configure an HWTACACS server. Here, the Secure ACS is used as an example.
You can check logs recording command execution successes and failures of all
users including non-HWTACACS-authenticated users under Reports and Activity
> TACACS+ Administration.
● When the link between the switch and server is working properly, run the
display access-user username user-name detail command on the switch to
check information about the user user1.
In the command output, the values of User access type, User Privilege, User
authentication type, Current authentication method, Current
authorization method, and Current accounting method indicate that the
login mode is SSH, the privilege level is 15, the authentication type is
administrator authentication, and the authentication, authorization, as well as
accounting modes are HWTACACS.
<Switch> display access-user username user1 detail
------------------------------------------------------------------------------
Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:15:02
User accounting session ID : example255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege : 15
AAA:
User authentication type : Administrator authentication
Current authentication method : HWTACACS
Current authorization method : HWTACACS
Current accounting method : HWTACACS
------------------------------------------------------------------------------
● After the administrator logs in to the switch, run the reset hwtacacs-server
statistics all command. The system displays the message "Error: Failed to
pass the authorization.", indicating that command authorization is in effect and
this command was not authorized for the user.
<Switch> reset hwtacacs-server statistics all
Error: Failed to pass the authorization.
● When the link between the switch and RADIUS server is disconnected, run the
display access-user username user-name detail command on the switch to
check information about the user user1.
In the command output, the values of User access type, User Privilege, User
authentication type, Current authentication method, Current
authorization method, and Current accounting method indicate that the
login mode is SSH, the privilege level is 15, the authentication type is
administrator authentication, the authentication and authorization modes are
local, and the accounting mode is HWTACACS.
<Switch> display access-user username user1 detail
------------------------------------------------------------------------------
Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:20:02
User accounting session ID : example255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege : 15
AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : HWTACACS
------------------------------------------------------------------------------
----End
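The verification steps in this example and in the RADIUS and HWTACACS examples before it all read the same display access-user username user-name detail output by eye. The following is an added example, not Huawei code: a parser for that output format and a check that flags administrator sessions whose authentication or authorization method is Local (which, per the precautions, means the server was Down or not responding) or whose accounting method is not the expected server. SAMPLE_OUTPUT is constructed after the page's output layout, and EXPECTED_REMOTE is an assumption about which server the domain should be using.

```python
"""Parser and check for 'display access-user username <name> detail' output.
Added example, not Huawei code; SAMPLE_OUTPUT is constructed after the page's
output format and EXPECTED_REMOTE is an assumption about the deployment."""
from typing import Dict, List

EXPECTED_REMOTE = "HWTACACS"   # assumed: the server the domain is meant to use

# Constructed sample: an administrator session that fell back to local auth/authz
SAMPLE_OUTPUT = """\
<Switch> display access-user username user1 detail
------------------------------------------------------------------------------
Basic:
User ID : 11
User name : user1
Domain-name : example.com
User MAC :-
User IP address : 10.1.1.10
User IPv6 address :-
User access time : 2019/07/10 09:20:02
User accounting session ID : example255255000000000f****2016009
Option82 information :-
User access type : SSH
User Privilege : 15
AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : HWTACACS
------------------------------------------------------------------------------
"""


def parse_access_user_detail(text: str) -> Dict[str, str]:
    """Turn 'Key : value' lines into a dict; a value of '-' means the field is empty."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<") or set(line) == {"-"}:
            continue                      # prompt line and separator rules
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            continue                      # 'Basic:' and 'AAA:' headers carry no value
        fields[key] = "" if value == "-" else value
    return fields


def audit_admin_session(fields: Dict[str, str],
                        expected_remote: str = EXPECTED_REMOTE) -> List[str]:
    """Flag administrator sessions whose AAA methods differ from the intended server."""
    findings: List[str] = []
    if fields.get("User authentication type") != "Administrator authentication":
        return findings                   # this check covers administrator sessions only
    user = fields.get("User name", "?")
    for key in ("Current authentication method", "Current authorization method"):
        if fields.get(key) == "Local":
            findings.append(f"{user}: {key} is Local; {expected_remote} server Down or not responding")
    acct = fields.get("Current accounting method", "")
    if acct != expected_remote:
        findings.append(f"{user}: accounting method is {acct or 'none'}, expected {expected_remote}")
    if not fields.get("User Privilege", "").isdigit():
        findings.append(f"{user}: no privilege level reported for the session")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_session(parse_access_user_detail(SAMPLE_OUTPUT)):
        print(finding)
```

Feeding the output of the "link working properly" case gives no findings; the "link disconnected" case yields one finding for authentication and one for authorization, which is the condition worth an alert when the server is not known to be under maintenance.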
Configuration Files
Switch configuration file
#
sysname Switch
#
hwtacacs-server template template1
hwtacacs-server authentication 10.1.6.6
hwtacacs-server authorization 10.1.6.6
hwtacacs-server accounting 10.1.6.6
hwtacacs-server shared-key cipher %^%#)@1e81]jJP9}9O9|W>MT|TWbI,\rL4[.BT&@);rU%^%#
#
aaa
authentication-scheme sch1
authentication-mode hwtacacs local
authorization-scheme sch2
authorization-mode hwtacacs local
authorization-cmd 15 hwtacacs local
accounting-scheme sch3
accounting-mode hwtacacs
accounting start-fail online
recording-scheme sch0
recording-mode hwtacacs template1
cmd recording-scheme sch0
domain example.com
authentication-scheme sch1
accounting-scheme sch3
authorization-scheme sch2
hwtacacs-server template1
local-user user1 password irreversible-cipher $1a$&YTv-xg$H<$Rj=5*sUqT+0i<B<0lAELMMraNPQAp'cD1!N~mjNI$
local-user user1 privilege level 15
local-user user1 service-type ssh
#
user-interface vty 0 14
authentication-mode aaa
#
stelnet server enable
ssh server-source -i Vlanif 10
#
return
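The configuration files in these examples carry the settings the precautions call out: an accounting scheme in radius or hwtacacs mode needs accounting start-fail online, the domain must reference schemes that exist, the VTY interfaces must use authentication-mode aaa, and a recording scheme that points at an HWTACACS template needs an accounting server in that template, because command records travel in TACACS accounting packets. The following is an added audit script, not Huawei code: it parses a configuration file in the flattened form shown on this page (indentation is ignored) and reports those four conditions. SAMPLE_CONFIG is constructed from the configuration file above with a placeholder in place of the password cipher.

```python
"""Audit of an AAA configuration file for the conditions the precautions name.
Added example, not Huawei code; SAMPLE_CONFIG is constructed after the page's
configuration file with a placeholder password cipher."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
#
sysname Switch
#
hwtacacs-server template template1
 hwtacacs-server authentication 10.1.6.6
 hwtacacs-server authorization 10.1.6.6
 hwtacacs-server accounting 10.1.6.6
 hwtacacs-server shared-key cipher PLACEHOLDER
#
aaa
 authentication-scheme sch1
  authentication-mode hwtacacs local
 authorization-scheme sch2
  authorization-mode hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme sch3
  accounting-mode hwtacacs
  accounting start-fail online
 recording-scheme sch0
  recording-mode hwtacacs template1
 cmd recording-scheme sch0
 domain example.com
  authentication-scheme sch1
  accounting-scheme sch3
  authorization-scheme sch2
  hwtacacs-server template1
 local-user user1 password irreversible-cipher PLACEHOLDER
 local-user user1 privilege level 15
 local-user user1 service-type ssh
#
user-interface vty 0 14
 authentication-mode aaa
#
stelnet server enable
#
return
"""

SCHEME_RE = re.compile(r"^(authentication|authorization|accounting|recording)-scheme (\S+)$")
MODE_RE = re.compile(r"^(authentication|authorization|accounting|recording)-mode (.+)$")


def parse_config(text: str) -> dict:
    """Collect schemes, domains, HWTACACS templates and the VTY authentication mode.
    Section changes are detected from keywords, so indentation does not matter."""
    cfg = {"schemes": {}, "domains": {}, "templates": {}, "vty_auth": None, "cmd_recording": None}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            section, current = None, None
            continue
        if line == "aaa":
            section = "aaa"
            continue
        m = re.match(r"^hwtacacs-server template (\S+)$", line)
        if m:
            section, current = "template", m.group(1)
            cfg["templates"][current] = set()
            continue
        if line.startswith("user-interface vty"):
            section = "vty"
            continue
        if section == "template":
            m = re.match(r"^hwtacacs-server (authentication|authorization|accounting) ", line)
            if m:
                cfg["templates"][current].add(m.group(1))
        elif section == "vty":
            m = re.match(r"^authentication-mode (\S+)", line)
            if m:
                cfg["vty_auth"] = m.group(1)
        elif section == "aaa":
            m = re.match(r"^cmd recording-scheme (\S+)$", line)
            if m:
                cfg["cmd_recording"] = m.group(1)
                continue
            m = SCHEME_RE.match(line)
            if m and current and current[0] == "domain":
                cfg["domains"][current[1]][m.group(1)] = m.group(2)   # reference inside a domain
                continue
            if m:
                current = ("scheme", m.group(1), m.group(2))           # scheme definition
                cfg["schemes"][current[1:]] = {"mode": None, "start_fail_online": False}
                continue
            m = re.match(r"^domain (\S+)$", line)
            if m:
                current = ("domain", m.group(1))
                cfg["domains"][m.group(1)] = {}
                continue
            if line.startswith("local-user"):
                current = None                                         # ends any domain block
                continue
            if current and current[0] == "scheme":
                scheme = cfg["schemes"][current[1:]]
                m = MODE_RE.match(line)
                if m:
                    scheme["mode"] = m.group(2)
                elif line == "accounting start-fail online":
                    scheme["start_fail_online"] = True
            elif current and current[0] == "domain":
                m = re.match(r"^(hwtacacs|radius)-server (\S+)$", line)
                if m:
                    cfg["domains"][current[1]]["server"] = m.group(2)
    return cfg


def audit(cfg: dict) -> List[str]:
    """Report the conditions the precautions describe."""
    findings: List[str] = []
    for (kind, name), s in cfg["schemes"].items():
        if kind == "accounting" and s["mode"] in ("radius", "hwtacacs") and not s["start_fail_online"]:
            findings.append(f"accounting-scheme {name}: {s['mode']} mode without 'accounting start-fail online'; "
                            "logins fail when the server is unreachable")
        if kind == "recording" and s["mode"] and s["mode"].startswith("hwtacacs "):
            tmpl = s["mode"].split()[1]
            if "accounting" not in cfg["templates"].get(tmpl, set()):
                findings.append(f"recording-scheme {name}: template {tmpl} has no accounting server; "
                                "command records cannot be reported")
    for dname, refs in cfg["domains"].items():
        for kind in ("authentication", "authorization", "accounting"):
            ref = refs.get(kind)
            if ref and (kind, ref) not in cfg["schemes"]:
                findings.append(f"domain {dname}: {kind}-scheme {ref} is not defined")
    if cfg["vty_auth"] != "aaa":
        findings.append(f"user-interface vty: authentication-mode is {cfg['vty_auth']!r}, expected aaa")
    return findings
```

The script reads the flattened form the page prints as well as an indented one, so it can be run over a saved display current-configuration dump before the HWTACACS server is taken down for maintenance.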
Networking Requirements
As shown in Figure 1-33, users belong to the domain huawei. Switch functions as
the network access server on the destination network, providing access to users
only after they are remotely authenticated by the server. The remote
authentication on Switch is described as follows:
● The RADIUS server will authenticate access users for Switch. If RADIUS
authentication fails, local authentication is used.
● The RADIUS servers at 10.7.66.66/24 and 10.7.66.67/24 function as the
primary and secondary authentication and accounting servers, respectively.
The default authentication port and accounting port are 1812 and 1813,
respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting
scheme to a domain.
Procedure
Step 1 Configure a RADIUS server template.
# Set the IP address and port numbers for the primary RADIUS authentication and
accounting server.
[Switch-radius-shiva] radius-server authentication 10.7.66.66 1812 weight 80
[Switch-radius-shiva] radius-server accounting 10.7.66.66 1813 weight 80
# Set the IP address and port numbers for the secondary RADIUS authentication
and accounting server.
[Switch-radius-shiva] radius-server authentication 10.7.66.67 1812 weight 40
[Switch-radius-shiva] radius-server accounting 10.7.66.67 1813 weight 40
# Set the shared key and retransmission count for the RADIUS server, and
configure the device not to encapsulate the domain name in the user name when
sending RADIUS packets to the RADIUS server.
[Switch-radius-shiva] radius-server shared-key cipher Example@2012
[Switch-radius-shiva] radius-server retransmit 2
[Switch-radius-shiva] undo radius-server user-name domain-included
[Switch-radius-shiva] quit
# Create an accounting scheme named abc, and configure the accounting scheme
to use the RADIUS accounting mode. Configure a policy for the device to keep
users online upon accounting-start failures.
[Switch-aaa] accounting-scheme abc
[Switch-aaa-accounting-abc] accounting-mode radius
[Switch-aaa-accounting-abc] accounting start-fail online
[Switch-aaa-accounting-abc] quit
Step 3 Create a domain named huawei, and apply the authentication scheme auth,
accounting scheme abc, and RADIUS server template shiva to the domain.
[Switch-aaa] domain huawei
[Switch-aaa-domain-huawei] authentication-scheme auth
[Switch-aaa-domain-huawei] accounting-scheme abc
[Switch-aaa-domain-huawei] radius-server shiva
[Switch-aaa-domain-huawei] quit
[Switch-aaa] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei
domain huawei admin
#
radius-server template shiva
radius-server shared-key cipher %^%#HN!rP_Lc1<+L+H/&YUzN]CBy;_09Z>9T5\.k{T1/%^%#
radius-server authentication 10.7.66.66 1812 weight 80
radius-server authentication 10.7.66.67 1812 weight 40
radius-server accounting 10.7.66.66 1813 weight 80
radius-server accounting 10.7.66.67 1813 weight 40
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme auth
authentication-mode radius local
accounting-scheme abc
accounting-mode radius
accounting start-fail online
domain huawei
authentication-scheme auth
accounting-scheme abc
radius-server shiva
local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
local-user user1 privilege level 15
local-user user1 service-type http
#
return
Networking Requirements
For the network shown in Figure 1-34, the customer requirements are as follows:
● The HWTACACS server will authenticate access users for Switch. If HWTACACS
authentication fails, local authentication is used.
● The HWTACACS server will authorize access users for Switch. If HWTACACS
authorization fails, local authorization is used.
● HWTACACS accounting is used by Switch for access users.
● Real-time accounting is performed every 3 minutes.
● The IP addresses of primary and secondary HWTACACS servers are
10.7.66.66/24 and 10.7.66.67/24, respectively. The port number for
authentication, accounting, and authorization is 49.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enable HWTACACS.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] hwtacacs enable
# Set the IP addresses and port numbers for the primary HWTACACS
authentication, authorization, and accounting servers.
[Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.66 49
[Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.66 49
[Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.66 49
# Set the IP addresses and port numbers for the secondary HWTACACS
authentication, authorization, and accounting servers.
[Switch-hwtacacs-ht] hwtacacs-server authentication 10.7.66.67 49 secondary
[Switch-hwtacacs-ht] hwtacacs-server authorization 10.7.66.67 49 secondary
[Switch-hwtacacs-ht] hwtacacs-server accounting 10.7.66.67 49 secondary
Step 4 Create a domain named huawei, and apply the authentication scheme l-h,
authorization scheme hwtacacs, accounting scheme hwtacacs, and the
HWTACACS server template ht to the domain.
[Switch-aaa] domain huawei
[Switch-aaa-domain-huawei] authentication-scheme l-h
[Switch-aaa-domain-huawei] authorization-scheme hwtacacs
[Switch-aaa-domain-huawei] accounting-scheme hwtacacs
[Switch-aaa-domain-huawei] hwtacacs-server ht
[Switch-aaa-domain-huawei] quit
[Switch-aaa] quit
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : l-h
Accounting-scheme-name : hwtacacs
Authorization-scheme-name : hwtacacs
Service-scheme-name :-
RADIUS-server-template : default
HWTACACS-server-template : ht
User-group :-
Push-url-address :-
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei admin
#
hwtacacs-server template ht
hwtacacs-server authentication 10.7.66.66
hwtacacs-server authentication 10.7.66.67 secondary
hwtacacs-server authorization 10.7.66.66
hwtacacs-server authorization 10.7.66.67 secondary
hwtacacs-server accounting 10.7.66.66
hwtacacs-server accounting 10.7.66.67 secondary
hwtacacs-server shared-key cipher %^%#VznDEFI11##ZC>1@:=xUO^!OP~*<c1$FoD*zXPGJ%^%#
#
aaa
authentication-scheme l-h
authentication-mode hwtacacs local
authorization-scheme hwtacacs
authorization-mode hwtacacs local
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
accounting start-fail online
domain huawei
authentication-scheme l-h
accounting-scheme hwtacacs
authorization-scheme hwtacacs
hwtacacs-server ht
local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
local-user user1 privilege level 15
local-user user1 service-type http
#
return
Networking Requirements
As shown in Figure 1-35, enterprise users access the network through Switch. The
user names do not contain any domain names.
The enterprise requires that common users access the network and obtain rights
after passing RADIUS authentication and that administrators log in to the device
for management only after passing local authentication on Switch.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and a VLANIF interface for Switch to communicate with the
RADIUS server.
2. Configure authentication and accounting schemes for common users and
apply the schemes to the default domain to authenticate common users,
such as users using 802.1X or Portal authentication. The user names of the
users do not contain domain names.
3. Configure authentication and authorization schemes for administrators and
apply the schemes to the default_admin domain to authenticate
administrators, such as a user logging in through Telnet, SSH, or FTP. The user
names of administrators do not contain domain names.
NOTE
Ensure that users have been configured on the RADIUS server. In this example, the user
with the user name test1 and password 123456 has been configured on the RADIUS server.
This example provides only the configuration for Switch. The configurations of the RADIUS
server are not described here.
Procedure
Step 1 Create a VLAN and configure interfaces.
# Set the link type of GE0/0/2, the Switch interface connected to the RADIUS
server, to access, and add GE0/0/2 to VLAN 11.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 11
[Switch-GigabitEthernet0/0/2] quit
# Create VLANIF 11, and configure the IP address 192.168.2.29/24 on VLANIF 11.
[Switch] interface vlanif 11
[Switch-Vlanif11] ip address 192.168.2.29 24
[Switch-Vlanif11] quit
Step 2 Configure RADIUS AAA for common users who use 802.1X authentication.
NOTE
Ensure that the shared key in the RADIUS server template is the same as that set on the RADIUS
server.
# Create authentication and accounting schemes both named abc, and set the
authentication and accounting modes to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
[Switch-aaa] accounting-scheme abc
[Switch-aaa-accounting-abc] accounting-mode radius
[Switch-aaa-accounting-abc] quit
# Test connectivity between Switch and the RADIUS server. Ensure that the test1
user with the password 123456 has been configured on the RADIUS server.
[Switch-aaa] test-aaa test1 123456 radius-template rd1
# Apply the authentication scheme abc, accounting schemes abc, and RADIUS
server template rd1 to the default domain.
[Switch-aaa] domain default
[Switch-aaa-domain-default] authentication-scheme abc
[Switch-aaa-domain-default] accounting-scheme abc
[Switch-aaa-domain-default] radius-server rd1
[Switch-aaa-domain-default] quit
[Switch-aaa] quit
NOTE
After the common mode is changed to unified mode, the device automatically restarts. By
default, the unified mode is used.
# Set the global default domain for common users to default. When a common user
enters a user name in the format user@default, the device performs AAA for the
user in the default domain. When the user name carries no domain name, or
carries a domain name that does not exist, the device also authenticates the
common user in the default domain, because it is the global default domain for
common users.
[Switch] domain default
Step 3 Configure local authentication and authorization for the administrator test.
# Configure the device to use AAA for the Telnet user that logs in through the VTY
user interface.
[Switch] telnet server enable
[Switch] telnet server-source -i vlanif 10
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] authentication-mode aaa
[Switch-ui-vty0-14] protocol inbound telnet
[Switch-ui-vty0-14] quit
# Configure a local user named test with password admin@12345, and set the
user level to 3.
[Switch] aaa
[Switch-aaa] local-user test password irreversible-cipher admin@12345 privilege level 3
# Configure local account locking. Set the retry interval to 5 minutes, the
maximum number of consecutive authentication failures to 3, and the local
account locking duration to 5 minutes.
[Switch-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
# Apply the authentication scheme auth and authorization scheme autho to the
default_admin domain.
[Switch-aaa] domain default_admin
[Switch-aaa-domain-default_admin] authentication-scheme auth
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
# If you log in through Telnet, enter the user name test and password
admin@12345, and run the display access-user domain and display access-user
user-id commands to check the domain to which you belong and your access
type.
<Switch> display access-user domain default_admin
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
16009 test 10.135.18.217 - Success
------------------------------------------------------------------------------
Total: 1, printed: 1
<Switch> display access-user user-id 16009
Basic:
User id : 16009
User name : test
Domain-name : default_admin
User MAC :-
User IP address : 10.135.18.217
User IPv6 address :-
User access time : 2009/02/15 05:10:52
User accounting session ID : huawei255255000000000f****2016009
Option82 information :-
User access type : Telnet
AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : None
----End
Configuration File
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 11
#
telnet server enable
telnet server-source -i Vlanif 10
#
authentication-profile name p1
dot1x-access-profile d1
authentication mode multi-authen max-user 100
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
radius-server accounting 192.168.2.30 1813 weight 80
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
authentication-scheme auth
authorization-scheme autho
accounting-scheme abc
accounting-mode radius
domain default
authentication-scheme abc
accounting-scheme abc
radius-server rd1
domain default_admin
authentication-scheme auth
authorization-scheme autho
local-user test password irreversible-cipher $1a$|^<)!}4$IN$9BrKBRY#L:pEc{P#HQ=OI#p["6tY%94gGg2#@FzP$
local-user test privilege level 3
local-user test service-type telnet
#
interface Vlanif11
ip address 192.168.2.29 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 11
#
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
dot1x-access-profile name d1
#
return
Figure 1-36 Networking diagram for configuring the user escape function if a
RADIUS server fault occurs
Data Plan
Configuration Roadmap
1. Configure RADIUS authentication.
2. Configure the RADIUS server status detection function.
3. Configure 802.1X authentication.
4. Configure escape rights if a RADIUS server fault occurs and configure the
reauthentication function if the RADIUS server fault is rectified.
Procedure
Step 1 Configure VLANs and configure the allowed VLANs on the interfaces.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access
[SwitchA-GigabitEthernet0/0/2] port default vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
# Configure the automatic detection interval for RADIUS servers in Down status
and the timeout period for detection packets. (The default values are used.)
[SwitchA-radius-controller] radius-server detect-server interval 60
[SwitchA-radius-controller] radius-server detect-server timeout 3
Step 3 Configure conditions for setting the RADIUS server status to Down. (The default
values are used.)
[SwitchA] radius-server dead-interval 5
[SwitchA] radius-server dead-count 2
[SwitchA] radius-server detect-cycle 2
[SwitchA] radius-server max-unresponsive-interval 300
# Configure the accounting scheme acc and set the accounting mode to RADIUS
accounting.
[SwitchA-aaa] accounting-scheme acc
[SwitchA-aaa-accounting-acc] accounting-mode radius
[SwitchA-aaa-accounting-acc] quit
Step 5 Configure domain huawei and apply the authentication scheme auth, accounting
scheme acc, and RADIUS server template controller to the domain.
[SwitchA-aaa] domain huawei
[SwitchA-aaa-domain-huawei] authentication-scheme auth
[SwitchA-aaa-domain-huawei] accounting-scheme acc
[SwitchA-aaa-domain-huawei] radius-server controller
[SwitchA-aaa-domain-huawei] quit
[SwitchA-aaa] quit
NOTE
By default, the unified mode is used. After the NAC mode is switched, the device automatically
reboots. You can run the display authentication mode command to check the current NAC
mode of the device.
[SwitchA] authentication unified-mode
NOTE
By default, an 802.1X access profile uses the EAP relay authentication mode. Ensure that
the RADIUS server supports EAP; otherwise, the RADIUS server cannot process 802.1X
authentication request packets.
# Configure the authentication profile p1, bind the 802.1X access profile d1 to the
authentication profile, and specify the domain huawei as the forcible
authentication domain in the authentication profile.
NOTE
After a forcible domain is configured in the authentication profile, users using this
authentication profile are authenticated in that domain regardless of whether their user
names carry a domain name, or which domain name they carry.
[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] dot1x-access-profile d1
[SwitchA-authen-profile-p1] access-domain huawei force
[SwitchA-authen-profile-p1] quit
# Configure escape rights if a RADIUS server fault occurs and configure the
reauthentication function if the RADIUS server fault is rectified. The authorization
service scheme during user escape is used as an example. For details about other
authorization information, see 2.9.3 (Optional) Configuring Authentication
Event Authorization Information.
[SwitchA] acl 3001
[SwitchA-acl-adv-3001] rule 1 permit ip source 192.168.2.0 0.0.0.255
[SwitchA-acl-adv-3001] quit
[SwitchA] aaa
[SwitchA-aaa] service-scheme s1
[SwitchA-aaa-service-s1] acl-id 3001
[SwitchA-aaa-service-s1] quit
[SwitchA-aaa] quit
[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] authentication event authen-server-down action authorize service-scheme s1
[SwitchA-authen-profile-p1] authentication event authen-server-up action re-authen
[SwitchA-authen-profile-p1] quit
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
authentication-profile name p1
dot1x-access-profile d1
access-domain huawei force
authentication event authen-server-down action authorize service-scheme s1
Fault Description
After local authentication is used, a user cannot log in to the device through
Telnet.
Common Causes
1. The user does not have an account on the device.
2. The user name or password entered by the user is incorrect.
3. No authentication mode is configured for the user interface.
Procedure
1. Run the display this command in the AAA view to check whether the user
has an account on the device.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] display this
#
aaa
local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$ //The user name is user1; the password is displayed on the screen in cipher text. The authentication password entered by the user is displayed in plain text.
#
– If the user does not have an account on the device, run the local-user
user-name password irreversible-cipher password command in the AAA
view to create a local user.
– If the user has an account on the device, ensure that the user name and
password entered by the user are the same as those configured on the
device.
The password is displayed in cipher text on the screen. If you forget the
password, run the local-user user-name password irreversible-cipher
password command in the AAA view to reconfigure the password.
2. Run the display this command in the user interface view to check whether
the authentication mode is set to aaa.
If not, run the authentication-mode aaa command in the user interface
view, for example, in the VTY user interface view.
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] display this
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
Context
A user is only authorized to run commands at the same level as or below the user
level. For example, a user at level 2 can run only the commands at levels 0, 1, and
2.
Fault Description
A user successfully logs in to the device through Telnet, but cannot run the
system-view command to enter the system view or run other commands at the
configuration level.
Common Causes
A common cause of the fault is that the user is not authorized to run commands
at the configuration level (level 2).
If this is the case, the user level is lower than level 2. One possibility is that
no user level was specified for the user, so the user level is set to the default
level.
NOTE
By default, the users on the console port are at level 15 and the users on the VTY user interface
are at level 0.
Procedure
The following procedures can be used to rectify this fault:
● If the administrator resets the user level for the user:
– The administrator can log in to the device from the VTY user interface
through Telnet, and then run the local-user user-name privilege level
level command to reset the user level.
– The administrator can log in to the device through the console port, and
then run the local-user user-name privilege level level command to
reset the user level.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 privilege level 15 //Set the user level of user1 to 15.
● If the user changes the user level online:
a. The administrator sets the password, which is used to change the user
level to 15.
<HUAWEI> system-view
[HUAWEI] super password level 15 cipher Test@5678
b. The user logs in to the device through Telnet and uses the password to
change the user level.
<HUAWEI> super 15
Password: //Enter the password Test@5678.
Now user privilege is 15 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE //User level is raised successfully.
Common Causes
If a user is authenticated in the global default domain (for which RADIUS
authentication is not configured) and enters a user name without the domain
name, the user cannot be authenticated.
Procedure
Ensure that the domain configured for RADIUS authentication is the same as the
domain used for user authentication. You can use one of the following methods:
● As an administrator, configure the domain for RADIUS authentication as the
global default domain.
– If the user that failed authentication is an administrator, run the domain
domain-name admin command in the system view.
– If the user that failed authentication is a common user, run the domain
domain-name command in the system view.
● As an administrator, configure RADIUS authentication in the global default
domain.
– If the user that failed authentication is an administrator, configure
RADIUS authentication in default_admin.
– If the user that failed authentication is a common user, configure RADIUS
authentication in default.
● The user enters a user name containing the RADIUS authentication domain
name.
This rule also applies to HWTACACS authentication and local authentication. That
is, the device performs local authentication only when the connection with the
HWTACACS server times out.
When both RADIUS authentication and local authentication are configured, the
device performs local authentication if it does not receive any response from the
RADIUS server (for example, if the RADIUS server fails). As shown in the following
configuration file, RADIUS authentication and accounting are configured on the
device. Even though the user successfully logs in through local authentication,
RADIUS accounting fails because the RADIUS server does not respond. Therefore,
the user is disconnected.
#
radius-server template rad //Configure the RADIUS server template.
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 10.7.66.66 1812 weight 80
radius-server accounting 10.7.66.66 1813 weight 80
#
aaa
authentication-scheme default
authentication-mode radius local //In the authentication scheme named default, the authentication mode is set to RADIUS authentication and local authentication.
authorization-scheme default
accounting-scheme default
accounting-mode radius //In the accounting scheme named default, the accounting mode is set to RADIUS accounting.
domain default_admin
radius-server rad //Apply the RADIUS server template to the global default management domain. By default, the domain uses the default authentication and accounting schemes.
local-user user1 password cipher %^%#9X%T3y\jN;_&5(FU-B4P;);/tc^%VI\mA1KeeH%^%#
local-user user1 privilege level 15
local-user user1 service-type telnet terminal
#
Solution:
● For administrators (logging in through Telnet, SSH, FTP, HTTP, or console
port), accounting is not required, so RADIUS accounting configuration can be
deleted.
● For common users (logging in through MAC, Portal, 802.1X, or PPP
authentication), run the accounting start-fail online command in the
accounting scheme view to configure the device to keep the users online upon
accounting failures. However, executing this command can cause inaccurate
accounting results. Before using this method, ensure that services will not be
affected.
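The fault and the two solutions above, modelled as a small simulation (example code added here, not Huawei's implementation): the RADIUS server and the local account user1 with the constructed password Constructed#Pw1 are stand-ins, and the model follows the behaviour this section describes, namely that local authentication is tried only when RADIUS does not respond, and that a failed accounting-start disconnects the user unless accounting start-fail online is configured.

```python
"""Simulation of 'authentication-mode radius local' plus 'accounting-mode radius'
as described in the troubleshooting text. Example code, not Huawei's code;
the server replies are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Reply(Enum):
    ACCEPT = "accept"    # Access-Accept
    REJECT = "reject"    # Access-Reject
    TIMEOUT = "timeout"  # no response after all retransmissions


@dataclass
class RadiusServer:
    """Constructed stand-in: a fixed authentication reply, or no reply at all."""
    reply: Reply
    reachable: bool = True

    def authenticate(self, user, password):
        return self.reply if self.reachable else Reply.TIMEOUT

    def accounting_start(self, user):
        return Reply.ACCEPT if self.reachable else Reply.TIMEOUT


@dataclass
class Nas:
    radius: RadiusServer
    local_users: dict                                # user -> password
    authentication_mode: tuple = ("radius", "local")  # order of methods
    accounting_mode: str = "radius"                  # "radius" or "none"
    start_fail_online: bool = False                  # accounting start-fail online
    trace: list = field(default_factory=list)

    def authenticate(self, user, password):
        for method in self.authentication_mode:
            if method == "radius":
                r = self.radius.authenticate(user, password)
                self.trace.append(f"radius auth -> {r.value}")
                if r is Reply.TIMEOUT:
                    continue  # only a timeout falls through to the next method
                return r is Reply.ACCEPT  # a reject is final
            if method == "local":
                ok = self.local_users.get(user) == password
                self.trace.append(f"local auth -> {'accept' if ok else 'reject'}")
                return ok
        return False

    def login(self, user, password):
        """Return 'rejected', 'disconnected' or 'online' for one login attempt."""
        if not self.authenticate(user, password):
            return "rejected"
        if self.accounting_mode == "radius":
            r = self.radius.accounting_start(user)
            self.trace.append(f"radius accounting-start -> {r.value}")
            if r is not Reply.ACCEPT and not self.start_fail_online:
                return "disconnected"  # the fault described in the text
        return "online"


def scenarios():
    """Outcomes for the four cases discussed in the troubleshooting section."""
    users = {"user1": "Constructed#Pw1"}            # constructed local account
    down = RadiusServer(Reply.ACCEPT, reachable=False)
    # 1. RADIUS answers with a reject: no local fallback, login fails.
    a = Nas(RadiusServer(Reply.REJECT), users).login("user1", "Constructed#Pw1")
    # 2. RADIUS down, local authentication succeeds, RADIUS accounting-start
    #    gets no response: user is disconnected.
    b = Nas(down, users).login("user1", "Constructed#Pw1")
    # 3. Same, with 'accounting start-fail online': user stays online.
    c = Nas(down, users, start_fail_online=True).login("user1", "Constructed#Pw1")
    # 4. Same, RADIUS accounting removed (administrator solution): online.
    d = Nas(down, users, accounting_mode="none").login("user1", "Constructed#Pw1")
    return a, b, c, d


if __name__ == "__main__":
    print(scenarios())
```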
The device supports multiple user access types. A user can log in to the device
only when the user access type is the same as the access type configured for the
user on the device. If you want to restrict the user access type to Telnet, run the
local-user user-name service-type telnet command in the AAA view.