Internal
AAA & RADIUS Configuration ISSUE 1.0
HUAWEI TECHNOLOGIES CO., LTD.
www.huawei.com
All rights reserved
Objectives
Upon completion of this course, you will be able to:
- Understand the AAA services
- Master the basic principles of RADIUS
Course Contents
1. AAA & RADIUS Configuration (VRP 1.74)
2. AAA & RADIUS Configuration (VRP 3.40)
AAA Basic Configuration (VRP 1.74)
Related commands:
aaa-enable
aaa accounting-scheme optional
aaa authentication-scheme login { default | methods-list } { method1 [ method2 ... ] }
aaa authentication-scheme ppp { default | methods-list } { method1 } [ method2 ... ]
Method table: 5 effective combinations: radius, local, none, radius local, radius none
Local User Database (VRP 1.74)
The local user database stores the following user information for each user name:
- Password
- Services
- FTP directory
- Calling number
- Callback number
Related commands: local-user, display aaa user
AAA Configuration Commands (VRP 1.74)
Start the AAA service:
[Quidway] aaa-enable
Configure the default authentication method table for PPP users:
[Quidway] aaa authentication-scheme login default local
Keep user access available when accounting is impossible, i.e. perform no accounting:
[Quidway] aaa accounting-scheme optional
Apply the default method table to the PPP-encapsulated interface:
[Quidway-Serial0] ppp authentication-mode pap scheme default
Debugging Information (VRP 1.74)
Display active users:
display aaa user
Primitive debugging information:
debugging radius primitive
Event debugging information:
debugging radius event
RADIUS Basic Configuration (VRP 1.74)
Configure the RADIUS server:
radius server { hostname | ip-address } [ authentication-port port-number ] [ accounting-port port-number ]
radius shared-key string
Configure the retransmission parameters:
radius-server retransmit
radius-server timeout
Configure the real-time accounting function:
radius-server realtime-acct-timeout
RADIUS Configuration Commands (VRP 1.74) - I
Start AAA:
[Quidway] aaa-enable
Configure the PPP user default authentication method table:
[Quidway] aaa authentication-scheme login default radius local
Configure the RADIUS server IP addresses and ports, using the default port numbers:
[Quidway] radius server 129.7.66.68
[Quidway] radius server 129.7.66.66 accounting-port 0
[Quidway] radius server 129.7.66.67 authentication-port 0
RADIUS Configuration Commands (VRP 1.74) - Cont.
Configure the RADIUS server key, the number of retransmissions and the duration of the timeout timer:
[Quidway] radius shared-key this-is-my-secret
[Quidway] radius retry 2
[Quidway] radius timer response-timeout 5
Apply the default method table to the PPP-encapsulated interface:
[Quidway-Serial0] ppp authentication-mode pap scheme default
RADIUS Packet Debugging Command (VRP 1.74)
Packet debugging information switch:
debugging radius packet
It is used to help fault diagnosis of RADIUS: it shows the transmission and reception of packets and the contents of the entire RADIUS packet.
Course Contents
1. AAA & RADIUS Configuration (VRP 1.74)
2. AAA & RADIUS Configuration (VRP 3.40)
Configure AAA (VRP 3.40) - I
Create/delete an ISP domain:
domain [ isp-name | default { disable | enable isp-name } ]
One access device might serve users of different ISPs; a user is identified as userid@isp-name.
Each ISP domain can be configured with its own domain attributes.
The default domain is selected with domain default enable isp-name.
Configure AAA (VRP 3.40) - II
Configure the relevant attributes of the ISP domain:
- The adopted RADIUS server group: radius-scheme radius-scheme-name
- Every ISP domain has an active or block state: state { active | block }
- Maximum number of supplicants: access-limit { disable | enable max-user-number }
- The idle-cut function: idle-cut { disable | enable minutes flow }
Configure AAA (VRP 3.40) - III
Add a local user:
[undo] local-user user-name
password { simple | cipher } password
service-type { telnet [ level level ] | ftp [ ftp-directory directory ] | lanaccess }
attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlanid | location [ nas-ip ip-address ] port portnum }
state { active | block }
Disconnect a user by force:
cut connection { all | access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }
Configure RADIUS Protocol (VRP 3.40) - I
Attributes of every RADIUS server group:
- IP addresses of the primary and secondary servers
- Shared key
- RADIUS server type
Create a RADIUS server group:
radius scheme radius-server-name
Set the IP address and port number of the RADIUS server:
primary { authentication | accounting } ip-address [ port-number ]
secondary { authentication | accounting } ip-address [ port-number ]
Configure RADIUS Protocol (VRP 3.40) - II
Configure the shared key of the RADIUS server group:
local-server nas-ip ip-address key password
Set the supported type of RADIUS server:
server-type { huawei | iphotel | portal | standard }
Set the RADIUS server state:
state primary { accounting | authentication } { block | active }
state secondary { accounting | authentication } { block | active }
Set the user name format transmitted to the RADIUS server:
user-name-format { with-domain | without-domain }
Display and Debugging (VRP 3.40) - I
Display the information of the ISP domains:
display domain [ isp-name ]
Display the related information of a user's connection:
display connection [ access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name ]
Display the information of the RADIUS server groups:
display radius [ radius-server-name ]
Display and Debugging (VRP 3.40) - II
Enable RADIUS packet debugging:
debugging radius packet
Enable debugging of the local RADIUS server group:
debugging local-server { all | error | event | packet }
AAA/RADIUS Configuration Example (VRP 3.40) - I
For access to the VRP CLI, router RTA is configured with RADIUS. All supplicants belong to the default domain huawei.com.
[Figure: Supplicant - RTA (authenticator) - Internet - Authentication servers (RADIUS server cluster, IP addresses 10.11.1.1 and 10.11.1.2)]
AAA/RADIUS Configuration Example (VRP 3.40) - II
RADIUS authentication is performed first; in case of RADIUS server failure, local authentication is used.
RADIUS parameters:
- Encryption key for authentication: "name"
- Encryption key for accounting: "money"
- Retransmit packets: 5 seconds per attempt, no more than 5 times
- Real-time accounting: every 15 minutes
- Domain: huawei
Local authentication:
- User: "localuser"
- Password: localpass
AAA/RADIUS Configuration Example (VRP 3.40) - III
Create the RADIUS group radius1 and enter its configuration mode:
[Quidway] radius scheme radius1
Set the IP addresses of the primary RADIUS servers:
[Quidway-radius-radius1] primary authentication 10.11.1.1
[Quidway-radius-radius1] primary accounting 10.11.1.2
Set the IP addresses of the secondary RADIUS servers:
[Quidway-radius-radius1] secondary authentication 10.11.1.2
[Quidway-radius-radius1] secondary accounting 10.11.1.1
AAA/RADIUS Configuration Example (VRP 3.40) - IV
Set the encryption key shared with the authentication RADIUS server:
[Quidway-radius-radius1] key authentication name
Set the encryption key shared with the accounting RADIUS server:
[Quidway-radius-radius1] key accounting money
Set the response timeout and the number of retransmissions to the RADIUS server:
[Quidway-radius-radius1] timer 5
[Quidway-radius-radius1] retry 5
Set the interval for transmitting real-time accounting packets to the RADIUS server:
[Quidway-radius-radius1] timer realtime-accounting 15
Send the user name to the RADIUS server with the domain name removed:
[Quidway-radius-radius1] user-name-format without-domain
[Quidway-radius-radius1] quit
AAA/RADIUS Configuration Example (VRP 3.40) - V
Create the user domain huawei.com:
[Quidway] domain huawei.com
Specify radius1 as the RADIUS server group for the users:
[Quidway-isp-huawei.com] radius-scheme radius1
Specify the authentication modes for this domain (RADIUS and local):
[Quidway-isp-huawei.com] scheme radius-scheme radius1 local
Add a local supplicant and set its parameters:
[Quidway] local-user localuser@huawei.com
[Quidway-luser-localuser@huawei.com] password simple localpass
[Quidway-luser-localuser@huawei.com] service-type telnet terminal
Then set huawei.com as the default domain to use for authentication:
[Quidway] domain default enable huawei.com
AAA/RADIUS Configuration Example (VRP 3.40) - VI
Finally, set the authentication mode for the Telnet lines:
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode scheme
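The method-list behaviour this example relies on (RADIUS first, local only when the RADIUS servers fail to answer) and the radius1 parameters above (timer 5, retry 5, user-name-format without-domain, local user localuser/localpass), modelled as an added Python example that is not part of the Huawei course or of the VRP software. The RADIUS servers are simulated as callables, and "retry 5" is assumed to mean up to five requests per server.

```python
ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"   # outcomes of one Access-Request

class RadiusScheme:
    """Mirrors 'radius scheme radius1': ordered servers (primary first), timer, retry."""
    def __init__(self, servers, timer=5, retry=5, without_domain=True):
        self.servers = servers          # list of (ip, responder); responder(user, pwd) -> outcome
        self.timer, self.retry = timer, retry
        self.without_domain = without_domain

    def authenticate(self, user, password):
        """Return (outcome, seconds_waited); TIMEOUT only if every server stayed silent."""
        # 'user-name-format without-domain': strip '@isp-name' before sending the name
        sent_user = user.split("@")[0] if self.without_domain else user
        waited = 0
        for _ip, responder in self.servers:
            for _ in range(self.retry):  # assumption: 'retry 5' = up to 5 requests per server
                outcome = responder(sent_user, password)
                if outcome != TIMEOUT:
                    return outcome, waited
                waited += self.timer     # 'timer 5': wait 5 s before retransmitting
        return TIMEOUT, waited

LOCAL_USERS = {"localuser@huawei.com": "localpass"}   # 'local-user localuser@huawei.com'

def local_authenticate(user, password):
    return ACCEPT if LOCAL_USERS.get(user) == password else REJECT

def authenticate(methods, scheme, user, password):
    """Evaluate a method list such as ['radius', 'local'] or ['radius', 'none'].
    The next method is consulted only when the previous one could not answer (TIMEOUT);
    an explicit REJECT from RADIUS is final and never falls back to the local database."""
    waited = 0
    for method in methods:
        if method == "radius":
            outcome, spent = scheme.authenticate(user, password)
            waited += spent
        elif method == "local":
            outcome = local_authenticate(user, password)
        elif method == "none":
            outcome = ACCEPT             # 'none' grants access without any check
        else:
            raise ValueError(f"unknown method {method!r}")
        if outcome != TIMEOUT:
            return outcome, waited
    return REJECT, waited                # nothing could answer: deny rather than admit

if __name__ == "__main__":  # constructed scenario: both radius1 servers unreachable
    down = RadiusScheme([("10.11.1.1", lambda u, p: TIMEOUT), ("10.11.1.2", lambda u, p: TIMEOUT)])
    print(authenticate(["radius", "local"], down, "localuser@huawei.com", "localpass"))
```

With both servers down, the operator waits 2 servers x 5 attempts x 5 s = 50 s before the local database answers; a reachable server that rejects the user is answered immediately and local credentials are never consulted.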
Thank You www.huawei.com