7163984 aaa radius configuration issue1
-
8/2/2019 7163984 Aaa Radius Configuration Issue1
1/26
HUAWEI TECHNOLOGIES CO., LTD. All rights reserved
www.huawei.com
Internal
ISSUE 1.0
AAA & RADIUS Configuration
-
Objectives
Upon completion of this course, you will be able to:
Understand the AAA services
Master the basic principles of RADIUS
-
Course Contents
AAA & RADIUS Configuration (VRP 1.74)
AAA & RADIUS Configuration (VRP 3.40)
-
AAA Basic Configuration (VRP 1.74)
Relevant commands:
aaa-enable
aaa accounting-scheme optional
aaa authentication-scheme login { default | methods-list } { method1 [ method2 ... ] }
aaa authentication-scheme ppp { default | methods-list } { method1 } [ method2 ... ]
Method table: the five effective method combinations are radius, local, none, radius local, and radius none.
-
Local User Database (VRP 1.74)
Local user database fields: user name, password, services, calling number, callback number, FTP directory.
Relevant commands:
local-user
display aaa user (displays user information)
-
AAA Configuration Commands (VRP 1.74)
Start the AAA service:
[Quidway] aaa-enable
Configure the default authentication method table for PPP users:
[Quidway] aaa authentication-scheme login default local
With the accounting scheme set to optional, user access is still allowed when accounting cannot be performed (the user is simply not charged):
[Quidway] aaa accounting-scheme optional
Apply the default method table to the PPP-encapsulated interface:
[Quidway-Serial0] ppp authentication-mode pap scheme default
-
Debugging Information (VRP 1.74)
Display active users:
display aaa user
Primitive debugging information:
debugging radius primitive
Event debugging information:
debugging radius event
-
RADIUS Basic Configuration (VRP 1.74)
Configure the RADIUS server:
radius server { hostname | ip-address } [ authentication-port port-number ] [ accounting-port port-number ]
radius shared-key string
Configure the retransmission parameters:
radius-server retransmit
radius-server timeout
Configure the real-time accounting function:
radius-server realtime-acct-timeout
-
RADIUS Configuration Commands (VRP 1.74) - I
Start AAA:
[Quidway] aaa-enable
Configure the PPP user default authentication method table:
[Quidway] aaa authentication-scheme login default radius local
Configure the RADIUS server IP addresses and ports, using the default port numbers:
[Quidway] radius server 129.7.66.68
[Quidway] radius server 129.7.66.66 accounting-port 0
[Quidway] radius server 129.7.66.67 authentication-port 0
-
RADIUS Configuration Commands (VRP 1.74) Cont.
Configure the RADIUS server key, the number of retransmissions, and the duration of the timeout timer:
[Quidway] radius shared-key this-is-my-secret
[Quidway] radius retry 2
[Quidway] radius timer response-timeout 5
Apply the default method table to the PPP-encapsulated interface:
[Quidway-Serial0] ppp authentication-mode pap scheme default
-
RADIUS Packet Debugging Command (VRP 1.74)
Packet debugging information switch:
debugging radius packet
Used to help diagnose RADIUS faults.
It shows packet transmission and reception together with the contents of each entire RADIUS packet.
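To make sense of what the packet debugging output shows (code, identifier, length, the 16-byte authenticator, and the attribute list), here is an added example, not from the Huawei course, that builds and parses a RADIUS Access-Request and checks an Access-Accept the way a NAS does (RFC 2865). It shows the two places the shared key from the course enters the protocol: hiding the User-Password attribute and computing the Response Authenticator. The shared secret, user name, password and NAS address are constructed values.

```python
"""RADIUS Access-Request build/parse and Response Authenticator check (RFC 2865).
Added example, not Huawei code. All secrets, names and addresses are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does); trailing NUL padding is removed."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, mask)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Each attribute is Type(1) Length(1, includes header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, req_auth=None):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    req_auth = req_auth or os.urandom(16)  # Request Authenticator must be unpredictable
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad RADIUS length")
    return {"code": code, "name": CODE_NAMES.get(code, "unknown"), "id": ident,
            "length": length, "authenticator": raw[4:20],
            "attrs": decode_attrs(raw[20:length])}


def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(code, ident, req_auth, secret, attrs=b""):
    auth = response_authenticator(code, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def response_is_authentic(resp_raw, req_auth, secret):
    """NAS-side check: a reply whose authenticator was not computed with the
    shared key (or for this request) is discarded, not trusted."""
    p = parse_packet(resp_raw)
    expected = response_authenticator(p["code"], p["id"], resp_raw[20:p["length"]],
                                      req_auth, secret)
    return hmac.compare_digest(expected, p["authenticator"])
```

A mismatched shared key on the two sides shows up exactly here: the server cannot recover the password and the NAS rejects every reply as unauthentic, which is what the packet debugging output lets you see.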
-
Course Contents
AAA & RADIUS Configuration (VRP 1.74)
AAA & RADIUS Configuration (VRP 3.40)
-
Configure AAA (VRP 3.40) - I
Create or delete an ISP domain (user names take the form userid@isp-name):
domain [ isp-name | default { disable | enable isp-name } ]
One access device may serve users of different ISPs.
Each ISP domain can be configured with its own domain attributes.
A default domain can be enabled for users whose name carries no domain part.
-
Configure AAA (VRP 3.40) - II
Configure the attributes of an ISP domain:
The RADIUS server group adopted by the domain
radius-scheme radius-scheme-name
Every ISP domain has an active or blocked state
state { active | block }
Maximum number of supplicants
access-limit { disable | enable max-user-number }
The idle-cut function
idle-cut { disable | enable minutes flow }
-
Configure AAA (VRP 3.40) - III
Add a local user:
[undo] local-user user-name
password { simple | cipher } password
service-type { telnet [ level level ] | ftp [ ftp-directory directory ] | lan-access }
attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlanid | location [ nas-ip ip-address ] port portnum }
state { active | block }
Disconnect a user by force:
cut connection { all | access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }
-
Configure RADIUS Protocol (VRP 3.40) - I
Attributes of every RADIUS server group:
IP addresses of the primary and secondary servers
Shared key
RADIUS server type
Create a RADIUS server group:
radius scheme radius-server-name
Set the IP address and port number of a RADIUS server:
primary { authentication | accounting } ip-address [ port-number ]
secondary { authentication | accounting } ip-address [ port-number ]
-
Configure RADIUS Protocol (VRP 3.40) - II
Configure the shared key of the RADIUS server group:
local-server nas-ip ip-address key password
Set the supported type of RADIUS server:
server-type { huawei | iphotel | portal | standard }
Set the RADIUS server state:
state primary { accounting | authentication } { block | active }
state secondary { accounting | authentication } { block | active }
Set the user name format transmitted to the RADIUS server:
user-name-format { with-domain | without-domain }
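The domain slides above and the user-name-format command together decide which server group a login is sent to and what User-Name the server sees. The following added example (not Huawei code) models those rules: split userid@isp-name, fall back to the default domain when no "@" is present, refuse unknown or blocked domains, and strip or keep the domain according to the scheme's user-name-format. The domain table, default domain and user names are constructed; that a blocked domain admits no new logins, and that the domain is everything after the first "@", are assumptions of this model.

```python
"""Map a login name to its ISP domain and to the User-Name sent to RADIUS.
Added example modelling the VRP 3.40 domain / user-name-format rules; not
Huawei code. The domain table, default domain and names are constructed."""

# Constructed per-domain attributes, named after the commands on the slides.
DOMAINS = {
    "huawei.com": {"radius-scheme": "radius1", "state": "active",
                   "user-name-format": "without-domain"},
    "isp2.net": {"radius-scheme": "radius2", "state": "block",
                 "user-name-format": "with-domain"},
}
# 'domain default enable huawei.com'; None models 'domain default disable'.
DEFAULT_DOMAIN = "huawei.com"


def resolve_domain(login, domains=DOMAINS, default=DEFAULT_DOMAIN):
    """Split userid@isp-name. A name without '@' belongs to the default domain;
    with no default enabled, or an unknown domain, the login cannot be placed
    and None is returned. Assumption: the domain is everything after the first '@'."""
    userid, sep, isp = login.partition("@")
    if not sep:
        isp = default
    if not userid or isp is None or isp not in domains:
        return None
    return userid, isp


def radius_user_name(login, domains=DOMAINS, default=DEFAULT_DOMAIN):
    """Return (radius-scheme, User-Name) for the request, or None when the
    domain is unknown or blocked (assumption: a blocked domain admits no logins)."""
    resolved = resolve_domain(login, domains, default)
    if resolved is None:
        return None
    userid, isp = resolved
    attrs = domains[isp]
    if attrs["state"] == "block":
        return None
    # without-domain: the server's user database is keyed by the bare user id.
    name = userid if attrs["user-name-format"] == "without-domain" else f"{userid}@{isp}"
    return attrs["radius-scheme"], name


if __name__ == "__main__":
    for login in ("localuser@huawei.com", "localuser", "alice@isp2.net", "bob@nosuch.org"):
        print(login, "->", radius_user_name(login))
```

The practical point: with without-domain, two domains that share a RADIUS server must not reuse user ids, because the server can no longer tell them apart.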
-
Display and Debugging (VRP 3.40) - I
Display information about the ISP domains:
display domain [ isp-name ]
Display information about user connections:
display connection [ access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name ]
Display information about the RADIUS server groups:
display radius [ radius-server-name ]
-
Display and Debugging (VRP 3.40) - II
Enable RADIUS packet debugging:
debugging radius packet
Enable debugging of the local RADIUS server:
debugging local-server { all | error | event | packet }
-
AAA/RADIUS Configuration Example (VRP 3.40) - I
Router RTA is configured to use RADIUS for authenticating access to the VRP CLI.
All supplicants belong to the default domain huawei.com.
[Figure: supplicants reach the authenticator RTA across the Internet; RTA consults a RADIUS server cluster with IP addresses 10.11.1.1 and 10.11.1.2.]
-
AAA/RADIUS Configuration Example (VRP 3.40) - II
RADIUS authentication is performed first; local authentication is used only if the RADIUS servers fail.
RADIUS parameters:
Encryption key for authentication: name
Encryption key for accounting: money
Retransmission: every 5 seconds, no more than 5 times
Real-time accounting: every 15 minutes
Domain: huawei
Local authentication:
User: localuser
Password: localpass
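The method-table slide for VRP 1.74 (radius local, radius none) and this example both rely on one rule: a later method runs only when the earlier one gives no verdict. The following added example (not Huawei code) models that evaluation with the timers from this example: primary then secondary server, five resends each, and local fallback only when every server stays silent. An Access-Reject is a verdict and ends the search, so a wrong password is never rescued by the local database. Servers, users and addresses are constructed stand-ins and no traffic is sent.

```python
"""Evaluate an AAA authentication method list such as 'radius local'.
Added example of the semantics described in the course; not Huawei code.
Servers, timers and users are constructed; nothing is sent on the network."""


class RadiusServer:
    """Stand-in for one server of a scheme. reachable=False models a server
    that never answers, so every request to it times out."""

    def __init__(self, address, users, reachable=True):
        self.address = address
        self.users = users          # constructed user database
        self.reachable = reachable

    def request(self, user, password):
        """True = Access-Accept, False = Access-Reject, None = timeout."""
        if not self.reachable:
            return None
        return self.users.get(user) == password


def radius_method(scheme, user, password, trace):
    """Try the primary then the secondary server; each is sent the request up
    to scheme['retry'] times with scheme['timeout'] seconds between attempts.
    Any verdict ends the search; only silence from every server fails the
    method (None), which is the one case that lets the next method run."""
    for server in scheme["servers"]:
        for attempt in range(1, scheme["retry"] + 1):
            verdict = server.request(user, password)
            trace.append((server.address, attempt, verdict))
            if verdict is not None:
                return verdict
            # no reply: the NAS would wait scheme["timeout"] seconds, then resend
    return None


def authenticate(methods, user, password, scheme, local_users):
    """Walk the method list ('radius', 'local', 'none'). Returns (verdict, trace)."""
    trace = []
    for method in methods:
        if method == "radius":
            verdict = radius_method(scheme, user, password, trace)
        elif method == "local":
            verdict = local_users.get(user) == password
        elif method == "none":
            verdict = True          # 'none' admits everyone: use with care
        else:
            raise ValueError(f"unknown method {method!r}")
        trace.append((method, verdict))
        if verdict is not None:
            return verdict, trace
    return False, trace             # every method silent: deny


# Constructed scenario mirroring the example: two servers, retry 5, timeout 5 s,
# one RADIUS user and one local fallback user.
LOCAL_USERS = {"localuser": "localpass"}


def make_scheme(primary_up=True, secondary_up=True):
    radius_users = {"alice": "s3cret"}
    return {
        "servers": [RadiusServer("10.11.1.1", radius_users, primary_up),
                    RadiusServer("10.11.1.2", radius_users, secondary_up)],
        "retry": 5,
        "timeout": 5,
    }


if __name__ == "__main__":
    ok, trace = authenticate(["radius", "local"], "localuser", "localpass",
                             make_scheme(False, False), LOCAL_USERS)
    print(ok, trace)
```

The trace makes the cost of failover visible: with both servers down and retry 5, a login waits through ten timeouts before the local database is consulted, so the retry and timer values trade resilience against login delay.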
-
AAA/RADIUS Configuration Example (VRP 3.40) - III
Create the RADIUS scheme radius1 and enter its configuration view:
[Quidway] radius scheme radius1
Set the IP addresses of the primary RADIUS servers:
[Quidway-radius-radius1] primary authentication 10.11.1.1
[Quidway-radius-radius1] primary accounting 10.11.1.2
Set the IP addresses of the secondary RADIUS servers:
[Quidway-radius-radius1] secondary authentication 10.11.1.2
[Quidway-radius-radius1] secondary accounting 10.11.1.1
-
AAA/RADIUS Configuration Example (VRP 3.40) - IV
Set the encryption key shared with the authentication RADIUS server:
[Quidway-radius-radius1] key authentication name
Set the encryption key shared with the accounting RADIUS server:
[Quidway-radius-radius1] key accounting money
Set the response timeout and the number of retransmissions to the RADIUS server:
[Quidway-radius-radius1] timer 5
[Quidway-radius-radius1] retry 5
Set the interval for transmitting real-time accounting packets to the RADIUS server:
[Quidway-radius-radius1] timer realtime-accounting 15
Send the user name to the RADIUS server with the domain name removed:
[Quidway-radius-radius1] user-name-format without-domain
[Quidway-radius-radius1] quit
-
AAA/RADIUS Configuration Example (VRP 3.40) - V
Create the user domain huawei.com:
[Quidway] domain huawei.com
Specify radius1 as the RADIUS server group for the domain's users:
[Quidway-isp-huawei.com] radius-scheme radius1
Specify the authentication modes for this domain (RADIUS first, then local):
[Quidway-isp-huawei.com] scheme radius-scheme radius1 local
Add a local supplicant and set its parameters:
[Quidway] local-user localuser@huawei.com
[Quidway-luser-localuser@huawei.com] password simple localpass
[Quidway-luser-localuser@huawei.com] service-type telnet terminal
Then set huawei.com as the default domain to use for authentication:
[Quidway] domain default enable huawei.com
-
AAA/RADIUS Configuration Example (VRP 3.40) - VI
Finally, set the authentication mode for the Telnet lines:
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode scheme
-
www.huawei.com
Thank You