
Internal

AAA & RADIUS Configuration


ISSUE 1.0
www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

Objectives
Upon completion of this course, you will be able to:

Understand the AAA services
Master the basic principles of RADIUS


Course Contents

AAA & RADIUS Configuration (VRP 1.74)
AAA & RADIUS Configuration (VRP 3.40)


AAA Basic Configuration (VRP 1.74)

Related commands

aaa-enable
aaa accounting-scheme optional

aaa authentication-scheme login { default | methods-list } { method1 [ method2 ... ] }

aaa authentication-scheme ppp { default | methods-list } { method1 } [ method2 ... ]

Method table

5 effective combinations: radius, local, none, radius local, radius none


Local User Database (VRP 1.74)


Local user database fields: user name, password, user information, services, calling number, callback number, FTP directory

Related commands: local-user, display aaa user


AAA Configuration Commands (VRP 1.74)

Start the AAA service:

[Quidway] aaa-enable

Configure the default authentication method table for PPP users:

[Quidway] aaa authentication-scheme login default local

Keep user access available when accounting cannot be performed (accounting is optional, so no charging takes place):

[Quidway] aaa accounting-scheme optional

Apply the default method table to the PPP-encapsulated interface:

[Quidway-Serial0] ppp authentication-mode pap scheme default


Debugging Information (VRP 1.74)

Display active users

display aaa user

Primitive debugging information

debugging radius primitive

Event debugging information

debugging radius event


RADIUS Basic Configuration (VRP 1.74)

Configure RADIUS server

radius server { hostname | ip-address } [ authentication-port port-number ] [ accounting-port port-number ]

radius shared-key string

Configure retransmission parameters

radius-server retransmit

radius-server timeout

Configure the real-time accounting function

radius-server realtime-acct-timeout


RADIUS Configuration Commands (VRP 1.74) - I

Start AAA:

[Quidway] aaa-enable

Configure the default authentication method table for PPP users:

[Quidway] aaa authentication-scheme login default radius local

Configure the RADIUS server IP addresses and ports, using the default port number where none is given:

[Quidway] radius server 129.7.66.68
[Quidway] radius server 129.7.66.66 accounting-port 0
[Quidway] radius server 129.7.66.67 authentication-port 0


RADIUS Configuration Commands (VRP 1.74) Cont.

Configure the RADIUS server key, the number of retransmissions and the duration of the timeout timer:

[Quidway] radius shared-key this-is-my-secret
[Quidway] radius retry 2
[Quidway] radius timer response-timeout 5

Apply the default method table to the PPP-encapsulated interface:

[Quidway-Serial0] ppp authentication-mode pap scheme default


RADIUS Packet Debugging Command (VRP 1.74)

Packet debugging information switch

debugging radius packet

Used to help diagnose RADIUS faults

It can be used to observe packet transmission and reception and the contents of the entire RADIUS packet


Course Contents

AAA & RADIUS Configuration (VRP 1.74)
AAA & RADIUS Configuration (VRP 3.40)


Configure AAA (VRP 3.40) - I

Create/delete an ISP domain (user names take the form userid@isp-name)

domain [ isp-name | default { disable | enable isp-name } ]

One access device may serve users of different ISPs.
Each ISP domain can be configured with its own domain attributes.
One domain can be designated as the default domain.


Configure AAA (VRP 3.40) - II

Configure Relevant Attributes of ISP Domain

The RADIUS server group to use

radius-scheme radius-scheme-name

Every ISP domain has active/block states


state { active | block }

Maximum number of supplicants


access-limit { disable | enable max-user-number }

The idle cut function


idle-cut { disable | enable minutes flow}


Configure AAA (VRP 3.40) - III

Add a Local User


[undo] local-user user-name

password { simple | cipher } password

service-type { telnet [ level level ] | ftp [ ftp-directory directory ] | lanaccess }

attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlanid | location [ nas-ip ip-address ] port portnum }

state { active | block }

Disconnect a User by Force

cut connection { all | access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }


Configure RADIUS Protocol (VRP 3.40) - I

Attributes of every RADIUS server group


IP addresses of the primary and secondary servers
Shared key
RADIUS server type

Create a RADIUS server group

radius scheme radius-server-name

Set the IP address and port number of the RADIUS server

primary { authentication | accounting } ip-address [ port-number ]
secondary { authentication | accounting } ip-address [ port-number ]


Configure RADIUS Protocol (VRP 3.40) - II

Configure the shared key of RADIUS server group

local-server nas-ip ip-address key password

Set the supported type of RADIUS server

server-type { huawei | iphotel | portal | standard }

Set RADIUS server state


state primary { accounting | authentication } { block | active }
state secondary { accounting | authentication } { block | active }

Set username format transmitted to RADIUS server

user-name-format { with-domain | without-domain }


Display and Debugging (VRP 3.40) - I

Display the information of the ISP domains.

display domain [ isp-name ]

Display information about user connections

display connection [ access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name ]

Display the information of the RADIUS server groups

display radius [ radius-server-name ]


Display and Debugging (VRP 3.40) - II

Enable RADIUS packet debugging

debugging radius packet

Enable debugging of local RADIUS server group

debugging local-server { all | error | event | packet }


AAA/RADIUS Configuration Example (VRP 3.40) - I

To control access to the VRP CLI, router RTA is configured with RADIUS.

All the supplicants belong to the default domain huawei.com.

Authentication servers (RADIUS server cluster IP addresses: 10.11.1.1, 10.11.1.2)

[Figure: topology showing the Supplicant, RTA as Authenticator, the Internet, and the RADIUS authentication servers]

AAA/RADIUS Configuration Example (VRP 3.40) - II

RADIUS authentication is performed first; then, in case of RADIUS server failure, local authentication is used.

RADIUS parameters:

Encryption key for authentication: name
Encryption key for accounting: money
Retransmit packets (5 seconds per attempt; no more than 5 times)
Real-time accounting: every 15 minutes

Domain: huawei

Local authentication user: localuser, password: localpass

AAA/RADIUS Configuration Example (VRP 3.40) - III

Create the RADIUS group radius1 and enter its configuration view:

[Quidway] radius scheme radius1

Set the IP addresses of the primary RADIUS servers:

[Quidway-radius-radius1] primary authentication 10.11.1.1
[Quidway-radius-radius1] primary accounting 10.11.1.2

Set the IP addresses of the secondary RADIUS servers:

[Quidway-radius-radius1] secondary authentication 10.11.1.2
[Quidway-radius-radius1] secondary accounting 10.11.1.1


AAA/RADIUS Configuration Example (VRP 3.40) - IV

Set the encryption key shared with the authentication RADIUS server:

[Quidway-radius-radius1] key authentication name

Set the encryption key shared with the accounting RADIUS server:

[Quidway-radius-radius1] key accounting money

Set the response timeout and the retry count for the RADIUS server:

[Quidway-radius-radius1] timer 5
[Quidway-radius-radius1] retry 5

Set the interval at which real-time accounting packets are sent to the RADIUS server:

[Quidway-radius-radius1] timer realtime-accounting 15

Send the user name to the RADIUS server with the domain name removed:

[Quidway-radius-radius1] user-name-format without-domain
[Quidway-radius-radius1] quit
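To show what the two keys configured above protect, here is an added Python example (not from the course and not Huawei's VRP code) that builds an Access-Request with the User-Password hidden under the shared key and checks a reply's Response Authenticator as RFC 2865 describes. The function names, the packet identifier and the request authenticator are constructed for this illustration; the key "name" is the page's authentication key.

```python
import hashlib
import hmac
import struct

# Constructed for this example; "name" is the key set with "key authentication name".
SHARED_KEY = b"name"


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 and XOR each block with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_authenticator: bytes) -> bytes:
    """Code 1 (Access-Request) carrying User-Name (type 1) and a hidden User-Password (type 2)."""
    hidden = hide_password(password, secret, request_authenticator)
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_authenticator + attrs


def response_authenticator(packet: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()


def build_access_accept(identifier: int, request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side: Code 2 with no attributes; the authenticator field binds it to the request."""
    header = struct.pack("!BBH", 2, identifier, 20)
    auth = response_authenticator(header + b"\x00" * 16, request_authenticator, secret)
    return header + auth


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its authenticator was computed with our shared key."""
    expected = response_authenticator(packet, request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

A reply built with a different key (for example the accounting key "money") or against a different request authenticator fails verification, which is why the authentication and accounting keys must match on both sides.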


AAA/RADIUS Configuration Example (VRP 3.40) - V

Create the user domain huawei.com:

[Quidway] domain huawei.com

Specify radius1 as the RADIUS server group for the users:

[Quidway-isp-huawei.com] radius-scheme radius1

Specify the authentication modes for this domain (RADIUS and local):

[Quidway-isp-huawei.com] scheme radius-scheme radius1 local

Add a local supplicant and set its parameters:

[Quidway] local-user localuser@huawei.com
[Quidway-user-localuser@huawei.com] password simple localpass
[Quidway-user-localuser@huawei.com] service-type telnet terminal

Then set huawei.com as the default domain to use for authentication:

[Quidway] domain default enable huawei.com
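The order this domain configures (RADIUS first, local only when the RADIUS servers give no answer at all) modelled in Python as an added example that is not part of the course material. RadiusScheme, domain_authenticate and the send callback are constructed for this illustration, and the "blocked" bookkeeping is an assumption standing in for the server state shown on the page.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Outcomes of one RADIUS exchange as seen by the NAS (labels constructed for this model).
ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"


@dataclass
class RadiusScheme:
    """Model of the page's radius1 group: primary then secondary server, with a retry count."""
    servers: List[str]                      # e.g. ["10.11.1.1", "10.11.1.2"], primary first
    retry: int = 5                          # "retry 5" from the page
    blocked: Set[str] = field(default_factory=set)   # assumption: stands in for "state ... block"

    def authenticate(self, send: Callable[[str, str, str], str],
                     user: str, password: str) -> Optional[str]:
        """Return ACCEPT or REJECT from the first server that answers; None if none does."""
        for server in self.servers:
            if server in self.blocked:
                continue
            for _ in range(self.retry):     # each attempt stands for one response timer expiry
                result = send(server, user, password)
                if result != TIMEOUT:
                    return result
            self.blocked.add(server)        # a silent server is set aside for later users
        return None


def domain_authenticate(scheme: RadiusScheme, local_users: Dict[str, str],
                        send: Callable[[str, str, str], str], user: str, password: str) -> bool:
    """'scheme radius-scheme radius1 local': the local database is consulted only when RADIUS
    gives no answer. An Access-Reject is final and never falls through to local."""
    result = scheme.authenticate(send, user, password)
    if result is not None:
        return result == ACCEPT
    return local_users.get(user) == password
```

The point to verify in the lab with "debugging radius packet" is that a rejected user is not let in by the local database; only an unreachable server group triggers the local fallback.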


AAA/RADIUS Configuration Example (VRP 3.40) - VI

Finally, set the authentication mode for the Telnet lines:

[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode scheme


Thank You
www.huawei.com
