Method used to configure RADIUS authentication on the AR

12

RADIUS authentication is a remote authentication mode. An access device used as a RADIUS client collects user information (such as the user name and password) and sends the user information to a remote RADIUS server (AAA server). The RADIUS server authenticates users based on the information, and performs authorization and accounting for the users after the users are authenticated. The RADIUS server uniformly authenticates and manages (such as accounting) users to ensure network security.

Other related questions:
Does the AR used as the LNS support RADIUS authentication
The AR that functions as the L2TP network server (LNS) supports RADIUS authentication.

Method used to configure the NAS-Initialized VPN (RADIUS authentication) on the USG2000 and USG5000
The method used to configure the NAS-Initialized VPN (RADIUS authentication) on the USG2000 and USG5000 is as follows: A user connects to the LAC based on PPPoE and is authenticated by the RADIUS server. 1. Configure the LAC. a. Configure the default route. Assume that the next hop address on the path from the LAC to the LNS is 202.38.160.2. system-view [USG] sysname LAC [LAC] ip route-static 0.0.0.0 0.0.0.0 202.38.160.2 b. Create the virtual interface template and bind it with the interface. [LAC] interface Virtual-Template 1 [LAC-Virtual-Template1] ppp authentication-mode chap [LAC-Virtual-Template1] quit [LAC] interface GigabitEthernet 0/0/5 [LAC-GigabitEthernet0/0/5] pppoe-server bind virtual-template 1 [LAC-GigabitEthernet0/0/5] quit Note: You need to bind the virtual interface template with the interface that is connected to the dial-up user, so as to achieve the PPPoE Server function. c. Enable the L2TP. [LAC] l2tp enable d. Create and configure the L2TP group. [LAC] l2tp-group 1 [LAC-l2tp1] start l2tp ip 202.38.161.1 domain net1 [LAC-l2tp1] tunnel authentication [LAC-l2tp1] tunnel password cipher Hello123 [LAC-l2tp1] tunnel name LAC [LAC-l2tp1] quit e. Create the authentication scheme. [LAC] aaa [LAC-aaa] authentication-scheme auth1 [LAC-aaa-authen-auth1] authentication-mode radius [LAC-aaa-authen-auth1] return f. Configure the RADIUS template. system-view [LAC] radius-server template temp [LAC-radius-temp] radius-server authentication 10.1.1.2 1812 [LAC-radius-temp] radius-server user-name domain-included g. By default, the radius-server user-name domain-included command has been configured. [LAC-radius-temp] radius-server shared-key key1 [LAC-radius-temp] quit h. Configure the domain, and apply the RADIUS template and authentication scheme. [LAC] aaa [LAC-aaa] domain net1 [LAC-aaa-domain-net1] authentication-scheme auth1 [LAC-aaa-domain-net1] radius-server temp [LAC-aaa-domain-net1] quit 2. Configure the LNS. a. Create the virtual interface template. system-view [USG] sysname LNS [LNS] interface Virtual-Template 1 b. Configure the virtual interface template. [LNS-Virtual-Template1] ip address 10.2.1.1 24 [LNS-Virtual-Template1] ppp authentication-mode chap [LNS-Virtual-Template1] quit c. Enable the L2TP. [LNS] l2tp enable d. Create and configure the L2TP group. [LNS] l2tp-group 1 [LNS-l2tp1] allow l2tp virtual-template 1 [LNS-l2tp1] tunnel authentication [LAC-l2tp1] tunnel name LNS [LNS-l2tp1] tunnel password cipher Hello123 [LNS-l2tp1] quit a. Create the authentication scheme. [LNS] aaa [LNS-aaa] authentication-scheme auth1 [LNS-aaa-authen-auth1] authentication-mode radius [LNS-aaa-authen-auth1] return b. Configure the RADIUS template. system-view [LNS] radius-server template temp [LNS-radius-temp] radius-server authentication 10.1.2.2 1812 [LNS-radius-temp] radius-server user-name domain-included c. By default, the radius-server user-name domain-included command has been configured. [LNS-radius-temp] radius-server shared-key key1 [LNS-radius-temp] quit d. Configure the domain, and apply the RADIUS template and authentication scheme. [LNS] aaa [LNS-aaa] domain net1 [LNS-aaa-domain-net1] authentication-scheme auth1 [LNS-aaa-domain-net1] radius-server temp e. Configure the IP address pool. [LNS-aaa-domain-net1] ip pool 1 10.2.1.2 10.2.1.99 [LNS-aaa-domain-net1] quit f. Allocate an address in the IP address pool to the peer interface. [LNS] interface virtual-template 1 [LNS-Virtual-Template1] remote address pool 1 [LNS-Virtual-Template1] quit

How to configure the RADIUS authentication shared key on an S series switch
The RADIUS shared key is used to encrypt packets exchanged between an access device and a RADIUS server, ensuring security of packet transmission. The RADIUS shared key configured on the access device must be the same as that configured on the RADIUS server. If an S series switch (a non-S1700 switch) functions as an access device, configure the RADIUS shared key as follows: [HUAWEI] radius-server template shiva [HUAWEI-radius-shiva] radius-server shared-key cipher Huawei@2012

Both RADIUS authentication and local authentication are configured. Is local authentication performed when RADIUS authentication fails
The AR first performs RADIUS authentication. If RADIUS authentication fails, the AR does not perform local authentication. The AR performs local authentication only when the RADIUS server has no response.

Why does RADIUS authentication fail when the RADIUS server template and RADIUS server are properly configured
This problem has the following possible causes: -The IP address of the router (a RADIUS client) is not configured on the RADIUS server, so the RADIUS server cannot send an authentication response packet to the router. -Different shared keys are configured on the router and the RADIUS server.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top