If both RADIUS authentication and local authentication are configured, in which situation do S series switches perform local authentication


If multiple authentication modes are configured, an S series switch chooses these authentication modes in the configuration order. It uses the authentication mode that was configured later only when it does not receive any response in the current authentication. If the user fails in an authentication, the switch does not use another authentication mode.
For example, if both RADIUS authentication and local authentication are configured on a switch and the RADIUS authentication is configured first, the switch performs local authentication only when the connection with the RADIUS server times out. This rule also applies to switches configured with both HWTACACS authentication and local authentication.
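To make the selection rule concrete, the following Python model (added for this article; it is illustrative code, not switch firmware or any Huawei API) walks an ordered authentication-mode list the way the text describes: the next mode is consulted only when the current one gives no response, and a denial ends the attempt. The user names, passwords and credential stores are constructed sample values; the same function also models the hwtacacs local case discussed further down the page.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"    # the mode accepted the credentials
    REJECT = "reject"    # the mode answered with an authentication denial
    TIMEOUT = "timeout"  # no response at all (server down, network congestion)

# Constructed credential stores for the model; not real accounts.
RADIUS_USERS = {"alice": "radius-pw"}
HWTACACS_USERS = {"bob": "tacacs-pw"}
LOCAL_USERS = {"admin": "hello@123", "alice": "local-pw"}

def server_responder(db, reachable):
    """Responder for a remote server: an unreachable server never answers,
    a reachable one accepts a matching password and denies everything else."""
    def respond(user, password):
        if not reachable:
            return Result.TIMEOUT
        return Result.ACCEPT if db.get(user) == password else Result.REJECT
    return respond

def local_responder(user, password):
    """Local authentication against the switch's own user database."""
    return Result.ACCEPT if LOCAL_USERS.get(user) == password else Result.REJECT

def authenticate(modes, responders, user, password):
    """Model of 'authentication-mode <mode1> <mode2> ...'.

    Modes are consulted in the configured order. The next mode is tried only
    when the current one gives no response; ACCEPT and REJECT both end the
    attempt immediately, so a denial from the first server is final even if a
    later mode would have accepted the user. Returns the final result and the
    per-mode trace for inspection."""
    trace = []
    for mode in modes:
        result = responders[mode](user, password)
        trace.append((mode, result))
        if result is not Result.TIMEOUT:
            return result, trace
    return Result.TIMEOUT, trace

def radius_local(radius_reachable):
    """Responder set for 'authentication-mode radius local'."""
    return {"radius": server_responder(RADIUS_USERS, radius_reachable),
            "local": local_responder}

def hwtacacs_local(hwtacacs_reachable):
    """Responder set for 'authentication-mode hwtacacs local'."""
    return {"hwtacacs": server_responder(HWTACACS_USERS, hwtacacs_reachable),
            "local": local_responder}

if __name__ == "__main__":
    # RADIUS server silent: the switch falls through to local authentication.
    print(authenticate(["radius", "local"], radius_local(False), "admin", "hello@123"))
    # RADIUS server up but rejecting: no fallback, even though 'admin' exists locally.
    print(authenticate(["radius", "local"], radius_local(True), "admin", "hello@123"))
```

The trace makes the practical consequence visible: a reachable server that does not know the account produces a single REJECT and the local database is never consulted, so a local "backup" account only helps while the server is unreachable, not when it answers.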

Other related questions:
Both RADIUS authentication and local authentication are configured. Is local authentication performed when RADIUS authentication fails
The AR first performs RADIUS authentication. If RADIUS authentication fails, the AR does not perform local authentication. The AR performs local authentication only when the RADIUS server has no response.

Can S series switches perform RADIUS authentication and local authentication in master/backup mode
If RADIUS authentication is configured, you can also configure local authentication as the backup to prevent authentication failures caused by RADIUS server faults or network congestion. The configuration on an S series switch (except the S1700 switch) is as follows:
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme0
[HUAWEI-aaa-authen-scheme0] authentication-mode radius local

802.1x local authentication configuration on S series switch
For S series switches except S1700 switches, in 802.1x local authentication and authorization, user information (including the local user name, password, and attributes) is configured on the switch. 802.1x local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the switch hardware capacity.
Assume that the user connects to GE0/0/1 of the switch and belongs to VLAN 100. In addition, the user uses local authentication and can connect to the network without authorization. Configure 802.1x local authentication as follows:
1. Create VLAN 100, and add interface GE0/0/1 to this VLAN.
[HUAWEI] vlan 100 
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 100 
[HUAWEI-GigabitEthernet0/0/1] quit
2. Configure the local user and the authentication domain of the user.
[HUAWEI] aaa     
[HUAWEI-aaa] local-user huawei password cipher hello@123
[HUAWEI-aaa] local-user huawei service-type 8021x
[HUAWEI-aaa] authentication-scheme test
[HUAWEI-aaa-authen-test] authentication-mode local
[HUAWEI-aaa-authen-test] quit
[HUAWEI-aaa] authorization-scheme test
[HUAWEI-aaa-author-test] authorization-mode none
[HUAWEI-aaa-author-test] quit
[HUAWEI-aaa] domain default_admin
[HUAWEI-aaa-domain-default_admin] authentication-scheme test
[HUAWEI-aaa-domain-default_admin] authorization-scheme test
3. Enable 802.1x authentication globally and on a specified interface.
a. Traditional mode (applicable to all versions)
[HUAWEI] undo authentication unified-mode  //Switch to the traditional mode (This configuration applies only to V200R005C00 and later versions.)
[HUAWEI] quit
<HUAWEI> reboot   //This configuration applies only to V200R005C00 and later versions.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x authentication-method eap
b. Unified mode (applicable to V200R005C00 and later versions)
[HUAWEI] authentication unified-mode 
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication dot1x
[HUAWEI-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100

Do S series switches perform local authentication when authentication accounts do not exist on the HWTACACS server
After the authentication-mode hwtacacs local command is executed on an S series switch to configure the authentication mode, the switch starts local authentication after the HWTACACS server does not respond. If an authentication account does not exist on an HWTACACS server, the server returns an authentication denial packet to the switch. In this case, the switch does not perform local authentication.

When both RADIUS authentication and local authentication are configured on an S series switch, why is a user disconnected after more than 10s
When both RADIUS authentication and local authentication are configured on an S series switch, the switch performs local authentication if it does not receive any response from the RADIUS server for some reason (for example, the RADIUS server fails). In the following configuration file, RADIUS authentication and accounting are configured on the switch. The user logs in successfully through local authentication, but RADIUS accounting fails because the RADIUS server does not respond. Therefore, the user is disconnected.
#
radius-server template rad  //Configure a RADIUS server template.
 radius-server shared-key cipher %#%#HN!rP_Lc1<+L+H/&YUzN]CBy;_09Z>9T5\.k{T1/%#%#
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server accounting 10.7.66.66 1813 weight 80
#
aaa
 authentication-scheme default
  authentication-mode radius local  //Configure the authentication scheme default and set the authentication modes to RADIUS authentication and local authentication.
 authorization-scheme default
 accounting-scheme default
  accounting-mode radius  //Configure the accounting scheme default and set the accounting method to RADIUS accounting.
 domain default
 domain default_admin
  radius-server rad  //Apply the RADIUS server template to the global default administrative domain. By default, the domain uses the authentication scheme default and accounting scheme default.
 local-user user1 password cipher %#%#9X%T3y\jN;_&5(FU-B4P;);/tc^%VI\mA1KeeH%#%#
 local-user user1 privilege level 15
 local-user user1 service-type telnet terminal
#
Solution:
- For administrators (logging in through Telnet, SSH, FTP, HTTP, or terminals), accounting is not required, so the RADIUS accounting configuration can be deleted.
- For non-administrator users, run the accounting start-fail online command in the accounting scheme view. After the command is executed, users are not disconnected if accounting fails. However, accounting results are inaccurate.
Before using this method, ensure that service will not be affected.
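The disconnect above is easy to spot in a configuration file before it bites: a remote-then-local authentication chain combined with remote accounting and no accounting start-fail online. The following Python checker is an added example written for this article, not a Huawei tool; it parses the aaa section of a Huawei-style configuration file (nesting is taken from the one-space-per-view indentation) and reports domains with that combination. The configuration text is a constructed sample modelled on the scenario above, and the assumption that a domain falls back to the schemes named default comes from the comment in that configuration.

```python
# Constructed configuration excerpt modelled on the scenario in this article
# (addresses and scheme names are sample values, not a real device's config).
SAMPLE_CONFIG = """\
#
radius-server template rad
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server accounting 10.7.66.66 1813 weight 80
#
aaa
 authentication-scheme default
  authentication-mode radius local
 authorization-scheme default
 accounting-scheme default
  accounting-mode radius
 domain default_admin
  radius-server rad
#
"""

REMOTE_MODES = ("radius", "hwtacacs")

def parse_aaa(config):
    """Parse the aaa section of a Huawei-style configuration file.

    A line belongs to the most recent view whose indentation is smaller than
    its own. Returns (authentication schemes, accounting schemes, domains)."""
    auth = {}      # scheme name -> list of authentication modes, in order
    acct = {}      # scheme name -> {"mode": str | None, "start_fail_online": bool}
    domains = {}   # domain name -> {"auth": scheme, "acct": scheme}
    view = None    # (kind, name, indent) of the view we are currently inside
    for raw in config.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        words = raw.split()
        if not words:
            continue
        if view is not None and indent <= view[2]:
            view = None                      # dedent: we left the nested view
        kw = words[0]
        if view is None:
            if kw == "authentication-scheme":
                auth.setdefault(words[1], [])
                view = ("auth", words[1], indent)
            elif kw == "accounting-scheme":
                acct.setdefault(words[1], {"mode": None, "start_fail_online": False})
                view = ("acct", words[1], indent)
            elif kw == "domain":
                # Assumption from the article: a domain uses the schemes named
                # default unless it binds others explicitly.
                domains.setdefault(words[1], {"auth": "default", "acct": "default"})
                view = ("domain", words[1], indent)
            continue
        kind, name, _ = view
        if kind == "auth" and kw == "authentication-mode":
            auth[name] = words[1:]
        elif kind == "acct" and kw == "accounting-mode":
            acct[name]["mode"] = words[1]
        elif kind == "acct" and words[:3] == ["accounting", "start-fail", "online"]:
            acct[name]["start_fail_online"] = True
        elif kind == "domain" and kw == "authentication-scheme":
            domains[name]["auth"] = words[1]
        elif kind == "domain" and kw == "accounting-scheme":
            domains[name]["acct"] = words[1]
    return auth, acct, domains

def check_accounting_fallback(config):
    """Flag domains where a remote-then-local authentication chain is paired
    with remote accounting and no 'accounting start-fail online': a user who
    was admitted by local fallback (remote server silent) then fails accounting
    start against the same silent server and is disconnected."""
    auth, acct, domains = parse_aaa(config)
    findings = []
    for dom, bound in domains.items():
        modes = auth.get(bound["auth"], [])
        scheme = acct.get(bound["acct"], {"mode": None, "start_fail_online": False})
        remote_then_local = bool(modes) and modes[0] in REMOTE_MODES and "local" in modes[1:]
        remote_accounting = scheme["mode"] in REMOTE_MODES
        if remote_then_local and remote_accounting and not scheme["start_fail_online"]:
            findings.append(
                f"domain {dom}: authentication-mode {' '.join(modes)} with "
                f"accounting-mode {scheme['mode']} but no 'accounting start-fail online'; "
                f"local-fallback logins are dropped when accounting start gets no reply")
    return findings

if __name__ == "__main__":
    for finding in check_accounting_fallback(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved configuration file after any AAA change; a clean result means every domain that can admit users through local fallback either does no remote accounting or keeps them online when accounting start fails.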
