Configure S series switches to send user names without a domain name to the RADIUS server for authentication


For S series switches (except S1700 switches), the format of a user name is user name@domain name. In the user name, @ is the domain name delimiter; any of the following symbols can also serve as the delimiter: \ / : < > | ' %.
By default, a switch does not modify the user name entered by the user in the packets sent to the RADIUS server.
If the RADIUS server does not accept user names with domain names, users who enter user names with domain names fail the RADIUS authentication. To solve the problem, perform the following configuration on the switch to make the switch send user names without domain names to the RADIUS server.
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] undo radius-server user-name domain-included
Note: You can modify this configuration only when the RADIUS server template is not in use.
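To make the effect of the two settings concrete, the following added example (not Huawei code) simulates how the switch builds the RADIUS User-Name from what the user typed and checks it against a constructed RADIUS user store. The delimiter list comes from the text above; the function names, the assumption that only the one configured delimiter is honoured with the domain following it, and the sample users are assumptions made for illustration.

```python
# Added example, not Huawei code: models the "radius-server user-name
# domain-included" setting of an S series switch. Delimiter list is from the
# page; function names, sample users and the single-active-delimiter
# assumption are constructed for illustration.

# Symbols the page lists as possible domain name delimiters ("@" is the default).
DOMAIN_DELIMITERS = "@\\/:<>|'%"


def split_user_name(entered, delimiter="@"):
    """Split 'user<delimiter>domain' into (user, domain); domain is '' if absent.
    Assumption: only the configured delimiter is honoured, domain after it."""
    if delimiter not in DOMAIN_DELIMITERS:
        raise ValueError(f"unsupported delimiter {delimiter!r}")
    user, _sep, domain = entered.partition(delimiter)
    return user, domain


def radius_user_name(entered, domain_included=True, delimiter="@"):
    """Name the switch puts in the RADIUS User-Name attribute.
    domain_included=True  -> 'radius-server user-name domain-included' (default)
    domain_included=False -> 'undo radius-server user-name domain-included'"""
    if domain_included:
        return entered  # default: entered name is forwarded unchanged
    user, _domain = split_user_name(entered, delimiter)
    return user


def radius_accepts(entered, server_users, domain_included=True, delimiter="@"):
    """True if the name the switch sends exists in the server's user store."""
    return radius_user_name(entered, domain_included, delimiter) in server_users


def mismatch_diagnosis(entered, server_users, delimiter="@"):
    """Which switch setting makes the lookup succeed (the troubleshooting
    decision described on the page), or report that the user is absent."""
    if radius_accepts(entered, server_users, True, delimiter):
        return "keep domain-included"
    if radius_accepts(entered, server_users, False, delimiter):
        return "run undo radius-server user-name domain-included"
    return "user missing on server"


# Constructed sample: this RADIUS server stores bare user names only.
SERVER_USERS = {"alice": "secret", "bob": "secret"}

if __name__ == "__main__":
    for name in ("alice@corp", "alice", "carol@corp"):
        print(name, "->", radius_user_name(name, False),
              "|", mismatch_diagnosis(name, SERVER_USERS))
```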

Other related questions:
During remote authentication of login to an S series switch, authentication fails because of an incorrect user name and password according to the debugging information. Actually, the user name and password are configured on the authentication server. What are the causes?
For S series switches, this problem occurs because the user name contains the domain name. Check whether the user name configured on the authentication server contains the domain name.
  • If the user name contains the domain name, run the radius-server user-name domain-included command in the RADIUS server template view or the hwtacacs-server user-name domain-included command in the HWTACACS server template view.
  • If the user name does not contain the domain name, run the undo radius-server user-name domain-included command in the RADIUS server template view or the undo hwtacacs-server user-name domain-included command in the HWTACACS server template view.

Users on an internal network cannot access internal servers using domain names. Why?
When a user device accesses the internal server using a domain name, whether the domain name contains the host name varies. Therefore, you have to configure different DNS domain names in the following two situations. For example, you want to access the domain name www.hbjs.gov.cn.
  • When the DNS Request packet sent by the user device contains the host name, that is, the user device uses the domain name www.hbjs.gov.cn to access the internal server, run the nat dns-map www.hbjs.gov.cn global-address global-port { tcp | udp } command.
  • When the DNS Request packet sent by the user device does not contain the host name, that is, the user device uses the domain name hbjs.gov.cn to access the internal server, run the nat dns-map hbjs.gov.cn global-address global-port { tcp | udp } command.
NOTE: If you are not sure whether the DNS Request packet sent by the device contains the host name or not, it is recommended that you configure both of the preceding commands.


Can authentication-free domain names be configured for Portal authentication on the AC?
From V200R006, ACs support authentication-free domain names for Portal authentication. Network access rights of users can be configured through ACLs. If the administrator wants to control a user's access to a domain name, configure the user's access rights to the IP address corresponding to the domain name. If the domain name corresponds to multiple IP addresses, maintenance becomes complicated for the administrator. In this case, configure a global domain name. Access rights control can then be implemented directly through the global domain name in the ACL.
1. Enter the system view, and configure a global domain name.
system-view
[AC6605] passthrough-domain name weixin.com id 1
2. Create a user ACL, and allow access to the global domain name in the ACL.
system-view
[AC6605] acl number 6001
[AC6605-acl-adv-6001] rule permit ip source user-group name user1
