RADIUS authentication configuration on S series switch


RADIUS authentication is a remote authentication mode. An access device acting as a RADIUS client collects user information (such as the user name and password) and sends it to a remote RADIUS server (AAA server). The RADIUS server authenticates users according to this information and, after the users are authenticated, performs authorization and accounting for them. The RADIUS server uniformly authenticates and manages (for example, charges) users to ensure network security.
On S series switches except the S1700, RADIUS authentication can be performed for both administrators and other users. The implementation is the same across models. For the configuration methods, see Example for Configuring Authentication for Telnet Login Users (RADIUS Authentication) and Example for Configuring 802.1x Authentication to Control Internal User Access in the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.

Other related questions:
Can S series switches perform RADIUS authentication and local authentication in master/backup mode?
If RADIUS authentication is configured, you can also configure local authentication as the backup to prevent authentication failures caused by RADIUS server faults or network congestion. The configuration on an S series switch (except the S1700 switch) is as follows:
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme0
[HUAWEI-aaa-authen-scheme0] authentication-mode radius local

Prevent users failing RADIUS authentication from logging in to S series switches
Administrative users can log in to S series switches (except S1700 switches) after they pass RADIUS authentication. Their user accounts are configured on the remote RADIUS server rather than in the AAA view of the local switch. The methods of configuring switches to allow administrative users to log in after they pass RADIUS authentication are similar across models.

Configure S series switches to send user names without a domain name to the RADIUS server for authentication
For S series switches (except S1700 switches), the format of a user name is user name@domain name. In the user name, @ is the domain name delimiter, which can also be any of the following symbols: \ / : < > | ' %. By default, a switch does not modify the user name entered by the user in the packets sent to the RADIUS server. If the RADIUS server does not accept user names with domain names, users who enter user names with domain names fail RADIUS authentication. To solve the problem, perform the following configuration on the switch so that it sends user names without domain names to the RADIUS server:
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] undo radius-server user-name domain-included
Note: You can modify this configuration only when the RADIUS server template is not in use.

If both RADIUS authentication and local authentication are configured, in which situation do S series switches perform local authentication?
If multiple authentication modes are configured, an S series switch tries them in the order in which they were configured. It falls back to the next configured mode only when it receives no response from the current one. If a user fails authentication, the switch does not try another authentication mode. For example, if both RADIUS authentication and local authentication are configured on a switch and RADIUS authentication is configured first, the switch performs local authentication only when the connection to the RADIUS server times out. This rule also applies to switches configured with both HWTACACS authentication and local authentication.
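The three answers above fit together into one administrator-login configuration. The following is an added example written for this page, not configuration taken from the Huawei documentation it refers to: the server address, the shared key, the local-password placeholder and the account name backupadmin are assumptions, and lines starting with # are explanatory comments rather than commands to type. Because of the fall-through rule described above, the local account is reachable only when the RADIUS server does not answer, so a RADIUS reject cannot be turned into a local login.

```text
# Constructed example: 192.0.2.10 and the two <...> placeholders must be replaced.
<HUAWEI> system-view
[HUAWEI] radius-server template template1
# RADIUS server address and standard authentication/accounting ports
[HUAWEI-radius-template1] radius-server authentication 192.0.2.10 1812
[HUAWEI-radius-template1] radius-server accounting 192.0.2.10 1813
[HUAWEI-radius-template1] radius-server shared-key cipher <shared-key-placeholder>
# Send the bare user name: strips "@domain" before the request leaves the switch
[HUAWEI-radius-template1] undo radius-server user-name domain-included
[HUAWEI-radius-template1] quit
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme0
# RADIUS first; local is tried only if RADIUS does not respond (timeout), never on a reject
[HUAWEI-aaa-authen-scheme0] authentication-mode radius local
[HUAWEI-aaa-authen-scheme0] quit
# Bind the scheme and the RADIUS template to the administrator domain
[HUAWEI-aaa] domain default_admin
[HUAWEI-aaa-domain-default_admin] authentication-scheme scheme0
[HUAWEI-aaa-domain-default_admin] radius-server template1
[HUAWEI-aaa-domain-default_admin] quit
# Local backup account, usable only while the RADIUS server is unreachable
[HUAWEI-aaa] local-user backupadmin password irreversible-cipher <local-password-placeholder>
[HUAWEI-aaa] local-user backupadmin service-type telnet ssh
[HUAWEI-aaa] local-user backupadmin privilege level 15
[HUAWEI-aaa] quit
# Make the VTY lines authenticate through AAA instead of a line password
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] quit
```

The password keyword (irreversible-cipher versus cipher) depends on the VRP version, and the undo radius-server user-name domain-included command is accepted only while template1 is not yet bound to a domain.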
