Local authentication configuration on S series switch


Local authentication means that an access switch functions as an AAA server to authenticate and authorize access users. In local authentication, user information, including the user name, password, and other attributes, is configured on the access switch. This mode provides fast processing and low operation cost. The major limitation of local authentication is that information storage is subject to the device hardware capacity.
On an S series switch, except S1700, local authentication can be performed on both administrators and other users. The implementations on different models are the same. For the configuration methods, see Example for Configuring Authentication for Telnet Login Users (AAA Local Authentication) in the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
The configurations for administrators and other users are the same.

Other related questions:
802.1x local authentication configuration on S series switch
For S series switches except S1700 switches, in 802.1x local authentication and authorization, user information (including the local user name, password, and attributes) is configured on the switch. 802.1x local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the switch hardware capacity.
Assume that the user connects to GE0/0/1 of the switch and belongs to VLAN 100. In addition, the user uses local authentication and can connect to the network without authorization. Configure 802.1x local authentication as follows:
1. Create VLAN 100, and add interface GE0/0/1 to this VLAN.
[HUAWEI] vlan 100 
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 100 
[HUAWEI-GigabitEthernet0/0/1] quit
2. Configure the local user and the authentication domain of the user.
[HUAWEI] aaa     
[HUAWEI-aaa] local-user huawei password cipher hello@123
[HUAWEI-aaa] local-user huawei service-type 8021x
[HUAWEI-aaa] authentication-scheme test
[HUAWEI-aaa-authen-test] authentication-mode local
[HUAWEI-aaa-authen-test] quit
[HUAWEI-aaa] authorization-scheme test
[HUAWEI-aaa-author-test] authorization-mode none
[HUAWEI-aaa-author-test] quit
[HUAWEI-aaa] domain default_admin
[HUAWEI-aaa-domain-default_admin] authentication-scheme test
[HUAWEI-aaa-domain-default_admin] authorization-scheme test
3. Enable 802.1x authentication globally and on a specified interface.
a. Traditional mode (applicable to all versions)
[HUAWEI] undo authentication unified-mode  //Switch to the traditional mode (This configuration applies only to V200R005C00 and later versions.)
[HUAWEI] quit
<HUAWEI> reboot   //This configuration applies only to V200R005C00 and later versions.
<HUAWEI> system-view   //Required only after the reboot above, to return to the system view.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x authentication-method eap
b. Unified mode (applicable to V200R005C00 and later versions)
[HUAWEI] authentication unified-mode 
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication dot1x
[HUAWEI-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100

If both RADIUS authentication and local authentication are configured, in which situation do S series switches perform local authentication?
If multiple authentication modes are configured, an S series switch tries them in the order in which they were configured. It moves on to a mode that was configured later only when it does not receive any response in the current authentication. If the user fails in an authentication, the switch does not use another authentication mode. For example, if both RADIUS authentication and local authentication are configured on a switch and the RADIUS authentication is configured first, the switch performs local authentication only when the connection with the RADIUS server times out. This rule also applies to switches configured with both HWTACACS authentication and local authentication.
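The fallback rule described above, modelled as a short Python sketch. This is an added example, not Huawei code: the names `Outcome`, `authenticate` and `local_fallback_events` and the sample events are constructed for illustration, and denying access when no mode answers is an assumption of the sketch. It also shows how to pick out logins that were decided by the local database because the remote server was silent, which is the window in which the switch's local accounts are the only gate.

```python
from enum import Enum

class Outcome(Enum):
    ACCEPT = "accept"            # server/database validated the credentials
    REJECT = "reject"            # server/database answered: credentials invalid
    NO_RESPONSE = "no_response"  # e.g. the RADIUS server timed out

def authenticate(mode_order, outcomes):
    """Try modes in configured order; move to the next one only when the
    current mode gives no response (the rule stated in the text).

    mode_order: tuple such as ("radius", "local"), mirroring the order in
                'authentication-mode radius local'.
    outcomes:   constructed input mapping each mode to an Outcome.
    Returns (granted, deciding_mode, modes_tried).
    """
    tried = []
    for mode in mode_order:
        tried.append(mode)
        outcome = outcomes[mode]
        if outcome is Outcome.NO_RESPONSE:
            continue  # only an unanswered request falls through
        return outcome is Outcome.ACCEPT, mode, tried
    # Assumption of this sketch: if no mode answers, access is denied.
    return False, None, tried

def local_fallback_events(events, mode_order=("radius", "local")):
    """Return users admitted by 'local' although a remote mode is configured
    first, i.e. logins that succeeded while that server was not responding."""
    flagged = []
    for user, outcomes in events:
        granted, mode, _ = authenticate(mode_order, outcomes)
        if granted and mode == "local" and mode_order[0] != "local":
            flagged.append(user)
    return flagged

# Constructed sample events (not from the page): (user, outcome per mode).
SAMPLE_EVENTS = [
    ("alice", {"radius": Outcome.ACCEPT, "local": Outcome.REJECT}),
    ("bob", {"radius": Outcome.REJECT, "local": Outcome.ACCEPT}),
    ("huawei", {"radius": Outcome.NO_RESPONSE, "local": Outcome.ACCEPT}),
]

if __name__ == "__main__":
    for user, outcomes in SAMPLE_EVENTS:
        print(user, authenticate(("radius", "local"), outcomes))
    print("decided by local fallback:", local_fallback_events(SAMPLE_EVENTS))
```

In the sample, `bob` is rejected by RADIUS and is never checked against the local database, while `huawei` is admitted locally only because RADIUS did not answer.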

How to configure local 802.1x authentication
In local authentication and authorization, user information including the local user name, password, and attributes is configured on an AR. In this mode, the AR provides fast processing and low operation cost, whereas the amount of information that can be stored is limited by the AR hardware capacity.
An example is used here to describe local 802.1x authentication. Assume that a user connects to GE1/0/0 on an AR and belongs to VLAN 100. Local authentication is used, and the user can access the Internet without authorization.
1. Create VLAN 100 and add GE1/0/0 to VLAN 100.
[Huawei] vlan batch 100
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] port link-type access
[Huawei-GigabitEthernet1/0/0] port default vlan 100
[Huawei-GigabitEthernet1/0/0] quit
2. Configure a local user, AAA schemes, and AAA domain.
[Huawei] aaa
[Huawei-aaa] local-user huawei password cipher hello@123
[Huawei-aaa] local-user huawei service-type 8021x
[Huawei-aaa] authentication-scheme test
[Huawei-aaa-authen-test] authentication-mode local
[Huawei-aaa-authen-test] quit
[Huawei-aaa] authorization-scheme test
[Huawei-aaa-author-test] authorization-mode none
[Huawei-aaa-author-test] quit
[Huawei-aaa] domain default_admin
[Huawei-aaa-domain-default_admin] authentication-scheme test
[Huawei-aaa-domain-default_admin] authorization-scheme test
3. Enable 802.1x authentication globally and on an interface.
[Huawei] dot1x enable
[Huawei] interface gigabitethernet1/0/0
[Huawei-GigabitEthernet1/0/0] dot1x enable

Can S series switches perform RADIUS authentication and local authentication in master/backup mode?
If RADIUS authentication is configured, you can also configure local authentication as the backup to prevent authentication failures caused by RADIUS server faults or network congestion. The configuration on an S series switch (except the S1700 switch) is as follows:
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme0
[HUAWEI-aaa-authen-scheme0] authentication-mode radius local
