OBJECTIVE
The purpose of this post is to present, in practice, a real switch configuration with authentication via a RADIUS server.
Networking Requirements
As shown in Figure 1, users belong to the domain huawei. Switch functions as the network access server on the destination network, providing access to users only after they are remotely authenticated by the server. The remote authentication on Switch is described as follows:
The RADIUS server will authenticate access users for Switch. If RADIUS authentication fails, local authentication is used.
The RADIUS servers at 192.168.61.6/24 function as the primary and secondary authentication and accounting servers, respectively. The default authentication port and accounting port are 1812 and 1813, respectively.

Figure 1 - Networking diagram of RADIUS authentication and accounting
Procedure
Step 1 - Configure a RADIUS server template.
# Configure a RADIUS template named ACME.

# Set the IP address and port numbers for the primary RADIUS authentication and accounting server.

# Set the shared key and retransmission count for the RADIUS server, and configure the device not to encapsulate the domain name in the user name when sending RADIUS packets to the RADIUS server.

Step 2 - Configure authentication and accounting schemes.
# Create an authentication scheme named auth. Configure the authentication scheme to use RADIUS authentication as the active authentication mode and local authentication as the backup.

# Create an accounting scheme named acc, and configure the accounting scheme to use the RADIUS accounting mode. Configure a policy for the device to keep users online upon accounting-start failures.

Step 3 - Create a domain named huawei, and apply the authentication scheme auth, accounting scheme acc, and RADIUS server template ACME to the domain.

Step 4 - Set the domain huawei to the global default domain.

Step 5 - Configure local authentication.

Step 6 - Verify the configuration.
# Run the display radius-server configuration template template-name command on Switch to verify the RADIUS server template configuration.

Step 7 - Checking users on the RADIUS Server.

In the practical example, I will be using a FreeRADIUS server with the address 192.168.61.6/24.
Step 8 - Logging in to the switch as a RADIUS user


In the practical example, we will log in to the switch as users registered in RADIUS.
Step 9 - Checking the authentication log on the RADIUS server

In the practical example, we will be checking the authentication log on the RADIUS server.
Step 10 - Checking user information on the Switch
# Run the display access-user user andersoncf detail command on Switch to verify the user authentication and method.

# Run the display access-user user huawei detail command on Switch to verify the user authentication and method.

To close our practical case, we validate on the switch that the users have been authenticated via the RADIUS method.
Remember that if the server is out for some reason, authentication will be done via the local user, which in our example is the user "user1" that was added earlier. In another post I test the failure of RADIUS and authentication via the local user, so as not to overload this practical example with too much information.
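The configuration described in Steps 1 to 6, gathered into one CLI session as an added example that is not taken from the original post. It uses standard Huawei VRP commands; the values in angle brackets (shared key, retransmission count, local password, service type) are placeholders, because the post does not state them.

```text
<Switch> system-view
# Step 1: RADIUS server template ACME, server 192.168.61.6, default ports.
[Switch] radius-server template ACME
[Switch-radius-ACME] radius-server authentication 192.168.61.6 1812
[Switch-radius-ACME] radius-server accounting 192.168.61.6 1813
# "cipher" stores the shared key encrypted in the configuration file.
# The same key must be set for this switch in the RADIUS server's client list.
[Switch-radius-ACME] radius-server shared-key cipher <shared-key>
[Switch-radius-ACME] radius-server retransmit <count>
# Send "user" rather than "user@huawei" to the RADIUS server.
[Switch-radius-ACME] undo radius-server user-name domain-included
[Switch-radius-ACME] quit
# Step 2: authentication scheme auth, accounting scheme acc.
[Switch] aaa
[Switch-aaa] authentication-scheme auth
# Local authentication is the backup: it is tried when the RADIUS server
# does not respond. A reject from the RADIUS server is final.
[Switch-aaa-authen-auth] authentication-mode radius local
[Switch-aaa-authen-auth] quit
[Switch-aaa] accounting-scheme acc
[Switch-aaa-accounting-acc] accounting-mode radius
# Keep the user online even if the accounting-start request fails.
[Switch-aaa-accounting-acc] accounting start-fail online
[Switch-aaa-accounting-acc] quit
# Step 3: bind both schemes and the template to the domain huawei.
[Switch-aaa] domain huawei
[Switch-aaa-domain-huawei] authentication-scheme auth
[Switch-aaa-domain-huawei] accounting-scheme acc
[Switch-aaa-domain-huawei] radius-server ACME
[Switch-aaa-domain-huawei] quit
[Switch-aaa] quit
# Step 4: make huawei the global default domain.
[Switch] domain huawei
# Step 5: local backup user; the password is stored as an irreversible hash.
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher <local-password>
[Switch-aaa] local-user user1 service-type <service-type>
[Switch-aaa] quit
# Step 6: verify the template.
[Switch] display radius-server configuration template ACME
```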
--- End



