
Example for Configuring RADIUS Authentication and Accounting - In Practice Highlighted

Latest reply: Jun 14, 2021 17:20:46

OBJECTIVE


The purpose of this post is to present a real switch configuration with RADIUS server authentication, as applied in practice.


Networking Requirements


As shown in Figure 1, users belong to the domain huawei. The Switch functions as the network access server (NAS) on the destination network and grants access only to users who have been authenticated by the remote RADIUS server. Remote authentication on the Switch works as follows:


The RADIUS server authenticates access users on behalf of the Switch. If the RADIUS server does not respond (for example because it is unreachable), the Switch falls back to local authentication. Note the limit of this fallback: an explicit Access-Reject from the RADIUS server is final and does not trigger local authentication, so the local account only helps when the server is down, not when a RADIUS user's credentials are wrong.


The RADIUS server at 192.168.61.6/24 functions as both the authentication server and the accounting server. The default authentication port and accounting port are 1812 and 1813, respectively.

Figure 1 - Networking diagram of RADIUS authentication and accounting



Procedure


Step 1 - Configure a RADIUS server template.


# Configure a RADIUS template named ACME.




# Set the IP address and port numbers for the primary RADIUS authentication and accounting server.




# Set the shared key and retransmission count for the RADIUS server, and configure the device not to include the domain name in the user name sent to the RADIUS server (the server then sees "andersoncf", not "andersoncf@huawei").




Step 2 - Configure authentication and accounting schemes.


# Create an authentication scheme named auth. Configure the authentication scheme to use RADIUS authentication as the active authentication mode and local authentication as the backup.




# Create an accounting scheme named acc, and configure the accounting scheme to use the RADIUS accounting mode. Configure a policy for the device to keep users online upon accounting-start failures.




Step 3 - Create a domain named huawei, and apply the authentication scheme auth, accounting scheme acc, and RADIUS server template ACME to the domain.




Step 4 - Set the domain huawei to the global default domain.




Step 5 - Configure a local user for backup (local) authentication.




Step 6 - Verify the configuration.


# Run the display radius-server configuration template ACME command on the Switch to verify the RADIUS server template configuration.


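The switch-side configuration that Steps 1 to 6 describe, written out in full as an added example (the original post showed these commands as screenshots; this block is not one of them and is not Huawei's own documentation example). It uses the S-series (VRP) command syntax. Values the post gives are kept: template ACME, server 192.168.61.6 on ports 1812/1813, schemes auth and acc, domain huawei, local user user1. The shared key, retransmit count, passwords, privilege level, the VTY range and the test user's password are assumptions, marked as such in the comments.

```text
# Switch side (Huawei S-series, VRP). Values the post does not specify are marked ASSUMED.
<HUAWEI> system-view
[HUAWEI] sysname Switch

# Step 1 - RADIUS server template ACME: one server, 192.168.61.6, is both the
# authentication (1812) and the accounting (1813) server.
[Switch] radius-server template ACME
[Switch-radius-ACME] radius-server authentication 192.168.61.6 1812
[Switch-radius-ACME] radius-server accounting 192.168.61.6 1813
[Switch-radius-ACME] radius-server shared-key cipher Huawei@2021      # ASSUMED key; must match the server's client secret
[Switch-radius-ACME] radius-server retransmit 2                        # ASSUMED retransmission count
[Switch-radius-ACME] undo radius-server user-name domain-included      # send "andersoncf", not "andersoncf@huawei"
[Switch-radius-ACME] quit

# Step 2 - Authentication and accounting schemes
[Switch] aaa
[Switch-aaa] authentication-scheme auth
[Switch-aaa-authen-auth] authentication-mode radius local              # RADIUS first; local only when no server responds
[Switch-aaa-authen-auth] quit
[Switch-aaa] accounting-scheme acc
[Switch-aaa-accounting-acc] accounting-mode radius
[Switch-aaa-accounting-acc] accounting start-fail online               # keep the user online if Accounting-Start fails
[Switch-aaa-accounting-acc] quit

# Step 3 - Domain huawei binds the two schemes and the template
[Switch-aaa] domain huawei
[Switch-aaa-domain-huawei] authentication-scheme auth
[Switch-aaa-domain-huawei] accounting-scheme acc
[Switch-aaa-domain-huawei] radius-server ACME
[Switch-aaa-domain-huawei] quit
[Switch-aaa] quit

# Step 4 - huawei as the global default domain (users who log in without "@domain" land here)
[Switch] domain huawei
# Releases that keep a separate default domain for administrators set it with:
# [Switch] domain huawei admin

# Step 5 - Local user for the backup path (password, level and service type are ASSUMED)
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher User1@Local
[Switch-aaa] local-user user1 privilege level 15
[Switch-aaa] local-user user1 service-type ssh
[Switch-aaa] quit

# Management login must be handed to AAA, otherwise none of the above is consulted (ASSUMED VTY range)
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode aaa
[Switch-ui-vty0-4] quit

# Step 6 - Verify the template, then probe server reachability and the shared key
# before relying on it (RADIUS user andersoncf, ASSUMED password).
[Switch] display radius-server configuration template ACME
[Switch] test-aaa andersoncf Anderson@2021 radius-template ACME
```

The test-aaa probe is worth running before the first real login: a timeout points at reachability or at the server not knowing this NAS, while an immediate reject with credentials you know are right points at a shared-key mismatch, since the server can only decrypt User-Password with the same key. Enabling the SSH server itself is outside the scope of these steps and is assumed to be done already.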


Step 7 - Check the users on the RADIUS server.




In the practical example I will be using a FreeRADIUS server with the address 192.168.61.6/24.
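The matching server-side configuration for Step 7, added here as an example (it is not the original post's screenshot and not a FreeRADIUS sample file). It assumes FreeRADIUS 3.x with the Debian/Ubuntu paths, that the switch's RADIUS traffic is sourced from 192.168.61.1, and the secret and passwords shown; the user names andersoncf and huawei are the ones the post logs in with in Step 10. Huawei-Exec-Privilege is the Huawei vendor attribute from the dictionary.huawei file shipped with FreeRADIUS.

```text
# Server side (FreeRADIUS 3.x on 192.168.61.6). Paths are Debian/Ubuntu defaults;
# the switch address and every secret/password below are ASSUMED.

# ---- /etc/freeradius/3.0/clients.conf ------------------------------------------
client huawei-switch {
    ipaddr    = 192.168.61.1        # ASSUMED source address of the switch's RADIUS packets (exact host, not a range)
    secret    = Huawei@2021         # must equal "radius-server shared-key" in template ACME
    shortname = switch-acme
    nas_type  = other
}

# ---- /etc/freeradius/3.0/mods-config/files/authorize  (the "users" file) --------
# The switch sends the bare user name (domain-included was disabled on the switch),
# so the entries are "andersoncf" and "huawei", not "andersoncf@huawei".
# Huawei-Exec-Privilege (dictionary.huawei) sets the management level granted at login.
andersoncf  Cleartext-Password := "Anderson@2021"
            Huawei-Exec-Privilege = 15

huawei      Cleartext-Password := "Huawei@Radius1"
            Huawei-Exec-Privilege = 15
```

Start the server in the foreground with `freeradius -X` (`radiusd -X` on RHEL-family systems) while logging in from the switch: the debug output shows each Access-Request and the resulting Access-Accept or Access-Reject, which is the authentication log checked in Step 9. Two checks before trusting the setup: the client block should match only the switch's exact address, and the secret should be long and random, because RADIUS hides only the User-Password attribute (MD5 keyed with the secret) and sends everything else in clear text, so the NAS-to-server path should stay on a management network.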


Step 8 - Log in to the switch with a RADIUS user.






In the practical example, we log in to the switch with users registered on the RADIUS server.


Step 9 - Check the authentication log on the RADIUS server.




In the practical example, we check the authentication log on the RADIUS server to confirm that the login requests from the switch were received and accepted.


Step 10 - Check the user information on the Switch.


# Run the display access-user user andersoncf detail command on the Switch to verify that the user was authenticated and which authentication method was used.




# Run the display access-user user huawei detail command on the Switch to verify that the user was authenticated and which authentication method was used.




To close the practical case, the switch output confirms that both users were authenticated via the RADIUS method.


Remember that if the RADIUS server is unavailable for some reason, authentication is performed against the local user database; in this example that is the user "user1" added in Step 5. The test of a RADIUS failure with fallback to local authentication is done in another post, so as not to clutter this practical example with too much information.


--- End

Interesting to know.


BAZ
MVE Author Created May 15, 2021 20:14:47

Great explanation.
You may use the Insert Code option for better visibility.


Excellent Post

IndianKid
Moderator Author Created May 18, 2021 06:31:07

thanks for sharing

Great sharing. Keep it up.

Hi Brow,

Taking a ride on your post, I've noticed that you set the weight value in your radius-server authentication.
So, I read the doc about that, but I am slightly confused.
I've set up 3 RADIUS authentication servers in my BRAS configuration (in order to keep a backup for authentication), as below:

radius-server authentication 192.168.1.43 1812 weight 50
radius-server authentication 192.168.1.26 1812 weight 80

Nonetheless, the BRAS still keeps sending the authentication request first to the server 192.168.1.43, whose weight is set to 50.

What I've noticed is that it is using a priority based on the IP address instead of the weight. What is the correct way to set the RADIUS backup configuration respecting the priority?


Posted by welisson_br at 2021-05-22 04:14 Hi Brow,Taking a ride on your post I've noticed that you set the weight value into your server radiu ...
Hello,
This parameter only takes effect after the radius-server algorithm is set to loading-share.
Please refer to https://support.huawei.com/hedex/hdx.do?lib=EDOC1100168834AEJ1215V&docid=EDOC1100168834&lang=en&v=05&tocLib=EDOC1100168834AEJ1215V&tocV=05&id=EN-US_CLIREF_0314080556&p=t&fe=1&ui=3&tocURL=resources%252Fcommand%252F8090_m2hkm2k%252Fradius-server_algorithm.html&keyword=radius%2Bserver%2Balgorithm

Posted by chenhui at 2021-05-21 17:41 Hello, This parameter only take effects after the radius-server algorithm is set to loading share. ...
Hello,

So, in this case, will it request the other RADIUS servers only if one of them goes down, right?
For instance:
server 1 weight 70
server 2 weight 50
server 3 weight 40

Good post
