
Example for Configuring RADIUS Authentication and Accounting

Latest reply: May 13, 2021 07:50:20

OBJECTIVE


The purpose of this post is to present a basic RADIUS server configuration in practice.


Networking Requirements


As shown in Figure 1, users belong to the domain huawei. Switch functions as the network access server (NAS) for the destination network and grants access to users only after they have been authenticated by the remote RADIUS server. The remote authentication on Switch is described as follows:


The RADIUS server authenticates access users for Switch. If RADIUS authentication fails, local authentication is used as the backup.


A single RADIUS server at 192.168.61.6/24 functions as both the authentication server and the accounting server; no secondary server is configured in this example. The default authentication port and accounting port are 1812 and 1813, respectively.



Figure 1 -  Networking diagram of RADIUS authentication and accounting


Configuration Roadmap


The configuration roadmap is as follows:


1. Configure a RADIUS server template.


2. Configure an authentication scheme and an accounting scheme.


3. Apply the RADIUS server template, authentication scheme, and accounting scheme to a domain.


Ensure that the devices are routable before the configuration.


Ensure that the shared key in the RADIUS server template is the same as the setting on the RADIUS server.


If the RADIUS server does not accept the user name containing the domain name, run the undo radius-server user-name domain-included command in the RADIUS server template view to configure the device to send packets that do not contain the domain name to the RADIUS server.


After a domain is set as the global default domain, a user whose user name carries that domain name, or carries no domain name at all, uses the AAA configuration of the global default domain.


After the undo radius-server user-name domain-included command is run, the device changes only the user name format in the sent packet, and the domain to which the user belongs is not affected. For example, after this command is run, the user with the user name user@huawei.com still uses AAA configuration information in the domain named huawei.com.
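The two notes above (the shared key must match the server's, and the user name is sent with or without the domain) are easiest to see on the wire. The following Python script is an added example that is not part of the original post and not Huawei's code: it builds the Access-Request/Access-Accept exchange and an Accounting-Request Start from the RFC 2865/2866 primitives, with one function per side. The server user database, its password, the NAS address 192.168.61.1 and the function names are constructed for this example; the shared key Huawei@123 is the one used in the post.

```python
"""Added example: the RADIUS exchange a NAS such as Switch performs, built from
RFC 2865/2866 primitives. The user database, password and NAS address are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 2, 4, 40
ACCT_START = 1

def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def parse_attrs(blob):
    """Decode the TLV area of a packet into a {type: value} dict."""
    attrs, i = {}, 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        attrs[t] = blob[i + 2:i + length]
        i += length
    return attrs

def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple; XOR block n with MD5(secret + previous
    ciphertext block), the first block with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, nas_ip, domain_included, domain):
    """NAS side. domain_included mirrors the 'radius-server user-name domain-included' setting."""
    req_auth = os.urandom(16)
    name = f"{user}@{domain}" if domain_included else user
    attrs = _attrs([(USER_NAME, name.encode()),
                    (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
                    (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def server_handle(request, secret, users):
    """Server side: recover the password and answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == pw else ACCESS_REJECT
    return _packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")

def nas_verify(response, req_auth, secret):
    """NAS side: a reply whose Response Authenticator does not verify must be dropped."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, req_auth, response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return "unverified"
    return "accept" if code == ACCESS_ACCEPT else "reject"

def build_accounting_start(ident, user, secret, nas_ip):
    """RFC 2866 3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    attrs = _attrs([(USER_NAME, user.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
                    (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return _packet(ACCOUNTING_REQUEST, ident, auth, attrs)

def server_verify_accounting(request, secret):
    """Accounting server side: only a NAS holding the shared key can produce this authenticator."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    head = struct.pack("!BBH", code, ident, length)
    expected = hashlib.md5(head + b"\x00" * 16 + request[20:length] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])

USERS = {b"user1": b"S3cret-pw!"}   # constructed server-side user database

def authenticate(user, password, nas_secret, server_secret, domain_included=False):
    """One Access-Request round trip; the NAS key and the server key are passed separately."""
    req, ra = build_access_request(7, user, password, nas_secret, "192.168.61.1", domain_included, "huawei")
    return nas_verify(server_handle(req, server_secret, USERS), ra, nas_secret)
```

With matching keys authenticate() returns "accept" or "reject" according to the password. With a mismatched key the server recovers a garbage password and rejects, but the more important effect is on the NAS: the Response Authenticator no longer verifies, so the NAS must drop the reply instead of trusting it, which is why the template key has to equal the server's. Setting domain_included=True produces the User-Name "user1@huawei" that Switch sends before undo radius-server user-name domain-included is run; with it False the attribute is just "user1", while the domain the user is mapped to on the switch is unaffected.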


Procedure


1. Configure a RADIUS server template.


# Configure a RADIUS template named ACME.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] radius-server template ACME            


# Set the IP address and port numbers of the primary RADIUS authentication server and accounting server.


[Switch-radius-ACME] radius-server authentication 192.168.61.6 1812 weight 80
[Switch-radius-ACME] radius-server accounting 192.168.61.6 1813 weight 80


# Set the shared key and retransmission count for the RADIUS server, and configure the device not to encapsulate the domain name in the user name when sending RADIUS packets to the RADIUS server.


[Switch-radius-ACME] radius-server shared-key cipher Huawei@123
[Switch-radius-ACME] radius-server retransmit 2
[Switch-radius-ACME] undo radius-server user-name domain-included
[Switch-radius-ACME] quit


2. Configure authentication and accounting schemes.


# Create an authentication scheme named auth. Configure the authentication scheme to use RADIUS authentication as the active authentication mode and local authentication as the backup.


[Switch] aaa
[Switch-aaa] authentication-scheme auth
[Switch-aaa-auth] authentication-mode radius local
[Switch-aaa-auth] quit


# Create an accounting scheme named acc, and configure the accounting scheme to use the RADIUS accounting mode. Configure a policy for the device to keep users online upon accounting-start failures.


[Switch-aaa] accounting-scheme acc
[Switch-aaa-accounting-acc] accounting-mode radius
[Switch-aaa-accounting-acc] accounting start-fail online
[Switch-aaa-accounting-acc] quit


3. Create a domain named huawei, and apply the authentication scheme auth, accounting scheme acc, and RADIUS server template ACME to the domain.


[Switch-aaa] domain huawei
[Switch-aaa-domain-huawei] authentication-scheme auth
[Switch-aaa-domain-huawei] accounting-scheme acc
[Switch-aaa-domain-huawei] radius-server ACME
[Switch-aaa-domain-huawei] quit
[Switch-aaa] quit


4. Set the domain huawei as the global default domain and as the global default administrative domain.


[Switch] domain huawei
[Switch] domain huawei admin


5. Configure a local user for the backup (local) authentication.


[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Huawei@123
[Switch-aaa] local-user user1 service-type http
[Switch-aaa] local-user user1 privilege level 15
[Switch-aaa] quit


6. Verify the configuration.


# Run the display radius-server configuration template template-name command on Switch to verify the RADIUS server template configuration.


[Switch] display radius-server configuration template ACME
 
------------------------------------------------------------------------------
 Server-template-name          :  ACME
 Protocol-version              :  standard
 Traffic-unit                  :  B
 Shared-secret-key             :  ******
 Group-filter                  :  class  
 Timeout-interval(in second)   :  5
 Retransmission                :  2
 EndPacketSendTime             :  3
 Dead time(in minute)          :  5
 Domain-included               :  NO
 NAS-IP-Address                :  -
 Calling-station-id MAC-format :  xxxx-xxxx-xxxx
 Called-station-id MAC-format  :  XX-XX-XX-XX-XX-XX
 NAS-Port-ID format            :  New
 Service-type                  :  -
 NAS-IPv6-Address              :  ::
 Server algorithm              :  master-backup
 Detect-interval(in second)    :  60
 Detect up-server(in second)   :  0
 Detect timeout(in second)     :  3
 Chargeable-user-identity      :  Not Support
 CUI Not reject                :  No
 Enable framed-ip-address      :  No
 Authentication Server 1       :  192.168.61.6     Port:1812  Weight:80  [UP]
                                  Vrf:- LoopBack:NULL Vlanif:NULL
                                  Source IP: ::  
                                  Source IP: ::
 Accounting Server     1       :  192.168.61.6     Port:1813  Weight:80  [UP]
                                  Vrf:- LoopBack:NULL Vlanif:NULL
                                  Source IP: ::
 ------------------------------------------------------------------------------


Configuration Files


Switch configuration file:


#
sysname Switch
#
domain huawei
domain huawei admin
#
radius-server template ACME
radius-server shared-key cipher %^%#{E#Q$7Lhi~+|4[K#qAc2w^Ur"!>!h%6z>xN_ap$=%^%#
radius-server authentication 192.168.61.6 1812 weight 80
radius-server accounting 192.168.61.6 1813 weight 80
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme auth
 authentication-mode radius local
accounting-scheme acc
 accounting-mode radius
 accounting start-fail online
domain huawei
 authentication-scheme auth
 accounting-scheme acc
 radius-server ACME
local-user user1 password irreversible-cipher $1c$J64VRwN{N,$-q3h(w2#EP(RNiI\4M-Yax.,Lfe]>Zd:aD$l#Ph>$
local-user user1 privilege level 15
local-user user1 service-type http
#
return
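To review a configuration file like the one above against the roadmap without logging in to the device, the following Python script, an added example that is not part of the original post and not a Huawei tool, parses the file (embedded verbatim as SAMPLE_CONFIG) and reports the facts a reviewer wants: the default and default administrative domain, the template and servers the domain uses, whether the user name carries the domain, and where the "radius local" fallback lands when the single RADIUS server becomes unreachable. The dictionary layout and the finding names are this example's own.

```python
"""Added example: parse a VRP configuration dump and audit its AAA/RADIUS wiring."""
# The switch configuration file from the post, embedded so the script runs offline.
SAMPLE_CONFIG = r"""
#
sysname Switch
#
domain huawei
domain huawei admin
#
radius-server template ACME
radius-server shared-key cipher %^%#{E#Q$7Lhi~+|4[K#qAc2w^Ur"!>!h%6z>xN_ap$=%^%#
radius-server authentication 192.168.61.6 1812 weight 80
radius-server accounting 192.168.61.6 1813 weight 80
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme auth
 authentication-mode radius local
accounting-scheme acc
 accounting-mode radius
 accounting start-fail online
domain huawei
 authentication-scheme auth
 accounting-scheme acc
 radius-server ACME
local-user user1 password irreversible-cipher $1c$J64VRwN{N,$-q3h(w2#EP(RNiI\4M-Yax.,Lfe]>Zd:aD$l#Ph>$
local-user user1 privilege level 15
local-user user1 service-type http
#
return
"""

def parse_vrp(text):
    """Return RADIUS templates, AAA schemes, domains and local users found in a VRP dump."""
    cfg = {"templates": {}, "auth_schemes": {}, "acct_schemes": {}, "domains": {},
           "local_users": {}, "default_domain": None, "default_admin_domain": None}
    in_aaa, cur = False, None          # cur: the dict of the sub-view currently being filled
    for raw in text.splitlines():
        line = raw.rstrip()
        if line in ("", "return"):
            continue
        if line == "#":                # '#' closes the current view in a VRP dump
            in_aaa, cur = False, None
            continue
        indented, tok = line.startswith(" "), line.split()
        if tok[0] == "aaa":
            in_aaa = True
        elif tok[:2] == ["radius-server", "template"]:
            cur = cfg["templates"].setdefault(tok[2], {"auth": [], "acct": [], "domain_included": True, "retransmit": 3})
        elif tok[:3] == ["undo", "radius-server", "user-name"]:
            cur["domain_included"] = False
        elif tok[0] == "radius-server" and not in_aaa and cur is not None:
            if tok[1] in ("authentication", "accounting"):   # server lines are unindented in this dump
                cur["auth" if tok[1] == "authentication" else "acct"].append((tok[2], int(tok[3])))
            elif tok[1] == "retransmit":
                cur["retransmit"] = int(tok[2])
        elif tok[0] == "domain" and not in_aaa:               # global 'domain <name> [admin]'
            cfg["default_admin_domain" if tok[-1] == "admin" else "default_domain"] = tok[1]
        elif in_aaa and not indented:
            if tok[0] == "authentication-scheme":
                cur = cfg["auth_schemes"].setdefault(tok[1], {"modes": ["local"]})
            elif tok[0] == "accounting-scheme":
                cur = cfg["acct_schemes"].setdefault(tok[1], {"mode": None, "start_fail": None})
            elif tok[0] == "domain":
                cur = cfg["domains"].setdefault(tok[1], {})
            elif tok[0] == "local-user":
                user = cfg["local_users"].setdefault(tok[1], {"level": 0})
                if tok[2] == "privilege":
                    user["level"] = int(tok[4])
        elif in_aaa and indented and cur is not None:         # one-space lines belong to cur
            if tok[0] == "authentication-mode":
                cur["modes"] = tok[1:]
            elif tok[0] == "accounting-mode":
                cur["mode"] = tok[1]
            elif tok[:2] == ["accounting", "start-fail"]:
                cur["start_fail"] = tok[2]
            else:                                             # domain view bindings
                cur[tok[0]] = tok[1]
    return cfg

def audit(cfg, domain):
    """Facts a reviewer wants about one domain; finding names are this example's own."""
    d = cfg["domains"][domain]
    tmpl = cfg["templates"][d["radius-server"]]
    modes = cfg["auth_schemes"][d["authentication-scheme"]]["modes"]
    findings = []
    if len(tmpl["auth"]) < 2:
        findings.append("single-auth-server")            # no secondary: an outage goes straight to the fallback
    if modes[:2] == ["radius", "local"]:
        admins = sorted(u for u, v in cfg["local_users"].items() if v["level"] >= 15)
        if admins:                                        # these accounts answer when RADIUS is unreachable
            findings.append("local-fallback-admin:" + ",".join(admins))
    if not tmpl["domain_included"]:
        findings.append("user-name-without-domain")
    if cfg["acct_schemes"][d["accounting-scheme"]]["start_fail"] == "online":
        findings.append("acct-start-fail-online")         # sessions stay up with no accounting record
    return findings
```

For the configuration in this post, audit(parse_vrp(SAMPLE_CONFIG), "huawei") reports a single authentication server, a level-15 local account (user1) that becomes the effective credential whenever the RADIUS server cannot be reached, user names sent without the domain, and sessions kept online when accounting start fails. None of these is wrong for a lab, but each is a decision worth recording: the local fallback password and the RADIUS shared key should not be the same string in production, and the accounting gap should be visible to whoever relies on those records.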


--- End

chenhui
Admin Created May 10, 2021 00:40:29


lucian2003
MVE Author Created May 9, 2021 01:05:30

Thanks for sharing

Faridrami
Faridrami Created May 9, 2021 16:09:48

andersoncf1
andersoncf1 Created May 9, 2021 16:22:48
Thanks friend
IndianKid
Moderator Author Created May 9, 2021 05:01:19

Great information. Thanks.

MangoKnight
Created May 9, 2021 05:32:31

Good and Detailed

wissal
MVE Created May 9, 2021 06:49:36

Detailed explanation

thibay
Created May 9, 2021 07:00:08

Great sharing.

Unicef
MVE Created May 9, 2021 07:51:44

Well done

Laiheang
Created May 9, 2021 08:11:30

cool

simchamnan
Created May 9, 2021 08:40:13

nice

Chanbora
Created May 9, 2021 08:46:15

good
