[Knowledge sharing]How to assign privilege level from Microsoft NPS RADIUS server to Huawei switches ?

Latest reply: Oct 7, 2019 02:39:02

Hello everyone,

As you know, in many networks Microsoft NPS is used as the RADIUS server: we create the users on NPS and log in to our devices over SSH/web with RADIUS authentication. Even so, after configuring AAA on the switch and the NPS side, we notice that the user has no privilege to run admin commands, only ping/trace.

In this thread, I will show you the entire configuration needed on the Huawei side and the change required on the NPS side for this scenario to work properly.

So, let's start with the configuration on the Huawei switch side:

# Configure the VTY user interface.

[Switch] stelnet server enable //Enable the STelnet server function.
[Switch] user-interface vty 0 14 //Enter the user interface views of VTY 0 to VTY 14.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY 0 to VTY 14 to AAA.
[Switch-ui-vty0-14] protocol inbound ssh //Configure the user interface views in VTY 0 to VTY 14 to support SSH.
[Switch-ui-vty0-14] quit

# Run the command below to specify password authentication as the default authentication mode of SSH users.

[Switch] ssh authentication-type password

# Configure a RADIUS server template on the Switch to implement communication with the RADIUS server.

[Switch] radius-server template 1 //Enter the RADIUS server template view.
[Switch-radius-1] radius-server authentication RADIUS_SERVER_IP 1812 //Configure the RADIUS server IP and port. RADIUS_SERVER_IP is a placeholder; the post does not show the actual address.
[Switch-radius-1] radius-server shared-key cipher Huawei@6789 //Set the shared key of the RADIUS server to Huawei@6789.
[Switch-radius-1] quit


# Specify a RADIUS authorization server.

[Switch] radius-server authorization RADIUS_SERVER_IP shared-key cipher Huawei@2012 //RADIUS_SERVER_IP is a placeholder; the post does not show the actual address.

# Configure an AAA authentication/authorization/accounting scheme, with the authentication mode being RADIUS.

[Switch] aaa
[Switch-aaa] authentication-scheme sch1 //Create an authentication scheme named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius //Set the authentication mode to RADIUS.
[Switch-aaa-authen-sch1] quit

[Switch-aaa] authorization-scheme sch1 //Create an authorization scheme named sch1.
[Switch-aaa-author-sch1] authorization-mode if-authenticated local //Authorize a user as soon as authentication succeeds; fall back to local authorization.
[Switch-aaa-author-sch1] quit

[Switch-aaa] accounting-scheme sch1 //Create an accounting scheme named sch1.
[Switch-aaa-accounting-sch1] accounting-mode radius //Set the accounting mode to RADIUS.
[Switch-aaa-accounting-sch1] quit

# Create a domain, and apply the AAA authentication scheme and RADIUS server template in the domain.

[Switch-aaa] domain DOMAIN_NAME //Create the domain and enter the domain view. DOMAIN_NAME is a placeholder; the post does not show the actual domain name.
[Switch-aaa-domain-DOMAIN_NAME] authentication-scheme sch1 //Configure the authentication scheme sch1 for the domain.
[Switch-aaa-domain-DOMAIN_NAME] authorization-scheme sch1 //Configure the authorization scheme sch1 for the domain.
[Switch-aaa-domain-DOMAIN_NAME] accounting-scheme sch1 //Configure the accounting scheme sch1 for the domain.
[Switch-aaa-domain-DOMAIN_NAME] radius-server 1 //Apply the RADIUS server template 1 to the domain.
[Switch-aaa-domain-DOMAIN_NAME] quit

[Switch-aaa] quit

# Configure the domain as the default global management domain so that an administrator does not need to enter the domain name when logging in to the Switch.

[Switch] domain DOMAIN_NAME admin //Same placeholder as above.

With this configuration, if we try to log in with a user created on NPS, we have access to only ping/trace operations (level 1).

In order to have privilege for more operations, we need to assign a higher privilege level using this attribute:

This is the attribute that we need to send from NPS: the vendor-specific attribute number is 29 and the vendor ID of Huawei is 2011.


And the configuration on NPS should look like this, where the attribute value is the privilege level assigned by NPS:


If we start debugging as follows, we need to see this privilege level in the output to confirm that the configuration is OK:

<Huawei> debugging radius all //Enable RADIUS debugging.

<Huawei> terminal monitor //Shortened to "t m" in the original post: display debugging output on this terminal.

<Huawei> terminal debugging //Shortened to "t d" in the original post: enable debugging output on this terminal.

Then authenticate with the NPS user and collect the debugging output.


We should expect to see the Privilege attribute, like this:


And if we see this attribute in the Access-Accept, we can be sure the user has the higher privilege level and can issue more commands.
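To check the same thing outside the switch (for example on attributes captured from the NPS Access-Accept), here is a small encoder/decoder for the Huawei privilege VSA. This is an added example, not code from the original post: the attribute numbers (RADIUS type 26 Vendor-Specific, vendor ID 2011, vendor type 29) are the ones given above; the sample attribute bytes are constructed.

```python
# Added example: encode and decode the Huawei privilege-level VSA that NPS sends.
# RADIUS Vendor-Specific attribute (type 26, RFC 2865) wrapping vendor ID 2011
# (Huawei) and vendor type 29 with a 4-byte integer value (the privilege level).
import struct

VENDOR_SPECIFIC = 26
HUAWEI_VENDOR_ID = 2011
HUAWEI_EXEC_PRIVILEGE = 29  # vendor sub-attribute number from the post


def build_huawei_exec_privilege(level: int) -> bytes:
    """Encode privilege level `level` as a RADIUS VSA, as NPS would send it."""
    if not 0 <= level <= 15:
        raise ValueError("Huawei privilege levels are 0-15")
    # vendor sub-attribute: vendor-type(1) vendor-length(1) value(4, big-endian)
    sub = struct.pack("!BBI", HUAWEI_EXEC_PRIVILEGE, 6, level)
    # outer attribute: type(1) length(1) vendor-id(4) followed by the sub-attribute
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), HUAWEI_VENDOR_ID) + sub


def find_huawei_exec_privilege(attrs: bytes):
    """Walk a RADIUS attribute list; return the Huawei privilege level or None."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == HUAWEI_VENDOR_ID:
                j = i + 6
                while j + 2 <= i + alen:  # sub-attributes within this VSA
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > i + alen:
                        raise ValueError("malformed vendor sub-attribute")
                    if vtype == HUAWEI_EXEC_PRIVILEGE and vlen == 6:
                        return struct.unpack("!I", attrs[j + 2:j + 6])[0]
                    j += vlen
        i += alen
    return None  # no privilege VSA: the switch falls back to level 1 (ping/trace only)


def demo() -> int:
    # Constructed sample Access-Accept attribute list: Service-Type=Login(1)
    # (type 6) followed by the Huawei VSA carrying level 15.
    service_type = struct.pack("!BBI", 6, 6, 1)
    return find_huawei_exec_privilege(service_type + build_huawei_exec_privilege(15))
```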

Hope this tutorial is ok, and if you have any questions don't hesitate to post here :D


MVE, Oct 7, 2019 02:39:02

Thanks for sharing.