[Knowledge sharing] How to assign privilege level from Microsoft NPS RADIUS server to Huawei switches?

Latest reply: Oct 7, 2019 02:39:02

Hello everyone,


As you know, in many networks Microsoft NPS is used as the RADIUS server to create users and log in to our devices over SSH/web with RADIUS-based authentication. Even so, after configuring AAA on the switch and the NPS side, we notice that we have no privilege to run admin commands, only ping/tracert.

In this thread, I will show you the entire configuration needed on Huawei products and what change is required on the NPS side so that this scenario works properly.

So, let's start first with the configuration on the Huawei switch side:

# Configure the VTY user interface.

[Switch] stelnet server enable //Enable the STelnet server function.
[Switch] user-interface vty 0 14 //Enter the user interface views of VTY 0 to VTY 14.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY 0 to VTY 14 to AAA.
[Switch-ui-vty0-14] protocol inbound ssh //Configure the user interface views in VTY 0 to VTY 14 to support SSH.
[Switch-ui-vty0-14] quit


# Run the command below to specify password authentication as the default authentication mode of SSH users.

[Switch] ssh authentication-type password


# Configure a RADIUS server template on the Switch to implement communication with the RADIUS server.

[Switch] radius-server template 1 //Enter the RADIUS server template view.
[Switch-radius-1] radius-server authentication 10.2.1.1 1812 //Configure the RADIUS server IP and port.
[Switch-radius-1] radius-server shared-key cipher Huawei@6789 //Set the shared key of the RADIUS server to Huawei@6789.
[Switch-radius-1] quit

# Specify a RADIUS authorization server.

[Switch] radius-server authorization 10.1.1.116 shared-key cipher Huawei@2012 //Configure the RADIUS authorization server IP and shared key (typically the same NPS server used for authentication; adjust the address and key to your deployment).


# Configure an AAA authentication/authorization/accounting scheme, with the authentication mode being RADIUS.

[Switch] aaa
[Switch-aaa] authentication-scheme sch1 //Create an authentication scheme named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius //Set the authentication mode to RADIUS.
[Switch-aaa-authen-sch1] quit

[Switch-aaa] authorization-scheme sch1 //Create an authorization scheme named sch1.
[Switch-aaa-author-sch1] authorization-mode if-authenticated local //Use local authorization when the user is already authenticated.
[Switch-aaa-author-sch1] quit

[Switch-aaa] accounting-scheme sch1 //Create an accounting scheme named sch1.
[Switch-aaa-accounting-sch1] accounting-mode radius //Set the accounting mode to RADIUS.
[Switch-aaa-accounting-sch1] quit


# Create a domain, and apply the AAA authentication scheme and RADIUS server template in the domain.

[Switch-aaa] domain huawei.com //Create a domain named huawei.com and enter the domain view.

[Switch-aaa-domain-huawei.com] authentication-scheme sch1 //Configure the authentication scheme sch1 for the domain.

[Switch-aaa-domain-huawei.com] authorization-scheme sch1 //Configure the authorization scheme sch1 for the domain.

[Switch-aaa-domain-huawei.com] accounting-scheme sch1 //Configure the accounting scheme sch1 for the domain.

[Switch-aaa-domain-huawei.com] radius-server 1 //Apply the RADIUS server template 1 to the domain.

[Switch-aaa-domain-huawei.com] quit

[Switch-aaa] quit


# Configure the domain huawei.com as the default global management domain so that an administrator does not need to enter the domain name for logging in to the Switch.

[Switch] domain huawei.com admin


With this configuration, if we try to log in with a user created on NPS we would have access only to ping/tracert operations (level 1).

In order to have privileges for more operations, we need to assign a higher privilege level using a vendor-specific attribute.

This is the attribute that we need to send from NPS: the attribute number is 29 and the vendor ID of Huawei is 2011.

[Image: NPS Vendor-Specific attribute configuration, vendor ID 2011, attribute number 29]


And the configuration on NPS should look like this, where the attribute value is the privilege level assigned by NPS:

[Image: NPS network policy settings showing the Vendor-Specific attribute value]


If we enable debugging as follows, we need to see this privilege attribute to confirm that the configuration is OK:

<Huawei> debugging radius all //Enable RADIUS debugging.

<Huawei> terminal monitor //Enable display of debugging/log output on the current terminal (abbreviated "t m").

<Huawei> terminal debugging //Enable display of debugging messages on the current terminal (abbreviated "t d").

Authenticate and collect the output of the debugging.

We should expect to see the privilege attribute, like this:

[Image: RADIUS debugging output showing the Huawei vendor-specific privilege attribute]


And if we see this attribute, we can be sure we have the higher privilege level and can issue more commands.
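To make the on-wire attribute concrete, here is an added Python example (not from the original post) that encodes and decodes the RADIUS Vendor-Specific attribute (type 26) carrying vendor ID 2011 and vendor type 29, which the Huawei RADIUS dictionary names Huawei-Exec-Privilege. The sample attribute bytes are constructed here; such a decoder can be used to verify a captured Access-Accept instead of reading raw hex in the debugging output.

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type
HUAWEI_VENDOR_ID = 2011       # Huawei enterprise number (as configured on NPS)
HUAWEI_EXEC_PRIVILEGE = 29    # vendor type of Huawei-Exec-Privilege


def build_exec_privilege_vsa(level: int) -> bytes:
    """Encode Huawei-Exec-Privilege=level exactly as NPS sends it in Access-Accept."""
    if not 0 <= level <= 15:
        raise ValueError("Huawei user privilege levels are 0-15")
    # vendor sub-attribute: type(1) length(1) value(4, integer)
    vendor_data = struct.pack("!BBI", HUAWEI_EXEC_PRIVILEGE, 6, level)
    payload = struct.pack("!I", HUAWEI_VENDOR_ID) + vendor_data
    # outer attribute: type 26, total length, vendor id + sub-attribute
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(payload)) + payload


def iter_attributes(attrs: bytes):
    """Walk the TLV attribute list of a RADIUS packet (bytes after the 20-byte header)."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen


def exec_privilege_from_attrs(attrs: bytes):
    """Return the Huawei-Exec-Privilege level found in the attribute list, or None."""
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue                      # some other vendor's VSA
        vtype, vlen = value[4], value[5]
        if vtype == HUAWEI_EXEC_PRIVILEGE and vlen == 6 and len(value) >= 10:
            return struct.unpack("!I", value[6:10])[0]
    return None


# Constructed sample: Service-Type=Login(1) followed by Huawei-Exec-Privilege=15
SAMPLE_ATTRS = struct.pack("!BBI", 6, 6, 1) + build_exec_privilege_vsa(15)

if __name__ == "__main__":
    print("VSA bytes:", build_exec_privilege_vsa(15).hex())
    print("privilege level in sample:", exec_privilege_from_attrs(SAMPLE_ATTRS))
```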

I hope this tutorial is useful, and if you have any questions don't hesitate to post here :D




umaryaqub
MVE | Created Oct 7, 2019 02:39:02 | Helpful(1)

Thanks for sharing.