RADIUS configuration on CE6855

Created: Jun 30, 2020 11:16:01. Latest reply: Jul 4, 2020 03:06:07 (problem resolved).

Hi, 

I am completely new to Huawei, and I am attempting to configure RADIUS admin login for our switches, but I am not finding any documentation for how to configure it for the switches we are using (CE6855).

Documentation I am reading (https://support.huawei.com/enterprise/en/doc/EDOC1100095727) is telling me to perform the following commands:

# 
radius-server template t1 
 radius-server shared-key cipher %^%#wPPdHk[4q=4%I@XG|VE-:vg+I'-QC6-LlAE~Q&k;%^%#
 radius-server authentication 10.1.1.1 1812 weight 80
 radius-server accounting 10.1.1.1 1813 weight 80
#

However, the "radius-server template" command doesn't seem to work on my switch, and so I am not sure how to proceed with this.

I did find I am able to run this:

# 
radius server authorization x.x.x.x shared-key xxx

But, the documentation linked above is referring to the radius template that I have to create, which I do not have.

I am also unable to find any straightforward article on how to configure the RADIUS server side (NPS) in regards to VSA vendor code and attributes. I am only finding excessive lists of attributes and their meaning etc., and frankly it's a little overwhelming.

Am I missing something?
Any help would be much appreciated. :)

All Answers
jason_hu Admin Created Jun 30, 2020 11:18:43

Hello @Pasjonsfrukt,
What is the version of your switch?


Pasjonsfrukt Created Jun 30, 2020 13:21:17
Hello Jason!

VRP (R) software, Version 8.150

Patch Version: V200R002SPH017

Is this sufficient?  
Popeye_Wang Admin Created Jun 30, 2020 14:12:46

Hi,
You don't need to configure the 'radius-server template'; instead, a RADIUS server group needs to be set.
Here is a typical configuration.
#
radius server group shiva
 radius server shared-key-cipher %^%#!{{K=Y2lo>*\L5A=e}P%vBhqTJbsQ3$S^9<bb`i8%^%#
 radius server authentication 10.7.66.66 1812
 radius server accounting 10.7.66.66 1813
 radius server retransmit 2
#
aaa
 authentication-scheme auth
  authentication-mode radius
 #
 accounting-scheme abc
  accounting-mode radius
 #
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius server group shiva
#
For details, see
https://support.huawei.com/hedex/hdx.do?docid=EDOC1000168680&id=dc_cfg_aaa_0013&lang=en

For the configuration of the RADIUS server, you are advised to consult the server vendor.


Pasjonsfrukt Created Jul 1, 2020 07:33:10
Thanks! I will give this a go once I figure out how to configure the NPS radius policies.

Possibly dumb follow-up question: I currently have a local user configured for admin login, will this be affected by me making changes to the aaa scheme? Do I have to configure this user as a local backup?  
Popeye_Wang Admin Created Jul 3, 2020 08:33:12

Posted by Popeye_Wang at 2020-06-30 14:12 Hi,You don't need to configure the 'radius-server template', instead,  a RADIUS Server Group is nee ...

Hi,

By default, local authentication is used for user login, and the default domain is default_admin. If a local user is not created with a domain name, and the user does not add a domain name when logging in to the device, the user will be authenticated in the default domain and is not affected by the new domain that is bound to RADIUS authentication.

If you want local users to be authenticated in the new domain, you can add the domain name to the user name.

[~HUAWEI-aaa] local-user hello@abc password irreversible-cipher xxxxxx

Then configure authentication-mode radius local in the authentication scheme. If the RADIUS authentication server does not respond and RADIUS authentication cannot be performed, the device starts local authentication.
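
A check for the fallback behaviour described in this answer, as an added example that is not part of the thread or of Huawei's tooling: it reads AAA configuration text and reports domains that use RADIUS without `local` fallback, or with fallback but no local user named `user@domain`. The sample configuration is constructed (the `auth_fb` scheme and the `ops` and `lab` domains are made up), and the parser assumes child commands are indented deeper than the view they belong to.

```python
# Constructed sample; it uses only commands that appear in the thread.
SAMPLE = """\
aaa
 authentication-scheme auth
  authentication-mode radius
 authentication-scheme auth_fb
  authentication-mode radius local
 domain huawei
  authentication-scheme auth
 domain ops
  authentication-scheme auth_fb
 domain lab
  authentication-scheme auth_fb
 local-user hello@ops password irreversible-cipher xxxxxx
"""

def parse_aaa(text):
    """Return (scheme -> modes, domain -> bound scheme, local user names)."""
    schemes, domains, users = {}, {}, []
    view, view_indent = None, 0              # enclosing view as (kind, name)
    for raw in text.splitlines():
        words = raw.split()
        indent = len(raw) - len(raw.lstrip())
        if view and indent <= view_indent:
            view = None                      # left the scheme/domain view
        if not words:
            continue
        cmd = words[0]
        if cmd == "authentication-mode" and view and view[0] == "scheme":
            schemes[view[1]] = words[1:]
        elif cmd == "authentication-scheme" and view and view[0] == "domain":
            domains[view[1]] = words[1]      # binding inside a domain
        elif cmd in ("authentication-scheme", "domain") and len(words) == 2:
            kind = "scheme" if cmd == "authentication-scheme" else "domain"
            view, view_indent = (kind, words[1]), indent
        elif cmd == "local-user":
            users.append(words[1])
    return schemes, domains, users

def audit(text):
    """Map each RADIUS domain to a finding about its local fallback."""
    schemes, domains, users = parse_aaa(text)
    findings = {}
    for dom, scheme in domains.items():
        modes = schemes.get(scheme, [])
        if "radius" in modes and "local" not in modes:
            findings[dom] = "no local fallback"
        elif "radius" in modes and not any(u.endswith("@" + dom) for u in users):
            findings[dom] = "fallback set, but no local user @" + dom
    return findings
```

Calling `audit(SAMPLE)` flags `huawei` and `lab`; a domain with no finding either does not use RADIUS or has both the fallback mode and a matching local user.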



marygp Created Jul 4, 2020 03:06:07

Thanks!