Académique Documents
Professionnel Documents
Culture Documents
Table of Contents
Table of Contents
Chapter 1 AAA, RADIUS and HWTACACS Protocol Configuration ......................................... 1-1 1.1 AAA, RADIUS and HWTACACS Protocol Overview ......................................................... 1-1 1.1.1 AAA Overview ......................................................................................................... 1-1 1.1.2 RADIUS Protocol Overview .................................................................................... 1-1 1.1.3 HWTACACS Protocol Overview ............................................................................. 1-3 1.1.4 Implementing AAA/RADIUS on a Switch ................................................................ 1-5 1.2 AAA Configuration ............................................................................................................. 1-6 1.2.1 Creating/Deleting an ISP Domain ........................................................................... 1-6 1.2.2 Configuring Relevant Attributes of an ISP Domain ................................................. 1-7 1.2.3 Configuring Self-Service Server URL...................................................................... 1-9 1.2.4 Creating/Deleting a Local User ............................................................................. 1-10 1.2.5 Setting the Attributes of a Local User ................................................................... 1-10 1.2.6 Disconnecting a User by Force ............................................................................. 1-12 1.2.7 Configuring Dynamic VLAN Delivering ................................................................. 1-12 1.3 RADIUS Protocol Configuration....................................................................................... 1-14 1.3.1 Creating/Deleting a RADIUS scheme ................................................................... 1-15 1.3.2 Setting IP Address and Port Number of a RADIUS Server .................................. 1-15 1.3.3 Setting the RADIUS Packet Encryption Key ......................................................... 1-17 1.3.4 Configuring VPN of RADIUS Server ..................................................................... 1-18 1.3.5 Setting the Port State of the Local RADIUS Server .............................................. 1-18 1.3.6 Setting the Maximum Retry Times for RADIUS Request Packets........................ 1-19 1.3.7 Setting RADIUS Server Response Timeout Timer ............................................... 1-19 1.3.8 Setting Quiet Time of RADIUS Server .................................................................. 1-20 1.3.9 Setting the Retransmission Times of RADIUS Request Packets ......................... 1-20 1.3.10 Enabling the Selection of Radius Accounting Option.......................................... 1-21 1.3.11 Setting a Real-time Accounting Interval.............................................................. 1-21 1.3.12 Setting the Maximum Times of Real-time Accounting Request Failing to be Responded ..................................................................................................................... 1-22 1.3.13 Enabling/Disabling Stop-Accounting Request Buffer.......................................... 1-22 1.3.14 Setting the Maximum Retransmitting Times of Stop-Accounting Request ......... 1-23 1.3.15 Setting the Supported Type of RADIUS Server .................................................. 1-23 1.3.16 Setting RADIUS Server State ............................................................................. 1-24 1.3.17 Setting the Username Format Transmitted to RADIUS Server .......................... 1-24 1.3.18 Setting the Unit of Data Flow that Transmitted to RADIUS Server..................... 1-25 1.3.19 Configuring the Source Address Used by NAS in RADIUS Packets .................. 1-25 1.3.20 Setting the Port State of RADIUS Client ............................................................. 1-26 1.3.21 Configuring a Local RADIUS Authentication Server ........................................... 1-27 1.4 HWTACACS Protocol Configuration................................................................................ 1-27
Huawei Technologies Proprietary i
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Table of Contents
1.4.1 Creating a HWTACACS Scheme.......................................................................... 1-28 1.4.2 Configuring HWTACACS Authentication Servers................................................. 1-28 1.4.3 Configuring HWTACACS Authorization Servers................................................... 1-29 1.4.4 Configuring HWTACACS Accounting Servers and the Related Attributes ........... 1-30 1.4.5 Configuring the Source Address for HWTACACS Packets Sent by NAS............. 1-31 1.4.6 Setting a Key for Securing the Communication with TACACS Server ................. 1-31 1.4.7 Setting the Username Format Acceptable to the TACACS Server....................... 1-31 1.4.8 Setting the Unit of Data Flows Destined for the TACACS Server......................... 1-32 1.4.9 Setting Timers Regarding TACACS Server .......................................................... 1-32 1.5 Displaying and Maintaining AAA and RADIUS Protocol.................................................. 1-34 1.6 AAA, RADIUS, and HWTACACS Protocol Configuration Examples............................... 1-35 1.6.1 Configuring Authentication at Remote RADIUS Server ........................................ 1-36 1.6.2 Configuring Authentication at Local RADIUS Authentication Server .................... 1-37 1.6.3 Configuring Authentication at Remote TACACS Server ....................................... 1-38 1.7 Troubleshooting AAA, RADIUS, and HWTACACS ......................................................... 1-39
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
I. What is RADIUS
Remote Authentication Dial-In User Service, RADIUS for short, is a kind of distributed information switching protocol in Client/Server architecture. RADIUS can prevent the network from interruption of unauthorized access and it is often used in the network environments requiring both high security and remote user access. For example, it is often used for managing a large number of scattering dial-in users who use serial ports and modems. RADIUS system is the important auxiliary part of Network Access Server (NAS). After RADIUS system is started, if the user wants to have right to access other network or consume some network resources through connection to NAS (dial-in access server in PSTN environment or Ethernet switch with access function in Ethernet environment), NAS, namely RADIUS client end, will transmit user AAA request to the RADIUS server. RADIUS server has a user database recording all the information of user authentication and network service access. When receiving users request from NAS, RADIUS server performs AAA through user database query and update and returns the configuration information and accounting data to NAS. Here, NAS controls supplicant and corresponding connections, while RADIUS protocol regulates how to transmit configuration and accounting information between NAS and RADIUS. NAS and RADIUS exchange the information with UDP packets. During the interaction, both sides encrypt the packets with keys before uploading user configuration information (like password etc.) to avoid being intercepted or stolen.
Note: The authentication and authorization of a RADIUS scheme cannot be performed separately.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Working as a client of HWTACACS, the switch sends the username and password to the TACACS server for authentication, as shown in the following figure:
Terminal Us er
User
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
PC user1 PC user2 S8500 Series S3000 series PC user3 PC user4 S8500 Series Internet Internet ISP2 S2000 series ISP1
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Quidway Series Switches ISP domain view, you can configure a complete set of exclusive ISP domain attributes on a per-ISP domain basis, which includes AAA policy (RADIUS scheme applied etc.) For Quidway Series Switches, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user has not reported its ISP domain name, the system will put it into the default domain. Perform the following operations in system view to create/delete an ISP domain: To do... Create ISP domain or enter the view of a specified domain Remove a specified ISP domain Enable the default ISP domain specified by isp-name Restore the default ISP domain to system Use the command... domain isp-name undo domain isp-name domain default enable isp-name domain default disable
By default, a domain named system has been created in the system. The attributes of system are all default values.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
users already online. An ISP is in Active state once it is created. That is, at that time, all the users in the domain are allowed to request network services. Maximum number of supplicants specifies how many supplicants can be contained in the ISP. For any ISP domain, there is no limit to the number of supplicants by default. The idle cut function means: If the traffic from a certain connection is lower than the defined traffic, cut off this connection. The PPP access users can obtain IP addresses through the PPP address negotiation function. Perform the following operations in ISP domain view to configure relevant attributes of an ISP domain: To do... Use the command... scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } undo scheme { radius-scheme | hwtacacs-scheme | none } radius-scheme radius-scheme-name undo radius scheme radius-server-name state { primary | secondary } { accounting | authentication } { block | active } access-limit { disable | enable max-user-number } undo access-limit accounting optional undo accounting optional idle-cut { disable | enable minute flow } ip pool pool-number low-ip-address [ high-ip-address ] undo ip pool pool-number
Restore the default AAA scheme used by an ISP domain Configure the RADIUS scheme used by an ISP domain Delete the specified RADIUS scheme
Set a limit to the amount of supplicants Restore the limit to the default setting Enable accounting to be optional Disable accounting to be optional Set the Idle-cut Define an address pool to assign IP addresses to users Delete the specified address pool
Both the radius-scheme and scheme radius-scheme commands can be used to specify the RADIUS scheme for an ISP domain with the same effect, and the system adopts the last configuration.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
By default, the Local scheme is adopted, an ISP domain is in Active state once it is created, no limit is set to the amount of supplicants, accounting optional is disabled, idle-cut is disabled, and no IP address pool is defined.
Note: Ensure that there is neither broadcast nor invalid addresses in the address pool you are configuring. Otherwise, network failures or other problems may occur.
self-service-url disable
By default, self-service server URL is not configured on the switch. Note that, if "?" is contained in the URL, you must replace it with "|" when inputting the URL in the command line. The "Change user password" option is available only when the user passes the authentication; otherwise, this option is in grey and unavailable.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
By default, the user database of the system is empty. If the client user wants to access the FTP Server (S8500 devices) through FTP, the configuration is required.
Where, auto means that the password display mode will be the one specified by the user at the time of configuring password (see the password command in the following table for reference), and cipher-force means that the password display mode of all the accessing users must be in cipher text.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
To do... Set a password for a specified user Remove the password set for the specified user Set the state of the specified user
Use the command... password { simple | cipher } password undo password state { active | block } service-type { ftp [ ftp-directory directory ] | lan-access | ppp [ call-number call-number | callback-nocheck | callback-number callback-number ] | ssh [ level level | telnet | terminal ] | telnet [ level level | ssh | terminal ] | terminal [ level level | ssh | telnet ] } undo service-type { ftp [ ftp-directory directory ] | lan-access | ppp [call-number call-number | callback-nocheck | callback-number callback-number ] | ssh [ level level | telnet | terminal ] | telnet [ level level | ssh | terminal ] | terminal [ level level | ssh | telnet ] } level level undo level attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlanid | location { nas-ip ip-address port portnum | port portnum }* undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*
Set the priority of the specified user Restore the default priority of the specified user
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Note: Among the attribute options in local user view, only access-limit is applicable to telnet and ssh terminal users. Other attributes, such as port binding, VLAN binding, and IP binding, are applicable to only LAN users. When you bind a port to a user, this setting takes effect only when the slot number, the subslot number and the port number exist. When you configure service types telnet, ssh, and terminal, later configuration will overwrite the previous one. In this case, to configure the two or three of them at the same time, you must specify the desired service types in one command at one time. When you configure login path for an FTP user, ensure that the path is available in the standby board. Otherwise, the user may not be able to log in after an active/standby switchover.
By default, users are not authorized to any service, all their priorities are 0.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
As for a VLAN ID that is of string type, a switch compares the VLAN ID delivered by the RADIUS server with the names of the VLANs existing on the switch. If a matching entry is found, the switch adds the port to the corresponding VLAN. Otherwise, the delivery fails and the user fails to pass the authentication.
Note: When configuring a VLAN delivering mode, keep the mode configured on the switch consistent with the mode configured on the Radius Server. For the string delivery mode, the value range of the VLAN name supported by the switch is 1-32 characters. If the name configured on the Radius Server exceeds 32 characters, the delivery will fail. For the string delivery mode, a string that contains numerals only is first interpreted as a number. That is, if the VLAN name delivered by the RADIUS server contains only numerals (such as 1024), and the equivalent integer is within the range 1 to 4,094, the switch takes the VLAN name as an integer and add the authenticated port to the VLAN identified by the integer (In this case, the switch will add the port to VLAN 1024). If the equivalent integer is not within the range 1 to 4,094 (such as string 12345), the RADIUS server fails to deliver the VLAN name; if the all-numeral string contains space, such as 12 345, the first block of non-spaced numbers in the string will be converted into its equivalent integer, namely, integer 12 in this example. Hybrid ports and Trunk ports do not support VLAN delivering; only Access ports support VLAN delivering. If HGMP is enabled in the system, you cannot specify VLAN 2047 as a dynamically delivered VLAN.
Dynamic VLAN delivering configuration includes: Configuring VLAN delivery mode (integer or string) Configuring the name of the delivered VLAN
By default, the integer mode is used. That is, the switch supports the RADIUS server delivering VLAN IDs in integer form.
Huawei Technologies Proprietary 1-13
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Setting RADIUS Server State Setting the Username Format Transmitted to RADIUS Server Setting the Unit of Data Flow that Transmitted to RADIUS Server Configuring the Source Address Used by NAS in RADIUS Packets Setting the Port State of RADIUS Client Configuring a Local RADIUS Authentication Server Among the above tasks, creating RADIUS scheme and setting IP address of RADIUS server are required, while other takes are optional and can be performed as your requirements.
Several ISP domains can use a RADIUS server group at the same time. You can configure up to 16 RADIUS schemes, including the default server group named as System. By default, the system has a RADIUS scheme named system whose attributes are all default values.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
To do... Set IP address and port number of primary RADIUS authentication/authorization or accounting server. Restore IP address and port number of primary RADIUS authentication/authorization or accounting server to the default values. Set IP address and port number of secondary RADIUS authentication/authorization or accounting server. Restore IP address and port number of secondary RADIUS authentication/authorization or accounting server to the default values.
Use the command... primary { accountig | authenticaiton } ip-address [ port-number ] undo primary { accounting | authentication } secondary { accounting | authentication } ip-address [ port-number ] undo secondary { accounting | authentication }
Note: When a user logs into the Quidway S8500 routing switch that is directly connected with the user PC, the switch can obtain the valid VLAN of the user (that is, VLAN the user belongs to). But when the user logs into a Quidway S8500 routing switch that is not directly connected with the user PC (to perform cross-device management, for example), the switch cannot obtain the valid VLAN information of the user, and thus the switch uses the default VLAN ID (VLAN 1) to interact with the authentication server for authentication.
As for the default RADIUS scheme system: The IP address of the primary authentication server is 127.0.0.1, and the UDP port number is 1645. The IP address of the secondary authentication server is 0.0.0.0, and the UDP port number is 1812. The IP address of the primary accounting server is 127.0.0.1, and the UDP port number is 1646 The IP address of the secondary accounting server is 0.0.0.0, and the UDP port number is 1813; As for the newly created RADIUS scheme: The IP address of the primary/secondary authentication server is 0.0.0.0, and the UDP port number of this server is 1812; The IP address of the primary/secondary accounting server is 0.0.0.0, and the UDP port number of this server is 1813; In real networking environments, the above parameters shall be set according to the specific requirements. For example, you may specify 4 groups of different data to map 4 RADIUS servers, or specify one of the two servers as primary
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
authentication/authorization server and secondary accounting server and the other one as secondary authentication/authorization server and primary accounting server, or you may also set 4 groups of exactly same data so that every server serves as a primary and secondary AAA server. To guarantee the normal interaction between NAS and RADIUS server, make sure a route is available between RADIUS/HWTACACS server and NAS before setting IP address and UDP port of the RADIUS server and IP address and TCP port of the HWTACACS server. In addition, because RADIUS/HWTACACS protocol uses different ports to receive/transmit authentication/authorization and accounting packets, you shall set two different ports accordingly. Suggested by RFC2138/2139, authentication/authorization port number is 1812 and accounting port number is 1813. However, you may use values other than the suggested ones. (Especially for some earlier RADIUS/HWTACACS Servers, authentication/authorization port number is often set to 1645 and accounting port number is 1646.) The RADIUS/HWTACACS service port settings on Quidway series switches are supposed to be consistent with the port settings on RADIUS server. Normally, RADIUS accounting service port is 1813 and the authentication/authorization service port is 1812.
Note: For an S8500 routing switch, the default RADIUS scheme authentication/authorization port is 1645, the accounting port is 1646. And port 1812 and 1813 are for other schemes.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
To do... Set RADIUS accounting packet encryption key Restore the default RADIUS accounting packet encryption key
By default, the encryption keys of RADIUS authentication/authorization and accounting packets are all null.
By default, the local RADIUS server is enabled, and port 1645 and port 1646 are enabled.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
1.3.6 Setting the Maximum Retry Times for RADIUS Request Packets
Because RADIUS Protocol carries data through UDP packets, its communication process is not reliable. If the RADIUS Server does not respond to the NAS within the time specified by the response timeout timer, it is necessary for the NAS to retry sending the RADIUS request packets to the RADIUS Server. If the number of retry times exceeds maximum retry times while the RADIUS Server still does not respond, the NAS will assume its communication with the current RADIUS Server to have been cut off and will send request packets to another RADIUS Server. Use the following commands to set the maximum retry times of sending RADIUS request packets. Perform the following operations in RADIUS scheme view to configure the maximum retry times of sending RADIUS request packets: To do... Set the maximum retry times of sending RADIUS request packets Restore the maximum retry times of sending RADIUS request packets to the default value Use the command... retry retry-times undo retry
The default value of the response timeout timer of a RADIUS server is 3 seconds.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Note: When a RADIUS server (such as CAMS) uses huawei RADIUS protocol to dynamically assign upstream rate to each user, you must use self-defined flow template with the SMAC field on the access ports of users. Otherwise, traffic limit cannot be performed properly for each user.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
minute specifies the real-time accounting interval in minutes. The value shall be a multiple of 3. The value of minute is related to the performance of NAS and RADIUS server. The smaller the value is, the higher the performances of NAS and RADIUS are required. When there are a large amount of users (more than 1000, inclusive), we suggest a larger value. The following table recommends the ratio of minute value to the number of users. Table 1-2 Recommended real-time accounting intervals for different number of users Number of users 1 to 99 100 to 499 500 to 999 3 6 12 Real-time accounting interval in minutes
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
1.3.12 Setting the Maximum Times of Real-time Accounting Request Failing to be Responded
RADIUS server usually checks if a user is online with timeout timer. If the RADIUS server has not received the real-time accounting packet from NAS for long, it will consider that there is device failure and stop accounting. Accordingly, it is necessary to disconnect the user at NAS end and on RADIUS server synchronously when some unpredictable failure exists. Quidway Series Switches support to set maximum times of real-time accounting request failing to be responded. NAS will disconnect the user if it has not received real-time accounting response from RADIUS server for some specified times. You can use the following command to set the maximum times of real-time accounting request failing to be responded. Perform the following operations in RADIUS scheme view to configure the maximum times of real-time accounting request failing to be responded To do... Set maximum times of real-time accounting request failing to be responded Restore the maximum times to the default value Use the command... retry realtime-accounting retry-times undo retry realtime-accounting
How to calculate the value of retry-times? Suppose that RADIUS server connection will timeout in T and the real-time accounting interval of NAS is t, then the integer part of the result from dividing T by t is the value of count. Therefore, when applied, T is suggested the numbers which can be divided exactly by t. By default, the real-time accounting request can fail to be responded no more than 5 times.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
responds or discards the messages after transmitting for specified times. You can use the following command to set whether or not to save the stop-accounting requests. Perform the following operations in RADIUS scheme view to enable/disable stop-accounting request buffer: To do... Enable stop-accounting request buffer Disable stop-accounting request buffer Use the command... stop-accounting-buffer enable undo stop-accounting-buffer enable
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
To do... Set the Supported Type of RADIUS Server Restore the Supported Type of RADIUS Server to the default setting
By default, the newly created RADIUS scheme supports the server of standard type, while the default RADIUS scheme system supports the server of huawei type
By default, the state of each server in RADIUS scheme server group is active.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
you have to remove the domain name before sending the username to the RADIUS server. The following command of switch decides whether the username to be sent to RADIUS server carries ISP domain name or not. Perform the following operations in RADIUS scheme view to configure the username format transmitted to RADIUS server: To do... Set Username Format Transmitted to RADIUS Server Use the command... user-name-format { with-domain | without-domain }
Note: If a RADIUS scheme is configured not to allow usernames including ISP domain names, the RADIUS scheme shall not be simultaneously used in more than one ISP domain. Otherwise, the RADIUS server will regard two users in different ISP domains as the same user by mistake, if they have the same username (excluding their respective domain names.)
By default, as for the newly created RADIUS scheme, the username sent to RADIUS servers includes an ISP domain name; as for the default RADIUS scheme system, the username sent to RADIUS servers excludes the ISP domain name.
1.3.18 Setting the Unit of Data Flow that Transmitted to RADIUS Server
The following command defines the unit of the data flow sent to RADIUS server. Perform the following operations in RADIUS scheme view to configure the unit of data flow transmitted to RADIUS server: To do... Set the unit of data flow transmitted to RADIUS server Restore the unit to the default setting Use the command... data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } } | { packet { giga-packet | kilo-packet | mega-packet | one-packet } } undo data-flow-format
By default, the default data unit is byte and the default data packet unit is one packet.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
To do... Configure the source address used by the NAS in RADIUS packets (RADIUS scheme view) Cancel the configured source address used by the NAS in RADIUS packets (RADIUS scheme view) Configure the source address used by the NAS in RADIUS packets (System view) Cancel the configured source address used by the NAS in RADIUS packets (System view)
Use the command... nas-ip ip-address undo nas-ip radius nas-ip ip-address [ vpn-instance vpn-instance-name ] undo radius nas-ip [ vpn-instance vpn-instance-name ]
The effect of the two commands is the same. However, the configuration done in RADIUS scheme view has a higher priority than the configuration done in system view. By default, no source address is specified, that is to say, the interface from which a packet is sent is regarded as the source address of the packet.
The port 1812 of the RADIUS client is enabled by default. If the port 1812 is disabled, all the UDP packets whose destination port is port 1812 will be dropped, so the remote RADIUS service cannot be used.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
By default, the IP address of local RADIUS authentication server group is 127.0.0.1 and the password is null. When using local RADIUS server function, note that, The number of UDP port used for authentication/authorization is 1645 and that for accounting is 1646. The password configured by local-server command must be the same as that of the RADIUS authentication/authorization packet configured by the command key authentication in radius scheme view. S8500 series serving as local RADIUS authentication servers currently only support the CHAP and PAP authentication modes; they do not support the EAP mode.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Note: Pay attention to the following when configuring a TACACS server: HWTACACS server does not check whether a scheme is being used by users when changing most of HWTACACS attributes, unless you delete the scheme. By default, the TACACS server has no key.
In the above configuration tasks, creating HWTACACS scheme and configuring TACACS authentication/authorization server are required; all other tasks are optional and you can determine whether to perform these configurations as needed.
By default, no HWTACACS scheme exists. If the HWTACACS scheme you specify does not exist, the system creates it and enters HWTACACS view. In HWTACACS view, you can configure the HWTACACS scheme specifically. The system supports up to 16 HWTACACS schemes. You can only delete the schemes that are not being used.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
The primary and secondary authentication servers cannot use the same IP address. The default port number is 49. If you execute this command repeatedly, the new settings will replace the old settings. A TACACS scheme authentication server can be deleted only when no Active TCP connection used to send authentication packets is using the server.
Note: If only authentication and accounting servers are configured and no authorization server is configured, both authentication and accounting can be performed normally for the FTP, Telnet, and SSH users, but the priority of these users is 0 (that is, the lowest privilege level) by default,
The primary and secondary authorization servers cannot use the same IP address. The default port number is 49. If you execute this command repeatedly, the new settings will replace the old settings.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Do not configure the same IP address for the primary accounting server and the secondary accounting server. Otherwise, an error occurs. By default, a TACACS accounting server uses an all-zero IP address and port 49. If you execute the primary accounting or secondary accounting command repeatedly, the newly configured settings overwrite the corresponding existing settings. You can delete a TACACS scheme only when no Active TCP connection used to send authentication packets uses the server.
By default, stop-accounting packet retransmission is enabled, and the maximum number of transmission attempts is 300.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
1.4.5 Configuring the Source Address for HWTACACS Packets Sent by NAS
Perform the following operations in the corresponding view to configure the source address for HWTACACS packets sent by the NAS: To do... Configure the source address for HWTACACS packets sent from the NAS (HWTACACS view) Delete the configured source address for HWTACACS packets sent from the NAS (HWTACACS view) Configure the source address for HWTACACS packets sent from the NAS (System view) Cancel the configured source address for HWTACACS packets sent from the NAS (System view) Use the command... nas-ip ip-address undo nas-ip hwtacacs nas-ip ip-address undo hwtacacs nas-ip
The HWTACACS view takes precedence over the system view when configuring the source address for HWTACACS packets sent from the NAS. By default, the source address is not specified, and the virtual interface of the VLAN that contains the port to which the server connects for packet sending is used as the source address.
1.4.6 Setting a Key for Securing the Communication with TACACS Server
When using a TACACS server as an AAA server, you can set a key to improve the communication security between the switch and the TACACS server. Perform the following operations in HWTACACS view to set/cancel a key for securing the communication with the HWTACACS server: To do... Configure a key for securing the communication with the accounting, authorization or authentication server Delete the configuration Use the command... key { accounting | authorization | authentication } string undo key { accounting | authorization | authentication }
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Perform the following operations in HWTACACS view to configure the username format acceptable to the TACACS server: To do... Send username with domain name Send username without domain name Use the command... user-name-format with-domain user-name-format without-domain
1.4.8 Setting the Unit of Data Flows Destined for the TACACS Server
Perform the following operations in HWTACACS view to configure the unit of data flows destined for the TACACS server: To do... Set the unit of data flows destined for the TACACS server Restore the default unit of data flows destined for the TACACS server Use the command... data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet } undo data-flow-format { data | packet }
II. Setting the quiet timer for the primary TACACS server
Perform the following operations in HWTACACS view to configure the quiet timer for the primary TACACS server:
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
To do... Set the quiet timer for the primary TACACS server Restore the default setting
The timer quiet command is used to make the switch ignore users' requests for server within the time configured in this command in case the communication between the switch and the server is terminated. In that case, the switch can send users' requests to the server only after it has waited a time no less than the time configured with this command for the communication to be resumed. By default, the primary TACACS server must wait five minutes before it can resume the active state. The time ranges from 1 to 255.
The interval is in minutes and must be a multiple of 3. The setting of real-time accounting interval somewhat depends on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. You are therefore recommended to adopt a longer interval when there are a large number of users (more than 1000, inclusive). The following table lists the numbers of users and the recommended intervals. Table 1-3 Numbers of users and the recommended intervals Number of users 1 to 99 100 to 499 500 to 999 1000 3 6 12 15 Real-time accounting interval (in minutes)
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
display connection [ access-type { dot1x | gcm } | domain domain-name | hwtacacs-scheme hwtacacs-scheme-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name ] display local-user [ domain isp-name | idle-cut { disable | enable } | service-type { ftp | lan-access | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlanid ] display local-server { statistics | nas-ip }
Display the statistics of local RADIUS server group Display the configuration information of all the RADIUS server groups or a specified one Display all global NAS-IP information configured in system view Display the statistics of RADIUS packets Display the stop-accounting requests saved in buffer without response Reset the statistics of RADIUS server Display the specified or all the HWTACACS schemes
display radius statistics display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } reset radius statistics display hwtacacs [ hwtacacs-scheme-name ]
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
To do... Display the HWTACACS stop-accounting requests saved in buffer without response Delete the stop-accounting requests saved in buffer without response Delete the HWTACACS stop-accounting requests saved in buffer without response Reset the statistics of HWTACACS server Enable RADIUS packet debugging Disable RADIUS packet debugging Enable debugging of local RADIUS authentication server Disable debugging of local RADIUS authentication server Enable HWTACACS debugging Disable HWTACACS debugging
Use the command... display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name reset hwtacacs statistics { accounting | authentication | authorization | all } debugging radius packet undo debugging radius packet debugging local-server { all | error | event | packet } undo debugging local-server { all | error | event | packet } debugging hwtacacs { all | error | event | message | receive-packet | send-packet } undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
Available in user view Available in user view Available in user view Available in user view Available in user view Available in user view Available in user view
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Table 1-4 Enable/disable the anti-attack function of packets To do... Enable/disable the anti-attack function of packets Use the command... anti-attack { arp | dot1x | ip } { disable | enable }
The anti-attack function of IP packets is enabled while the anti-attack function of ARP packets and dot1x packets are disabled by default.
Note: Configuring Telnet user authentication at the remote server is similar to configuring FTP users. The following description is based on Telnet users.
I. Network requirements
In the environment as illustrated in the following figure, it is required to achieve through proper configuration that the RADIUS server authenticates the Telnet users to be registered. One RADIUS server (as authentication server) is connected to the switch and the server IP address is 10.110.91.164. The password for exchanging messages between the switch and the authentication server is expert. The switch cuts off domain name from username and sends the left part to the RADIUS server.
Figure 1-4 Network diagram for the remote RADIUS authentication of Telnet users
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Omitted
Note: For details about configuring FTP and Telnet users, refer to FTP and TFTP Operation part in S8500 Series Routing Switches Operation Manual.
# Configure remote authentication mode for Telnet user, i.e. Scheme mode.
[Quidway-ui-vty0-4] authentication-mode scheme
Note: If RADIUS authentication is adopted for FTP user, you need to set server-type to huawei in the corresponding RADIUS scheme so that the huawei RADIUS protocol is used. Otherwise, user directory attributes cannot be obtained correctly.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Note: For details about local RADIUS authentication of Telnet/FTP users, refer to Setting the Port State of RADIUS Client.
Note: For configurations of FTP and Telnet users, refer to FTP and TFTP Operation in S8500 Series Routing Switches Operation Manual.
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
Operation Manual AAA RADIUS HWTACACS Quidway S8500 Series Routing Switches
The IP address of the corresponding RADIUS/HWTACACS server may not have been set on NAS. Please set a proper IP address for RADIUS/HWTACACS server. Ports of authentication/authorization and accounting services may not be set properly. So make sure they are consistent with the ports provided by RADIUS/HWTACACS server.
III. Symptom: After being authenticated and authorized, the user cannot send charging bill to the RADIUS/HWTACACS server.
Solution: The accounting port number may be set improperly. Please set a proper number. The accounting service and authentication/authorization service are provided on different servers, but NAS requires the services to be provided on one server (by specifying the same IP address). So please make sure the server settings on the NAS are consistent with the actual conditions.