Quidway S3000 Series Operation Manual Download Page 18

Page: 18 / 37

Operation Manual - Security
Quidway S3000 Series Ethernet Switches

Chapter 2 AAA and RADIUS Protocol Configuration

2-3

Internet

S3000 series

PC user1

PC user2

PC user3

PC user4

S3000 series

S2000-SI series

ISP1

ISP2

Internet

Authentication

Server

Accounting

Server

Authentication

Server

Accounting

Server1

Accounting

Server2

Internet

PC user1

PC user2

PC user3

PC user4

ISP1

ISP2

Internet

Authentication

Server

Accounting

Server

Authentication

Server

Accounting

Server1

Accounting

Server2

Figure 2-1

Networking when S3000 Series Ethernet switches applying RADIUS authentication

2.2 Configure AAA

AAA configuration includes:

Create/Delete ISP Domain

Configure Relevant Attributes of ISP Domain

Create a local user

Set attributes of local user

Disconnect a user by force

Among the above configuration tasks, creating ISP domain is compulsory, otherwise

the supplicant attributes cannot be distinguished. The other tasks are optional. You can

configure them at requirements.

2.2.1 Create/Delete ISP Domain

What is Internet Service Provider (ISP) domain? To make it simple, ISP domain is a

group of users belonging to the same ISP. Generally, for a username in the

userid@isp-name format, taking [email protected] as an example, the

isp-name (i.e. huawei163.net) following the @ is the ISP domain name. When Quidway

Series Ethernet Switches control user access, as for an ISP user whose username is in

userid@isp-name format, the system will take userid part as username for identification

and take isp-name part as domain name.

The purpose of introducing ISP domain settings is to support the multi-ISP application

environment. In such environment, one access device might access users of different

ISP. Because the attributes of ISP users, such as username and password formats, etc,

may be different, it is necessary to differentiate them through setting ISP domain. In

Summary of Contents for S3000 Series

Page 1: ...message retransmission 1 7 1 2 9 Set the handshake period of 802 1x 1 8 1 2 10 Configure Timers 1 8 1 2 11 Enable Disable quiet period Timer 1 9 1 3 Display and Debug 802 1x 1 9 1 4 802 1x Configuration Example 1 10 Chapter 2 AAA and RADIUS Protocol Configuration 2 1 2 1 AAA and RADIUS Protocol Overview 2 1 2 1 1 AAA Overview 2 1 2 1 2 RADIUS Protocol Overview 2 1 2 1 3 Implement AAA RADIUS on Eth...

Page 2: ...smitted to RADIUS Server 2 15 2 3 13 Set the Unit of Data Flow that Transmitted to RADIUS Server 2 15 2 3 14 Configure Local RADIUS Server Group 2 16 2 4 Display and Debug AAA and RADIUS Protocol 2 16 2 5 AAA and RADIUS Protocol Configuration Examples 2 17 2 5 1 Configuring FTP Telnet User Authentication at Remote RADIUS Server 2 17 2 5 2 Configuring FTP Telnet User Authentication at Local RADIUS ...

Page 3: ...ice etc the LAN providers generally hope to control the user s access In these cases the requirement on the above mentioned Port Based Network Access Control originates As the name implies Port Based Network Access Control means to authenticate and control all the accessed devices on the port of LAN access control device If the user s device connected to the port can pass the authentication the us...

Page 4: ...s to go through the complicated network to reach the Authentication Server Such procedure is called EAP Relay There are two types of ports for the Authenticator One is the Uncontrolled Port and the other is the Controlled Port The Uncontrolled Port is always in bi directional connection state The user can access and share the network resources any time through the ports The Controlled Port will be...

Page 5: ...re the AAA scheme by selecting RADIUS or local authentication so as to assist 802 1x to implement the user ID authentication For detailed description of AAA refer to the corresponding AAA configuration 1 1 4 Implement 802 1x on Ethernet Switch Quidway Series Ethernet Switches not only support the port access authentication method regulated by 802 1x but also extend and optimize it in the following...

Page 6: ... requirements 1 2 1 Enable Disable 802 1x The following commands can be used to enable disable the 802 1x on the specified port When no port is specified in system view the 802 1x is enabled disabled globally Perform the following configurations in system view or Ethernet port view Table 1 1 Enable Disable 802 1x Operation Command Enable the 802 1x dot1x interface interface list Disable the 802 1x...

Page 7: ... state and permit the user to access the network resources This is the most common case 1 2 3 Set Port Access Control Method The following commands are used for setting 802 1x access control method on the specified port When no port is specified in system view the access control method of port is configured globally Perform the following configurations in system view or Ethernet port view Table 1 ...

Page 8: ... in system view or Ethernet port view Table 1 5 Set maximum number of users via specified port Operation Command Set maximum number of users via specified port dot1x max user user number interface interface list Restore the maximum number of users on the port to the default value undo dot1x max user interface interface list By default 802 1x allows up to 256 supplicants on each port for S3000 Seri...

Page 9: ...02 1x user Operation Command Configure authentication method for 802 1x user dot1x authentication method chap pap eap md5 challenge Restore the default authentication method for 802 1x user undo dot1x authentication method By default CHAP authentication is used for 802 1x user authentication 1 2 8 Set the Maximum times of authentication request message retransmission The following commands are use...

Page 10: ...commands are used for configuring the 802 1x timers Perform the following configurations in system view Table 1 10 Configure timers Operation Command Configure timers dot1x timer quiet period quiet period value tx period tx period value supp timeout supp timeout value server timeout server timeout value Restore default settings of the timers undo dot1x timer quiet period tx period supp timeout ser...

Page 11: ... period value is 60s the tx period value is 30s the supp timeout value is 30s the server timeout value is 100s 1 2 11 Enable Disable quiet period Timer You can use the following commands to enable disable a quiet period timer of an Authenticator which can be a Quidway Series Ethernet Switch If an 802 1x user has not passed the authentication the Authenticator will keep quiet for a while which is s...

Page 12: ... response from the RADIUS server local authentication will be performed For accounting if the RADIUS server fails to account the user will be disconnected In addition when the user is accessed the domain name does not follow the user name Normally if the user s traffic is less than 2kbps consistently over 20 minutes he will be disconnected A server group consisting of two RADIUS servers at 10 11 1...

Page 13: ...refer to the chapter AAA and RADIUS Protocol Configuration The configurations of accessing user workstation and the RADIUS server are omitted Enable the 802 1x performance on the specified port Ethernet 0 1 Quidway dot1x interface ethernet 0 1 Set the access control mode This command could not be configured when it is configured as MAC based by default Quidway dot1x port method macbased interface ...

Page 14: ...he system to transmit real time accounting packets to the RADIUS server Quidway radius radius1 timer realtime accounting 15 Configure the system to transmit the user name to the RADIUS server after removing the domain name Quidway radius radius1 user name format without domain Quidway radius radius1 quit Create the user domain huawei163 net and enters isp configuration mode Quidway domain huawei16...

Page 15: ...curity Quidway S3000 Series Ethernet Switches Chapter 1 802 1x Configuration 1 13 Quidway luser localuser service type lan access Quidway luser localuser password simple localpass Enable the 802 1x globally Quidway dot1x ...

Page 16: ...horizes the user with specified services z Accounting traces network resources consumed by the user Generally applying Client Server architecture in which client ends run as managed sources and the servers centralize and store user information AAA framework owns the good scalability and is easy to realize the control and centralized management of user information 2 1 2 RADIUS Protocol Overview As ...

Page 17: ...on with UDP packets During the interaction both sides encrypt the packets with keys before uploading user configuration information like password etc to avoid being intercepted or stolen II RADIUS operation RADIUS server generally uses proxy function of the devices like access server to perform user authentication The operation process is as follows First the user send request message the client u...

Page 18: ...reating ISP domain is compulsory otherwise the supplicant attributes cannot be distinguished The other tasks are optional You can configure them at requirements 2 2 1 Create Delete ISP Domain What is Internet Service Provider ISP domain To make it simple ISP domain is a group of users belonging to the same ISP Generally for a username in the userid isp name format taking gw20010608 huawei163 net a...

Page 19: ...evant attributes of ISP domain include the adopted RADIUS server group state and maximum number of supplicants Where z The adopted RADIUS server group is the one used by all the users in the ISP domain The RADIUS server group can be used for RADIUS authentication or accounting By default the default RADIUS server group is used The command shall be used together with the commands of setting RADIUS ...

Page 20: ...is chapter the state of domain is active there is no limit to the amount of supplicants and disable the idle cut configure 2 2 3 Create a Local User A local user is a group of users set on NAS The username is the unique identifier of a user A supplicant requesting network service may use local authentication only if its corresponding local user has been added onto NAS Perform the following configu...

Page 21: ...Set the state of the specified user state active block Set a service type for the specified user For S3026 service type telnet level level ftp ftp directory directory lan access Cancel the service type of the specified user For S3026 undo service type telnet level ftp ftp directory lan access Set a service type for the specified user Except S3026 service type ftp ftp directory directory lan access...

Page 22: ... parameters using for information interaction between NAS and RADIUS Server To make these parameters effective it is necessary to configure in the view an ISP domain to use the RADIUS server group and specify it to use RADIUS AAA schemes For more about the configuration commands refer to the AAA Configuration section above RADIUS protocol configuration includes z Create Delete a RADIUS server grou...

Page 23: ...alues will be introduced in the following text 2 3 2 Set IP Address and Port Number of RADIUS Server After creating a RADIUS server group you are supposed to set IP addresses and UDP port numbers for the RADIUS servers including primary second authentication authorization servers and accounting servers So you can configure up to 4 groups of IP addresses and UDP port numbers However at least you ha...

Page 24: ...imary and second AAA server To guarantee the normal interaction between NAS and RADIUS server you are supposed to guarantee the normal routes between RADIUS server and NAS before setting IP address and UDP port of the RADIUS server In addition because RADIUS protocol uses different UDP ports to receive transmit authentication authorization and accounting packets you shall set two different ports a...

Page 25: ...n authorization or accounting request packet has been transmitted for a period of time if NAS has not received the response from RADIUS server it has to retransmit the request to guarantee RADIUS service for the user You can use the following command to set response timeout timer of RADIUS server Perform the following configurations in RADIUS server group view Table 2 10 Set response timeout timer...

Page 26: ...n of online users to the RADIUS server regularly You can use the following command to set a real time accounting interval Perform the following configurations in RADIUS server group view Table 2 12 Set a real time accounting interval Operation Command Set a real time accounting interval timer realtime accounting minute Restore the default value of the interval undo timer realtime accounting minute...

Page 27: ...imes You can use the following command to set the maximum times of real time accounting request failing to be responded Perform the following configurations in RADIUS server group view Table 2 14 Set maximum times of real time accounting request failing to be responded Operation Command Set maximum times of real time accounting request failing to be responded retry realtime accounting retry times ...

Page 28: ...t will be saved in the buffer 2 3 9 Set the Maximum Retransmitting Times of Stopping Accounting Request Because the stopping accounting request concerns account balance and will affect the amount of charge which is very important for both the subscribers and the ISP NAS shall make its best effort to send the message to RADIUS accounting server Accordingly if the message from Quidway Series Etherne...

Page 29: ...entication authorization server or accounting server if the primary is disconnected to NAS for some fault NAS will automatically turn to exchange packets with the second server However after the primary one recovers NAS will not resume the communication with it at once instead it continues communicating with the second one When the second one fails to communicate NAS will turn to the primary one a...

Page 30: ...user name format with domain without domain Note If a RADIUS server group is configured not to allow usernames including ISP domain names the RADIUS server group shall not be simultaneously used in more than one ISP domain Otherwise the RADIUS server will regard two users in different ISP domains as the same user by mistake if they have the same username excluding their respective domain names By ...

Page 31: ...used for authentication is 1645 and that for authorization is 1646 2 4 Display and Debug AAA and RADIUS Protocol After the above configuration execute display command in any view to display the running of the AAA and RADIUS configuration and to verify the effect of the configuration Execute reset command in user view to reset AAA and RADIUS configuration Execute debugging command in user view to d...

Page 32: ...ing of localRADIUS server group debugging local server all error event packet Disable debugging of localRADIUS server group undo debugging local server all error event packet 2 5 AAA and RADIUS Protocol Configuration Examples For the hybrid configuration example of AAA RADIUS protocol and 802 1x protocol refer to Configuration Example in 802 1x Configuration It will not be detailed here 2 5 1 Conf...

Page 33: ...I Configurtion Schedule Add a Telnet user Omitted Note For details about configuring FTP and Telnet users refer to User Interface Configuration in Getting Started Configure remote authentication mode for the Telnet user i e scheme mode Quidway ui vty0 4 authentication mode scheme Configure domain Quidway domain cams Quidway isp cams quit Configure RADIUS scheme Quidway radius scheme cams Quidway r...

Page 34: ...cation of Telnet FTP users refer to Configuring local RADIUS Server Group 2 6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting RADIUS protocol of TCP IP protocol suite is located on the application layer It mainly specifies how to exchange user information between NAS and RADIUS server of ISP So it is very likely to be invalid z Fault one User authentication authorization always fails T...

Page 35: ... well So please ensure the lines work well z The IP address of the corresponding RADIUS server may not have been set on NAS Please set a proper IP address for RADIUS server z UDP ports of authentication authorization and accounting services may not be set properly So make sure they are consistent with the ports provided by RADIUS server z Fault three After being authenticated and authorized the us...

Page 36: ...s is possible HABP includes HABP server and HABP client In general the server regularly sends HABP request packets to the client to collect the MAC addresses of the member switches while the client responds to the request packets and forwards them to the lower level switches HABP server is often enabled at the management switch while HABP client is at the member switches HABP attribute had better ...

Page 37: ... the default HABP mode is client you only need to enable HABP attribute at a switch Please perform the following operations in system view Table 3 2 Configuring HABP client Operation Command Enable HABP attribute habp enable Restore HABP to the default value undo habp enable By default HABP attribute is disabled at a switch 3 3 Displaying and Debugging HABP Attribute After the above configurations...

Search results

Summary of Contents for S3000 Series

Reviews:

Related manuals for S3000 Series

Brands by name

Popular brands

Quidway S3000 Series, Operation Manual

Search results

Summary of Contents for S3000 Series

Reviews:

Related manuals for S3000 Series

Brands by name

Popular brands