manualshive.com logo in svg

Quidway S3000 Series, Operation Manual

The Philips S3000 Series is a high-quality grooming product designed for precise and effortless facial hair trimming. Ensure maximum performance and optimal usage of your device by downloading the free user manual from manualshive.com. This manual provides detailed instructions and helpful tips for a seamless grooming experience.

Share
Download
background image

Operation Manual - Security 
Quidway S3000 Series Ethernet Switches

 

Chapter 2  AAA and RADIUS Protocol Configuration

 

2-16

 

2.3.14  Configure Local RADIUS Server Group 

RADIUS service, which adopts authentication/authorization/accounting servers to 

manage users, is widely used in Huawei Quidway series switches. Besides, local 

authentication/authorization/accounting service is also used in these products and it is 

called local RADIUS function, i.e. realize basic RADIUS function on the switch.  

Perform the following commands in system view to create/delete local RADIUS server 

group. 

Table 2-21

 

Create/Delete local RADIUS server group 

Operation Command 

Create local RADIUS server group 

and enter its view 

local-radius nas-ip 

ip-address  

key

 password

 

Delete local RADIUS server group 

undo local-radius nas-ip 

ip-address  

 

 

By default, the IP address of local RADIUS server group is 127.0.0.1 and the password 

is Huawei. 

When using local RADIUS server function of Huawei, remember the number of UDP 

port used for authentication is 1645 and that for authorization is 1646. 

2.4  Display and Debug AAA and RADIUS Protocol 

After the above configuration, execute

 display 

command in any view to display the 

running of the AAA and RADIUS configuration, and to verify the effect of the 

configuration. Execute 

reset

 command in user view to reset AAA and RADIUS 

configuration . Execute 

debugging

 command in user view to debug AAA and RADIUS. 

Table 2-22

 

Display and debug AAA and RADIUS protocol  

Operation

 

Command

 

Display the configuration information of 

the specified or all the ISP domains.

 

display domain

 [ 

isp-name

 ]

 

Display related information of user’s 

connection

 

display connection 

{

 access-type

 { 

dot1x 

gcm 

} | 

domain 

isp-name

 

|

 interface 

interface-type 

interface-number

 

|

 ip 

ip-address

 |

 mac 

mac-address

 

|

 

radius-scheme 

radius-scheme-name

 

vlan 

vlanid

 

|

 

ucibindex 

ucib-index

 

|

 user-name 

user-name

 

}

 

Display related information of the local 

user ( All S3000 series switches 

support SSH except S3026)

 

display local-user

 [ 

domain

 

isp-name

 | 

idle-cut

 { 

disable

 | 

enable

 } | 

service-type

 { 

telnet

 | 

ftp

 | 

lan-access

 | 

ssh

 } | 

state

 { 

active

 | 

block

 } | 

user-name

 

user-name

 | 

vlan

 

vlan

-id 

]

 

Display information of local RADIUS 

server group 

display local-server statistics 

Summary of Contents for S3000 Series

Page 1: ...message retransmission 1 7 1 2 9 Set the handshake period of 802 1x 1 8 1 2 10 Configure Timers 1 8 1 2 11 Enable Disable quiet period Timer 1 9 1 3 Display and Debug 802 1x 1 9 1 4 802 1x Configuration Example 1 10 Chapter 2 AAA and RADIUS Protocol Configuration 2 1 2 1 AAA and RADIUS Protocol Overview 2 1 2 1 1 AAA Overview 2 1 2 1 2 RADIUS Protocol Overview 2 1 2 1 3 Implement AAA RADIUS on Eth...

Page 2: ...smitted to RADIUS Server 2 15 2 3 13 Set the Unit of Data Flow that Transmitted to RADIUS Server 2 15 2 3 14 Configure Local RADIUS Server Group 2 16 2 4 Display and Debug AAA and RADIUS Protocol 2 16 2 5 AAA and RADIUS Protocol Configuration Examples 2 17 2 5 1 Configuring FTP Telnet User Authentication at Remote RADIUS Server 2 17 2 5 2 Configuring FTP Telnet User Authentication at Local RADIUS ...

Page 3: ...ice etc the LAN providers generally hope to control the user s access In these cases the requirement on the above mentioned Port Based Network Access Control originates As the name implies Port Based Network Access Control means to authenticate and control all the accessed devices on the port of LAN access control device If the user s device connected to the port can pass the authentication the us...

Page 4: ...s to go through the complicated network to reach the Authentication Server Such procedure is called EAP Relay There are two types of ports for the Authenticator One is the Uncontrolled Port and the other is the Controlled Port The Uncontrolled Port is always in bi directional connection state The user can access and share the network resources any time through the ports The Controlled Port will be...

Page 5: ...re the AAA scheme by selecting RADIUS or local authentication so as to assist 802 1x to implement the user ID authentication For detailed description of AAA refer to the corresponding AAA configuration 1 1 4 Implement 802 1x on Ethernet Switch Quidway Series Ethernet Switches not only support the port access authentication method regulated by 802 1x but also extend and optimize it in the following...

Page 6: ... requirements 1 2 1 Enable Disable 802 1x The following commands can be used to enable disable the 802 1x on the specified port When no port is specified in system view the 802 1x is enabled disabled globally Perform the following configurations in system view or Ethernet port view Table 1 1 Enable Disable 802 1x Operation Command Enable the 802 1x dot1x interface interface list Disable the 802 1x...

Page 7: ... state and permit the user to access the network resources This is the most common case 1 2 3 Set Port Access Control Method The following commands are used for setting 802 1x access control method on the specified port When no port is specified in system view the access control method of port is configured globally Perform the following configurations in system view or Ethernet port view Table 1 ...

Page 8: ... in system view or Ethernet port view Table 1 5 Set maximum number of users via specified port Operation Command Set maximum number of users via specified port dot1x max user user number interface interface list Restore the maximum number of users on the port to the default value undo dot1x max user interface interface list By default 802 1x allows up to 256 supplicants on each port for S3000 Seri...

Page 9: ...02 1x user Operation Command Configure authentication method for 802 1x user dot1x authentication method chap pap eap md5 challenge Restore the default authentication method for 802 1x user undo dot1x authentication method By default CHAP authentication is used for 802 1x user authentication 1 2 8 Set the Maximum times of authentication request message retransmission The following commands are use...

Page 10: ...commands are used for configuring the 802 1x timers Perform the following configurations in system view Table 1 10 Configure timers Operation Command Configure timers dot1x timer quiet period quiet period value tx period tx period value supp timeout supp timeout value server timeout server timeout value Restore default settings of the timers undo dot1x timer quiet period tx period supp timeout ser...

Page 11: ... period value is 60s the tx period value is 30s the supp timeout value is 30s the server timeout value is 100s 1 2 11 Enable Disable quiet period Timer You can use the following commands to enable disable a quiet period timer of an Authenticator which can be a Quidway Series Ethernet Switch If an 802 1x user has not passed the authentication the Authenticator will keep quiet for a while which is s...

Page 12: ... response from the RADIUS server local authentication will be performed For accounting if the RADIUS server fails to account the user will be disconnected In addition when the user is accessed the domain name does not follow the user name Normally if the user s traffic is less than 2kbps consistently over 20 minutes he will be disconnected A server group consisting of two RADIUS servers at 10 11 1...

Page 13: ...refer to the chapter AAA and RADIUS Protocol Configuration The configurations of accessing user workstation and the RADIUS server are omitted Enable the 802 1x performance on the specified port Ethernet 0 1 Quidway dot1x interface ethernet 0 1 Set the access control mode This command could not be configured when it is configured as MAC based by default Quidway dot1x port method macbased interface ...

Page 14: ...he system to transmit real time accounting packets to the RADIUS server Quidway radius radius1 timer realtime accounting 15 Configure the system to transmit the user name to the RADIUS server after removing the domain name Quidway radius radius1 user name format without domain Quidway radius radius1 quit Create the user domain huawei163 net and enters isp configuration mode Quidway domain huawei16...

Page 15: ...curity Quidway S3000 Series Ethernet Switches Chapter 1 802 1x Configuration 1 13 Quidway luser localuser service type lan access Quidway luser localuser password simple localpass Enable the 802 1x globally Quidway dot1x ...

Page 16: ...horizes the user with specified services z Accounting traces network resources consumed by the user Generally applying Client Server architecture in which client ends run as managed sources and the servers centralize and store user information AAA framework owns the good scalability and is easy to realize the control and centralized management of user information 2 1 2 RADIUS Protocol Overview As ...

Page 17: ...on with UDP packets During the interaction both sides encrypt the packets with keys before uploading user configuration information like password etc to avoid being intercepted or stolen II RADIUS operation RADIUS server generally uses proxy function of the devices like access server to perform user authentication The operation process is as follows First the user send request message the client u...

Page 18: ...reating ISP domain is compulsory otherwise the supplicant attributes cannot be distinguished The other tasks are optional You can configure them at requirements 2 2 1 Create Delete ISP Domain What is Internet Service Provider ISP domain To make it simple ISP domain is a group of users belonging to the same ISP Generally for a username in the userid isp name format taking gw20010608 huawei163 net a...

Page 19: ...evant attributes of ISP domain include the adopted RADIUS server group state and maximum number of supplicants Where z The adopted RADIUS server group is the one used by all the users in the ISP domain The RADIUS server group can be used for RADIUS authentication or accounting By default the default RADIUS server group is used The command shall be used together with the commands of setting RADIUS ...

Page 20: ...is chapter the state of domain is active there is no limit to the amount of supplicants and disable the idle cut configure 2 2 3 Create a Local User A local user is a group of users set on NAS The username is the unique identifier of a user A supplicant requesting network service may use local authentication only if its corresponding local user has been added onto NAS Perform the following configu...

Page 21: ...Set the state of the specified user state active block Set a service type for the specified user For S3026 service type telnet level level ftp ftp directory directory lan access Cancel the service type of the specified user For S3026 undo service type telnet level ftp ftp directory lan access Set a service type for the specified user Except S3026 service type ftp ftp directory directory lan access...

Page 22: ... parameters using for information interaction between NAS and RADIUS Server To make these parameters effective it is necessary to configure in the view an ISP domain to use the RADIUS server group and specify it to use RADIUS AAA schemes For more about the configuration commands refer to the AAA Configuration section above RADIUS protocol configuration includes z Create Delete a RADIUS server grou...

Page 23: ...alues will be introduced in the following text 2 3 2 Set IP Address and Port Number of RADIUS Server After creating a RADIUS server group you are supposed to set IP addresses and UDP port numbers for the RADIUS servers including primary second authentication authorization servers and accounting servers So you can configure up to 4 groups of IP addresses and UDP port numbers However at least you ha...

Page 24: ...imary and second AAA server To guarantee the normal interaction between NAS and RADIUS server you are supposed to guarantee the normal routes between RADIUS server and NAS before setting IP address and UDP port of the RADIUS server In addition because RADIUS protocol uses different UDP ports to receive transmit authentication authorization and accounting packets you shall set two different ports a...

Page 25: ...n authorization or accounting request packet has been transmitted for a period of time if NAS has not received the response from RADIUS server it has to retransmit the request to guarantee RADIUS service for the user You can use the following command to set response timeout timer of RADIUS server Perform the following configurations in RADIUS server group view Table 2 10 Set response timeout timer...

Page 26: ...n of online users to the RADIUS server regularly You can use the following command to set a real time accounting interval Perform the following configurations in RADIUS server group view Table 2 12 Set a real time accounting interval Operation Command Set a real time accounting interval timer realtime accounting minute Restore the default value of the interval undo timer realtime accounting minute...

Page 27: ...imes You can use the following command to set the maximum times of real time accounting request failing to be responded Perform the following configurations in RADIUS server group view Table 2 14 Set maximum times of real time accounting request failing to be responded Operation Command Set maximum times of real time accounting request failing to be responded retry realtime accounting retry times ...

Page 28: ...t will be saved in the buffer 2 3 9 Set the Maximum Retransmitting Times of Stopping Accounting Request Because the stopping accounting request concerns account balance and will affect the amount of charge which is very important for both the subscribers and the ISP NAS shall make its best effort to send the message to RADIUS accounting server Accordingly if the message from Quidway Series Etherne...

Page 29: ...entication authorization server or accounting server if the primary is disconnected to NAS for some fault NAS will automatically turn to exchange packets with the second server However after the primary one recovers NAS will not resume the communication with it at once instead it continues communicating with the second one When the second one fails to communicate NAS will turn to the primary one a...

Page 30: ...user name format with domain without domain Note If a RADIUS server group is configured not to allow usernames including ISP domain names the RADIUS server group shall not be simultaneously used in more than one ISP domain Otherwise the RADIUS server will regard two users in different ISP domains as the same user by mistake if they have the same username excluding their respective domain names By ...

Page 31: ...used for authentication is 1645 and that for authorization is 1646 2 4 Display and Debug AAA and RADIUS Protocol After the above configuration execute display command in any view to display the running of the AAA and RADIUS configuration and to verify the effect of the configuration Execute reset command in user view to reset AAA and RADIUS configuration Execute debugging command in user view to d...

Page 32: ...ing of localRADIUS server group debugging local server all error event packet Disable debugging of localRADIUS server group undo debugging local server all error event packet 2 5 AAA and RADIUS Protocol Configuration Examples For the hybrid configuration example of AAA RADIUS protocol and 802 1x protocol refer to Configuration Example in 802 1x Configuration It will not be detailed here 2 5 1 Conf...

Page 33: ...I Configurtion Schedule Add a Telnet user Omitted Note For details about configuring FTP and Telnet users refer to User Interface Configuration in Getting Started Configure remote authentication mode for the Telnet user i e scheme mode Quidway ui vty0 4 authentication mode scheme Configure domain Quidway domain cams Quidway isp cams quit Configure RADIUS scheme Quidway radius scheme cams Quidway r...

Page 34: ...cation of Telnet FTP users refer to Configuring local RADIUS Server Group 2 6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting RADIUS protocol of TCP IP protocol suite is located on the application layer It mainly specifies how to exchange user information between NAS and RADIUS server of ISP So it is very likely to be invalid z Fault one User authentication authorization always fails T...

Page 35: ... well So please ensure the lines work well z The IP address of the corresponding RADIUS server may not have been set on NAS Please set a proper IP address for RADIUS server z UDP ports of authentication authorization and accounting services may not be set properly So make sure they are consistent with the ports provided by RADIUS server z Fault three After being authenticated and authorized the us...

Page 36: ...s is possible HABP includes HABP server and HABP client In general the server regularly sends HABP request packets to the client to collect the MAC addresses of the member switches while the client responds to the request packets and forwards them to the lower level switches HABP server is often enabled at the management switch while HABP client is at the member switches HABP attribute had better ...

Page 37: ... the default HABP mode is client you only need to enable HABP attribute at a switch Please perform the following operations in system view Table 3 2 Configuring HABP client Operation Command Enable HABP attribute habp enable Restore HABP to the default value undo habp enable By default HABP attribute is disabled at a switch 3 3 Displaying and Debugging HABP Attribute After the above configurations...

Reviews:

No comments

Related manuals for S3000 Series

AAVARA PB5000 User Manual preview
PB5000
Brand: AAVARA Pages: 23
Eaton COOPER POWER SERIES Service Instructions Manual preview
COOPER POWER SERIES
Brand: Eaton Pages: 24
Eaton COOPER POWER SERIES Installation And Adjustment Instructions preview
COOPER POWER SERIES
Brand: Eaton Pages: 16
Eaton Crouse-hinds series Manual preview
Crouse-hinds series
Brand: Eaton Pages: 16
Eaton Cutler-Hammer AMPGARD Instructions preview
Cutler-Hammer AMPGARD
Brand: Eaton Pages: 4
JDS Uniphase SCG Series User Manual preview
SCG Series
Brand: JDS Uniphase Pages: 37
D-Link DXS-5000-54S Quick Installation Manual preview
DXS-5000-54S
Brand: D-Link Pages: 17
Qlogic SilverStorm 9000 Hardware Installation Manual preview
SilverStorm 9000
Brand: Qlogic Pages: 50
Cable Electronics Celabs Distribution Hub and Receiver Installation & Operation Instructions preview
Celabs Distribution Hub and Receiver
Brand: Cable Electronics Pages: 2
Enterasys Matrix DFE-Gold 4G4202-60 Hardware Installation Manual preview
Matrix DFE-Gold 4G4202-60
Brand: Enterasys Pages: 78
ZENEC 2E-AVS Instruction Manual preview
2E-AVS
Brand: ZENEC Pages: 16
Niles VSA-5 Owner'S Manual preview
VSA-5
Brand: Niles Pages: 7
S&T kontron KSwitch D4 MF User Manual preview
kontron KSwitch D4 MF
Brand: S&T Pages: 100
Manhattan 177290 User Manual preview
177290
Brand: Manhattan Pages: 4
Gira 2324 Series Operating Instructions preview
2324 Series
Brand: Gira Pages: 2
N-Tron 708TX User Manual & Installation Manual preview
708TX
Brand: N-Tron Pages: 157
ALFAtron ALF-MUH88E User Manual preview
ALF-MUH88E
Brand: ALFAtron Pages: 44
Black Box LGB2118A-R2 Startup Manual preview
LGB2118A-R2
Brand: Black Box Pages: 20

Brands by name

Popular brands

Load more brands