
Operation Manual - Security 
Quidway S3000 Series Ethernet Switches

 

Chapter 2  AAA and RADIUS Protocol Configuration

 


 

Operation / Command

Operation: Restore the IP address and port number of the primary RADIUS accounting server to the default values.
Command: undo primary accounting

Operation: Set the IP address and port number of the secondary RADIUS authentication/authorization server.
Command: secondary authentication ip-address [ port-number ]

Operation: Restore the IP address and port number of the secondary RADIUS authentication/authorization server to the default values.
Command: undo secondary authentication

Operation: Set the IP address and port number of the secondary RADIUS accounting server.
Command: secondary accounting ip-address [ port-number ]

Operation: Restore the IP address and port number of the secondary RADIUS accounting server to the default values.
Command: undo secondary accounting

 

In real networking environments, set the above parameters according to the specific requirements. For example, you may specify four groups of different data to map four RADIUS servers; or specify one of two servers as the primary authentication/authorization server and secondary accounting server and the other one as the secondary authentication/authorization server and primary accounting server; or you may set four groups of exactly the same data so that a single server serves as both the primary and secondary AAA server.

To guarantee normal interaction between the NAS and the RADIUS server, make sure that working routes exist between the RADIUS server and the NAS before setting the IP address and UDP port of the RADIUS server. In addition, because the RADIUS protocol uses different UDP ports to receive/transmit authentication/authorization packets and accounting packets, you must set two different ports accordingly. As suggested by RFC 2138/2139, the authentication/authorization port number is 1812 and the accounting port number is 1813. However, you may use values other than the suggested ones. (In particular, some earlier RADIUS servers often use port 1645 for authentication/authorization and port 1646 for accounting.)

The RADIUS service port settings on Quidway Series Ethernet Switches must be consistent with the port settings on the RADIUS server. Normally, the RADIUS accounting service port is 1813 and the authentication/authorization service port is 1812.

By default, the IP addresses of the primary/secondary authentication/authorization and accounting servers are all 0.0.0.0, the authentication/authorization service UDP port is 1812, and the accounting service UDP port is 1813.

2.3.3  Set RADIUS Packet Encryption Key 

The RADIUS client (the switch system) and the RADIUS server use the MD5 algorithm together with a shared key to protect the packets they exchange. The two ends verify each packet by means of this key, which is configured on both sides and never sent on the wire. Only when the keys at both ends are identical will each end accept the packets from the other.
