
Internal

AAA & RADIUS Configuration

ISSUE 1.0
www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD. All rights reserved


Objectives

Upon completion of this course, you will be able to:

- Understand the AAA services
- Master the basic principles of RADIUS



Course Contents

AAA & RADIUS Configuration (VRP 1.74)

AAA & RADIUS Configuration (VRP 3.40)



AAA Basic Configuration (VRP 1.74)

- Related commands:
  aaa-enable
  aaa accounting-scheme optional
  aaa authentication-scheme login { default | methods-list } { method1 [ method2 ... ] }
  aaa authentication-scheme ppp { default | methods-list } { method1 } [ method2 ... ]

- Method table: five effective combinations: radius, local, none, radius local, radius none



Local User Database (VRP 1.74)

[Figure: the local user database stores, per user name, the password and the user information: services, calling number, callback number, FTP directory.]

- Related commands:
  local-user
  display aaa user



AAA Configuration Commands (VRP 1.74)

- Start the AAA service:
  [Quidway] aaa-enable
- Configure the default authentication method table for PPP users:
  [Quidway] aaa authentication-scheme login default local
- Keep user access available when accounting is unavailable (no accounting is performed):
  [Quidway] aaa accounting-scheme optional
- Apply the default method table to the PPP-encapsulated interface:
  [Quidway-Serial0] ppp authentication-mode pap scheme default



Debugging Information (VRP 1.74)

- Display active users:
  display aaa user
- Primitive debugging information:
  debugging radius primitive
- Event debugging information:
  debugging radius event



RADIUS Basic Configuration (VRP 1.74)

- Configure the RADIUS server:
  radius server { hostname | ip-address } [ authentication-port port-number ] [ accounting-port port-number ]
  radius shared-key string
- Configure the retransmission parameters:
  radius-server retransmit
  radius-server timeout
- Configure the real-time accounting function:
  radius-server realtime-acct-timeout



RADIUS Configuration Commands (VRP 1.74) - I

- Start AAA:
  [Quidway] aaa-enable
- Configure the PPP user default authentication method table:
  [Quidway] aaa authentication-scheme login default radius local
- Configure the RADIUS server IP addresses and ports, using the default port numbers:
  [Quidway] radius server 129.7.66.68
  [Quidway] radius server 129.7.66.66 accounting-port 0
  [Quidway] radius server 129.7.66.67 authentication-port 0



RADIUS Configuration Commands (VRP 1.74) - Cont.

- Configure the RADIUS server key, the number of retransmissions and the duration of the timeout timer:
  [Quidway] radius shared-key this-is-my-secret
  [Quidway] radius retry 2
  [Quidway] radius timer response-timeout 5
- Apply the default method table to the PPP-encapsulated interface:
  [Quidway-Serial0] ppp authentication-mode pap scheme default



RADIUS Packet Debugging Command (VRP 1.74)

- Packet debugging information switch:
  debugging radius packet
- Used to help diagnose RADIUS faults
- Shows the sending and receiving of packets and the contents of each RADIUS packet



Course Contents

AAA & RADIUS Configuration (VRP 1.74)

AAA & RADIUS Configuration (VRP 3.40)



Configure AAA (VRP 3.40) - I

- Create/delete an ISP domain (users are named userid@isp-name):
  domain [ isp-name | default { disable | enable isp-name } ]
- One access device may serve users of different ISPs
- Each ISP domain can be configured with its own domain attributes
- A default domain can be enabled or disabled



Configure AAA (VRP 3.40) - II

- Configure the relevant attributes of an ISP domain
- The RADIUS server group adopted by the domain:
  radius-scheme radius-scheme-name
- Every ISP domain has an active/block state:
  state { active | block }
- Maximum number of supplicants:
  access-limit { disable | enable max-user-number }
- The idle-cut function:
  idle-cut { disable | enable minutes flow }



Configure AAA (VRP 3.40) - III

- Add a local user:
  [undo] local-user user-name
  password { simple | cipher } password
  service-type { telnet [ level level ] | ftp [ ftp-directory directory ] | lan-access }
  attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlanid | location [ nas-ip ip-address ] port portnum }
  state { active | block }
- Disconnect a user by force:
  cut connection { all | access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }



Configure RADIUS Protocol (VRP 3.40) - I

- Attributes of every RADIUS server group:
  IP addresses of the primary and secondary servers
  shared key
  RADIUS server type
- Create a RADIUS server group:
  radius scheme radius-server-name
- Set the IP address and port number of a RADIUS server:
  primary { authentication | accounting } ip-address [ port-number ]
  secondary { authentication | accounting } ip-address [ port-number ]



Configure RADIUS Protocol (VRP 3.40) - II

- Configure the shared key of the RADIUS server group:
  local-server nas-ip ip-address key password
- Set the supported type of RADIUS server:
  server-type { huawei | iphotel | portal | standard }
- Set the RADIUS server state:
  state primary { accounting | authentication } { block | active }
  state secondary { accounting | authentication } { block | active }
- Set the user name format transmitted to the RADIUS server:
  user-name-format { with-domain | without-domain }
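The shared key configured in both parts of the course (radius shared-key in VRP 1.74, the key of a RADIUS server group in VRP 3.40) is used by both ends of every RADIUS exchange. The following added example is not part of the Huawei course material; it is a pure-Python sketch of RFC 2865 with a constructed user localuser/localpass, showing what that key protects: the NAS hides User-Password with it, the server can only recover the password with the same key, and the NAS only accepts a reply whose Response Authenticator was computed with its key. A key mismatch therefore shows up as an Access-Reject plus an unverifiable reply, not as a silent success.

```python
import hashlib, hmac, os, struct  # added example (not Huawei code): pure-Python RFC 2865 sketch
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes

def _password_xor(data, secret, authenticator, hide):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + xored, (xored if hide else block)  # chain on ciphertext both ways
    return out

def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16 bytes
    return _password_xor(padded, secret, authenticator, hide=True)

def unhide_password(hidden, secret, authenticator):
    return _password_xor(hidden, secret, authenticator, hide=False).rstrip(b"\x00")

def build_access_request(ident, username, password, secret):
    auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    hidden = hide_password(password, secret, auth)
    attrs = bytes([1, 2 + len(username)]) + username  # User-Name (type 1)
    attrs += bytes([2, 2 + len(hidden)]) + hidden  # User-Password (type 2)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def server_respond(request, secret, expected_password):
    # Server side: unhide User-Password with its own copy of the key, then answer
    ident, auth, attrs, fields = request[1], request[4:20], request[20:], {}
    while attrs:  # walk the type/length/value attribute list
        fields[attrs[0]] = attrs[2:attrs[1]]
        attrs = attrs[attrs[1]:]
    code = ACCESS_ACCEPT if unhide_password(fields[2], secret, auth) == expected_password else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", auth, secret)

def nas_verify(response, request, secret):
    # NAS side: accept only replies whose authenticator was computed with our key
    expected = response_authenticator(response[0], response[1], response[20:], request[4:20], secret)
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)

def exchange(client_secret, server_secret, password=b"localpass"):
    # One Access-Request round trip; returns (response code, authenticator verified by NAS)
    req = build_access_request(7, b"localuser", password, client_secret)
    resp = server_respond(req, server_secret, b"localpass")
    return resp[0], nas_verify(resp, req, client_secret)
```

Run exchange(b"name", b"name") for a matching key and exchange(b"name", b"money") for a mismatched one to see the two failure signatures side by side.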



Display and Debugging (VRP 3.40) - I

- Display the information of the ISP domains:
  display domain [ isp-name ]
- Display information about users' connections:
  display connection [ access-type { dot1x | gcm } | domain domain-name | interface portnum | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name ]
- Display the information of the RADIUS server groups:
  display radius [ radius-server-name ]



Display and Debugging (VRP 3.40) - II

- Enable RADIUS packet debugging:
  debugging radius packet
- Enable debugging of the local RADIUS server group:
  debugging local-server { all | error | event | packet }



AAA/RADIUS Configuration Example (VRP 3.40) - I

- To access the VRP CLI, router RTA is configured with RADIUS
- All the supplicants belong to the default domain huawei.com

[Figure: Supplicant - RTA (authenticator) - Internet - authentication servers (RADIUS server cluster, IP addresses 10.11.1.1 and 10.11.1.2)]



AAA/RADIUS Configuration Example (VRP 3.40) - II

- RADIUS authentication is performed first, then, in case of RADIUS server failure, local authentication
- RADIUS parameters:
  Encryption key for authentication: "name"
  Encryption key for accounting: "money"
  Retransmit packets (5 seconds/time; no more than 5 times)
  Real-time accounting: every 15 minutes
  Domain: huawei
- Local authentication:
  User: "localuser"
  Password: localpass
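The VRP 1.74 method table (radius, local, none, radius local, radius none) and this example's "RADIUS first, local on server failure" rely on the same rule: a RADIUS Accept or Reject is final, and the next method is consulted only when no server answers. The added example below is not from the Huawei course; it simulates that rule with constructed outcomes, estimates the wait before fallback from the retransmit parameters (under a stated assumption about how retries are counted), and flags the method lists a reviewer would question.

```python
# Added example (not from the Huawei course): simulates the VRP method lists
ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"  # constructed outcomes

def evaluate_method_list(methods, radius_result, local_ok):
    """Walk the list in order; return (access granted, method that decided).

    A RADIUS Accept or Reject is final. Only when the server never answers does
    control pass to the next method: 'local' consults the local user database,
    'none' grants access without any authentication.
    """
    for method in methods:
        if method == "radius":
            if radius_result == ACCEPT:
                return True, "radius"
            if radius_result == REJECT:
                return False, "radius"
            continue  # no response after all retransmissions: try the next method
        if method == "local":
            return local_ok, "local"
        if method == "none":
            return True, "none"
    return False, "exhausted"  # no method could decide: deny

def worst_case_fallback_seconds(response_timeout, retries):
    """Seconds a login waits before RADIUS is declared unreachable and the next
    method runs. Assumption (the page does not say): 'retries' counts
    retransmissions after the first packet, each waiting one full timeout."""
    return response_timeout * (retries + 1)

def audit_method_list(methods):
    """Reviewer's checklist for a method list; returns the findings as strings."""
    findings = []
    if "none" in methods:
        findings.append("'none' grants access without authentication once it is reached")
    if methods == ["radius"]:
        findings.append("no fallback: every login fails while RADIUS is unreachable")
    if "local" in methods:
        findings.append("local accounts are the fallback: keep their passwords current")
    return findings

def outage_table(local_ok=True):
    """Decision of each of the page's five combinations during a RADIUS outage."""
    combos = [["radius"], ["local"], ["none"], ["radius", "local"], ["radius", "none"]]
    return {" ".join(c): evaluate_method_list(c, NO_RESPONSE, local_ok) for c in combos}
```

With the example's parameters (timer 5, retry 5), worst_case_fallback_seconds(5, 5) gives the time a Telnet login spends waiting before the local user database is tried.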



AAA/RADIUS Configuration Example (VRP 3.40) - III

- Create the RADIUS group radius1 and enter its configuration mode:
  [Quidway] radius scheme radius1
- Set the IP addresses of the primary RADIUS servers:
  [Quidway-radius-radius1] primary authentication 10.11.1.1
  [Quidway-radius-radius1] primary accounting 10.11.1.2
- Set the IP addresses of the secondary RADIUS servers:
  [Quidway-radius-radius1] secondary authentication 10.11.1.2
  [Quidway-radius-radius1] secondary accounting 10.11.1.1



AAA/RADIUS Configuration Example (VRP 3.40) - IV

- Set the encryption key shared with the authentication RADIUS server:
  [Quidway-radius-radius1] key authentication name
- Set the encryption key shared with the accounting RADIUS server:
  [Quidway-radius-radius1] key accounting money
- Set the response timeout and the number of retransmissions to the RADIUS server:
  [Quidway-radius-radius1] timer 5
  [Quidway-radius-radius1] retry 5
- Set the interval for transmitting real-time accounting packets to the RADIUS server:
  [Quidway-radius-radius1] timer realtime-accounting 15
- Send the user name to the RADIUS server with the domain name removed:
  [Quidway-radius-radius1] user-name-format without-domain
  [Quidway-radius-radius1] quit



AAA/RADIUS Configuration Example (VRP 3.40) - V

- Create the user domain huawei.com:
  [Quidway] domain huawei.com
- Specify radius1 as the RADIUS server group for the users:
  [Quidway-isp-huawei.com] radius-scheme radius1
- Specify the authentication modes for this domain (RADIUS, then local):
  [Quidway-isp-huawei.com] scheme radius-scheme radius1 local
- Add a local supplicant and set its parameters:
  [Quidway] local-user localuser@huawei.com
  [Quidway-user-localuser@huawei.com] password simple localpass
  [Quidway-user-localuser@huawei.com] service-type telnet terminal
- Then set huawei.com as the default domain to use for authentication:
  [Quidway] domain default enable huawei.com



AAA/RADIUS Configuration Example (VRP 3.40) - VI

- Finally, set the authentication mode for the Telnet lines:
  [Quidway] user-interface vty 0 4
  [Quidway-ui-vty0-4] authentication-mode scheme



Thank You
www.huawei.com
