Configuring the Remote AAA (RADIUS Protocol)-Part-1

This topic describes how to configure local AAA so that user authentication can be performed locally.

Procedure

Step 1 Configure the AAA authentication scheme.

  1. Run the aaa command to enter the AAA mode.
  2. Run the authentication-scheme command to add an authentication scheme.
  3. Run the authentication-mode local command to configure the authentication mode of the authentication scheme.
  4. Run the quit command to return to the AAA mode.

Step 2 Configure the accounting scheme.

  1. In the AAA mode, run the accounting-scheme command to add an AAA accounting scheme.
  2. Run the accounting-mode radius command to configure the accounting mode.
  3. Run the accounting interim interval command to set the interval of real-time accounting.

Note: By default, the interval is 0 minutes, that is, real-time accounting is not performed.

  4. Run the quit command to return to the AAA mode.

Step 3 Configure the RADIUS server template.

  1. Run the radius-server template command to create a RADIUS server template and enter the RADIUS server template mode.
  2. Run the radius-server authentication command to configure the IP address and the UDP port ID of the RADIUS server for authentication.

Note: To guarantee normal communication between the MA5600T/MA5603T/MA5608T and the RADIUS server, before configuring the IP address and UDP port of the RADIUS server, make sure that the route between the RADIUS server and the MA5600T/MA5603T/MA5608T is in the normal state.

Note: Make sure that the RADIUS service port configured on the MA5600T/MA5603T/MA5608T is consistent with the port configured on the RADIUS server.

  3. Run the radius-server accounting command to configure the IP address and the UDP port ID of the RADIUS server for accounting.
  4. Run the radius-server shared-key command to configure the shared key of the RADIUS server.

Note: The RADIUS client (MA5600T/MA5603T/MA5608T) and the RADIUS server use the MD5 algorithm together with the shared key to protect the RADIUS packets and check their validity. Each side accepts and responds to the other's packets only when their shared keys are the same.

Note: By default, the shared key of the RADIUS server is huawei.

  5. (Optional) Run the radius-server timeout command to set the response timeout of the RADIUS server. By default, the response timeout is 5s.

Note: The MA5600T/MA5603T/MA5608T sends request packets to the RADIUS server. If the RADIUS server does not respond within the response timeout, the MA5600T/MA5603T/MA5608T retransmits the request packets to the RADIUS server to ensure that users can get the corresponding services from it.

  6. (Optional) Run the radius-server retransmit command to set the maximum number of retransmissions of RADIUS request packets. By default, the maximum is 3.

Note: When the number of retransmissions of RADIUS request packets to a RADIUS server exceeds the maximum, the MA5600T/MA5603T/MA5608T considers its communication with that RADIUS server interrupted and therefore transmits the RADIUS request packets to another RADIUS server.

  7. Run the (undo) radius-server user-name domain-included command to configure whether the user name carries the domain name when it is transmitted to the RADIUS server. By default, the user name sent to the RADIUS server carries the domain name.

An access user is named in the format userid@domain-name, where the part after @ is the domain name. The MA5600T/MA5603T/MA5608T classifies a user into a domain according to the domain name.

Note: If a RADIUS server group rejects user names that carry the domain name, the RADIUS server group cannot be configured or used in two or more domains. Otherwise, when access users in different domains have the same user name, the RADIUS server treats them as the same user because the names transmitted to the server are identical.

  8. Run the quit command to return to the global config mode.
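The shared-key note above (client and server must hold the same key, default huawei) is what a RADIUS client checks on every reply. The following Python sketch is an added example, not code from this page or from Huawei's implementation: it builds an Access-Request with a userid@domain-name User-Name and the MD5-hidden User-Password, then verifies the Response Authenticator of an Access-Accept with the client's key, so a reply from a server still on the default key is rejected. The key values, user name and authenticator bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2         # RADIUS packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2    # attribute types used below

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide User-Password with the MD5(secret + authenticator) chain (RFC 2865 section 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def build_access_request(ident: int, user: str, password: str, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: Access-Request carrying User-Name (userid@domain-name) and the hidden password."""
    attrs = attr(ATTR_USER_NAME, user.encode()) + attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with the client's own key; drop on mismatch."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False  # truncated packet or inconsistent Length field
    expected = response_authenticator(response[0], response[1], response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])

def key_mismatch_demo() -> tuple:
    """Constructed exchange: the server is still on the default key, the client on its own key."""
    server_key, client_key = b"huawei", b"constructed-client-key"
    request_auth, ident = bytes(range(16)), 7   # constructed; a real client uses 16 random bytes
    build_access_request(ident, "user01@example.net", "pw", client_key, request_auth)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)  # Access-Accept with no attributes
    accept = header + response_authenticator(ACCESS_ACCEPT, ident, b"", request_auth, server_key)
    # Matching keys verify; the mismatched client key rejects the Access-Accept.
    return (verify_response(accept, request_auth, server_key),
            verify_response(accept, request_auth, client_key))
```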

Step 4 Create a domain.

A domain is a group of users of the same type.

In the user name format userid@domain-name (for example, huawei20041028@huawei.net), “userid” indicates the user name for authentication and “domain-name”, which follows “@”, indicates the domain name.

The domain name for user login cannot exceed 15 characters, and the other domain names cannot exceed 20 characters.

  1. Run the aaa command to enter the AAA mode.
  2. In the AAA mode, run the domain command to create a domain.

End of Part-1
