Setting RADIUS Packet Encryption Key - Huawei Quidway S3500 Series Operation Manual

Operation Manual - Security
Quidway S3500 Series Ethernet Switches
Chapter 3 AAA and RADIUS Protocol Configuration
Huawei Technologies Proprietary

Operation | Command
Set IP address and port number of secondary RADIUS accounting server. | secondary accounting ip-address [ port-number ]
Restore IP address and port number of secondary RADIUS accounting server or server to the default values. | undo secondary accounting

In real networking environments, set the above parameters according to the specific requirements. For example, you may specify 4 groups of different data to map 4 RADIUS servers; or specify one of the two servers as primary authentication/authorization server and secondary accounting server, and the other one as secondary authentication/authorization server and primary accounting server; or set 4 groups of exactly the same data so that every server serves as a primary and secondary AAA server.

To guarantee normal interaction between the NAS and the RADIUS server, make sure the routes between the RADIUS server and the NAS work before setting the IP address and UDP port of the RADIUS server. In addition, because the RADIUS protocol uses different UDP ports to receive/transmit authentication/authorization packets and accounting packets, you shall set two different ports accordingly. As suggested by RFC 2138/2139, the authentication/authorization port number is 1812 and the accounting port number is 1813. However, you may use values other than the suggested ones. (Especially for some earlier RADIUS servers, the authentication/authorization port number is often set to 1645 and the accounting port number to 1646.)

The RADIUS service port settings on Quidway Series Switches must be consistent with the port settings on the RADIUS server. Normally, the RADIUS accounting service port is 1813 and the authentication/authorization service port is 1812.

By default, the IP addresses of the primary/secondary authentication/authorization and accounting servers are all 0.0.0.0, the authentication/authorization service port is 1812 and the accounting service UDP port is 1813.

3.3.3 Setting RADIUS Packet Encryption Key

The RADIUS client (the switch system) and the RADIUS server use the MD5 algorithm to encrypt the exchanged packets. The two ends verify each packet by means of the configured encryption key. Only when the keys are identical do both ends accept packets from each other and respond.

You can use the following commands to set the encryption key for RADIUS packets.

Perform the following configurations in RADIUS scheme view.
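The following Python sketch is an added example, not code from the manual or from Huawei. It shows why both ends need the same key: following the RFC 2138 packet format the manual cites, the key (the RFC's "shared secret") is mixed into an MD5 digest that authenticates each response and into the MD5 keystream that hides the User-Password attribute. The key values, password and Request Authenticator below are constructed samples.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from the manual.
KEY = b"constructed-shared-key"
WRONG_KEY = b"mistyped-shared-key"
REQUEST_AUTH = bytes(range(16))  # 16-byte Request Authenticator (random in practice)

def hide_password(password, secret, request_auth):
    """User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the server runs it with its own copy of the key."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def build_response(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, request_auth, secret):
    """Client (NAS) side: recompute the authenticator; a key mismatch means discard."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)

if __name__ == "__main__":
    accept = build_response(2, 1, b"", REQUEST_AUTH, KEY)  # code 2 = Access-Accept
    print("same key:", verify_response(accept, REQUEST_AUTH, KEY))
    print("different key:", verify_response(accept, REQUEST_AUTH, WRONG_KEY))
    hidden = hide_password(b"constructed-pass", KEY, REQUEST_AUTH)
    print("server with wrong key decodes:", reveal_password(hidden, WRONG_KEY, REQUEST_AUTH))
```

With mismatched keys the switch discards the server's reply and the server recovers a garbage password, so a key typo shows up as authentication timeouts or rejects rather than as an explicit key error.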
