H3C S9500 Series Operation Manual
Table of Contents
Operation Manual - AAA RADIUS HWTACACS
H3C S9500 Series Routing Switches
Chapter 1 AAA/RADIUS/HWTACACS Configuration ........................................ 1-1
  1.1 AAA/RADIUS/HWTACACS Overview .................................................. 1-1
    1.1.1 Introduction to AAA ....................................................... 1-1
    1.1.2 Introduction to RADIUS .................................................... 1-2
    1.1.3 Introduction to HWTACACS .................................................. 1-9
    1.1.4 Protocols and Standards ................................................... 1-11
  1.2 Configuration Task List ....................................................... 1-11
    1.2.1 RADIUS Configuration Task List ............................................ 1-12
    1.2.2 HWTACACS Configuration Task List .......................................... 1-13
  1.3 Configuring AAA ............................................................... 1-13
    1.3.1 Configuration Prerequisites ............................................... 1-14
    1.3.2 Creating an ISP Domain .................................................... 1-14
    1.3.3 Configuring ISP Domain Attributes ......................................... 1-15
    1.3.4 Configuring Authentication Methods for an ISP Domain ...................... 1-15
    1.3.6 Configuring AAA Accounting Methods for an ISP Domain ...................... 1-20
    1.3.7 Configuring Local User Attributes ......................................... 1-22
    1.3.8 Tearing down User Connections Forcibly .................................... 1-25
  1.4 Configuring RADIUS ............................................................ 1-26
    1.4.1 Creating a RADIUS Scheme .................................................. 1-26
    1.4.4 Setting the Shared Key for RADIUS Packets ................................. 1-29
    1.4.6 Setting the Supported RADIUS Server Type .................................. 1-31
    1.4.7 Setting the Status of RADIUS Servers ...................................... 1-31
    1.4.9 Configuring Local RADIUS Server ........................................... 1-33
    1.4.10 Setting Timers Regarding RADIUS Servers .................................. 1-34
  1.5 Configuring HWTACACS .......................................................... 1-35
    1.5.1 Creating a HWTACACS Scheme ................................................ 1-35
    1.5.2 Specifying the HWTACACS Authentication Servers ............................ 1-36
    1.5.3 Specifying the HWTACACS Authorization Servers ............................. 1-36
    1.5.4 Specifying the HWTACACS Accounting Servers ................................ 1-37
    1.5.5 Setting the Shared Key for HWTACACS Packets ............................... 1-38
    1.5.7 Setting Timers Regarding HWTACACS Servers ................................. 1-40
  1.6 Displaying and Maintaining AAA/RADIUS/HWTACACS ................................ 1-41
Summary of Contents for H3C S9500 Series

  • Pages 1 and 2: Table of Contents (continued)

    1.6.1 Displaying and Maintaining AAA ............................................ 1-41
    1.6.2 Displaying and Maintaining RADIUS ......................................... 1-41
    1.6.3 Displaying and Maintaining HWTACACS ....................................... 1-42
  1.7 AAA/RADIUS/HWTACACS Configuration Examples .................................... 1-43
    1.7.1 AAA for Telnet/SSH Users by a RADIUS Server ...
  • Page 3: Chapter 1 AAA/RADIUS/HWTACACS Configuration

    When configuring AAA/RADIUS/HWTACACS, go to these sections for the information you are interested in: AAA/RADIUS/HWTACACS Overview, Configuration Task List, Configuring AAA, Configuring RADIUS...
  • Page 4: Introduction to RADIUS

    When a user tries to establish a connection to the NAS in order to obtain the right to access other networks or certain network resources, the NAS authenticates the user or the corresponding connection.
  • Page 5

    ...in providing access services, and uses accounting to collect and record usage information of network resources.

    I. Client/server model

    Client: The RADIUS client runs on the NASs located throughout the network. It passes user information to designated RADIUS servers and acts on the responses (for example, rejects or accepts user access requests).
  • Page 6

    III. Basic message exchange process of RADIUS

    Figure 1-3 depicts the basic message exchange process of RADIUS between the host, the RADIUS client and the RADIUS server. 1) Username and password...
  • Page 7

    The host requests the RADIUS client to tear down the connection, and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops accounting.
  • Page 8

    Table of RADIUS packet types (columns: Code, Packet type, Description); the row for the Accounting-Request packet reads: From the client to the server. A packet of this type carries user information for the server to start or stop accounting on the user. It contains...
  • Page 9

    Table 1-2 RADIUS attributes (continued). Attribute names in this part of the table: Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-ID, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port; Acct-Multi-Session-Id, Acct-Link-Count, Acct-Input-Gigawords, Acct-Output-Gigawords, (unassigned), Event-Timestamp, 56-59 (unassigned), CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port...

  • Page 10

    Table 1-2 RADIUS attributes (continued): Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id; Acct-Interim-Interval, Acct-Tunnel-Packets-Lost, NAS-Port-Id, Framed-Pool, (unassigned), Tunnel-Client-Auth-id, Tunnel-Server-Auth-id.

    Note: The attribute types listed in Table 1-2 are defined by RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
  • Page 11: Introduction to HWTACACS

    1.1.3 Introduction to HWTACACS

    Huawei Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
  • Page 12

    Figure 1-6 Basic message exchange process of HWTACACS for a Telnet user

    A Telnet user sends an access request to the NAS. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
  • Page 13: Protocols and Standards

    The HWTACACS server sends back an authentication response requesting the login password. Upon receipt of the response, the HWTACACS client asks the user for the login password.
  • Page 14: RADIUS Configuration Task List

    For local authentication, configure local user attributes and add local users; for RADIUS/HWTACACS authentication, configure the user attributes on the remote RADIUS/HWTACACS server.

    Note: To serve login users, set the authentication mode of the user interface they log in through to scheme; otherwise the AAA methods configured for the ISP domain are not consulted for those logins.
  • Page 15: HWTACACS Configuration Task List

    Task (RADIUS configuration task list, continued) / Remarks:
      Setting Maximum Number of RADIUS Request Retransmission Attempts: Optional
      Setting the Supported RADIUS Server Type: Optional
      Setting the Status of RADIUS Servers: Optional
      ...
  • Page 16: Configuration Prerequisites

    1.3.1 Configuration Prerequisites

    For remote authentication, authorization, or accounting, you must create the RADIUS or HWTACACS scheme first. RADIUS scheme: reference a configured RADIUS scheme to implement authentication/authorization and accounting.
  • Page 17: Configuring ISP Domain Attributes

    1.3.3 Configuring ISP Domain Attributes

    Follow these steps to configure ISP domain attributes (To do… / Use the command… / Remarks):
      Enter system view
        Command: system-view
        Remarks: none
      Create an ISP domain or...
  • Page 18

    AAA supports the following authentication modes:
      No authentication: All users are trusted and no authentication is performed. This mode is generally not recommended.
      Local authentication: Authentication is performed by the NAS. User information (including username, password, and attributes) is configured on the access device.
  • Page 19: Configuring AAA Authorization Methods for an ISP Domain

    (To do… / Use the command… / Remarks)
      Specify the authentication method for login users
        Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme ...
        Remarks: Optional
  • Page 20

    Local authorization: Users are authorized by the access device according to the attributes configured for them.
    Remote authorization: The access device cooperates with a RADIUS or HWTACACS server to authorize users.
  • Page 21

    (To do… / Use the command… / Remarks)
      Specify the authorization method for LAN users
        Command: authorization lan-access { local | none | radius-scheme radius-scheme-name [ local ] }
        Remarks: Optional
      ...
  • Page 22: Configuring AAA Accounting Methods for an ISP Domain

    1.3.6 Configuring AAA Accounting Methods for an ISP Domain

    In AAA, accounting is a separate process at the same level as authentication and authorization. Its responsibility is to send accounting start/update/end requests to the specified accounting server.
  • Page 23

    (To do… / Use the command… / Remarks)
      Specify the accounting method for LAN users
        Command: accounting lan-access { local | none | radius-scheme radius-scheme-name [ local ] }
        Remarks: Optional
      ...
  • Page 24: Configuring Local User Attributes

    1.3.7 Configuring Local User Attributes

    For local authentication, you must create a local user and configure its attributes. The local users are the set of users configured on the device itself; each is uniquely identified by its username.
  • Page 25

    (To do… / Use the command… / Remarks)
      Specify the service
        Command: service-type { lan-access | { ssh | telnet | terminal }* ...
        Remarks: Required. No service is authorized to...
  • Page 26

    (To do… / Use the command… / Remarks)
        Command: attribute { access-limit max-user-number | idle-cut minute | ip ip-address | ...
        Remarks: Optional. If the specified user is bound to a remote port, ...
  • Page 27: Tearing Down User Connections Forcibly

    Note: An S9500 series switch does not display local users' passwords, and the local-user password-display-mode command does not take effect on it. With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless of the configuration of the password command.
  • Page 28: Configuring RADIUS

    (To do… / Use the command… / Remarks)
        Command: cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface ...
        Remarks: Required
  • Page 29: Specifying the RADIUS Authentication/Authorization Servers

    Note: A RADIUS scheme can be referenced by more than one ISP domain at the same time.

    1.4.2 Specifying the RADIUS Authentication/Authorization Servers

    Follow these steps to specify the RADIUS authentication/authorization servers: ...
  • Page 30: Configuring the RADIUS Accounting Servers and Relevant Parameters

    1.4.3 Configuring the RADIUS Accounting Servers and Relevant Parameters

    Follow these steps to specify the RADIUS accounting servers and perform the related configuration: ...
  • Page 31: Setting the Shared Key for RADIUS Packets

    Note: It is recommended to specify only the primary RADIUS accounting server if backup is not required. If both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable.
  • Page 32: Setting Maximum Number of RADIUS Request Retransmission Attempts

    (To do… / Use the command… / Remarks)
      Set the shared key for RADIUS authentication/authorization or accounting packets
        Command: key { accounting | authentication } string
        Remarks: Required. No shared key by default.
  • Page 33: Setting the Supported RADIUS Server Type

    1.4.6 Setting the Supported RADIUS Server Type

    Follow these steps to set the supported RADIUS server type (To do… / Use the command… / Remarks):
      Enter system view
        Command: system-view
        Remarks: none
      ...
  • Page 34: Configuring Attributes Related to Data to Be Sent to the RADIUS Server

    Follow these steps to set the status of RADIUS servers (To do… / Use the command… / Remarks):
      Enter system view
        Command: system-view
        Remarks: none
      Create a RADIUS scheme ...
        Remarks: Required
  • Page 35: Configuring Local RADIUS Server

    (To do… / Use the command… / Remarks)
      Specify the unit for data ...
        Command: data-flow-format data { { byte | giga-byte | kilo-byte | mega-byte } | ...
        Remarks: Optional. The defaults are as ...
  • Page 36: Setting Timers Regarding RADIUS Servers

    Follow the steps below to configure the local RADIUS server (To do… / Use the command… / Remarks):
      Enter system view
        Command: system-view
        Remarks: none
      Configure local RADIUS ...
        Remarks: Required
  • Page 37: Configuring HWTACACS

    (To do… / Use the command… / Remarks)
      Set the real-time accounting interval
        Command: timer realtime-accounting minutes
        Remarks: Optional. 12 minutes by default.

    Note: The product of the maximum number of RADIUS packet retransmission attempts and the RADIUS server response timeout period cannot be greater than 75.
  • Page 38: Specifying the HWTACACS Authentication Servers

    1.5.2 Specifying the HWTACACS Authentication Servers

    Follow these steps to specify the HWTACACS authentication servers (To do… / Use the command… / Remarks):
      Enter system view
        Command: system-view
        Remarks: none
      ...
  • Page 39: Specifying the HWTACACS Accounting Servers

    (To do… / Use the command… / Remarks)
      Specify the primary HWTACACS authorization server
        Command: primary authorization ip-address [ port-number ]
        Remarks: Required. Configure at least one of the commands ...
  • Page 40: Setting the Shared Key for HWTACACS Packets

    (To do… / Use the command… / Remarks)
      Enable the device to buffer stop-accounting requests that get no response
        Command: stop-accounting-buffer enable
        Remarks: Optional. Enabled by default.
      Set the maximum number ...
  • Page 41: Configuring Attributes Related to the Data Sent to the HWTACACS Server

    (To do… / Use the command… / Remarks)
      Set the shared keys for HWTACACS authentication, authorization, ...
        Command: key { accounting | authorization | ...
        Remarks: Required. No shared key exists by ...
  • Page 42: Setting Timers Regarding HWTACACS Servers

    Caution: If a HWTACACS server does not support usernames that carry a domain name, you can configure the device to remove the domain name before sending the username to the server.
  • Page 43: Displaying and Maintaining AAA/RADIUS/HWTACACS

    1.6 Displaying and Maintaining AAA/RADIUS/HWTACACS

    1.6.1 Displaying and Maintaining AAA

    (To do… / Use the command… / Remarks)
      Display the configuration information of a domain
        Command: display domain [ isp-name ]
        Remarks: Available in ...
  • Page 44: Displaying and Maintaining HWTACACS

    (To do… / Use the command… / Remarks)
      Clear the statistics of RADIUS
        Command: reset radius statistics [ slot slot-number ]
      Delete the buffered ...
        Command: reset stop-accounting-buffer { radius-scheme ...
  • Page 45: AAA/RADIUS/HWTACACS Configuration Examples

    1.7 AAA/RADIUS/HWTACACS Configuration Examples

    1.7.1 AAA for Telnet/SSH Users by a RADIUS Server

    Note: Configuration of RADIUS authentication, authorization, and accounting for SSH users is similar to that for Telnet users. The following takes Telnet users as an example.
  • Page 46

    III. Configuration procedure

    # Enable the Telnet server on the switch.
    <Sysname> system-view
    [Sysname] telnet server enable
    # Configure the switch to use AAA for authenticating Telnet users.
  • Page 47: AAA for FTP/Telnet Users by the Device Itself

    1.7.2 AAA for FTP/Telnet Users by the Device Itself

    Note: Configuration of local authentication and authorization for FTP users is similar to that for Telnet users. The following takes Telnet users as an example.
  • Page 48

    [Sysname-isp-system] authorization login local
    [Sysname-isp-system] accounting login local
    [Sysname-isp-system] quit
    # You can achieve the same purpose by setting the default AAA schemes for all types of users.
  • Page 49: AAA for Telnet Users by a HWTACACS Server

    [Sysname-radius-rad] server-type extended
    # Specify the AAA schemes for the domain.
    [Sysname] domain 1
    [Sysname-isp-1] authentication login radius-scheme rad
    [Sysname-isp-1] authorization login radius-scheme rad
    [Sysname-isp-1] accounting login radius-scheme rad
    [Sysname-isp-1] quit
    # Specify the local RADIUS server.
  • Page 50: AAA for Telnet Users by Separate Servers

    [Sysname] user-interface vty 0 4
    [Sysname-ui-vty0-4] authentication-mode scheme
    [Sysname-ui-vty0-4] quit
    # Configure the HWTACACS scheme.
    <Sysname> system-view
    [Sysname] hwtacacs scheme hwtac
    [Sysname-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    [Sysname-hwtacacs-hwtac] primary authorization 10.1.1.1 49
    ...
  • Page 51

    Note: Configuration of separate AAA for other types of users is similar to that given in this example; the only difference lies in the access type.
  • Page 52: Troubleshooting AAA/RADIUS/HWTACACS

    [Sysname-radius-rd] user-name-format without-domain
    [Sysname-radius-rd] quit
    # Create a local user named telnet.
    <Sysname> system-view
    [Sysname] local-user telnet
    [Sysname-luser-telnet] service-type telnet
    [Sysname-luser-telnet] password simple telnet123456
    # Configure the AAA schemes of the ISP domain.
  • Page 53: Troubleshooting HWTACACS

    ...The same shared key is configured on both the RADIUS server and the NAS.

    Symptom 2: RADIUS packets cannot reach the RADIUS server.

    Analysis: The device fails to communicate with the RADIUS server (at the physical or link layer).