H3C S3100-52P Operation Manual
Operation Manual - AAA - RADIUS - HWTACACS
H3C S3100-52P Ethernet Switch

Table of Contents
Chapter 1 AAA & RADIUS & HWTACACS Configuration (1-1)
  1.1 Overview (1-1)
    1.1.1 Introduction to AAA (1-1)
    1.1.2 Introduction to ISP Domain (1-2)
    1.1.3 Introduction to RADIUS (1-2)
    1.1.4 Introduction to HWTACACS (1-7)
  1.2 Configuration Task (1-10)
  1.3 AAA Configuration (1-12)
    1.3.1 Configuration Prerequisites (1-13)
    1.3.2 Creating an ISP Domain (1-13)
    1.3.3 Configuring the Attributes of an ISP Domain (1-13)
    1.3.4 Configuring an AAA Scheme for an ISP Domain (1-15)
    1.3.5 Configuring Dynamic VLAN Assignment (1-17)
    1.3.6 Configuring the Attributes of a Local User (1-19)
    1.3.7 Cutting Down User Connections Forcibly (1-21)
  1.4 RADIUS Configuration (1-21)
    1.4.1 Creating a RADIUS Scheme (1-22)
    1.4.3 Configuring RADIUS Accounting Servers (1-24)
    1.4.4 Configuring Shared Keys for RADIUS Messages (1-25)
    1.4.6 Configuring to Support a Type of RADIUS Server (1-27)
    1.4.7 Configuring the Status of RADIUS Servers (1-27)
    1.4.9 Configuring Local RADIUS Authentication Server (1-29)
    1.4.10 Configuring the Timers of RADIUS Servers (1-30)
  1.5 HWTACACS Configuration (1-33)
    1.5.1 Creating a HWTACACS Scheme (1-33)
    1.5.2 Configuring HWTACACS Authentication Servers (1-34)
    1.5.3 Configuring HWTACACS Authorization Servers (1-35)
    1.5.4 Configuring HWTACACS Accounting Servers (1-36)
    1.5.5 Configuring Shared Keys for HWTACACS Messages (1-36)
    1.5.7 Configuring the Timers of TACACS Servers (1-38)
  1.7 AAA & RADIUS & HWTACACS Configuration Example (1-41)

Summary of Contents for H3C S3100-52P
  • Page 2: Table of Contents (continued)

    1.7.1 Remote RADIUS Authentication of Telnet/SSH Users (1-41)
    1.7.2 Local Authentication of FTP/Telnet Users (1-43)
    1.7.3 HWTACACS Authentication and Authorization of Telnet Users (1-44)
    1.8 Troubleshooting AAA & RADIUS & HWTACACS Configuration
  • Page 3: Chapter 1 AAA & RADIUS & HWTACACS Configuration

    Remote authentication: Users are authenticated remotely through the RADIUS or HWTACACS protocol. This device (for example, an H3C series switch) acts as the client that communicates with the RADIUS or TACACS server. For RADIUS, you can use the extended RADIUS protocol as well as the standard RADIUS protocol.
  • Page 4: Introduction to ISP Domain

    ... combined together, and authorization cannot be performed alone without authentication. HWTACACS authorization: Users are authorized by a TACACS server. III. Accounting. AAA supports the following accounting methods: None accounting: No accounting is performed for users.
  • Page 5

    Server: The RADIUS server runs on a computer or workstation at the network center. It stores and maintains user authentication information and network service access information.
  • Page 6

    (Figure: RADIUS client/server model. Only the "RADIUS Server" labels survived extraction.)
  • Page 7

    Figure 1-3 RADIUS message format (fields: Code, Identifier, Length, Authenticator, Attributes). The Code field (one byte) decides the type of RADIUS message, as shown in Table 1-1.
  • Page 8

    The Identifier field (one byte) is used to match requests and responses. It changes whenever the content of the Attributes field changes and whenever a valid response has been received for a previous request, but remains unchanged when the same message is retransmitted.
  • Page 9: Introduction to HWTACACS

    (Fragment of the RADIUS attribute type table, columns "Type field value" and "Attribute type"; the numeric values did not survive extraction.) Attribute types listed: Login-Service, Login-TCP-Port, (unassigned), Reply-Message, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, 40-59 (reserved for accounting).
  • Page 10

    Compared with RADIUS, HWTACACS provides more reliable transmission and encryption (it runs over TCP and encrypts the whole packet body, whereas RADIUS runs over UDP and hides only the password), and is therefore more suitable for security control. Table 1-3 lists the primary differences between HWTACACS and RADIUS.
  • Page 11

    (Figure: HWTACACS message exchange between the user, the HWTACACS client and the HWTACACS server. Only the labels survived extraction.)
  • Page 12: Configuration Task

    The TACACS server returns an authorization response indicating that the user has passed authorization. After receiving the response indicating authorization success, the TACACS client presents the configuration interface of the switch to the user.
  • Page 13

    Configuration task / Description / Related section:
    RADIUS configuration: Creating a RADIUS scheme / Required / Section 1.4.1 "Creating a RADIUS Scheme"
    Configuring RADIUS ... / ... / Section 1.4.2 "Configuring RADIUS ..."
  • Page 14: AAA Configuration

    Configuration task / Description / Related section:
    Enabling the sending of trap message when a RADIUS server is down / Optional / Section 1.4.11 "Enabling the Sending of Trap Message When a RADIUS Server Is Down"
  • Page 15: Configuration Prerequisites

    ... need to use ISP domains to implement AAA management of access users, you should first configure the ISP domains. 1.3.1 Configuration Prerequisites: If you want to adopt the remote AAA method, you must first create a RADIUS or HWTACACS scheme.
  • Page 16

    Caution: On an S3100-52P Ethernet Switch, each access user belongs to an ISP domain. You can configure up to 16 ISP domains on the switch. When a user logs in, if no ISP domain name is carried in the user name, the switch assumes that the user belongs to the default ISP domain.
  • Page 17: Configuring an AAA Scheme for an ISP Domain

    Note: H3C's CAMS server is a service management system used to manage networks, secure networks and user information. Cooperating with the other networking devices in a network (such as switches), a CAMS server can implement the AAA functions and rights management.
  • Page 18

    Caution: You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme for all three AAA functions.
  • Page 19: Configuring Dynamic VLAN Assignment

    Table 1-8 Configure separate AAA schemes (Operation / Command / Description):
    Enter system view / system-view / —
    Create an ISP domain and enter its view, or enter ... / ... / ...
  • Page 20

    Currently, the switch supports two types of assigned VLAN IDs: integer and string. Integer: If the RADIUS authentication server assigns integer-type VLAN IDs, set the VLAN assignment mode on the switch to integer (this is also the default mode).
  • Page 21: Configuring the Attributes of a Local User

    Caution: In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch first regards it as an integer VLAN ID: it converts the string to an integer and checks whether the value is in the valid VLAN ID range; ...
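    The integer and string assignment modes described on pages 20 and 21, as an added Python example that is not the switch's own code. The page is cut off where it says what the switch does when a digits-only string falls outside the valid VLAN ID range; the example assumes the value is then treated as a VLAN name, and assumes the 802.1Q range 1 to 4094. The vlan_names table and all sample values are constructed.

```python
"""Dynamic VLAN assignment: integer mode vs string mode.
Added example, not from the H3C manual; range and fallback behaviour
below are assumptions where the page is cut off."""

VLAN_MIN, VLAN_MAX = 1, 4094   # assumption: standard 802.1Q VLAN ID range


def resolve_assigned_vlan(value, mode="integer", vlan_names=None):
    """Decide what the VLAN value a RADIUS server assigned means on the switch.

    Returns ("id", n) for a VLAN ID or ("name", s) for a VLAN name, or
    raises ValueError when the value cannot be honoured.
    value: the assigned value (int, or str as carried in the RADIUS attribute).
    mode: "integer" (the default on the switch) or "string".
    vlan_names: optional {name: id} table of VLANs configured on the switch;
    when given, a name that is not in it is rejected (assumed behaviour).
    """
    if mode == "integer":
        if isinstance(value, str):
            if not value.isdigit():
                raise ValueError("integer mode but server sent %r" % value)
            value = int(value)
        if not VLAN_MIN <= value <= VLAN_MAX:
            raise ValueError("VLAN ID %d out of range" % value)
        return ("id", value)

    if mode == "string":
        s = str(value)
        if s.isdigit():
            # Digits-only string: the manual says it is first tried as an integer ID.
            n = int(s)
            if VLAN_MIN <= n <= VLAN_MAX:
                return ("id", n)
            # Assumption: an out-of-range number falls through and is used as a name.
        if vlan_names is not None and s not in vlan_names:
            raise ValueError("no VLAN named %r on the switch" % s)
        return ("name", s)

    raise ValueError("unknown VLAN assignment mode %r" % mode)
```

    The practical point of the digits-only rule is that a VLAN literally named "1024" can never be selected in string mode, because the switch will always pick VLAN ID 1024 first; name such VLANs with at least one non-digit character.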
  • Page 22

    Operation / Command / Description:
    Authorize the user to access specified type(s) of service / service-type { lan-access | { telnet | ... } ... } / Required. By default, the system ...
  • Page 23: Cutting Down User Connections Forcibly

    Caution: The following characters are not allowed in the user-name string: / : * ? < >. You cannot input more than one "@" in the string.
  • Page 24: Creating a RADIUS Scheme

    ... RADIUS servers (primary and secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme.
  • Page 25: Configuring RADIUS Authentication/Authorization Servers

    Caution: A RADIUS scheme can be referenced by multiple ISP domains simultaneously. 1.4.2 Configuring RADIUS Authentication/Authorization Servers. Table 1-13 Configure RADIUS authentication/authorization servers ...
  • Page 26: Configuring RADIUS Accounting Servers

    1.4.3 Configuring RADIUS Accounting Servers. Table 1-14 Configure RADIUS accounting servers (Operation / Command / Description):
    Enter system view / system-view / —
    ... / ... / Required ...
  • Page 27: Configuring Shared Keys for RADIUS Messages

    Caution: In an actual network environment, you can specify one server as both the primary and the secondary accounting server, or specify two RADIUS servers as the primary and secondary accounting servers respectively.
  • Page 28: Configuring Maximum Number of Transmission Attempts of RADIUS Request

    Operation / Command / Description:
    Set a shared key for RADIUS accounting messages / key accounting string / Required
    Caution: The authentication/authorization shared key and the accounting shared key you set on the switch must be consistent with the shared key on the authentication/authorization server and the shared key on the accounting server respectively.
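    The message format from pages 7 and 8 (Code, Identifier, Length, Authenticator, Attributes) and the shared-key caution above, as an added Python example that is not part of the manual or of H3C's software. It builds the switch's Access-Request, the server's reply, and the client-side check that binds the two: the Identifier must match the outstanding request and the Response Authenticator must verify under the client's own key. The user name, password, key and NAS address are constructed sample data.

```python
"""RADIUS message format and shared-key check. Added example, not from the H3C
manual. Keys, password, user name and NAS address below are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(attrs):
    """Each attribute is Type(1) Length(1) Value; Length counts its own 2 header bytes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Walk the Attributes field, rejecting lengths that overrun the packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        t, ln = struct.unpack_from("!BB", data, pos)
        if ln < 2 or pos + ln > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + ln]))
        pos += ln
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 User-Password hiding: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def parse_packet(pkt):
    """Split a RADIUS message into Code, Identifier, Length, Authenticator, Attributes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack_from("!BBH", pkt, 0)
    if length < 20 or length > len(pkt):
        raise ValueError("Length field inconsistent with packet")
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": pkt[4:20], "attrs": decode_attrs(pkt[20:length])}


def response_authenticator(code, identifier, length, request_auth, attrs_bytes, secret):
    """MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(head + request_auth + attrs_bytes + secret).digest()


def build_access_request(identifier, user, password, nas_ip, secret, request_auth=None):
    """Client (switch) side: Access-Request with a random 16-byte Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def build_response(request_pkt, secret, code=ACCESS_ACCEPT, attrs=()):
    """Server side: echo the request's Identifier and sign with the server's key."""
    req = parse_packet(request_pkt)
    body = encode_attrs(list(attrs))
    length = 20 + len(body)
    auth = response_authenticator(code, req["identifier"], length, req["authenticator"], body, secret)
    return struct.pack("!BBH", code, req["identifier"], length) + auth + body


def verify_response(request_pkt, response_pkt, secret):
    """Client side: a response counts only if its Identifier matches the outstanding
    request and its Response Authenticator verifies under the client's own key."""
    req, resp = parse_packet(request_pkt), parse_packet(response_pkt)
    if resp["identifier"] != req["identifier"]:
        return False
    expected = response_authenticator(resp["code"], resp["identifier"], resp["length"],
                                      req["authenticator"], response_pkt[20:resp["length"]], secret)
    return expected == resp["authenticator"]


def demo(client_key=b"h3c", server_key=b"h3c"):
    """Round trip with the two keys; True only when they agree (constructed data)."""
    req = build_access_request(7, "user1@cams", "p@ss", "10.110.91.1", client_key,
                               request_auth=bytes(range(16)))
    return verify_response(req, build_response(req, server_key), client_key)
```

    demo() returns True; demo(server_key=b"wrong") returns False. That failure mode is worth knowing when troubleshooting: a client that fails the Response Authenticator check silently discards the reply, so a key mismatch shows up as retransmissions and a timeout (and, after the configured maximum number of attempts, the server being marked down), not as an Access-Reject.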
  • Page 29: Configuring to Support a Type of RADIUS Server

    1.4.6 Configuring to Support a Type of RADIUS Server. Table 1-17 Configure to support a type of RADIUS server (Operation ...)
  • Page 30: Configuring the Attributes for Data to Be Sent to RADIUS Servers

    Operation / Command / Description:
    Set the status of the primary RADIUS authentication/authorization server / state primary authentication { block | active } / Optional. By default, the primary ...
  • Page 31: Configuring Local RADIUS Authentication Server

    Operation / Command / Description:
    Set the source IP address (in RADIUS scheme view) / nas-ip ip-address / Optional. By default, no source IP address is set, and the IP ...
  • Page 32: Configuring the Timers of RADIUS Servers

    Operation / Command / Description:
    Configure the local RADIUS authentication server / local-server nas-ip ip-address key password / Required. By default, a local RADIUS authentication server with the NAS IP address 127.0.0.1 is configured.
  • Page 33: Enabling the Sending of Trap Message When a RADIUS Server Is Down

    ... immediately restores communication with the primary server instead of communicating with the secondary server, and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchanged.
  • Page 34: Enabling the User Re-Authentication at Restart Function

    Note: This configuration takes effect on all RADIUS schemes. The switch considers a RADIUS server to be down if it has tried the configured maximum number of times to send a message to the server without receiving any response.
  • Page 35: HWTACACS Configuration

    If the switch does not receive any response from the CAMS after it has tried the configured maximum number of times to send the Accounting-On message, it stops sending the Accounting-On message.
  • Page 36: Configuring HWTACACS Authentication Servers

    Table 1-24 Create a HWTACACS scheme (Operation / Command / Description):
    Enter system view / system-view / —
    Create a HWTACACS scheme / hwtacacs scheme ... / Required. By default, no HWTACACS ...
  • Page 37: Configuring HWTACACS Authorization Servers

    Caution: You are not allowed to configure the same IP address for both the primary and the secondary authentication server. If you do, the system prompts that the configuration fails.
  • Page 38: Configuring HWTACACS Accounting Servers

    1.5.4 Configuring HWTACACS Accounting Servers. Table 1-27 Configure HWTACACS accounting servers (Operation / Command / Description):
    Enter system view / system-view / —
    ... / ... / Required ...
  • Page 39: Configuring the Attributes for Data to Be Sent to TACACS Servers

    ... have been set on them, and can accept and respond to the messages only when both parties have the same shared key.
  • Page 40: Configuring the Timers of TACACS Servers

    Operation / Command / Description:
    Set the source IP address (in HWTACACS scheme view) / nas-ip ip-address / Optional. By default, no source IP address is set; the IP ...
  • Page 41: Displaying and Maintaining AAA & RADIUS & HWTACACS Information

    Caution: To control the interval at which users are charged in real time, you can set the real-time accounting interval. After the setting, the switch periodically sends the accounting information of online users to the TACACS server at the set interval.
  • Page 42

    Table 1-32 Display and maintain RADIUS protocol information (Operation / Command / Description):
    Display RADIUS message statistics about the local RADIUS ... / display local-server ... / ...
  • Page 43: AAA & RADIUS & HWTACACS Configuration Example

    Operation / Command / Description:
    Clear HWTACACS message statistics / reset hwtacacs statistics { accounting | authentication | authorization | all } / You can execute the reset ...
  • Page 44

    The Telnet user names added to the RADIUS server must be in the format userid@isp-name if you have configured the RADIUS scheme on the switch to include domain names in the user names sent to the RADIUS server.
  • Page 45: Local Authentication of FTP/Telnet Users

    [H3C] domain cams
    [H3C-isp-cams] scheme radius-scheme cams
    A Telnet user logging into the switch with a name in the format userid@cams belongs to the cams domain and is authenticated according to the configuration of the cams domain.
  • Page 46: HWTACACS Authentication and Authorization of Telnet Users

    You only need to change the server IP address, the authentication key (password) and the UDP port number of the authentication server to 127.0.0.1, h3c and 1645 respectively in the configuration step "Configure a RADIUS scheme" in section 1.7.1 (the local RADIUS server listens on the legacy RADIUS authentication port 1645 rather than 1812), and configure local users (whether the names of local users carry domain names must be consistent with the configuration in the RADIUS scheme).
  • Page 47: Troubleshooting AAA & RADIUS & HWTACACS Configuration

    II. Network diagram (figure residue: an authentication server with IP address 10.110.91.164; the remaining labels did not survive extraction).
  • Page 48: Troubleshooting HWTACACS Configuration

    The user name is not in the userid@isp-name format, or the default ISP domain is not correctly specified on the switch: use the correct user name format, or set a default ISP domain on the switch.
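    The user-name rules scattered over this page (page 16: default ISP domain and the 16-domain limit; page 23: forbidden characters and at most one "@"; page 44: the userid@isp-name form and whether the domain is sent to the RADIUS server; page 48: the troubleshooting entry for a wrong name format or a missing default domain), pulled together in an added Python example that is not the switch's own code. The domain names, the scheme strings and the default domain name "system" are constructed assumptions.

```python
"""Resolving an access user name to its ISP domain and AAA scheme.
Added example, not the switch's code; rules taken from the manual page,
sample domains and the default domain name are constructed."""

FORBIDDEN = set("/:*?<>")   # characters the manual forbids in a user name
MAX_DOMAINS = 16            # the switch allows at most 16 ISP domains


def split_user_name(name, default_domain):
    """Return (userid, isp_domain) for a login name, or raise ValueError.
    A name without "@" belongs to the default ISP domain."""
    if not name:
        raise ValueError("empty user name")
    bad = FORBIDDEN.intersection(name)
    if bad:
        raise ValueError("forbidden character(s) in user name: %s" % "".join(sorted(bad)))
    if name.count("@") > 1:
        raise ValueError("more than one '@' in user name")
    if "@" in name:
        userid, domain = name.split("@", 1)
        if not userid or not domain:
            raise ValueError("empty userid or domain in %r" % name)
        return userid, domain
    return name, default_domain


def select_scheme(name, domains, default_domain):
    """Pick the AAA scheme for a login: the domain must exist on the switch.
    This is the failure the page's troubleshooting entry describes (wrong
    name format, or no default domain configured)."""
    userid, domain = split_user_name(name, default_domain)
    if domain not in domains:
        raise ValueError("ISP domain %r is not configured on the switch" % domain)
    return userid, domain, domains[domain]


def name_for_radius(userid, domain, with_domain):
    """What the switch sends in User-Name, depending on whether the RADIUS
    scheme is configured to include the domain name or not."""
    return "%s@%s" % (userid, domain) if with_domain else userid


def add_domain(domains, name, scheme):
    """Configure an ISP domain, enforcing the 16-domain limit."""
    if name in domains:
        return domains
    if len(domains) >= MAX_DOMAINS:
        raise ValueError("at most %d ISP domains may be configured" % MAX_DOMAINS)
    domains[name] = scheme
    return domains


# Constructed sample configuration: "system" is assumed to be the default domain.
DOMAINS = {"system": "local", "cams": "radius-scheme cams"}
DEFAULT_DOMAIN = "system"
```

    The with_domain flag matters operationally: if the scheme sends user1@cams but the RADIUS server only knows user1, every login is rejected even though the key and ports are right, which is why page 44 insists that the account names on the server match the format the switch is configured to send.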
