Quidway S3000 Series Operation Manual - page 33
Operation Manual - Security
Quidway S3000 Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol Configuration
2-18
II. Networking Topology
[Figure: network diagram with the labels "Authentication Servers (IP address: 10.110.91.164)", "Internet", "Switch" and "telnet user"]
Figure 2-2 Configuring remote RADIUS authentication for Telnet users
III. Configuration Schedule
# Add a Telnet user.
Omitted
Note:
For details about configuring FTP and Telnet users, refer to User Interface Configuration in Getting Started.
# Configure remote authentication mode for the Telnet user, i.e. scheme mode.
[Quidway-ui-vty0-4] authentication-mode scheme
# Configure domain.
[Quidway] domain cams
[Quidway-isp-cams] quit
# Configure RADIUS scheme.
[Quidway] radius scheme cams
[Quidway-radius-cams] primary authentication 10.110.91.146 1812
[Quidway-radius-cams] key authentication expert
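An added example, not part of the manual: a Python check over the commands shown above, run against a constructed session log. The figure gives the server as 10.110.91.164 while the `primary authentication` command uses 10.110.91.146, so the documented address is passed in and the difference is reported; the function names, the `expected_server` parameter and the finding strings are assumptions of this example, and the 16-character floor is the preference stated in RFC 2865 section 3, not a limit from the manual.

```python
import re

# Constructed input: the commands from this page as one session log.
SESSION = """\
[Quidway-ui-vty0-4] authentication-mode scheme
[Quidway] domain cams
[Quidway-isp-cams] quit
[Quidway] radius scheme cams
[Quidway-radius-cams] primary authentication 10.110.91.146 1812
[Quidway-radius-cams] key authentication expert
"""

LINE = re.compile(r"^\[(?P<view>[^\]]+)\]\s+(?P<cmd>.+?)\s*$")
MIN_SECRET_LEN = 16  # RFC 2865 section 3 prefers secrets of at least 16 octets


def parse(session):
    """Return (view, tokens) pairs for every '[view] command' line."""
    pairs = []
    for raw in session.splitlines():
        m = LINE.match(raw.strip())
        if m:
            pairs.append((m["view"], m["cmd"].split()))
    return pairs


def audit(session, expected_server):
    """Return findings for the Telnet/RADIUS setup (hypothetical helper)."""
    findings, vty_scheme, server, secret = [], False, None, None
    for view, tok in parse(session):
        in_radius = "-radius-" in view and len(tok) >= 3
        if "-ui-vty" in view and tok == ["authentication-mode", "scheme"]:
            vty_scheme = True
        elif in_radius and tok[:2] == ["primary", "authentication"]:
            server = tok[2]
        elif in_radius and tok[:2] == ["key", "authentication"]:
            secret = tok[2]
    if not vty_scheme:
        findings.append("vty: authentication-mode scheme not set")
    if server is None:
        findings.append("radius: no primary authentication server")
    elif server != expected_server:
        findings.append(f"radius: server {server} != documented {expected_server}")
    if secret is None:
        findings.append("radius: no authentication key")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"radius: key is {len(secret)} chars, under {MIN_SECRET_LEN}")
    return findings


if __name__ == "__main__":
    for finding in audit(SESSION, expected_server="10.110.91.164"):
        print(finding)
```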