H3C S3100-52P User manual

Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch Table of Contents
i
Table of Contents
Chapter 1 AAA & RADIUS & HWTACACS Configuration..........................................................1-1
1.1 Overview............................................................................................................................1-1
1.1.1 Introduction to AAA.................................................................................................1-1
1.1.2 Introduction to ISP Domain..................................................................................... 1-2
1.1.3 Introduction to RADIUS...........................................................................................1-2
1.1.4 Introduction to HWTACACS....................................................................................1-7
1.2 Configuration Task........................................................................................................... 1-10
1.3 AAA Configuration ........................................................................................................... 1-12
1.3.1 Configuration Prerequisites...................................................................................1-13
1.3.2 Creating an ISP Domain .......................................................................................1-13
1.3.3 Configuring the Attributes of an ISP Domain........................................................1-13
1.3.4 Configuring an AAA Scheme for an ISP Domain..................................................1-15
1.3.5 Configuring Dynamic VLAN Assignment ..............................................................1-17
1.3.6 Configuring the Attributes of a Local User............................................................1-19
1.3.7 Cutting Down User Connections Forcibly.............................................................1-21
1.4 RADIUS Configuration..................................................................................................... 1-21
1.4.1 Creating a RADIUS Scheme................................................................................. 1-22
1.4.2 Configuring RADIUS Authentication/Authorization Servers..................................1-23
1.4.3 Configuring RADIUS Accounting Servers.............................................................1-24
1.4.4 Configuring Shared Keys for RADIUS Messages.................................................1-25
1.4.5 Configuring Maximum Number of Transmission Attempts of RADIUS Request .. 1-26
1.4.6 Configuring to Support a Type of RADIUS Server................................................1-27
1.4.7 Configuring the Status of RADIUS Servers ..........................................................1-27
1.4.8 Configuring the Attributes for Data to be Sent to RADIUS Servers......................1-28
1.4.9 Configuring Local RADIUS Authentication Server................................................1-29
1.4.10 Configuring the Timers of RADIUS Servers........................................................1-30
1.4.11 Enabling the Sending of Trap Message When a RADIUS Server is Down........1-31
1.4.12 Enabling the User Re-Authentication at Restart Function.................................. 1-32
1.5 HWTACACS Configuration..............................................................................................1-33
1.5.1 Creating an HWTACACS Scheme ............................................ 1-33
1.5.2 Configuring HWTACACS Authentication Servers.................................................1-34
1.5.3 Configuring HWTACACS Authorization Servers................................................... 1-35
1.5.4 Configuring HWTACACS Accounting Servers...................................................... 1-36
1.5.5 Configuring Shared Keys for HWTACACS Messages..........................................1-36
1.5.6 Configuring the Attributes for Data to be Sent to TACACS Servers.....................1-37
1.5.7 Configuring the Timers of TACACS Servers.........................................................1-38
1.6 Displaying and Maintaining AAA & RADIUS & HWTACACS Information.......................1-39
1.7 AAA & RADIUS & HWTACACS Configuration Example.................................................1-41

1.7.1 Remote RADIUS Authentication of Telnet/SSH Users......................................... 1-41
1.7.2 Local Authentication of FTP/Telnet Users ............................................................ 1-43
1.7.3 HWTACACS Authentication and Authorization of Telnet Users...........................1-44
1.8 Troubleshooting AAA & RADIUS & HWTACACS Configuration.....................................1-45
1.8.1 Troubleshooting RADIUS Configuration...............................................................1-45
1.8.2 Troubleshooting HWTACACS Configuration........................................................1-46

Chapter 1 AAA & RADIUS & HWTACACS Configuration
1.1 Overview
1.1.1 Introduction to AAA
AAA is an acronym for the three security functions: authentication, authorization and
accounting. It provides a uniform framework for you to configure the three security
functions to implement network security management.
The network security mentioned here mainly refers to access control. It mainly controls:
• Which users can access the network,
• Which services are available to the users who can access the network, and
• How to charge the users who are using network resources.
Accordingly, AAA provides the following three functions:
I. Authentication
AAA supports the following authentication methods:
• None authentication: Users are trusted and are not checked for validity.
Generally, this method is not recommended.
• Local authentication: User information (including user name, password, and some
other attributes) is configured on this device, and users are authenticated on this
device instead of on a remote device. Local authentication is fast and requires
lower operational cost, but has the deficiency that information storage capacity is
limited by device hardware.
• Remote authentication: Users are authenticated remotely through the RADIUS or
HWTACACS protocol. This device (for example, an H3C series switch) acts as the
client to communicate with the RADIUS or TACACS server. For RADIUS, you can
use the extended RADIUS protocol as well as the standard RADIUS protocol.
II. Authorization
AAA supports the following authorization methods:
• Direct authorization: Users are trusted and directly authorized.
• Local authorization: Users are authorized according to the related attributes
configured for their local accounts on this device.
• RADIUS authorization: Users are authorized after they pass RADIUS
authentication. In the RADIUS protocol, authentication and authorization are

combined together, and authorization cannot be performed alone without
authentication.
• HWTACACS authorization: Users are authorized by a TACACS server.
III. Accounting
AAA supports the following accounting methods:
• None accounting: No accounting is performed for users.
• Remote accounting: User accounting is performed on a remote RADIUS or
TACACS server.
Generally, AAA adopts a client/server structure, where the client acts as the managed
resource and the server stores user information. This structure has good scalability and
facilitates the centralized management of user information.
1.1.2 Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users who belong to the same
ISP. For a user name in the format userid@isp-name, the isp-name following the "@"
character is the ISP domain name. The access device uses userid as the user name for
authentication, and isp-name as the domain name.
In a multi-ISP environment, the users connected to the same access device may
belong to different domains. Since the users of different ISPs may have different
attributes (such as different forms of user name and password, different service
types/access rights), it is necessary to distinguish the users by setting ISP domains.
You can configure a set of ISP domain attributes (including AAA policy, RADIUS
scheme, and so on) for each ISP domain independently in ISP domain view.
1.1.3 Introduction to RADIUS
AAA is a management framework. It can be implemented by more than one protocol, but
in practice the most commonly used protocol for AAA is RADIUS.
I. What is RADIUS
RADIUS (remote authentication dial-in user service) is a distributed information
exchange protocol based on client/server structure. It can prevent unauthorized access
to your network and is commonly used in network environments where both high
security and remote user access service are required.
The RADIUS service involves three components:
• Protocol: Based on the UDP/IP layer, RFC 2865 and 2866 define the message
format and message transfer mechanism of RADIUS, and define 1812 as the
authentication port and 1813 as the accounting port.

• Server: The RADIUS server runs on a computer or workstation at the center. It stores
and maintains user authentication information and network service access
information.
• Client: The RADIUS client runs on dial-in access server devices throughout the
network.
RADIUS is based on client/server model. A switch acting as a RADIUS client passes
user information to a specified RADIUS server, and takes appropriate action (such as
establishing/terminating user connection) depending on the responses returned from
the server. The RADIUS server receives user connection requests, authenticates users,
and returns all required information to the switch.
Generally, a RADIUS server maintains the following three databases (see Figure 1-1):
• Users: This database stores information about users (such as user name,
password, protocol adopted and IP address).
• Clients: This database stores information about RADIUS clients (such as the shared
key of each client).
• Dictionary: The information stored in this database is used to interpret the
attributes and attribute values in the RADIUS protocol.
[Figure 1-1 Databases in a RADIUS server: Users, Clients and Dictionary]
In addition, a RADIUS server can act as a client of some other AAA server to provide
authentication or accounting proxy service.
II. Basic message exchange procedure in RADIUS
The messages exchanged between a RADIUS client (a switch, for example) and a
RADIUS server are verified through a shared key that is configured on both sides and is
never sent on the wire; this protects the exchange against forged or tampered responses.
The RADIUS protocol combines the authentication and authorization processes by
sending authorization information along with the authentication response message.
Figure 1-2 depicts the message exchange procedure between user, switch and
RADIUS server.

[Figure 1-2 Basic message exchange procedure of RADIUS: PC, RADIUS client and
RADIUS server; (1) the user inputs the user name and password, (2) Access-Request,
(3) Access-Accept, (4) Accounting-Request (start), (5) Accounting-Response, (6) the user
starts to access the resources, (7) Accounting-Request (stop), (8) Accounting-Response,
(9) the user is informed that the access is ended]
The basic message exchange procedure of RADIUS is as follows:
1) The user enters the user name and password.
2) The RADIUS client receives the user name and password, and then sends an
authentication request (Access-Request) to the RADIUS server.
3) The RADIUS server compares the received user information with that in the Users
database to authenticate the user. If the authentication succeeds, the RADIUS
server sends back to the RADIUS client an authentication response
(Access-Accept), which contains the user’s access right information. If the
authentication fails, the server returns an Access-Reject response.
4) The RADIUS client accepts or denies the user depending on the received
authentication result. If it accepts the user, the RADIUS client sends a
start-accounting request (Accounting-Request, with the Acct-Status-Type attribute
value = start) to the RADIUS server.
5) The RADIUS server returns a start-accounting response (Accounting-Response).
6) The user starts to access network resources.
7) The RADIUS client sends a stop-accounting request (Accounting-Request, with
the Acct-Status-Type attribute value = stop) to the RADIUS server.
8) The RADIUS server returns a stop-accounting response (Accounting-Response).
9) The access to network resources is ended.
III. RADIUS message format
RADIUS messages are transported over UDP, which does not guarantee reliable
delivery of messages between RADIUS server and client. As a remedy, RADIUS
adopts the following mechanisms: timer management, retransmission, and backup
server. Figure 1-3 depicts the format of RADIUS messages.

[Figure 1-3 RADIUS message format: Code | Identifier | Length | Authenticator | Attributes]
1) The Code field (one byte) decides the type of RADIUS message, as shown in
Table 1-1.
Table 1-1 Description on the major values of the Code field

Code 1, Access-Request (direction: client->server)
  The client transmits this message to the server to determine whether the user can
  access the network. It carries user information: it must contain the User-Name
  attribute and may contain attributes such as NAS-IP-Address, User-Password and
  NAS-Port.
Code 2, Access-Accept (direction: server->client)
  The server transmits this message to the client if all the attribute values carried in
  the Access-Request message are acceptable (that is, the user passes the
  authentication).
Code 3, Access-Reject (direction: server->client)
  The server transmits this message to the client if any attribute value carried in the
  Access-Request message is unacceptable (that is, the user fails the authentication).
Code 4, Accounting-Request (direction: client->server)
  The client transmits this message to the server to request that the server start or
  end accounting (which of the two is determined by the Acct-Status-Type attribute in
  the message). This message carries almost the same attributes as the
  Access-Request message.
Code 5, Accounting-Response (direction: server->client)
  The server transmits this message to the client to notify the client that it has
  received the Accounting-Request message and has correctly recorded the
  accounting information.

2) The Identifier field (one byte) is used to match requests and responses. It changes
whenever the content of the Attributes field change, and whenever a valid
response has been received for a previous request, but remains unchanged for
message retransmission.
3) The Length field (two bytes) specifies the total length of the message (including
the Code, Identifier, Length, Authenticator and Attributes fields). The bytes beyond
the length are regarded as padding and are ignored upon reception. If a received
message is shorter than what the Length field indicates, it is discarded.
4) The Authenticator field (16 bytes) is used to authenticate the response from the
RADIUS server; and is used in the password hiding algorithm. There are two kinds
of authenticators: Request Authenticator and Response Authenticator.
5) The Attributes field contains specific authentication/authorization/accounting
information to provide the configuration details of a request or response message.
This field contains a list of (Type, Length, Value) triplets:
• The Type field (one byte) specifies the type of an attribute. Its value ranges from 1
to 255. Table 1-2 lists the attributes that are commonly used in RADIUS
authentication/authorization.
• The Length field (one byte) specifies the total length of the attribute in bytes
(including the Type, Length and Value fields).
• The Value field (up to 253 bytes) contains the information of the attribute. Its format
is determined by the Type and Length fields.
Table 1-2 RADIUS attributes (two pairs per row: Type field value, attribute type)
Type  Attribute type            Type  Attribute type
1 User-Name 23 Framed-IPX-Network
2 User-Password 24 State
3 CHAP-Password 25 Class
4 NAS-IP-Address 26 Vendor-Specific
5 NAS-Port 27 Session-Timeout
6 Service-Type 28 Idle-Timeout
7 Framed-Protocol 29 Termination-Action
8 Framed-IP-Address 30 Called-Station-Id
9 Framed-IP-Netmask 31 Calling-Station-Id
10 Framed-Routing 32 NAS-Identifier
11 Filter-ID 33 Proxy-State
12 Framed-MTU 34 Login-LAT-Service
13 Framed-Compression 35 Login-LAT-Node
14 Login-IP-Host 36 Login-LAT-Group

15 Login-Service 37 Framed-AppleTalk-Link
16 Login-TCP-Port 38 Framed-AppleTalk-Network
17 (unassigned) 39 Framed-AppleTalk-Zone
18 Reply-Message 40-59 (reserved for accounting)
19 Callback-Number 60 CHAP-Challenge
20 Callback-ID 61 NAS-Port-Type
21 (unassigned) 62 Port-Limit
22 Framed-Route 63 Login-LAT-Port
The RADIUS protocol has good scalability. Attribute 26 (Vendor-Specific) defined in this
protocol allows a device vendor to extend RADIUS to implement functions that are not
defined in standard RADIUS.
Figure 1-4 depicts the format of attribute 26. The Vendor-ID field used to identify a
vendor occupies four bytes, where the first byte is 0, and the other three bytes carry the
vendor's enterprise number as defined in RFC 1700. Inside this attribute, the vendor can
encapsulate multiple customized sub-attributes (each containing a vendor-specific Type,
Length and Value) to implement a RADIUS extension.
[Figure 1-4 Vendor-specific attribute format: Type (26) | Length | Vendor-ID (4 bytes),
followed by one or more sub-attributes of Vendor-Type | Vendor-Length | Vendor-Value]
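The exchange of Figure 1-2, the message format of Figure 1-3, the Code values of Table 1-1 and the Vendor-Specific layout of Figure 1-4, worked through in code. This is an added example written for this page, not code from the manual or from H3C. It uses only the Python standard library and simulates the RADIUS server in-process, so nothing is sent on the network. The shared key, the user name, the NAS address and the vendor sub-attribute are constructed sample data (25506 is H3C's IANA enterprise number, used here only as a sample Vendor-ID). The MD5-based User-Password hiding and the authenticator formula are the ones RFC 2865 and RFC 2866 specify; the reply forged with a wrong key shows what the shared-key check described above actually protects against, and the Length and attribute checks in parse_packet implement the discard rules given for the Length field.

```python
"""RADIUS (RFC 2865/2866) packet build/parse, User-Password hiding, authenticator checks and a
Vendor-Specific attribute. Standard library only; the server side is simulated in-process."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4  # Table 1-1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC, SESSION_TIMEOUT = 1, 2, 4, 26, 27  # Table 1-2
ACCT_STATUS_TYPE = 40  # RFC 2866: value 1 = Start, 2 = Stop
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous
    block), the first block keyed by the Request Authenticator. Obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def pack_attrs(attrs):
    """(Type, Value) pairs -> Type(1) Length(1) Value(<=253) triplets."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def pack_vsa(vendor_id, sub_attrs):
    """Value of attribute 26: 4-byte Vendor-ID (high byte 0) then vendor TLVs (Figure 1-4)."""
    return struct.pack("!I", vendor_id) + pack_attrs(sub_attrs)

def pack_packet(code, identifier, authenticator, attrs):
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body

def parse_packet(data):
    """-> (code, identifier, authenticator, [(type, value), ...]); ValueError means discard.
    Bytes past Length are padding; a datagram shorter than Length is rejected."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than the fixed header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > 4096 or len(data) < length:
        raise ValueError("Length field inconsistent with datagram")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, identifier, data[4:HEADER_LEN], attrs

def build_with_authenticator(code, identifier, request_auth, attrs, secret):
    """Authenticator = MD5(Code + ID + Length + request_auth + Attributes + Secret): the Response
    Authenticator for replies or, with 16 zero bytes, the Accounting-Request authenticator."""
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_authenticator(data, request_auth, secret):
    """Recompute the authenticator over the received datagram; constant-time compare."""
    code, identifier, auth, attrs = parse_packet(data)  # malformed datagrams are rejected first
    length = struct.unpack("!H", data[2:4])[0]
    expected = hashlib.md5(data[:4] + request_auth + data[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(auth, expected)

def demo_exchange(secret=b"constructed-shared-key", stored=b"s3cret-pw", typed=b"s3cret-pw"):
    """Steps 2-5 of Figure 1-2 in-process, plus a reply forged without the shared key.
    User name, key, address and the vendor sub-attribute are constructed sample data."""
    users = {b"alice@isp1": stored}  # the server's Users database
    req_auth = os.urandom(16)         # fresh, unpredictable Request Authenticator
    request = pack_packet(ACCESS_REQUEST, 7, req_auth, [
        (USER_NAME, b"alice@isp1"),
        (USER_PASSWORD, hide_password(typed, secret, req_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
        (VENDOR_SPECIFIC, pack_vsa(25506, [(1, b"sample-sub-attr")]))])  # 25506: H3C enterprise number
    code, ident, auth, attrs = parse_packet(request)  # server side from here on
    fields = dict(attrs)
    accepted = code == ACCESS_REQUEST and hmac.compare_digest(
        reveal_password(fields[USER_PASSWORD], secret, auth), users.get(fields[USER_NAME], b""))
    reply = build_with_authenticator(ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, auth,
                                     [(SESSION_TIMEOUT, struct.pack("!I", 3600))], secret)
    forged = build_with_authenticator(ACCESS_ACCEPT, ident, auth, [], b"wrong-key")
    acct_start = build_with_authenticator(ACCOUNTING_REQUEST, 8, b"\x00" * 16,
                                          [(ACCT_STATUS_TYPE, struct.pack("!I", 1)), (USER_NAME, b"alice@isp1")], secret)
    return {"server_accepted": accepted, "reply_code": parse_packet(reply)[0],
            "reply_verified": verify_authenticator(reply, req_auth, secret),
            "forged_verified": verify_authenticator(forged, req_auth, secret),
            "acct_start_verified": verify_authenticator(acct_start, b"\x00" * 16, secret),
            "vsa_vendor_id": struct.unpack("!I", fields[VENDOR_SPECIFIC][:4])[0]}
```

demo_exchange() returns what each side concluded. Calling it with typed=b"guess" yields an Access-Reject whose Response Authenticator still verifies, which is the point of the shared key: it lets the client trust the server's answer and lets the server check Accounting-Requests, but it only hides the password field with an MD5 keystream. Anyone holding the key (or a weak key that can be guessed offline from a captured Access-Request) can recover it, so the key in the Clients database should be long, random and unique per client.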
1.1.4 Introduction to HWTACACS
I. What is HWTACACS
HWTACACS (Huawei terminal access controller access control system) is an
enhanced security protocol based on TACACS (RFC 1492). Similar to the RADIUS
protocol, it implements AAA for different types of users (such as PPP, VPDN, and
terminal users) by communicating with a TACACS server in client/server mode.

Compared with RADIUS, HWTACACS provides more reliable transmission and
encryption, and therefore is more suitable for security control. Table 1-3 lists the
primary differences between HWTACACS and RADIUS.
Table 1-3 Differences between HWTACACS and RADIUS

Transport: HWTACACS adopts TCP, providing more reliable network transmission;
  RADIUS adopts UDP.
Encryption: HWTACACS encrypts the entire message except the HWTACACS header;
  RADIUS encrypts only the password field in authentication messages.
Authentication and authorization: HWTACACS separates authentication from
  authorization (for example, you can use one TACACS server for authentication and
  another TACACS server for authorization); RADIUS combines authentication and
  authorization.
Suitability: HWTACACS is more suitable for security control; RADIUS is more
  suitable for accounting.
Command authorization: HWTACACS supports configuration command authorization;
  RADIUS does not.
In a typical HWTACACS application (as shown in Figure 1-5), a dial-up or terminal user
needs to log into the switch to perform some operations. As an HWTACACS client, the
switch sends the username and password to the TACACS server for authentication.
After passing authentication and being authorized, the user successfully logs into the
switch to perform operations.
[Figure 1-5 Network diagram for a typical HWTACACS application: a dial-up user
(via ISDN/PSTN) and a terminal user connect to the switch acting as HWTACACS client,
which communicates with TACACS servers 129.7.66.66 and 129.7.66.67]
II. Basic message exchange procedure in HWTACACS
The following text takes telnet user as an example to describe how HWTACACS
implements authentication, authorization, and accounting for a user. Figure 1-6
illustrates the basic message exchange procedure:

[Figure 1-6 AAA implementation procedure for a telnet user: message flow between
User, HWTACACS client and HWTACACS server (authentication start request;
authentication responses requesting username and password; authentication
continuance messages carrying the username and the password; authentication
success response; authorization request and authorization success response;
accounting start request/response when the user is allowed to log in; accounting stop
request/response when the user exits the switch); the steps are listed below]
The basic message exchange procedure is as follows:
1) A user sends a login request to the switch acting as a TACACS client, which then
sends an authentication start request to the TACACS server.
2) The TACACS server returns an authentication response, asking for the username.
Upon receiving the response, the TACACS client requests the user for the
username.
3) After receiving the username from the user, the TACACS client sends an
authentication continuance message carrying the username.
4) The TACACS server returns an authentication response, asking for the password.
Upon receiving the response, the TACACS client requests the user for the login
password.
5) After receiving the password, the TACACS client sends an authentication
continuance message carrying the password to the TACACS server.
6) The TACACS server returns an authentication response, indicating that the user
has passed the authentication.
7) The TACACS client sends a user authorization request to the TACACS server.

8) The TACACS server returns an authorization response, indicating that the user
has passed the authorization.
9) After receiving the response indicating an authorization success, the TACACS
client pushes the configuration interface of the switch to the user.
10) The TACACS client sends an accounting start request to the TACACS server.
11) The TACACS server returns an accounting response, indicating that it has
received the accounting start request.
12) The user logs out; the TACACS client sends an accounting stop request to the
TACACS server.
13) The TACACS server returns an accounting response, indicating that it has
received the accounting stop request.
1.2 Configuration Task
Table 1-4 Configuration tasks

AAA configuration
  Creating an ISP domain
    Required. Section 1.3.2 "Creating an ISP Domain"
  Configuring the attributes of an ISP domain
    Optional. Section 1.3.3 "Configuring the Attributes of an ISP Domain"
  Configuring an AAA scheme for an ISP domain
    Required. Section 1.3.4 "Configuring an AAA Scheme for an ISP Domain"
    If local authentication is adopted, refer to section 1.3.6 "Configuring the
    Attributes of a Local User". If RADIUS authentication is adopted, refer to
    section 1.4 "RADIUS Configuration".
  Configuring dynamic VLAN assignment
    Optional. Section 1.3.5 "Configuring Dynamic VLAN Assignment"
  Configuring the attributes of a local user
    Optional. Section 1.3.6 "Configuring the Attributes of a Local User"
  Cutting down user connections forcibly
    Optional. Section 1.3.7 "Cutting Down User Connections Forcibly"

RADIUS configuration
  Creating a RADIUS scheme
    Required. Section 1.4.1 "Creating a RADIUS Scheme"
  Configuring RADIUS authentication/authorization servers
    Required. Section 1.4.2 "Configuring RADIUS Authentication/Authorization Servers"
  Configuring RADIUS accounting servers
    Required. Section 1.4.3 "Configuring RADIUS Accounting Servers"
  Configuring shared keys for RADIUS messages
    Optional. Section 1.4.4 "Configuring Shared Keys for RADIUS Messages"
  Configuring the maximum number of transmission attempts of a RADIUS request
    Optional. Section 1.4.5 "Configuring Maximum Number of Transmission Attempts of
    RADIUS Request"
  Configuring to support a type of RADIUS server
    Optional. Section 1.4.6 "Configuring to Support a Type of RADIUS Server"
  Configuring the status of RADIUS servers
    Optional. Section 1.4.7 "Configuring the Status of RADIUS Servers"
  Configuring the attributes for data to be sent to RADIUS servers
    Optional. Section 1.4.8 "Configuring the Attributes for Data to be Sent to RADIUS
    Servers"
  Configuring local RADIUS authentication server
    Optional. Section 1.4.9 "Configuring Local RADIUS Authentication Server"
  Configuring the timers of RADIUS servers
    Optional. Section 1.4.10 "Configuring the Timers of RADIUS Servers"

  Enabling the sending of trap message when a RADIUS server is down
    Optional. Section 1.4.11 "Enabling the Sending of Trap Message When a RADIUS
    Server is Down"
  Enabling the user re-authentication at restart function
    Optional. Section 1.4.12 "Enabling the User Re-Authentication at Restart Function"

HWTACACS configuration
  Creating an HWTACACS scheme
    Required. Section 1.5.1 "Creating an HWTACACS Scheme"
  Configuring HWTACACS authentication servers
    Required. Section 1.5.2 "Configuring HWTACACS Authentication Servers"
  Configuring HWTACACS authorization servers
    Required. Section 1.5.3 "Configuring HWTACACS Authorization Servers"
  Configuring HWTACACS accounting servers
    Optional. Section 1.5.4 "Configuring HWTACACS Accounting Servers"
  Configuring shared keys for HWTACACS messages
    Optional. Section 1.5.5 "Configuring Shared Keys for HWTACACS Messages"
  Configuring the attributes for data to be sent to TACACS servers
    Optional. Section 1.5.6 "Configuring the Attributes for Data to be Sent to TACACS
    Servers"
  Configuring the timers of TACACS servers
    Optional. Section 1.5.7 "Configuring the Timers of TACACS Servers"
1.3 AAA Configuration
The purpose of AAA configuration is to provide network access services to legitimate users
and at the same time protect your network device against unauthorized access. If you

need to use ISP domains to implement AAA management on access users, you should
first configure ISP domains.
1.3.1 Configuration Prerequisites
If you want to adopt remote AAA method, you must first create a RADIUS or
HWTACACS scheme.
• RADIUS scheme (radius-scheme): You can reference a configured RADIUS
scheme to provide AAA services. For the configuration of a RADIUS scheme, refer
to section 1.4 "RADIUS Configuration".
• HWTACACS scheme (hwtacacs-scheme): You can reference a configured
HWTACACS scheme to implement AAA services. For the configuration of an
HWTACACS scheme, refer to section 1.5 "HWTACACS Configuration".
1.3.2 Creating an ISP Domain
Table 1-5 Create an ISP domain

Operation: Enter system view
  Command: system-view

Operation: Create an ISP domain and enter its view, enter the view of an existing ISP
domain, or set an ISP domain as the default ISP domain
  Command: domain { isp-name | default { disable | enable isp-name } }
  Required. If no ISP domain is set as the default ISP domain, the ISP domain "system"
  is used as the default ISP domain.
1.3.3 Configuring the Attributes of an ISP Domain
Table 1-6 Configure the attributes of an ISP domain

Operation: Enter system view
  Command: system-view

Operation: Create an ISP domain and enter its view, or enter the view of an existing ISP
domain
  Command: domain isp-name
  Required.

Operation: Set the status of the ISP domain
  Command: state { active | block }
  Optional. By default, an ISP domain is in the active state, that is, all the users in the
  domain are allowed to request network service.

Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-14
Operation Command Description
Set the maximum number
of access users that can
be contained in the ISP
domain
access-limit {disable |
enable
max-user-number }
Optional
By default, there is no limit
on the number of access
users that can be
contained in an ISP
domain.
Set the user idle-cut
function idle-cut { disable |
enable minute flow }
Optional
By default, the user
idle-cut function is
disabled.
Set the
accounting-optional
switch accounting optional
Optional
By default, the
accounting-optional
switch is closed.
Set the messenger
function
messenger time
{ enable limit interval |
disable }
Optional
By default, the messenger
function is disabled.
Set the self-service server
location function self-service-url { disable
| enable url-string }
Optional
By default, the
self-service server
location function is
disabled.
Caution:
• On an S3100-52P Ethernet Switch, each access user belongs to an ISP domain. You can configure up to 16 ISP domains on the switch. When a user logs in, if no ISP domain name is carried in the user name, the switch assumes that the user belongs to the default ISP domain.
• If the system does not find any available accounting server or fails to communicate with any accounting server when it performs accounting for a user, it will not disconnect the user as long as the accounting optional command has been executed, though it cannot perform accounting for the user in this case.
• The self-service server location function needs the cooperation of a self-service-supported RADIUS server (such as CAMS, that is, comprehensive access management server). Through self-service, users can manage and control their account or card numbers by themselves. A server installed with the self-service software is called a self-service server.

Note:
H3C's CAMS Server is a service management system used to manage networks and
secure networks and user information. With the cooperation of other networking
devices (such as switches) in a network, a CAMS server can implement the AAA
functions and right management.
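The following session is an added example and is not taken from the manual; it strings together the commands of Table 1-5 and Table 1-6 into one working ISP-domain setup. The domain name corp and the numeric values (100 users, a 20-minute idle interval, a 2000-byte traffic threshold) are constructed for illustration; the idle-cut semantics (disconnect a user whose traffic over the interval stays below the threshold) are taken from the command reference rather than this excerpt. Lines beginning with # are annotations, not commands.

```text
<H3C> system-view
# Create the domain (or enter it if it already exists); the prompt changes to the domain view.
[H3C] domain corp
# Users in a blocked domain cannot request service; active is the default and is shown for clarity.
[H3C-isp-corp] state active
# Cap concurrent access users in this domain (constructed value: 100).
[H3C-isp-corp] access-limit enable 100
# Idle-cut: minute = 20, flow = 2000 bytes (constructed values, see Table 1-6 syntax).
[H3C-isp-corp] idle-cut enable 20 2000
# Keep users online even if every accounting server is unreachable (see the Caution above).
[H3C-isp-corp] accounting optional
[H3C-isp-corp] quit
# User names that carry no domain suffix are now mapped to corp instead of "system".
[H3C] domain default enable corp
```

Note the trade-off in accounting optional: it favours availability over accountability, so sessions that could not be accounted for will be missing from the accounting server's records; enable it only where that gap is acceptable and monitored.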
1.3.4 Configuring an AAA Scheme for an ISP Domain
You can configure an AAA scheme in one of the following two ways:
I. Configuring a combined AAA scheme
You can use the scheme command to specify an AAA scheme for an ISP domain. If
you specify a RADIUS or HWTACACS scheme, the authentication, authorization and
accounting will be uniformly implemented by the RADIUS or TACACS server(s)
specified in the RADIUS or HWTACACS scheme. In this way, you cannot specify
different schemes for authentication, authorization and accounting respectively.
Table 1-7 Configure a combined AAA scheme

Operation: Enter system view
Command: system-view
Description: —

Operation: Create an ISP domain and enter its view, or enter the view of an existing ISP domain
Command: domain isp-name
Description: Required

Operation: Configure an AAA scheme for the ISP domain
Command: scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
Description: Required. By default, an ISP domain uses the local AAA scheme.

Operation: Configure a RADIUS scheme for the ISP domain
Command: radius-scheme radius-scheme-name
Description: Optional. This command has the same function as the scheme radius-scheme command.

Caution:
• You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all three AAA functions. If you adopt the local scheme, only the authentication and authorization functions are implemented; the accounting function cannot be implemented.
• If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed.
• If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal, no local authentication is performed; otherwise, local authentication is performed.
• If you execute the scheme local or scheme none command to adopt local or none as the primary scheme, local authentication is performed or no authentication is performed, respectively. In this case you cannot specify any RADIUS scheme at the same time.
II. Configuring separate AAA schemes
You can use the authentication, authorization, and accounting commands to specify a scheme for each of the three AAA functions (authentication, authorization and accounting) respectively. The following gives the implementations of this separate way for the services supported by AAA.
• For terminal users
Authentication: RADIUS, local, HWTACACS or none.
Authorization: none or HWTACACS.
Accounting: RADIUS, HWTACACS or none.
You can use an arbitrary combination of the above implementations for your AAA scheme configuration.
• For FTP users
Only authentication is supported for FTP users.
Authentication: RADIUS, local, or RADIUS-local.
Perform the following configuration in ISP domain view.

Table 1-8 Configure separate AAA schemes

Operation: Enter system view
Command: system-view
Description: —

Operation: Create an ISP domain and enter its view, or enter the view of an existing ISP domain
Command: domain isp-name
Description: Required

Operation: Configure an authentication scheme for the ISP domain
Command: authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Description: Optional. By default, no separate authentication scheme is configured.

Operation: Configure an authorization scheme for the ISP domain
Command: authorization { none | hwtacacs-scheme hwtacacs-scheme-name }
Description: Optional. By default, no separate authorization scheme is configured.

Operation: Configure an accounting scheme for the ISP domain
Command: accounting { none | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name }
Description: Optional. By default, no separate accounting scheme is configured.
Note:
• If a combined AAA scheme is configured as well as separate authentication, authorization and accounting schemes, the separate ones take precedence.
• The RADIUS scheme and the local scheme do not support the separation of authentication and authorization. Therefore, pay attention when you make the authentication and authorization configuration for a domain: when the scheme radius-scheme or scheme local command is executed and the authentication command is not executed, the authorization information returned from the RADIUS or local scheme still takes effect even if the authorization none command is executed.
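The session below is an added example, not the manual's own, covering both part I (a combined scheme with local fallback, Table 1-7) and part II (separate schemes, Table 1-8) for terminal users of one domain. It assumes a RADIUS scheme named rad1 and an HWTACACS scheme named tac1 have already been created as described in sections 1.4 and 1.5; both names and the domain name corp are constructed for this example. Lines beginning with # are annotations, not commands.

```text
# Assumed prerequisites (not shown here): RADIUS scheme rad1 and HWTACACS scheme tac1 exist.
<H3C> system-view
[H3C] domain corp
# Part I, combined scheme: rad1 serves authentication, authorization and accounting.
# The trailing "local" is a fallback used only when no RADIUS server responds;
# while a RADIUS server is reachable, local users are never consulted.
[H3C-isp-corp] scheme radius-scheme rad1 local
# Part II, separate schemes: these override the combined scheme function by function.
# Authentication stays on RADIUS (with the same local fallback) ...
[H3C-isp-corp] authentication radius-scheme rad1 local
# ... while authorization and accounting move to the TACACS servers of tac1.
[H3C-isp-corp] authorization hwtacacs-scheme tac1
[H3C-isp-corp] accounting hwtacacs-scheme tac1
[H3C-isp-corp] quit
```

Two points from the Note above are visible here. First, because separate schemes take precedence, the effective configuration is RADIUS authentication plus HWTACACS authorization and accounting, even though scheme radius-scheme is also set. Second, the authentication command is given explicitly: if it were omitted while scheme radius-scheme is in effect, the authorization attributes returned by RADIUS would still apply, and an authorization none command would not switch them off. Keep the local fallback in mind when reviewing this design: it means local user accounts on the switch remain a valid login path whenever the RADIUS servers are unreachable, so those accounts need the same password hygiene as the central directory.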
1.3.5 Configuring Dynamic VLAN Assignment
The dynamic VLAN assignment feature enables a switch to dynamically add the switch
ports of successfully authenticated users to different VLANs according to the attributes
assigned by the RADIUS server, so as to control the network resources that different
users can access.

Currently, the switch supports the following two types of assigned VLAN IDs: integer and string.
• Integer: If the RADIUS authentication server assigns integer VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID. If no such VLAN exists, the switch first creates a VLAN with the assigned ID, and then adds the port to the newly created VLAN.
• String: If the RADIUS authentication server assigns string VLAN IDs, you can set the VLAN assignment mode to string on the switch. Then, upon receiving a string ID assigned by the RADIUS authentication server, the switch compares the ID with the existing VLAN names on the switch. If it finds a match, it adds the port to the corresponding VLAN. Otherwise, the VLAN assignment fails and the user fails the authentication.
In actual applications, to use this feature together with Guest VLAN, you are advised to set port control to port-based mode.
Table 1-9 Configure dynamic VLAN assignment

Operation: Enter system view
Command: system-view
Description: —

Operation: Create an ISP domain and enter its view
Command: domain isp-name
Description: —

Operation: Set the VLAN assignment mode
Command: vlan-assignment-mode { integer | string }
Description: Optional. By default, the VLAN assignment mode is integer.

Operation: Create a VLAN and enter its view
Command: vlan vlan-id
Description: —

Operation: Set a VLAN name for VLAN assignment
Command: name string
Description: This operation is required if the VLAN assignment mode is set to string.
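As an added example (not from the manual), the session below configures string-mode dynamic VLAN assignment for a domain, which is the mode that needs preparation on the switch: the VLAN has to exist and carry the exact name the RADIUS server will return, otherwise the user's authentication fails. The domain name corp, VLAN 100 and the name sales are constructed; the commands are those of Table 1-9. Lines beginning with # are annotations, not commands.

```text
<H3C> system-view
[H3C] domain corp
# Match RADIUS-assigned values against VLAN names instead of VLAN IDs.
[H3C-isp-corp] vlan-assignment-mode string
[H3C-isp-corp] quit
# Pre-create the VLAN and give it the name the RADIUS server will assign ("sales", constructed).
# In string mode the switch never creates VLANs on its own: an unmatched name fails the login.
[H3C] vlan 100
[H3C-vlan100] name sales
[H3C-vlan100] quit
```

In the default integer mode none of the VLAN preparation is needed, since the switch creates a missing VLAN with the assigned ID on the fly; the flip side is that a RADIUS server (or anyone who can speak for it) can then place a port into any VLAN number it chooses, so string mode with a fixed, pre-created set of named VLANs is the stricter option when the set of reachable networks should be controlled from the switch side.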