Quidway S3000 Series User manual

Operation Manual - Security
Quidway S3000 Series Ethernet Switches Table of Contents
i
Table of Contents
Chapter 1 802.1x Configuration...................................................................................................1-1
1.1 802.1x Overview................................................................................................................1-1
1.1.1 802.1x Standard Overview......................................................................................1-1
1.1.2 802.1x System Architecture....................................................................................1-1
1.1.3 802.1x Authentication Process................................................................................1-2
1.1.4 Implement 802.1x on Ethernet Switch ....................................................................1-3
1.2 Configure 802.1x................................................................................................................1-3
1.2.1 Enable/Disable 802.1x ............................................................................................1-4
1.2.2 Set the Port Access Control Mode..........................................................................1-4
1.2.3 Set Port Access Control Method.............................................................................1-5
1.2.4 Check the Users that Log on the Switch via Proxy.................................................1-5
1.2.5 Set Supplicant Number on a Port............................................................................1-6
1.2.6 Set to Enable DHCP to Launch Authentication.......................................................1-6
1.2.7 Configure Authentication Method for 802.1x User..................................................1-7
1.2.8 Set the Maximum times of authentication request message retransmission..........1-7
1.2.9 Set the handshake period of 802.1x .......................................................................1-8
1.2.10 Configure Timers...................................................................................................1-8
1.2.11 Enable/Disable quiet-period Timer........................................................................1-9
1.3 Display and Debug 802.1x.................................................................................................1-9
1.4 802.1x Configuration Example.........................................................................................1-10
Chapter 2 AAA and RADIUS Protocol Configuration ................................................................2-1
2.1 AAA and RADIUS Protocol Overview................................................................................ 2-1
2.1.1 AAA Overview.........................................................................................................2-1
2.1.2 RADIUS Protocol Overview ....................................................................................2-1
2.1.3 Implement AAA/RADIUS on Ethernet Switch.........................................................2-2
2.2 Configure AAA...................................................................................................................2-3
2.2.1 Create/Delete ISP Domain......................................................................................2-3
2.2.2 Configure Relevant Attributes of ISP Domain.........................................................2-4
2.2.3 Create a Local User ................................................................................................ 2-5
2.2.4 Set Attributes of Local User ....................................................................................2-5
2.2.5 Disconnect a User by Force....................................................................................2-6
2.3 Configure RADIUS Protocol ..............................................................................................2-7
2.3.1 Create/Delete a RADIUS server Group..................................................................2-8
2.3.2 Set IP Address and Port Number of RADIUS Server .............................................2-8
2.3.3 Set RADIUS Packet Encryption Key.......................................................................2-9
2.3.4 Set Response Timeout Timer of RADIUS Server.................................................2-10
2.3.5 Set Retransmission Times of RADIUS Request Packet.......................................2-10

2.3.6 Set a Real-time Accounting Interval......................................................................2-11
2.3.7 Set Maximum Times of Real-time Accounting Request Failing to be Responded2-12
2.3.8 Enable/Disable Stopping Accounting Request Buffer...........................................2-12
2.3.9 Set the Maximum Retransmitting Times of Stopping Accounting Request ..........2-13
2.3.10 Set the Supported Type of RADIUS Server........................................................2-14
2.3.11 Set RADIUS Server State ...................................................................................2-14
2.3.12 Set Username Format Transmitted to RADIUS Server ...................................... 2-15
2.3.13 Set the Unit of Data Flow that Transmitted to RADIUS Server...........................2-15
2.3.14 Configure Local RADIUS Server Group.............................................................. 2-16
2.4 Display and Debug AAA and RADIUS Protocol..............................................................2-16
2.5 AAA and RADIUS Protocol Configuration Examples ......................................................2-17
2.5.1 Configuring FTP/Telnet User Authentication at Remote RADIUS Server ............2-17
2.5.2 Configuring FTP/Telnet User Authentication at Local RADIUS Server ................ 2-19
2.6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting.................................. 2-19
Chapter 3 HABP Configuration....................................................................................................3-1
3.1 HABP Overview.................................................................................................................3-1
3.2 HABP configuration ...........................................................................................................3-1
3.2.1 Configuring HABP Server .......................................................................................3-1
3.2.2 Configuring HABP Client.........................................................................................3-2
3.3 Displaying and Debugging HABP Attribute .......................................................................3-2

Chapter 1 802.1x Configuration
1.1 802.1x Overview
1.1.1 802.1x Standard Overview
IEEE 802.1x (hereinafter simplified as 802.1x) is a Port Based Network Access Control
protocol. IEEE issued it in 2001 and recommended that manufacturers use it as the
standard protocol for LAN user access authentication. 802.1x originated from the
IEEE 802.11 standard, which is the standard for wireless LAN user access, and its
initial purpose was to implement wireless LAN user access authentication. Since its
principle applies equally to all LANs complying with the IEEE 802 standards, the
protocol has found wide application in wired LANs.
In the LANs complying with the IEEE 802 standards, the user can access the devices
and share the resources in the LAN by connecting to a LAN access control device
such as a LAN Switch. However, in telecom access, commercial LANs (a typical example
is the LAN in an office building), mobile offices etc., the LAN providers generally
want to control user access. In these cases, the requirement for the
above-mentioned “Port Based Network Access Control” arises.
As the name implies, “Port Based Network Access Control” means authenticating and
controlling all the devices accessing a port of the LAN access control device. If the
user’s device connected to the port passes the authentication, the user can access the
resources in the LAN. Otherwise, the user cannot access the resources in the LAN, which
is equivalent to the user being physically disconnected.
802.1x defines port based network access control protocol and only defines the
point-to-point connection between the access device and the access port. The port can
be either physical or logical. The typical application environment is as follows: Each
physical port of the LAN Switch only connects to one user workstation (based on the
physical port) and the wireless LAN access environment defined by the IEEE 802.11
standard (based on the logical port), etc.
1.1.2 802.1x System Architecture
The system using 802.1x has the typical C/S (Client/Server) system architecture. It
contains three entities, which are illustrated in the following figure: the Supplicant
System, the Authenticator System and the Authentication Server System.

The LAN access control device needs to provide the Authenticator System of 802.1x.
The devices at the user side, such as computers, need to be installed with the 802.1x
client Supplicant software, for example, the 802.1x client provided by Huawei
Technologies Co., Ltd. (or by Microsoft Windows XP). The 802.1x Authentication Server
system normally stays in the carrier’s AAA center.
The Authenticator and the Authentication Server exchange information through EAP
(Extensible Authentication Protocol) frames. The Supplicant and the Authenticator
exchange information through the EAPoL (Extensible Authentication Protocol over LANs)
frame defined by IEEE 802.1x. Authentication data are encapsulated in the EAP frame,
which is in turn encapsulated in the packets of an AAA upper layer protocol (e.g.
RADIUS) so as to traverse the complex network and reach the Authentication Server.
This procedure is called EAP Relay.
There are two types of ports for the Authenticator. One is the Uncontrolled Port, and the
other is the Controlled Port. The Uncontrolled Port is always in bi-directional connection
state. The user can access and share the network resources any time through the ports.
The Controlled Port will be in connecting state only after the user passes the
authentication. Then the user is allowed to access the network resources.
[Figure 1-1 (diagram): the Supplicant System (Supplicant PAE) talks EAPoL to the
Authenticator System (Authenticator PAE). The Authenticator has an Uncontrolled Port and
a Controlled Port; while the port is unauthorized, the Controlled Port blocks the
services offered by the Authenticator's system. The Authenticator System exchanges EAP
protocol messages with the Authentication Server System, carried in a higher layer
protocol.]
Figure 1-1 802.1x system architecture
1.1.3 802.1x Authentication Process
802.1x uses the EAPoL frame to carry the authentication information. The standard
defines the following frame types:
• EAP-Packet: Authentication information frame, used to carry the authentication
information.
• EAPoL-Start: Authentication originating frame, actively originated by the
Supplicant.
• EAPoL-Logoff: Logoff request frame, actively terminating the authenticated state.
• EAPoL-Key: Key information frame, supporting encryption of the EAP packets.
• EAPoL-Encapsulated-ASF-Alert: Supports the Alerting message of the Alert Standard
Forum (ASF).
The EAPoL-Start, EAPoL-Logoff and EAPoL-Key only exist between the Supplicant
and the Authenticator. The EAP-Packet information is re-encapsulated by the
Authenticator System and then transmitted to the Authentication Server System. The
EAPoL-Encapsulated-ASF-Alert is related to the network management information and
terminated by the Authenticator.
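As an added illustration of the frame types listed above (example code written for this page, not Huawei's or the switch's own software), the following Python parses EAPoL frames from the wire, checks every length field before trusting it, and reports which frames an Authenticator relays to the Authentication Server and which it terminates locally. The sample frames, the supplicant MAC address and the `localuser` identity are constructed for the example; the PAE group address 01-80-C2-00-00-03 and the type and code numbers are those of IEEE 802.1X and EAP (RFC 3748).

```python
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # IEEE 802.1X PAE group address

# EAPoL packet types, with the names the manual uses.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPoL-Start", 2: "EAPoL-Logoff",
               3: "EAPoL-Key", 4: "EAPoL-Encapsulated-ASF-Alert"}
# Only EAP-Packet is re-encapsulated by the Authenticator and relayed to the
# Authentication Server; the other types terminate at the Authenticator.
RELAYED_TO_SERVER = {0}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}  # the types the manual's methods rely on


class FrameError(ValueError):
    """Raised for non-EAPoL or malformed frames."""


@dataclass
class EapolFrame:
    version: int
    packet_type: int
    body: bytes
    eap_code: Optional[int] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None
    eap_data: bytes = b""

    @property
    def type_name(self) -> str:
        return EAPOL_TYPES[self.packet_type]

    @property
    def relayed_to_server(self) -> bool:
        return self.packet_type in RELAYED_TO_SERVER

    def describe(self) -> str:
        text = self.type_name
        if self.eap_code is not None:
            text += f" / EAP {EAP_CODES[self.eap_code]} id={self.eap_id}"
        if self.eap_type is not None:
            text += f" type={EAP_TYPES.get(self.eap_type, self.eap_type)}"
        return text


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse an Ethernet frame carrying EAPoL. Every length field is checked
    against the bytes actually present before anything is sliced out."""
    if len(frame) < 14:
        raise FrameError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise FrameError(f"not EAPoL: ethertype 0x{ethertype:04x}")
    payload = frame[14:]
    if len(payload) < 4:
        raise FrameError("truncated EAPoL header")
    version, ptype, body_len = struct.unpack("!BBH", payload[:4])
    if ptype not in EAPOL_TYPES:
        raise FrameError(f"unknown EAPoL packet type {ptype}")
    body = payload[4:4 + body_len]
    if len(body) != body_len:
        raise FrameError("EAPoL body length exceeds frame")
    parsed = EapolFrame(version, ptype, body)
    if ptype == 0:
        # EAP-Packet body: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]
        if body_len < 4:
            raise FrameError("truncated EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if code not in EAP_CODES:
            raise FrameError(f"unknown EAP code {code}")
        if eap_len < 4 or eap_len > body_len:
            raise FrameError("EAP length inconsistent with EAPoL body")
        parsed.eap_code, parsed.eap_id = code, ident
        if code in (1, 2):  # Request and Response carry a Type byte
            if eap_len < 5:
                raise FrameError("EAP Request/Response without Type")
            parsed.eap_type, parsed.eap_data = body[4], body[5:eap_len]
    return parsed


def build_eapol(ptype: int, body: bytes = b"", version: int = 1,
                src: bytes = bytes.fromhex("001122334455"),  # constructed supplicant MAC
                dst: bytes = PAE_GROUP_ADDR) -> bytes:
    """Build a frame the way a Supplicant would (used here to construct sample input)."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, ptype, len(body)) + body


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    if eap_type is None:
        return struct.pack("!BBH", code, ident, 4)
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([eap_type]) + data


# Constructed sample exchange: Start, Identity Request, Identity Response, Logoff.
SAMPLE_FRAMES = [
    build_eapol(1),
    build_eapol(0, build_eap(1, 7, 1)),
    build_eapol(0, build_eap(2, 7, 1, b"localuser")),
    build_eapol(2),
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        parsed = parse_eapol(raw)
        print(f"{parsed.describe():45} relayed to server: {parsed.relayed_to_server}")
```

The strict length checks are the point for a device that sits on the uncontrolled port: an Authenticator accepts EAPoL from unauthenticated stations by design, so the parser must never trust a body or EAP length that runs past the frame it received.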
From the above fundamentals we can see that 802.1x provides an implementation
solution for user ID authentication. However, 802.1x by itself is not enough to implement
the scheme. The administrator of the access device should configure the AAA scheme
by selecting RADIUS or local authentication so as to assist 802.1x in implementing the
user ID authentication. For a detailed description of AAA, refer to the corresponding AAA
configuration.
1.1.4 Implement 802.1x on Ethernet Switch
Quidway Series Ethernet Switches not only support the port access authentication
method regulated by 802.1x, but also extend and optimize it in the following ways:
• Support connecting several End Stations downstream via one physical port.
• The access control (or the user authentication method) can be based on port or
MAC address.
In this way, the system becomes more secure and easier to manage.
1.2 Configure 802.1x
The configuration tasks of 802.1x itself can be fulfilled in system view of the Ethernet
switch. When the global 802.1x is not enabled, the user can configure the 802.1x state
of the port. The configured items will take effect after the global 802.1x is enabled.
Note:
1) Do not enable 802.1x and RSTP (or MSTP) simultaneously, otherwise the switch may not work normally.
2) When 802.1x is enabled on a port, the maximum number of MAC addresses to learn, which is configured by
the command mac-address max-mac-count, cannot be configured on the port, and vice versa.

The main 802.1x configuration includes:
• Enable/Disable 802.1x
• Set the port access control mode
• Set the port access control method
• Check the users that log on the switch via proxy
• Set the maximum number of users via each port
• Set to enable DHCP to launch authentication
• Configure the authentication method for 802.1x users
• Set the maximum times of authentication request message retransmission
• Set the handshake period of 802.1x
• Configure timers
• Enable/Disable the quiet-period timer
Among the above tasks, the first one is compulsory, otherwise 802.1x will not take any
effect. The other tasks are optional and can be configured as required.
1.2.1 Enable/Disable 802.1x
The following commands can be used to enable/disable the 802.1x on the specified
port. When no port is specified in system view, the 802.1x is enabled/disabled globally.
Perform the following configurations in system view or Ethernet port view.
Table 1-1 Enable/Disable 802.1x
Operation | Command
Enable 802.1x | dot1x [ interface interface-list ]
Disable 802.1x | undo dot1x [ interface interface-list ]
802.1x can be configured on an individual port before it is enabled globally; the port
configuration takes effect as soon as 802.1x is enabled globally.
By default, 802.1x authentication is not enabled globally or on any port.
1.2.2 Set the Port Access Control Mode
The following commands can be used for setting 802.1x access control mode on the
specified port. When no port is specified, the access control mode of all ports is
configured.
Perform the following configurations in system view or Ethernet port view.

Operation Manual - Security
Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration
1-5
Table 1-2 Set the port access control mode
Operation | Command
Set the port access control mode | dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ]
Restore the default access control mode of the port | undo dot1x port-control [ interface interface-list ]
By default, the mode of 802.1x performing access control on the port is auto (automatic
identification mode, which is also called protocol control mode). That is, the initial state
of the port is unauthorized. It only permits EAPoL packets receiving/transmitting and
does not permit the user to access the network resources. If the authentication flow is
passed, the port will be switched to the authorized state and permit the user to access
the network resources. This is the most common case.
1.2.3 Set Port Access Control Method
The following commands are used for setting 802.1x access control method on the
specified port. When no port is specified in system view, the access control method of
port is configured globally.
Perform the following configurations in system view or Ethernet port view.
Table 1-3 Set port access control method
Operation | Command
Set port access control method | dot1x port-method { macbased | portbased } [ interface interface-list ]
Restore the default port access control method | undo dot1x port-method [ interface interface-list ]
By default, 802.1x authentication method on the port is macbased. That is,
authentication is performed based on MAC addresses.
1.2.4 Check the Users that Log on the Switch via Proxy
The following commands are used for checking the users that log on the switch via
proxy.
Perform the following configurations in system view or Ethernet port view.

Operation Manual - Security
Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration
1-6
Table 1-4 Check the users that log on the switch via proxy
Operation | Command
Enable the check for access users via proxy | dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
Cancel the check for access users via proxy | undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
By default, no control method is set for 802.1x access users via proxy (the check is
disabled).
1.2.5 Set Supplicant Number on a Port
The following commands are used for setting number of users allowed by 802.1x on
specified port. When no port is specified, all the ports accept the same number of
supplicants.
Perform the following configurations in system view or Ethernet port view.
Table 1-5 Set maximum number of users via specified port
Operation | Command
Set maximum number of users via specified port | dot1x max-user user-number [ interface interface-list ]
Restore the maximum number of users on the port to the default value | undo dot1x max-user [ interface interface-list ]
By default, 802.1x allows up to 256 supplicants on each port for S3000 Series Ethernet
switches (except 64 for S3026).
1.2.6 Set to Enable DHCP to Launch Authentication
The following commands are used for setting whether 802.1x enables the Ethernet
switch to launch the user ID authentication when the user runs DHCP and applies for
dynamic IP addresses.
Perform the following configurations in system view.
Table 1-6 Set to enable DHCP to launch authentication
Operation | Command
Enable DHCP to launch authentication | dot1x dhcp-launch
Disable DHCP to launch authentication | undo dot1x dhcp-launch

Operation Manual - Security
Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration
1-7
By default, authentication will not be launched when the user runs DHCP and applies
for dynamic IP addresses.
1.2.7 Configure Authentication Method for 802.1x User
The following commands can be used to configure the authentication method for
802.1x users. Three methods are available: PAP authentication (the RADIUS server
must support PAP authentication), CHAP authentication (the RADIUS server must support
CHAP authentication) and EAP relay authentication (the switch sends the authentication
information to the RADIUS server directly in the form of EAP packets, and the RADIUS
server must support EAP authentication).
Perform the following configurations in system view.
Table 1-7 Configure authentication method for 802.1x user
Operation | Command
Configure authentication method for 802.1x user | dot1x authentication-method { chap | pap | eap md5-challenge }
Restore the default authentication method for 802.1x user | undo dot1x authentication-method
By default, CHAP authentication is used for 802.1x user authentication.
1.2.8 Set the Maximum Times of Authentication Request Message Retransmission
The following commands are used for setting the maximum retransmission times of the
authentication request message that the switch sends to the supplicant.
Perform the following configurations in system view.
Table 1-8 Set the maximum times of the authentication request message retransmission
Operation | Command
Set the maximum times of the authentication request message retransmission | dot1x retry max-retry-value
Restore the default maximum retransmission times | undo dot1x retry
By default, the max-retry-value is 3. That is, the switch can retransmit the
authentication request message to a supplicant for 3 times at most.

Operation Manual - Security
Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration
1-8
1.2.9 Set the handshake period of 802.1x
The following commands are used to set the handshake period of 802.1x. After the
handshake period is set, the system sends a handshake packet once per period. If the
dot1x retry value is configured as N and the system does not receive a response from
the user for N consecutive handshakes, it considers the user to have logged off and
sets the user to the logoff state.
Perform the following configurations in system view.
Table 1-9 Set the handshake period of 802.1x
Operation | Command
Set the handshake period of 802.1x | dot1x timer handshake-period interval
Restore the handshake period to the default value | undo dot1x timer handshake-period
By default, handshake period is 15s.
1.2.10 Configure Timers
The following commands are used for configuring the 802.1x timers.
Perform the following configurations in system view.
Table 1-10 Configure timers
Operation | Command
Configure timers | dot1x timer { quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }
Restore default settings of the timers | undo dot1x timer { quiet-period | tx-period | supp-timeout | server-timeout }
quiet-period: Specify the quiet timer. If an 802.1x user has not passed the
authentication, the Authenticator will keep quiet for a while (which is specified by
quiet-period timer) before launching the authentication again. During the quiet period,
the Authenticator does not do anything related to 802.1x authentication.
quiet-period-value: Specify how long the quiet period is. The value ranges from 10 to
120 in units of second.
server-timeout: Specify the timeout timer of an Authentication Server. If an
Authentication Server has not responded before the specified period expires, the
Authenticator will resend the authentication request.

Operation Manual - Security
Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration
1-9
server-timeout-value: Specify how long the duration of a timeout timer of an
Authentication Server is. The value ranges from 100 to 300 in units of second.
supp-timeout: Specify the authentication timeout timer of a Supplicant. If a Supplicant
has not responded before the specified period expires, Authenticator will resend the
authentication request.
supp-timeout-value: Specify how long the duration of an authentication timeout timer of
a Supplicant is. The value ranges from 10 to 120 in units of second.
tx-period: Specify the transmission timeout timer. If a Supplicant has not responded
before the specified period expires, Authenticator will resend the authentication
request.
tx-period-value: Specify how long the duration of the transmission timeout timer is. The
value ranges from 10 to 120 in units of second.
By default, the quiet-period-value is 60s, the tx-period-value is 30s, the
supp-timeout-value is 30s and the server-timeout-value is 100s.
1.2.11 Enable/Disable quiet-period Timer
You can use the following commands to enable/disable the quiet-period timer of an
Authenticator (which can be a Quidway Series Ethernet Switch). If an 802.1x user has
not passed the authentication, the Authenticator will keep quiet for a while (which is
specified by the dot1x timer quiet-period command) before launching the authentication
again. During the quiet period, the Authenticator does not do anything related to 802.1x
authentication.
Perform the following configuration in system view.
Table 1-11 Enable/Disable a quiet-period timer
Operation | Command
Enable a quiet-period timer | dot1x quiet-period
Disable a quiet-period timer | undo dot1x quiet-period
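The following Python model, added here as an example and not part of the manual or of the switch software, ties together the port behaviour described in 1.2.2 and 1.2.8 to 1.2.11: an auto-mode port starts unauthorized and only passes EAPoL, a failed authentication starts the quiet period during which the Authenticator ignores 802.1x, and an authorized user is set to the logoff state after dot1x retry consecutive missed handshakes. The timer ranges and defaults are the ones stated above; the simulated clock, the assumption that the quiet-period timer is enabled, and the `Dot1xPort` class with its method names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List

FORCE_AUTHORIZED, FORCE_UNAUTHORIZED, AUTO = "authorized-force", "unauthorized-force", "auto"

# Ranges and defaults for "dot1x timer", in seconds, as documented in 1.2.10.
TIMER_RANGES = {"quiet-period": (10, 120), "tx-period": (10, 120),
                "supp-timeout": (10, 120), "server-timeout": (100, 300)}
TIMER_DEFAULTS = {"quiet-period": 60, "tx-period": 30, "supp-timeout": 30, "server-timeout": 100}


@dataclass
class Dot1xPort:
    """Simplified model of one 802.1x port on the Authenticator (this example's own)."""
    port_control: str = AUTO            # dot1x port-control default
    max_retry: int = 3                  # dot1x retry default
    handshake_period: int = 15          # dot1x timer handshake-period default (s)
    quiet_timer_enabled: bool = True    # assumption: dot1x quiet-period is enabled
    timers: Dict[str, int] = field(default_factory=lambda: dict(TIMER_DEFAULTS))
    now: int = 0                        # simulated clock (s)
    authorized: bool = field(init=False, default=False)
    quiet_until: int = field(init=False, default=0)
    missed_handshakes: int = field(init=False, default=0)
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.port_control not in (AUTO, FORCE_AUTHORIZED, FORCE_UNAUTHORIZED):
            raise ValueError(f"unknown port-control {self.port_control!r}")
        # A forced port never runs the authentication exchange.
        self.authorized = self.port_control == FORCE_AUTHORIZED

    def set_timer(self, name: str, value: int) -> None:
        """Reject values outside the documented range, as the CLI would."""
        lo, hi = TIMER_RANGES[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name} must be {lo}..{hi} s, got {value}")
        self.timers[name] = value

    def advance(self, seconds: int) -> None:
        self.now += seconds

    @property
    def in_quiet_period(self) -> bool:
        return self.now < self.quiet_until

    def permits_user_traffic(self) -> bool:
        return self.authorized

    def accepts_eapol(self) -> bool:
        """Only an auto port runs 802.1x, and not while its quiet timer is running."""
        return self.port_control == AUTO and not self.in_quiet_period

    def on_auth_result(self, passed: bool) -> bool:
        """Outcome of one authentication attempt on this port."""
        if not self.accepts_eapol():
            self.log.append(f"t={self.now}: authentication result ignored")
            return self.authorized
        if passed:
            self.authorized, self.missed_handshakes = True, 0
            self.log.append(f"t={self.now}: port authorized")
        else:
            self.authorized = False
            if self.quiet_timer_enabled:
                self.quiet_until = self.now + self.timers["quiet-period"]
                self.log.append(f"t={self.now}: quiet until t={self.quiet_until}")
        return self.authorized

    def on_handshake(self, responded: bool) -> bool:
        """One handshake period elapses; max_retry consecutive silent periods mean logoff."""
        if self.port_control != AUTO or not self.authorized:
            return self.authorized
        self.advance(self.handshake_period)
        self.missed_handshakes = 0 if responded else self.missed_handshakes + 1
        if self.missed_handshakes >= self.max_retry:
            self.authorized = False
            self.log.append(f"t={self.now}: user set to logoff after {self.max_retry} misses")
        return self.authorized
```

With the defaults, a station that stops answering handshakes keeps network access for 3 × 15 s before the port drops it, and a failed attempt locks the port out of 802.1x for 60 s; the model makes it easy to see how changing dot1x retry or the quiet-period value moves those two windows.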
1.3 Display and Debug 802.1x
After the above configuration, execute the display command in any view to display the
running state of the 802.1x configuration and to verify the effect of the configuration.
Execute the reset command in user view to reset the 802.1x statistics. Execute the
debugging command in user view to debug the 802.1x module.

Operation Manual - Security
Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration
1-10
Table 1-12 Display and debug 802.1x
Operation | Command
Display the configuration, running and statistics information of 802.1x | display dot1x [ sessions | statistics ] [ interface interface-list ]
Reset the 802.1x statistics information | reset dot1x statistics [ interface interface-list ]
Enable the error/event/packet/all debugging of 802.1x | debugging dot1x { error | event | packet | all }
Disable the error/event/packet/all debugging of 802.1x | undo debugging dot1x { error | event | packet | all }
1.4 802.1x Configuration Example
I. Networking requirements
As shown in the following figure, the workstation of a user is connected to the port
Ethernet 0/1 of the Switch.
The switch administrator will enable 802.1x on all the ports to authenticate the
supplicants so as to control their access to the Internet. The access control mode is
configured as based on the MAC address.
All the supplicants belong to the default domain huawei163.net, which can contain up to
30 users. RADIUS authentication is performed first. If there is no response from the
RADIUS server, local authentication will be performed. For accounting, if the RADIUS
server fails to account, the user will be disconnected. In addition, when the user is
accessed, the domain name does not follow the user name. Normally, if the user’s
traffic is less than 2kbps consistently over 20 minutes, he will be disconnected.
A server group consisting of two RADIUS servers, at 10.11.1.1 and 10.11.1.2
respectively, is connected to the switch. The former acts as the primary
authentication/secondary accounting server; the latter acts as the secondary
authentication/primary accounting server. Set the encryption key to “name” for packets
exchanged with the authentication RADIUS server and to “money” for packets exchanged
with the accounting RADIUS server. Configure the system to retransmit packets to the
RADIUS server if no response is received within 5 seconds, and to retransmit a packet
no more than 5 times in all. Configure the system to transmit a real-time accounting
packet to the RADIUS server every 15 minutes. The system is instructed to transmit the
user name to the RADIUS server with the user domain name removed.
The user name of the local 802.1x access user is localuser and the password is
localpass (input in plain text). The idle cut function is enabled.

Operation Manual - Security
Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration
1-11
II. Networking diagram
[Figure 1-2 (diagram): the Supplicant is connected to port E0/1 of the Authenticator
(the Switch), which connects to the Internet and to the Authentication Servers (RADIUS
server cluster, IP addresses 10.11.1.1 and 10.11.1.2).]
Figure 1-2 Enabling 802.1x and RADIUS to perform AAA on the supplicant
III. Configuration procedure
Note:
The following examples concern most of the AAA/RADIUS configuration commands. For details, refer to
the chapter AAA and RADIUS Protocol Configuration.
The configurations of accessing user workstation and the RADIUS server are omitted.
# Enable 802.1x on the specified port Ethernet 0/1.
[Quidway] dot1x interface ethernet 0/1
# Set the port access control method to MAC-based. (This command can be omitted,
because the method is MAC-based by default.)
[Quidway] dot1x port-method macbased interface ethernet 0/1
# Create the RADIUS group radius1 and enter its configuration mode.
[Quidway] radius scheme radius1
# Set the IP addresses of the primary authentication/accounting RADIUS servers.
[Quidway-radius-radius1] primary authentication 10.11.1.1
[Quidway-radius-radius1] primary accounting 10.11.1.2
# Set the IP addresses of the secondary authentication/accounting RADIUS servers.

Operation Manual - Security
Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration
1-12
[Quidway-radius-radius1] secondary authentication 10.11.1.2
[Quidway-radius-radius1] secondary accounting 10.11.1.1
# Set the encryption key when the system exchanges packets with the authentication
RADIUS server.
[Quidway-radius-radius1] key authentication name
# Set the encryption key when the system exchanges packets with the accounting
RADIUS server.
[Quidway-radius-radius1] key accounting money
# Set the timeouts and times for the system to retransmit packets to the RADIUS
server.
[Quidway-radius-radius1] timer 5
[Quidway-radius-radius1] retry 5
# Set the interval for the system to transmit real-time accounting packets to the
RADIUS server.
[Quidway-radius-radius1] timer realtime-accounting 15
# Configure the system to transmit the user name to the RADIUS server after removing
the domain name.
[Quidway-radius-radius1] user-name-format without-domain
[Quidway-radius-radius1] quit
# Create the user domain huawei163.net and enter ISP configuration mode.
[Quidway] domain huawei163.net
# Specify radius1 as the RADIUS server group for the users in the domain
huawei163.net.
[Quidway-isp-huawei163.net] radius-scheme radius1
# Set a limit of 30 users to the domain huawei163.net.
[Quidway-isp-huawei163.net] access-limit enable 30
# Enable idle cut function for the user and set the idle cut parameter in the domain
huawei163.net.
[Quidway-isp-huawei163.net] idle-cut enable 20 2000
# Add a local supplicant and set its parameters.
[Quidway] local-user localuser

Operation Manual - Security
Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration
1-13
[Quidway-luser-localuser] service-type lan-access
[Quidway-luser-localuser] password simple localpass
# Enable the 802.1x globally.
[Quidway] dot1x

Chapter 2 AAA and RADIUS Protocol Configuration
2.1 AAA and RADIUS Protocol Overview
2.1.1 AAA Overview
Authentication, Authorization and Accounting (AAA) provides a uniform framework for
configuring these three security functions to implement network security management.
The network security mentioned here refers to access control, and it includes:
• Which users can access the network server?
• Which services can an authorized user use?
• How to keep accounts for the user who is using network resources?
Accordingly, AAA shall provide the following services:
• Authentication: authenticates whether the user can access the network server.
• Authorization: authorizes the user with specified services.
• Accounting: traces the network resources consumed by the user.
AAA generally uses a Client/Server architecture, in which the client ends are the
managed resources and the servers centrally store user information. This gives the AAA
framework good scalability and makes centralized control and management of user
information easy to realize.
2.1.2 RADIUS Protocol Overview
As mentioned above, AAA is a management framework, so it can be implemented by
several protocols. RADIUS is one such protocol, and a frequently used one.
I. What is RADIUS
Remote Authentication Dial-In User Service, RADIUS for short, is a distributed
information exchange protocol in Client/Server architecture. RADIUS can protect the
network from disruption by unauthorized access and it is often used in network
environments requiring both high security and remote user access. For example, it is
often used for managing a large number of scattered dial-in users who use serial ports
and modems. The RADIUS system is an important auxiliary part of the Network Access
Server (NAS).
After the RADIUS system is started, when a user wants to obtain the right to access another network or to consume network resources by connecting to a NAS (a dial-in access server in a PSTN environment, or an Ethernet switch with access function in an Ethernet environment), the NAS, acting as the RADIUS client, forwards the user's AAA request to the RADIUS server. The RADIUS server keeps a user database recording all user authentication and network service access information. When it receives a request from the NAS, the RADIUS server performs AAA by querying and updating the user database and returns configuration information and accounting data to the NAS. The NAS controls the supplicant and the corresponding connections, while the RADIUS protocol defines how configuration and accounting information is transmitted between the NAS and the RADIUS server.
The NAS and the RADIUS server exchange information in UDP packets. Both sides hold a shared key (the shared secret): the NAS uses it to hide the user password (the User-Password attribute) before sending it to the server, and each side uses it to authenticate the packets it receives from the other, so that user configuration information such as the password cannot simply be read or replayed by an eavesdropper. Note that the rest of the packet, including the username, is not encrypted, so the RADIUS exchange itself should be confined to a trusted management network.
II. RADIUS operation
The RADIUS server generally relies on the proxy function of devices such as an access server to authenticate users. The process is as follows. First, the NAS sends a request message (an Access-Request carrying the username and the hidden password) to the RADIUS server on behalf of the user. Second, the RADIUS server answers with one of several kinds of response message: an ACCEPT message (Access-Accept) indicates that the user has passed authentication, and a REJECT message (Access-Reject) indicates that the user has not passed authentication and must enter the username and password again, otherwise access is denied.
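The exchange described above, worked through in code as an added example that is not part of this manual: the NAS builds an Access-Request, hides the password with the shared secret as RFC 2865 specifies, and the server answers with an Access-Accept or Access-Reject whose Response Authenticator the NAS checks before trusting it. The usernames, password, shared secret and Request Authenticator values are constructed for the example; only the User-Password attribute is hidden, and the User-Name stays readable on the wire.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    octets, then XOR each block with MD5(secret + previous cipher block); the
    first block is keyed by the Request Authenticator. Only this attribute is
    hidden; the rest of the packet travels in cleartext."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password(): same key stream, XOR, strip padding
    (a password ending in NUL bytes would lose them here)."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data: bytes) -> dict:
    attrs = {}
    while data:
        attr_type, length = data[0], data[1]
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def access_request(username: bytes, password: bytes, secret: bytes,
                   ident: int = 1, request_auth: bytes = b"") -> bytes:
    """NAS side: build an Access-Request. The Request Authenticator must be
    fresh and unpredictable per request, since it keys the password hiding."""
    ra = request_auth or secrets.token_bytes(16)
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server side: recover the password, check it against the user
    database, and answer with Access-Accept or Access-Reject. Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    ra, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + ra + secret).digest()


def client_verify(request: bytes, response: bytes, secret: bytes) -> Optional[int]:
    """NAS side: trust the reply only if its Identifier matches the outstanding
    request and its Response Authenticator verifies under the shared secret.
    Returns the response code, or None for a forged or mismatched reply."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    secret = b"s3cr3t"  # constructed shared secret for the example
    req = access_request(b"user1@huawei163.net", b"pa55word", secret)
    resp = server_handle(req, secret, {b"user1@huawei163.net": b"pa55word"})
    print("User-Name readable on the wire:", b"user1@huawei163.net" in req)
    print("response code:", client_verify(req, resp, secret))
```

Two points worth noticing when running it: a reply whose code has been flipped from Access-Reject to Access-Accept fails `client_verify`, because the Response Authenticator covers the code; and a server configured with a different shared secret both recovers a garbage password and produces a reply the NAS discards.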
2.1.3 Implement AAA/RADIUS on Ethernet Switch
We have seen that, in the AAA/RADIUS framework described above, Quidway Series Ethernet Switches serve as the user access device, or NAS, and are therefore the client end of RADIUS. In other words, the client-end part of AAA/RADIUS is implemented on Quidway Series Ethernet Switches. The figure below illustrates a RADIUS authentication network including Quidway Series Ethernet Switches.

[Figure 2-1 (diagram not reproduced): the network elements shown are PC user1 to PC user4, S2000-SI series and S3000 series switches, ISP1 and ISP2, the Internet, and the ISPs' Authentication Server, Accounting Server, Accounting Server1 and Accounting Server2.]
Figure 2-1 Networking for S3000 Series Ethernet switches applying RADIUS authentication
2.2 Configure AAA
AAA configuration includes:
 Create/Delete an ISP domain
 Configure relevant attributes of the ISP domain
 Create a local user
 Set attributes of the local user
 Disconnect a user by force
Among the above tasks, creating an ISP domain is compulsory; otherwise the supplicant attributes cannot be distinguished. The other tasks are optional and can be configured as required.
2.2.1 Create/Delete ISP Domain
What is an Internet Service Provider (ISP) domain? Simply put, an ISP domain is a group of users belonging to the same ISP. Generally, for a username in the userid@isp-name format, the isp-name following the @ (e.g. huawei163.net) is the ISP domain name. When Quidway Series Ethernet Switches control user access, for an ISP user whose username is in userid@isp-name format, the system takes the userid part as the username for identification and the isp-name part as the domain name.
The purpose of introducing ISP domain settings is to support multi-ISP environments, in which one access device may serve users of different ISPs. Because the attributes of ISP users, such as username and password formats, may differ, it is necessary to differentiate them by setting ISP domains. In the ISP domain view of Quidway Series Ethernet Switches, you can configure a complete set of exclusive ISP domain attributes on a per-domain basis, including the AAA policy (the RADIUS server group applied, etc.).
For Quidway Series Ethernet Switches, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user does not report its ISP domain name, the system puts it into the default domain.
Perform the following configurations in system view.
Table 2-1 Create/Delete ISP domain
  Create an ISP domain or enter the view of a specified domain:
    domain [ isp-name | default { disable | enable isp-name } ]
  Remove a specified ISP domain:
    undo domain isp-name
The default { disable | enable isp-name } form designates (or cancels) the domain used as the default domain for users that report no domain name. By default, a domain named “system” has been created in the system, with all of its attributes at their default values.
2.2.2 Configure Relevant Attributes of ISP Domain
The relevant attributes of an ISP domain include the adopted RADIUS server group, the state, the maximum number of supplicants and the idle-cut function. Where:
 The adopted RADIUS server group is the one used by all the users in the ISP domain, for RADIUS authentication and accounting. By default, the default RADIUS server group is used. The command must be used together with the commands that set the RADIUS server and server group; for details, refer to the Configuring RADIUS section of this chapter.
 Every ISP domain has an active or block state. If an ISP domain is in the active state, its users can request network service; in the block state, its users cannot request any network service. Changing the state does not affect users who are already online.
 The maximum number of supplicants limits how many supplicants the ISP domain can contain. By default there is no limit for any ISP domain.
 The idle-cut function means: if the traffic of a connection during the configured period (in minutes) is lower than the configured flow threshold, the connection is cut off.
Perform the following configurations in ISP domain view.

Table 2-2 Configure relevant attributes of ISP domain
  Specify the adopted RADIUS server group:
    radius-scheme radius-scheme-name
  Restore the adopted RADIUS server group to the default RADIUS server group:
    undo radius-scheme
  Specify the state of the ISP domain:
    state { active | block }
  Set a limit to the number of supplicants:
    access-limit { disable | enable max-user-number }
  Restore the limit to the default setting:
    undo access-limit
  Set the idle-cut function:
    idle-cut { disable | enable minute flow }
By default, after an ISP domain is created, it uses the RADIUS server group named “default” (for the relevant parameter configuration, refer to the Configuring RADIUS section of this chapter), its state is active, there is no limit to the number of supplicants, and idle-cut is disabled.
2.2.3 Create a Local User
Local users are users configured on the NAS itself. The username is the unique identifier of a user. A supplicant requesting network service can use local authentication only if its corresponding local user has been added on the NAS.
Perform the following configurations in system view.
Table 2-3 Create/Delete a local user and relevant properties
  Add a local user:
    local-user user-name
  Delete all the local users:
    undo local-user all
  Delete a local user, or all local users of a specified service type:
    undo local-user { user-name | all [ service-type { lan-access | ftp | telnet | ssh } ] }
By default, there is no local user in the system.
Please note that all S3000 series switches support SSH except the S3026.
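The admission decision that sections 2.2.1 to 2.2.3 configure piece by piece, modelled as an added example (not the switch's own code): the username is split into userid and ISP domain, a bare userid falls into the default domain “system”, and the domain's state and access-limit are checked before the user is either authenticated against the local users or handed to the domain's RADIUS scheme. The scheme name "local", the rejection of usernames naming a nonexistent domain, splitting at the first "@", and looking up local users by the userid part are assumptions of this model; the domain names, users and passwords are constructed.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

DEFAULT_DOMAIN = "system"  # the domain the manual says exists by default


@dataclass
class IspDomain:
    name: str
    state: str = "active"                # state { active | block }
    access_limit: Optional[int] = None   # None models "access-limit disable"
    scheme: str = "default"              # radius-scheme name; "local" is this model's name for local authentication
    online: set = field(default_factory=set)


@dataclass
class LocalUser:
    password: str
    service_types: set   # subset of {"lan-access", "ftp", "telnet", "ssh"}


class Nas:
    """Model of the switch's admission decision for one access attempt."""

    def __init__(self) -> None:
        self.domains = {DEFAULT_DOMAIN: IspDomain(DEFAULT_DOMAIN)}
        self.local_users = {}

    def domain(self, name: str) -> IspDomain:
        """'domain isp-name': create the domain if absent and enter its view."""
        return self.domains.setdefault(name, IspDomain(name))

    def local_user(self, name: str, password: str, *service_types: str) -> None:
        """'local-user user-name' plus the password and service-type attributes."""
        self.local_users[name] = LocalUser(password, set(service_types))

    @staticmethod
    def resolve(username: str) -> Tuple[str, str]:
        """userid@isp-name -> (userid, isp-name); a bare userid lands in the
        default domain. Splitting at the first '@' is an assumption."""
        userid, sep, isp = username.partition("@")
        return (userid, isp) if sep else (username, DEFAULT_DOMAIN)

    def admit(self, username: str, password: str, service: str) -> Tuple[str, str]:
        """Returns ('accept' | 'reject' | 'radius', detail) in the order the
        checks are applied: domain exists, domain state, access-limit, then
        authentication under the domain's scheme."""
        userid, isp = self.resolve(username)
        dom = self.domains.get(isp)
        if dom is None:
            return "reject", "unknown domain"   # assumption: not silently mapped to the default domain
        if dom.state == "block":
            return "reject", "domain blocked"   # only new requests; online users are untouched
        if dom.access_limit is not None and len(dom.online) >= dom.access_limit:
            return "reject", "access-limit reached"
        if dom.scheme != "local":
            return "radius", dom.scheme         # handed to the RADIUS server group
        user = self.local_users.get(userid)
        if (user is None or service not in user.service_types
                or not hmac.compare_digest(user.password.encode(), password.encode())):
            return "reject", "local authentication failed"
        dom.online.add(userid)
        return "accept", isp

    def cut(self, username: str) -> None:
        """Forced disconnect (or idle-cut): drop the user, freeing its access-limit slot."""
        userid, isp = self.resolve(username)
        self.domains[isp].online.discard(userid)
```

Setting `state block` on a domain with a user still in `online` leaves that session in place and only rejects new requests, which is the behaviour the text describes; `cut` is what frees the slot counted by `access-limit`.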
2.2.4 Set Attributes of Local User
The attributes of a local user include its password, state, service type and some other
settings.
Perform the following configurations in system view.