Operation Manual - Security

Quidway S3000-EI Series Ethernet Switches Table of Contents

Huawei Technologies Proprietary
i
Table of Contents
Chapter 1 802.1x Configuration ................................................................................................... 1-1
1.1 802.1x Overview................................................................................................................ 1-1
1.1.1 802.1x Standard Overview...................................................................................... 1-1
1.1.2 802.1x System Architecture .................................................................................... 1-1
1.1.3 802.1x Authentication Process................................................................................ 1-2
1.1.4 Implementing 802.1x on the Ethernet Switch ......................................................... 1-3
1.2 Configuring 802.1x............................................................................................................. 1-3
1.2.1 Enabling/Disabling 802.1x....................................................................................... 1-4
1.2.2 Setting the Port Access Control Mode. ................................................................... 1-4
1.2.3 Setting the Port Access Control Method................................................................. 1-5
1.2.4 Checking the Users that Log on the Switch via Proxy ............................................ 1-5
1.2.5 Setting the Supplicant Number on a Port................................................................ 1-6
1.2.6 Setting the Authentication in DHCP Environment................................................... 1-6
1.2.7 Configuring the Authentication Method for 802.1x User ......................................... 1-6
1.2.8 Enabling/Disabling Guest VLAN ............................................................................. 1-7
1.2.9 Setting 802.1x Re-authentication............................................................................ 1-8
1.2.10 Setting 802.1x Client Version Authentication........................................................ 1-9
1.2.11 Configuring 802.1x Dynamic User Binding ......................................................... 1-11
1.2.12 Setting the Maximum Times of Authentication Request Message Retransmission
........................................................................................................................................ 1-12
1.2.13 Configuring Timers.............................................................................................. 1-13
1.2.14 Enabling/Disabling a Quiet-Period Timer............................................................ 1-14
1.3 Displaying and Debugging 802.1x................................................................................... 1-15
1.4 802.1x Configuration Example......................................................................................... 1-15
Chapter 2 AAA and RADIUS Protocol Configuration ................................................................ 2-1
2.1 AAA and RADIUS Protocol Overview................................................................................ 2-1
2.1.1 AAA Overview......................................................................................................... 2-1
2.1.2 RADIUS Protocol Overview .................................................................................... 2-1
2.1.3 Implementing AAA/RADIUS on Ethernet Switch .................................................... 2-2
2.2 AAA Configuration ............................................................................................................. 2-3
2.2.1 Creating/Deleting ISP Domain ................................................................................ 2-3
2.2.2 Configuring Relevant Attributes of ISP Domain...................................................... 2-4
2.2.3 Enabling/Disabling the Messenger Alert ................................................................. 2-5
2.2.4 Configuring Self-Service Server URL...................................................................... 2-6
2.2.5 Creating a Local User ............................................................................................. 2-6
2.2.6 Setting Attributes of Local User............................................................................... 2-7
2.2.7 Disconnecting a User by Force............................................................................... 2-8
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Table of Contents

Huawei Technologies Proprietary
ii
2.2.8 Configuring Dynamic VLAN with RADIUS Server................................................... 2-8
2.3 Configuring RADIUS Protocol.......................................................................................... 2-10
2.3.1 Creating/Deleting a RADIUS scheme................................................................... 2-10
2.3.2 Setting IP Address and Port Number of RADIUS Server...................................... 2-11
2.3.3 Setting RADIUS Packet Encryption Key ............................................................... 2-12
2.3.4 Setting Response Timeout Timer of RADIUS Server ........................................... 2-13
2.3.5 Setting Retransmission Times of RADIUS Request Packet ................................. 2-13
2.3.6 Enabling The Selection Of Radius Accounting Option.......................................... 2-14
2.3.7 Setting a Real-time Accounting Interval ................................................................ 2-14
2.3.8 Setting Maximum Times of Real-time Accounting Request Failing to be Responded
........................................................................................................................................ 2-15
2.3.9 Enabling/Disabling Stopping Accounting Request Buffer ..................................... 2-16
2.3.10 Setting the Maximum Retransmitting Times of Stopping Accounting Request .. 2-16
2.3.11 Setting the Supported Type of RADIUS Server .................................................. 2-17
2.3.12 Setting RADIUS Server State ............................................................................. 2-17
2.3.13 Setting Username Format Transmitted to RADIUS Server ................................ 2-18
2.3.14 Setting the Unit of Data Flow that Transmitted to RADIUS Server..................... 2-19
2.3.15 Configuring Local RADIUS Authentication Server .............................................. 2-19
2.4 Displaying and Debugging AAA and RADIUS Protocol................................................... 2-20
2.5 AAA and RADIUS Protocol Configuration Examples ...................................................... 2-21
2.5.1 Configuring FTP/Telnet User Authentication at Remote RADIUS Server ............ 2-21
2.5.2 Configuring FTP/Telnet User Authentication at Local RADIUS Server ................ 2-23
2.5.3 Configuring Dynamic VLAN with RADIUS Server................................................. 2-23
2.6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting.................................. 2-24
Chapter 3 HABP Configuration.................................................................................................... 3-1
3.1 HABP Overview................................................................................................................. 3-1
3.2 HABP configuration ........................................................................................................... 3-1
3.2.1 Configuring HABP Server ....................................................................................... 3-1
3.2.2 Configuring HABP Client......................................................................................... 3-2
3.3 Displaying and Debugging HABP Attribute ....................................................................... 3-2

Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-1
IEEE 802.1x (hereinafter simplified as 802.1x) is a port-based network access control
the devices
d control all the
ork access control protocol and only defines the
point-to-point connection between the access device and the access port. The port can
1.1.2 802.
the typical C/S (Client/Server) system architecture. It
contains three entities, which are illustrated in the following figure: Supplicant System,
be installed with the 802.1x
ant and the Authenticator
Chapter 1 802.1x Configuration
1.1 802.1x Overview
1.1.1 802.1x Standard Overview
protocol that is used as the standard for LAN user access authentication.
In the LANs complying with the IEEE 802 standards, the user can access
and share the resources in the LAN through connecting the LAN access control device
like the LAN Switch. However, in telecom access, commercial LAN (a typical example
is the LAN in the office building) and mobile office etc., the LAN providers generally
hope to control the users access. In these cases, the requirement on the
above-mentioned Port Based Network Access Control originates.
Port Based Network Access Control means to authenticate an
accessed devices on the port of LAN access control device. If the users device
connected to the port can pass the authentication, the user can access the resources in
the LAN. Otherwise, the user cannot access the resources in the LAN. It equals that the
user is physically disconnected.
802.1x defines port based netw
be either physical or logical. The typical application environment is as follows: Each
physical port of the LAN Switch only connects to one user workstation (based on the
physical port) and the wireless LAN access environment defined by the IEEE 802.11
standard (based on the logical port), etc.
1x System Architecture
The system using the 802.1x is
Authenticator System and Authentication Server System.
The LAN access control device needs to provide the Authenticator System of 802.1x.
The devices at the user side such as the computers need to
client Supplicant software, for example, the 802.1x client provided by Huawei
Technologies Co., Ltd. (or by Microsoft Windows XP). The 802.1x Authentication
Server system normally stays in the carriers AAA center.
Authenticator and Authentication Server exchange information through EAP
(Extensible Authentication Protocol) frames. The Supplic
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-2
rt is always in bi-directional connection
exchange information through the EAPoL (Extensible Authentication Protocol over
LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the EAP
frame, which is to be encapsulated in the packets of other AAA upper layer protocols
(e.g. RADIUS) so as to go through the complicated network to reach the Authentication
Server. Such procedure is called EAP Relay.
There are two types of ports for the Authenticator. One is the Uncontrolled Port, and the
other is the Controlled Port. The Uncontrolled Po
state. The user can access and share the network resources any time through the ports.
The Controlled Port will be in connecting state only after the user passes the
authentication. Then the user is allowed to access the network resources.
Supplicant
Authenticator
PAE
Authenticator
Server
Supplicant
Authenticator System
Authenticat
Server
System
or
System
EAP protocol
exchanges
carried in
higher layer
protocol
EAPoL
Controlled
Port
Port
unauthorized
LAN
Uncontrolled
Port
Services
offered
by
Authenticators
System

Figure 1-1 802.1x system architecture
1.1.3 802.
802.1x configures EAP frame to carry the authentication information. The Standard
rames:
EAP-Packet: Authentication information frame, used to carry the authentication
ng frame, actively originated by the
f request frame, actively terminating the authenticated state.
psulated-ASF-Alert: Supports the Alerting message of Alert Standard
ant
Authenticator System and then transmitted to the Authentication Server System. The
1x Authentication Process
defines the following types of EAP f
information.
EAPoL-Start: Authentication originati
Supplicant.
EAPoL-Logoff: Logof
EAPoL-Key: Key information frame, supporting to encrypt the EAP packets.
EAPoL-Enca
Forum (ASF).
The EAPoL-Start, EAPoL-Logoff and EAPoL-Key only exist between the Supplic
and the Authenticator. The EAP-Packet information is re-encapsulated by the
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-3
selecting RADIUS or local authentication so as to
1.1.4 Imp
ort the port access authentication
ize it in the following way:
Support to connect several End Stations in the downstream via a physical port.
1.2 Configuring 802.1x
The configuration tasks of 802.1x itself can be fulfilled in system view of the Ethernet
02.1x is not enabled, the user can configure the 802.1x state
items will take effect after the global 802.1x is enabled.
EAPoL-Encapsulated-ASF-Alert is related to the network management information and
terminated by the Authenticator.
802.1x provides an implementation solution of user ID authentication. However, 802.1x
itself is not enough to implement the scheme. The administrator of the access device
should configure the AAA scheme by
assist 802.1x to implement the user ID authentication. For detailed description of AAA,
refer to the corresponding AAA configuration.
lementing 802.1x on the Ethernet Switch
Quidway Series Ethernet Switches not only supp
method regulated by 802.1x, but also extend and optim
The access control (or the user authentication method) can be based on port or
MAC address.
In this way, the system becomes much securer and easier to manage.
switch. When the global 8
of the port. The configured

Note:
When 802.1x is enabled on a port, the max number of MAC address learning which is
onfigured by the command mac-address max-mac-count cannot be configured on
the port, and vice versa.
c

The Main 802.1x configuration includes:
Enabling/disabling 802.1x
Setting the port access control mode
Setting the port access control method
itch via proxy
sers via each port
ent
or 802.1x user

Checking the users that log on the sw
Setting the maximum number of u
Setting the Authentication in DHCP Environm
Configuring the authentication method f
Enabling/Disabling Guest VLAN
Setting 802.1x Re-authentication
Setting 802.1x Client Version Authentication
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-4
thentication request message retransmission
ry, otherwise 802.1x will not take any
t
1.2.1 Ena
mmand can be used to enable/disable the 802.1x on the specified port
or globally. When it is used in system view, if the parameter interface-list is not specified,
. If the parameter interface-list is specified, 802.1x will be
enabled on the specified port. When this command is used in Ethernet port view, the
Configuring 802.1x dynamic user binding
Setting the maximum times of au
Configuring timers
Enabling/disabling a quiet-period timer
Among the above tasks, the first one is compulso
effect. The other tasks are optional. You can perform the configurations a
requirements.
bling/Disabling 802.1x
The following co
802.1x will be globally enabled
parameter interface-list cannot be input and 802.1x can only be enabled on the current
port.
Perform the following configurations in system view or Ethernet port view.
Table 1-1 Enabling/disabling 802.1x
Operation Command
Enable the 802.1x dot1x [ interface interface-list ]
Disable the 802.1x undo dot1x [ interface interface-list ]

You can config on individual port before i globally. The
c effect right after 802.1
By default, 802.1x authentication has not be
1.2.2 Setting the Port Access Control Mode.
ontrol mode on the
specified port. When no port is specified, the access control mode of all ports is
view or Ethernet port view.
Table 1-2 Setting the port access control mode.
ure 802.1x t is enabled
onfiguration will take x is enabled globally.
en enabled globally and on any port.
The following commands can be used for setting 802.1x access c
configured.
Perform the following configurations in system
Operation Command
Set the port
dot1x port-control { authorized- force
access control mode. | unauthorized-force | auto }
[ interface interface-list ]
Restore the default access control mode
of the port.
undo dot1x port-control [ interface
interface-list ]
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-5
By default, the m x performing access control o uto (automatic
identification mode, which is also called prot
o ermits P
does not permit the user to access the netw ntication flow is
p h
th sources. This is the most com
1.2.3 Setting the Port Access Control Method
Table 1-3 Setting the port access control method

ode of 802.1 n the port is a
ocol control mode). That is, the initial state
EA oL packets receiving/transmitting and
ork resources. If the authe
f the port is unauthorized. It only p
assed, the port will be switched to the aut
e network re
orized state and permit the user to access
mon case.
The following commands are used for setting 802.1x access control method on the
specified port. When no port is specified in system view, the access control method of
port is configured globally.
Perform the following configurations in system view or Ethernet port view.
Operation Command
Set port access control method
portbased } [ interface interface-list ]
dot1x port-method { macbased |
Restore the default port access control
method
undo dot1x port-method [ interface
interface-list ]

By default, 802.1x authentication method on th
authentication is performed based on MAC addresse
e port is macbased. That is,
s.
1.2.4 Checking the Users that Log on the Sw
The following commands are used for chec r
p
ollowing configurations in system view or Ethernet port view.
itch via Proxy
king the use s that log on the switch via
roxy.
Perform the f
Table 1-4 Checking the users that log on the switch via proxy
Operation Command
Enable the check for access users via dot1x supp-proxy-check { logoff |
erface-list ] proxy trap } [ interface int
Cancel the check for access users via undo dot1x supp-proxy-check
proxy { logoff | trap } [ interface interface-list ]

These commands can be used to set on the specified interface when executed in
system view. The parameter interface-list cannot be input when the command is
executed in Ethernet Port view and it has effect only on the current interface. After
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-6
view, only if you enable
this feature on a n this configuration take ef ort.
1.2.5 Settin
T be
s port. When no port is specified,
upplicants.
globally enabling proxy user detection and control in system
specific port ca fects on the p
g the Supplicant Number on a Port
he following commands are used for setti
pecified
ng num r of users allowed by 802.1x on
all the ports accept the same number of
s
Perform the following configurations in system view or Ethernet port view.
Table 1-5 Setting the maximum number of users via a specified port
Operation Command
Set maximum number of users via
specified port
dot1x max-user user-num
[ interface interface-list ]
ber
Restore the maximum number of users
on the port to the default value
und
inter
o dot1x max-user [ interface
face-list ]

By default, 802.1x allows up to 256 supplicants on each port for S3000-EI Series
Ethernet switches.
1.2.6 Setting the Authenticat
an set 802.1x to
disable the swi r ID authentication o the following
c
P wing configurations in syste
T C
ion in DHCP Environment
If in DHCP environment the users configure static IP addresses, you c
tch to trigger the use ver them with
ommand.
erform the follo m view.
able 1-6 Setting the Authentication in DH P Environment
Operation Command
Disable the switch to trigger the user ID
in DHCP environment
authentication over the users who configure
static IP addresses
dot1x dhcp-launch
Enable the switch to trigger the authentication
dhcp-launch
over them
undo dot1x

atic IP addresses in DHCP environment.
1.2.7 Con .1x User
The following commands can be used to configure the authentication method for
802.1x user. Three kinds of methods are available: PAP authentication (RADIUS server
By default, the switch can trigger the user ID authentication over the users who
configure st
figuring the Authentication Method for 802
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-7
DIUS server must support
CHAP authenticat authentication (switch send authentication
information to RADIUS server in the form of EAP packets directly and RADIUS server
m
F d EAP-MD5 methods are available on the
s
: The client and RADIUS server check in EAP-TLS approach mutually
the security certificate authority of the others, to guarantee the validity of the
certificates and prevent data from being illegally used.
provide integrity protection,
sh identity
ation method for 802.1x user
must support PAP authentication), CHAP authentication (RA
ion), EAP relay
ust support EAP authentication).
or EAP authentication, PEAP, EAP-TLS an
witch:
EAP-TLS
PEAP: As a kind of EAP protocol, protected EAP (PEAP) first establishes an
encrypted transport layer security (TLS) channel to
and then initiates a new type of EAP negotiation, to accompli
authentication to the client.
If you want to enable PEAP, EAP-TLS or EAP-MD5 authentication method on an
Ethernet switch, you only need to use the command dot1x authentication-method
eap to enable EAP authentication.
Perform the following configurations in system view.
Table 1-7 Configuring the authentic
Operation Command
Configure authentication method for
802.1x
{ |
user
dot1x authentication-method chap
pap | eap }
R store the default authentication
thod for 802.1x user
undo dot1x authentication-method
e
me

By d
1.2.8 Enablin N
enticated for maximum times, the switch adds this
s performed when the user
of the Guest VLAN visits the resources within this Guest VLAN. However, if the user
, the requirements of
allowing unauth ers to access some resources ch as, the user
accesses some re alling 802.1x client, or the user upgrades 802.1x
c
P view or Ethernet port view.
efault, CHAP authentication is used for 802.1x user authentication.
g/Disabling Guest VLA
After the Guest VLAN function is enabled, the switch broadcasts active authentication
packets to all ports on which 802.1x are enabled. If there is still some ports do not return
response packets after being re-auth
ports into Guest VLAN. After that, no 802.1x authentication i
visits the outer resources, authentication is still needed. In this way
enticated us
sources without inst
are met, su
lient without authentication, and so on.
erform the following configuration in system
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-8
able 1-8 Enabling/disabling Guest VLAN T
Operation Command
Enabling Guest VLAN dot1x guest-vlan vlan-id [ interface interface-list ]
Disabling Guest VLAN undo dot1x guest-vlan vlan-id [ interface interface-list ]

Note the following:
Guest VLAN is only supported in the port-based authentication mode.
A switch only can be configured with one Guest VLAN.
Users who skip the authentication, fail in the authentication or get offline belong to
the Guest VLAN.
If dot1x dhcp-launch is configured on the switch, the Guest VLAN function cannot be
implemented because the switch does not send active authentication packet in this
mode.
1.2.9 Setting 802.1x Re-authentication
If the termination-action attribute on the RADIUS serv the server then sets
the term n attribute in the access-acce ich is sent to the switch
to ntic f
p
ou can also enable 802.1x re-authentication on the switch through this configuration,
making the switch re-authenticates the access users periodically.
I. Enabling 80
le the 802.1x feature both
Perf system view or Ethernet port view.
er is set to 1,
pt packet wh ination-actio
1. The switch re-authe ates the access user periodically after receiving this kind o
ackets.
Y
2.1x re-authentication
Before enabling the 802.1x re-authentication, you must enab
on the port and globally.
orm the following in
Table 1-9 Enabling/disabling 802.1x user re-authentication
Operation Command
Enable 802.1x user re-authentication
dot1x re-authenticate [ interface
interface-list ]
Disable 802.1x user re-authentication
undo dot1x re-authenticate [ interface
interface-list ]

By default, 802.1x re-authentication is disabled on all ports.
In system view, if the interface-list parameter is not specified, it means that to enable
et
the 802.1x re-authentication feature on all interfaces; if the interface-list parameter is
specified, it means that to enable the feature on the specified interfaces. In Ethern
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-9
annot be specified, and you can use command
only to enable the feature on the current interface.
II -authentication timeout timer
o modes:
1) The switch takes the session-timeout value in the access-accept packet as the
2) The switch alue set by the user throug eriod
command as the authentication period.
D one as the authentication
peri gur ,
th erm ttributes of 1, and then the
witch takes the session-timeout value in the access-accept packet as the
authentication period.
Perform the following in system view.
port view, the interface-list parameter c
. Configuring 802.1x re
The period of re-authentication is decided by the following tw
authentication period.
takes the v h the dot1x reauth-p
And this period defaults to 3600 seconds.
the last received uring the authentication, the switch takes
od. For example, after the user confi
e switch receives the packet with the t
ed the authentication period on the switch
ination-action a
s
Table 1-10 Configuring 802.1x re-authentication timeout timer
Operation Command
Configure parameters of
the timer
dot1x timer reauth-period reauth-period-value
Return to the defaults undo dot1x timer reauth-period

1.2.10 Setting sion Authentication
After
I.
n authentication
By default, reauth-period-value is 3600 seconds.
802.1x Client Ver
enabling 802.1x client version authentication, the switch authenticates the version
and validity of the 802.1x client of the access user, avoiding the access of the users at
the client with the defectively old version or at the invalid client.
Enabling 802.1x client version authentication
Perform the following in system view or Ethernet port view.
Table 1-11 Setting 802.1x client versio
Operation Command
Enable 802.1x client version dot1x version-c
authenti
heck [ interface
interface-li cation st ]
Disable 802.1x client versi
authentication
on undo dot1x version-check [ interface
interface-list ]

Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-10
y default, 802.1x client version authentication is disabled on all ports.
ot specified, it means that to enable
the 802.1x client version authentication feature on all interfaces; if the interface-list
re on the specified interfaces. In
Ethernet port view, the parameter cannot be specified, and you can use
II
rst time, if the switch receives no
response from the client response within a certain period of time (set by the version
again. When the switch
nticates the
ations.
If configured, th functions on all ports that enabled version authentication
fu
Perform the f ng in system view.
T guring the maximum retry times for the switch to send version request
ame to the client
B
In system view, if the interface-list parameter is n
parameter is specified, it means that to enable the featu
interface-list
command only to enable the feature on the current interface.
. Configuring the maximum retry times for the switch to send version request
frame to the client
After sending client version request frame for the fi
authentication timeout timer), it resends version request
receives no response for the configured maximum times, it no longer authe
version of the client, and perform the following authentic
is command
nction.
ollowi
able 1-12 Confi
fr
Operation Command
Configure the maximum retry times for the
switch to send version request frame to the
client
max-retry-version-value
dot1x retry-version-max
Return to the defaults undo dot1x retry-version-max

By default, the switch tries 3 times at the most to send version request frame to the
II eout timer of version authentication
access user.
I. Configuring the tim
Perform the following in system view.
Table 1-13 Configuring the timeout timer of version authentication
Operation Command
Configure parameters of the timer dot1x timer ver-period ver-period-value
Return to the defaults undo dot1x timer ver-period

By default, ver-period-value is 1 second.
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-11
1.2.11 Co
I. Overview
8 dynamically bind the IP address, the
M
a 802.1x user passes the authentication. An ts the
p ese four items. If the swi in
ackets sent by the user are not consistent with the bound ones, it will force the
ser to go offline.
users from changing their IP addresses. As some kind of accounting
servers charge by IP addresses, changing of IP addresses causes these
m accessing a network through authentication
ports when in port-based authentication mode. With dynamic user binding
ers to access the
network with uthenticated after a user authentication.
Wherea mic user binding is enabled, a the corresponding
, t h the
ngs after a u which prevents
other users from accessing the network through the port.
Note that:
dynamically, you must couple dynamic user

Configure the switch port connecting to the DHCP server to be a DHCP Snooping
port.
2) If the users use static IP addresses, you must use 802.1x clients developed by
II
address dynamically, enable DHCP Snooping globally on the
connecting to the DHCP server to be a DHCP
nfiguring 802.1x Dynamic User Binding
02.1x dynamic user binding enables a switch to
AC address, the accessing port, and the VLAN
fter an
to which the accessing port belongs
d the switch then only permi
ackets that match all th tch finds that the four items carried
the p
u
Dynamic user binding can be used to:
Prevent
accounting servers failing to charge effectively.
Prevent unauthenticated user fro
disabled, port-based authentication mode enables other us
out being a
s when dyna
passes the
switch binds
IP address, the MAC address he accessing port, and the VLAN to whic
accessing port belo ser passes the authentication,
1) If the users obtain their IP addresses
binding with DHCP Snooping in the following way:
Enable DHCP Snooping globally on the switch.
trusted
Huawei Technologies and select the Upload user IP address option in the [802.1x
Network Settings] dialog box when creating a new connection.
. Configuration Prerequisites
Enable 802.1x feature globally and on a port.
If you obtain an IP
switch and configure the switch port
Snooping trusted port.
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-12
III. Co
Tabl
nfiguration Procedure
e 1-14 Configure 802.1x dynamic user binding
Operation Command Remarks
Enter system view system-view
Enable 802.1x dynamic
e
dot1x Required. 802.1x
us r binding
dynamic-binding-user
enable
dynamic user binding is
disabled by default.
Display related
display dot1x [ sessio
| ] [
information
statistics interface
interface-list ]
can be executed in any
view.
ns The display command

2.1x Dynamic User Binding Configuration Example IV. 80
1) Network requirements
ddresses dynamically.
from changing their IP addresses
2)
# En
# Enable 802.1x dynamic user binding.
[Quidway] dot1x dynamic-binding-user enable
# Enable DHCP Snooping glo . (Required for 802.1x u
a
[Quidway] dhcp-snooping
#
S sted port. (Re
dynamically)
1.2.12 Se es of Authentication Request Message
Retransmissi
The tting the maximum retransmission times of the
that the switch sends to the supplicant.
igurations in system view.
The 802.1x users obtain IP a
Configure the switch to prevent 802.1x users
after they pass the authentication.
Configuration procedure
able 802.1x globally.
<Quidway> system-view
System View: return to User View with Ctrl+Z.
[Quidway] dot1x
bally sers who obtain IP
ddresses dynamically)
Configure Ethernet 0/1 po
nooping tru
rt, which connects the DH
quired for 802.1x users
CP server, to be a DHCP
who obtain IP addresses
[Quidway] interface ethernet0/1
[Quidway-Ethernet0/1] dhcp-snooping trust
tting the Maximum Tim
on
following commands are used for se
authentication request message
Perform the following conf
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-13
ximum times of the authentication request message Table 1-15 Setting the ma
retransmission
Operation Command
Set the maximum times of the authentication
dot1x retry max-retry-value
request message retransmission
Restore the default maximum retransmission
times
undo dot1x retry

By default, the max-retry-value is 3. That is, the switch can retransmit the
authentication request message to a supplicant for 3 times at most.
1.2.13 Configuring Timers
the 802.1x timers.
Configuring timers
The following commands are used for configuring
Perform the following configurations in system view.
Table 1-16
Operation Command
Configure timers reauth-period-value | server-timeout
supp-timeout supp-timeout-val
dot1x timer { handshake-period handshake-period-value |
quiet-period quiet-period-value | reauth-period
server-timeout-value |
ue | tx-period
tx-period-value | ver-period ver-period-value }
Restore d
undo dot1x timer { handshake-period | quiet-period
efault
settings of the timers
|
reauth-period | server-timeout | supp-timeout | tx-period
riod } | ver-pe

handsh ins after the user has passed the authentication.
A by the period.
S the dot1x retry time is configured as N, the system will consider the user
aving logged off and set the user as logoff state if system doesnt receive the response
to 1024 in units
of second and defaults to 15.
the quiet timer. If an 802.1x user has not passed the
authentication, the Authenticator will keep quiet for a while (which is specified by
the quiet period,
1x authentication.
quiet-period-value: Specify how long the quiet period is. The value ranges from 10 to
120 in units of second and defaults to 60.
ake-period: This timer beg
fter setting handshake-period, system will send th
uppose
e handshake packet
h
from user for consecutive N times.
handshake-period-value: Handshake period. The value ranges from 1
quiet-period: Specify
quiet-period timer) before launching the authentication again. During
the Authenticator does not do anything related to 802.
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-14
timeout timer of an Authentication Server. If an
Authe rver has not responded befo ified period expires, the
Authenticator will resend the authentication reque
server-timeout-value: S
A er is
defaults to 100 seconds.
supp-timeout: Specify
A
encrypted te the Authenticator begins to run. If the
upplicant does not respond back successfully within the time range set by this timer,
the Authenticator will resend the above packet.
hich requests the user name or user name and
password together, the tx-period timer of the Authenticator begins to run. If the
e authentication request packet.
3600.
ver-period-value: Period set by the version request timeout timer, ranging from 1 to 30,
1.2.14 En uiet-Period Timer
s not do anything related to 802.1x
server-timeout: Specify the
ntication Se re the spec
st.
pecify how long the duration of a timeout timer of an
. The value ranges from 100 to 300 in units of second and

uthentication Serv
the authentication timeout timer of a Supplicant. After the
quest/Challenge request packet which requests the MD5 uthenticator sends Re
xt, the supp-timeout timer of
S
supp-timeout-value: Specify how long the duration of an authentication timeout timer of
a Supplicant is. The value ranges from 10 to 120 in units of second and defaults to 30.
tx-period: Specify the transmission timeout timer. After the Authenticator sends the
Request/Identity request packet w
Supplicant does not respond back with authentication reply packet successfully, then
the Authenticator will resend th
tx-period-value: Specify how long the duration of the transmission timeout timer is. The
value ranges from 10 to 120 in units of second and defaults to 30.
reauth-period: Re-authentication timeout timer. During the time limit set by this timer,
the supplicant device launches 802.1x re-authentication.
reauth-period-value: Period set by the re-authentication timeout timer, ranging from 1 to
86400, in seconds. By default, the value is
ver-period: Client version request timeout timer. If the supplicant device failed to send
the version response packet within the time set by this timer, then the authenticator
device will resend the version request packet.
in seconds. By default, the value is 1.
abling/Disabling a Q
You can use the following commands to enable/disable a quiet-period timer of an
Authenticator (which can be a Quidway Series Ethernet Switch). If an 802.1x user has
not passed the authentication, the Authenticator will keep quiet for a while (which is
specified by dot1x timer quiet-period command) before launching the authentication
again. During the quiet period, the Authenticator doe
authentication.
Perform the following configuration in system view.
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-15
Table 1-17 Enabling/disabling a quiet-period timer
Operation Command
Enable a quiet-period timer dot1x quiet-period
Disable a quiet-period timer undo dot1x quiet-period

By default, quiet-period timer is disabled.
1.3 Displaying and Debugging 802.1x
e effect of the configuration. Execute
After the above configuration, execute display command in any view to display the
running of the VLAN configuration, and to verify th
reset command in user view to reset 802.1x statistics. Execute debugging command
in user view to debug 802.1x.
Table 1-18 Displaying and debugging 802.1x
Operation Command
Display the configuration, running and
statistics information of 802.1x
display dot1x [ sessions | statistics ]
[ interface interface-list ]
Reset the 802.1x statistics information
reset dot1x
interface-li
statistics [ interface
st ]
Enable the error/event/packet/all
debugging of 802.1x
debugging dot1x { error | event |
packet | all }
Disable the error/event/packet/all
debugging of 802.1x.
undo debugging dot1x { error | event |
packet | all }

1.4 802
I.
As shown in th workstation of a us ted to the port
E
T enable 802 thenticate the
supplicants so as to control their access to the Internet. The access control mode is
onfigured as based on the MAC address
ain huawei163.net, which can contain up to
30 users. RADIUS authentication is performed first. If there is no response from the
RADIUS server, local authentication will be performed. For accounting, if the RADIUS
server fails to account, the user will be disconnected. In addition, when the user is
.1x Configuration Example
Networking requirements
e following figure, the er is connec
thernet 0/1 of the Switch.
he switch administrator will .1x on all the ports to au
c
All the supplicants belong to the default dom
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-16
user name. Normally, if the users
traffic is less than 2kbps consistently over 20 minutes, he will be disconnected.
et the encryption key as name when the system
ADIUS server and money when the
system exchanges packets with the accounting RADIUS server. Configure the system
to retransmit pa RADIUS server if no respo in 5 seconds.
R
r e RADIUS The system is
in he
domai
T
lo text). The idle cut fu ed.
II.
accessed, the domain name does not follow the
A server group, consisting of two RADIUS servers at 10.11.1.1 and 10.11.1.2
respectively, is connected to the switch. The former one acts as the
primary-authentication/secondary-accounting server. The latter one acts as the
primary-accounting server. S
exchanges packets with the authentication R
ckets to the nse received
etransmit the packet no more than 5 time
eal-time accounting packet to th
s in all. Configure the system to transmit a
server every 15 minutes.
structed to transmit the user name to t
n name.
RADIUS server after removing the user
he user name of the local 802.1x acces
calpass (input in plain
s user is localuser and the password is
nction is enabl
Networking diagram
Supplicant
Authentication Servers
(RADIUS Server Cluster
IP Address: 10.11.1.1
10.11.1.2)
Internet
Authenticator
Switch
Supplicant
Authentication Servers
(RADIUS Server Cluster
IP Address: 10.11.1.1
10.11.1.2)
Internet
Authenticator
Switch
Supplicant
Authentication Servers
(RADIUS Server Cluster
IP Address: 10.11.1.1
10.11.1.2)
Internet
Authenticator
E0/1
Switch
Supplicant
Authentication Servers
(RADIUS Server Cluster
IP Address: 10.11.1.1
10.11.1.2)
Internet
Authenticator
Switch
Supplicant
Authentication Servers
(RADIUS Server Cluster
IP Address: 10.11.1.1
10.11.1.2)
Internet
Authenticator
Switch

II
Figure 1-2 Enabling 802.1x and RADIUS to perform AAA on the supplicant
I. Configuration procedure

Note:
The following examples concern most of the AAA/RADIUS configuration commands.
For details, refer to the chapter AAA and RADIUS Protocol Configuration.
The configurations of accessing user workstation and the RADIUS server are omitted.

Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-17
rimary authentication/accounting RADIUS servers.
servers.
the authentication
# Set the encryption key when the system exchanges packets with the accounting
[Quidway-radius-radius1] key accounting money
for the system to retransmit packets to the RADIUS
rver.
[Quidway-radius-radius1] timer 5
adius-radius1] retry 5
# Configure the system to transmit the user name to the RADIUS server after removing
e domain name.
huawei163.net.
# Enable the 802.1x performance on the specified port Ethernet 0/1.
[Quidway] dot1x interface Ethernet 0/1
# Set the access control mode. (This command could not be configured, when it is
configured as MAC-based by default.)
[Quidway] dot1x port-method macbased interface Ethernet 0/1
# Create the RADIUS scheme radius1 and enters its view.
[Quidway] radius scheme radius1
# Set IP address of the p
[Quidway-radius-radius1] primary authentication 10.11.1.1
[Quidway-radius-radius1] primary accounting 10.11.1.2
# Set the IP address of the second authentication/accounting RADIUS
[Quidway-radius-radius1] secondary authentication 127.0.0.1 1645
[Quidway-radius-radius1] secondary accounting 10.11.1.1
[Quidway-radius-radius1] quit
# Set the encryption key when the system exchanges packets with
RADIUS server.
[Quidway] local-server nas-ip 127.0.0.1 key name
[Quidway] radius scheme radius1
[Quidway-radius-radius1] key authentication name
RADIUS server.
# Set the timeouts and times
se
[Quidway-r
# Set the interval for the system to transmit real-time accounting packets to the
RADIUS server.
[Quidway-radius-radius1] timer realtime-accounting 15
th
[Quidway-radius-radius1] user-name-format without-domain
[Quidway-radius-radius1] quit
# Create the user domain huawei163.net and enters isp configuration mode.
[Quidway] domain huawei163.net
# Specify radius1 as the RADIUS scheme for the users in the domain
[Quidway-isp-huawei163.net] radius-scheme radius1
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1 802.1x Configuration

Huawei Technologies Proprietary
1-18
huawei163.net.
ter in the domain
ce-type lan-access
1x globally.

# Set a limit of 30 users to the domain
[Quidway-isp-huawei163.net] access-limit enable 30
# Enable idle cut function for the user and set the idle cut parame
huawei163.net.
[Quidway-isp-huawei163.net] idle-cut enable 20 2000
# Add a local supplicant and sets its parameter.
[Quidway] local-user localuser
[Quidway-luser-localuser] servi
[Quidway-luser-localuser] password simple localpass
# Enable the 802.
[Quidway] dot1x
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-1
rotocol
figuration
2.1 AAA and RADIUS Protocol Overview
2.1.1 AAA Overview
Authentication, Authorization and Accounting (AAA) provide a uniform framework used
for configuring these three security functions to implement the network security
management.
The network security mentioned here refers to access control and it includes:
Which user can access the network server?
Which service can the authorized user enjoy?
How to keep accounts for the user who is using network resource?
Accordingly, AAA shall provide the following services:
Authentication: authenticates if the user can access the network server.
Authorization: authorizes the user with specified services.
Accounting: traces network resources consumed by the user.
Generally applying Client/Server architecture, in which client ends run as managed
sources and the servers centralize and store user information, AAA framework owns
the good scalability, and is easy to realize the control and centralized management of
user information.
2.1.2 RADIUS Protocol Overview
As mentioned above, AAA is a management framework, so it can be implemented by
some protocols. RADIUS is such a protocol frequently used.
I. What is RADIUS
Remote Authentication Dial-In User Service, RADIUS for short, is a kind of distributed
information switching protocol in Client/Server architecture. RADIUS can prevent the
network from interruption of unauthorized access and it is often used in the network
environments requiring both high security and remote user access. For example, it is
often used for managing a large number of scattering dial-in users who use serial ports
and modems. RADIUS system is the important auxiliary part of Network Access Server
(NAS).
Chapter 2 AAA and RADIUS P
Con
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-2
After RADIUS system is started, if the user wants to have right to access other network
or consume some network resources through connection to NAS (dial-in access server
vironment),
server.
RADIUS server has a u information of user authentication
and network service access. Whe request from NAS, RADIUS server
performs AAA through user database query and update and returns the configuration
NAS controls supplicant and
gulates how to transmit
configuration and accounting information between NAS and RADIUS.
US exchange the information with UDP packets. During the interaction,
both sides encrypt the packets with keys before uploading user configuration
II ation
erver to
perform user authentication. The operation process is as follows: First, the user send
u rypted password is included in the
ill receive from RADIUS server
hat the
essage indicates that the user
2.1.3 Implementi
IUS. In other words, the AAA/RADIUS concerning client-end is
implemented on Quidway Series Ethernet Switches. The figure below illustrates the
including Quidway Series Ethernet Switches.
in PSTN environment or Ethernet switch with access function in Ethernet en
NAS, namely RADIUS client end, will transmit user AAA request to the RADIUS
ser database recording all the
n receiving users
information and accounting data to NAS. Here,
corresponding connections, while RADIUS protocol re
NAS and RADI
information (like password etc.) to avoid being intercepted or stolen.
. RADIUS oper
RADIUS server generally uses proxy function of the devices like access s
req est message (the client username and enc
message ) to RADIUS server. Second, the user w
various kinds of response messages in which the ACCEPT message indicates t
user has passed the authentication, and the REJECT m
has not passed the authentication and needs to input username and password again,
otherwise he will be rejected to access.
ng AAA/RADIUS on Ethernet Switch
By now, we understand that in the above-mentioned AAA/RADIUS framework,
Quidway Series Ethernet Switches, serving as the user access device or NAS, is the
client end of RAD
RADIUS authentication network
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-3
Internet
S3000-EI series
PC user1
PC user2
PC user3
PC user4
S3000-EI series
S2000-SI series
S2000-SI series
ISP1
ISP2
Internet
Authentication
Server
Accounting
Server
Server1
Accounting
Server2
Authentication
Server
Accounting
Internet Internet
PC user1
PC user2
PC user3
PC user4
ISP1
ISP2
Internet
Authentication
Server
Accounting
Server
Server1
Accounting
Server2
Authentication
Server
Accounting

Figure 2-1 Networking when S3000-EI Series Ethernet Switches applying RADIUS
authentication
2.2 AAA Configuration
Configuring Dynamic VLAN with RADIUS Server
ain is compulsory, otherwise
the supplicant attributes cannot be distinguished. The other tasks are optional. You can
2.2.1 Crea
ain is a
group of users belonging to the same ISP. Generally, for a username in the
userid@isp-name format, taking [email protected] as an example, the
isp-name (i.e. huawei163.net) following the @ is the ISP domain name. When Quidway
Series Switches control user access, as for an ISP user whose username is in
userid@isp-name format, the system will take userid part as username for identification
and take isp-name part as domain name.
The purpose of introducing ISP domain settings is to support the multi-ISP application
environment. In such environment, one access device might access users of different
AAA configuration includes:
Creating/Deleting ISP Domain
Configuring Relevant Attributes of ISP Domain
Enabling/Disabling the Messenger Alert
Configuring Self-Service Server URL
Creating a local user
Setting attributes of local user
Disconnecting a user by force
Among the above configuration tasks, creating ISP dom
configure them at requirements.
ting/Deleting ISP Domain
What is Internet Service Provider (ISP) domain? To make it simple, ISP dom
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-4
ssword formats, etc,
tting ISP domain. In
a complete set of
h includes AAA policy
P domain. Up to 16
rted its ISP domain
ISP. Because the attributes of ISP users, such as username and pa
may be different, it is necessary to differentiate them through se
Quidway Series Switches ISP domain view, you can configure
exclusive ISP domain attributes on a per-ISP domain basis, whic
( RADIUS scheme applied etc.)
For Quidway Series Switches, each supplicant belongs to an IS
domains can be configured in the system. If a user has not repo
name, the system will put it into the default domain.
Perform the following configurations in system view.
Table 2-1 Creating/Deleting ISP domain
Operation Command
Create ISP domain or enter the view of a
specified domain.
isp-name

domain
Remove a specified ISP domain undo domain isp-name
Enable the default ISP d
isp-name
omain specified by
domain default enable isp-name
Restore the default ISP domain to system domain default disable

By default, a domain named system has been created in the system. The attributes of
s
2.2.2 Con u ributes of ISP Domain
n include the adopted RADIUS scheme, state, and
scheme is used. The command shall be used
together with the commands of setting RADIUS server and server cluster. For
onfiguring RADIUS section of this chapter.
Every ISP has active/block states. If an ISP domain is in active state, the users in it
The idle cut function means: If the traffic from a certain connection is lower than
the defined traffic, cut off this connection.
sy tem are all default values.
fig ring Relevant Att
The relevant attributes of ISP domai
maximum number of supplicants . Where,
The adopted RADIUS scheme is the one used by all the users in the ISP domain.
The RADIUS scheme can be used for RADIUS authentication or accounting. By
default, the default RADIUS
details, refer to the following C
can request for network service, while in block state, its users cannot request for
any network service, which will not affect the users already online. An ISP is in the
block state when it is created. No user in the domain is allowed to request for
network service.
Maximum number of supplicants specifies how many supplicants can be
contained in the ISP. For any ISP domain, there is no limit to the number of
supplicants by default.
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-5
Perform the following configurations in ISP domain view.
Table 2-2 Configuring relevant attributes of ISP domain
Operation Command
Specify the adopted RADIUS scheme radius-scheme radius-scheme-name
Restore the adopted RADIUS scheme to
the default RADIUS scheme
undo radius-scheme
Specify the ISP domain state to be used state { active | block }
Set a limit to the amount of supplicants
access-limit { disable | enable
max-user-number }
Restore the limit to the default setting undo access-limit
Set the idle idle-cut { disable | enable minute flow }

By default, af sed RADIUS scheme is the default one
n r nfiguring RADIUS
section of this chapter) activ e amount of
sup sabled
2.2.3 Enabling/Disabling the Messenger Alert
Messenger alert function allows the clients to inform the online users about their
maining online time through message alert dialog box.
wing command to enable this function and to configure
the remaining-online-time threshold (the limit argument) and the alert message
If the threshold is reached, the switch sends messages containing the users
e updated remaining online time through a
Perf
Tabl
ter an ISP domain is created, the u
amed system (for relevant parameter configu ation, refer to the Co
.,the state of domain is
plicants ,and the idle-cut function is di
e , there is no limit to th
.
re
The implementation of this function is as follows:
On the switch, use the follo
interval.
remaining online time to the client at the interval you configured.
The client keeps the user informed of th
dialog box.
orm the following configuration in ISP domain view.
e 2-3 Enabling/disabling message alert
Operation Command
Enable messenger alert and configure
remaining-online-time threshold and
interval at which the alert message is
messenger time enable limit interval
the
the
sent
Dis lert messenger time disable able messenger a
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-6
def
Restore the messenger alert as the
ault setting
undo messenger time

By d witch.
2.2.4 Configuring Self-Service Server URL
The self-service-url enable command can be used to c lf-service server
uniform resourc L). This command must be i with a RADIUS
s erv eir
a . tware
is
O ch rvice server
and pe e f
e
xplo ), locate the specified
sed to change the user passwo
ser password on this page.
erform the following configuration in ISP domain view.
efault, messenger alert is disabled on the s
onfigure se
ncorporated e locator (UR
erver that supports self-service. Self-s ice means that users can manage th
ccounts and card numbers by themselves
called a self-service server.
And a server with the self-service sof
nce this function is enabled on the swit , users can locate the self-se
rform self-management through th
Select "Change user password" on th
ollowing operations:
802.1x client.
After the client opens the default e rer (IE or NetScape
URL page u
Change u
rd on the self-service server.
P
Table 2-4 Configuring the self-service server URL
Operation Command
Configure self-service server URL and configure the
URL address used to change the user password on
self-service-url enable
url-string
the self-service server
Remove the configuration of self-service server URL self-service-url disable

By default, self-service server URL is not configured on the switch.
replace it with "|" when inputting the
L
The
au h
2.2.5 Creatin
A loc roup of users set on NAS. The username is the unique identifier of a
local authentication only if its
corresponding local user has been added onto NAS.
Perform the following configurations in system view
Note that, if "?" is contained in the URL, you must
UR in the command line.
"Change user password" option is available only when the user passes the
entication t ; otherwise, this option is in grey and unavailable.
g a Local User
al user is a g
user. A supplicant requesting network service may use
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-7
relevant properties Table 2-5 Creating/Deleting a local user and
Operation Command
Add local users local-user user-name
Delete all the local users undo local-user all
Delete a local user by undo local-user { user-name | all [ service-type
{ lan-acces specifying its type s | ftp | telnet | ssh } ] }

B s no local user in the system.
2.2.6 Setting Attributes of Local User
The attributes of a local user include its password display mode, state, service type and
I.
y default, there i
some other settings.
Setting the password display mode
Perform the following configurations in system view.
Table 2-6 Setting the method that a local user uses to display password
Operation Command
Set the mode that a local user
uses to display password
local-user password-display-mode
{ cipher-force | auto }
Cancel the mode that the local
u r uses to display password
undo local-user pa
se
ssword-display-mode

Wh re, auto means that the password dis e play mode will be the one specified by the
ord command in the following
table for reference), and cipher-force means that the password display mode of all the
II. Setting the attributes of local users
P
T utes concerned with a specified user
user at the time of configuring password (see the passw
accessing users must be in cipher text.
erform the following configurations in local user view.
able 2-7 Setting/Removing the attrib
Operation Command
Set a password for a
specified user
password { simple | cipher } password
Remove the password set
for the specified user
undo password
Set the state of the specified
user
state { active | block }
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-8
Operation Command
Set a service type for the service-type { ftp [ ftp-direc
specified user
tory directory ] |
lan-access | { ssh | telnet }* [ level level ] }
Cancel the service type of
the specified user
undo service-type { ftp [ ftp-directory ] |
lan-access | { ssh | telnet }* [ level ] }
Configure the attributes of
lan-access users
attribute { ip ip-address | mac mac-address |
idle-cut second | access-limit max-user-number |
vlan vlanid | location { nas-ip ip-address port
portnum | port portnum }*
Remove the attributes
defined for the lan-access
undo attribute { ip | mac | idle-cut | access-limit |
users
vlan | location }*

2.2.7 Disco orc
S
s following co
erform the following configurations in system view.
nnecting a User by F e
ometimes it is necessary to dis
ystem provides the
connect a user or a category of users by force. The
mmand to serve for this purpose.
P
Table 2-8 Disconnecting a user by force
Operation Command
Disconnect a
n { all | access-type dot1x } | domain
domain-name | interface portnum | ip ip-address | mac
d | ucibindex ucib-index | user-name user-name }
user by force mac-address | radius-scheme radius-scheme-name | vlan
vlani
cut connectio

By default, no online user will be disconnected by force.
2.2.8 Configuring Dynamic VLAN with RADIUS Server
Based on the ute value of the RADIUS server s the ports of
the users wh ssed the authentication to diff se of
c
appli ork together with Guest
V t a
singl
urrently the ethernet switches support RADIUS server delivers the integer type and
N.
delivery attrib
o have pa
, the switch add
erent VLANs, for purpo
ontrolling the network resources
cations, the ports are set in port-b
that the users can access. In the practical
ased mode in order to w
LAN. When the port is in MAC addr
e user.
ess-based mode, each port can only connec
C
string type VLAN ID.
Integer VLAN ID: The switch adds the port into the VLAN based on the integer ID
delivered from the server. If the VLAN does not exist, it first creates a VLAN and
then adds the port into the new VLA
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-9
string ID delivered from the server with the
VLAN names existing on the switch. If a matching entry is found, the switch adds
the delivery fails and the user

String ID: The switch compares the

the port into the corresponding VLAN. Otherwise,
cannot pass the authentication.
Note:
delivery mode, the VLAN to be delive e on
nd configured a name for it on
o such a restri er mode.
ule in handling strings: If the
IUS server delivers VLANs with full g IDs (1024 for example) and
and add the a ponding
For the string red must be an existing on
the switch. That is, you must h
the switch. There is n
ave created the VLAN a
ction for the integ
For the string delivery mode
RAD
, the switch follows this r
number strin
their converted integer form i
as integer IDs
s within the VLAN range, the switch just handles them
uthentication port to the VLAN with the corres
integer ID. In this example, the port is added into VLAN 1024.

T
Configuring VLAN delivery

I. Configuring
erform the following configuration in ISP domain view.
y mode
he dynamic VLAN with RADIUS server configuration includes:
mode
Configuring name of the delive
VLAN delivery m
red VLAN
ode
P
Table 2-9 Configuring VLAN deliver
Operation Command
Configure VLAN delivery mode as integer vlan-assignment-mode integer
Configure VLAN delivery mode as string vlan-assignment-mode string

By default, the integer mode is selected, that is, the switch supports the RADIUS server
deliv eger VLAN ID.
II. Configuring name
P wing
Table 2-10 Configuring name of the delivered VLAN
ering the int
of the delivered VLAN
configuration in VLAN view. erform the follo
Operation Command
Configure name of the delivered VLAN name string
Remove the configured VLAN name undo name

Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-10
tc.
interaction between NAS and RADIUS Server. To make these
a
RAD
conf


n key
Setting response timeout timer of RADIUS server
Setting retransmission times of RADIUS request packet
ng the selection of RADIUS accounting option





r
Setting local RADIUS authentication server
mong the above tasks, creating RADIUS scheme and setting IP address of RADIUS
rformed as per your
2.3.1 Crea
col configurations are performed on the per
ng other RADIUS protocol
configurations, it is compulsory to create the RADIUS scheme and enter its view to set
its IP address.
You can use the following commands to create/delete a RADIUS scheme.
Perform the following configurations in system view.
2.3 Configuring RADIUS Protocol
For the Quidway Series Switches, the RADIUS protocol is configured on the per
RADIUS scheme basis. In real networking environment, a RADIUS scheme can be an
independent RADIUS server or a set of primary/second RADIUS servers with the same
configuration but two different IP addresses. Accordingly, attributes of every RADIUS
scheme include IP addresses of primary and second servers, shared key and RADIUS
server type e
Actually, RADIUS protocol configuration only defines some necessary parameters
using for information
par meters effective, it is necessary to configure, in the view, an ISP domain to use the
IUS scheme and specify it to use RADIUS AAA schemes. For more about the
iguration commands, refer to the AAA Configuration section above.
RADIUS protocol configuration includes:
Creating/Deleting a RADIUS scheme
Setting IP Address and Port Number of RADIUS Server
Setting RADIUS packet encryptio

Enabli
Setting a real-time accounting interval
Setting maximum times of real-time accounting request failing to be responded
Enabling/Disabling stopping accounting request buffer
Setting the maximum retransmitting times of stopping accounting request
Setting the Supported Type of RADIUS Server
Setting RADIUS server state
Setting username format transmitted to RADIUS server
Setting the unit of data flow that transmitted to RADIUS serve
A
server are required, while other takes are optional and can be pe
requirements.
ting/Deleting a RADIUS scheme
As mentioned above, RADIUS proto
RADIUS scheme basis. Therefore, before performi
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-11
eme Table 2-11 Creating/Deleting a RADIUS sch
Operation Command
Create a RADIUS scheme and
enter its view
radius scheme radius-scheme-name
Delete a RADIUS scheme undo radius scheme radius-scheme-name

Several ISP domains can use a RADIUS scheme at the same time. You can configure
up to 16 RADIUS schemes, including the default scheme named as system.
med system whose attributes are all
default values. The default attribute values will be introduced in the following text.
2.3.2 Setting IP Address and Port Number of RADIUS Server
After creating a RADIUS e, you are supposed to set IP d UDP port
numbers for the RADIUS servers, includin /second
a ccounting servers. So you can configure up
to ort numbers. However, at least you have to set
ne group of IP address and UDP port number for each pair of primary/second servers
re the normal AAA operation.
figure the IP address and port number for
By default, the system has a RADIUS scheme na
schem addresses an
g primary
uthentication/authorization servers and a
4 groups of IP addresses and UDP p
o
to ensu
You can use the following commands to con
RADIUS servers.
Perform the following configurations in RADIUS scheme view.
Table 2-12 Setting IP Address and Port Number of RADIUS Server
Operation Command
Set IP address and port number of primary
RADIUS authen
primary authentication
tication/authorization server. ip-address [ port-number ]
Restore IP address and port number of
primary RADIUS authentication/authorization
or server to the default values.
undo primary authentication
Set IP address and port number of primary
RADIUS accounting server.
primary accounting ip-address
[ port-number ]
Restore IP address and port number of
primary RADIUS accounting server or server undo primary accounting
to the default values.
Set IP address and port number of secondary secondary authentication
port-number ] RADIUS authentication/authorization server. ip-address [
R store IP address and port number e of
c secondary authentication se ond RADIUS authentication/authorization undo
or server to the default values.
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-12
Operation Command
Set IP address and port number of second
RADIUS accounting server.
secondar
ip-address
y accounting
[ port-number ]
R store IP address and port number of e
c o secondary accounting se ond RADIUS accounting server or server und
to the default values.

In real networking environments, the above parameters shall be set according to the
authorization server and second accounting server and the other one as
second authentication/authorization server and primary accounting server, or you may
that every server serves as a primary and
fferent UDP ports to receive/transmit authentication/authorization and
accounting packets, you shall set two different ports accordingly. Suggested by
nting port
gested ones.
(Especially for some earlier RADIUS Servers, authentication/authorization port number
1646.)
The RADIUS t settings on Quidway Series e supposed to be
c RADIUS server. Normally, RADIUS accounting
s 13 and the authenti .
B ses of nd
nting servers are 0.0.0.0, authentication/authorization service port is 1812 and
ccounting service UDP port is 1813.
2.3.3 Sett
ey.
Only when the keys are identical can both ends to accept the packets from each other
You can use the following commands to set the encryption key for RADIUS packets.
specific requirements. For example, you may specify 4 groups of different data to map
4 RADIUS servers, or specify one of the two servers as primary
authentication/
also set 4 groups of exactly same data so
second AAA server.
To guarantee the normal interaction between NAS and RADIUS server, you are
supposed to guarantee the normal routes between RADIUS server and NAS before
setting IP address and UDP port of the RADIUS server. In addition, because RADIUS
protocol uses di
RFC2138/2139, authentication/authorization port number is 1812 and accou
number is 1813. However, you may use values other than the sug
is often set to 1645 and accounting port number is
service por Switches ar
onsistent with the port settings on
ervice port is 18 cation/authorization service port is 1812
y default, all the IP addres primary/second authentication/authorization a
accou
a
ing RADIUS Packet Encryption Key
RADIUS client (switch system) and RADIUS server use MD5 algorithm to encrypt the
exchanged packets. The two ends verify the packet through setting the encryption k
end and give response.
Perform the following configurations in RADIUS scheme view.
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-13
Table 2-13 Setting RADIUS packet encryption key
Operation Command
Set RADIUS authentication/authorization packet
encryption key
key authentication string
Restore the default RADIUS
authentication/authorization packet encryption key.
undo key authentication
Set RADIUS accounting packet key key accounting string
Restore the defa accounting packet key und nting ult RADIUS o key accou

By default, ackets
a
2.3.4 Setting Response Ti
A uthorization or a st packet has been
tr eceived the response from RADIUS
s t er.
Y se timeout timer of RADIUS server
P s
T
the keys of RADIUS authentication/authorization and accounting p
re all huawei.
meout Timer of RADIUS Server
fter RADIUS (authentication/a ccounting) reque
ansmitted for a period of time, if NAS has not r
erver, it has to retransmit the request to guaran ee RADIUS service for the us
ou can use the following command to set respon
erform the following configurations in RADIUS
.
cheme view.
able 2-14 Setting response timeout timer of RADIUS server
Operation Command
Set response timeout timer of RADIUS server timer seconds
Restore the response timeout timer of RADIUS
undo timer
server to
default value

y default, timeout timer of RADIUS server is 3 seconds.
2.3.5 Sett
d.
B
ing Retransmission Times of RADIUS Request Packet
Since RADIUS protocol uses UDP packet to carry the data, the communication process
is not reliable. If the RADIUS server has not responded NAS before timeout, NAS has
to retransmit RADIUS request packet. If it transmits more than the specified retry-times,
NAS considers the communication with the primary and secondary RADIUS servers
has been disconnecte
You can use the following command to set retransmission times of RADIUS request
packet.
Perform the following configurations in RADIUS scheme view.
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-14
Table 2-15 Setting retransmission times of RADIUS request packet
Operation Command
Set retransmission times of RADIUS request packet retry retry-times
Restore the default value of retransmission times undo retry

By default, RADIUS request packet will be retransmitted up to three times.
2.3.6 Ena
RADIUS accounting server fails when the
accounting optional is configured, the user can still use the network resource,
Perform the following configurations in RADIUS scheme view.
bling The Selection Of Radius Accounting Option
If no RADIUS server is available or if
otherwise, the user will be disconnected.
Table 2-16 Enabling the selection of RADIUS accounting option
Operation Command
Enable the selection of RADIUS accounting option accounting optional
Disable the selection of RADIUS accounting
undo accounting optional
option

mand in RADIUS scheme will no
longer send real-time a date packet or offline accoun
T e
a es this RADIUS scheme.
B
2.3.7 Settin erval
T et a terval.
fter the attribute is set, NAS will transmit the accounting information of online users to
llowing command to set a real-time accounting interval.
Perform the following configurations in RADIUS scheme view.
The user configured with accounting optional com
ccounting up ting packet.
he accounting optional command in RADIUS scheme
ccounting that us
view is only effective on th
y default, selection of RADIUS accounting option is disabled.
g a Real-time Accounting Int
o implement real-time accounting, it is necessary to s real-time accounting in
A
the RADIUS server regularly.
You can use the fo
Table 2-17 Setting a real-time accounting interval
Operation Command
Set a real-time accounting interval timer realtime-accounting minutes
Restore the default value of the interval undo timer realtime-accounting

Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-15
erval in minutes. The
value shall be a multiple of 3.
r. The
smaller the value is, the erformances of NAS and RA uired.
W than 1000, ggest a
larg value to the number of
u
able 2-18 Recommended ratio of minutes to number of users
The parameter minutes specifies the real-time accounting int
The value of minutes is related to the performance of NAS and RADIUS serve
higher the p DIUS are req
hen there are a large amount of users (more inclusive), we su
er value. The following table recommends the ratio of minute
sers.
T
Number of users Real-time accounting interval (minute)
1 to 99 3
100 to 499 6
500 to 999 12
1000 15

By default, minute is set to 12 minutes.
2.3.8 Sett
be Respo
timer. If the RADIUS
server has not received the real-time accounting packet from NAS for long, it will
, it is necessary to
disconnect the user a nd on RADIUS server synch n some
u u um times of
real t
h fro erver for some
pecified times.
ccounting
request failing to be responded
ing Maximum Times of Real-time Accounting Request Failing to
nded
RADIUS server usually checks if a user is online with timeout
consider that there is device failure and stop accounting. Accordingly
t NAS end a ronously whe
npredictable failure exists. Quidway Series Switches s
-time accounting request failing to be responded. NAS will disconne
pport to set maxim
ct the user if i
as not received real-time accounting response m RADIUS s
s
You can use the following command to set the maximum times of real-time a
Perform the following configurations in RADIUS scheme view.
Table 2-19 Setting maximum times of real-time accounting request failing to be
responded
Operation Command
Set maximum times of real-time accounting request
failing to be responded
retry realtim
retry-tim
e-accounting
es
Restore the maximum times to the default value
undo retry
realtime-accounting

Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-16
erver connection will
timeout in T and the r ounting interval of NAS is t, the art of the
result from dividing T by t is the value of count. Therefore, when ap d
th
B n 5
times
2.3.9 Enabling/Disabling Stopping Accounting Request Buffer
ffect the
essage to RADIUS accounting server.
Accordingly, if the message from Quidway Series Switches to RADIUS accounting
buffer and retransmit it
until the server responds or discards the messages after transmitting for specified times.
g to save the message or not. If save,
use the command to set the maximum retransmission times.
stopping accounting request buffer
How to calculate the value of retry-times? Suppose that RADIUS s
eal-time acc n the integer p
plied, T is suggeste
e numbers which can be divided exactly by t.
y default, the real-time accounting request can fail t
.
o be responded no more tha
Because the stopping accounting request concerns account balance and will a
amount of charge, which is very important for both the subscribers and the ISP, NAS
shall make its best effort to send the m
server has not been responded, switch shall save it in the local
The following command can be used for settin
Perform the following configurations in RADIUS scheme view.
Table 2-20 Enabling/Disabling
Operation Command
Enable stopping accounting request buffer stop-accounting-buffer enable
Disable stopping accounting request buffer
ccounting-buffer
able
undo stop-a
en

B quest
2.3.10 Sett g ing
Request
y important for both the subscribers and the ISP, NAS
Perform the following configurations in RADIUS scheme view.
y default, the stopping accounting re will be saved in the buffer.
ing the Maximum Retransmittin Times of Stopping Account
Because the stopping accounting request concerns account balance and will affect the
amount of charge, which is ver
shall make its best effort to send the message to RADIUS accounting server.
Accordingly, if the message from Quidway Series Switch to RADIUS accounting server
has not been responded, switch shall save it in the local buffer and retransmit it until the
server responds or discards the messages after transmitting for specified times. Use
the command to set the maximum retransmission times.
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-17
T etting the maxim retransmitting times of stopping accounting request able 2-21 S um
Operation Command
Set the
stopping a
maximum retran g times of
ccounting request
retry stop-accounting
retry-times
smittin

Restore the maximum retransmitting times of
undo retry stop-accounting stopping accounting request to the default
value

By default, the stopping accounting request can be retransmitted for up to 500 times.
2.3.11 Se
Table 2-22 Setting the supported type of RADIUS server
tting the Supported Type of RADIUS Server
Quidway Series Switches support the standard RADIUS protocol and the extended
RADIUS service platforms, such as IP Hotel, 201+ and Portal, independently
developed by Huawei.
You can use the following command to set the supported types of RADIUS servers.
Perform the following configurations in RADIUS scheme view.
Operation Command
Setting the Supported Type of server-type { huawei | iphotel | portal |
RADIUS Server standard }
Restore the Supported Type of
RADIUS Server to the default setting
undo server-type

By default, the newly creat US scheme supports the server of standard type,
w f
huawei type.
2.3.12 Setting RADIUS Server State
For the primary and second servers (no matter it is an authentication/authorization
ne. When the second one fails to
set the primary server to be active manually, in order that NAS can
communicate with it right after the troubleshooting.
When the primary and second servers are both active or block, NAS will send the
packets to the primary server only.
ed RADI
hile the "system" RADIUS scheme created by the system supports the server o
server or accounting server), if the primary is disconnected to NAS for some fault, NAS
will automatically turn to exchange packets with the second server. However, after the
primary one recovers, NAS will not resume the communication with it at once, instead,
it continues communicating with the second o
communicate, NAS will turn to the primary one again. The following commands can be
used to
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-18
Perform the following configurations in RADIUS scheme view.
Table 2-23 Setting RADIUS server state
Operation Command
Set the state of primary RADIUS
server
state primary { accounting |
authentication } { block | active }
Set the state of second RADIUS
server
state secondary{ accounting |
authentication } { block | active }

By default, the state of each server in RADIUS scheme is active.
2.3.13 Setting Username Format Transmitted to RADIUS Server
As mentioned above, the supplicants are generally named in -name format.
The part following @ is the ISP domain name. Quidway Series Switches will put the
u to me
earli
you have to remove the d e s e username to the RADIUS
erver. The following command of switch decides whether the username to be sent to
RADIUS server carries ISP domain name or not.
userid@isp
sers into different ISP domains according the domain names. However, so
er RADIUS servers reject the username incl
omain name befor
uding ISP domain name. In this case,
ending th
s
Perform the following configurations in RADIUS scheme view.
Table 2-24 Setting username format transmitted to RADIUS server
Operation Command
Set Username Format Transmitted to { |
RADIUS Server
user-name-format with-domain
without-domain }

Note:
If a RADIUS scheme is configured not to allow usernames including ISP domain names,
the RADIUS scheme shall not be simultaneously used in more than one ISP domain.
Otherwise, the RADIUS server will regard two users in different ISP domains as the
luding their respective
domain names.)
same user by mistake, if they have the same username (exc

B
s name; as for the "s US scheme created by
th s excludes the ISP domain name.
y default, as for the newly created RADIUS sche
ervers includes an ISP domain
me, the username sent to RADIUS
ystem" RADI
e system, the username sent to RADIUS server
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-19
2.3.14 Se
ent to RADIUS server.
Perform the following configurations in RADIUS scheme view.
tting the Unit of Data Flow that Transmitted to RADIUS Server
The following command defines the unit of the data flow s
Table 2-25 Setting the unit of data flow transmitted to RADIUS server
Operation Command
Set the unit of data flow
transmitted to RADIUS server
kilo-byte | mega-byte } packet { giga-packet |
data-flow-format data { byte | giga-byte |
kilo-packet | mega-packet | one-packet }
Restore the unit to the default
undo data-flow-format
setting

B
2.3.15 Con cation Server
RADIUS service, which adopts authentication/authorization/accounting servers to
anage users, is widely used in Quidway series switches. Besides, local
Perform the following commands in system view to create/delete local RADIUS
y default, the default data unit is byte and the default data packet unit is one packet.
figuring Local RADIUS Authenti
m
authentication/authorization service is also used in these products and it is called local
RADIUS authentication server function, i.e. realize basic RADIUS function on the
switch.
authentication server.
Table 2-26 Creating/Deleting local RADIUS authentication server
Operation Command
Create local RADIUS authentication
server
local-server nas-ip ip-address key
password
Delete local RADIUS authentication
server
undo local-server nas-ip ip-address

By default, the IP address of local RADIUS authentication server is 127.0.0.1 and the
ation server function, note that,
d that for accounting is
1646.
ver command must be the same as that of
the RADIUS authentication/authorization packet co he command key
authentication in RADIUS scheme view.
password is Huawei.
When using local RADIUS authentic
1) The number of UDP port used for authentication is 1645 an
2) The password configured by local-ser
nfigured by t
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-20
2.4 Disp S
fter the above configuration, execute display command in any view to display the
running of the AAA and RADIUS configuration, and to verify the effect of the
AAA and RADIUS
statistics, etc. Execute debugging command in user view to debug AAA and RADIUS.
Table 2-27 Displaying and debugging AAA and RADIUS protocol
laying and Debugging AAA and RADIU Protocol
A
configuration. Execute reset command in user view to reset
Operation Command
Display the configuration
information of the specified or
all the ISP domains.
display domain [ isp-name ]
Display related information of
users connection
display connection [ access-type dot1x |
domain isp-name | interface portnum | ip
ip-address | mac mac-address | radius-scheme
radius-scheme-name | vlan vlanid | ucibindex
ucib-index | user-name user-name ]
Display related information of
the local user
{ disable | enable } | service-type
lan-access | ssh } | state { ac
display local-user [ domain isp-name | idle-cut
{ telnet | ftp |
tive | block } |
user-name user-name d] | vlan vlan-i
Display the statistics of local
RADIUS authentication server
display local-server statistics
Display the configuration
information of all the RADIUS
schemes or a specified one
display radius [ radius-scheme-name ]
Display the statistics of RADIUS
packets
display radius statistics
Display the stopping accounting
requests saved in buffer without
response (from system view)
display stop-accounting-buffer
{ radius-scheme radius-scheme-name |
session-id session-id | time-range start-time
stop-time | user-name user-name }
Delete the stopping accounting
requests saved in buffer without
response (from system view)
reset stop-accounting-buffer { radius-scheme
radius-scheme-name | session-id session-id |
time-range start-time stop-time | user-name
user-name }
Reset the statistics of RADIUS
server.
reset radius statistics
Enable RADIUS packet
debugging radius packet
debugging
Disable RADIUS packet
debugging
undo debugging radius packet
Enable debugging of local debugging local-server { all | error | event
RADIUS authentication server packet }
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-21
Operation Command
Disable of local
RADIUS authentication server
undo debugging er { all | error | debugging local-serv
event packet }

2.5 AAA and RADIUS Protoc Examples
or the hybrid configuration example of AAA/RADIUS protocol and 802.1x protocol,
Server

ol Configuration
F
refer to Configuration Example in 802.1x Configuration. It will not be detailed here.
2.5.1 Configuring FTP/Telnet User Authentication at Remote RADIUS
Note:
Configuring Telnet user authentication at the remote server is similar to configuring
FTP users. The following description is based on Telnet users.

I. ments
to achieve through
proper configuration that the RADIUS server authenticates the Telnet users to be
registered.
O n
se address is 10.110.91.164. The pa anging messages between
th me
from username and sends the left part to the RADIUS server.
Networking Require
In the environment as illustrated in the following figure, it is required
ne RADIUS server (as authentication s
rver IP
erver) is connected to the switch a d the
ssword for exch
e switch and the authentication server is "expert. The switch cuts off domain na
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-22
II. Networking Topology
Authentication Servers
( IP address:10.110.91.164 )
Internet
Switch
telnet user
Internet

F
III. Configurtion Schedule
# Add a Telnet user.
O

igure 2-2 Configuring remote RADIUS authentication for Telnet users

mitted
Note:
F and Telnet users, refer to User Interface
C
or details about configuring FTP
onfiguration in Getting Started.

# Configure remote authentication mode for the Telnet user, i.e. scheme mode.
[ t
#
[Quidway] domain cams
[
#
[Quidway] radius scheme cams
[Quidway-radius-cams] primary authentication 10.110.91.164 1812
[Quidway-radius-cams] key authentication expert
[
[Quidway-radius-cams] user-name-format without-domain
#
[
[
[Quidway-isp-cams] radius-scheme cams
Quidway-ui-vty0-4] authentica
Configure domain.
ion-mode scheme
Quidway-isp-cams] quit
Configure RADIUS scheme.
Quidway-radius-cams] server-type huawei
Configuration association between domain and RADIUS.
Quidway-radius-cams] quit
Quidway] domain cams
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-23
2.5.2 Configuring FTP/Telnet User Authentication at Local RADIUS Server
L f
authentication. But you should modify the server IP address to 127.0.0.1,
uthentication password to Huawei, the UDP port number of the authentication server
ocal RADIUS authentication o Telnet/FTP users is similar to remote RADIUS
a
to 1645.

Note:
For details about local RADIUS authentication of Telnet/FTP users, refer to 2.3.15
Configuring Local RADIUS Authentication Server.

2.5.3 Configuring Dynamic VLAN with RADIUS Server
I.
sting VLAN ID test,
which corresponds to the name of VLAN 100 on the switch. The switch can add the port
VLAN 100 when the server delivers "test".
II
[Quidway-radius-ias] key accounting hello
[Quidway-radius-ias] quit
2) Create ISP domain
[Quidway] domain ias
[Quidway-isp-ias] scheme radius-scheme ias
3) Configure VLAN delivery mode as string
[Quidway-isp-ias] vlan-assignment-mode string
[Quidway-isp-ias] quit
4) Create a VLAN and specify its name.
# Create a VLAN.
[Quidway] vlan 100
Networking Requirements
The RADIUS server (taking Windows IAS as example) delivers
to
II. Networking diagram
See Figure 2-2.
I. Configuration procedure
1) Specify RADIUS scheme
[Quidway] radius scheme ias
[Quidway-radius-ias] primary authentication 10.11.1.1
[Quidway-radius-ias] primary accounting 10.11.1.2
[Quidway-radius-ias] key authentication hello
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-24
elivered VLAN.
de to string and the
. It mainly
RADIUS server of ISP.
1) The username may not be in the userid@isp-name format or NAS has not been
configured with a default ISP domain. Please use the username in proper format
lt ISP domain on NAS.
een configured in the RADIUS server database. Check
make sure that the configuration information of the user does
t in the database.
The user may have input a wrong password. So please make sure that the
supplicant inputs the correct password.
cryption keys of RADIUS server and NAS may be different. Please check
lly and make sure that they are identical.
ough pinging RADIUS from NAS. So please ensure
the normal communication between NAS and RADIUS.
Fault two: RADIUS packet cannot be transmitted to RADIUS server.
nk layer) connecting NAS and
ay not work well. So please ensure the lines work well.
2) The IP address of the corresponding RADIUS server may not have been set on
r IP address for RADIUS server.
3) UDP ports of authentication/authorization and accounting services may not be set
consistent with the ports provided by RADIUS
nnot send
1) The accounting port number may be set improperly. Please set a proper number.
# Configure name of the d
[Quidway-vlan100] name test
5) Configure on the Windows IAS server the VLAN delivery mo
name of the delivered VLAN to test.
2.6 AAA and RADIUS Protocol Fault Diagnosis and
Troubleshooting
RADIUS protocol of TCP/IP protocol suite is located on the application layer
specifies how to exchange user information between NAS and
So it is very likely to be invalid.
Fault one: User authentication/authorization always fails
Troubleshooting:
and configure the defau
2) The user may have not b
the database and
exis
3)
4) The en
carefu
5) There might be some communication fault between NAS and RADIUS server,
which can be discovered thr

Troubleshooting:
1) The communication lines (on physical layer or li
RADIUS server m
NAS. Please set a prope
properly. So make sure they are
server.
Fault three: After being authenticated and authorized, the user ca
charging bill to the RADIUS server.
Troubleshooting:
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches
Chapter 2 AAA and RADIUS Protocol
Configuration

Huawei Technologies Proprietary
2-25
d authentication/authorization service are provided on
NAS requires the services to be provided on one server (by
ase make sure the settings of servers are
consistent with the actual conditions.
2) The accounting service an
different servers, but
specifying the same IP address). So ple

Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 3 HABP Configuration

Huawei Technologies Proprietary
3-1
onfiguration
3.1 HAB
ch, on a switch, 802.1x will run authentication at
to fo 2.1x authentication is skipped, packets will
ossible.
to solve this
B server regularly sends
HABP resses of the member
client responds to the request packets and forwards them to the
e
HAB
HAB re 802.1x is enabled.
3.2 HABP

3.2.1 Con
Whe s HABP request packets
it enience of
can define the time interval for transmitting HABP request packets
To c

Plea
Chapter 3 HABP C
P Overview
If 802.1x attribute is configured at a swit
those ports where 802.1x is enabled. Only those which pass the authentication are able
rward packets. For those ports where 80
be filtered by 802.1x attribute, so the management over them is also imp
HABP(Huawei Authentication Bypass Protocol) attribute can be used
problem.
HABP packets contain the MAC address and other information of the member switches.
When HABP attribute is enabled at the management switch, 802.1x authentication will
be skipped for HABP packets, so management over switches is possible.
HA P includes HABP server and HABP client. In general, the
request packets to the client to collect the MAC add
switches, while the
low r-level switches. HABP server is often enabled at the management switch, while
P client is at the member switches.
P attribute had better be enabled at a switch whe
configuration
HABP attribute configuration tasks include:
Configuring HABP server
Configuring HABP client
figuring HABP Server
n HABP server is enabled, the management switch send
to s member switches to collect their MAC addresses, for the conv
management. You
on the management switch.
onfigure HABP server, follow these steps:
Enable HABP attribute
Configure HABP server
Set time interval for HABP request transmission
se perform the following operations in system view.
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 3 HABP Configuration

Huawei Technologies Proprietary
3-2
Table 3-1 Configuring HABP server
Operation Command
Enable HABP attribute habp enable
R store HABP attribute to the default value undo habp enable e
Configure the switch as HABP Server habp server vlan vlan-id
Delete HABP Server configuration undo habp server
Se ssion habp timer interval t time interval for HABP request transmi
Restore the time interval to the default value undo habp timer

By default, HABP attribute is disabled at a switch, the HABP mode is client, and the
time interval for HABP request transmission is 20 seconds.
3.2.2 Configuring HABP Client
HABP client runs at the member switches. Since the default HABP mode is client, you
only need to enable HABP attribute at a switch.
Please perform the following operations in system view.
Table 3-2 Configuring HABP client
Operation Command
Enable HABP attribute habp enable
Restore HABP to the default value undo habp enable

By default, HABP attribute is disabled at a switch.
3.3 Displaying and Debugging HABP Attribute
After the above configurations, you can view HABP attribute information using the
display command in any view, or just for check. You can also debug HABP module
using the debugging command in user view.
Table 3-3 Displaying and debugging HABP attribute
Operation Command
Display configuration information and state of HABP
attribute
display habp
Display MAC address table of HABP attribute display habp table
Display HABP packet statistics display habp traffic
Display HABP debugging state display debugging habp
Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 3 HABP Configuration

Huawei Technologies Proprietary
3-3
Operation Command
Enab habp le HABP debugging debugging
Disa gging habp ble HABP debugging undo debu