As shown in Figure 1, users belong to the domain huawei. Switch functions as the network access server (NAS) on the destination network and grants users access only after they have been authenticated by the remote server. Remote authentication on Switch works as follows:
The RADIUS server will authenticate access users for Switch. If RADIUS authentication fails, local authentication is used.
The RADIUS servers at 10.7.66.66/24 and 10.7.66.67/24 function as the primary and secondary authentication and accounting servers, respectively. The default authentication port and accounting port are 1812 and 1813, respectively.
The configuration roadmap is as follows:
Ensure that the shared key in the RADIUS server template is the same as the setting on the RADIUS server.
If the RADIUS server does not accept the user name containing the domain name, run the undo radius-server user-name domain-included command in the RADIUS server template view to configure the device to send packets that do not contain the domain name to the RADIUS server.
# Configure a RADIUS server template named shiva.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] radius-server template shiva
# Set the IP address and port numbers for the primary RADIUS authentication and accounting server.
[Switch-radius-shiva] radius-server authentication 10.7.66.66 1812 weight 80
[Switch-radius-shiva] radius-server accounting 10.7.66.66 1813 weight 80
# Set the IP address and port numbers for the secondary RADIUS authentication and accounting server.
[Switch-radius-shiva] radius-server authentication 10.7.66.67 1812 weight 40
[Switch-radius-shiva] radius-server accounting 10.7.66.67 1813 weight 40
# Set the shared key and retransmission count for the RADIUS server, and configure the device not to encapsulate the domain name in the user name when sending RADIUS packets to the RADIUS server.
[Switch-radius-shiva] radius-server shared-key cipher Huawei@2012
[Switch-radius-shiva] radius-server retransmit 2
[Switch-radius-shiva] undo radius-server user-name domain-included
[Switch-radius-shiva] quit
# Create an authentication scheme named auth. Configure the authentication scheme to use RADIUS authentication as the active authentication mode and local authentication as the backup.
[Switch] aaa
[Switch-aaa] authentication-scheme auth
[Switch-aaa-authen-auth] authentication-mode radius local
[Switch-aaa-authen-auth] quit
# Create an accounting scheme named abc, and configure the accounting scheme to use the RADIUS accounting mode. Configure a policy for the device to keep users online upon accounting-start failures.
[Switch-aaa] accounting-scheme abc
[Switch-aaa-accounting-abc] accounting-mode radius
[Switch-aaa-accounting-abc] accounting start-fail online
[Switch-aaa-accounting-abc] quit
# Create a domain named huawei, and bind the authentication scheme auth, the accounting scheme abc, and the RADIUS server template shiva to it.
[Switch-aaa] domain huawei
[Switch-aaa-domain-huawei] authentication-scheme auth
[Switch-aaa-domain-huawei] accounting-scheme abc
[Switch-aaa-domain-huawei] radius-server shiva
[Switch-aaa-domain-huawei] quit
[Switch-aaa] quit
# Set huawei as the global default domain for access users and as the global default administrative domain.
[Switch] domain huawei
[Switch] domain huawei admin
# Create a local user named user1, which is the account used when authentication falls back to local, with HTTP access and user level 15.
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Huawei@123
[Switch-aaa] local-user user1 service-type http
[Switch-aaa] local-user user1 privilege level 15
[Switch-aaa] quit
# Run the display radius-server configuration template template-name command on Switch to verify the RADIUS server template configuration.
[Switch] display radius-server configuration template shiva
  ------------------------------------------------------------------------------
  Server-template-name              : shiva
  Protocol-version                  : standard
  Traffic-unit                      : B
  Shared-secret-key                 : %^%#HN!rP_Lc1<+L+H/&YUzN]CBy;_09Z>9T5\.k{T1/%^%#
  Group-filter                      : class
  Timeout-interval(in second)       : 5
  Retransmission                    : 2
  EndPacketSendTime                 : 0
  Dead time(in minute)              : 5
  Domain-included                   : NO
  NAS-IP-Address                    : 0.0.0.0
  Calling-station-id MAC-format     : xxxx-xxxx-xxxx
  Called-station-id MAC-format      : XX-XX-XX-XX-XX-XX
  NAS-Port-ID format                : New
  Service-type                      : -
  NAS-IPv6-Address                  : ::
  Detect-interval(in second)        : 60
  Authentication Server 1           : 10.7.66.66 Port:1812 Weight:80 [UP]
    Vrf:- LoopBack:NULL Vlanif:NULL Source IP: ::
  Authentication Server 2           : 10.7.66.67 Port:1812 Weight:40 [UP]
    Vrf:- LoopBack:NULL Vlanif:NULL Source IP: ::
  Accounting Server 1               : 10.7.66.66 Port:1813 Weight:80 [UP]
    Vrf:- LoopBack:NULL Vlanif:NULL Source IP: ::
  Accounting Server 2               : 10.7.66.67 Port:1813 Weight:40 [UP]
    Vrf:- LoopBack:NULL Vlanif:NULL Source IP: ::
  ------------------------------------------------------------------------------
Switch configuration file
#
 sysname Switch
#
 domain huawei
 domain huawei admin
#
radius-server template shiva
 radius-server shared-key cipher %^%#HN!rP_Lc1<+L+H/&YUzN]CBy;_09Z>9T5\.k{T1/%^%#
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server authentication 10.7.66.67 1812 weight 40
 radius-server accounting 10.7.66.66 1813 weight 80
 radius-server accounting 10.7.66.67 1813 weight 40
 radius-server retransmit 2
 undo radius-server user-name domain-included
#
aaa
 authentication-scheme auth
  authentication-mode radius local
 accounting-scheme abc
  accounting-mode radius
  accounting start-fail online
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius-server shiva
 local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
 local-user user1 privilege level 15
 local-user user1 service-type http
#
return
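As an added illustration of the two notes in the roadmap (the shared key in the template must match the server's, and domain-included decides whether user1@huawei or just user1 goes on the wire), and not part of Huawei's documentation or code: a minimal RFC 2865 Access-Request/Access-Accept exchange in Python. The shared key Huawei@2012 is the one from the configuration; the user password, packet identifier and Request Authenticator are constructed sample values.

```python
# Added example (RFC 2865 mechanics), not Huawei code; all sample values are constructed.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def nas_user_name(login: str, domain_included: bool) -> str:
    """Effect of 'undo radius-server user-name domain-included': send 'user1', not 'user1@huawei'."""
    return login if domain_included else login.split("@", 1)[0]

def hide_password(data: bytes, secret: bytes, req_auth: bytes, encrypt: bool) -> bytes:
    """RFC 2865 5.2: block i is XORed with MD5(secret + ciphertext block i-1); block 0 is keyed by the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev, out = (res if encrypt else block), out + res
    return out

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Access-Request (Code 1) as the NAS sends it to the authentication port 1812."""
    hidden = hide_password(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_reply(request: bytes, secret: bytes, expected_password: bytes) -> bytes:
    """Server: unhide the password with its own key copy; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    ident, req_auth, attrs = request[1], request[4:20], request[20:]
    hidden, pos = b"", 0
    while pos + 2 <= len(attrs):  # walk the attribute TLVs; the length byte covers type and length
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2: break
        if atype == ATTR_USER_PASSWORD: hidden = attrs[pos + 2:pos + alen]
        pos += alen
    ok = hide_password(hidden, secret, req_auth, False).rstrip(b"\x00") == expected_password
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def nas_verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS: a reply that does not verify under the template's shared key is discarded (what a key mismatch looks like)."""
    length = struct.unpack("!BBH", reply[:4])[2]
    if length != len(reply) or length < 20: return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

A server configured with a different key cannot recover the password and its reply does not verify on the NAS, so the request is simply retransmitted (radius-server retransmit 2) until the server is considered unreachable and local authentication takes over.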