
Example for Configuring RADIUS+Local Authentication and User Level Authorization for Administrators

Network Requirements

As shown in Figure 1, a RADIUS server is deployed on an enterprise network. The enterprise requires that the administrator use RADIUS authentication and log in to the device through STelnet.
  1. The administrator can log in to the device through STelnet only after entering a correct user name and password.
  2. After the administrator logs in to the device through STelnet, the server authorizes privilege level 15 to the administrator, who can then execute all commands at levels 0 to 15.
  3. If the link between the device and server is disconnected, the administrator will be authenticated locally during a login to the device.

Figure 1 Network diagram

Configuration roadmap

  1. Configure STelnet login on the switch: Set the authentication mode of accessing VTY user interfaces to AAA, enable the STelnet service, and configure the authentication mode and service type for SSH users.
  2. Configure RADIUS authentication on the switch: Create a RADIUS server template, configure an AAA scheme, and configure a global default administrative domain.
  3. Configure a local user on the switch: Configure a local user name, password, and privilege level.
  4. Configure a RADIUS server.

Precautions

  • Ensure that there are reachable routes between devices.
  • Ensure that the shared key in the RADIUS server template is the same as that configured on the RADIUS server.

  • If the login account is created on the switch but not on the RADIUS server, RADIUS authentication will fail and local authentication will not be performed. Local authentication will be performed only when the RADIUS server is Down or does not respond.
  • If the accounting mode is set to RADIUS in an accounting scheme, the administrator will pass local authentication but fail to log in to the device because starting accounting will fail after the link between the device and server is disconnected. To prevent this problem, run the accounting start-fail online command in the accounting scheme view to allow users to go online after initial accounting fails.
  • If the RADIUS server does not accept the user name containing the domain name, run the undo radius-server user-name domain-included command in the RADIUS server template view to configure the device to send packets that do not contain the domain name to the RADIUS server.

  • After a domain is set as the global default administrative domain, an administrator whose user name carries this domain name or carries no domain name uses the AAA configuration of the global default administrative domain.
  • After the undo radius-server user-name domain-included command is run, the device changes only the user name format in the packets it sends; the domain to which the user belongs is not affected. For example, after this command is run, the user with the user name user@huawei.com still uses the AAA configuration of the domain huawei.com.
  • When the administrator privilege level is authorized using the RADIUS extended attribute HW-Exec-Privilege (26-29), the valid attribute value ranges from 0 to 15. A value greater than or equal to 16 is invalid.
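The HW-Exec-Privilege check described in the last precaution, as an added Python example that is not part of the page: it decodes a Huawei Vendor-Specific Attribute (RADIUS type 26, Huawei IANA vendor ID 2011, vendor type 29) from the attribute section of an Access-Accept and refuses levels outside 0 to 15 instead of silently accepting them. The packet bytes and the encoding helper are constructed here for the example.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute (RFC 2865)
HUAWEI_VENDOR_ID = 2011     # Huawei's IANA enterprise number
HW_EXEC_PRIVILEGE = 29      # Huawei vendor type: HW-Exec-Privilege (26-29)

def parse_attributes(payload):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def exec_privilege(payload):
    """Return the HW-Exec-Privilege level granted by an Access-Accept, or None if
    absent. Levels 16 and above are invalid on the switch, so they raise here."""
    for atype, value in parse_attributes(payload):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue
        sub = value[4:]   # vendor-type, vendor-length, value, repeated
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == HW_EXEC_PRIVILEGE:
                if vlen != 6:
                    raise ValueError("HW-Exec-Privilege must be a 4-byte integer")
                level = struct.unpack("!I", sub[2:6])[0]
                if level > 15:
                    raise ValueError(f"invalid HW-Exec-Privilege value: {level}")
                return level
            sub = sub[vlen:]
    return None

def build_huawei_vsa(vendor_type, level):
    """Constructed helper: encode one Huawei VSA carrying an integer value."""
    sub = bytes([vendor_type, 6]) + struct.pack("!I", level)
    body = struct.pack("!I", HUAWEI_VENDOR_ID) + sub
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(body)]) + body

# Constructed sample: attribute section of an Access-Accept for user1 granting level 15
SAMPLE_ACCEPT = bytes([1, 7]) + b"user1" + build_huawei_vsa(HW_EXEC_PRIVILEGE, 15)
```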

Procedure

  1. Configure STelnet login.

    # Generate a local key pair on the switch, which acts as the SSH server.

    <HUAWEI> system-view 
    [HUAWEI] sysname Switch 
    [Switch] dsa local-key-pair create 
    Info: The key name will be: Switch_Host_DSA. 
    Info: The key modulus can be any one of the following : 1024, 2048. 
    Info: If the key modulus is greater than 512, it may take a few minutes. 
    Please input the modulus [default=2048]: 
    Info: Generating keys... 
    Info: Succeeded in creating the DSA host keys.

    # Set the authentication mode and protocol for accessing VTY user interfaces 0 to 14 to AAA and SSH, respectively.

    [Switch] user-interface vty 0 14 
    [Switch-ui-vty0-14] authentication-mode aaa 
    [Switch-ui-vty0-14] protocol inbound ssh
    [Switch-ui-vty0-14] quit

    # Enable the SSH server function on the device.

    [Switch] stelnet server enable 

    # Set the authentication mode of all SSH users to password authentication and the service type to STelnet.

    [Switch] ssh authentication-type default password

    If only a few SSH users use password authentication and the STelnet service type, you can instead specify an SSH user name to set the authentication mode and service type of a single SSH user. For example, the following commands set the authentication mode and service type of the SSH user admin to password authentication and STelnet, respectively.

    [Switch] ssh user admin authentication-type password

    [Switch] ssh user admin service-type stelnet

  2. Configure RADIUS authentication.

    # Configure a RADIUS server template on the device to enable the device to communicate with the RADIUS server.

    [Switch] radius-server template 1
    [Switch-radius-1] radius-server authentication 10.1.6.6 1812
    [Switch-radius-1] radius-server accounting 10.1.6.6 1813
    [Switch-radius-1] radius-server shared-key cipher Huawei@123
    [Switch-radius-1] quit

    # Configure an AAA authentication scheme named sch1 and set the authentication mode to RADIUS+local.

    [Switch] aaa
    [Switch-aaa] authentication-scheme sch1
    [Switch-aaa-authen-sch1] authentication-mode radius local
    [Switch-aaa-authen-sch1] quit

    # Configure an accounting scheme named acc1 and set the accounting mode to RADIUS accounting.

    [Switch-aaa] accounting-scheme acc1 
    [Switch-aaa-accounting-acc1] accounting-mode radius 
    [Switch-aaa-accounting-acc1] accounting start-fail online 
    [Switch-aaa-accounting-acc1] quit

    # Apply the AAA authentication scheme and RADIUS server template to the domain huawei.com.

    [Switch-aaa] domain huawei.com
    [Switch-aaa-domain-huawei.com] authentication-scheme sch1
    [Switch-aaa-domain-huawei.com] accounting-scheme acc1
    [Switch-aaa-domain-huawei.com] radius-server 1
    [Switch-aaa-domain-huawei.com] quit
    [Switch-aaa] quit

    # Specify the domain huawei.com as a global default administrative domain.

    [Switch] domain huawei.com admin

  3. Configure local authentication.

    # Set the local account to user1, password to Huawei@123, and privilege level to 15.

    [Switch] aaa
    [Switch-aaa] local-user user1 password irreversible-cipher Huawei@123
    [Switch-aaa] local-user user1 service-type ssh
    [Switch-aaa] local-user user1 privilege level 15
    [Switch-aaa] return

  4. Configure a RADIUS server.

    The configuration includes adding a device, adding an administrator account, and setting the administrator level to 15.

  5. Verify the configuration.

    • Check whether the administrator can successfully log in to the switch through STelnet.

      Enter the user name user1 and password Huawei@123 configured on the RADIUS server. The administrator is then successfully authenticated and logs in to the switch through STelnet.

    • When the link between the switch and RADIUS server is working properly, run the display access-user username user-name detail command on the switch to check information about the user user1.
      In the command output, the values of User access type, User Privilege, User authentication type, Current authentication method, Current authorization method, and Current accounting method indicate that the login mode, user level, authentication type, and AAA mode of the user are SSH, 15, administrator authentication, and RADIUS, respectively.
      <Switch> display access-user username user1 detail
        ------------------------------------------------------------------------------

       Basic:
         User ID                         : 11
         User name                       : user1
         Domain-name                     : huawei.com
         User MAC                        : -
         User IP address                 : 10.1.1.10
         User IPv6 address               : -
         User access time                : 2019/07/10 09:15:02
         User accounting session ID      : huawei255255000000000f****2016009
         Option82 information            : -
         User access type                : SSH
         User Privilege                  :

       AAA:
         User authentication type        : Administrator authentication
         Current authentication method   : RADIUS
         Current authorization method    : -
         Current accounting method       : RADIUS

        ------------------------------------------------------------------------------
    • When the link between the switch and RADIUS server is disconnected, run the display access-user username user-name detail command on the switch to check information about the user user1.
      In the command output, the values of User access type, User Privilege, User authentication type, Current authentication method, Current authorization method, and Current accounting method indicate that the login mode is SSH, the privilege level is 15, the authentication type is administrator authentication, and the authentication mode is local authentication.
      <Switch> display access-user username user1 detail
        ------------------------------------------------------------------------------

       Basic:
         User ID                         : 11
         User name                       : user1
         Domain-name                     : huawei.com
         User MAC                        : -
         User IP address                 : 10.1.1.10
         User IPv6 address               : -
         User access time                : 2019/07/10 09:20:02
         User accounting session ID      : huawei255255000000000f****2016009
         Option82 information            : -
         User access type                : SSH
         User Privilege                  :

       AAA:
         User authentication type        : Administrator authentication
         Current authentication method   : Local
         Current authorization method    : -
         Current accounting method       : RADIUS

        ------------------------------------------------------------------------------
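As an added check that is not part of the page, this Python parses the display access-user username user-name detail output shown above into fields and reports every value that differs from the expected administrator state (SSH, level 15, administrator authentication, and RADIUS while the link is up or Local while it is down). The sample output is constructed here after the page's link-down listing.

```python
import re

# Constructed sample, modelled on the "display access-user username user1 detail"
# output that the page shows for the link-down case
SAMPLE_OUTPUT = """\
  ------------------------------------------------------------------------------
 Basic:
   User ID                         : 11
   User name                       : user1
   Domain-name                     : huawei.com
   User access time                : 2019/07/10 09:20:02
   User access type                : SSH
   User Privilege                  : 15
 AAA:
   User authentication type        : Administrator authentication
   Current authentication method   : Local
   Current authorization method    : -
   Current accounting method       : RADIUS
  ------------------------------------------------------------------------------
"""

# One "key : value" line; the key stops at the first colon, so values may contain colons
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9 \-]+?)\s*:\s*(?P<val>.*?)\s*$")

def parse_access_user(output):
    """Turn the command output into a dict; section headers like 'Basic:' are skipped."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("val"):
            fields[m.group("key")] = m.group("val")
    return fields

def check_admin_session(output, link_up):
    """Return the fields that do not match the expected administrator login state."""
    fields = parse_access_user(output)
    expected = {
        "User access type": "SSH",
        "User Privilege": "15",
        "User authentication type": "Administrator authentication",
        # Local authentication is only expected once the RADIUS server is unreachable
        "Current authentication method": "RADIUS" if link_up else "Local",
    }
    return [f"{k}: expected {v!r}, got {fields.get(k)!r}"
            for k, v in expected.items() if fields.get(k) != v]
```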

Configuration Files

Switch configuration file

#
sysname Switch
#
radius-server template 1
 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
 radius-server authentication 10.1.6.6 1812 weight 80
 radius-server accounting 10.1.6.6 1813 weight 80
#
aaa
 authentication-scheme sch1
  authentication-mode radius local
 accounting-scheme acc1
  accounting-mode radius
  accounting start-fail online
 domain huawei.com
  authentication-scheme sch1
  accounting-scheme acc1
  radius-server 1
 local-user user1 password irreversible-cipher $1a$&YTv-xg$H<$Rj=5*sUqT+0i<B<0lAELMMraNPQAp'cD1!N~mjNI$
 local-user user1 privilege level 15
 local-user user1 service-type ssh
#
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound ssh
#
stelnet server enable
ssh authentication-type default password
#
return
Copyright © Huawei Technologies Co., Ltd.