In Figure 1, SwitchA functions as the NAS device on the enterprise network, and two RADIUS servers are deployed. Enterprise users are authenticated in 802.1X + RADIUS authentication mode and can access the Internet after passing authentication. The administrator wants users to obtain escape authorization if a RADIUS server fault occurs, with the same rights during escape as after successful authentication. After the RADIUS server fault is rectified, users are re-authenticated and re-authorized by the RADIUS server.
Configuration Item | Data
---|---
Algorithm for selecting RADIUS servers | Primary/secondary (default value)
Conditions for setting the RADIUS server status to Down | As configured in the procedure: radius-server dead-interval 5, dead-count 2, detect-cycle 2, max-unresponsive-interval 300
Retransmission of RADIUS request packets | 3 retransmissions, 5-second timeout (default values)
Automatic detection | Test user test1 (password abc@123); detection interval 60 seconds, detection timeout 3 seconds (default values)
Escape rights if a RADIUS server fault occurs | Enterprise users can access the Internet.
# Create VLANs, add the interfaces to them, and assign IP addresses to the VLANIF interfaces. Ensure that SwitchA and the RADIUS servers are routable to each other.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access
[SwitchA-GigabitEthernet0/0/2] port default vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 192.168.2.10 24
[SwitchA-Vlanif20] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.1.10 24
[SwitchA-Vlanif10] quit
# Create a RADIUS server template named controller.
[SwitchA] radius-server template controller
# Configure the RADIUS shared key, configure the IP addresses and port numbers of the primary and secondary authentication and accounting servers, and set the algorithm for selecting RADIUS servers.
[SwitchA-radius-controller] radius-server authentication 10.7.66.66 1812 weight 80
[SwitchA-radius-controller] radius-server accounting 10.7.66.66 1813 weight 80
[SwitchA-radius-controller] radius-server authentication 10.7.66.67 1812 weight 40
[SwitchA-radius-controller] radius-server accounting 10.7.66.67 1813 weight 40
[SwitchA-radius-controller] radius-server algorithm master-backup
[SwitchA-radius-controller] radius-server shared-key cipher Huawei@123
# Configure the automatic detection function.
[SwitchA-radius-controller] radius-server testuser username test1 password cipher abc@123
# Configure the automatic detection interval for RADIUS servers in Down status and the timeout period for detection packets. (The default values are used.)
[SwitchA-radius-controller] radius-server detect-server interval 60
[SwitchA-radius-controller] radius-server detect-server timeout 3
# Configure the number of retransmission times and interval of RADIUS Access-Request packets. (The default values are used.)
[SwitchA-radius-controller] radius-server retransmit 3 timeout 5
[SwitchA-radius-controller] quit
# Configure the conditions for setting the RADIUS server status to Down.
[SwitchA] radius-server dead-interval 5
[SwitchA] radius-server dead-count 2
[SwitchA] radius-server detect-cycle 2
[SwitchA] radius-server max-unresponsive-interval 300
# Configure the authentication scheme auth and set the authentication mode to RADIUS authentication.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme auth
[SwitchA-aaa-authen-auth] authentication-mode radius
[SwitchA-aaa-authen-auth] quit
# Configure the accounting scheme acc and set the accounting mode to RADIUS accounting.
[SwitchA-aaa] accounting-scheme acc
[SwitchA-aaa-accounting-acc] accounting-mode radius
[SwitchA-aaa-accounting-acc] quit
# Create the domain huawei and bind the authentication scheme auth, the accounting scheme acc, and the RADIUS server template controller to it.
[SwitchA-aaa] domain huawei
[SwitchA-aaa-domain-huawei] authentication-scheme auth
[SwitchA-aaa-domain-huawei] accounting-scheme acc
[SwitchA-aaa-domain-huawei] radius-server controller
[SwitchA-aaa-domain-huawei] quit
[SwitchA-aaa] quit
# Switch the NAC mode to unified.
By default, the unified mode is used. After the NAC mode is switched, the device automatically reboots. You can run the display authentication mode command to check the current NAC mode of the device.
[SwitchA] authentication unified-mode
# Create the 802.1X access profile d1.
[SwitchA] dot1x-access-profile name d1
[SwitchA-dot1x-access-profile-d1] quit
By default, an 802.1X access profile uses the EAP relay authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the RADIUS server cannot process 802.1X authentication request packets.
# Configure the authentication profile p1, bind the 802.1X access profile d1 to the authentication profile, and specify the domain huawei as the forcible authentication domain in the authentication profile.
After a forcible domain is configured in the authentication profile, users using this authentication profile are authenticated in that domain regardless of whether their user names carry a domain name, and regardless of which domain name they carry.
[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] dot1x-access-profile d1
[SwitchA-authen-profile-p1] access-domain huawei force
[SwitchA-authen-profile-p1] quit
# Configure escape rights if a RADIUS server fault occurs and configure the reauthentication function if the RADIUS server fault is rectified. The authorization service scheme during user escape is used as an example. For details about other authorization information, see (Optional) Configuring Authentication Event Authorization Information.
[SwitchA] acl 3001
[SwitchA-acl-adv-3001] rule 1 permit ip source 192.168.2.0 0.0.0.255
[SwitchA-acl-adv-3001] quit
[SwitchA] aaa
[SwitchA-aaa] service-scheme s1
[SwitchA-aaa-service-s1] acl-id 3001
[SwitchA-aaa-service-s1] quit
[SwitchA-aaa] quit
[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] authentication event authen-server-down action authorize service-scheme s1
[SwitchA-authen-profile-p1] authentication event authen-server-up action re-authen
[SwitchA-authen-profile-p1] quit
# Bind the authentication profile p1 to interfaces ranging from GE0/0/2 to GE0/0/n and enable 802.1X authentication. Take GE0/0/2 as an example.
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] authentication-profile p1
[SwitchA-GigabitEthernet0/0/2] quit
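To make the failover and escape sequence the steps above configure concrete, here is an added Python model of SwitchA's behaviour (an illustration written for this page, not Huawei code). It assumes simplified timer semantics: a server is marked Down after dead-count consecutive unanswered Access-Requests, each request is retried retransmit times with timeout seconds between tries, and a Down server is brought back to Up only by the test-user probe. The user names and the timeline are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    ip: str
    weight: int
    reachable: bool = True   # toggled by the scenario to simulate a server fault
    status: str = "up"       # the [up]/[down] flag shown by display radius-server
    unanswered: int = 0      # consecutive Access-Requests that got no reply


@dataclass
class Nas:
    """SwitchA as 802.1X authenticator, with the values from the steps above."""
    servers: list
    retransmit: int = 3      # radius-server retransmit 3 timeout 5
    timeout: int = 5
    dead_count: int = 2      # radius-server dead-count 2 (assumed: counted per request)
    escape_scheme: str = "s1"
    authorized: dict = field(default_factory=dict)   # user -> (source, detail)

    def candidates(self):
        """master-backup algorithm: highest weight first, Down servers skipped."""
        return sorted((s for s in self.servers if s.status == "up"),
                      key=lambda s: s.weight, reverse=True)

    def request(self, server):
        """One Access-Request plus retransmissions; returns (answered, seconds)."""
        if server.reachable:
            server.unanswered = 0
            return True, 0
        server.unanswered += 1
        if server.unanswered >= self.dead_count:
            server.status = "down"
        return False, (1 + self.retransmit) * self.timeout

    def authenticate(self, user):
        """Returns ((source, detail), seconds the user waited)."""
        waited = 0
        for server in self.candidates():
            answered, seconds = self.request(server)
            waited += seconds
            if answered:
                self.authorized[user] = ("radius", server.ip)
                return self.authorized[user], waited
        # No server answered: authentication event authen-server-down
        # action authorize service-scheme s1
        self.authorized[user] = ("escape", self.escape_scheme)
        return self.authorized[user], waited

    def detect(self):
        """Test-user probe of Down servers (radius-server testuser/detect-server);
        a recovered server triggers authen-server-up action re-authen."""
        recovered = []
        for server in self.servers:
            if server.status == "down" and server.reachable:
                server.status, server.unanswered = "up", 0
                recovered.append(server.ip)
        if recovered:
            for user, (source, _) in list(self.authorized.items()):
                if source == "escape":
                    self.authenticate(user)
        return recovered


def run_scenario():
    """Timeline: normal authentication, outage with escape, recovery with re-auth."""
    primary = RadiusServer("10.7.66.66", 80)
    backup = RadiusServer("10.7.66.67", 40)
    nas = Nas([primary, backup])
    events = [("alice", *nas.authenticate("alice"))]
    primary.reachable = backup.reachable = False          # both servers fail
    events.append(("bob", *nas.authenticate("bob")))      # waits out retransmissions
    events.append(("carol", *nas.authenticate("carol")))  # servers reach dead_count
    events.append(("dave", *nas.authenticate("dave")))    # both Down: instant escape
    primary.reachable = True                              # fault rectified
    events.append(("detect", nas.detect(), dict(nas.authorized)))
    return events


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```

The timeline shows two things the configuration text only implies: until the servers are marked Down, every new user waits out the full retransmission budget ((1 + 3) * 5 seconds per server, 40 seconds here) before escape authorization applies, whereas once both servers are Down the escape is immediate; and the detect step shows the re-authen event moving escaped users back to RADIUS-authorized rights as soon as a server is Up again.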
# Run the display radius-server configuration template template-name command on SwitchA to check the configuration of the RADIUS server template controller.
[SwitchA] display radius-server configuration template controller
------------------------------------------------------------------------------
Server-template-name : controller
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : %^%#<1bHCyUgA+s\%jzV_Pwl`i1[e}HX=iRl1+qD+P%^%#
Group-filter : class
Timeout-interval(in second) : 5
Retransmission : 3
EndPacketSendTime : 3
Dead time(in minute) : 5
Domain-included : Original
NAS-IP-Address : -
Calling-station-id MAC-format : xxxx-xxxx-xxxx
Called-station-id MAC-format : XX-XX-XX-XX-XX-XX
NAS-Port-ID format : New
Service-type : -
WLAN Called-station-id format : ap-mac:ssid
NAS-IPv6-Address : ::
Server algorithm : master-backup
Detect-interval(in second) : 60
Detect up-server(in second) : 0
Detect timeout(in second) : 3
Testuser-username : test1
Testuser-ciperpwd : %^%#sn\dDprW4(}@sqUZGhg&8vMD4PatvD@H56)p7]7$%^%#
Chargeable-user-identity : Not Support
CUI Not reject : No
Authentication Server 1 : 10.7.66.66 Port:1812 Weight:80 [up]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Authentication Server 2 : 10.7.66.67 Port:1812 Weight:40 [up]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Accounting Server 1 : 10.7.66.66 Port:1813 Weight:80 [up]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Accounting Server 2 : 10.7.66.67 Port:1813 Weight:40 [up]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
------------------------------------------------------------------------------
# Run the display authentication-profile configuration name authentication-profile-name command on SwitchA to check the configuration of the authentication profile p1.
[SwitchA] display authentication-profile configuration name p1
Profile name : p1
Dot1x access profile name : d1
Mac access profile name : -
Portal access profile name : -
Free rule template : -
Force domain : huawei
Dot1x force domain : -
Mac-authen force domain : -
Portal force domain : -
Default domain : -
Dot1x default domain : -
Mac-authen default domain : -
Portal default domain : -
Permit domain : -
Authentication handshake : Enable
Authentication handshake period : 300s
Auth-fail re-auth period : 60s
Pre-auth re-auth period : 60s
Auth-fail aging time : 82800s
Pre-auth aging time : 82800s
Dot1x-mac-bypass : Disable
Mac authen before 802.1x authen force : Disable
Single-access : Disable
Device-type authorize service-scheme : -
Mac move detect enable : Enable
Authentication mode : multi-authen
Authen-fail authorize service-scheme : -
Authen-server-down authorize service-scheme : s1
Pre-authen authorize service-scheme : -
Security-name-delimiter : -
Domain-name-delimiter : -
Domain-location : -
Domainname-parse-direction : -
WLAN max user number : 128
Bound vap profile : -
SVF flag : Disable
Ip-static-user : Disable
Roam-realtime-accounting : Disable
Update-IP-realtime-accounting : Enable
IP-address in-accounting-start : Disable
IP-address arp-delay : Disable
Update-session-mode : Disable
Linkdown offline delay time : 10
Termination action : -
Control direction : Inbound
Update-Info-realtime-accounting : Enable
Authentication roam pre-authen mac-authen : Disable
When SwitchA and the RADIUS server are properly connected, run the display radius-server item template controller command on SwitchA to check whether the RADIUS server status is Up (STState = STState-up).
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
authentication-profile name p1
 dot1x-access-profile d1
 access-domain huawei force
 authentication event authen-server-down action authorize service-scheme s1
 authentication event authen-server-up action re-authen
#
radius-server template controller
 radius-server shared-key cipher %^%#<1bHCyUgA+s\%jzV_Pwl`i1[e}HX=iRl1+qD+P%^%#
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server authentication 10.7.66.67 1812 weight 40
 radius-server accounting 10.7.66.66 1813 weight 80
 radius-server accounting 10.7.66.67 1813 weight 40
 radius-server testuser username test1 password cipher %^%#sn\dDprW4(}@sqUZGhg&8vMD4PatvD@H56)p7]7$%^%#
#
acl number 3001
 rule 1 permit ip source 192.168.2.0 0.0.0.255
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acc
  accounting-mode radius
 service-scheme s1
  acl-id 3001
 domain huawei
  authentication-scheme auth
  accounting-scheme acc
  radius-server controller
#
interface Vlanif10
 ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
 ip address 192.168.2.10 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
 authentication-profile p1
#
dot1x-access-profile name d1
#
return
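A check worth running before relying on an escape configuration: the added Python script below (written for this page, not part of the Huawei documentation) parses a configuration file in the format shown above and verifies that the escape chain is complete, that is, the authentication profile authorizes a service scheme on authen-server-down, re-authenticates on authen-server-up, the service scheme exists and binds an ACL, the ACL has rules, and the RADIUS template has a backup server and a test user. The embedded configuration is a constructed copy of SwitchA's file trimmed to the relevant sections, with <cipher> standing in for the device's ciphertext strings. For this page's configuration the only finding is informational: ACL 3001 permits any destination from 192.168.2.0/24, which is exactly the "same rights as after authentication" the scenario asks for, but it is the line an administrator should see at a glance.

```python
# Constructed sample: SwitchA's configuration file from the page, trimmed to the
# sections the check needs; <cipher> stands in for the device's ciphertext.
SWITCHA_CONFIG = """\
#
authentication-profile name p1
 dot1x-access-profile d1
 access-domain huawei force
 authentication event authen-server-down action authorize service-scheme s1
 authentication event authen-server-up action re-authen
#
radius-server template controller
 radius-server shared-key cipher %^%#<cipher>%^%#
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server authentication 10.7.66.67 1812 weight 40
 radius-server accounting 10.7.66.66 1813 weight 80
 radius-server accounting 10.7.66.67 1813 weight 40
 radius-server testuser username test1 password cipher %^%#<cipher>%^%#
#
acl number 3001
 rule 1 permit ip source 192.168.2.0 0.0.0.255
#
aaa
 authentication-scheme auth
  authentication-mode radius
 service-scheme s1
  acl-id 3001
 domain huawei
  authentication-scheme auth
  radius-server controller
#
return
"""


def parse_sections(text):
    """Split a Huawei-style config into {header: [indented lines]} blocks ('#' separated)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.strip() in ("", "#", "return"):
            current = None
            continue
        if current is None:
            current = line.strip()
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def sub_blocks(lines):
    """Group a block's lines by indent: one space = sub-block header, two = its entries."""
    blocks, key = {}, None
    for line in lines:
        if len(line) - len(line.lstrip()) <= 1:
            key = line.strip()
            blocks[key] = []
        else:
            blocks[key].append(line.strip())
    return blocks


def audit_escape(config_text):
    """Return (scope, level, message) findings about the RADIUS escape setup."""
    sections = parse_sections(config_text)
    aaa = sub_blocks(sections.get("aaa", []))
    findings = []
    for header, lines in sections.items():
        entries = [l.strip() for l in lines]
        if header.startswith("radius-server template "):
            name = header.split()[-1]
            if sum(e.startswith("radius-server authentication ") for e in entries) < 2:
                findings.append((name, "warn", "single authentication server: no failover before escape"))
            if not any(e.startswith("radius-server testuser ") for e in entries):
                findings.append((name, "warn", "no test user: automatic detection of Down servers is off"))
        if not header.startswith("authentication-profile name "):
            continue
        profile = header.split()[-1]
        down = [e for e in entries
                if e.startswith("authentication event authen-server-down action authorize service-scheme ")]
        if not down:
            findings.append((profile, "warn", "no escape authorization for authen-server-down"))
            continue
        if "authentication event authen-server-up action re-authen" not in entries:
            findings.append((profile, "warn", "escaped users are never re-authenticated after recovery"))
        scheme = down[0].split()[-1]
        scheme_lines = aaa.get(f"service-scheme {scheme}")
        if scheme_lines is None:
            findings.append((profile, "error", f"service-scheme {scheme} is referenced but not defined"))
            continue
        acl_ids = [e.split()[-1] for e in scheme_lines if e.startswith("acl-id ")]
        if not acl_ids:
            findings.append((profile, "warn", f"service-scheme {scheme} binds no ACL: escape rights are unrestricted"))
        for acl in acl_ids:
            rules = [l.strip() for l in sections.get(f"acl number {acl}", [])]
            if not rules:
                findings.append((profile, "error", f"acl {acl} is empty or missing"))
            for rule in rules:
                if rule.split()[2] == "permit" and "destination" not in rule:
                    findings.append((profile, "info", f"acl {acl} '{rule}' permits any destination: escape grants full access"))
    return findings


if __name__ == "__main__":
    for scope, level, message in audit_escape(SWITCHA_CONFIG):
        print(f"[{level}] {scope}: {message}")
```

The parser relies on the one-space-per-level indentation that the device prints in its configuration file; a flattened copy without that indentation will not split the aaa block correctly. The ACL check is deliberately coarse (a permit rule with no destination keyword), which is enough to surface how wide the escape rights are without re-implementing ACL semantics.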