
Configuring an AAA Scheme

Context

An AAA scheme defines the authentication, authorization, and accounting modes used by users. If RADIUS AAA is used, set the authentication mode to RADIUS in the authentication scheme, and set the accounting mode to RADIUS in the accounting scheme. RADIUS authentication is combined with authorization and cannot be separated. If authentication succeeds, authorization also succeeds. If RADIUS authentication is used, you do not need to configure an authorization scheme.

To prevent authentication failures caused by no response from a single authentication mode, configure local authentication or non-authentication as the backup authentication mode in the authentication scheme.

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme scheme-name

      An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.

      By default, two authentication schemes named default and radius exist on the device. These two schemes can be modified but cannot be deleted.

    4. Run authentication-mode radius

      The authentication mode is set to RADIUS.

      By default, local authentication is used, and the names of local users are case-insensitive.

      To configure local authentication as the backup authentication mode, run the authentication-mode radius { local | local-case } command.

    5. (Optional) Run undo server no-response accounting

      The device is configured not to send accounting packets when the server does not respond to a user's authentication request and the user is then authenticated using the local authentication mode.

      By default, when the accounting function is configured, the device does not send accounting packets when the server does not respond to a user's authentication request and the user is then authenticated using the local authentication mode.

    6. (Optional) Run radius-reject local

      The administrator is configured to be authenticated using the local authentication mode after the administrator's RADIUS authentication request is rejected.

      By default, an administrator is not authenticated using the local authentication mode after the administrator's RADIUS authentication request is rejected. After the RADIUS authentication request is rejected, that is, the RADIUS server responds with an Access-Reject packet, the authentication process ends and the administrator fails to be authenticated.

      • This function takes effect only for the administrators.
      • To implement this function, the authentication mode must be RADIUS + local authentication.

    7. (Optional) Run authentication-super [ hwtacacs | radius | super ] * none

      The authentication mode used to upgrade user levels in the current authentication scheme is configured.

      By default, the super mode is used. That is, local authentication is used.

    8. (Optional) Run authentication-type radius chap access-type admin [ ftp | ssh | telnet | terminal | http ] *

      PAP authentication is replaced with CHAP authentication when RADIUS authentication is performed on administrators.

      By default, PAP authentication is used when RADIUS authentication is performed on administrators.

    9. Run quit

      Return to the AAA view.

    10. (Optional) Configure the account locking function.

      1. Run the access-user remote authen-fail retry-interval retry-interval retry-time retry-time block-time block-time command to enable the account locking function for access users who fail remote authentication.

        Or: run the administrator remote authen-fail retry-interval retry-interval retry-time retry-time block-time block-time command to enable the account locking function for administrators who fail remote authentication.

        By default, the account locking function is disabled for access users who fail remote authentication, and the account locking function is enabled for administrators who fail remote authentication. The authentication retry interval is 5 minutes, the maximum number of consecutive authentication failures is 30, and the account locking period is 5 minutes.

      2. Run aaa-quiet administrator except-list { ipv4-address | ipv6-address } &<1-32>

        Specified IP addresses are configured from which a user can still access the network after the user account is locked.

        By default, a user cannot access the network if the user account is locked.

        You can run the display aaa-quiet administrator except-list command to query the specified IP addresses.

      3. Run remote-user authen-fail unblock { all | username username }

        A remote AAA authentication account that has failed authentication is unlocked.

    11. (Optional) Run aaa-author session-timeout invalid-value enable

      The device is disabled from disconnecting or reauthenticating users when the RADIUS server delivers the Session-Timeout attribute with value 0.

      By default, when the RADIUS server delivers the Session-Timeout attribute with value 0, this attribute does not take effect.

    12. Run quit

      Return to the system view.

    13. (Optional) Run aaa-authen-bypass enable time time-value

      The bypass authentication timeout interval is configured.

      By default, the bypass authentication function is disabled.

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.

      By default, an accounting scheme named default exists on the device. This scheme can be modified but cannot be deleted.

    4. Run accounting-mode radius

      The accounting mode is set to RADIUS.

      By default, the accounting mode is none.

    5. (Optional) Configure policies for accounting failures.

      • Configure a policy for accounting-start failures.

        Run accounting start-fail { offline | online }

        A policy for accounting-start failures is configured.

        By default, users cannot go online if accounting-start fails.

      • Configure a policy for real-time accounting failures.

        1. Run accounting realtime interval

          The real-time accounting function is enabled, and the interval for real-time accounting is configured.

          By default, the device performs accounting based on the user online duration, and the real-time accounting function is disabled.

        2. Run accounting interim-fail [ max-times times ] { offline | online }

          The maximum number of real-time accounting failures and a policy used after the number of real-time accounting failures exceeds the maximum are configured.

          By default, the maximum number of real-time accounting failures is 3, and the device keeps users online after the number of real-time accounting failures exceeds the maximum.

      • Configure a policy for accounting-stop failures.

        1. Run quit

          Return to the AAA view.

        2. Run quit

          Return to the system view.

        3. Run radius-server template template-name

          The RADIUS server template view is displayed.

        4. Run radius-server accounting-stop-packet resend [ resend-times ]

          Retransmission of accounting-stop packets is enabled, and the number of accounting-stop packets that can be retransmitted each time is configured.

          By default, retransmission of accounting-stop packets is enabled, and the number of retransmissions is 3.

    6. (Optional) Run quit

      Return to the system view.

    7. (Optional) Run authentication-profile name authentication-profile-name

      The authentication profile view is displayed.

      By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

      Only the NAC unified mode supports this command.

    8. (Optional) Run authentication { update-info-accounting | update-ip-accounting } * enable

      The device is configured to send accounting packets when terminal information or the terminal address is updated.

      By default, the device sends accounting packets when terminal information or the terminal address is updated.

      Only the NAC unified mode supports this command.
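
The following consolidated CLI session is an added example, not part of the original page, that applies both procedures above on one device: RADIUS authentication with local backup, local fallback on Access-Reject for administrators, CHAP for administrator SSH logins, administrator account locking, and RADIUS accounting with an accounting-start failure policy. The scheme names radius-auth and radius-acct, the template name rad-tpl, the except-list address 10.0.0.10, the prompt view names, and all timer and counter values are assumptions; lines starting with # are annotations, not commands.

```text
<HUAWEI> system-view
[HUAWEI] aaa
# Authentication scheme: RADIUS first, local as backup, so a RADIUS server
# that stops responding does not lock administrators out of the device.
[HUAWEI-aaa] authentication-scheme radius-auth
[HUAWEI-aaa-authen-radius-auth] authentication-mode radius local
# Also fall back to local authentication when RADIUS answers Access-Reject
# (administrators only; requires the RADIUS + local mode configured above).
[HUAWEI-aaa-authen-radius-auth] radius-reject local
# Replace PAP with CHAP for administrator RADIUS authentication over SSH.
[HUAWEI-aaa-authen-radius-auth] authentication-type radius chap access-type admin ssh
[HUAWEI-aaa-authen-radius-auth] quit
# Account locking for administrators who fail remote authentication
# (assumed values: 5-minute retry interval, 10 consecutive failures, 10-minute lock).
[HUAWEI-aaa] administrator remote authen-fail retry-interval 5 retry-time 10 block-time 10
# Management host that may still log in while an account is locked (assumed address).
[HUAWEI-aaa] aaa-quiet administrator except-list 10.0.0.10
# Accounting scheme: RADIUS accounting, refuse access if accounting-start fails,
# real-time accounting at an assumed interval of 15, users go offline after
# 3 consecutive real-time accounting failures.
[HUAWEI-aaa] accounting-scheme radius-acct
[HUAWEI-aaa-accounting-radius-acct] accounting-mode radius
[HUAWEI-aaa-accounting-radius-acct] accounting start-fail offline
[HUAWEI-aaa-accounting-radius-acct] accounting realtime 15
[HUAWEI-aaa-accounting-radius-acct] accounting interim-fail max-times 3 offline
[HUAWEI-aaa-accounting-radius-acct] quit
[HUAWEI-aaa] quit
# Accounting-stop retransmission is set in the RADIUS server template (name assumed).
[HUAWEI] radius-server template rad-tpl
[HUAWEI-radius-rad-tpl] radius-server accounting-stop-packet resend 3
[HUAWEI-radius-rad-tpl] quit
# Verify both schemes.
[HUAWEI] display authentication-scheme radius-auth
[HUAWEI] display accounting-scheme radius-acct
```

Unlocking a locked account, if needed, is done with the remote-user authen-fail unblock command from step 10 of the authentication procedure.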

Verifying the Configuration

  • Run the display authentication-scheme [ authentication-scheme-name ] command to view the authentication scheme configuration.
  • Run the display accounting-scheme [ accounting-scheme-name ] command to view the accounting scheme configuration.
Copyright © Huawei Technologies Co., Ltd.