< Home

Notice to Be Taken When the Device Connects to Non-Huawei RADIUS Servers

Notice to Be Taken When the Device Connects to an H3C iMC RADIUS Server

When the device connects to an H3C iMC RADIUS server to perform authentication, authorization, or accounting for 802.1X users, configure security check policies (for example, check whether the 802.1X client has two network cards and whether the 802.1X client version is correct) on the RADIUS server to improve security. In addition, perform the following operations on the device:

  1. Configure RADIUS accounting.

  2. Run the dot1x authentication-method eap command to configure EAP relay authentication for 802.1X users.

  3. Run the dot1x eap-notify-packet eap-code 10 data-type 25 command to configure the device to return the EAP packets with type value of 10 and data type of 25 to the RADIUS server.

  4. Run the radius-attribute translate HW-Up-Priority HW-User-Information receive command to convert the HW-Up-Priority attribute in the received RADIUS packets into HW-User-Information.

  5. If the RADIUS server needs to dynamically authorize AAA users, the attributes delivered by security check policy may be different from the attributes delivered by dynamic authorization. Therefore, run the authorization-modify mode modify command to set the update mode for user authorization information delivered by the RADIUS server to Modify. After the command is executed, the attributes delivered by dynamic authorization will not overwrite the attributes delivered by security check policy.

  6. (V200R010C00 and later versions) To use the session management function, run the radius-server session-manage ip-address shared-key cipher share-key command to enable session management on the RADIUS server and set the IP address and shared key of the RADIUS session management server.

If the active server fails, the switch sends the authentication request packets to the standby server. The timeout interval of the security check session on iNode is short. Therefore, you are advised to run the following command to ensure non-stop service:

Run the radius-server retransmit retry-times timeout time-value command to set the number of times RADIUS request packets are retransmitted to 1 and timeout interval to be shorter than 5s.

Notice to Be Taken When the Device Connects to a Ruijie RADIUS Server

If you want to view the MAC addresses or IP addresses of online users on a Ruijie RADIUS server, set the device type to H3C or Digital China on the RADIUS server

Notice to Be Taken When the Device Connects to a Leagsoft RADIUS Server

When the NAS-IP of the RADIUS client (device) is configured on the Leagsoft RADIUS server, the MAC address of the device also needs to be configured.

Notice to Be Taken When the Device Connects to a Symantec RADIUS Server

  • The Symantec RADIUS server can only be used as an authentication server, but cannot be used as an authorization or accounting server. When the device connects to a Symantec RADIUS server, ensure that the RADIUS server is not configured as an authorization or accounting server.
  • When the Symantec RADIUS server performs 802.1X authentication for users, perform the following configurations on the device:

    • Run the undo dot1x handshake command to disable handshake between the device and 802.1X online users.

    • Run the dot1x authentication-method eap command to configure EAP relay authentication for 802.1X users.

Parent Topic: Typical AAA Configuration
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
Next topic >