radius-server calling-station-id

Function

The radius-server calling-station-id command configures a method of constructing the No. 31 RADIUS public attribute, namely, Calling-Station-Id.

The undo radius-server calling-station-id command deletes the configured method of constructing the No. 31 RADIUS public attribute.

By default, no method of constructing the No. 31 RADIUS public attribute is configured.

This command is supported only on the NetEngine 8000 F1A.

Format

radius-server calling-station-id include [ delimiter delimiter ] { { option82 | access-line-id } [ delimiter delimiter ] | mac [ mac-format type1 ] [ delimiter delimiter ] | interface [ delimiter delimiter ] | domain [ delimiter delimiter ] | sysname [ delimiter delimiter ] } *

radius-server calling-station-id include refer-option61

radius-server calling-station-id include vlan-binding

radius-server calling-station-id lns-default version1

radius-server calling-station-id include vlan-description

radius-server calling-station-id include llid user-type { ppp | lns } *

radius-server calling-station-id include pevlan [ { delimiter delimiter-vlan } [ cevlan ] ]

radius-server calling-station-id include cevlan [ { delimiter delimiter-vlan } [ pevlan ] ]

radius-server calling-station-id lns-default version1 force

radius-server calling-station-id include line-id

undo radius-server calling-station-id

undo radius-server calling-station-id lns-default version1

undo radius-server calling-station-id include llid user-type { ppp | lns } *

undo radius-server calling-station-id lns-default version1 force

Parameters

Parameter Description Value
delimiter delimiter-vlan

Indicates the delimiter.

The value can be b, *, -, \, #, $, @, &, :.

delimiter delimiter

Indicates the delimiter.

The value can be b, *, -, \, #, $, @, &, :, _.

option82

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the Option 82 field.

-

access-line-id

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the access-line-id field.

-

mac

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the MAC address.

-

mac-format

Indicates the delimiter format of the MAC address.

Specifies type1 so that the MAC address is displayed in the format of aa-bb-cc-dd-ee-ff. By default, the MAC address is displayed in the format of aa:bb:cc:dd:ee:ff.

type1

Specifies type1 so that the MAC address is displayed in the format of aa-bb-cc-dd-ee-ff.

-

interface

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the interface.

-

domain

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the domain name.

-

sysname

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the system name.

-

refer-option61

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed as follows.

  • If user packets carry Option 61, the Calling-Station-Id attribute contains a user's MAC address.
  • If user packets do not carry Option 61, the Calling-Station-Id attribute contains a user name that excludes a domain name.

-

vlan-binding

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the slot(2)port(2)vpi(2)vci(4)vlan(4)mac(12) format. The vpi(2) and vci(4) field values are fixed at 0.

-

lns-default

Indicates the default Calling-Station-Id attribute format on the LNS.

-

version1

Indicates version 1, which includes the device's system name and access interface information. The value ends with #0#0.

-

vlan-description

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the vlan-description format, that is, sysname#slot/subslot/port#Pevlan.CeVlan#vlan-description. In this format, sysname has a maximum of 30 characters, and vlan-description has a maximum of 128 characters. If vlan-description is configured, the Calling-Station-Id attribute in RADIUS authentication and accounting packets uses this format.

-

llid

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the logical line ID (LLID) information in an authentication accept packet sent by the RADIUS server.

-

user-type

Specifies the user type.

-

ppp

Indicates that the configuration takes effect for PPP users.

-

lns

Indicates that the configuration takes effect for LNS users.

-

pevlan

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the outer VLAN information.

-

cevlan

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the inner VLAN information.

-

line-id

Indicates that the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the prefix+remote-id+suffix format, that is, ######+remote-id+#. If line-id is configured, the Calling-Station-Id attribute in RADIUS authentication and accounting packets uses this format.

-

Views

RADIUS server group view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
radius write

Usage Guidelines

Usage Scenario

When a Huawei device is connected to another device not conforming to relevant standards, you can run the radius-server calling-station-id command to configure the Huawei device to construct the No. 31 RADIUS public attribute.

  • If the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the Option 82 field, run the client-option82 command on the BAS interface to configure the interface to trust the Option 82 information reported by the user.
  • After the radius-server calling-station-id include refer-option61 command is run, the Calling-Station-Id attribute format is determined based on Option 61:
    • If user packets carry Option 61, the Calling-Station-Id attribute contains a user's MAC address.
    • If user packets do not carry Option 61, the Calling-Station-Id attribute contains a user name that excludes a domain name.
  • If vlan-binding is specified, the Calling-Station-Id attribute is constructed in the format of slot(2)port(2)vpi(2)vci(4)vlan(4)mac(12). If the port field of a VE interface contains more than 2 bytes, all bytes in the port field are encapsulated. This attribute construction rule applies to both DHCP and PPP users.
  • If line-id is configured, the Calling-Station-Id attribute is constructed in the "prefix+remote-id+suffix" format, specifically, ######+remote-id+#.

    The maximum length of the Remote-Id attribute is 63 bytes. After the radius-server access-line-id length extend command is run, the maximum length of the Remote-ID attribute is 198 bytes. If the length of the Remote-Id attribute exceeds the maximum value, the Calling-Station-Id attribute is constructed based on the MAC address format.
  • If the radius-server calling-station-id include pevlan [ { delimiter <delimiter-vlan> } [ cevlan ] ] and radius-server calling-station-id include cevlan [ { delimiter <delimiter-vlan> } [ pevlan ] ] commands are run, the No. 31 RADIUS public attribute Calling-Station-Id is constructed based on the outer and inner VLAN information.

    The Calling-Station-Id attribute contains user VLAN information. You can specify either or both of pevlan and cevlan. If you specify both pevlan and cevlan and specify pevlan before specifying cevlan, the RADIUS server parses pevlan before parsing cevlan. If you specify cevlan before specifying pevlan, the RADIUS server parses cevlan before parsing pevlan.

    If access users send packets that carry single VLAN tags, the single VLAN tags can only be encapsulated into pevlan.
  • After the radius-server calling-station-id lns-default version1 command is run, the LNS encapsulates the Calling-Station-Id attribute into RADIUS authentication and accounting packets in the default format, even if the packets sent from the LAC to the LNS do not carry the calling-number attribute. By default, if the LAC sends user packets without the calling-number attribute to the LNS, the RADIUS authentication and accounting packets sent to the RADIUS server do not carry the Calling-Station-Id attribute.

    In some special scenarios, to enable the LNS to encapsulate the Calling-Station-Id attribute into RADIUS authentication and accounting packets in the default version1 format irrespective of whether the LAC sends the calling-number attribute to the LNS, run the radius-server calling-station-id lns-default version1 force command.
  • In RADIUS authentication and accounting scenarios, to enable user authentication and accounting request packets to carry LLID information in authentication accept packets sent by the RADIUS server to uniformly identify a type of users, run the radius-server calling-station-id include llid user-type { ppp | lns }* command.

    After the radius-server calling-station-id include llid user-type { ppp | lns }* command is run, the authentication process for PPP or LNS users changes as follows, and going-online performance is affected because users are authenticated twice.
    1. Two authentication request packets are sent. The format of the user name in the first authentication request packet is NAS-IP-Address NAS-Port-Id, and the password is the one configured using the default-password command. If the password is not configured, the actual password is used. The user name and password in the second authentication request packet and accounting request packet are the actual user name and password.
    2. If the RADIUS server delivers the LLID attribute in the first authentication accept packet, the Calling-Station-Id field in the second authentication request packet and accounting request packet is encapsulated with the LLID information. If the LLID attribute fails to be obtained (for example, the RADIUS server does not deliver the No. 31 RADIUS public attribute Calling-Station-Id, a RADIUS Access-Reject packet is received, or the authentication times out), the Calling-Station-Id field in the second authentication request packet and accounting request packet is the same as that in the first authentication request packet.
    3. If the shared key configured on the device is inconsistent with that configured on the RADIUS server, the second authentication is not performed.

    If the system fails to obtain the LLID information from the RADIUS server, the authentication and accounting packets for the second authentication will carry the No. 31 RADIUS Calling-Station-Id attribute by default. However, if this occurs after the radius-server calling-station-id disable with-llid-fail command is run, the authentication and accounting packets for the second authentication will not carry the No. 31 RADIUS Calling-Station-Id attribute. This configuration helps identify the users who have failed to obtain the LLID information.
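The following Python code is an added example, not Huawei code: it shows how a RADIUS server or log pipeline could validate received Calling-Station-Id values against the vlan-binding, line-id and vlan-description layouts described above, and flag a line-id value that arrived as a MAC address because the Remote-Id exceeded the maximum length. Assumptions: field widths are character counts, the vlan-binding string consists of hexadecimal digits, the interface and VLAN fields of vlan-description are decimal, the MAC fallback uses the same form as include mac, and all sample values are constructed.

```python
import re

MAC_RE = re.compile(r"[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}", re.I)

def parse_vlan_binding(v):
    # slot(2) port(2+) vpi(2) vci(4) vlan(4) mac(12), assumed hex digits; a VE port
    # may exceed 2 chars, so the fixed-width fields are cut from the right-hand end.
    if len(v) < 26 or not re.fullmatch(r"[0-9a-f]+", v, re.I):
        return None
    tail = v[-22:]
    if tail[:6] != "000000":  # vpi(2) and vci(4) are fixed at 0
        return None
    return {"slot": v[:2], "port": v[2:-22], "vlan": tail[6:10], "mac": tail[10:].lower()}

def parse_line_id(v, max_remote_id=63):
    # ######+remote-id+#; limit is 63 bytes, or 198 with the length extend command
    if not (v.startswith("######") and v.endswith("#") and len(v) > 7):
        return None
    remote_id = v[6:-1]
    return {"remote_id": remote_id} if len(remote_id.encode()) <= max_remote_id else None

def parse_vlan_description(v):
    # sysname#slot/subslot/port#Pevlan.CeVlan#vlan-description (numeric fields assumed)
    parts = v.split("#", 3)
    if len(parts) != 4 or not 0 < len(parts[0]) <= 30 or len(parts[3]) > 128:
        return None
    sysname, iface, vlans, desc = parts
    if not re.fullmatch(r"\d+/\d+/\d+", iface) or not re.fullmatch(r"\d+\.\d+", vlans):
        return None
    pe, ce = map(int, vlans.split("."))
    return {"sysname": sysname, "interface": iface, "pevlan": pe, "cevlan": ce,
            "description": desc}

PARSERS = {"vlan-binding": parse_vlan_binding, "line-id": parse_line_id,
           "vlan-description": parse_vlan_description}

def check(expected, value, **opts):
    """Return (status, fields); opts (max_remote_id) apply to line-id only."""
    fields = PARSERS[expected](value, **opts)
    if fields is not None:
        return "ok", fields
    if expected == "line-id" and MAC_RE.fullmatch(value):
        return "fallback-mac", {"mac": value.lower()}  # Remote-Id exceeded the limit
    return "unexpected", {}

if __name__ == "__main__":  # constructed sample values
    for fmt, val in [("vlan-binding", "0102000000010000e0fc123456"),
                     ("line-id", "######remote-1#"), ("line-id", "00:e0:fc:12:34:56")]:
        print(fmt, val, check(fmt, val))
```

A "fallback-mac" result on a group configured for line-id means the subscriber is being identified by MAC address rather than by Remote-Id, which is worth alerting on if policy is keyed to the line identifier.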

Precautions

The formats of encapsulating the Calling-Station-Id attribute configured using the commands with the include keyword are mutually exclusive. If two different commands with the include keyword are run, the later configuration overrides the previous one.

In VS mode, this command is supported only by the admin VS.

Example

# Configure the No. 31 RADIUS public attribute to be constructed based on the Option 82 field.
<HUAWEI> system-view
[~HUAWEI] radius-server group huawei
[*HUAWEI-radius-huawei] commit
[~HUAWEI-radius-huawei] radius-server calling-station-id include option82

# Use Option 61 to determine the Calling-Station-Id attribute format.
<HUAWEI> system-view
[~HUAWEI] radius-server group huawei
[*HUAWEI-radius-huawei] commit
[~HUAWEI-radius-huawei] radius-server calling-station-id include refer-option61

# Configure the No. 31 RADIUS public attribute to be constructed based on the MAC address format.
<HUAWEI> system-view
[~HUAWEI] radius-server group huawei
[*HUAWEI-radius-huawei] commit
[~HUAWEI-radius-huawei] radius-server calling-station-id include mac

# Configure the No. 31 RADIUS public attribute to be constructed based on the outer and inner VLAN information.
<HUAWEI> system-view
[~HUAWEI] radius-server group huawei
[*HUAWEI-radius-huawei] commit
[~HUAWEI-radius-huawei] radius-server calling-station-id include pevlan delimiter _ cevlan
Copyright © Huawei Technologies Co., Ltd.