radius-server user-name(RADIUS server group view)

Function

The radius-server user-name command sets the name format of RADIUS server users.

The undo radius-server user-name domain-included command configures a device to delete the domain name from a user name before sending it to the RADIUS server.

By default, the user name includes the domain name.

Format

radius-server user-name domain-included

radius-server user-name original

undo radius-server user-name original

undo radius-server user-name domain-included

Parameters

Parameter | Description | Value
original | Indicates that the format of the user name is the same as what the user enters. The user name sent to the RADIUS server includes the domain name only when the user name entered during login includes the domain name. | -
domain-included | Includes the domain name in the user name, that is, the user name is sent in the format of "user name@domain name". | -

Views

RADIUS server group view

Default Level

2: Configuration level

Task Name and Operations

Task Name | Operations
radius | write

Usage Guidelines

Usage Scenario

User names on the device are in the format of "user@domain". Some RADIUS servers support only the pure user name format, whereas others support user names that include domain names. You need to configure whether the user names sent from the device to the RADIUS server contain domain names.

Precautions

In VS mode, this command is supported only by the admin VS.

The default admin domain is a domain configured using the default-domain admin command. An admin domain is the default admin domain or a domain having the adminuser-priority configuration. By default, the default admin domain name is default_admin.

Scenario 1:

Scenario Description:

If a RADIUS server group is bound to only the default admin domain, an error message is displayed when the undo radius-server user-name domain-included command is run in the view of the RADIUS server group.

[HUAWEI-radius-rad] undo radius-server user-name domain-included

Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks.

The current AAA configuration is as follows:

[~HUAWEI-aaa] display this

aaa

local-user root123 password irreversible-cipher 1c1cS0sK$EOY & 1X;cDL"w6
Cb]X5gPx & %gt{8,GO@V/MHM3QhzO$

local-user root123 service-type telnet ssh

local-user root123 level 3

local-user root123 state block fail-times 3 interval 5

authentication-scheme default0

authentication-scheme default1

authentication-scheme default

authentication-mode radius

authorization-scheme default

accounting-scheme default0

accounting-scheme default1

domain default0

domain default1

domain default_admin

radius-server group rad

domain default

Solution:

Run the radius-server user-name original command to override the undo radius-server user-name domain-included configuration.

[~HUAWEI-radius-rad] radius-server user-name original

[~HUAWEI-radius-rad] commit

Impact:

After the configurations are changed, user names that carry domain names are not supported. A login failure occurs if a user name carrying a domain name, such as user001@default_admin, is used for login.

Scenario 2:

Scenario Description:

If a RADIUS server group is bound to both the default admin domain and common domain, an error message is displayed when the undo radius-server user-name domain-included command is run in the view of the RADIUS server group.

[HUAWEI-radius-rad] undo radius-server user-name domain-included

Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks.

The current AAA configuration is as follows:

[~HUAWEI-aaa] display this

aaa

local-user root123 password irreversible-cipher 1c1cS0sK$EOY & 1X;cDL"w6
Cb]X5gPx & %gt{8,GO@V/MHM3QhzO$

local-user root123 service-type telnet ssh

local-user root123 level 3

local-user root123 state block fail-times 3 interval 5

authentication-scheme default0

authentication-scheme default1

authentication-scheme default

authentication-mode radius

authorization-scheme default

accounting-scheme default0

accounting-scheme default1

domain default0

domain default1

domain default_admin

radius-server group rad

domain dom2

radius-server group rad

domain default

Solution:

1. Create another RADIUS server group that has the same configurations as the RADIUS server group bound to the non-admin domain.

[*HUAWEI] radius-server group radnew

Info: A new server-group is created.

Warning: Please configure the shared-key. Configuring shared-key is mandatory to communicate with RADIUS server.

[*HUAWEI-radius-radnew] radius-server authentication 192.168.0.2 1812

[*HUAWEI-radius-radnew] radius-server shared-key-cipher %^%#c~`zCvqg.=Qh-fSl4;s <*5TaHp@Hw~th1Rj99%%^%#

2. Run the radius-server user-name original command to override the undo radius-server user-name domain-included configuration.

[-radius-radnew] radius-server user-name original

[-radius-radnew] commit

[-radius-radnew] display this

radius-server group radnew

radius-server 192.168.0.2

radius-server shared-key cipher %%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%%#

radius-server user-name original

3. Bind the new RADIUS server group to the default admin domain.

[-aaa-domain-default_admin] radius-server group radnew

[-aaa-domain-default_admin] commit

Impact:

After the configurations are changed, user names that carry the default admin domain name, such as user001@default_admin, are not supported. A login failure occurs if a user name carrying the default admin domain name is used for login. User names that carry common domain names, such as user001@dom2, are supported.

Scenario 3:

Scenario Description:

If a RADIUS server group is bound to only the non-default admin domain, an error message is displayed when the undo radius-server user-name domain-included command is run in the view of the RADIUS server group.

[HUAWEI-radius-rad] undo radius-server user-name domain-included

Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks.

The current AAA configuration is as follows:

[~HUAWEI-aaa] display this

aaa

local-user root123 password irreversible-cipher 1c1cS0sK$EOY & 1X;cDL"w6
Cb]X5gPx & %gt{8,GO@V/MHM3QhzO$

local-user root123 service-type telnet ssh

local-user root123 level 3

local-user root123 state block fail-times 3 interval 5

authentication-scheme default0

authentication-scheme default1

authentication-scheme default

authentication-mode radius

authorization-scheme default

accounting-scheme default0

accounting-scheme default1

domain default0

domain default1

domain default_admin

domain dom1

adminuser-priority 3

radius-server group rad

domain default

Solution:

1. Run the radius-server user-name original command to override the undo radius-server user-name domain-included configuration.

[*HUAWEI] radius-server group rad

[*HUAWEI-radius-rad] radius-server user-name original

[*HUAWEI-radius-rad] commit

2. Add user names that carry domain names on the RADIUS server group. For example, add the user name user001@dom1 for an existing user name user001.

Impact: None.

Scenario 4:

Scenario Description:

If a RADIUS server group is bound to both the non-default admin domain and common domain, an error message is displayed when the undo radius-server user-name domain-included command is run in the view of the RADIUS server group.

[HUAWEI-radius-rad] undo radius-server user-name domain-included

Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks.

The current AAA configuration is as follows:

[~HUAWEI-aaa] display this

aaa

local-user root123 password irreversible-cipher 1c1cS0sK$EOY & 1X;cDL"w6
Cb]X5gPx & %gt{8,GO@V/MHM3QhzO$

local-user root123 service-type telnet ssh

local-user root123 level 3

local-user root123 state block fail-times 3 interval 5

authentication-scheme default0

authentication-scheme default1

authentication-scheme default

authentication-mode radius

authorization-scheme default

accounting-scheme default0

accounting-scheme default1

domain default0

domain default1

domain default_admin

domain dom1

adminuser-priority 3

radius-server group rad

domain dom2

radius-server group rad

domain default

Solution:

1. Create another RADIUS server group that has the same configurations as the RADIUS server group bound to the non-admin domain.

[*HUAWEI] radius-server group radnew

Info: A new server-group is created.

Warning: Please configure the shared-key. Configuring shared-key is mandatory to communicate with RADIUS server.

[*HUAWEI-radius-radnew] radius-server authentication 192.168.0.2 1812

[*HUAWEI-radius-radnew] radius-server shared-key-cipher %^%#c~`zCvqg.=Qh-fSl4;s <*5TaHp@Hw~th1Rj99%%^%#

2. Run the radius-server user-name original command to override the undo radius-server user-name domain-included configuration.

[-radius-radnew] radius-server user-name original

[-radius-radnew] commit

[-radius-radnew] display this

radius-server group radnew

radius-server authentication 192.168.0.2 1812

radius-server shared-key-cipher %^%#c~`zCvqg.=Qh-fSl4;s & c <*5TaHp@Hw~th1Rj99%%^%#

radius-server user-name original

3. Bind the new RADIUS server group to the common admin domain dom1.

[-aaa-domain-dom1] radius-server group radnew

[-aaa-domain-dom1] commit

4. Add user names that carry domain names on the RADIUS server group.

For example, add the user name user001@dom1 for an existing user name user001.

Impact: None.
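
The four scenarios above reduce to one audit rule: a RADIUS server group that strips domain names must not be bound to an admin domain (the default admin domain, or a domain with adminuser-priority). The following Python check is an added example, not Huawei code. The sample configuration is constructed, and both the one-space-per-level indentation of the export and the function name audit are assumptions.

```python
# Constructed sample config (not from a real device). One leading space per
# nesting level is an assumption about how the configuration is exported.
SAMPLE = """\
radius-server group rad
 radius-server authentication 192.168.0.2 1812
 undo radius-server user-name domain-included
radius-server group radnew
 radius-server authentication 192.168.0.2 1812
 radius-server user-name original
aaa
 domain default_admin
  radius-server group radnew
 domain dom1
  adminuser-priority 3
  radius-server group rad
 domain dom2
  radius-server group rad
"""

STRIP = "undo radius-server user-name domain-included"

def audit(config, default_admin="default_admin"):
    """Map each RADIUS group that strips domain names while bound to an
    admin domain to its admin domains, common domains and remediation."""
    strips, bound, admins = set(), {}, {default_admin}
    top, domain = "", None
    for raw in config.splitlines():
        line = raw.strip()
        depth = len(raw) - len(raw.lstrip(" "))
        if not line:
            continue
        if depth == 0:                       # new top-level view
            top, domain = line, None
        elif top.startswith("radius-server group ") and line == STRIP:
            strips.add(top.split()[-1])
        elif top == "aaa" and depth == 1:    # entering or leaving a domain
            domain = line.split()[1] if line.startswith("domain ") else None
        elif top == "aaa" and domain and line.startswith("adminuser-priority"):
            admins.add(domain)               # non-default admin domain
        elif top == "aaa" and domain and line.startswith("radius-server group "):
            bound.setdefault(line.split()[-1], []).append(domain)
    findings = {}
    for group in sorted(strips & set(bound)):
        admin = sorted(d for d in bound[group] if d in admins)
        common = sorted(d for d in bound[group] if d not in admins)
        if admin:  # shared groups need a separate group for the admin domain
            findings[group] = {"admin": admin, "common": common,
                               "fix": "split" if common else "in-place"}
    return findings
```

A result of "in-place" corresponds to Scenarios 1 and 3 (run radius-server user-name original on the existing group); "split" corresponds to Scenarios 2 and 4 (create a separate group for the admin domain).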

Example

# Configure the user name to exclude the domain name.
<HUAWEI> system-view
[~HUAWEI] radius-server group huawei
[*HUAWEI-radius-huawei] undo radius-server user-name domain-included
Copyright © Huawei Technologies Co., Ltd.