test-aaa

Function

The test-aaa command checks whether a user can pass the authentication of the RADIUS server group.

Format

test-aaa user-name password [ password random [ random-num1 random-num2 ] timestamp [ timestamp-num1 timestamp-num2 ] ] radius-group group-name [ radius-server ip-address [ vpn-instance vpn-instancename ] port-number ] [ chap | pap ] [ test-group test-group-name ] [ trace ]

Parameters

Parameter Description Value
user-name

Specifies the name of the user to be tested.

The value is a string of 1 to 253 characters.

password random random-num1 random-num2

Specifies a 64-bit random value used to encrypt passwords. random-num1 specifies the first 32-bit random value. random-num2 specifies the latter 32-bit random value.

Both random-num1 and random-num2 are integers ranging from 0 to 4294967295. By default, the value is randomly generated by the device.

password

Specifies the password of the user to be tested.

The value is a string of 1 to 128 characters.

timestamp timestamp-num1 timestamp-num2

Specifies a 64-bit timestamp used to encrypt passwords. timestamp-num1 specifies the first 32-bit timestamp. timestamp-num2 specifies the latter 32-bit timestamp.

Both timestamp-num1 and timestamp-num2 are integers ranging from 0 to 4294967295. The default value is 0:0:0 of 1970, Greenwich Mean Time (GMT).

radius-group group-name

Specifies the name of a RADIUS server group.

The value is a string of 1 to 32 characters.

radius-server ip-address

Specifies the IP address of a RADIUS server.

The value is in dotted decimal notation.

vpn-instance vpn-instancename

Specifies the VPN instance name of a RADIUS server.

The value is a string of 1 to 31 characters.

port-number

Specifies the port number of a RADIUS server.

The value is an integer ranging from 0 to 65535.

chap

Indicates the CHAP authentication mode. CHAP is the default authentication mode.

-

pap

Indicates the PAP authentication mode.

-

test-group test-group-name

Specifies the name of a test RADIUS server group.

The value is a string of 1 to 32 characters.

trace

Displays detailed information about the RADIUS packets exchanged between the device and the RADIUS server.

-

Views

All views

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
radius execute

Usage Guidelines

Usage Scenario

When an AAA fault occurs, you can run the test-aaa command to test whether a user can pass the authentication of the RADIUS server group and find the cause of the fault.

For an IPTV user, after a password random value (R) and timestamp (TS) are configured, the device encrypts the password (R+Password+TS) using the MD5 hash algorithm. The device then sends the RADIUS server a final password that consists of O (a 1-bit value, which is 1) + R (a 64-bit value configured on the command line or generated automatically) + TS (a 64-bit value configured on the command line or generated automatically) + Key (the encrypted password) + login (the configured user name).

The encryption algorithm used for MD5 authentication poses security risks.
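The O + R + TS + Key + login value described above, as an added Python example (not Huawei's code) that builds the value and checks it the way a RADIUS server would. The byte layout is an assumption: O as one byte, R and TS as two big-endian 32-bit halves each, Key as the raw MD5 digest; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumed layout (not taken from the device): O as one byte with value 1,
# R and TS as two big-endian 32-bit halves, Key as the 16-byte MD5 digest.
O_FLAG = b"\x01"
FIXED_LEN = 1 + 8 + 8 + 16  # O + R + TS + Key


def pack64(first: int, latter: int) -> bytes:
    """Join two 32-bit values (0..4294967295) into one 64-bit field."""
    return struct.pack(">II", first, latter)  # raises struct.error if out of range


def build_password(login: str, password: str, r: tuple, ts: tuple) -> bytes:
    """Return O + R + TS + Key + login, with Key = MD5(R + Password + TS)."""
    r_bytes, ts_bytes = pack64(*r), pack64(*ts)
    key = hashlib.md5(r_bytes + password.encode() + ts_bytes).digest()
    return O_FLAG + r_bytes + ts_bytes + key + login.encode()


def parse_password(blob: bytes) -> dict:
    """Split a received value into its fields; R and TS are readable as sent."""
    if len(blob) <= FIXED_LEN or blob[:1] != O_FLAG:
        raise ValueError("not an O+R+TS+Key+login value")
    r1, r2, t1, t2 = struct.unpack(">4I", blob[1:17])
    return {"r": (r1, r2), "ts": (t1, t2),
            "key": blob[17:33], "login": blob[33:].decode()}


def verify_password(blob: bytes, stored_password: str) -> bool:
    """Server-side check: recompute Key from the stored password and compare."""
    fields = parse_password(blob)
    expected = hashlib.md5(blob[1:9] + stored_password.encode() + blob[9:17]).digest()
    return hmac.compare_digest(expected, fields["key"])  # constant-time compare


# Constructed sample: R = (1024, 0), TS = (0, 0), credentials from the examples below.
SAMPLE = build_password("user1@huawei", "Root@123", (1024, 0), (0, 0))
```

R and TS can be read back from the value by anyone who sees it, so the password is the only secret input to Key.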

In VS mode, this command is supported only by the admin VS.

Example

# Check whether user user1@huawei (the R value is 1024, the TS is generated automatically) can be authenticated by the server group radius-group1.
<HUAWEI> test-aaa user1@huawei Root@123 password random 1024 timestamp  radius-group radius-group1 pap
# Check whether user user1@huawei can be authenticated by the test RADIUS server group radius-group2.
<HUAWEI> test-aaa user1@huawei Root@123 radius-group radius-group1 test-group 2
# Check whether user user1@huawei can be authenticated by the RADIUS server group radius-group1.
<HUAWEI> test-aaa user1@huawei Root@123 radius-group radius-group1 pap
# Check whether user user1@huawei can be authenticated by the test RADIUS server group radius-group2 and display detailed information about the RADIUS packets exchanged between the device and the RADIUS server.
<HUAWEI> test-aaa user1@huawei Root@123 radius-group radius-group1 test-group 2 trace
RADIUS Sent a Packet                                 
  Server Template: 0                                   
  Server IP   : 10.3.100.41                           
  Vpn-Instance: -                                      
  NAS Port    : 1812                                   
  Protocol: Standard                                   
  Code    : Authentication request                     
  Len     : 120                                        
  ID      : 63                                         
  [User-Name(1)                       ] [user1 ] [a]       
  [CHAP-Password(3)                   ] [19] [******]  
  [CHAP-Challenge(60)                 ] [18] [******]  
  [NAS-IP-Address(4)                  ] [6 ] [10.3.4.13]
  [Service-Type(6)                    ] [6 ] [2]       
  [Framed-Protocol(7)                 ] [6 ] [1]       
  [NAS-Identifier(32)                 ] [5 ] [~HUAWEI]     
  [NAS-Port-Type(61)                  ] [6 ] [15]      
  [Acct-Session-Id(44)                ] [31] [*HUAWEI 00000000000000a5b6e1283652]
  Radius Received a Packet                             
  Server Template: 0                                   
  Server IP   : 10.3.100.41                           
  Vpn-Instance: -                                      
  Server Port : 1812                                   
  NAS Port    : 1812                                   
  Protocol: Standard                                   
  Code    : Authentication accept                      
  Len     : 38                                         
  ID      : 63                                         
  [HW-Output-Peak-Information-Rate(Huawei-6)] [6 ] [70000000]
  [HW-Output-Committed-Information-Rate(Huawei-5)] [6 ] [66000000]

Info: Account test succeed!                                       
  Radius Sent a Packet                                 
  Server Template: 0                                   
  Server IP   : 10.3.100.41                           
  Vpn-Instance: -                                      
  NAS Port    : 1813                                   
  Protocol: Standard                                   
  Code    : Account request                            
  Len     : 83                                         
  ID      : 55                                         
  [User-Name(1)                       ] [user1 ] [a]       
  [Acct-Status-Type(40)               ] [6 ] [2]       
  [NAS-IP-Address(4)                  ] [6 ] [255.255.255.255]
  [NAS-Identifier(32)                 ] [5 ] [~HUAWEI]     
  [Acct-Delay-Time(41)                ] [6 ] [0]       
  [Acct-Session-Id(44)                ] [31] [*HUAWEI 00000000000000a5b6e1283652]
  [Acct-Terminate-Cause(49)           ] [6 ] [1]       
  Radius Received a Packet                             
  Server Template: 0                                   
  Server IP   : 10.3.100.41                           
  Vpn-Instance: -                                      
  Server Port : 1813                                   
  NAS Port    : 1813                                   
  Protocol: Standard                                   
  Code    : Account resp                               
  Len     : 38                                         
  ID      : 55                                         
  [HW-Output-Peak-Information-Rate(Huawei-6)] [6 ] [70000000]
  [HW-Output-Committed-Information-Rate(Huawei-5)] [6 ] [66000000]
Copyright © Huawei Technologies Co., Ltd.