Example for Performing Authentication and Accounting for Users by Using RADIUS

This section provides an example for performing authentication and accounting by using RADIUS.

Networking Requirements

As shown in Figure 1, users access the network through DeviceA and belong to the domain named huawei. DeviceB functions as the access server for the destination network. To reach the destination network, users must traverse the network where DeviceA and DeviceB reside and pass remote authentication by the access server. After that, they can access the network through DeviceB. Remote authentication is implemented on DeviceB as follows:

  • The RADIUS server performs authentication and accounting for access users.

  • The RADIUS server at 10.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server at 10.7.66.67/24 functions as the secondary authentication and accounting server. The default port numbers are used: 1812 for authentication and 1813 for accounting.

Figure 1 Networking diagram of performing authentication and accounting for users by using RADIUS

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a RADIUS server group, an authentication scheme, and an accounting scheme on DeviceB.

  2. Apply the RADIUS server group, authentication scheme, and accounting scheme to a domain.

Run the adminuser-priority command in the domain view if you want to configure a user not in the default_admin domain as an administrator for login. The domain must be configured as the authentication domain for BAS access users.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of the primary and secondary RADIUS authentication servers

  • IP addresses of the primary and secondary RADIUS accounting servers

Procedure

  1. # Set a host name, such as HUAWEI, for the BRAS.

    <Device> system-view
    [~Device] sysname HUAWEI
    [*HUAWEI] commit

  2. Configure a RADIUS server group, an authentication scheme, and an accounting scheme.

    # Configure a RADIUS server group named shiva.

    [~HUAWEI] radius-server group shiva

    # Configure IP addresses and port numbers for the primary RADIUS authentication and accounting servers.

    [*HUAWEI-radius-shiva] radius-server authentication 10.7.66.66 1812
    [*HUAWEI-radius-shiva] radius-server accounting 10.7.66.66 1813

    # Configure IP addresses and port numbers for the secondary RADIUS authentication and accounting servers.

    [*HUAWEI-radius-shiva] radius-server authentication 10.7.66.67 1812
    [*HUAWEI-radius-shiva] radius-server accounting 10.7.66.67 1813

    # Set the key and the number of retransmission attempts for the RADIUS servers.

    [*HUAWEI-radius-shiva] radius-server shared-key-cipher it-is-my-secret1
    [*HUAWEI-radius-shiva] radius-server retransmit 2
    [*HUAWEI-radius-shiva] commit
    [~HUAWEI-radius-shiva] quit

    # Enter the AAA view.

    [~HUAWEI] aaa

    # Configure authentication scheme 1, with the authentication mode being RADIUS.

    [~HUAWEI-aaa] authentication-scheme 1
    [*HUAWEI-aaa-authen-1] authentication-mode radius
    [*HUAWEI-aaa-authen-1] commit
    [~HUAWEI-aaa-authen-1] quit

    # Configure accounting scheme 1, with the accounting mode being RADIUS.

    [~HUAWEI-aaa] accounting-scheme 1
    [*HUAWEI-aaa-accounting-1] accounting-mode radius
    [*HUAWEI-aaa-accounting-1] commit
    [~HUAWEI-aaa-accounting-1] quit

  3. Configure a domain named huawei and apply authentication scheme 1, accounting scheme 1, and RADIUS server group shiva in the domain.

    [~HUAWEI-aaa] domain huawei
    [*HUAWEI-aaa-domain-huawei] authentication-scheme 1
    [*HUAWEI-aaa-domain-huawei] accounting-scheme 1
    [*HUAWEI-aaa-domain-huawei] radius-server group shiva
    [*HUAWEI-aaa-domain-huawei] commit

  4. Verify the configuration.

    Run the display radius-server configuration group shiva command on the router to check whether the configurations of the RADIUS server group meet the requirements.

    <HUAWEI> display radius-server configuration group shiva
      -------------------------------------------------------
      Server-group-name    :  shiva
      Authentication-server:  IP:10.7.66.66 Port:1812 Weight[0] [UP]
                              Vpn: -
      Authentication-server:  IP:10.7.66.67 Port:1812 Weight[0] [UP]
                              Vpn: -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Accounting-server    :  IP:10.7.66.66 Port:1813 Weight[0] [UP]
                              Vpn: -
      Accounting-server    :  IP:10.7.66.67 Port:1813 Weight[0] [UP]
                              Vpn: -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Protocol-version     :  radius
      Shared-secret-key    :  ******
      Retransmission       :  2
      Timeout-interval(s)  :  5
      Acct-Stop-Packet Resend  :  NO
      Acct-Stop-Packet Resend-Times  :  0
      Traffic-unit         :  B
      ClassAsCar           :  NO
      User-name-format     :  Domain-included
      Option82 parse mode  :  -
      Attribute-translation:  NO
      Packet send algorithm:  Master-Backup
      Tunnel password      :  cipher
    

    Run the display domain domain-name command on the router to check the configurations of the domain.

    <HUAWEI> display domain huawei
      ------------------------------------------------------------------------------
      Domain-name                     : huawei
      Domain-state                    : Active
      Authentication-scheme-name      : 1
      Accounting-scheme-name          : 1
      Authorization-scheme-name       :
      Primary-DNS-IP-address          : -
      Second-DNS-IP-address           : -
      Primary-NBNS-IP-address         : -
      Second-NBNS-IP-address          : -
      User-group-name                 : -
      Idle-data-attribute (time,flow) : 0, 60
      Install-BOD-Count               : 0
      Report-VSM-User-Count           : 0
      Value-added-service             : -
      User-access-limit               : 279552
      Online-number                   : 0
      Web-IP-address                  : -
      Web-URL                         : -
      Portal-server-IP                : -
      Portal-URL                      : -
      Portal-force-times              : 2
      PPPoE-user-URL                  : Disable
      IPUser-ReAuth-Time(second)      : 300
      Ancp auto qos adapt             : Disable
      RADIUS-server-template          : shiva
      Two-acct-template               : -
      HWTACACS-server-template        : -
      Bill Flow                       : Disable
      Tunnel-acct-2867                : Disabled
    
      Flow Statistic:
      Flow-Statistic-Up               : Yes
      Flow-Statistic-Down             : Yes
      Source-IP-route                 : Disable
      IP-warning-threshold            : -
      Multicast Forwarding            : Yes
      Multicast Virtual               : No
      Max-multilist num               : 4
      Multicast-profile               : -
      Quota-out                     : Offline
      ------------------------------------------------------------------------------
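
A check that can be run over the two display outputs from step 4, as an added example that is not part of the original Huawei documentation: it compares the server group and the domain against the intended state and reports missing, unexpected, or non-UP servers. The function names, the trimmed sample text, and the treatment of any state other than UP as a failure are assumptions of this example.

```python
import re

# Constructed samples: lines trimmed from the two display outputs in step 4.
GROUP_OUT = """\
  Authentication-server:  IP:10.7.66.66 Port:1812 Weight[0] [UP]
  Authentication-server:  IP:10.7.66.67 Port:1812 Weight[0] [UP]
  Authentication-server:  -
  Accounting-server    :  IP:10.7.66.66 Port:1813 Weight[0] [UP]
  Accounting-server    :  IP:10.7.66.67 Port:1813 Weight[0] [UP]
"""
DOMAIN_OUT = """\
  Domain-state                    : Active
  Authentication-scheme-name      : 1
  Accounting-scheme-name          : 1
  RADIUS-server-template          : shiva
"""
# Intended state, taken from the networking requirements of this example.
EXPECTED = {"Authentication-server": {("10.7.66.66", 1812), ("10.7.66.67", 1812)},
            "Accounting-server": {("10.7.66.66", 1813), ("10.7.66.67", 1813)}}
SERVER_RE = re.compile(r"^\s*(Authentication-server|Accounting-server)\s*:\s*"
                       r"IP:(\S+)\s+Port:(\d+)\s+Weight\[\d+\]\s+\[(\w+)\]", re.M)

def parse_servers(text):
    """Return {role: {(ip, port): state}}; empty '-' slots are skipped."""
    servers = {}
    for role, ip, port, state in SERVER_RE.findall(text):
        servers.setdefault(role, {})[(ip, int(port))] = state
    return servers

def parse_fields(text):
    """Return {key: value} for the 'key : value' lines of a display output."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and k.strip()}

def audit(group_out, domain_out, expected=EXPECTED, group="shiva", scheme="1"):
    """List every deviation from the intended setup; an empty list means OK."""
    findings, servers = [], parse_servers(group_out)
    for role, wanted in expected.items():
        seen = servers.get(role, {})
        for ip, port in sorted(wanted ^ set(seen)):
            kind = "missing" if (ip, port) in wanted else "unexpected"
            findings.append(f"{role} {ip}:{port} {kind}")
        findings += [f"{role} {ip}:{port} is {st}"
                     for (ip, port), st in sorted(seen.items()) if st != "UP"]
    dom = parse_fields(domain_out)
    want = {"Domain-state": "Active", "RADIUS-server-template": group,
            "Authentication-scheme-name": scheme, "Accounting-scheme-name": scheme}
    findings += [f"domain {k} is {dom.get(k)!r}, expected {v!r}"
                 for k, v in want.items() if dom.get(k) != v]
    return findings
```

Calling `audit(GROUP_OUT, DOMAIN_OUT)` on the samples returns an empty list; an extra server in the group is reported as unexpected, which is the case worth alerting on because every server in the group receives user credentials.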
    

Configuration Files

#
sysname HUAWEI
#                                                                               
radius-server group shiva                                                       
 radius-server authentication 10.7.66.66 1812 weight 0                         
 radius-server authentication 10.7.66.67 1812 weight 0                         
 radius-server accounting 10.7.66.66 1813 weight 0                             
 radius-server accounting 10.7.66.67 1813 weight 0                             
 radius-server shared-key-cipher %^%#h{FXVBLZX9#`VI]EWUUaOSHGd5E!.1DGeVYEie=%^%                                       
 radius-server retransmit 2                                                    
#                                                                               
aaa
 authentication-scheme 1
  authentication-mode radius
 #
 authorization-scheme default
 #
 accounting-scheme 1
  accounting-mode radius
 #
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server group shiva
#
return
Copyright © Huawei Technologies Co., Ltd.