(Optional) Configuring Negotiated Parameters of the RADIUS Server

A RADIUS server and the NetEngine 8000 F must use the same RADIUS parameters and message format to communicate.

Context

The negotiated parameters are as follows:

  • RADIUS protocol version

    The NetEngine 8000 F supports the standard RADIUS protocol, RADIUS+1.0, and RADIUS+1.1.

    • The standard RADIUS protocol is based on RFC 2865.

    • RADIUS+1.0 is a Huawei proprietary RADIUS protocol, compatible with the early versions in which the standard vendor-ID is not defined.

    • RADIUS+1.1 is an extension of RFC 2865, supporting more Huawei proprietary RADIUS attributes.

  • Key

    The shared key is used to hide the User-Password attribute (the MD5-based obfuscation defined in RFC 2865, not strong encryption) and to compute the Response Authenticator with which the NetEngine 8000 F validates replies from the RADIUS server.

    The key on the NetEngine 8000 F must be identical to the key on the RADIUS server; otherwise the server recovers a wrong password and the NetEngine 8000 F discards the server's responses as unauthenticated. The key is case sensitive. RFC 2865 recommends a key of at least 16 octets, and because RADIUS relies on this key alone to protect the exchange, the path between the NetEngine 8000 F and the RADIUS server should be a trusted management network.

  • Username format

    On the NetEngine 8000 F, a username takes the form user@domain. Some RADIUS servers do not accept usernames that contain a domain name, so set the format of the username that the NetEngine 8000 F sends to the RADIUS server according to whether the server supports usernames with domain names.

  • Traffic unit

    The traffic units used by different RADIUS servers may be different. The NetEngine 8000 F supports four traffic units of byte, Kbyte, Mbyte, and Gbyte to meet requirements of various RADIUS servers.

  • Retransmission parameters

    After the NetEngine 8000 F sends a packet to the RADIUS server, it resends the packet if no response arrives within the configured timeout period, so that authentication or accounting information is not lost because of transient network congestion. The timeout period multiplied by the retransmission count bounds how long a user authentication waits on an unresponsive server.

    Retransmission parameters of the RADIUS server include the timeout period and the maximum number of retransmission times.

  • RADIUS attribute values case-sensitive or case-insensitive

    Some RADIUS servers treat attribute values as case sensitive. On the NetEngine 8000 F, only the value of the HW-QoS-Profile-Name attribute can be made case sensitive.

  • Number of pending packets

    Pending packets refer to those packets that have been sent but are not responded to. The RADIUS server can concurrently process only a certain number of pending packets. Therefore, the number of pending packets must be restricted.
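The following is an added illustration of the Key parameter described above; it is not Huawei or NetEngine 8000 F code. It implements the two RFC 2865 mechanisms that the shared key drives (User-Password hiding and the Response Authenticator) with both sides running in-process, and goes slightly beyond the text by handling passwords longer than one 16-byte block and by showing the reject path. The NAS role stands in for the NetEngine 8000 F; the secrets, the username alice@isp1 and the password are constructed sample values.

```python
"""RFC 2865 shared-key mechanics behind the "Key" parameter.

Added illustration, not Huawei or NetEngine 8000 F code.  The NAS side
stands in for the NetEngine 8000 F; secrets, usernames and passwords are
constructed sample values.  No network I/O: both sides run in-process.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 (at least one block), then
    XOR each block with MD5(secret + previous ciphertext block), seeded with
    the Request Authenticator.  Obfuscation keyed by the shared key, not
    strong encryption."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; with the wrong secret this yields garbage."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strips padding (and any real trailing NULs)


def tlv(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        attrs[t] = blob[i + 2:i + length]
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def nas_access_request(username, password, secret, ident=7) -> bytes:
    """NAS (NetEngine role) builds an Access-Request with a random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = tlv(ATTR_USER_NAME, username) + tlv(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_reply(request, server_secret, expected_user, expected_password) -> bytes:
    """Server recovers the password with its own copy of the key and seals the
    reply with a Response Authenticator computed over that same key."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    ok = attrs.get(ATTR_USER_NAME) == expected_user and password == expected_password
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", server_secret)
    return packet(reply_code, ident, auth, b"")


def nas_verify_reply(request, reply, secret) -> bool:
    """NAS recomputes the Response Authenticator with its own key; a mismatch
    means a different key on the server, a forged reply, or corruption."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:          # reply must match the outstanding request ID
        return False
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20])


def exchange(nas_secret: bytes, server_secret: bytes):
    """One authentication round; returns (reply code, NAS accepted reply?)."""
    user, pw = b"alice@isp1", b"correct horse battery staple"   # constructed sample
    req = nas_access_request(user, pw, nas_secret)
    reply = server_reply(req, server_secret, user, pw)
    return reply[0], nas_verify_reply(req, reply, nas_secret)


if __name__ == "__main__":
    print(exchange(b"Huawei@123", b"Huawei@123"))  # (2, True): matching keys
    print(exchange(b"Huawei@123", b"huawei@123"))  # (3, False): case differs
```

With matching keys the server recovers the password and the NAS validates the Access-Accept. When the keys differ only in case, the server recovers garbage, answers Access-Reject, and the NAS also fails to validate that reply, because the Response Authenticator was sealed with a different secret: neither side can tell a key mismatch from a forged reply, which is why the two keys must match exactly.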

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run radius-server packet statistics algorithm { version1 | version2 }

    The mode for collecting statistics about RADIUS authentication request and response packets is configured.

    In both modes, the radiusAccClientRequests object of the MIB counts Access-Request packets plus retransmitted Access-Request packets, and the radiusAccClientResponses object of the MIB counts all authentication response packets, including Access-Accept, Access-Reject, and Access-Challenge packets and incorrect response packets. The two modes differ only in the output of the display radius-server packet ip-address ip-address authentication command:

    • version1: the Access Requests field counts Access-Request packets only, and the Access Accepts field counts Access-Accept packets only.

    • version2: the Access Requests field counts Access-Request packets plus retransmitted Access-Request packets, and the Access Accepts field counts all authentication response packets, including Access-Accept, Access-Reject, and Access-Challenge packets and incorrect response packets.

  3. Run radius-server admin-user domain-exclude enable

    The device is enabled to apply the undo radius-server user-name domain-included command configuration to the default administrative domain or the domain with the adminuser-priority level command configured.

  4. Run radius-server { accounting | authentication } [ip-address [ vpn-instance vpn-instance ] ] [ port ] pending-limit pending-limit

    The maximum number of pending packets that can be sent to the RADIUS server is set.

  5. Run radius-server group group-name

    The RADIUS server group view is displayed.

  6. Run radius-server type { standard | plus10 | plus11 }

    The RADIUS protocol version that the router uses to communicate with the RADIUS server is set.

  7. Run radius-server { shared-key key-string | shared-key-cipher key-cipher-string } [ { authentication | accounting } ip-address [ vpn-instance instance-name ] port [ weight weight ] ]

    The key of a RADIUS server is configured. The shared-key-cipher form accepts the key in ciphertext, so prefer it where the plaintext key must not appear in a command line or configuration file.

    You can configure a key on the NetEngine 8000 F for each RADIUS server; each key must match, case included, the key configured on that server.

  8. Run radius-server user-name { domain-included | original }

    The format of a username contained in RADIUS packets is configured.

  9. Run radius-attribute apply user-name match user-type { ipoe | pppoe }

    The router replaces the username with a username delivered by a RADIUS server.

  10. Run radius-server traffic-unit { byte | gbyte | kbyte | mbyte }

    The traffic unit of RADIUS packets is set.

    This command is invalid for the RADIUS servers that do not measure traffic by bytes and the RADIUS servers that run the standard RADIUS protocol.

  11. Run radius-server { retransmit retry-times | timeout timeout-value } *

    The maximum number of retransmissions of request packets to all RADIUS authentication and accounting servers, and the retransmission timeout period, are set.

    To separately set the preceding parameters for either all RADIUS authentication servers or RADIUS accounting servers, run the radius-server { authentication | accounting } retransmit retry-times timeout timeout-value command.

  12. Run radius-attribute agent-circuit-id format { cn | tr-101 }

    The format (cn or tr-101) of the agent circuit ID that the router carries in RADIUS packets to report a user's access circuit to an upstream device is set.

  13. Run radius-server called-station-id include { ap-ip account-request | [ delimiter delimiter ] { ap-mac [ mac-format type1 ] [ delimiter delimiter ] | ssid [ delimiter delimiter ] } * }

    The method of constructing the Called-Station-Id attribute (30) is set.

  14. Run radius-server calling-station-id include [ delimiter delimiter ] { domain [ delimiter delimiter ] | mac [ mac-format type1 ] [ delimiter delimiter ] | interface [ delimiter delimiter ] | sysname [ delimiter delimiter ] | { option82 | access-line-id } [ delimiter delimiter ] } *

    The method of constructing the Calling-Station-Id attribute (31) is set.

  15. Run radius-attribute case-sensitive qos-profile-name

    The value of the HW-QoS-Profile-Name attribute is made case sensitive.

    • qos-profile-name is the only keyword available in this command because only the value of the HW-QoS-Profile-Name attribute is case sensitive.

    • The QoS profile name on the router must match the QoS profile name that the RADIUS server delivers exactly. A case mismatch causes the router to apply QoS policies incorrectly.

  16. Run radius-server accounting-start-packet send after-ppp

    The NetEngine 8000 F is configured to send Accounting-Start packets to the RADIUS server after NCP goes Up for PPPv6 users who use DHCPv6 to obtain IPv6 addresses.

  17. Run commit

    The configuration is committed.

Copyright © Huawei Technologies Co., Ltd.