(Optional) Configuring RADIUS Proxy Authentication

RADIUS proxy authentication is configured on a BRAS to forward RADIUS packets between a RADIUS client and a RADIUS server to authenticate user information.

Context

In some cases, user authentication and accounting are performed on different devices. For example, an AC authenticates users, whereas a BRAS charges users. To prevent the two devices from sending authentication packets to the RADIUS server simultaneously, configure the BRAS that performs user accounting as a RADIUS proxy. The RADIUS proxy then records authentication information of users when forwarding RADIUS authentication packets. The BRAS with RADIUS proxy authentication configured transparently transmits RADIUS packets from a specified RADIUS client to the RADIUS server, records authorization information delivered by the RADIUS server, and transparently transmits authentication response packets. In this situation, the BRAS can use the recorded authorization information to authorize users.

RADIUS proxy authentication takes effect only for IPoE users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-client ip-address [ mask { mask-ip | mask-length } ] [ vpn-instance instance-name ] { { shared-key key | shared-key-cipher key-string-cipher } | server-group groupname | roam-domain domain-name | domain-authorization | trigger-web { authentication | accounting | none } } *

    RADIUS client parameters, including the IP address, VPN instance, shared key, and RADIUS server group, are set on the RADIUS proxy.

  3. (Optional) Run radius-client check-attribute-length loose [ correct-forwarding ]

    The RADIUS proxy is enabled to check the length of each attribute in each Access-Request or Accounting-Request packet. After this command is run, the RADIUS proxy can parse attributes longer than or equal to 2 bytes carried in an Access-Request or Accounting-Request packet before forwarding such a packet to a RADIUS server that also supports such attributes. For Access-Request packets, if a RADIUS server cannot process a packet that carries a 2-byte attribute, configure the correct-forwarding parameter in this command to enable the RADIUS proxy to delete each 2-byte attribute from the packet and reduce the Length field value by 2 before forwarding the packet to the RADIUS server.

  4. (Optional) Run radius-client packet dscp dscp-value

    A DSCP value is set for RADIUS packets sent by the RADIUS proxy to the AP/AC.

  5. Run commit

    The configuration is committed.
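
The packet rewrite that step 3 describes for correct-forwarding, as an added Python illustration (not Huawei's implementation): it walks the attributes of an Access-Request, accepts 2-byte attributes, removes them, and reduces the Length field by 2 for each one removed. The function names and the sample packet are constructed for this example.

```python
import struct

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16), RFC 2865

def parse_packet(packet: bytes):
    """Split a RADIUS packet into header fields and (type, value) attributes."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("Length field does not match the datagram")
    attrs, off = [], HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[off], packet[off + 1]
        # Loose check: a 2-byte attribute (type + length, empty value) is accepted.
        if a_len < 2 or off + a_len > length:
            raise ValueError(f"attribute {a_type} has invalid length {a_len}")
        attrs.append((a_type, packet[off + 2:off + a_len]))
        off += a_len
    return code, ident, packet[4:HEADER_LEN], attrs

def strip_two_byte_attributes(packet: bytes):
    """Drop every 2-byte attribute and rewrite Length; return (packet, removed)."""
    code, ident, authenticator, attrs = parse_packet(packet)
    kept = [(t, v) for t, v in attrs if v]  # empty value == 2-byte attribute
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in kept)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + authenticator + body, len(attrs) - len(kept)

def build_sample() -> bytes:
    """Constructed Access-Request: User-Name, one empty attribute, NAS-Port."""
    body = bytes([1, 7]) + b"alice"               # User-Name (type 1)
    body += bytes([77, 2])                        # Connect-Info (type 77), empty value
    body += bytes([5, 6]) + struct.pack("!I", 3)  # NAS-Port (type 5)
    return struct.pack("!BBH", 1, 7, HEADER_LEN + len(body)) + bytes(16) + body

if __name__ == "__main__":
    fixed, removed = strip_two_byte_attributes(build_sample())
    print(removed, struct.unpack("!H", fixed[2:4])[0])
```

If a request carries Message-Authenticator (attribute 80), its HMAC-MD5 covers the whole packet including the Length field, so it has to be recomputed with the shared key after a rewrite like this.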

Copyright © Huawei Technologies Co., Ltd.