H3C S3610 Series Operating instructions

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches Table of Contents

i

Table of Contents

Chapter 1 AAA & RADIUS & HWTACACS Configuration..........................................................1-1

1.1 Overview............................................................................................................................1-1

1.1.1 Introduction to AAA.................................................................................................1-1

1.1.2 Introduction to ISP Domain.....................................................................................1-2

1.1.3 Introduction to RADIUS...........................................................................................1-2

1.1.4 Introduction to HWTACACS....................................................................................1-8

1.2 Configuration Tasks.........................................................................................................1-12

1.3 AAA Configuration ........................................................................................................... 1-14

1.3.1 Configuration Prerequisites...................................................................................1-15

1.3.2 Creating an ISP Domain .......................................................................................1-15

1.3.3 Configuring the Attributes of an ISP Domain........................................................ 1-16

1.3.4 Configuring AAA Authentication of an ISP Domain ..............................................1-16

1.3.5 Configuring AAA Authorization of an ISP Domain................................................1-18

1.3.6 Configuring AAA Accounting of an ISP Domain ...................................................1-20

1.3.7 Configuring the Attributes of a Local User............................................................ 1-22

1.3.8 Cutting Down User Connections Forcibly.............................................................1-24

1.4 RADIUS Configuration..................................................................................................... 1-25

1.4.1 Creating a RADIUS Scheme................................................................................. 1-25

1.4.2 Configuring RADIUS Authentication/Authorization Servers..................................1-26

1.4.3 Configuring RADIUS Accounting Servers and Related Parameters.....................1-27

1.4.4 Configuring Shared Keys for RADIUS Packets .................................................... 1-28

1.4.5 Configuring the Maximum Number of Transmission Attempts of RADIUS Packets1-29

1.4.6 Configuring the Supported RADIUS Server Type................................................. 1-30

1.4.7 Configuring the Status of RADIUS Servers ..........................................................1-30

1.4.8 Configuring the Attributes for Data to be Sent to RADIUS Servers......................1-31

1.4.9 Configuring a Local RADIUS Server.....................................................................1-32

1.4.10 Configuring the Timers of RADIUS Servers........................................................1-33

1.5 HWTACACS Configuration..............................................................................................1-34

1.5.1 Creating a HWTACACS Scheme..........................................................................1-34

1.5.2 Configuring HWTACACS Authentication Servers................................................. 1-35

1.5.3 Configuring HWTACACS Authorization Servers................................................... 1-36

1.5.4 Configuring HWTACACS Accounting Servers...................................................... 1-36

1.5.5 Configuring Shared Keys for RADIUS Packets .................................................... 1-37

1.5.6 Configuring the Attributes for Data to be Sent to TACACS Servers.....................1-38

1.5.7 Configuring the Timers of TACACS Servers.........................................................1-39

1.6 Displaying and Maintaining AAA & RADIUS & HWTACACS Information.......................1-40

1.7 AAA & RADIUS & HWTACACS Configuration Examples............................................... 1-42

1.7.1 Remote RADIUS Authentication of Telnet/SSH Users......................................... 1-42

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches Table of Contents

ii

1.7.2 Local Authentication, Authorization and Accounting for FTP/Telnet of Users......1-44

1.7.3 TACACS Authentication/Authorization and Accounting of Telnet Users..............1-46

1.7.4 Local Authentication, HWTACACS Authorization and RADIUS Accounting of Telnet

users...............................................................................................................................1-47

1.8 Troubleshooting AAA & RADIUS & HWTACACS Configuration.....................................1-49

1.8.1 Troubleshooting the RADIUS Protocol .................................................................1-49

1.8.2 Troubleshooting the HWTACACS Protocol ..........................................................1-50

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-1

Chapter 1 AAA & RADIUS & HWTACACS

Configuration

1.1 Overview

1.1.1 Introduction to AAA

AAA is shortened from the three security functions: authentication, authorization and

accounting. It provides a uniform framework for you to configure the three security

functions to implement the network security management.

The network security mentioned here mainly refers to access control. It mainly controls:

z Which users can access the network,

z Which services the users can have access to,

z How to charge the users who are using network resources.

Accordingly, AAA provides the following services:

I. Authentication

AAA supports the following authentication methods:

z None authentication: Users are trusted and no authentication is performed on the

users. Generally, this method is not recommended.

z Local authentication: User information (including user name, password, and

attributes) is configured on this device. Local authentication is fast and requires

lower operational cost. But the information storage capacity is limited by device

hardware.

z Remote authentication: Users are authenticated remotely through the RADIUS

protocol or HWTACACS protocol. This device (for example, a H3C series switch)

acts as the client to communicate with the RADIUS server or TACACS server. For

RADIUS protocol, both standard and extended RADIUS protocols can be used.

II. Authorization

AAA supports the following authorization methods:

z Direct authorization: Users are trusted and directly authorized. Users have the

default rights now.

z Local authorization: Users are authorized according to the related attributes

configured for their local accounts on the device.

z RADIUS authorization: Users are authorized after they pass the RADIUS

authentication. The authentication and authorization of RADIUS protocol are

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-2

bound together, and you cannot perform RADIUS authorization alone without

RADIUS authentication.

z HWTACACS authorization: Users are authorized by TACACS server.

III. Accounting

AAA supports the following accounting methods:

z None accounting: No accounting is performed for users.

z Local accounting: This function is intended for managing the number of local user

connections and collecting the statistics about the number of users connected.

z Remote accounting: User accounting is performed on the remote RADIUS server

or TACACS server.

Generally, AAA adopts the client/server structure, where the client acts as the managed

resource and the server stores user information. This structure has good scalability and

facilitates the centralized management of user information. AAA can be based on

multiple protocols, and currently RADIUS or HWTACACS is used.

1.1.2 Introduction to ISP Domain

An Internet service provider (ISP) domain is a group of users who belong to the same

ISP. For a user name in the format of userid@isp-name, the isp-name following the @

character is the ISP domain name. The access device uses userid as the user name for

authentication, and isp-name as the domain name.

In a multi-ISP environment, the users connected to the same access device may

belong to different domains. Since the users of different ISPs may have different

attributes (such as different compositions of user name and password, different service

types/rights), it is necessary to distinguish the users by setting ISP domains.

You can configure a set of ISP domain attributes (including AAA policy, RADIUS

scheme, and so on) for each ISP domain independently in ISP domain view.

1.1.3 Introduction to RADIUS

AAA is a management framework. It can be implemented by not only one protocol. But

in practice, the most commonly used protocol for AAA is RADIUS.

I. What is RADIUS

RADIUS (remote authentication dial-in user service) is a distributed information

exchange protocol in client/server structure. It can prevent unauthorized access to the

network and is commonly used in network environments where both high security and

remote user access service are required.

The RADIUS service involves three components:

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-3

z Protocol: Based on the UDP/IP layer, RFC 2865 and 2866 define the frame format

and message transfer mechanism of RADIUS, and define 1812 as the

authentication port and 1813 as the accounting port.

z Server: The RADIUS server runs on a computer or workstation at the center. It

stores and maintains the information on user authentication and network service

access.

z Client: The RADIUS clients run on the dial-in access server device. They can be

deployed anywhere in the network.

RADIUS is based on client/server model. Acting as a RADIUS client, the switch passes

user information to a designated RADIUS server, and makes processing (such as

connecting/disconnecting users) depending on the responses returned from the server.

The RADIUS server receives user's connection requests, authenticates users, and

returns all required information to the switch.

Generally, the RADIUS server maintains the following three databases (as shown in

Figure 1-1):

z Users: This database stores information about users (such as user name,

password, adopted protocol and IP address).

z Clients: This database stores the information about RADIUS clients (such as

shared keys).

z Dictionary: This database stores the information used to interpret the attributes

and attribute values of the RADIUS protocol.

RADIUS Server

Users Clients

Dictionary

Figure 1-1 Databases in RADIUS server

In addition, the RADIUS server can act as the client of some other AAA server to

provide the authentication or accounting proxy service.

II. Basic message exchange procedure of RADIUS

The messages exchanged between a RADIUS client (a switch, for example) and the

RADIUS server are verified by using a shared key. This enhances the security. The

RADIUS protocol combines the authentication and authorization processes together by

sending authorization information in the authentication response message.

Figure 1-2

depicts the message exchange procedure between user, switch and RADIUS server.

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-4

Figure 1-2 Basic message exchange procedure of RADIUS

The basic message exchange procedure of RADIUS is as follows:

1) The user enters the user name and password.

2) The RADIUS client receives the user name and password, and then sends an

authentication request (Access-Request) to the RADIUS server.

3) The RADIUS server compares the received user information with that in the Users

database to authenticate the user. If the authentication succeeds, the RADIUS

server sends back an authentication response (Access-Accept), which contains

the information of user’s rights, to the RADIUS client. If the authentication fails, it

returns an Access-Reject response.

4) The RADIUS client accepts or denies the user depending on the received

authentication result. If it accepts the user, the RADIUS client sends a

start-accounting request (Accounting-Request, with the Status-Type filed set to

“start”) to the RADIUS server.

5) The RADIUS server returns a start-accounting response (Accounting-Response).

6) The user starts to access the resources.

7) The RADIUS client sends a stop-accounting request (Accounting-Request, with

the Status-Type field set to “stop”) to the RADIUS server.

8) The RADIUS server returns a stop-accounting response (Accounting-Response).

9) The user stops accessing the network resources.

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-5

III. RADIUS packet structure

RADIUS uses UDP to transmit messages. It ensures the correct message exchange

between RADIUS server and client through the following mechanisms: timer

management, retransmission, and backup server.

Figure 1-3 depicts the structure of

the RADIUS packets.

Code

Identifier

Authenticator

Attribute

Length

e

Figure 1-3 RADIUS packet structur

1) The Code field decides the type of the RADIUS packet, as shown in

Table 1-1.

Table 1-1 Description on major values of the Code field

Code Packet type Packet description

1 Access-Request

Direction: client->server.

The client transmits this packet to the server to

determine if the user can access the network.

This packet carries user information. It must contain the

User-Name attribute and may contain the following

attributes: NAS-IP-Address, User-Password and

NAS-Port.

2 Access-Accept

Direction: server->client.

The server transmits this packet to the client if all the

attribute values carried in the Access-Request packet

are acceptable (that is, the user passes the

authentication).

3 Access-Reject

Direction: server->client.

The server transmits this packet to the client if any

attribute value carried in the Access-Request packet is

unacceptable (that is, the user fails the authentication).

4

Accounting-Req

uest

Direction: client->server.

The client transmits this packet to the server to request

the server to start or end the accounting (whether to

start or to end the accounting is determined by the

Acct-Status-Type attribute in the packet).

This packet carries almost the same attributes as those

carried in the Access-Request packet.

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-6

Code Packet type Packet description

5

Accounting-Res

ponse

Direction: server->client.

The server transmits this packet to the client to notify

the client that it has received the Accounting-Request

packet and has correctly recorded the accounting

information.

2) The Identifier field (one byte) identifies the request and response packets. It is

subject to the Attribute field and varies with the received valid responses, but

keeps unchanged during retransmission.

3) The Length field (two bytes) specifies the total length of the packet (including the

Code, Identifier, Length, Authenticator and Attribute fields). The bytes beyond the

length will be regarded as padding bytes and are ignored upon receiving the

packet. If the received packet is shorter than the value of this field, it will be

discarded.

4) The Authenticator field (16 bytes) is used to verify the packet returned from the

RADIUS server; it is also used in the password hiding algorithm. There are two

kinds of authenticators: Request and Response.

5) The Attribute field contains special authentication, authorization, and accounting

information to provide the configuration details of a request or response packet.

This field is represented by a field triplet (Type, Length and Value):

z The Type field (one byte) specifies the type of the attribute. Its value ranges from 1

to 255.

Table 1-2 lists the attributes that are commonly used in RADIUS

authentication and authorization.

z The Length field (one byte) specifies the total length of the Attribute field in bytes

(including the Type, Length and Value fields).

z The Value field (up to 253 bytes) contains the information about the attribute. Its

content and format are determined by the Type and Length fields.

Table 1-2 RADIUS attributes

Value of

the Type

field

Attribute type

Value of

the Type

field

Attribute type

1 User-Name 23 Framed-IPX-Network

2 User-Password 24 State

3 CHAP-Password 25 Class

4 NAS-IP-Address 26 Vendor-Specific

5 NAS-Port 27 Session-Timeout

6 Service-Type 28 Idle-Timeout

7 Framed-Protocol 29 Termination-Action

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-7

Value of Value of

the Type

field

Attribute type

the Type

Attribute type

field

8 Framed-IP-Address 30 Called-Station-Id

9 Framed-IP-Netmask 31 Calling-Station-Id

10 Framed-Routing 32 NAS-Identifier

11 Filter-ID 33 Proxy-State

12 Framed-MTU 34 Login-LAT-Service

13 Framed-Compression 35 Login-LAT-Node

14 Login-IP-Host 36 Login-LAT-Group

15 Login-Service 37 Framed-AppleTalk-Link

16 Login-TCP-Port 38

Framed-AppleTalk-Networ

k

17 (unassigned) 39 Framed-AppleTalk-Zone

18 Reply-Message 40-59 (reserved for accounting)

19 Callback-Number 60 CHAP-Challenge

20 Callback-ID 61 NAS-Port-Type

21 (unassigned) 62 Port-Limit

22 Framed-Route 63 Login-LAT-Port

The RADIUS protocol takes good scalability. Attribute 26 (Vender-Specific) defined in

this protocol allows a device vendor to extend RADIUS to implement functions that are

not defined in standard RADIUS.

Figure 1-4 depicts the structure of attribute 26. The Vendor-ID field representing the

code of the vendor occupies four bytes. The first byte is 0, and the other three bytes are

defined in RFC1700. Here, the vendor can encapsulate multiple customized

sub-attributes (containing Type, Length and Value) to obtain extended RADIUS

implementation.

VeType ndor-IDLength

Vendor-ID

Type

(specified

Length

(specified)

)

Specified attribute value……

VeType ndor-IDLength

Vendor-ID

Type

(specified

Length

(specified)

)

Specified attribute value……

e

Figure 1-4 Part of the RADIUS packet containing extended attribut

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-8

1.1.4 Introduction to HWTACACS

I. What is HWTACACS

HUAWEI Terminal Access Controller Access Control System (HWTACACS) is an

enhanced security protocol based on TACACS (RFC1492). Similar to the RADIUS

protocol, it implements AAA for different types of users (such as PPP/VPDN login users

and terminal users) through communications with TACACS servers in the Client-Server

mode. S3610&S5510 series Ethernet switches support authentication, authorization,

and accounting for telnet, FTP, Aux, and SSH users.

Compared with RADIUS, HWTACACS provides more reliable transmission and

encryption, and therefore is more suitable for security control.

Table 1-3 lists the

primary differences between HWTACACS and RADIUS protocols.

Table 1-3 Comparison between HWTACACS and RADIUS

HWTACACS RADIUS

Adopts TCP, providing more reliable

network transmission.

Adopts UDP.

Encrypts the entire packet except the

HWTACACS header.

Encrypts only the password field in

authentication packets.

Separates authentication from

authorization. For example, you can

provide authentication and authorization

on different TACACS servers.

Brings together authentication and

authorization.

Suitable for security control. Suitable for accounting.

Supports to authorize the use of

configuration commands.

Not support.

In a typical HWTACACS application, a terminal user needs to log in to the device for

operations. As the client of HWTACACS in this case, the switch sends the username

and password to the TACACS server for authentication. After passing authentication

and being authorized, the user can log in to the switch to perform operations, as shown

in

Figure 1-5.

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-9

HWTACACS server

129.7.66.66

HWTACACS server

129.7.66.67

Terminal user

HWTACACS client

HWTACACS server

129.7.66.66

HWTACACS server

129.7.66.67

Terminal user

HWTACACS client

Figure 1-5 Network diagram for a typical HWTACACS application

II. Basic message exchange procedure in HWTACACS

For example, use HWTACACS to implement authentication, authorization, and

accounting for a telnet user.

Figure 1-6 illustrates the basic message exchange

procedure:

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-10

Figure 1-6 The AAA implementation procedure for a telnet user

The basic message exchange procedure is as follows:

1) A user requests access to the switch; the TACACS client sends an authentication

start request packet to TACACS server upon receipt of the request.

2) The TACACS server sends back an authentication response requesting for the

username; the TACACS client asks the user for the username upon receipt of the

response.

3) The TACACS client sends an authentication continuance packet carrying the

username after receiving the username from the user.

4) The TACACS server sends back an authentication response, requesting for the

password. Upon receipt of the response, the TACACS client requests the user for

the login password.

5) After receiving the login password, the TACACS client sends an authentication

continuance packet carrying the login password to the TACACS server.

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-11

6) The TACACS server sends back an authentication response indicating that the

user has passed the authentication.

7) The TACACS client sends the user authorization request packet to the TACACS

server.

8) The TACACS server sends back the authorization response, indicating that the

user has passed the authorization.

9) Upon receipt of the response indicating an authorization success, the TACACS

client pushes the configuration interface of the switch to the user.

10) The TACACS client sends an accounting start request packet to the TACACS

server.

11) The TACACS server sends back an accounting response, indicating that it has

received the accounting start request.

12) The user logs out; the TACACS client sends an accounting stop request to the

TACACS server.

13) The TACACS server sends back an accounting stop packet, indicating that the

accounting stop request has been received.

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-12

1.2 Configuration Tasks

Table 1-4 Configuration tasks

Operation Description Related section

Create an ISP

domain

Required

Section

1.3.2

“Creating an ISP

Domain

”

Configure the

attributes of the

ISP domain

Optional

Section

1.3.3

“Configuring the

Attributes of an ISP

Domain

”

Configure an AAA

authentication

scheme for the

ISP domain

Required

If local

authentication is

adopted, refer to

section

1.3.7

“Configuring the

Attributes of a Local

User

”.

If RADIUS

authentication is

adopted, refer to

section

1.4

“RADIUS

Configuration

”.

If HWTACACS

authentication is

adopted , refer to

section

“

HWTACACS

Configuration

”

Section

1.3.4

"Configuring AAA

Authentication of an

ISP Domain

”

Configure an AAA

authorization

scheme for the

ISP domain

Optional

Section

1.3.5

“Configuring AAA

Authorization of an

ISP Domain

”

Configure an AAA

accounting

scheme for the

ISP domain

Optional

Section

1.3.6

“Configuring AAA

Accounting of an ISP

Domain

”

Configure the

attributes of a local

user

Optional

Section

1.3.7

Configuring the

Attributes of a Local

User

”

AAA

configuration

Cut down user

connections

forcibly

Optional

Section

1.3.8 Cutting

Down User

Connections Forcibly

”

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-13

Operation Description Related section

Create a RADIUS

scheme

Required

Section

1.4.1

“Creating a RADIUS

Scheme

”

Configure

RADIUS

authentication/aut

horization servers

Required

Section 1.4.2

“Configuring RADIUS

Authentication/Author

ization Servers

”

Configure

RADIUS

accounting

servers

Required

Section

1.4.3

“Configuring RADIUS

Accounting Servers

”

Configure shared

keys for RADIUS

packets

Required

Section

1.4.4

“Configuring Shared

Keys for RADIUS

Packets

”

Configure the

maximum number

of transmission

attempts of

RADIUS requests

Optional

Section

1.4.5

“Configuring the

Maximum Number of

Transmission

Attempts of RADIUS

Packets

”

Configure the

supported

RADIUS server

type

Optional

Section

1.4.6

“Configuring the

Supported RADIUS

Server Type

”

Configure the

status of RADIUS

servers

Optional

Section

1.4.7

“Configuring the

Status of RADIUS

Servers

”

Configure the

attributes for data

to be sent to

RADIUS servers

Optional

Section

1.4.8

“Configuring the

Attributes for Data to

be Sent to RADIUS

Servers

”

Configure a local

RADIUS

authentication

server

Optional

Section

1.4.9

“Configuring a Local

RADIUS Server

”

RADIUS

configuration

Configure the

timers for RADIUS

servers

Optional

Section

1.4.10

“Configuring the

Timers of RADIUS

Servers

”

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-14

Operation Description Related section

Create a

HWTACACS

scheme

Required

Section

1.5.1

“Creating a

HWTACACS

Scheme

”

Configure

HWTACACS

authentication

servers

Required

Section

1.5.2

“Configuring

HWTACACS

Authentication

Servers

”

Configure

HWTACACS

authorization

servers

Required

Section

1.5.3

“Configuring

HWTACACS

Authorization

Servers

”

Configure

HWTACACS

accounting

servers

Optional

Section

1.5.4

“Configuring

HWTACACS

Accounting Servers

”

Configure shared

keys for RADIUS

packets

Required

Section

1.5.5

“Configuring Shared

Keys for RADIUS

Packets

”

Configure the

attributes for data

to be sent to

TACACS servers

Optional

Section

1.5.6

“Configuring the

Attributes for Data to

be Sent to TACACS

Servers

”

HWTACACS

configuration

Configure the

timers of TACACS

servers

Optional

Section

1.5.7

“Configuring the

Timers of TACACS

Servers

”

1.3 AAA Configuration

The goal of AAA configuration is to protect network devices against unauthorized

access and at the same time provide network access services to authorized users. If

you need to use ISP domains to implement AAA management on access users, you

need to configure the ISP domains.

There are three types of users in AAA: login, command authorization, and lan-access.

You can configure authentication/authorization/accounting policies independently

according to the actual requirements of users.

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-15

1.3.1 Configuration Prerequisites

If you want to adopt remote AAA method, you must create a RADIUS or HWTACACS

scheme.

z RADIUS scheme (radius-scheme): You can reference a configured RADIUS

scheme to implement AAA services. For the configuration of RADIUS scheme,

refer to section

1.4 "RADIUS Configuration".

z HWTACACS scheme (hwtacacs-scheme): You can reference a configured

HWTACACS scheme to implement AAA services. For the configuration of

RADIUS scheme, refer to section

1.5 "HWTACACS Configuration".

1.3.2 Creating an ISP Domain

For the device, each access user belongs to one ISP domain. The system supports up

to 16 ISP domains. If no ISP domain name is provided when a user logs in, the system

ascribes the user to the default ISP domain.

Table 1-5 Create an ISP domain

Operation Command Description

Enter system view

system-view

—

Create an ISP domain and enter

its view, enter the view of an

existing ISP domain,

domain isp-name

Required

Return to system view

quit

Configure the default ISP

domain

domain default { disable |

enable isp-name }

Optional

The default ISP

domain is

"system".

Caution:

To remove the default ISP domain you define, you must first use the domain default

disable command.

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-16

1.3.3 Configuring the Attributes of an ISP Domain

Table 1-6 Configure the attributes of an ISP domain

Operation Command Description

Enter system view

system-view

—

Create an ISP domain or

enter the view of an existing

ISP domain

domain isp-name

Required

Activate/deactivate the ISP

domain

state { active |

block }

Optional

By default, once an ISP

domain is created, it is in the

active state; that is, all the

users in this domain are

allowed to access the

network.

Set the maximum number of

access users that can be

contained in the ISP domain

access-limit

{ disable | enable

max-user-number }

Optional

After an ISP domain is

created, the number of

access users it can contain

is unlimited by default.

Set the user idle-cut function

idle-cut { disable |

enable minute flow }

Optional

By default, user idle-cut

function is disabled.

Set the self-service server

location function

self-service-url

{ disable | enable

url-string }

Optional

By default, the self-service

server location function is

disabled.

Caution:

The self-service server location function must cooperate with a self-service-supported

RADIUS server (such as CAMS). Through self-service, users can manage and control

their accounts or card numbers by themselves. A server installed with the self-service

software is called a self-service server.

1.3.4 Configuring AAA Authentication of an ISP Domain

Authentication, authorization and accounting are three independent service

procedures in AAA. Authentication fulfills interactive authentication of user

name/password/user profile to meet individual access or service requests. It neither

delivers authorization message to the users who make service requests nor triggers

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-17

accounting. In AAA, you can use only authentication rather than authorization or

accounting. Without any configuration, by default the authentication of the domain is

local. You can configure authentication according to the following three steps:

Step1: To use RADIUS solution for authentication, you first need to configure a

RADIUS scheme to cite; to use local or none solution for authentication, you do not

need to configure a scheme.

Step 2: Determine the access ways or service types to configure. You can configure

authentication based on different access ways and service types, and restrict the

authentication protocols available for access through configuration.

Step 3: Determine whether to configure a default authentication for all access ways or

service types.

Table 1-7 Configure AAA authentication of an ISP domain

Operation Command Remarks

Enter system view

system-view

—

Create an ISP

domain or enter

the created ISP

domain view

domain isp-name

Required

Configure

authentication for

all users

authentication default

{ radius-scheme radius-scheme-name

[ local ] | hwtacacs-scheme

hwtacacs-scheme-name [ local ] |

local | none }

Optional

By default, local

authentication is

used.

Configure

authentication for

login user

authentication login { radius-scheme

radius-scheme-name [ local ] |

hwtacacs-scheme

hwtacacs-scheme-name [ local ] |

local | none }

Optional

Configure

authentication for

lan-access user

authentication lan-access

{ radius-scheme radius-scheme-name

[ local ] | local | none }

Optional

Operation Manual – AAA & RADIUS & HWTACACS

H3C S3610&S5510 Series Ethernet Switches

Chapter 1 AAA & RADIUS & HWTACAC

S Configuration

1-18

Caution:

z The authentication configured by the authentication default command is

applicable to all users. That is, the configuration takes effect for all users. But its

priority is lower than that configured in the specified access mode.

z If you have configured RADIUS as the solution for authentication, AAA only receives

authentication results from RADIUS Server. Although it is carried in the packet

responded for authentication success, but RADIUS authorization information is not

handled in the process of authentication response.

z If you have configured the radius-scheme radius-scheme-name local command,

or hwtacacs-scheme hwtacacs-scheme-name local command, local is used as

the alternative authentication when the RADIUS Server or TACACS server fails.

That is, the local authentication is used only when the RADIUS Server or TACACS

server does not work.

z In the case of that local or none is used as the first solution for authentication, you

can only use the local authentication or none authentication. You cannot use

RADIUS solution simultaneously.

1.3.5 Configuring AAA Authorization of an ISP Domain

Authorization is an independent procedure at the same level as authentication and

accounting in AAA, which is responsible for sending authorization requests to the

configured authorization server and delivering relevant authorization messages to

users after authorization. It is optional in the AAA configuration of an ISP domain.

By fault, the authorization scheme for an ISP domain is local. If you configure the

authorization scheme as none, no authorization is required. In this case, the

authenticated users have only default right. For example, by default EXEC users (for

instance, Telnet users and SSH users) have the lowest visit right. And FTP users are

authorized to use the root directory. You can configure authorization according to the

following three steps:

Step 1: If you choose HWTACACS authorization scheme, you should first define the

HWTACACS scheme to be used. For RADIUS authorization, it takes effect only when

the RADIUS scheme of authentication and authorization are configured similarly.

Step 2: Determine the access ways or service types to configure. You can configure

authorization based on different access ways and service types, and restrict the

authorization protocols available for access through configuration.

Step 3: Determine whether to configure a default authorization for all access ways or

service types.

Page is loading ...

H3C S3610 Series Operating instructions

This manual is also suitable for

H3C S3610 Series Operating instructions

Related papers

Other documents