H3C S5510 Series, S3610 Series Operating instructions
Operation Manual – AAA & RADIUS & HWTACACS
H3C S3610&S5510 Series Ethernet Switches

Table of Contents
Chapter 1 AAA & RADIUS & HWTACACS Configuration
1.1 Overview
1.1.1 Introduction to AAA
1.1.2 Introduction to ISP Domain
1.1.3 Introduction to RADIUS
1.1.4 Introduction to HWTACACS
1.2 Configuration Tasks
1.3 AAA Configuration
1.3.1 Configuration Prerequisites
1.3.2 Creating an ISP Domain
1.3.3 Configuring the Attributes of an ISP Domain
1.3.4 Configuring AAA Authentication of an ISP Domain
1.3.5 Configuring AAA Authorization of an ISP Domain
1.3.6 Configuring AAA Accounting of an ISP Domain
1.3.7 Configuring the Attributes of a Local User
1.3.8 Cutting Down User Connections Forcibly
1.4 RADIUS Configuration
1.4.1 Creating a RADIUS Scheme
1.4.2 Configuring RADIUS Authentication/Authorization Servers
1.4.3 Configuring RADIUS Accounting Servers and Related Parameters
1.4.4 Configuring Shared Keys for RADIUS Packets
1.4.5 Configuring the Maximum Number of Transmission Attempts of RADIUS Packets
1.4.6 Configuring the Supported RADIUS Server Type
1.4.7 Configuring the Status of RADIUS Servers
1.4.8 Configuring the Attributes for Data to be Sent to RADIUS Servers
1.4.9 Configuring a Local RADIUS Server
1.4.10 Configuring the Timers of RADIUS Servers
1.5 HWTACACS Configuration
1.5.1 Creating a HWTACACS Scheme
1.5.2 Configuring HWTACACS Authentication Servers
1.5.3 Configuring HWTACACS Authorization Servers
1.5.4 Configuring HWTACACS Accounting Servers
1.5.5 Configuring Shared Keys for HWTACACS Packets
1.5.6 Configuring the Attributes for Data to be Sent to TACACS Servers
1.5.7 Configuring the Timers of TACACS Servers
1.6 Displaying and Maintaining AAA & RADIUS & HWTACACS Information
1.7 AAA & RADIUS & HWTACACS Configuration Examples
1.7.1 Remote RADIUS Authentication of Telnet/SSH Users
1.7.2 Local Authentication, Authorization and Accounting for FTP/Telnet Users
1.7.3 TACACS Authentication/Authorization and Accounting of Telnet Users
1.7.4 Local Authentication, HWTACACS Authorization and RADIUS Accounting of Telnet Users
1.8 Troubleshooting AAA & RADIUS & HWTACACS Configuration
1.8.1 Troubleshooting the RADIUS Protocol
1.8.2 Troubleshooting the HWTACACS Protocol
Chapter 1 AAA & RADIUS & HWTACACS Configuration
1.1 Overview
1.1.1 Introduction to AAA
AAA is short for authentication, authorization and accounting, the three security functions. It provides a uniform framework for configuring these three functions to implement network security management.
The network security mentioned here mainly refers to access control. It controls:
• Which users can access the network,
• Which services those users can access,
• How to charge the users who are using network resources.
Accordingly, AAA provides the following services:
I. Authentication
AAA supports the following authentication methods:
• None authentication: Users are trusted and no authentication is performed. This method is generally not recommended.
• Local authentication: User information (including user name, password and attributes) is configured on the device itself. Local authentication is fast and has a low operational cost, but the amount of user information that can be stored is limited by the device hardware.
• Remote authentication: Users are authenticated remotely through the RADIUS or HWTACACS protocol. The device (for example, an H3C series switch) acts as the client that communicates with the RADIUS server or TACACS server. For RADIUS, both the standard and the extended RADIUS protocol can be used.
II. Authorization
AAA supports the following authorization methods:
• Direct authorization: Users are trusted and directly authorized; they receive the default rights.
• Local authorization: Users are authorized according to the attributes configured for their local accounts on the device.
• RADIUS authorization: Users are authorized after they pass RADIUS authentication. In the RADIUS protocol, authentication and authorization are bound together, so you cannot perform RADIUS authorization without RADIUS authentication.
• HWTACACS authorization: Users are authorized by the TACACS server.
III. Accounting
AAA supports the following accounting methods:
• None accounting: No accounting is performed for users.
• Local accounting: This function is intended for managing the number of local user connections and collecting statistics about the number of connected users.
• Remote accounting: User accounting is performed on the remote RADIUS server or TACACS server.
Generally, AAA adopts a client/server structure, where the client acts as the managed resource and the server stores user information. This structure scales well and facilitates centralized management of user information. AAA can be based on multiple protocols; currently RADIUS or HWTACACS is used.
1.1.2 Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users who belong to the same
ISP. For a user name in the format of userid@isp-name, the isp-name following the @
character is the ISP domain name. The access device uses userid as the user name for
authentication, and isp-name as the domain name.
In a multi-ISP environment, the users connected to the same access device may belong to different ISPs. Because the users of different ISPs may have different attributes (such as different user name and password formats and different service types and rights), it is necessary to distinguish them by ISP domain.
You can configure a set of ISP domain attributes (including AAA policy, RADIUS
scheme, and so on) for each ISP domain independently in ISP domain view.
1.1.3 Introduction to RADIUS
AAA is a management framework that can be implemented by more than one protocol. In practice, the most commonly used protocol for AAA is RADIUS.
I. What is RADIUS
RADIUS (remote authentication dial-in user service) is a distributed information
exchange protocol in client/server structure. It can prevent unauthorized access to the
network and is commonly used in network environments where both high security and
remote user access service are required.
The RADIUS service involves three components:
• Protocol: Running over UDP/IP, RFC 2865 and RFC 2866 define the frame format and message transfer mechanism of RADIUS, and define port 1812 for authentication and port 1813 for accounting.
• Server: The RADIUS server runs on a computer or workstation at the center. It stores and maintains the information on user authentication and network service access.
• Client: RADIUS clients run on the dial-in access server devices and can be deployed anywhere in the network.
RADIUS is based on client/server model. Acting as a RADIUS client, the switch passes
user information to a designated RADIUS server, and makes processing (such as
connecting/disconnecting users) depending on the responses returned from the server.
The RADIUS server receives user's connection requests, authenticates users, and
returns all required information to the switch.
Generally, the RADIUS server maintains the following three databases (as shown in Figure 1-1):
• Users: stores information about users (such as user name, password, adopted protocol and IP address).
• Clients: stores information about RADIUS clients (such as shared keys).
• Dictionary: stores the information used to interpret the attributes and attribute values of the RADIUS protocol.
Figure 1-1 Databases in RADIUS server (Users, Clients, Dictionary)
In addition, the RADIUS server can act as the client of some other AAA server to
provide the authentication or accounting proxy service.
II. Basic message exchange procedure of RADIUS
The messages exchanged between a RADIUS client (a switch, for example) and the
RADIUS server are verified by using a shared key. This enhances the security. The
RADIUS protocol combines the authentication and authorization processes together by
sending authorization information in the authentication response message.
Figure 1-2 depicts the message exchange procedure between user, switch and RADIUS server.

Figure 1-2 Basic message exchange procedure of RADIUS
The basic message exchange procedure of RADIUS is as follows:
1) The user enters the user name and password.
2) The RADIUS client receives the user name and password and sends an authentication request (Access-Request) to the RADIUS server.
3) The RADIUS server compares the received user information with that in the Users database to authenticate the user. If the authentication succeeds, the RADIUS server sends back an authentication response (Access-Accept), which contains the information on the user's rights, to the RADIUS client. If the authentication fails, it returns an Access-Reject response.
4) The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request with the Acct-Status-Type attribute set to "start") to the RADIUS server.
5) The RADIUS server returns a start-accounting response (Accounting-Response).
6) The user starts to access the resources.
7) The RADIUS client sends a stop-accounting request (Accounting-Request with the Acct-Status-Type attribute set to "stop") to the RADIUS server.
8) The RADIUS server returns a stop-accounting response (Accounting-Response).
9) The user stops accessing the network resources.
III. RADIUS packet structure
RADIUS uses UDP to transmit messages and ensures correct message exchange between the RADIUS server and client through the following mechanisms: timer management, retransmission, and backup servers. Figure 1-3 depicts the structure of RADIUS packets.
Figure 1-3 RADIUS packet structure (fields in order: Code, Identifier, Length, Authenticator, Attribute)
1) The Code field decides the type of the RADIUS packet, as shown in Table 1-1.
Table 1-1 Description on major values of the Code field
• Code 1, Access-Request (direction: client->server). The client sends this packet to the server to determine whether the user can access the network. It carries user information: it must contain the User-Name attribute and may contain the NAS-IP-Address, User-Password and NAS-Port attributes.
• Code 2, Access-Accept (direction: server->client). The server sends this packet to the client if all the attribute values carried in the Access-Request packet are acceptable, that is, the user passes the authentication.
• Code 3, Access-Reject (direction: server->client). The server sends this packet to the client if any attribute value carried in the Access-Request packet is unacceptable, that is, the user fails the authentication.
• Code 4, Accounting-Request (direction: client->server). The client sends this packet to the server to request that accounting start or stop; which of the two is determined by the Acct-Status-Type attribute in the packet. This packet carries almost the same attributes as the Access-Request packet.
• Code 5, Accounting-Response (direction: server->client). The server sends this packet to notify the client that it has received the Accounting-Request packet and has correctly recorded the accounting information.
2) The Identifier field (one byte) matches responses to requests. It changes when the content of the Attribute field changes or after a valid response has been received, but stays the same across retransmissions of the same request.
3) The Length field (two bytes) specifies the total length of the packet, including the Code, Identifier, Length, Authenticator and Attribute fields. Bytes beyond the Length are treated as padding and ignored on receipt. If the received packet is shorter than the value of this field, it is discarded.
4) The Authenticator field (16 bytes) is used to verify the packet returned from the RADIUS server and is also used in the password-hiding algorithm. There are two kinds of authenticators: Request and Response.
5) The Attribute field carries the authentication, authorization and accounting information that gives the details of a request or response. It consists of attributes, each represented by a Type, Length and Value triplet:
• The Type field (one byte) specifies the type of the attribute. Its value ranges from 1 to 255. Table 1-2 lists the attributes commonly used in RADIUS authentication and authorization.
• The Length field (one byte) specifies the total length of the attribute in bytes, including the Type, Length and Value fields.
• The Value field (up to 253 bytes) contains the attribute information. Its content and format are determined by the Type and Length fields.
Table 1-2 RADIUS attributes (value of the Type field, attribute type)
1 User-Name
2 User-Password
3 CHAP-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
10 Framed-Routing
11 Filter-ID
12 Framed-MTU
13 Framed-Compression
14 Login-IP-Host
15 Login-Service
16 Login-TCP-Port
17 (unassigned)
18 Reply-Message
19 Callback-Number
20 Callback-ID
21 (unassigned)
22 Framed-Route
23 Framed-IPX-Network
24 State
25 Class
26 Vendor-Specific
27 Session-Timeout
28 Idle-Timeout
29 Termination-Action
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
33 Proxy-State
34 Login-LAT-Service
35 Login-LAT-Node
36 Login-LAT-Group
37 Framed-AppleTalk-Link
38 Framed-AppleTalk-Network
39 Framed-AppleTalk-Zone
40-59 (reserved for accounting)
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port
RADIUS is extensible. Attribute 26 (Vendor-Specific) allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.
Figure 1-4 depicts the structure of attribute 26. The Vendor-ID field, which identifies the vendor, occupies four bytes: the first byte is 0 and the other three bytes carry the vendor code assigned in RFC 1700. After it, the vendor can encapsulate multiple customized sub-attributes (each with its own Type, Length and Value) to obtain an extended RADIUS implementation.
Figure 1-4 Part of the RADIUS packet containing an extended attribute (Type 26, Length, Vendor-ID, then one or more vendor sub-attributes, each with a specified Type, a specified Length and the attribute value)
1.1.4 Introduction to HWTACACS
I. What is HWTACACS
HUAWEI Terminal Access Controller Access Control System (HWTACACS) is an
enhanced security protocol based on TACACS (RFC1492). Similar to the RADIUS
protocol, it implements AAA for different types of users (such as PPP/VPDN login users
and terminal users) through communications with TACACS servers in the Client-Server
mode. S3610&S5510 series Ethernet switches support authentication, authorization,
and accounting for telnet, FTP, Aux, and SSH users.
Compared with RADIUS, HWTACACS provides more reliable transmission and
encryption, and therefore is more suitable for security control.
Table 1-3 lists the primary differences between the HWTACACS and RADIUS protocols.
Table 1-3 Comparison between HWTACACS and RADIUS
• Transport: HWTACACS adopts TCP, providing more reliable network transmission; RADIUS adopts UDP.
• Encryption: HWTACACS encrypts the entire packet except the HWTACACS header; RADIUS encrypts only the password field in authentication packets.
• Authentication and authorization: HWTACACS separates authentication from authorization (for example, you can provide authentication and authorization on different TACACS servers); RADIUS brings authentication and authorization together.
• Typical use: HWTACACS is suitable for security control; RADIUS is suitable for accounting.
• Command authorization: HWTACACS supports authorizing the use of configuration commands; RADIUS does not.
In a typical HWTACACS application, a terminal user needs to log in to the device for operations. As the HWTACACS client in this case, the switch sends the username and password to the TACACS server for authentication. After passing authentication and being authorized, the user can log in to the switch to perform operations, as shown in Figure 1-5.
Figure 1-5 Network diagram for a typical HWTACACS application (a terminal user connects to the switch acting as HWTACACS client, which communicates with the HWTACACS servers at 129.7.66.66 and 129.7.66.67)
II. Basic message exchange procedure in HWTACACS
Take HWTACACS authentication, authorization and accounting of a Telnet user as an example. Figure 1-6 illustrates the basic message exchange procedure:
Figure 1-6 The AAA implementation procedure for a telnet user
The basic message exchange procedure is as follows:
1) A user requests access to the switch; the TACACS client sends an authentication
start request packet to TACACS server upon receipt of the request.
2) The TACACS server sends back an authentication response requesting the username; the TACACS client asks the user for the username upon receipt of the response.
3) After receiving the username from the user, the TACACS client sends an authentication continuance packet carrying the username.
4) The TACACS server sends back an authentication response requesting the password. Upon receipt of the response, the TACACS client asks the user for the login password.
5) After receiving the login password, the TACACS client sends an authentication continuance packet carrying the login password to the TACACS server.
6) The TACACS server sends back an authentication response indicating that the
user has passed the authentication.
7) The TACACS client sends the user authorization request packet to the TACACS
server.
8) The TACACS server sends back the authorization response, indicating that the
user has passed the authorization.
9) Upon receipt of the response indicating an authorization success, the TACACS
client pushes the configuration interface of the switch to the user.
10) The TACACS client sends an accounting start request packet to the TACACS
server.
11) The TACACS server sends back an accounting response, indicating that it has
received the accounting start request.
12) The user logs out; the TACACS client sends an accounting stop request to the
TACACS server.
13) The TACACS server sends back an accounting stop packet, indicating that the
accounting stop request has been received.
1.2 Configuration Tasks
Table 1-4 Configuration tasks

AAA configuration:
• Create an ISP domain (required): section 1.3.2 "Creating an ISP Domain".
• Configure the attributes of the ISP domain (optional): section 1.3.3 "Configuring the Attributes of an ISP Domain".
• Configure an AAA authentication scheme for the ISP domain (required): section 1.3.4 "Configuring AAA Authentication of an ISP Domain". If local authentication is adopted, also refer to section 1.3.7 "Configuring the Attributes of a Local User"; if RADIUS authentication is adopted, refer to section 1.4 "RADIUS Configuration"; if HWTACACS authentication is adopted, refer to section 1.5 "HWTACACS Configuration".
• Configure an AAA authorization scheme for the ISP domain (optional): section 1.3.5 "Configuring AAA Authorization of an ISP Domain".
• Configure an AAA accounting scheme for the ISP domain (optional): section 1.3.6 "Configuring AAA Accounting of an ISP Domain".
• Configure the attributes of a local user (optional): section 1.3.7 "Configuring the Attributes of a Local User".
• Cut down user connections forcibly (optional): section 1.3.8 "Cutting Down User Connections Forcibly".

RADIUS configuration:
• Create a RADIUS scheme (required): section 1.4.1 "Creating a RADIUS Scheme".
• Configure RADIUS authentication/authorization servers (required): section 1.4.2 "Configuring RADIUS Authentication/Authorization Servers".
• Configure RADIUS accounting servers (required): section 1.4.3 "Configuring RADIUS Accounting Servers".
• Configure shared keys for RADIUS packets (required): section 1.4.4 "Configuring Shared Keys for RADIUS Packets".
• Configure the maximum number of transmission attempts of RADIUS requests (optional): section 1.4.5 "Configuring the Maximum Number of Transmission Attempts of RADIUS Packets".
• Configure the supported RADIUS server type (optional): section 1.4.6 "Configuring the Supported RADIUS Server Type".
• Configure the status of RADIUS servers (optional): section 1.4.7 "Configuring the Status of RADIUS Servers".
• Configure the attributes for data to be sent to RADIUS servers (optional): section 1.4.8 "Configuring the Attributes for Data to be Sent to RADIUS Servers".
• Configure a local RADIUS authentication server (optional): section 1.4.9 "Configuring a Local RADIUS Server".
• Configure the timers for RADIUS servers (optional): section 1.4.10 "Configuring the Timers of RADIUS Servers".

HWTACACS configuration:
• Create a HWTACACS scheme (required): section 1.5.1 "Creating a HWTACACS Scheme".
• Configure HWTACACS authentication servers (required): section 1.5.2 "Configuring HWTACACS Authentication Servers".
• Configure HWTACACS authorization servers (required): section 1.5.3 "Configuring HWTACACS Authorization Servers".
• Configure HWTACACS accounting servers (optional): section 1.5.4 "Configuring HWTACACS Accounting Servers".
• Configure shared keys for HWTACACS packets (required): section 1.5.5 "Configuring Shared Keys for HWTACACS Packets".
• Configure the attributes for data to be sent to TACACS servers (optional): section 1.5.6 "Configuring the Attributes for Data to be Sent to TACACS Servers".
• Configure the timers of TACACS servers (optional): section 1.5.7 "Configuring the Timers of TACACS Servers".
1.3 AAA Configuration
The goal of AAA configuration is to protect network devices against unauthorized
access and at the same time provide network access services to authorized users. If
you need to use ISP domains to implement AAA management on access users, you
need to configure the ISP domains.
There are three types of users in AAA: login, command authorization, and lan-access.
You can configure authentication/authorization/accounting policies independently
according to the actual requirements of users.
1.3.1 Configuration Prerequisites
If you want to adopt a remote AAA method, you must first create a RADIUS or HWTACACS scheme.
• RADIUS scheme (radius-scheme): You can reference a configured RADIUS scheme to implement AAA services. For the configuration of a RADIUS scheme, refer to section 1.4 "RADIUS Configuration".
• HWTACACS scheme (hwtacacs-scheme): You can reference a configured HWTACACS scheme to implement AAA services. For the configuration of a HWTACACS scheme, refer to section 1.5 "HWTACACS Configuration".
1.3.2 Creating an ISP Domain
On the device, each access user belongs to one ISP domain. The system supports up to 16 ISP domains. If no ISP domain name is provided when a user logs in, the system assigns the user to the default ISP domain.
Table 1-5 Create an ISP domain
1. Enter system view: system-view
2. Create an ISP domain and enter its view, or enter the view of an existing ISP domain: domain isp-name (required)
3. Return to system view: quit
4. Configure the default ISP domain: domain default { disable | enable isp-name } (optional; the default ISP domain is "system")
Caution:
To remove the default ISP domain you defined, you must first use the domain default disable command.
1.3.3 Configuring the Attributes of an ISP Domain
Table 1-6 Configure the attributes of an ISP domain
1. Enter system view: system-view
2. Create an ISP domain or enter the view of an existing ISP domain: domain isp-name (required)
3. Activate or block the ISP domain: state { active | block } (optional; by default a newly created ISP domain is in the active state, that is, all users in the domain are allowed to access the network)
4. Set the maximum number of access users the ISP domain can contain: access-limit { disable | enable max-user-number } (optional; by default the number of access users a domain can contain is unlimited)
5. Set the user idle-cut function: idle-cut { disable | enable minute flow } (optional; disabled by default)
6. Set the self-service server location function: self-service-url { disable | enable url-string } (optional; disabled by default)
Caution:
The self-service server location function must cooperate with a self-service-supported RADIUS server (such as CAMS). Through self-service, users can manage and control their accounts or card numbers by themselves. A server installed with the self-service software is called a self-service server.
1.3.4 Configuring AAA Authentication of an ISP Domain
Authentication, authorization and accounting are three independent service procedures in AAA. Authentication verifies the user name, password and user profile interactively to meet individual access or service requests. It neither delivers authorization messages to the users who make service requests nor triggers accounting. In AAA you can use authentication alone, without authorization or accounting. Without any configuration, the authentication method of a domain is local by default. Configure authentication in the following three steps:
Step 1: To use RADIUS or HWTACACS for authentication, first configure the RADIUS or HWTACACS scheme to be referenced; to use local or none authentication, no scheme is needed.
Step 2: Determine the access modes or service types to configure. You can configure authentication separately for different access modes and service types, and restrict the authentication protocols available for each by configuration.
Step 3: Determine whether to configure a default authentication method for all access modes or service types.
Table 1-7 Configure AAA authentication of an ISP domain
1. Enter system view: system-view
2. Create an ISP domain or enter the view of an existing ISP domain: domain isp-name (required)
3. Configure authentication for all users: authentication default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } (optional; by default, local authentication is used)
4. Configure authentication for login users: authentication login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } (optional)
5. Configure authentication for lan-access users: authentication lan-access { radius-scheme radius-scheme-name [ local ] | local | none } (optional)
Caution:
• The authentication configured with the authentication default command applies to all users. Its priority, however, is lower than that of the authentication configured for a specific access mode (for example, with authentication login).
• If RADIUS is the authentication method, AAA takes only the authentication result from the RADIUS server. Although the Access-Accept packet carries authorization information, that information is not processed while handling the authentication response.
• If you configure radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local, local authentication is the fallback used only when the RADIUS or TACACS server does not work, that is, when it does not respond. A rejection returned by the server is an authentication result, not a server failure, and does not trigger the local fallback.
• If local or none is configured as the first method, only local or none authentication is used; you cannot combine it with RADIUS or HWTACACS authentication.
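The domain-resolution rules of sections 1.1.2 and 1.3.2, the domain attributes of section 1.3.3 and the method-selection and fallback rules of this section can be put together in a small decision model. The following is an added example, not H3C code or the switch's actual implementation: the domain names, scheme names, passwords and the simulated server behaviour are constructed test data. The point it demonstrates is the last cautions above: the access-type-specific command outranks authentication default, and "local" after a scheme name is a fallback for a server that does not respond, not a second chance after the server rejects the user.

```python
"""Model of ISP-domain resolution and authentication-method selection.
Added example, not H3C code: domain names, scheme names, passwords and the
simulated server behaviour are constructed test data."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_DOMAIN = "system"   # factory default of "domain default enable"
MAX_DOMAINS = 16            # the device supports up to 16 ISP domains
ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"

@dataclass
class Domain:
    name: str
    state: str = "active"                        # state { active | block }
    access_limit: Optional[int] = None           # access-limit { disable | enable n }
    online: int = 0                              # users currently in the domain
    auth_default: Optional[List[str]] = None     # authentication default ...
    auth_login: Optional[List[str]] = None       # authentication login ...
    auth_lan_access: Optional[List[str]] = None  # authentication lan-access ...

def create_domain(domains: Dict[str, Domain], name: str) -> Domain:
    """domain isp-name: create the domain or enter an existing one; at most 16."""
    if name not in domains and len(domains) >= MAX_DOMAINS:
        raise ValueError("the device supports at most 16 ISP domains")
    return domains.setdefault(name, Domain(name))

def split_login_name(login: str, default_domain: str = DEFAULT_DOMAIN) -> Tuple[str, str]:
    """userid@isp-name -> (userid, isp-name); without '@' the default domain applies."""
    userid, sep, isp = login.partition("@")
    return userid, (isp if sep and isp else default_domain)

def method_chain(domain: Domain, access_type: str) -> List[str]:
    """The access-type specific command (authentication login / lan-access)
    outranks authentication default; with nothing configured, local is used."""
    specific = {"login": domain.auth_login, "lan-access": domain.auth_lan_access}.get(access_type)
    if specific is not None:
        return specific
    return domain.auth_default if domain.auth_default is not None else ["local"]

def local_auth(userid: str, password: str, local_users: Dict[str, str]) -> Tuple[str, str]:
    """Local user database; plaintext here only to keep the model short."""
    stored = local_users.get(userid)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return ACCEPT, "local user accepted"
    return REJECT, "local authentication failed"

def authenticate(login, password, access_type, domains, servers, local_users):
    """servers maps a scheme name to a callable(userid, password) returning
    ACCEPT, REJECT or UNREACHABLE (a simulated RADIUS/TACACS server).
    A chain looks like ["radius-scheme", "rad1", "local"], ["local"] or ["none"]."""
    userid, isp = split_login_name(login)
    domain = domains.get(isp)
    if domain is None:
        return REJECT, "unknown ISP domain " + isp
    if domain.state != "active":
        return REJECT, "domain " + isp + " is blocked"
    if domain.access_limit is not None and domain.online >= domain.access_limit:
        return REJECT, "domain " + isp + " has reached its access-limit"
    chain = method_chain(domain, access_type)
    if chain[0] == "none":
        return ACCEPT, "none authentication: user trusted"
    if chain[0] == "local":
        return local_auth(userid, password, local_users)
    kind, scheme = chain[0], chain[1]
    server = servers.get(scheme)
    outcome = server(userid, password) if server else UNREACHABLE
    if outcome == ACCEPT:
        return ACCEPT, kind + " " + scheme + " accepted"
    if outcome == REJECT:
        # An explicit rejection is final: "local" never rescues a bad password.
        return REJECT, kind + " " + scheme + " rejected"
    if len(chain) > 2 and chain[2] == "local":
        result, why = local_auth(userid, password, local_users)
        return result, scheme + " unreachable, local fallback: " + why
    return REJECT, kind + " " + scheme + " unreachable and no local fallback"

def demo():
    """Constructed scenario; returns the outcomes the test checks."""
    domains: Dict[str, Domain] = {}
    create_domain(domains, DEFAULT_DOMAIN)
    corp = create_domain(domains, "corp")
    corp.auth_login = ["radius-scheme", "rad1", "local"]   # login users: RADIUS, local fallback
    corp.auth_default = ["local"]                           # everyone else: local
    create_domain(domains, "guest").state = "block"
    local_users = {"admin": "constructed-pw"}
    down = {"rad1": lambda u, p: UNREACHABLE}               # rad1 is not answering
    strict = {"rad1": lambda u, p: REJECT}                  # rad1 answers Access-Reject
    return {
        "default_domain": split_login_name("admin")[1],
        "fallback": authenticate("admin@corp", "constructed-pw", "login", domains, down, local_users)[0],
        "reject_is_final": authenticate("admin@corp", "constructed-pw", "login", domains, strict, local_users)[0],
        "blocked": authenticate("bob@guest", "x", "login", domains, down, local_users)[0],
        "lan_uses_default": method_chain(corp, "lan-access"),
    }
```

In the scenario, admin@corp is accepted locally while rad1 is silent but rejected when rad1 answers with a rejection, even though the same local account exists; that asymmetry is what the caution means by "only when the server does not work". A blocked domain or one at its access-limit refuses the user before any method is consulted.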
1.3.5 Configuring AAA Authorization of an ISP Domain
Authorization is an independent procedure at the same level as authentication and accounting in AAA. It sends authorization requests to the configured authorization server and delivers the relevant authorization messages to users after authorization. It is optional in the AAA configuration of an ISP domain.
By default, the authorization method of an ISP domain is local. If you configure the authorization method as none, no authorization is required and authenticated users have only the default rights. For example, by default EXEC users (for instance, Telnet users and SSH users) have the lowest access right, and FTP users are authorized to use the root directory. Configure authorization in the following three steps:
Step 1: If you choose HWTACACS authorization, first define the HWTACACS scheme to be used. RADIUS authorization takes effect only when authentication and authorization reference the same RADIUS scheme.
Step 2: Determine the access modes or service types to configure. You can configure authorization separately for different access modes and service types, and restrict the authorization protocols available for each by configuration.
Step 3: Determine whether to configure a default authorization method for all access modes or service types.