2. H3C
  3. S3100-52P

H3C S3100-52P Operating instructions

  • Hello! I am an AI chatbot trained to assist you with the H3C S3100-52P Operating instructions. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch Table of Contents
i
Table of Contents
Chapter 1 AAA & RADIUS & HWTACACS Configuration..........................................................1-1
1.1 Overview............................................................................................................................1-1
1.1.1 Introduction to AAA.................................................................................................1-1
1.1.2 Introduction to ISP Domain.....................................................................................1-2
1.1.3 Introduction to RADIUS...........................................................................................1-2
1.1.4 Introduction to HWTACACS....................................................................................1-7
1.2 Configuration Task........................................................................................................... 1-10
1.3 AAA Configuration ........................................................................................................... 1-12
1.3.1 Configuration Prerequisites...................................................................................1-13
1.3.2 Creating an ISP Domain .......................................................................................1-13
1.3.3 Configuring the Attributes of an ISP Domain........................................................ 1-13
1.3.4 Configuring an AAA Scheme for an ISP Domain..................................................1-15
1.3.5 Configuring Dynamic VLAN Assignment ..............................................................1-17
1.3.6 Configuring the Attributes of a Local User............................................................ 1-19
1.3.7 Cutting Down User Connections Forcibly.............................................................1-21
1.4 RADIUS Configuration..................................................................................................... 1-21
1.4.1 Creating a RADIUS Scheme................................................................................. 1-22
1.4.2 Configuring RADIUS Authentication/Authorization Servers..................................1-23
1.4.3 Configuring RADIUS Accounting Servers............................................................. 1-24
1.4.4 Configuring Shared Keys for RADIUS Messages................................................. 1-25
1.4.5 Configuring Maximum Number of Transmission Attempts of RADIUS Request .. 1-26
1.4.6 Configuring to Support a Type of RADIUS Server................................................1-27
1.4.7 Configuring the Status of RADIUS Servers ..........................................................1-27
1.4.8 Configuring the Attributes for Data to be Sent to RADIUS Servers......................1-28
1.4.9 Configuring Local RADIUS Authentication Server................................................1-29
1.4.10 Configuring the Timers of RADIUS Servers........................................................1-30
1.4.11 Enabling the Sending of Trap Message When a RADIUS Server is Down........1-31
1.4.12 Enabling the User Re-Authentication at Restart Function..................................1-32
1.5 HWTACACS Configuration..............................................................................................1-33
1.5.1 Creating a HWTACAS Scheme ............................................................................ 1-33
1.5.2 Configuring HWTACACS Authentication Servers................................................. 1-34
1.5.3 Configuring HWTACACS Authorization Servers................................................... 1-35
1.5.4 Configuring HWTACACS Accounting Servers...................................................... 1-36
1.5.5 Configuring Shared Keys for HWTACACS Messages..........................................1-36
1.5.6 Configuring the Attributes for Data to be Sent to TACACS Servers.....................1-37
1.5.7 Configuring the Timers of TACACS Servers.........................................................1-38
1.6 Displaying and Maintaining AAA & RADIUS & HWTACACS Information.......................1-39
1.7 AAA & RADIUS & HWTACACS Configuration Example.................................................1-41
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch Table of Contents
ii
1.7.1 Remote RADIUS Authentication of Telnet/SSH Users......................................... 1-41
1.7.2 Local Authentication of FTP/Telnet Users ............................................................1-43
1.7.3 HWTACACS Authentication and Authorization of Telnet Users...........................1-44
1.8 Troubleshooting AAA & RADIUS & HWTACACS Configuration.....................................1-45
1.8.1 Troubleshooting RADIUS Configuration...............................................................1-45
1.8.2 Troubleshooting HWTACACS Configuration........................................................ 1-46
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-1
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1.1 Overview
1.1.1 Introduction to AAA
AAA is an acronym for the three security functions: authentication, authorization and
accounting. It provides a uniform framework for you to configure the three security
functions to implement network security management.
The network security mentioned here mainly refers to access control. It mainly controls:
z Which users can access the network,
z Which services are available to the users who can access the network, and
z How to charge the users who are using network resources.
Accordingly, AAA provides the following three functions:
I. Authentication
AAA supports the following authentication methods:
z None authentication: Users are trusted and are not checked for their validity.
Generally, this method is not recommended.
z Local authentication: User information (including user name, password, and some
other attributes) is configured on this device, and users are authenticated on this
device instead of on a remote device. Local authentication is fast and requires
lower operational cost, but has the deficiency that information storage capacity is
limited by device hardware.
z Remote authentication: Users are authenticated remotely through RADIUS or
HWTACACS protocol. This device (for example, a H3C series switch) acts as the
client to communicate with the RADIUS or TACACS server. For RADIUS protocol,
you can use extended RADIUS protocol as well as standard RADIUS protocol.
II. Authorization
AAA supports the following authorization methods:
z Direct authorization: Users are trusted and directly authorized.
z Local authorization: Users are authorized according to the related attributes
configured for their local accounts on this device.
z RADIUS authorization: Users are authorized after they pass RADIUS
authentication. In RADIUS protocol, authentication and authorization are
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-2
combined together, and authorization cannot be performed alone without
authentication.
z HWTACACS authorization: Users are authorized by a TACACS server.
III. Accounting
AAA supports the following accounting methods:
z None accounting: No accounting is performed for users.
z Remote accounting: User accounting is performed on a remote RADIUS or
TACACS server.
Generally, AAA adopts client/server structure, where the client acts as the managed
resource and the server stores user information. This structure has good scalability and
facilitates the centralized management of user information.
1.1.2 Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users who belong to the same
ISP. For a user name in the format of userid@isp-name, the isp-name following the "@"
character is the ISP domain name. The access device uses userid as the user name for
authentication, and isp-name as the domain name.
In a multi-ISP environment, the users connected to the same access device may
belong to different domains. Since the users of different ISPs may have different
attributes (such as different forms of user name and password, different service
types/access rights), it is necessary to distinguish the users by setting ISP domains.
You can configure a set of ISP domain attributes (including AAA policy, RADIUS
scheme, and so on) for each ISP domain independently in ISP domain view.
1.1.3 Introduction to RADIUS
AAA is a management framework. It can be implemented by not only one protocol. But
in practice, the most commonly used protocol for AAA is RADIUS.
I. What is RADIUS
RADIUS (remote authentication dial-in user service) is a distributed information
exchange protocol based on client/server structure. It can prevent unauthorized access
to your network and is commonly used in network environments where both high
security and remote user access service are required.
The RADIUS service involves three components:
z Protocol: Based on the UDP/IP layer, RFC 2865 and 2866 define the message
format and message transfer mechanism of RADIUS, and define 1812 as the
authentication port and 1813 as the accounting port.
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-3
z Server: RADIUS Server runs on a computer or workstation at the center. It stores
and maintains user authentication information and network service access
information.
z Client: RADIUS Client runs on dial-in access server devices throughout the
network.
RADIUS is based on client/server model. A switch acting as a RADIUS client passes
user information to a specified RADIUS server, and takes appropriate action (such as
establishing/terminating user connection) depending on the responses returned from
the server. The RADIUS server receives user connection requests, authenticates users,
and returns all required information to the switch.
Generally, a RADIUS server maintains the following three databases (see
Figure 1-1):
z Users: This database stores information about users (such as user name,
password, protocol adopted and IP address).
z Clients: This database stores information about RADIUS clients (such as shared
key).
z Dictionary: The information stored in this database is used to interpret the
attributes and attribute values in the RADIUS protocol.
RADIUS server
Users Clients
Dictionary
RADIUS server
Users Clients
Dictionary
Figure 1-1 Databases in a RADIUS server
In addition, a RADIUS server can act as a client of some other AAA server to provide
authentication or accounting proxy service.
II. Basic message exchange procedure in RADIUS
The messages exchanged between a RADIUS client (a switch, for example) and a
RADIUS server are verified through a shared key. This enhances the security. The
RADIUS protocol combines the authentication and authorization processes together by
sending authorization information along with the authentication response message.
Figure 1-2 depicts the message exchange procedure between user, switch and
RADIUS server.
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-4
RADIUS
Server
(1) The user inputs the user name and password
(2)
Access -Request
PC
RADIUS
Client
(3) Access -Accept
(4) Accounting -Request (start)
(5) Accounting -Response
(7) Accounting - Request (
(8) Accounting -Response
(9) Inform the user the access is ended
stop)
(6) The user starts to access the resources
RADIUS
server
(1) The user inputs the user name and password
(2)
Access -Request
PC
RADIUS
client
(3) Access -Accept
(4) Accounting -Request (start)
(5) Accounting -Response
(7) Accounting - Request (
(8) Accounting -Response
(9) Inform the user the access is ended
stop)
(6) The user starts to access the resources
RADIUS
Server
(1) The user inputs the user name and password
(2)
Access -Request
PC
RADIUS
Client
(3) Access -Accept
(4) Accounting -Request (start)
(5) Accounting -Response
(7) Accounting - Request (
(8) Accounting -Response
(9) Inform the user the access is ended
stop)
(6) The user starts to access the resources
RADIUS
server
(1) The user inputs the user name and password
(2)
Access - Request
PC
RADIUS
client
(3) Access - Accept
(4) Accounting - Request (start)
(5) Accounting
-
Response
(7) Accounting - Request (
(8) Accounting - Response
(9) Inform the user the access is ended
stop)
(6) The user starts to access the resources
RADIUS
Server
(1) The user inputs the user name and password
(2)
Access -Request
PC
RADIUS
Client
(3) Access -Accept
(4) Accounting -Request (start)
(5) Accounting -Response
(7) Accounting - Request (
(8) Accounting -Response
(9) Inform the user the access is ended
stop)
(6) The user starts to access the resources
RADIUS
server
(1) The user inputs the user name and password
(2)
Access -Request
PC
RADIUS
client
(3) Access -Accept
(4) Accounting -Request (start)
(5) Accounting -Response
(7) Accounting - Request (
(8) Accounting -Response
(9) Inform the user the access is ended
stop)
(6) The user starts to access the resources
RADIUS
Server
(1) The user inputs the user name and password
(2)
Access -Request
PC
RADIUS
Client
(3) Access -Accept
(4) Accounting -Request (start)
(5) Accounting -Response
(7) Accounting - Request (
(8) Accounting -Response
(9) Inform the user the access is ended
stop)
(6) The user starts to access the resources
RADIUS
server
(1) The user inputs the user name and password
(2)
Access - Request
PC
RADIUS
client
(3) Access - Accept
(4) Accounting - Request (start)
(5) Accounting
-
Response
(7) Accounting - Request (
(8) Accounting - Response
(9) Inform the user the access is ended
stop)
(6) The user starts to access the resources
Figure 1-2 Basic message exchange procedure of RADIUS
The basic message exchange procedure of RADIUS is as follows:
1) The user enters the user name and password.
2) The RADIUS client receives the user name and password, and then sends an
authentication request (Access-Request) to the RADIUS server.
3) The RADIUS server compares the received user information with that in the Users
database to authenticate the user. If the authentication succeeds, the RADIUS
server sends back to the RADIUS client an authentication response
(Access-Accept), which contains the user’s access right information. If the
authentication fails, the server returns an Access-Reject response.
4) The RADIUS client accepts or denies the user depending on the received
authentication result. If it accepts the user, the RADIUS client sends a
start-accounting request (Accounting-Request, with the Status-Type attribute
value = start) to the RADIUS server.
5) The RADIUS server returns a start-accounting response (Accounting-Response).
6) The user starts to access network resources.
7) The RADIUS client sends a stop-accounting request (Accounting-Request, with
the Status-Type attribute value = stop) to the RADIUS server.
8) The RADIUS server returns a stop-accounting response (Accounting-Response).
9) The access to network resources is ended.
III. RADIUS message format
RADIUS messages are transported over UDP, which does not guarantee reliable
delivery of messages between RADIUS server and client. As a remedy, RADIUS
adopts the following mechanisms: timer management, retransmission, and backup
server.
Figure 1-3 depicts the format of RADIUS messages.
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-5
Code
Identifier
Authenticator
Attributes
Length
Code
Identifier
Authenticator
Attributes
Length
t
Figure 1-3 RADIUS message forma
1) The Code field (one byte) decides the type of RADIUS message, as shown in
Table 1-1.
Table 1-1 Description on the major values of the Code field
Code Message type Message description
1 Access-Request
Direction: client->server.
The client transmits this message to the server to
determine if the user can access the network.
This message carries user information. It must contain
the User-Name attribute and may contain the following
attributes: NAS-IP-Address, User-Password and
NAS-Port.
2 Access-Accept
Direction: server->client.
The server transmits this message to the client if all the
attribute values carried in the Access-Request
message are acceptable (that is, the user passes the
authentication).
3 Access-Reject
Direction: server->client.
The server transmits this message to the client if any
attribute value carried in the Access-Request message
is unacceptable (that is, the user fails the
authentication).
4
Accounting-Req
uest
Direction: client->server.
The client transmits this message to the server to
request the server to start or end the accounting
(whether to start or to end the accounting is determined
by the Acct-Status-Type attribute in the message).
This message carries almost the same attributes as
those carried in the Access-Request message.
5
Accounting-Res
ponse
Direction: server->client.
The server transmits this message to the client to notify
the client that it has received the Accounting-Request
message and has correctly recorded the accounting
information.
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-6
2) The Identifier field (one byte) is used to match requests and responses. It changes
whenever the content of the Attributes field change, and whenever a valid
response has been received for a previous request, but remains unchanged for
message retransmission.
3) The Length field (two bytes) specifies the total length of the message (including
the Code, Identifier, Length, Authenticator and Attributes fields). The bytes beyond
the length are regarded as padding and are ignored upon reception. If a received
message is shorter than what the Length field indicates, it is discarded.
4) The Authenticator field (16 bytes) is used to authenticate the response from the
RADIUS server; and is used in the password hiding algorithm. There are two kinds
of authenticators: Request Authenticator and Response Authenticator.
5) The Attributes field contains specific authentication/authorization/accounting
information to provide the configuration details of a request or response message.
This field contains a list of field triplet (Type, Length and Value):
z The Type field (one byte) specifies the type of an attribute. Its value ranges from 1
to 255.
Table 1-2 lists the attributes that are commonly used in RADIUS
authentication/authorization.
z The Length field (one byte) specifies the total length of the attribute in bytes
(including the Type, Length and Value fields).
z The Value field (up to 253 bytes) contains the information of the attribute. Its format
is determined by the Type and Length fields.
Table 1-2 RADIUS attributes
Type field
value
Attribute type
Type field
value
Attribute type
1 User-Name 23 Framed-IPX-Network
2 User-Password 24 State
3 CHAP-Password 25 Class
4 NAS-IP-Address 26 Vendor-Specific
5 NAS-Port 27 Session-Timeout
6 Service-Type 28 Idle-Timeout
7 Framed-Protocol 29 Termination-Action
8 Framed-IP-Address 30 Called-Station-Id
9 Framed-IP-Netmask 31 Calling-Station-Id
10 Framed-Routing 32 NAS-Identifier
11 Filter-ID 33 Proxy-State
12 Framed-MTU 34 Login-LAT-Service
13 Framed-Compression 35 Login-LAT-Node
14 Login-IP-Host 36 Login-LAT-Group
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-7
Type field Type field
Attribute type Attribute type
value value
15 Login-Service 37 Framed-AppleTalk-Link
16 Login-TCP-Port 38 Framed-AppleTalk-Network
17 (unassigned) 39 Framed-AppleTalk-Zone
18 Reply-Message 40-59 (reserved for accounting)
19 Callback-Number 60 CHAP-Challenge
20 Callback-ID 61 NAS-Port-Type
21 (unassigned) 62 Port-Limit
22 Framed-Route 63 Login-LAT-Port
The RADIUS protocol has good scalability. Attribute 26 (Vender-Specific) defined in this
protocol allows a device vendor to extend RADIUS to implement functions that are not
defined in standard RADIUS.
Figure 1-4 depicts the format of attribute 26. The Vendor-ID field used to identify a
vendor occupies four bytes, where the first byte is 0, and the other three bytes are
defined in RFC 1700. Here, the vendor can encapsulate multiple customized
sub-attributes (containing vendor-specific Type, Length and Value) to implement a
RADIUS extension.
VeType ndor-IDLength
Vendor-ID
Type
(specified
Length
(specified)
)
Specified attribute value……
VeType ndor-IDLength
Vendor-ID Vendor-Type
Vendor-Length
Vendor-Value …
VeType ndor-IDLength
Vendor-ID
Type
(specified
Length
(specified)
)
Specified attribute value……
VeType ndor-IDLength
Vendor-ID Vendor-Type
Vendor-Length
Vendor-Value …
Figure 1-4 Vendor-specific attribute format
1.1.4 Introduction to HWTACACS
I. What is HWTACACS
HWTACACS (Huawei terminal access controller access control system) is an
enhanced security protocol based on TACACS (RFC 1492). Similar to the RADIUS
protocol, it implements AAA for different types of users (such as PPP, VPDN, and
terminal users) through communicating with TACACS server in client-server mode.
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-8
Compared with RADIUS, HWTACACS provides more reliable transmission and
encryption, and therefore is more suitable for security control.
Table 1-3 lists the
primary differences between HWTACACS and RADIUS.
Table 1-3 Differences between HWTACACS and RADIUS
HWTACACS RADIUS
Adopts TCP, providing more reliable network
transmission.
Adopts UDP.
Encrypts the entire message except the
HWTACACS header.
Encrypts only the password field in
authentication message.
Separates authentication from authorization.
For example, you can use one TACACS
server for authentication and another
TACACS server for authorization.
Combines authentication and
authorization.
Is more suitable for security control. Is more suitable for accounting.
Supports configuration command
authorization.
Does not support.
In a typical HWTACACS application (as shown in
Figure 1-5), a dial-up or terminal user
needs to log into the switch to perform some operations. As a HWTACACS client, the
switch sends the username and password to the TACACS server for authentication.
After passing authentication and being authorized, the user successfully logs into the
switch to perform operations.
TACACS server
129.7.66.66
ISDN /PSTN
Dial -up user
HWTACACS client
Terminal user
TACACS server
129.7.66.67
TACACS server
IS DN/ PSTN
Dial -up user
HWTACACS client
Terminal user
TACACS server
129..66.67
TACACS server
ISDN /PSTN
Dial -up user
HWTACACS client
Terminal user
TACACS server
129.7.66.67
TACACS server
IS DN/ PSTN
Dial -up user
HWTACACS client
Terminal user
TACACS server
TACACS server
129.7.66.66
ISDN /PSTN
Dial -up user
HWTACACS client
Terminal user
TACACS server
129.7.66.67
TACACS server
IS DN/ PSTN
Dial -up user
HWTACACS client
Terminal user
TACACS server
129..66.67
TACACS server
ISDN /PSTN
Dial -up user
HWTACACS client
Terminal user
TACACS server
TACACS server
129.7.66.67
TACACS server
IS DN/ PSTN
Dial -up user
HWTACACS client
Terminal user
Figure 1-5 Network diagram for a typical HWTACACS application
II. Basic message exchange procedure in HWTACACS
The following text takes telnet user as an example to describe how HWTACACS
implements authentication, authorization, and accounting for a user.
Figure 1-6
illustrates the basic message exchange procedure:
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-9
User
HWTACACS
Clie n t
HWTACACS
Server
Requests to log in
Authentication start request
Authentication respon
requesting username
se,
Requests username
Enters username
Authentication continuanc
carrying username
e message,
Authentication respon
requesting password
se,
Requests password
Enters password
Authentication continuanc
carrying password
e message,
Authentication success response
Authorization request
Authorization success response
Allows user to log in
Accounting start request
Accounting start response
Exits the switch
Accounting stop request
Accounting stop response
User
HWTA CACS
Client
HWTA CACS
Server
User
HWTACACS
Clie n t
HWTACACS
Server
Requests to log in
Authentication start request
Authentication respon
requesting username
se,
Requests username
Enters username
Authentication continuanc
carrying username
e message,
Authentication respon
requesting password
se,
Requests password
Enters password
Authentication continuanc
carrying password
e message,
Authentication success response
Authorization request
Authorization success response
Allows user to log in
Accounting start request
Accounting start response
Exits the switch
Accounting stop request
Accounting stop response
User
HWTA CACS
Client
HWTA CACS
Server
Figure 1-6 AAA implementation procedure for a telnet user
The basic message exchange procedure is as follows:
1) A user sends a login request to the switch acting as a TACACS client, which then
sends an authentication start request to the TACACS.
2) The TACACS server returns an authentication response, asking for the username.
Upon receiving the response, the TACACS client requests the user for the
username.
3) After receiving the username from the user, the TACACS client sends an
authentication continuance message carrying the username.
4) The TACACS server returns an authentication response, asking for the password.
Upon receiving the response, the TACACS client requests the user for the login
password.
5) After receiving the password, the TACACS client sends an authentication
continuance message carrying the password to the TACACS server.
6) The TACACS server returns an authentication response, indicating that the user
has passed the authentication.
7) The TACACS client sends a user authorization request to the TACACS server.
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-10
8) The TACACS server returns an authorization response, indicating that the user
has passed the authorization.
9) After receiving the response indicating an authorization success, the TACACS
client pushes the configuration interface of the switch to the user.
10) The TACACS client sends an accounting start request to the TACACS server.
11) The TACACS server returns an accounting response, indicating that it has
received the accounting start request.
12) The user logs out; the TACACS client sends an accounting stop request to the
TACACS server.
13) The TACACS server returns an accounting response, indicating that it has
received the accounting stop request.
1.2 Configuration Task
Table 1-4 Configuration tasks
Configuration task Description Related section
Creating an
ISP domain
Required
Section
1.3.2
Creating an ISP
Domain
Configuring the
attributes of an
ISP domain
Optional
Section
1.3.3
Configuring the
Attributes of an ISP
Domain
Configuring an
AAA scheme
for an ISP
domain
Required
If local authentication is
adopted, refer to section
1.3.6 Configuring the
Attributes of a Local
User
”.
If RADIUS authentication
is adopted, refer to
section
1.4 RADIUS
Configuration
”.
Section
1.3.4
Configuring an AAA
Scheme for an ISP
Domain
Configuring
dynamic VLAN
assignment
Optional
Section 1.3.5
Configuring Dynamic
VLAN Assignment
Configuring the
attributes of a
local user
Optional
Section
1.3.6
Configuring the
Attributes of a Local
User
AAA
configuration
Cutting down
user
connections
forcibly
Optional
Section
1.3.7
Cutting Down User
Connections Forcibly
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-11
Configuration task Description Related section
Creating a
RADIUS
scheme
Required
Section 1.4.1
Creating a RADIUS
Scheme
Configuring
RADIUS
authentication/
authorization
servers
Required
Section
1.4.2
Configuring RADIUS
Authentication/Author
ization Servers
Configuring
RADIUS
accounting
servers
Required
Section
1.4.3
Configuring RADIUS
Accounting Servers
Configuring
shared keys for
RADIUS
messages
Optional
Section 1.4.4
Configuring Shared
Keys for RADIUS
Messages
Configuring the
maximum
number of
transmission
attempts of a
RADIUS
request
Optional
Section
1.4.5
Configuring
Maximum Number of
Transmission
Attempts of RADIUS
Request
Configuring to
support a type
of RADIUS
server
Optional
Section 1.4.6
Configuring to
Support a Type of
RADIUS Server
Configuring the
status of
RADIUS
servers
Optional
Section
1.4.7
Configuring the
Status of RADIUS
Servers
Configuring the
attributes for
data to be sent
to RADIUS
servers
Optional
Section 1.4.8
Configuring the
Attributes for Data to
be Sent to RADIUS
Servers
Configuring
local RADIUS
authentication
server
Optional
Section
1.4.9
Configuring Local
RADIUS
Authentication
Server
RADIUS
configuration
Configuring the
timers of
RADIUS
servers
Optional
Section
1.4.10
Configuring the
Timers of RADIUS
Servers
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-12
Configuration task Description Related section
Enabling the
sending of trap
message when
a RADIUS
server is down
Optional
Section
1.4.11
Enabling the
Sending of Trap
Message When a
RADIUS Server is
Down
Enabling the
user
re-authenticati
on at restart
function
Optional
Section
1.4.12
Enabling the User
Re-Authentication at
Restart Function
Creating a
HWTACAS
scheme
Required
Section 1.5.1
Creating a
HWTACAS Scheme
Configuring
HWTACACS
authentication
servers
Required
Section
1.5.2
Configuring
HWTACACS
Authentication
Servers
Configuring
HWTACACS
authorization
servers
Required
Section
1.5.3
Configuring
HWTACACS
Authorization
Servers
Configuring
HWTACACS
accounting
servers
Optional
Section
1.5.4
Configuring
HWTACACS
Accounting Servers
Configuring
shared keys for
HWTACACS
messages
Optional
Section
1.5.5
Configuring Shared
Keys for HWTACACS
Messages
Configuring the
attributes for
data to be sent
to TACACS
servers
Optional
Section 1.5.6
Configuring the
Attributes for Data to
be Sent to TACACS
Servers
HWTACACS
configuration
Configuring the
timers of
TACACS
servers
Optional
Section
1.5.7
Configuring the
Timers of TACACS
Servers
1.3 AAA Configuration
The purpose of AAA configuration is to provide network access services to legal users
and at the same time protect your network device against unauthorized access. If you
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-13
need to use ISP domains to implement AAA management on access users, you should
first configure ISP domains.
1.3.1 Configuration Prerequisites
If you want to adopt remote AAA method, you must first create a RADIUS or
HWTACACS scheme.
z RADIUS scheme (radius-scheme): You can reference a configured RADIUS
scheme to provide AAA services. For the configuration of RADIUS scheme, refer
to section
1.4 "RADIUS Configuration".
z HWTACACS scheme (hwtacacs-scheme): You can reference a configured
HWTACACS scheme to implement AAA services. For the configuration of
HWTACACS scheme, refer to section
1.5 "HWTACACS Configuration".
1.3.2 Creating an ISP Domain
Table 1-5 Create an ISP domain
Operation Command Description
Enter system view
system-view
Create an ISP domain
and enter its view, enter
the view of an existing ISP
domain, or set an ISP
domain as the default ISP
domain
domain { isp-name |
default { disable | enable
isp-name } }
Required
If no ISP domain is set as
the default ISP domain,
the ISP domain "system"
is used as the default ISP
domain.
1.3.3 Configuring the Attributes of an ISP Domain
Table 1-6 Configure the attributes of an ISP domain
Operation Command Description
Enter system view
system-view
Create an ISP domain
and enter its view, or enter
the view of an existing ISP
domain
domain isp-name
Required
Set the status of the ISP
domain
state { active | block }
Optional
By default, an ISP domain
is in the active state, that
is, all the users in the
domain are allowed to
request network service.
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-14
Operation Command Description
Set the maximum number
of access users that can
be contained in the ISP
domain
access-limit { disable |
enable
max-user-number }
Optional
By default, there is no limit
on the number of access
users that can be
contained in an ISP
domain.
Set the user idle-cut
function
idle-cut { disable |
enable minute flow }
Optional
By default, the user
idle-cut function is
disabled.
Set the
accounting-optional
switch
accounting optional
Optional
By default, the
accounting-optional
switch is closed.
Set the messenger
function
messenger time
{ enable limit interval |
disable }
Optional
By default, the messenger
function is disabled.
Set the self-service server
location function
self-service-url { disable
| enable url-string }
Optional
By default, the
self-service server
location function is
disabled.
Caution:
z On an S3100-52P Ethernet Switch, each access user belongs to an ISP domain.
You can configure up to 16 ISP domains on the switch. When a user logs in, if no
ISP domain name is carried in the user name, the switch assumes that the user
belongs to the default ISP domain.
z If the system does not find any available accounting server or fails to communicate
with any accounting server when it performs accounting for a user, it will not
disconnect the user as long as the accounting optional command has been
executed, though it cannot perform accounting for the user in this case.
z The self-service server location function needs the cooperation of a
self-service-supported RADIUS server (such as CAMS, that is, comprehensive
access management server). Through self-service, users can manage and control
their account or card numbers by themselves. A server installed with the self-service
software is called a self-service server.
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-15
Note:
H3C's CAMS Server is a service management system used to manage networks and
secure networks and user information. With the cooperation of other networking
devices (such as switches) in a network, a CAMS server can implement the AAA
functions and right management.
1.3.4 Configuring an AAA Scheme for an ISP Domain
You can configure an AAA scheme in one of the following two ways:
I. Configuring a combined AAA scheme
You can use the scheme command to specify an AAA scheme for an ISP domain. If
you specify a RADIUS or HWTACACS scheme, the authentication, authorization and
accounting will be uniformly implemented by the RADIUS or TACACS server(s)
specified in the RADIUS or HWTACACS scheme. In this way, you cannot specify
different schemes for authentication, authorization and accounting respectively.
Table 1-7 Configure a combined AAA scheme
Operation Command Description
Enter system view
system-view
Create an ISP domain
and enter its view, or enter
the view of an existing ISP
domain
domain isp-name
Required
Configure an AAA
scheme for the ISP
domain
scheme { local | none |
radius-scheme
radius-scheme-name
[ local ] |
hwtacacs-scheme
hwtacacs-scheme-name
[ local ] }
Required
By default, an ISP domain
uses the local AAA
scheme.
Configure an RADIUS
scheme for the ISP
domain
radius-scheme
radius-scheme-name
Optional
This command has the
same function as the
scheme radius-scheme
command.
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-16
Caution:
z You can execute the scheme radius-scheme radius-scheme-name command to
adopt an already configured RADIUS scheme to implement all the three AAA
functions. If you adopt the local scheme, only the authentication and authorization
functions are implemented, the accounting function cannot be implemented.
z If you execute the scheme radius-scheme radius-scheme-name local command,
the local scheme is used as the secondary scheme in case no RADIUS server is
available. That is, if the communication between the switch and a RADIUS server is
normal, no local authentication is performed; otherwise, local authentication is
performed.
z If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local
command, the local scheme is used as the secondary scheme in case no TACACS
server is available. That is, if the communication between the switch and a TACACS
server is normal, no local authentication is performed; otherwise, local
authentication is performed.
z If you execute the scheme local or scheme none command to adopt local or none
as the primary scheme, the local authentication is performed or no authentication is
performed. In this case you cannot specify any RADIUS scheme at the same time.
II. Configuring separate AAA schemes
You can use the authentication, authorization, and accounting commands to
specify a scheme for each of the three AAA functions (authentication, authorization and
accounting) respectively. The following gives the implementations of this separate way
for the services supported by AAA.
z For terminal users
Authentication: RADIUS, local, HWTACACS or none.
Authorization: none or HWTACACS.
Accounting: RADIUS, HWTACACS or none.
You can use an arbitrary combination of the above implementations for your AAA
scheme configuration.
z For FTP users
Only authentication is supported for FTP users.
Authentication: RADIUS, local, or RADIUS-local.
Perform the following configuration in ISP domain view.
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-17
Table 1-8 Configure separate AAA schemes
Operation Command Description
Enter system view
system-view
Create an ISP domain
and enter its view, or enter
the view of an existing ISP
domain
domain isp-name
Required
Configure an
authentication scheme for
the ISP domain
authentication
{ radius-scheme
radius-scheme-name
[ local ] |
hwtacacs-scheme
hwtacacs-scheme-name
[ local ] | local | none }
Optional
By default, no separate
authentication scheme is
configured.
Configure an
authorization scheme for
the ISP domain
authorization { none |
hwtacacs-scheme
hwtacacs-scheme-name }
Optional
By default, no separate
authorization scheme is
configured.
Configure an accounting
scheme for the ISP
domain
accounting { none |
radius-scheme
radius-scheme-name |
hwtacacs-scheme
hwtacacs-scheme-name }
Optional
By default, no separate
accounting scheme is
configured.
Note:
z If a combined AAA scheme is configured as well as the separate authentication,
authorization and accounting schemes, the separate ones will be adopted in
precedence.
z RADIUS scheme and local scheme do not support the separation of authentication
and authorization. Therefore, pay attention when you make authentication and
authorization configuration for a domain: When the scheme radius-scheme or
scheme local command is executed and the authentication command is not
executed, the authorization information returned from the RADIUS or local scheme
still takes effect even if the authorization none command is executed.
1.3.5 Configuring Dynamic VLAN Assignment
The dynamic VLAN assignment feature enables a switch to dynamically add the switch
ports of successfully authenticated users to different VLANs according to the attributes
assigned by the RADIUS server, so as to control the network resources that different
users can access.
Operation Manual – AAA – RADIUS – HWTACACS
H3C S3100-52P Ethernet Switch
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
1-18
Currently, the switch supports the following two types of assigned VLAN IDs: integer
and string.
z Integer: If the RADIUS authentication server assigns integer type of VLAN IDs,
you can set the VLAN assignment mode to integer on the switch (this is also the
default mode on the switch). Then, upon receiving an integer ID assigned by the
RADIUS authentication server, the switch adds the port to the VLAN whose VLAN
ID is equal to the assigned integer ID. If no such a VLAN exists, the switch first
creates a VLAN with the assigned ID, and then adds the port to the newly created
VLAN.
z String: If the RADIUS authentication server assigns string type of VLAN IDs, you
can set the VLAN assignment mode to string on the switch. Then, upon receiving a
string ID assigned by the RADIUS authentication server, the switch compares the
ID with existing VLAN names on the switch. If it finds a match, it adds the port to
the corresponding VLAN. Otherwise, the VLAN assignment fails and the user fails
the authentication.
In actual applications, to use this feature together with Guest VLAN, you should better
set port control to port-based mode.
Table 1-9 Configure dynamic VLAN assignment
Operation Command Description
Enter system view
system-view
Create an ISP domain
and enter its view
domain isp-name
Set the VLAN assignment
mode
vlan-assignment-mode
{ integer | string }
Optional
By default, the VLAN
assignment mode is
integer.
Create a VLAN and enter
its view
vlan vlan-id
Set a VLAN name for
VLAN assignment
name string
This operation is required
if the VLAN assignment
mode is set to string.
/