Uploaded by Matthew Ndeto

HCIA-Datacom MksU

AAA Configuration Examples


This section provides several AAA configuration examples, including networking requirements,
configuration notes, and configuration roadmap.

1.7.1 Example for Configuring RADIUS Authentication and Accounting

Networking Requirements
As shown in Figure 1-3, users access the network through Switch A and belong to the
domain huawei. Switch B functions as the network access server of the destination network.
Request packets from users need to traverse the network where Switch A and Switch B are
located to reach the authentication server. Users can access the destination network
through Switch B only after being authenticated. The remote authentication on Switch B is
described as follows:
• The RADIUS server will authenticate access users for SwitchB. If RADIUS
authentication fails, local authentication is used.
• The RADIUS server at 10.7.66.66/24 functions as the primary authentication
and accounting server. The RADIUS server at 10.7.66.67/24 functions as the
secondary authentication and accounting server. The default authentication port
and accounting port are 1812 and 1813.
Figure 1-3 Networking diagram of RADIUS authentication and accounting

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting
scheme to the domain.

NOTE:
Perform the following configurations only on Switch B.

Procedure
1. Configure a RADIUS server template.
# Configure a RADIUS template shiva.
<HUAWEI> system-view
[HUAWEI] radius-server template shiva

# Configure the IP address and port numbers of the primary RADIUS
authentication and accounting server.
[HUAWEI-radius-shiva] radius-server authentication 10.7.66.66 1812 weight 80
[HUAWEI-radius-shiva] radius-server accounting 10.7.66.66 1813 weight 80

# Configure the IP address and port numbers of the secondary RADIUS
authentication and accounting server.
[HUAWEI-radius-shiva] radius-server authentication 10.7.66.67 1812 weight 40
[HUAWEI-radius-shiva] radius-server accounting 10.7.66.67 1813 weight 40

# Set the key and retransmission count for the RADIUS server, and configure
the device not to encapsulate the domain name in the user name when sending
RADIUS packets to a RADIUS server.
[HUAWEI-radius-shiva] radius-server shared-key cipher hello
[HUAWEI-radius-shiva] radius-server retransmit 2
[HUAWEI-radius-shiva] undo radius-server user-name domain-included
[HUAWEI-radius-shiva] quit

2. Configure authentication and accounting schemes.
# Create an authentication scheme auth. In the authentication scheme, the
system performs RADIUS authentication first, and performs local
authentication if RADIUS authentication fails.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth
[HUAWEI-aaa-authen-auth] authentication-mode radius local
[HUAWEI-aaa-authen-auth] quit

# Configure the accounting scheme abc that uses RADIUS accounting and the
policy that the device is kept online when accounting fails.
[HUAWEI-aaa] accounting-scheme abc
[HUAWEI-aaa-accounting-abc] accounting-mode radius
[HUAWEI-aaa-accounting-abc] accounting start-fail online
[HUAWEI-aaa-accounting-abc] quit

3. Configure a domain huawei and apply authentication scheme auth, accounting
scheme abc, and RADIUS server template shiva to the domain.
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] authentication-scheme auth
[HUAWEI-aaa-domain-huawei] accounting-scheme abc
[HUAWEI-aaa-domain-huawei] radius-server shiva
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] quit

NOTE:
After the domain huawei is configured, if a user enters the user name in the format of
user@huawei, the device authenticates the user in the domain huawei. If the user name does
not contain the domain name or the domain name in the user name does not exist, the device
authenticates the user in the default domain.
The domain that a user belongs to depends on the RADIUS client but not the RADIUS server.
After the undo radius-server user-name domain-included command is executed
on SwitchB, SwitchB sends the user name without the domain name to the RADIUS server
when receiving the user name in the format of user@huawei. However, SwitchB places the
user in the domain huawei for authentication.

4. Configure AAA local authentication.
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 password cipher Huawei@123
[HUAWEI-aaa] local-user user1 service-type http
[HUAWEI-aaa] local-user user1 privilege level 15
[HUAWEI-aaa] quit

5. Verify the configuration.
Run the display radius-server configuration template template-name
command on Switch B, and you can see that the configuration of the
RADIUS server template meets the requirements.
<HUAWEI> display radius-server configuration template shiva
------------------------------------------------------------------------------
  Server-template-name          :  shiva
  Protocol-version              :  standard
  Traffic-unit                  :  B
  Shared-secret-key             :  %$%$1"y;E[c;<.(_RS/w*!`IOxof%$%$
  Timeout-interval(in second)   :  5
  Retransmission                :  2
  EndPacketSendTime             :  0
  Dead time(in minute)          :  5
  Domain-included               :  NO
  NAS-IP-Address                :  0.0.0.0
  Calling-station-id MAC-format :  xxxx-xxxx-xxxx
  Server algorithm              :  master-backup
  Authentication Server 1       :  10.7.66.66      Port:1812  Weight:80
                                   Vrf:- LoopBack:NULL
                                   Source IP: ::
  Authentication Server 2       :  10.7.66.67      Port:1812  Weight:40
                                   Vrf:- LoopBack:NULL
                                   Source IP: ::
  Accounting Server 1           :  10.7.66.66      Port:1813  Weight:80
                                   Vrf:- LoopBack:NULL
                                   Source IP: ::
  Accounting Server 2           :  10.7.66.67      Port:1813  Weight:40
                                   Vrf:- LoopBack:NULL
                                   Source IP: ::
------------------------------------------------------------------------------

Configuration Files
Configuration files on Switch B
#
radius-server template shiva
 radius-server shared-key cipher %$%$1"y;E[c;<.(_RS/w*!`IOxof%$%$
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server authentication 10.7.66.67 1812 weight 40
 radius-server accounting 10.7.66.66 1813 weight 80
 radius-server accounting 10.7.66.67 1813 weight 40
 radius-server retransmit 2
 undo radius-server user-name domain-included
#
aaa
 authentication-scheme auth
  authentication-mode radius local
 accounting-scheme abc
  accounting-mode radius
  accounting start-fail online
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius-server shiva
 local-user user1 password cipher %$%$1"y;E[c;<.(_RS/w*!`IOxof%$%$
 local-user user1 privilege level 15
 local-user user1 service-type http
#
return

1.7.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

Networking Requirements
As shown in Figure 1-4, the customer requirements are as follows:
• The HWTACACS server will authenticate access users for SwitchB. If
HWTACACS authentication fails, local authentication is used.
• The HWTACACS server will authorize access users for SwitchB. If
HWTACACS authorization fails, local authorization is used.
• HWTACACS accounting is used by SwitchB for access users.
• Real-time accounting is performed every 3 minutes.
• The IP addresses of primary and secondary HWTACACS servers are
10.7.66.66/24 and 10.7.66.67/24. The port number for authentication,
accounting, and authorization is 49.

Figure 1-4 Networking diagram of HWTACACS authentication, accounting, and authorization

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication scheme, authorization
scheme, and accounting scheme to the domain.

NOTE:
Perform the following configurations only on SwitchB.

Procedure
1. Enable HWTACACS.
<HUAWEI> system-view
[HUAWEI] hwtacacs enable

NOTE:
The HWTACACS function is enabled by default. If the HWTACACS configuration has not
been modified, you do not need to run this command.

2. Configure an HWTACACS server template.
# Configure the HWTACACS server template ht.
[HUAWEI] hwtacacs-server template ht

# Configure the IP addresses and port numbers of the primary HWTACACS
authentication, authorization, and accounting servers.
[HUAWEI-hwtacacs-ht] hwtacacs-server authentication 10.7.66.66 49
[HUAWEI-hwtacacs-ht] hwtacacs-server authorization 10.7.66.66 49
[HUAWEI-hwtacacs-ht] hwtacacs-server accounting 10.7.66.66 49

# Configure the IP addresses and port numbers of the secondary HWTACACS
authentication, authorization, and accounting servers.
[HUAWEI-hwtacacs-ht] hwtacacs-server authentication 10.7.66.67 49 secondary
[HUAWEI-hwtacacs-ht] hwtacacs-server authorization 10.7.66.67 49 secondary
[HUAWEI-hwtacacs-ht] hwtacacs-server accounting 10.7.66.67 49 secondary

# Configure the shared key of the HWTACACS server.
[HUAWEI-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[HUAWEI-hwtacacs-ht] quit

3. Configure the authentication scheme, authorization scheme, and accounting
scheme.
# Create an authentication scheme l-h. In the authentication scheme, the system
performs HWTACACS authentication first, and performs local authentication
if HWTACACS authentication fails.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme l-h
[HUAWEI-aaa-authen-l-h] authentication-mode hwtacacs local
[HUAWEI-aaa-authen-l-h] quit

# Create an authorization scheme hwtacacs. In the authorization scheme, the
system performs HWTACACS authorization first, and performs local
authorization if HWTACACS authorization fails.
[HUAWEI-aaa] authorization-scheme hwtacacs
[HUAWEI-aaa-author-hwtacacs] authorization-mode hwtacacs local
[HUAWEI-aaa-author-hwtacacs] quit

# Create an accounting scheme hwtacacs and set HWTACACS accounting.
[HUAWEI-aaa] accounting-scheme hwtacacs
[HUAWEI-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[HUAWEI-aaa-accounting-hwtacacs] accounting start-fail online

# Set the interval of real-time accounting to 3 minutes.
[HUAWEI-aaa-accounting-hwtacacs] accounting realtime 3
[HUAWEI-aaa-accounting-hwtacacs] quit

4. Configure a domain huawei, and apply the authentication scheme l-h,
authorization scheme hwtacacs, accounting scheme hwtacacs, and the
HWTACACS server template ht to the domain.
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] authentication-scheme l-h
[HUAWEI-aaa-domain-huawei] authorization-scheme hwtacacs
[HUAWEI-aaa-domain-huawei] accounting-scheme hwtacacs
[HUAWEI-aaa-domain-huawei] hwtacacs-server ht
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] quit

5. Configure AAA local authentication.
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 password cipher Huawei@123
[HUAWEI-aaa] local-user user1 service-type http
[HUAWEI-aaa] local-user user1 privilege level 15
[HUAWEI-aaa] quit

6. Configure the global default domain for administrators.
[HUAWEI] domain huawei admin

7. Verify the configuration.
Run the display hwtacacs-server template command on SwitchB, and you
can see that the configuration of the HWTACACS server template meets the
requirements.
<HUAWEI> display hwtacacs-server template ht
---------------------------------------------------------------------------
  HWTACACS-server template name   : ht
  Primary-authentication-server   : 10.7.66.66:49:-
  Primary-authorization-server    : 10.7.66.66:49:-
  Primary-accounting-server       : 10.7.66.66:49:-
  Secondary-authentication-server : 10.7.66.67:49:-
  Secondary-authorization-server  : 10.7.66.67:49:-
  Secondary-accounting-server     : 10.7.66.67:49:-
  Current-authentication-server   : 10.7.66.66:49:-
  Current-authorization-server    : 10.7.66.66:49:-
  Current-accounting-server       : 10.7.66.66:49:-
  Source-IP-address               : 0.0.0.0
  Shared-key                      : ****************
  Quiet-interval(min)             : 5
  Response-timeout-Interval(sec)  : 5
  Domain-included                 : Yes
  Traffic-unit                    : B
---------------------------------------------------------------------------

Run the display domain command on SwitchB, and you can see that the
configuration of the domain meets the requirements.
<HUAWEI> display domain name huawei
  Domain-name                     : huawei
  Domain-state                    : Active
  Authentication-scheme-name      : l-h
  Accounting-scheme-name          : hwtacacs
  Authorization-scheme-name       : hwtacacs
  Service-scheme-name             : -
  RADIUS-server-template          : -
  HWTACACS-server-template        : ht
  User-group                      : -
  Push-url-address                : -

Configuration Files
Configuration files on Switch B
#
domain huawei admin
#
hwtacacs-server template ht
 hwtacacs-server authentication 10.7.66.66
 hwtacacs-server authentication 10.7.66.67 secondary
 hwtacacs-server authorization 10.7.66.66
 hwtacacs-server authorization 10.7.66.67 secondary
 hwtacacs-server accounting 10.7.66.66
 hwtacacs-server accounting 10.7.66.67 secondary
 hwtacacs-server shared-key cipher %$%$|)&LT+J>dN>=IqD<gO/Fj$xo%$%$
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
  accounting start-fail online
 domain default
 domain default_admin
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  accounting-scheme hwtacacs
  hwtacacs-server ht
 local-user user1 password irreversible-cipher %$%$@'}9B*+FN![}%57+_t|EU"bk%@%@
 local-user user1 privilege level 15
 local-user user1 service-type http
#
return
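
The following Python sketch is an added example, not part of the original document or of any Huawei tooling. It reads the aaa view of a configuration file like the one above and reports, for each domain, the order in which authentication, authorization, and accounting methods are tried, so that the local fallback and the start-fail online policy described in this section are visible in a configuration review. The sample text is constructed, and the parser assumes the one-space-per-level indentation that VRP prints.

```python
# Constructed sample modelled on the Switch B file above (key material omitted).
SAMPLE = """\
#
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
  accounting start-fail online
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  accounting-scheme hwtacacs
  hwtacacs-server ht
 local-user user1 privilege level 15
 local-user user1 service-type http
#
return
"""

KINDS = ("authentication", "authorization", "accounting")


def parse_aaa(text):
    """Collect schemes, domains and local users from the aaa view."""
    schemes = {kind: {} for kind in KINDS}
    domains, users, in_aaa, ctx = {}, {}, False, None
    for raw in text.splitlines():
        words = raw.split()
        depth = len(raw) - len(raw.lstrip(" "))
        if not words or depth == 0:
            in_aaa, ctx = words == ["aaa"], None   # any top-level line ends the view
        elif in_aaa and depth == 1:
            head, ctx = words[0], None
            if head.endswith("-scheme") and head[:-7] in KINDS:
                ctx = schemes[head[:-7]].setdefault(words[1], {"mode": [], "opts": []})
            elif head == "domain":
                ctx = domains.setdefault(words[1], {})
            elif head == "local-user":
                users.setdefault(words[1], {})[words[2]] = words[3:]
        elif ctx is not None:
            if words[0].endswith("-mode"):
                ctx["mode"] = words[1:]              # ordered: first method is tried first
            elif "mode" in ctx:
                ctx["opts"].append(" ".join(words))  # scheme options such as start-fail
            else:
                ctx[words[0]] = words[1]             # domain binding: scheme or template
    return schemes, domains, users


def audit(text):
    """Resolve each domain to its effective method order and note fallbacks."""
    schemes, domains, users = parse_aaa(text)
    report = {}
    for name, dom in domains.items():
        entry, notes = {}, []
        for kind in KINDS:
            # A kind the domain does not bind is reported as an empty list.
            scheme = schemes[kind].get(dom.get(kind + "-scheme"), {"mode": [], "opts": []})
            entry[kind] = scheme["mode"]
            if "local" in scheme["mode"][1:]:
                notes.append(f"{kind}: local is used if {scheme['mode'][0]} fails")
            if "accounting start-fail online" in scheme["opts"]:
                notes.append("accounting: user stays online if accounting start fails")
        report[name] = dict(entry, notes=notes)
    # Level-15 local accounts are what the local fallback path authenticates against.
    admins = sorted(u for u, a in users.items() if a.get("privilege") == ["level", "15"])
    return report, admins


if __name__ == "__main__":
    print(audit(SAMPLE))
```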

1.7.3 Example for Configuring Domain-based User Management

Networking Requirements
As shown in Figure 1-5, enterprise users access the network through SwitchA and SwitchB. The
user names do not contain any domain name.
The enterprise requires that common users should access the network and obtain rights after
passing RADIUS authentication and the administrator user should log in to the device for
management after passing local authentication on SwitchB.
Figure 1-5 Configuring domain-based user management

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and a VLANIF interface so that SwitchB can communicate
with the RADIUS server.
2. Configure authentication and accounting schemes for common users and apply
the schemes to the default domain to authenticate common users such as users
using 802.1x or Portal authentication. The user names of the users do not carry
domain names.
3. Configure authentication and authorization schemes for the administrator user
and apply the schemes to the default_admin domain to authenticate the
administrator user such as the user logging in through Telnet, SSH, or FTP.
The user name of the administrator user does not carry the domain name.

NOTE:
Ensure that the RADIUS server address, port number, and shared key in the RADIUS server template are the same
as the settings on the RADIUS server.
Ensure that users have been configured on the RADIUS server. In this example, a user with the user name test1 and
password 123456 has been configured on the RADIUS server.
This example provides only the configuration of SwitchB. The configurations of SwitchA and the RADIUS server
are not mentioned here.

Procedure
1. Create a VLAN and configure an interface.
# Create VLAN 11 on SwitchB.
<HUAWEI> system-view
[HUAWEI] vlan batch 11

# Configure GE0/0/2 connecting SwitchB and the RADIUS server and
add GE0/0/2 to VLAN 11.
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port link-type access
[HUAWEI-GigabitEthernet0/0/2] port default vlan 11
[HUAWEI-GigabitEthernet0/0/2] quit

# Create VLANIF 11 and configure IP address 192.168.2.29/24 for it.
[HUAWEI] interface vlanif11
[HUAWEI-Vlanif11] ip address 192.168.2.29 24
[HUAWEI-Vlanif11] quit

2. Configure RADIUS AAA for common users using 802.1x authentication.
# Create and configure a RADIUS server template rd1.
[HUAWEI] radius-server template rd1
[HUAWEI-radius-rd1] radius-server authentication 192.168.2.30 1812
[HUAWEI-radius-rd1] radius-server accounting 192.168.2.30 1813
[HUAWEI-radius-rd1] radius-server shared-key cipher hello
[HUAWEI-radius-rd1] radius-server retransmit 2
[HUAWEI-radius-rd1] quit

# Create authentication and accounting schemes abc in which the
authentication and accounting modes are both RADIUS.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme abc
[HUAWEI-aaa-authen-abc] authentication-mode radius
[HUAWEI-aaa-authen-abc] quit
[HUAWEI-aaa] accounting-scheme abc
[HUAWEI-aaa-accounting-abc] accounting-mode radius
[HUAWEI-aaa-accounting-abc] quit

# Test the connection between SwitchB and the RADIUS server. The test
user test1 with password 123456 has been configured on the RADIUS server.
[HUAWEI-aaa] test-aaa test1 123456 radius-template rd1
Info: Account test succeed.

# Bind authentication and accounting schemes abc, and RADIUS server
template rd1 to the default domain.
[HUAWEI-aaa] domain default
[HUAWEI-aaa-domain-default] authentication-scheme abc
[HUAWEI-aaa-domain-default] accounting-scheme abc
[HUAWEI-aaa-domain-default] radius-server rd1
[HUAWEI-aaa-domain-default] quit
[HUAWEI-aaa] quit

# Enable 802.1x authentication globally and on an interface.
[HUAWEI] vlan batch 10
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x max-user 20
[HUAWEI-GigabitEthernet0/0/1] quit

# Set the global default domain for common users to default. After common
users enter their user names in the format of user@default, the device performs
AAA authentication on these users in the default domain. If a user name does
not contain a domain name or the domain name does not exist, the device
authenticates the common user in the default common domain.
[HUAWEI] domain default
3. Configure local authentication and authorization for the administrator user test.
# Configure the device to use AAA for the Telnet user that logs in through the
VTY user interface.
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] authentication-mode aaa
[HUAWEI-ui-vty0-14] quit

# Configure a local user named test with password admin@12345 and user
level 3.
[HUAWEI] aaa
[HUAWEI-aaa] local-user test password irreversible-cipher admin@12345 privilege level 3

# Configure the access type of the user test as Telnet.
[HUAWEI-aaa] local-user test service-type telnet

# Configure local account locking, and set the retry interval to 5 minutes,
consecutive authentication failure count to 3, and local account locking
duration to 5 minutes.
[HUAWEI-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5

# Configure the authentication scheme auth in which local authentication is
used.
[HUAWEI-aaa] authentication-scheme auth
[HUAWEI-aaa-authen-auth] authentication-mode local
[HUAWEI-aaa-authen-auth] quit

# Configure the authorization scheme autho in which local authorization is
used.
[HUAWEI-aaa] authorization-scheme autho
[HUAWEI-aaa-author-autho] authorization-mode local
[HUAWEI-aaa-author-autho] quit

# Configure the default_admin domain, and apply the authentication
scheme auth and authorization scheme autho to the domain.
[HUAWEI-aaa] domain default_admin
[HUAWEI-aaa-domain-default_admin] authentication-scheme auth
[HUAWEI-aaa-domain-default_admin] authorization-scheme autho
[HUAWEI-aaa-domain-default_admin] quit
[HUAWEI-aaa] quit

# Set the global default domain for administrative users to default_admin.
After administrative users enter their user names in the format of
user@default_admin, the device performs AAA authentication on these users
in the default_admin domain. If a user name does not contain a domain name
or the domain name does not exist, the device authenticates the administrative
user in the default administrative domain.
[HUAWEI] domain default_admin admin
[HUAWEI] quit

4. Verify the configuration.
Run the display dot1x interface command on SwitchB. You can view the 802.1x
authentication information of the interface.
<HUAWEI> display dot1x interface gigabitethernet 0/0/1
  GigabitEthernet0/0/1 status: UP  802.1x protocol is Enabled
  Port control type is Auto
  Authentication mode is MAC-based
  Authentication method is CHAP
  Reauthentication is disabled
  Maximum users: 20
  Current users: 0
  Guest VLAN is disabled
  Critical VLAN is disabled
  Restrict VLAN is disabled

  Authentication Success: 0          Failure: 0
  EAPOL Packets: TX     : 0          RX     : 0
  Sent      EAPOL Request/Identity Packets  : 0
            EAPOL Request/Challenge Packets : 0
            Multicast Trigger Packets       : 0
            EAPOL Success Packets           : 0
            EAPOL Failure Packets           : 0
  Received  EAPOL Start Packets             : 0
            EAPOL Logoff Packets            : 0
            EAPOL Response/Identity Packets : 0
            EAPOL Response/Challenge Packets: 0

When common users go online and enter the user name test1 and
password 123456 on the 802.1x client, run the display access-user
domain and display access-user user-id commands. You can view the domain
that users belong to and the access type.
<HUAWEI> display access-user domain default
------------------------------------------------------------------------------
 UserID Username                IP address       MAC
------------------------------------------------------------------------------
 16040  test1                   -                00e0-4c97-31f6
------------------------------------------------------------------------------
 Total 1,1 printed
<HUAWEI> display access-user user-id 16040
Basic:
  User ID                         : 16040
  User name                       : test1
  Domain-name                     : default
  User MAC                        : 00e0-4c97-31f6
  User IP address                 : -
  User access time                : 2009/02/15 19:10:52
  User accounting session ID      : 255255000000000f910d2016040
  Option82 information            : -
  User access type                : 802.1x

AAA:
  User authentication type        : 802.1x authentication
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS

When the user logs in through Telnet and enters the user name test and
password admin@12345, run the display access-user domain and display
access-user user-id commands. You can view the domain that the user belongs
to and the access type.
<HUAWEI> display access-user domain default_admin
------------------------------------------------------------------------------
 UserID Username                IP address       MAC
------------------------------------------------------------------------------
 16009  test                    10.135.18.217    -
------------------------------------------------------------------------------
 Total 1,1 printed
<HUAWEI> display access-user user-id 16009
Basic:
  User ID                         : 16009
  User name                       : test
  Domain-name                     : default_admin
  User MAC                        : -
  User IP address                 : 10.135.18.217
  User access time                : 2009/02/15 05:10:52
  User accounting session ID      : HUAWEI255255000000000f910d2016009
  User access type                : Telnet

AAA:
  User authentication type        : Administrator authentication
  Current authentication method   : Local
  Current authorization method    : Local
  Current accounting method       : None
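
The following Python sketch is an added example, not part of the original document. It models the domain selection described in the notes and procedures above: a user name with an existing @domain suffix is authenticated in that domain, any other name falls to the global default domain for its access class, and a template with domain-included disabled sends the name without the suffix. The CFG dictionary and function names are constructed for illustration; treating the first '@' as the delimiter and sending unmatched names unchanged are assumptions.

```python
# Constructed model of the domains configured in the examples above.
CFG = {
    "default_domain": "default",              # [HUAWEI] domain default
    "default_admin_domain": "default_admin",  # [HUAWEI] domain default_admin admin
    "domains": {
        # name: method order, and whether the server template keeps "@domain"
        "default": {"methods": ["radius"], "domain_included": True},
        "default_admin": {"methods": ["local"], "domain_included": True},
        "huawei": {"methods": ["radius", "local"], "domain_included": False},
    },
}

# Administrator access types named on the page; 802.1x and Portal are common-user access.
ADMIN_ACCESS = {"telnet", "ssh", "ftp"}


def resolve_login(name, access, cfg=CFG):
    """Return the AAA domain, method order and server-side user name for a login."""
    user, sep, typed = name.partition("@")  # assumption: the first '@' is the delimiter
    if sep and typed in cfg["domains"]:
        domain = typed
        # With domain-included disabled the suffix is stripped before sending.
        sent = name if cfg["domains"][domain]["domain_included"] else user
    else:
        # No domain, or one that does not exist: global default for the access class.
        # Sending the name unchanged in this branch is an assumption of the sketch.
        admin = access.lower() in ADMIN_ACCESS
        domain = cfg["default_admin_domain" if admin else "default_domain"]
        sent = name
    return {"domain": domain, "methods": cfg["domains"][domain]["methods"], "sent_as": sent}


def trace(logins, cfg=CFG):
    """Resolve a batch of (name, access) pairs into printable rows."""
    rows = []
    for name, access in logins:
        r = resolve_login(name, access, cfg)
        rows.append(f"{name} via {access}: domain={r['domain']} "
                    f"methods={'>'.join(r['methods'])} sent_as={r['sent_as']}")
    return rows


if __name__ == "__main__":
    # Constructed logins mirroring the users in the examples above.
    for row in trace([("test1", "802.1x"), ("test", "telnet"),
                      ("user@huawei", "802.1x"), ("test@nosuch", "ssh")]):
        print(row)
```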

Configuration File
Configuration file of SwitchB
#
vlan batch 10 11
#
dot1x enable
#
radius-server template rd1
 radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
 radius-server authentication 192.168.2.30 1812
 radius-server accounting 192.168.2.30 1813
 radius-server retransmit 2
#
aaa
 authentication-scheme auth
 authentication-scheme abc
  authentication-mode radius
 authorization-scheme autho
 accounting-scheme abc
  accounting-mode radius
 domain default
  authentication-scheme abc
  accounting-scheme abc
 domain default_admin
