
01-01 AAA Configuration


Huawei AR Series IOT Gateway

CLI-based Configuration Guide - Security 1 AAA Configuration

1 AAA Configuration

About This Chapter

1.1 Overview of AAA


1.2 Understanding AAA
1.3 Application Scenarios for AAA
1.4 Licensing Requirements and Limitations for AAA
1.5 Default Settings for AAA
1.6 Summary of AAA Configuration Tasks
1.7 Configuring AAA
1.8 Maintaining AAA
1.9 Configuration Examples for AAA

1.1 Overview of AAA

Definition
Authentication, Authorization, and Accounting (AAA) provides a user management
mechanism, including the following functions:
● Authentication: verifies the identity of users for network access.
● Authorization: authorizes users to use particular services.
● Accounting: records the network resources used by users.
Users can use one or more security services provided by AAA. For example, if a
company wants to authenticate employees that access certain network resources,
the network administrator only needs to configure an authentication server. If the
company also wants to record operations performed by employees on the
network, an accounting server is needed.
In summary, AAA authorizes users to access specific resources and records user
operations. AAA is widely used because it features good scalability and facilitates
centralized user information management. AAA can be implemented using
multiple protocols, and RADIUS is the most widely used protocol.

Issue 09 (2021-03-01) Copyright © Huawei Technologies Co., Ltd. 1

Purpose
AAA prevents unauthorized users from logging in to a device and improves system
security.

1.2 Understanding AAA

1.2.1 Domain-based User Management


An NAS performs domain-based user management. A domain is a group of users
and each user belongs to a domain. A user uses only AAA configuration
information in the domain to which the user belongs.
As shown in Figure 1-1, the domain manages configuration information including
the AAA scheme, server template, and authorization information in a unified
manner.
● AAA scheme: is divided into authentication, authorization, and accounting
schemes that are used to define authentication, authorization, and accounting
methods and the order in which the methods take effect. For details about
the AAA scheme, see 1.2.2 AAA Scheme.
● Server template: is used to configure a server for authentication,
authorization, and accounting. When a server is configured for authorization,
you can obtain the authorization information from the server and domain. For
details, see Figure 1-2.
If local authentication or authorization is used, you need to configure
information related to the local user.
● Authorization information in the domain: can be configured in a domain.


Figure 1-1 AAA configuration information in a domain

[Figure: a domain holds an authentication scheme (authentication method: local
authentication, using the user names and passwords of local users; server-based
authentication, using the IP address, port number, and shared key of the
authentication server; ...), an authorization scheme (authorization method:
server-based authorization, using the IP address, port number, and shared key of
the authorization server; local authorization; ...), an accounting scheme
(accounting method: server-based accounting, using the IP address, port number,
and shared key of the accounting server; ...), a server template, and
authorization information in the domain.]

Authorization information can be delivered by a server or configured in a domain.
Whether a user obtains authorization information delivered by a server or in a
domain depends on the authorization method configured in the authorization
scheme. For details, see Figure 1-2.
● If local authorization is used, the user obtains authorization information from
the domain.
● If server-based authorization is used, the user obtains authorization
information from the server or domain. Authorization information configured
in a domain has lower priority than that delivered by a server. If the two types
of authorization information conflict, authorization information delivered by
the server takes effect. If no conflict occurs, the two types of authorization
information take effect simultaneously. In this manner, you can extend
authorization flexibly by means of domain management, regardless of the
authorization attributes provided by the AAA server.


Figure 1-2 Two types of authorization information

[Figure: the authorization method in the authorization scheme selects the type of
authorization information. Server-based authorization: authorization information
delivered by a server. Local authorization: authorization information in a domain.]

Domain to Which a User Belongs


As shown in Figure 1-3, the domain to which a user belongs is determined by the
user name for logging in to the NAS. If the user name does not contain the
domain name or the domain name contained in the user name is not configured
on the NAS, the NAS cannot determine the domain to which the user belongs. In
this case, the NAS adds the user to the default domain based on the user type.

Figure 1-3 Determining domains based on user names

[Flowchart: User name -> Does the user name contain the domain name? If no, the
default domain name is used. If yes -> Is the domain name configured on the NAS
device? If no, the default domain name is used. If yes, the domain name contained
in the user name is used.]

As shown in Table 1-1, AAA divides users into administrators and access users to
provide more refined and differentiated authentication, authorization, and
accounting services. An NAS has two global default domains, namely, the global
default administrative domain default_admin and the global default common
domain default. The two domains are used as the global default domains for
administrators and access users, respectively. Default configurations in the two
domains are different.


NOTE

The accounting scheme default is bound to the two global default domains. Modifying the
accounting scheme may affect configurations of the two domains.
The two global default domains cannot be deleted and can only be modified.

Table 1-1 Global default domain

Administrator
  User access mode: Is also called a login user and refers to the user who can
  log in to the NAS through FTP, HTTP, SSH, Telnet, and the console port.
  Global default domain: default_admin
  Authentication scheme in the global default domain: default (local authentication)
  Accounting scheme in the global default domain: default (non-accounting)
  Authorization scheme in the global default domain: N/A

Access user
  User access mode: Includes SSLVPN users, PPP users, and NAC users (including
  802.1X authenticated, MAC address authenticated, and Portal authenticated users).
  Global default domain: default
  Authentication scheme in the global default domain: radius (local authentication)
  Accounting scheme in the global default domain: default (non-accounting)
  Authorization scheme in the global default domain: N/A

The global default domain can be customized based on actual requirements. The
customized global default domain can be the global default common domain and
the global default management domain at the same time.
You can run the display aaa configuration command to check the current global
default common domain and the global default management domain on the NAS.
The command output is as follows:
<Huawei> display aaa configuration
Domain Name Delimiter :@
Domainname parse direction : Left to right
Domainname location : After-delimiter
Administrator user default domain: default_admin //Global default management domain
Normal user default domain : default //Global default common domain

For some access modes, you can specify the domain to which a user belongs using
the command provided in the corresponding authentication profile to meet
requirements of the user authentication management policy. For example, you can
configure a default domain and a forcible domain for NAC access users on the
NAS based on the authentication profile and specify the user type (802.1X, MAC
address, or Portal authenticated user), achieving flexible configuration. The
forcible domain, default domain, and domain carried in the user name are listed in
descending order of priority:

Forcible domain with a specified authentication method in the authentication
profile > Forcible domain in the authentication profile > Domain carried in the
user name > Default domain with a specified authentication method in the
authentication profile > Default domain in the authentication profile > Global
default domain.

Note that a forcible domain specified for MAC address authenticated users within
a MAC address range has the highest priority and takes precedence over that
configured in an authentication profile.

Format of User Names Sent by an NAS to the RADIUS Server


NOTE

● Only RADIUS authentication supports modification of the user-entered original user names.
● You can change the user-entered original user name based on the RADIUS server template.

An NAS can determine whether a user name sent to the RADIUS server contains
the domain name based on the RADIUS server requirements. By default, an NAS
directly sends the user-entered original user name to the RADIUS server without
changing it.

You can set the format of user names sent by an NAS to the RADIUS server using
the commands in Table 1-2.

The following commands modify only the user name format in RADIUS packets
sent to the RADIUS server and do not modify the user name format in EAP
packets. During 802.1X authentication, the RADIUS server checks whether the user
name carried in EAP packets is the same as that on the RADIUS server. Therefore,
you cannot modify the original user name using the radius-server user-name
domain-included or undo radius-server user-name domain-included command
during 802.1X authentication; otherwise, authentication may fail.

Table 1-2 Setting the format of user names sent by an NAS to the RADIUS server

Each entry lists the command, the resulting user name format, and the user name
sent by the NAS for the two user-entered forms user-name@huawei.com and
user-name.

radius-server user-name original (default configuration)
  User name format: user-entered user name
  user-name@huawei.com -> user-name@huawei.com
  user-name -> user-name

radius-server user-name domain-included
  User name format: domain name included
  user-name@huawei.com -> user-name@huawei.com
  user-name -> user-name@default (assuming that the user uses the default
  domain default)

undo radius-server user-name domain-included
  User name format: domain name excluded
  user-name@huawei.com -> user-name
  user-name -> user-name

undo radius-server user-name domain-included except-eap
  User name format: domain name excluded
  user-name@huawei.com -> user-name
  user-name -> user-name
  NOTE: This command takes effect only for non-EAP authenticated users.
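The domain selection of Figure 1-3 and the user-name rewriting of Table 1-2, as an added Python example that is not part of the Huawei guide. The delimiter "@", left-to-right parsing and after-delimiter location follow the display aaa configuration output shown above; the configured-domain set, the mode names, and the handling of a carried domain that is not configured on the NAS in domain-included mode are assumptions.

```python
from dataclasses import dataclass, field

DELIMITER = "@"   # "Domain Name Delimiter" in the display aaa configuration output


@dataclass
class AaaConfig:
    # Domains created on the NAS; the two global default domains always exist.
    configured_domains: set = field(default_factory=lambda: {"default", "default_admin"})
    # Global default domain per user type (Table 1-1).
    default_domain: dict = field(default_factory=lambda: {"admin": "default_admin",
                                                          "access": "default"})
    # Assumed names for the radius-server user-name settings of Table 1-2.
    radius_user_name_mode: str = "original"


def split_user_name(user_name: str):
    """Parse left to right; the domain is the part after the first delimiter."""
    if DELIMITER in user_name:
        name, domain = user_name.split(DELIMITER, 1)
        return name, domain
    return user_name, None


def select_domain(cfg: AaaConfig, user_name: str, user_type: str) -> str:
    """Figure 1-3: a carried domain is used only if it is configured on the NAS;
    otherwise the global default domain for the user type applies."""
    _, domain = split_user_name(user_name)
    if domain is not None and domain in cfg.configured_domains:
        return domain
    return cfg.default_domain[user_type]


def radius_user_name(cfg: AaaConfig, user_name: str, user_type: str,
                     eap: bool = False) -> str:
    """Table 1-2: the User-Name value the NAS places in RADIUS packets."""
    name, domain = split_user_name(user_name)
    mode = cfg.radius_user_name_mode
    if mode == "original":
        return user_name
    if mode == "domain-included":
        # A carried domain is kept as entered (assumption for the unconfigured
        # case); a bare name gets the domain actually applied, e.g. user-name@default.
        return f"{name}{DELIMITER}{domain or select_domain(cfg, user_name, user_type)}"
    if mode == "domain-excluded":
        return name
    if mode == "domain-excluded-except-eap":
        # The EAP user name must match the RADIUS server's copy, so 802.1X (EAP)
        # users keep the original name.
        return user_name if eap else name
    raise ValueError(f"unknown radius-server user-name mode: {mode!r}")
```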

1.2.2 AAA Scheme


During AAA implementation, you can define a set of AAA configuration policies
using an AAA scheme. An AAA scheme contains a collection of authentication,
authorization, and accounting methods defined on an NAS. Such methods can be
used in combination depending on access features of users and security
requirements.

1.2.2.1 Authentication Scheme

An authentication scheme is used to define methods for user authentication and
the order in which authentication methods take effect. An authentication scheme
is applied to a domain. It is combined with the authorization scheme, accounting
scheme, and server template in the domain for user authentication, authorization,
and accounting.

Authentication Methods Supported by a Device


● RADIUS authentication: User information is configured on the RADIUS server
through which user authentication is performed.
● HWTACACS authentication: User information is configured on the HWTACACS
server through which user authentication is performed.
● Local authentication: The device functions as an authentication server and
user information is configured on the device. This mode features fast
processing and low operation costs. However, the information storage
capacity is subject to the device hardware.
● Non-authentication: Users are completely trusted without validity check. This
mode is rarely used.

Order in Which Authentication Methods Take Effect


An authentication scheme enables you to designate one or more authentication
methods to be used for authentication, thus ensuring a backup system for
authentication in case the initial method does not respond. An NAS uses the first
method listed in the scheme to authenticate users; if that method does not
respond, the NAS selects the next authentication method in the authentication
scheme. This process continues until there is successful communication with a
listed authentication method or the authentication method list is exhausted, in
which case authentication fails.
NOTE

The NAS attempts authentication with the next listed authentication method only when there is
no response from the previous method. If authentication fails at any point in this cycle —
meaning that the AAA server responds by denying the user access — the authentication process
stops and no other authentication methods are attempted.

1.2.2.2 Authorization Scheme

An authorization scheme is used to define methods for user authorization and the
order in which authorization methods take effect. An authorization scheme is
applied to a domain. It is combined with the authentication scheme, accounting
scheme, and server template in the domain for user authentication, authorization,
and accounting.

Authorization Methods Supported by a Device


● HWTACACS authorization: An HWTACACS server is used to authorize users.
● Local authorization: The device functions as an authorization server to
authorize users based on user information configured on the device.
● Non-authorization: Authenticated users have unrestricted access rights on a
network.
● if-authenticated authorization: If passing authentication, a user passes
authorization; otherwise, the user fails authorization. This mode applies to
scenarios where users must be authenticated and the authentication process
can be separated from the authorization process.
NOTE

RADIUS authentication is combined with authorization and cannot be separated. If
authentication succeeds, authorization also succeeds. When RADIUS authentication is used, you
do not need to configure an authorization scheme.

In addition, the "authentication + rights level" method is typically used to control
access of the administrators (login users) to the device, improving the device
operation security. Authentication restricts the administrators' access to the device
and the rights level defines commands that the administrators can enter after
logging in to the device. For details about the method, see CLI Login Configuration
in Huawei AR Series V200R009 CLI-based configuration - Basic Configuration
Guide.

Order in Which Authorization Methods Take Effect


An authorization scheme enables you to designate one or more authorization
methods to be used for authorization, thus ensuring a backup system for
authorization in case the initial method does not respond. The first method listed
in the scheme is used to authorize users; if that method does not respond, the
next authorization method in the authorization scheme is selected. If the initial
method responds with an authorization failure message, the AAA server refuses to
provide services for the user. In this case, authorization ends and the next listed
method is not used.
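The method-list fallback rule described for authentication schemes (1.2.2.1) and for authorization schemes above, as an added Python simulation that is not from the Huawei guide: the next method is tried only when the current one does not respond, and an explicit deny ends the process. The backend handlers and their results are constructed for the example.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"   # server unreachable or timed out


def run_scheme(methods, user, password):
    """methods: ordered list of (name, handler); handler(user, password) -> Result.
    Returns (final result, name of the method that decided, or None if the list
    was exhausted without any method answering)."""
    for name, handler in methods:
        outcome = handler(user, password)
        if outcome is Result.NO_RESPONSE:
            continue                 # backup only on silence, never on a deny
        return outcome, name         # ACCEPT or REJECT ends the cycle here
    return Result.REJECT, None       # list exhausted: authentication fails


# Simulated backends (constructed for the example).
def radius_down(user, password):
    return Result.NO_RESPONSE


def radius_strict(user, password):
    return Result.ACCEPT if (user, password) == ("alice", "S3cret!x") else Result.REJECT


LOCAL_USERS = {"admin": "L0cal#pass"}   # constructed local user database


def local_auth(user, password):
    return Result.ACCEPT if LOCAL_USERS.get(user) == password else Result.REJECT
```

A scheme of "radius then local" therefore lets the local account in only while the RADIUS server is silent; once the server answers with a deny, the local backup is never consulted.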

Authorization Information
Authorization information can be delivered by a server or configured in a domain.
Whether a user obtains authorization information delivered by a server or in a
domain depends on the authorization method configured in the authorization
scheme. For details, see Figure 1-4.
● If local authorization is used, the user obtains authorization information from
the domain.
● If server-based authorization is used, the user obtains authorization
information from the server or domain. Authorization information configured
in a domain has lower priority than that delivered by a server. If the two types
of authorization information conflict, authorization information delivered by
the server takes effect. If no conflict occurs, the two types of authorization
information take effect simultaneously. In this manner, you can extend
authorization flexibly by means of domain management, regardless of the
authorization attributes provided by the AAA server.

Figure 1-4 Two types of authorization information

[Figure: the authorization method in the authorization scheme selects the type of
authorization information. Server-based authorization: authorization information
delivered by a server. Local authorization: authorization information in a domain.]

Table 1-3 shows authorization information typically used by a server. Table 1-4
shows authorization information that can be configured in a domain.

Table 1-3 Common authorization information of a RADIUS server

ACL number: Is delivered by the server. You need to configure ACL number-related
rules on the NAS.

ACL rule: Is directly delivered by the server. As defined in the rule, users can
access all network resources included in the ACL. You do not need to configure
the corresponding ACL on the NAS.

VLAN: If dynamic VLAN delivery is configured on the server, authorization
information sent to the NAS includes the VLAN attribute. After the NAS receives
the authorization information, it changes the VLAN to which the user belongs to
the delivered VLAN. The delivered VLAN does not change or affect the interface
configuration. The delivered VLAN, however, takes precedence over the
user-configured VLAN. That is, the delivered VLAN takes effect after the
authentication succeeds, and the user-configured VLAN takes effect after the user
goes offline.

User group: The server delivers the user group name to the NAS. You need to
configure the corresponding group and network resources in the group on the NAS.

CAR: The server delivers authorization to control the committed information rate
(CIR), peak information rate (PIR), committed burst size (CBS), and peak burst
size (PBS) for access between the user and NAS.

Administrator level: Priority of an administrator (such as a Telnet user)
delivered by the server. The priority ranges from 0 to 15. A value greater than or
equal to 16 is invalid.

Service scheme: Name of a service scheme delivered by the server. You need to
configure the corresponding service scheme and the network authorization and
policy in the scheme on the NAS.

Idle-cut: Idle-cut time delivered by the server. After a user goes online, if the
consecutive non-operation period or the duration when traffic is lower than a
specified value exceeds the idle-cut time, the user is disconnected.

Reauthentication or forcible logout: Remaining service availability period
delivered by the server. If the period expires, reauthentication is performed for
the user or the user is forced to go offline according to the server-delivered
action.


Table 1-4 Authorization information that can be configured in a domain

VLAN: VLAN-based authorization is easy to deploy and requires low maintenance
costs. It applies to scenarios where employees in an office or a department have
the same access rights. In local authorization, you only need to configure VLANs
and corresponding network resources in the VLAN on the NAS. If a user uses
Portal authentication or a hybrid authentication mode (including Portal
authentication), the NAS cannot perform VLAN-based authorization for the user.
After a user obtains VLAN-based authorization, the user needs to manually request
an IP address using DHCP.

Service scheme: A service scheme and corresponding network resources in the
scheme need to be configured on the NAS.

User group: A user group consists of users (terminals) with the same attributes
such as the role and rights. For example, you can divide users on a campus
network into the R&D group, finance group, marketing group, and guest group
based on the enterprise department structure, and grant different security
policies to different departments. You need to configure a user group and
corresponding network resources in the group on the NAS.

1.2.2.3 Accounting Scheme

An accounting scheme is used to define a user accounting method. An accounting
scheme is applied to a domain. It is combined with the authentication scheme,
authorization scheme, and server template in the domain for user authentication,
authorization, and accounting.

Accounting Methods Supported by a Device


● RADIUS accounting: A RADIUS server is used to perform user accounting.
● HWTACACS accounting: An HWTACACS server is used to perform user
accounting.
● Non-accounting: Users can access a network without being charged.

Order in Which Accounting Methods Take Effect


You can specify only one accounting method at a time in an accounting scheme.
As described in 1.2.4.2 RADIUS Packets, RADIUS accounting packets are divided
into Accounting-Request and Accounting-Response packets. Accounting succeeds if
each Accounting-Request packet sent by a device is answered by the server with an
Accounting-Response packet. If no Accounting-Response packet is received from
the server, accounting fails.
After the accounting function is enabled, the device sends Accounting-Request
packets recording user activities to the AAA server. The AAA server then performs
user accounting and auditing based on information in the packets. Take RADIUS
accounting as an example. Accounting-Request packets are divided into three
types:
● Accounting-Request (Start) packet: When a user is successfully authenticated
and begins to access network resources, the device sends an Accounting-
Request (Start) packet to the RADIUS server.
● Accounting-Request (Stop) packet: When a user is disconnected proactively
(or forcibly by the NAS), the device sends an Accounting-Request (Stop)
packet to the server.
● Accounting-Request (Interim-update) packet: To reduce accounting deviation
and ensure that the accounting server can receive Accounting-Request (Stop)
packets and stop user accounting, you can configure the real-time accounting
function on the device. In this case, the device periodically sends an
Accounting-Request (Interim-update) packet to the RADIUS server.
Typically, each Accounting-Request packet sent by a device is responded by the
server with an Accounting-Response packet. If the device does not receive a
corresponding Accounting-Response packet due to network faults, accounting
fails. In this case, the device determines whether the user can still be online
depending on the type of the Accounting-Request packet as follows:
● Accounting-start failure: The user goes offline by default.
● Real-time accounting failure: The user is allowed to be online by default.
● Accounting-stop failure: The device retransmits the Accounting-Request (Stop) packet.

1.2.3 Local Authentication and Authorization

Local AAA Server


A device functioning as an AAA server is called a local AAA server that performs
user authentication and authorization and cannot perform user accounting.
Similar to the remote AAA server, the local AAA server requires the local user
names, passwords, and authorization information of local users. The
authentication and authorization speed of a local AAA server is faster than that of
a remote AAA server, which reduces operation costs. However, the information
storage capacity of a local AAA server is subject to the device hardware.

Security Policy for Local User Password


Password Length and Complexity
When an administrator creates local users on a device, the length and complexity
of local users' passwords have been controlled by commands on the device. The
complexity check requires that the password must be a combination of at least
two of the following: digits, lowercase letters, uppercase letters, and special
characters. In addition, a password must consist of at least eight characters.


Password Validity Period

After the local administrator password policy is enabled, the local administrator
can set the password validity period. The default validity period is 90 days and can
be changed.

If the password of a local user expires and the local user still uses this password to
log in to the device, the device prompts the user that the password has expired,
and asks the user whether to change the password. The device then performs the
following operations depending on the user selection:
● If the user enters Y, the user needs to enter the old password, new password,
and confirm password. The password can be successfully changed only when
the old password is correct and the new password and confirm password are
the same and meet password length and complexity requirements.
● If the user enters N or fails to change the password, the user cannot log in to
the device.

The device also supports the password expiration prompt function. When a user
logs in to the device, the device checks for how many more days the password is
valid. If the number of days is less than the prompt days set in the command, the
device notifies the user how long it is until the password expires and asks the
user whether to change the password.
● If the user changes the password, the device records the new password and
modification time.
● If the user does not change the password or fails to change the password, the
user can still log in to the device as long as the password has not expired.

Password Modification Policy

During password modification, you are not advised to use old passwords. By
default, the new password cannot be the same as those used for the last five
times.

The local administrator can change the password of an equal- or lower-level local
user.

1.2.4 RADIUS AAA

1.2.4.1 Overview of RADIUS

AAA can be implemented using multiple protocols. RADIUS is most frequently
used in actual scenarios.

RADIUS is a protocol that uses the client/server model in distributed mode and
protects a network from unauthorized access. It is often used on networks that
require high security and control remote user access. It defines the UDP-based
RADIUS packet format and transmission mechanism, and specifies UDP ports 1812
and 1813 as the default authentication and accounting ports respectively.

At the very beginning, RADIUS was only the AAA protocol used for dial-up users.
As user access modes have diversified, for example to Ethernet access, RADIUS has
also been applied to these access modes. RADIUS provides the access service through
authentication and authorization and records the network resource usage of users
through accounting.

RADIUS has the following characteristics:

● Client/Server model
● Secure message exchange mechanism
● Fine scalability

Client/Server Model
● RADIUS client
RADIUS clients run on the NAS to transmit user information to a specified
RADIUS server and process requests (for example, permit or reject user access
requests) based on the responses from the server. RADIUS clients can locate
at any node on a network.
As a RADIUS client, a device supports:
– standard RADIUS protocol and its extensions, including RFC 2865 and RFC
2866
– Huawei extended RADIUS attributes
– RADIUS server status detection
– retransmission of Accounting-Request(Stop) packets in the local buffer
– active/standby and load balancing functions between RADIUS servers
● RADIUS server
RADIUS servers typically run on central computers and workstations to
maintain user authentication and network service access information. The
servers receive connection requests from users, authenticate the users, and
send all required information (such as permitting or rejecting authentication
requests) to the clients. A RADIUS server generally needs to maintain three
databases, as shown in Figure 1-5.

Figure 1-5 Databases maintained by a RADIUS server

[Figure: a RADIUS server holding three databases: Users, Clients, and Dictionary.]

– Users: This database stores user information such as user names,
passwords, protocols, and IP addresses.
– Clients: This database stores RADIUS client information, such as the
shared keys and IP addresses.
– Dictionary: This database stores the attributes in the RADIUS protocol
and their value descriptions.


Secure Message Exchange Mechanism


Authentication messages between a RADIUS server and RADIUS clients are
exchanged using a shared key. The shared key is a character string that is
transmitted in out-of-band mode, is known to both clients and the server, and
does not need to be transmitted independently on the network.

A RADIUS packet has a 16-octet Authenticator field that contains the digital
signature data of the whole packet. The signature data is calculated using the
MD5 algorithm and shared key. The RADIUS packet receiver needs to verify
whether the signature is correct and discards the packet if the signature is
incorrect.

This mechanism improves security of message exchange between RADIUS clients
and the RADIUS server. In addition, user passwords contained in RADIUS packets
are encrypted using shared keys before the packets are transmitted to prevent the
user passwords from being stolen during transmission on an insecure network.

Fine Scalability
A RADIUS packet consists of a packet header and a certain number of attributes.
The protocol implementation remains unchanged even if new attributes are added
to a RADIUS packet.

1.2.4.2 RADIUS Packets

RADIUS Packet Format


RADIUS is based on the UDP protocol. Figure 1-6 shows the RADIUS packet
format.

Figure 1-6 RADIUS packet format

0               7               15                              31
+---------------+---------------+-------------------------------+
|     Code      |  Identifier   |            Length             |
+---------------+---------------+-------------------------------+
|                         Authenticator                         |
|                          (16 octets)                          |
+---------------------------------------------------------------+
|                         Attribute ...                         |
+---------------------------------------------------------------+

Each RADIUS packet contains the following information:


● Code: The Code field is one octet and identifies type of a RADIUS packet.
Value of the Code field varies depending on the RADIUS packet type. For
example, the value 1 indicates an Access-Request packet and the value 2
indicates an Access-Accept packet.


● Identifier: The Identifier field is one octet, and helps the RADIUS server match
requests and responses and detect duplicate requests retransmitted within a
certain period. After a client sends a request packet, the server sends a reply
packet with the same Identifier value as the request packet.
● Length: The Length field is two octets and specifies the length of a RADIUS
packet. Octets outside the range of the Length field must be treated as
padding and ignored on reception. If a packet is shorter than the Length field,
it must be silently discarded.
● Authenticator: The Authenticator field is 16 octets. This value is used to
authenticate the reply from the RADIUS server and is used in the password
hiding algorithm.
● Attribute: This field is variable in length. RADIUS attributes carry the specific
authentication, authorization, and accounting information and configuration
details for the request and reply packets. The Attribute field may contain
multiple attributes, each of which consists of Type, Length, and Value. For
details, see 1.2.4.8 RADIUS Attributes.
– Type: The Type field is one octet and indicates the RADIUS attribute ID.
The value ranges from 1 to 255.
– Length: The Length field is one octet, and indicates the length of the
RADIUS attribute (including the Type, Length, and Value fields). The
Length is measured in octets.
– Value: The maximum length of the Value field is 253 bytes. The Value
field contains information specific to the RADIUS attribute. The format
and length of the Value field are determined by the Type and Length fields.
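The packet layout and the Authenticator check described above, as an added example in Python (not code from this guide or from Huawei): it parses the header and the attribute TLVs while applying the Length rules, hides a User-Password with the shared key as RFC 2865 specifies, and verifies the Response Authenticator of a reply. The shared key, password, and Request Authenticator values are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes. The page names 1 (Access-Request) and 2 (Access-Accept);
# the other values are the standard RFC 2865/2866/5176 assignments.
CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
    40: "DM-Request", 41: "DM-ACK", 42: "DM-NAK",
    43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK",
}
USER_NAME, USER_PASSWORD = 1, 2        # attribute Type values (RFC 2865)
HEADER = struct.Struct("!BBH16s")      # Code, Identifier, Length, Authenticator


def parse_packet(data: bytes) -> dict:
    """Parse the header and the attribute TLVs, applying the Length rules above."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 20-octet header")
    code, ident, length, auth = HEADER.unpack_from(data)
    if length < HEADER.size:
        raise ValueError("Length field smaller than the header")
    if len(data) < length:
        raise ValueError("packet shorter than its Length field: discard silently")
    body = data[HEADER.size:length]    # octets beyond Length are padding: ignored
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):   # Length counts Type+Length+Value
            raise ValueError("attribute length out of range")
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODES.get(code, "Unknown"), "id": ident,
            "authenticator": auth, "attrs": attrs, "body": body}


def encode_attrs(attrs) -> bytes:
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: each 16-octet block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (the server side); trailing NUL padding is dropped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, body, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    header = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def sign_response(code, ident, attrs, request_auth, secret) -> bytes:
    """Server side: build a reply whose Authenticator covers the whole packet."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(body), auth) + body


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator and compare in constant
    time; a mismatch (wrong key or altered attributes) means the packet is discarded."""
    try:
        pkt = parse_packet(response)
    except ValueError:
        return False
    expected = response_authenticator(pkt["code"], pkt["id"], pkt["body"],
                                      request_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])
```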

RADIUS Packet Type


RADIUS defines 16 types of packets. Table 1-5 describes the types of
authentication packets, and Table 1-6 describes the types of accounting packets.
For RADIUS CoA/DM packets, see 1.2.4.7 RADIUS CoA/DM.

Table 1-5 RADIUS authentication packet

Access-Request: Access-Request packets are sent from a client to a RADIUS server
and are the first packets transmitted in a RADIUS packet exchange process. This
packet conveys information (such as the user name and password) used to
determine whether a user is allowed access to a specific NAS and any special
services requested for that user.
Access-Accept: After a RADIUS server receives an Access-Request packet, it must
send an Access-Accept packet if all attribute values in the Access-Request packet
are acceptable (authentication success). The user is allowed access to requested
services only after the RADIUS client receives this packet.
Access-Reject: After a RADIUS server receives an Access-Request packet, it must
send an Access-Reject packet if any of the attribute values are not acceptable
(authentication failure).
Access-Challenge: During an EAP relay authentication, when a RADIUS server
receives an Access-Request packet carrying the user name from a client, it
generates a random MD5 challenge and sends the MD5 challenge to the client
through an Access-Challenge packet. The client encrypts the user password using
the MD5 challenge, and then sends the encrypted password in an Access-Request
packet to the RADIUS server. The RADIUS server compares the encrypted
password received from the client with the locally encrypted password. If they
are the same, the server determines that the user is valid.

Table 1-6 RADIUS accounting packet

Accounting-Request(Start): If a RADIUS client uses RADIUS accounting, the client
sends this packet to a RADIUS server before accessing network resources.
Accounting-Response(Start): The RADIUS server must send an
Accounting-Response(Start) packet after the server successfully receives and
records an Accounting-Request(Start) packet.
Accounting-Request(Interim-update): You can configure the real-time accounting
function on a RADIUS client to prevent the RADIUS server from continuing user
accounting if it fails to receive the Accounting-Request(Stop) packet. The client
then periodically sends Accounting-Request(Interim-update) packets to the
server, reducing accounting deviation.
Accounting-Response(Interim-update): The RADIUS server must send an
Accounting-Response(Interim-update) packet after the server successfully
receives and records an Accounting-Request(Interim-update) packet.
Accounting-Request(Stop): When a user goes offline proactively or is forcibly
disconnected by the NAS, the RADIUS client sends this packet carrying the
network resource usage information (including the online duration and number
of incoming/outgoing bytes) to the RADIUS server, requesting the server to stop
accounting.
Accounting-Response(Stop): The RADIUS server must send an
Accounting-Response(Stop) packet after receiving an Accounting-Request(Stop)
packet.

1.2.4.3 RADIUS Authentication, Authorization, and Accounting Process


A device that functions as a RADIUS client collects user information, including the
user name and password, and sends the information to the RADIUS server. The
RADIUS server then authenticates users according to the information, after which
it performs authorization and accounting for the users. Figure 1-7 shows the
information exchange process between a user, a RADIUS client, and a RADIUS
server.

Figure 1-7 RADIUS authentication, authorization, and accounting process
(message sequence between the user, the RADIUS client, and the RADIUS server;
the 13 steps are listed below)

1. A user needs to access a network and sends a connection request containing
the user name and password to the RADIUS client (device).
2. The RADIUS client sends a RADIUS Access-Request packet containing the user
name and password to the RADIUS server.
3. The RADIUS server verifies the user identity:
– If the user identity is valid, the RADIUS server returns an Access-Accept
packet to the RADIUS client to permit further operations of the user. The
Access-Accept packet contains authorization information because RADIUS
provides both authentication and authorization functions.
– If the user identity is invalid, the RADIUS server returns an Access-Reject
packet to the RADIUS client to reject access from the user.
4. The RADIUS client notifies the user of whether authentication is successful.
5. The RADIUS client permits or rejects the user access request according to the
authentication result. If the access request is permitted, the RADIUS client
sends an Accounting-Request (Start) packet to the RADIUS server.
6. The RADIUS server sends an Accounting-Response (Start) packet to the
RADIUS client and starts accounting.
7. The user starts to access network resources.
8. (Optional) If interim accounting is enabled, the RADIUS client periodically
sends an Accounting-Request (Interim-update) packet to the RADIUS server,
preventing incorrect accounting results caused by unexpected user
disconnection.
9. (Optional) The RADIUS server returns an Accounting-Response (Interim-
update) packet and performs interim accounting.
10. The user sends a logout request.
11. The RADIUS client sends an Accounting-Request (Stop) packet to the RADIUS
server.
12. The RADIUS server sends an Accounting-Response (Stop) packet to the
RADIUS client and stops accounting.
13. The RADIUS client notifies the user of the processing result, and the user
stops accessing network resources.

1.2.4.4 RADIUS Packet Retransmission Mechanism

When a user is authenticated, a device sends an Access-Request packet to the
RADIUS server. To ensure that the device can receive a response packet from the
server even if a network fault or delay occurs, a retransmission upon timeout
mechanism is used. The retransmission times and retransmission interval are
controlled using timers.
As shown in Figure 1-8, 802.1X authentication and client-initiated authentication
are used as an example. After receiving an EAP packet (EAP-Response/Identity)
containing the user name of the client, the device encapsulates the packet into a
RADIUS Access-Request packet and sends the packet to the RADIUS server. The
retransmission timer is enabled at the same time. The retransmission timer is
composed of the retransmission interval and retransmission times. If the device
does not receive any response packet from the RADIUS server when the
retransmission interval expires, it sends a RADIUS Access-Request packet again.


Figure 1-8 RADIUS authentication packet retransmission flowchart (the 802.1X
client sends EAPOL-Start, the device replies with EAP-Request/Identity, the
client answers with EAP-Response/Identity, and the device then sends a RADIUS
Access-Request packet for the first time; the packet is resent at the
retransmission interval set by radius-server timeout time-value until the number
of retransmission times set by radius-server retransmit retry-times is reached,
after which retransmission stops)

The device stops packet retransmission if any of the following conditions is met:
● The device receives a response packet from the RADIUS server. It then stops
packet retransmission and marks the RADIUS server status as Up.
● The device detects that the RADIUS server status is Down. After the device
marks the RADIUS server status as Down:
– If the number of retransmitted packets has reached the upper limit, the
device stops packet retransmission and keeps the RADIUS server status
as Down.
– If the number of retransmitted packets has not reached the upper limit,
the device retransmits an Access-Request packet once more to the
RADIUS server. If the device receives a response packet from the server, it
stops packet retransmission and restores the RADIUS server status to Up.
Otherwise, it still stops packet retransmission and keeps the RADIUS
server status as Down.
● The number of retransmitted packets has reached the upper limit. The device
then stops packet retransmission and performs the following:
– If the device receives a response packet from the RADIUS server, it marks
the RADIUS server status as Up.
– If the device has detected that the RADIUS server status is Down, it
marks the server status as Down.
– If the device receives no response packet from the RADIUS server and
does not detect that the server status is Down, the device does not
change the server status, even though the server did not actually respond.


NOTE

The device does not necessarily mark the status of a server that does not respond as
Down. The device marks the server status as Down only if the corresponding
conditions are met.

For the RADIUS server status introduction and conditions for a device to mark the
server status as Down, see 1.2.4.6 RADIUS Server Status Detection.
RADIUS packet retransmission discussed here applies only to a single server. If
multiple servers are configured in a RADIUS server template, the overall
retransmission period depends on the retransmission interval, retransmission
times, RADIUS server status, number of servers, and algorithm for selecting the
servers.
You can set the timer using the following commands:
● radius-server retransmit retry-times: Specifies the retransmission times. The
default value is 3.
● radius-server timeout time-value: Specifies the retransmission interval. The
default value is 5 seconds.

1.2.4.5 RADIUS Server Selection Mechanism

Typically, multiple RADIUS servers are deployed on a large-scale enterprise
network so that user access is not disrupted if one server is faulty. In addition,
load balancing is performed between these servers, preventing the resources of a
single server from being exhausted when a large number of users access the
network. If multiple servers are configured in a RADIUS server template and a
device needs to send a packet to a server, the device selects the RADIUS server
using one of the following algorithms, depending on the command configuration:
● RADIUS server primary/secondary algorithm (default)
● RADIUS server load balancing algorithm

RADIUS Server Primary/Secondary Algorithm


The primary and secondary roles are determined by the weights configured for the
RADIUS authentication servers or RADIUS accounting servers. The server with the
largest weight is the primary server. If the weight values are the same, the earliest
configured server is the primary server. As shown in Figure 1-9, the device
preferentially sends an authentication or accounting packet to the primary server
among all servers in Up status. If the primary server does not respond, the device
then sends the packet to the secondary server.


Figure 1-9 Diagram for the RADIUS server primary/secondary algorithm (the user
connects through the device; the primary RADIUS server and the secondary
RADIUS server are both in Up status)

RADIUS Server Load Balancing Algorithm


If this algorithm is used and a device sends an authentication or accounting
packet to a server, the device selects a server based on the weights configured for
the RADIUS authentication servers or RADIUS accounting servers. As shown in
Figure 1-10, RADIUS server1 is in Up status and its weight is 80, and RADIUS
server2 is also in Up status and its weight is 20. The probability that the device
sends the packet to RADIUS server1 is 80% [80/(80 + 20)], and that for RADIUS
server2 is 20% [20/(80 + 20)].

Figure 1-10 Diagram for the RADIUS server load balancing algorithm (the user
connects through the device; RADIUS server1, in Up status, receives 80% of the
packets and RADIUS server2, in Up status, receives 20%)

Regardless of which algorithm is used, if all the servers in Up status do not
respond to a packet sent by a device, the device retransmits the packet to a server
among the servers whose status is originally marked as Down (to which the device
has not sent any authentication or accounting packets) based on the server
weight. If the device does not receive any response in the current authentication
mode, the backup authentication mode is used, for example, local authentication
mode. The backup authentication mode needs to be already configured in the
authentication scheme. Otherwise, the authentication process ends.
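The two selection algorithms and the fallback to Down servers described above, as an added example in Python (not code from this guide or from Huawei). Server names, weights and the answering behaviour are constructed; the order in which the remaining Up servers are tried after a load-balanced pick, and the position of Force-up servers in the order, are assumptions the page does not state.

```python
import random
from dataclasses import dataclass


@dataclass
class RadiusServer:
    name: str
    weight: int
    order: int                # configuration order; the earliest wins weight ties
    status: str = "Up"        # Up, Down or Force-up, as defined on the page


def by_primary_secondary(servers):
    """Primary/secondary ranking: largest weight first, earliest configured on ties."""
    return sorted(servers, key=lambda s: (-s.weight, s.order))


def load_balance_probabilities(servers):
    """Share of packets each Up server receives under the load balancing algorithm."""
    up = [s for s in servers if s.status == "Up"]
    total = sum(s.weight for s in up)
    return {s.name: s.weight / total for s in up} if total else {}


def load_balance_pick(servers, r):
    """Weighted choice among Up servers. r is a uniform draw in [0, 1), passed in
    explicitly so that the selection can be checked deterministically."""
    up = [s for s in servers if s.status == "Up"]
    remaining = r * sum(s.weight for s in up)
    for s in up:
        remaining -= s.weight
        if remaining < 0:
            return s
    return up[-1] if up else None


def try_order(servers, algorithm="primary-secondary", r=None):
    """Order in which the device tries servers: Up servers first (chosen per the
    algorithm), then Force-up servers, then servers already marked Down, ranked
    by weight. The ordering of the remaining Up servers after a load-balanced
    pick, and of Force-up servers, is an assumption of this example."""
    up = [s for s in servers if s.status == "Up"]
    if algorithm == "load-balancing" and up:
        first = load_balance_pick(up, random.random() if r is None else r)
        up_order = [first] + [s for s in by_primary_secondary(up) if s is not first]
    else:
        up_order = by_primary_secondary(up)
    force_up = by_primary_secondary([s for s in servers if s.status == "Force-up"])
    down = by_primary_secondary([s for s in servers if s.status == "Down"])
    return up_order + force_up + down


def send_request(servers, responds, algorithm="primary-secondary", r=None):
    """Simulate one packet; `responds` maps server name -> whether it answers.
    Returns the answering server's name, or None when every server stayed silent
    and the backup authentication mode (for example, local) has to take over."""
    for s in try_order(servers, algorithm, r):
        if responds.get(s.name, False):
            return s.name
    return None
```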

1.2.4.6 RADIUS Server Status Detection

Availability and maintainability of a RADIUS server are the prerequisites of user
access authentication. If a device cannot communicate with the RADIUS server, the
server cannot perform authentication or authorization for users. To resolve this
issue, the device supports the user escape function upon transition of the RADIUS
server status to Down. To be specific, if the RADIUS server goes Down, users
cannot be authorized by the server but still have certain network access rights.
The user escape function upon transition of the RADIUS server status to Down can
be enabled only after the device marks the RADIUS server status as Down. If the
RADIUS server status is not marked as Down and the device cannot communicate
with the RADIUS server, users cannot be authorized by the server and the escape
function is also unavailable. As a result, users have no network access rights.
Therefore, the device must be capable of detecting the RADIUS server status in a
timely manner. If the device detects that the RADIUS server status transitions to
Down, users can obtain escape rights; if the device detects that the RADIUS server
status reverts to Up, escape rights are removed from the users and the users are
reauthenticated.
This section contains the following contents:
● RADIUS Server Status
● Conditions for Marking the RADIUS Server Status as Down
● Automatic Detection
● Consecutive Processing After the RADIUS Server Status Is Marked as
Down

RADIUS Server Status


A device can mark the RADIUS server status as Up, Down, or Force-up. The
following list describes the three RADIUS server statuses, whether the server is
available in each, and the condition for switching to each status.
● Up: The RADIUS server is available. Switching conditions: the device initially
marks the RADIUS server status as Up, and the device marks the RADIUS
server status as Up if it receives packets from the server.
● Down: The RADIUS server is unavailable. Switching condition: the conditions
for marking the RADIUS server status as Down are met.
● Force-up: When no RADIUS server is available, the device selects the RADIUS
server in Force-up status. Switching condition: the device marks the RADIUS
server status as Force-up if the timer specified by dead-time expires.

The RADIUS server status is initially marked as Up. After a RADIUS Access-Request
packet is received and the conditions for marking the RADIUS server status as
Down are met, the RADIUS server status transitions to Down. The RADIUS Access-
Request packet that triggers the server status transition can be sent during user
authentication or constructed by the administrator. For example, the RADIUS
Access-Request packet can be a test packet sent when the test-aaa command is
run or a detection packet sent during automatic detection.
The device changes the RADIUS server status from Down to Up or to Force-up in
the following scenarios:
● Down to Force-up: The timer specified by dead-time starts after the device
marks the RADIUS server status as Down. The timer indicates the duration for
which the server status remains Down. After the timer expires, the device
marks the RADIUS server status as Force-up. If a new user needs to be
authenticated in RADIUS mode and no RADIUS server is available, the device
attempts to re-establish a connection with a RADIUS server in Force-up
status.
● Down to Up: After receiving packets from the RADIUS server, the device
changes the RADIUS server status from Down to Up. For example, after
automatic detection is configured, the device receives response packets from
the RADIUS server.

Conditions for Marking the RADIUS Server Status as Down


Whether the status of a RADIUS server can be marked as Down depends on the
following factors:
● Number of times the RADIUS Access-Request packet is sent
● Interval of sending the RADIUS Access-Request packet
● Interval of detecting the RADIUS server status
● Maximum number of consecutive unacknowledged packets in each detection
interval
As shown in Figure 1-11, the conditions for marking the RADIUS server status as
Down are as follows:
1. In a detection interval, if the number of times the device receives no response
packet after sending RADIUS Access-Request packets (n) is greater than or
equal to the maximum number of consecutive unacknowledged packets
(dead-count), the device records a communication interruption.
2. If the device records communication interruptions with one RADIUS server in
two consecutive detection intervals, the device considers that the RADIUS
server is unavailable and the conditions for the device to mark the RADIUS
server status as Down are met.
NOTE
If the device does not record any communication interruption in the second detection
interval, the first communication interruption record is cleared.
3. When the device sends an Access-Request packet to the server for the (2n
+1)th time, it marks the server status as Down.
– If the device receives a response packet from the server, the server status
reverts to Up.
– If no response packet is received from the server and the number of
packet retransmission times is not reached, the device sends an Access-
Request packet to the server for the (2n+2)th time. If the server still does
not respond, the device no longer sends any Access-Request packet to the
server.

If multiple servers are configured in the RADIUS server template, the overall status
detection time is related to the number of servers and the server selection
algorithm. If a user terminal uses client software for authentication and the
timeout period of the terminal client software is shorter than the sum of all the
status detection times, the terminal client software may dial up repeatedly and
cannot access the network. If the user escape function is configured, the sum of
all the status detection times must be shorter than the timeout period of the
terminal client software to ensure that escape rights can be added to the users.

Figure 1-11 Logic flowchart for marking the RADIUS server status as Down
(Flowchart 1: MAC authentication process for new access users, showing the
server status on the switch changing between UP and DOWN, the dead time timer
with a default of 5 minutes, and the authorization users obtain in the pre-authen,
authen-fail, authen-server-down and success states. Flowchart 2: detection
process for the connected user when the port status changes, using the link-down
offline delay and the authentication handshake-period timer.)
The commands referenced in the flowcharts are:
Config link-down offline delay : link-down offline delay { delay-value | unlimited }
Config authentication timer handshake-period : authentication timer handshake-period handshake-period
Config authen-server-down event authorization : authentication event authen-server-down action authorize
Config authen-fail event authorization : authentication event authen-fail action authorize
Config pre-authen event authorization : authentication event pre-authen action authorize
Config re-authentication for online user : mac-authen reauthenticate
Config authen-fail or pre-authen re-authen timer : authentication timer re-authen
Config authen-server-up action re-authen : authentication event authen-server-up action re-authen

The related command is as follows.
● radius-server { dead-interval dead-interval | dead-count dead-count }:
Configures conditions for marking the RADIUS server status as Down during
the RADIUS server status detection.
– dead-interval dead-interval: Specifies the detection interval. The default
value is 5 seconds.
– dead-count dead-count: Specifies the maximum number of consecutive
unacknowledged packets. The default value is 2.


Automatic Detection
After the RADIUS server status is marked as Down, you can configure the
automatic detection function to test the RADIUS server reachability.
The device then periodically detects servers whose status is marked as Down.
The automatic detection function needs to be manually enabled. The automatic
server status detection function can be enabled only if the user name and
password for automatic detection are configured in the RADIUS server template
view on the device rather than on the RADIUS server. Authentication success is not
mandatory. If the device can receive the authentication failure response packet,
the RADIUS server is properly working and the device marks the RADIUS server
status as Up. If the device cannot receive the response packet, the RADIUS server
is unavailable and the device marks the RADIUS server status as Down.
The commands related to automatic detection are as follows.
● radius-server testuser username user-name password cipher password:
Enables the automatic detection function.
– user-name: Specifies the user name for automatic detection.
– password: Specifies the password for automatic detection.
● radius-server detect-server interval interval: Specifies the automatic
detection interval. The default value is 60 seconds.
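A model of the Down-marking conditions (dead-interval, dead-count, two consecutive interrupted intervals, and the clearing rule from the NOTE), of the dead-time transition to Force-up, and of a reply to an automatic-detection probe restoring Up, as an added example in Python (not code from this guide or from Huawei). Detection intervals counted as fixed windows from time 0 and the 5-minute dead-time default taken from Figure 1-11 are assumptions; the event timelines are constructed.

```python
class RadiusServerStatus:
    """Status of one RADIUS server as the device would track it: Up, Down or
    Force-up. Times are seconds. Detection intervals are fixed windows of
    dead_interval seconds counted from time 0 (an assumption). Defaults follow
    the page: dead-interval 5 s, dead-count 2, dead-time 5 min (Figure 1-11)."""

    def __init__(self, dead_interval=5, dead_count=2, dead_time=300):
        self.dead_interval = dead_interval
        self.dead_count = dead_count
        self.dead_time = dead_time
        self.status = "Up"               # a server starts out marked Up
        self.down_since = None
        self.history = []                # (time, new status) transitions
        self._window = None              # index of the detection interval in progress
        self._unanswered = 0             # unanswered Access-Requests in that interval
        self._prev_interrupted = False   # interruption recorded in the previous interval

    def _advance(self, now):
        """Close every detection interval that ended before `now`."""
        window = int(now // self.dead_interval)
        if self._window is None:
            self._window = window
        while self._window < window:
            # A closed interval with fewer than dead-count unanswered packets
            # clears the earlier interruption record (the NOTE on the page).
            self._prev_interrupted = self._unanswered >= self.dead_count
            self._unanswered = 0
            self._window += 1

    def request_unanswered(self, now):
        """An Access-Request (user login, test-aaa, or probe) got no reply."""
        self._advance(now)
        self._unanswered += 1
        interrupted = self._unanswered >= self.dead_count
        if interrupted and self._prev_interrupted and self.status != "Down":
            self.down_since = now
            self._set("Down", now)
        return self.status

    def response_received(self, now):
        """Any reply from the server, even an authentication failure answering
        an automatic-detection probe, marks the server Up again."""
        self._advance(now)
        self._unanswered = 0
        self._prev_interrupted = False
        self.down_since = None
        if self.status != "Up":
            self._set("Up", now)
        return self.status

    def status_at(self, now):
        """Apply the dead-time timer: a Down server becomes Force-up when it expires."""
        if self.status == "Down" and now - self.down_since >= self.dead_time:
            self._set("Force-up", now)
        return self.status

    def _set(self, status, now):
        self.status = status
        self.history.append((now, status))


def simulate(events, **config):
    """Replay constructed (time, event) pairs, event being "timeout" or "reply",
    and return the list of status transitions the device would record."""
    tracker = RadiusServerStatus(**config)
    for t, event in sorted(events):
        tracker.status_at(t)             # let the dead-time timer fire first
        if event == "timeout":
            tracker.request_unanswered(t)
        elif event == "reply":
            tracker.response_received(t)
    return tracker.history


if __name__ == "__main__":
    # Constructed scenario: two unanswered requests in each of two consecutive
    # 5-second intervals, then a probe answered five and a half minutes later.
    print(simulate([(0.5, "timeout"), (1, "timeout"), (5.5, "timeout"),
                    (6, "timeout"), (330, "reply")]))
```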

Consecutive Processing After the RADIUS Server Status Is Marked as Down


After the device marks the RADIUS server status as Down, you can configure the
escape function to make users obtain escape authorization. After the device
detects that the RADIUS server status reverts to Up, you can configure the
reauthentication function to make users obtain authorization from the server
through reauthentication, as shown in Figure 1-12.

NOTE

For 802.1X authenticated users and MAC address authenticated users, after the RADIUS server
status reverts to Up, users exit from escape authorization and are reauthenticated. For Portal
authenticated users, after the RADIUS server status reverts to Up, users obtain pre-connection
authorization and are redirected to the Portal server for authentication only when they
attempt to access network resources.


Figure 1-12 Consecutive processing after the RADIUS server status is marked as
Down (Flowchart 1: MAC authentication process for new access users, showing the
server-down authorization users obtain while the server status on the switch is
DOWN and the re-authentication triggered by the authen-server-up action once
the status returns to UP. Flowchart 2: detection process for the connected user
when the port status changes. The commands referenced are the same as those
listed under Figure 1-11.)

The following commands configure the escape rights upon transition of the
RADIUS server status to Down and the reauthentication function, respectively.
● authentication event authen-server-down action authorize { vlan vlan-id |
service-scheme service-scheme-name } [ response-fail ]: Configures the escape
function upon transition of the RADIUS server status to Down.
● authentication event authen-server-up action re-authen: Configures the
reauthentication function for users in escape status when the RADIUS server
status reverts to Up.

1.2.4.7 RADIUS CoA/DM

The device supports the RADIUS Change of Authorization (CoA) and Disconnect
Message (DM) functions. CoA provides a mechanism to change the rights of
online users, and DM provides a mechanism to forcibly disconnect users. This
section contains the following contents:
● RADIUS CoA/DM packet
● Exchange Procedure
● Session Flag
● Error Code Description

RADIUS CoA/DM packet


Table 1-7 describes types of the CoA/DM packets.

Table 1-7 RADIUS CoA/DM packet

CoA-Request: When an administrator needs to modify the rights of an online user
(for example, prohibit the user from accessing a website), the RADIUS server
sends this packet to the RADIUS client, requesting the client to modify the user
rights.
CoA-ACK: If the RADIUS client successfully modifies the user rights, it returns
this packet to the RADIUS server.
CoA-NAK: If the RADIUS client fails to modify the user rights, it returns this
packet to the RADIUS server.
DM-Request: When an administrator needs to disconnect a user, the server sends
this packet to the RADIUS client, requesting the client to disconnect the user.
DM-ACK: If the RADIUS client has disconnected the user, it returns this packet to
the RADIUS server.
DM-NAK: If the RADIUS client fails to disconnect the user, it returns this packet
to the RADIUS server.

Exchange Procedure
CoA allows the administrator to change the rights of an online user or perform
reauthentication for the user through RADIUS after the user passes authentication.
Figure 1-13 shows the CoA interaction process.


Figure 1-13 CoA interaction process (the user is online; 1. the RADIUS server
sends a CoA-Request packet to the device; 2. the device modifies the user rights;
3. the device returns a CoA-ACK/NAK packet)

1. The RADIUS server sends a CoA-Request packet to the device according to
service information, requesting the device to modify user authorization
information. This packet can contain authorization information including the
ACL.
2. Upon receiving the CoA-Request packet, the device performs a match check
between the packet and user information on the device to identify the user. If
the match succeeds, the device modifies authorization information of the user.
Otherwise, the device retains the original authorization information of the
user.
3. The device returns a CoA-ACK or CoA-NAK packet as follows:
– If authorization information is successfully modified, the device sends a
CoA-ACK packet to the RADIUS server.
– If authorization information fails to be modified, the device sends a CoA-
NAK packet to the RADIUS server.
When a user needs to be disconnected forcibly, the RADIUS server sends a DM
packet to the device. Figure 1-14 shows the DM interaction process.

Figure 1-14 DM interaction process

User Device RADIUS server

1. DM-Request packet
2. Notify the user to go offline.

3. DM-ACK/NAK packet

Issue 09 (2021-03-01) Copyright © Huawei Technologies Co., Ltd. 29


Huawei AR Series IOT Gateway
CLI-based Configuration Guide - Security 1 AAA Configuration

1. The administrator forcibly disconnects a user on the RADIUS server. The


RADIUS server sends a DM-Request packet to the device, requesting the
device to disconnect the user.
2. Upon receiving the DM-Request packet, the device performs a match check
between the packet and user information on the device to identify the user. If
the match succeeds, the user is notified to go offline. Otherwise, the user
remains online.
3. The device returns a DM-ACK or DM-NAK packet as follows:
– If the user successfully goes offline, the device sends a DM-ACK packet to
the RADIUS server.
– Otherwise, the device sends a DM-NAK packet to the RADIUS server.
Different from the process in which authorization is performed for an online user
or a user proactively goes offline, the server sends a request packet and the device
sends a response packet in the CoA/DM process. If CoA/DM succeeds, the device
returns an ACK packet. Otherwise, the device returns a NAK packet.

Session Identification
Each service provided by the NAS to a user constitutes a session, with the
beginning of the session defined as the point where service is first provided and
the end of the session defined as the point where service is ended.
After the device receives a CoA-Request or DM-Request packet from the RADIUS
server, it identifies the user based on RADIUS attributes carried in the packet.
The following RADIUS attributes can be used to identify users:
● User-Name (IETF attribute #1)
● Acct-Session-ID (IETF attribute #44)
● Framed-IP-Address (IETF attribute #8)
● Calling-Station-Id (IETF attribute #31)
The match methods are as follows:
● any method
The device performs a match check between one attribute and user
information on the device. The priority of the RADIUS attributes used to
identify the user is as follows: Acct-Session-ID (44) > Calling-Station-Id (31) >
Framed-IP-Address (8). The device searches for the attributes in the request
packet in this priority order, and performs a match check between the first
attribute found and user information on the device. If the attribute is
successfully matched, the device responds with an ACK packet; otherwise, the
device responds with a NAK packet.
● all method
The device performs a match check between all attributes and user
information on the device. The device identifies the user by the following
RADIUS attributes: Acct-Session-ID (44), Calling-Station-Id (31),
Framed-IP-Address (8), and User-Name (1). The device performs a match
check between all the preceding attributes in the Request packet and user
information on the device. If all the preceding attributes are successfully
matched, the device responds with an ACK packet; otherwise, the device
responds with a NAK packet.

Error Code Description
When the CoA-Request or DM-Request packet from the RADIUS server fails to
match user information on the device, the device describes the failure cause using
the error code in the CoA-NAK or DM-NAK packet. For the error code description,
see Table 1-8 and Table 1-9.

Table 1-8 Error codes in a CoA-NAK packet

Columns: name (value): description.

RD_DM_ERRCODE_MISSING_ATTRIBUTE (402): The request packet lacks key
attributes, so that the integrity check of the RADIUS attributes fails.

RD_DM_ERRCODE_NAS_IDENTIFICATION_MISMATCH (403): One or more attributes in
the request packet fail to be matched.

RD_DM_ERRCODE_INVALID_REQUEST (404): Parsing the attributes in the request
packet fails.

RD_DM_ERRCODE_INVALID_ATTRIBUTE_VALUE (407): The request packet contains
attributes that are not supported by the device or do not exist, so that the
attribute check fails.
Contents of the authorization check include VLAN, ACL, CAR, number of the ACL
used for redirection, and whether Huawei RADIUS extended attributes
RD_hw_URL_Flag and RD_hw_Portal_URL can be authorized to the interface-based
authenticated user.
Errors that may occur are as follows:
● The authorized service scheme does not exist.
● The authorized QoS profile does not exist or no user queue is configured in
  the QoS profile.
● The authorized values of upstream and downstream priorities exceed the
  maximum values.
● The authorized index value of the UCL group is not within the specification.
● The ISP VLAN and outbound interface information are incorrectly parsed.
● Reauthentication attributes and other attributes are authorized
  simultaneously.

RD_DM_ERRCODE_SESSION_CONTEXT_NOT_FOUND (503): The session request fails.
The cause includes:
● Authorization for the current request user is being processed.
● The temporary RADIUS table fails to be requested.
● User information does not match or no user is found.
● The user is a non-RADIUS authentication user.

RD_DM_ERRCODE_RESOURCES_UNAVAILABLE (506): This error code is used for other
authorization failures.

Table 1-9 Error codes in a DM-NAK packet

Columns: name (value): description.

RD_DM_ERRCODE_INVALID_REQUEST (404): Parsing the attributes in the request
packet fails.

RD_DM_ERRCODE_SESSION_CONTEXT_NOT_REMOVABLE (504): The user fails to be
deleted or the user does not exist.
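
The session identification and NAK error codes described above (Session Identification, Tables 1-8 and 1-9), modelled on the NAS side as an added example that is not code from the Huawei guide. The online-user table and the requests are constructed sample data, and the rule used to tell a 403 mismatch from a 503 not-found under the all method is an assumption, since the page does not spell it out.

```python
"""Added example, not code from the Huawei guide: a NAS-side model of CoA/DM
session identification with the 'any' and 'all' match methods, returning the
ACK/NAK decision and the error code of Tables 1-8 and 1-9. Users, requests and
the 403-versus-503 rule under 'all' are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IETF attribute numbers the page lists for session identification
# (Acct-Session-Id is attribute 44, as in Table 1-10).
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 8, 31, 44
# 'any' method: the first attribute found, in this priority order, decides.
ANY_PRIORITY = (ACCT_SESSION_ID, CALLING_STATION_ID, FRAMED_IP_ADDRESS)
# 'all' method: every one of these must match the same online user.
ALL_ATTRS = (ACCT_SESSION_ID, CALLING_STATION_ID, FRAMED_IP_ADDRESS, USER_NAME)

# Error codes carried in CoA-NAK (Table 1-8) and DM-NAK (Table 1-9).
ERR_MISSING_ATTRIBUTE = 402
ERR_NAS_IDENTIFICATION_MISMATCH = 403
ERR_SESSION_CONTEXT_NOT_FOUND = 503
ERR_SESSION_CONTEXT_NOT_REMOVABLE = 504


@dataclass
class OnlineUser:
    attrs: Dict[int, str]      # attribute number -> value recorded at login
    rights: str = "default"    # authorization currently applied to the user


def sample_users() -> List[OnlineUser]:
    """Constructed online-user table, as the device would hold after login."""
    return [
        OnlineUser({USER_NAME: "alice", ACCT_SESSION_ID: "sess-0001",
                    FRAMED_IP_ADDRESS: "10.0.0.7",
                    CALLING_STATION_ID: "00-11-22-33-44-55"}),
        OnlineUser({USER_NAME: "bob", ACCT_SESSION_ID: "sess-0002",
                    FRAMED_IP_ADDRESS: "10.0.0.8",
                    CALLING_STATION_ID: "66-77-88-99-AA-BB"}),
    ]


def identify(request: Dict[int, str], users: List[OnlineUser],
             method: str = "any") -> Tuple[Optional[OnlineUser], int]:
    """Return (matched user, 0) or (None, error code)."""
    if method == "any":
        key = next((a for a in ANY_PRIORITY if a in request), None)
        if key is None:  # none of the three identifying attributes is present
            return None, ERR_MISSING_ATTRIBUTE
        for u in users:
            if u.attrs[key] == request[key]:
                return u, 0
        return None, ERR_SESSION_CONTEXT_NOT_FOUND
    if method == "all":
        if any(a not in request for a in ALL_ATTRS):
            return None, ERR_MISSING_ATTRIBUTE
        for u in users:
            if all(u.attrs[a] == request[a] for a in ALL_ATTRS):
                return u, 0
        # Assumption: a user named by some attribute but contradicted by
        # another is a mismatch (403); no user named at all is not-found (503).
        if any(u.attrs[a] == request[a] for u in users for a in ALL_ATTRS):
            return None, ERR_NAS_IDENTIFICATION_MISMATCH
        return None, ERR_SESSION_CONTEXT_NOT_FOUND
    raise ValueError("method must be 'any' or 'all'")


def handle_coa(request: Dict[int, str], users: List[OnlineUser],
               new_rights: str, method: str = "any") -> Tuple[str, int]:
    """Apply the authorization in a CoA-Request; answer CoA-ACK or CoA-NAK."""
    user, err = identify(request, users, method)
    if user is None:
        return "CoA-NAK", err
    user.rights = new_rights
    return "CoA-ACK", 0


def handle_dm(request: Dict[int, str], users: List[OnlineUser],
              method: str = "any") -> Tuple[str, int]:
    """Disconnect the user named in a DM-Request; answer DM-ACK or DM-NAK.
    Table 1-9 gives DM a single identification error code, 504."""
    user, _ = identify(request, users, method)
    if user is None:
        return "DM-NAK", ERR_SESSION_CONTEXT_NOT_REMOVABLE
    users.remove(user)
    return "DM-ACK", 0
```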

1.2.4.8 RADIUS Attributes


RADIUS attributes are Attribute fields in RADIUS packets, which carry dedicated
authentication, authorization, and accounting information. This chapter covers the
following sections:
● Standard RADIUS Attributes
● Huawei Proprietary RADIUS Attributes
● Huawei-supported Extended RADIUS Attributes of Other Vendors
● RADIUS Attributes Available in Packets
For more information about RADIUS attributes, use the AAA Attribute Query
Tool.

Standard RADIUS Attributes


RFC2865, RFC2866, and RFC3576 define standard RADIUS attributes that are
supported by all mainstream vendors. For details, see Table 1-10.


Table 1-10 Standard RADIUS attributes

Columns: attribute number, attribute name (attribute type): description.

1 User-Name (string): User name for authentication. The user name format can
be user name@domain name, or just user name.

2 User-Password (string): User password for authentication, which is only
valid for the Password Authentication Protocol (PAP).

3 CHAP-Password (string): Response value provided by a PPP Challenge-Handshake
Authentication Protocol (CHAP) user in response to the challenge.

4 NAS-IP-Address (ipaddr): Internet Protocol (IP) address of the NAS carried in
authentication request packets. By default, the attribute value is the source IP
address of the authentication request packets sent by the NAS. You can change
the attribute value to the specified IP address on the NAS using the
radius-attribute nas-ip ip-address command.

5 NAS-Port (integer): Physical port number of the network access server that
is authenticating the user, which is in either of the following formats:
● new: slot ID (8 bits) + sub-slot ID (4 bits) + port number (8 bits) +
  Virtual Local Area Network (VLAN) ID (12 bits)
● old: slot ID (12 bits) + port number (8 bits) + VLAN ID (12 bits)
● The ADSL access physical port is in the format: slot ID (4 bits) + sub-slot
  ID (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits).

6 Service-Type (integer): Service type of the user to be authenticated:
● 2 (Framed): PPP or 802.1X access users
● 6 (Administrative): administrator
● 8 (Authenticate Only): reauthentication only
● 10 (Call Check): MAC address authentication user or MAC address bypass
  authentication user

7 Framed-Protocol (integer): Encapsulation protocol of Frame services:
● For a non-management user, the value is fixed as 1.
● For a management user, the value is fixed as 6.

8 Framed-IP-Address (ipaddr): User IP address.

9 Framed-IP-Netmask (ipaddr): User IP address mask. This field must be used
with the Framed-IP-Address field.

11 Filter-Id (string): User group name or IPv4 Access Control List (ACL) ID.
NOTE
● When this attribute carries the IPv4 ACL ID, the IPv4 ACL IDs must range
  from 3000 to 3999 (wired users) or 3000 to 3031 (wireless users).
● A RADIUS packet cannot carry the user group name and the IPv4 ACL ID
  simultaneously.

12 Framed-MTU (integer): Maximum transmission unit (MTU) of the data link
between user and NAS. For example, in 802.1X Extensible Authentication Protocol
(EAP) authentication, the NAS specifies the maximum length of the EAP packet in
this attribute. An EAP packet larger than the link MTU may be lost.

14 Login-IP-Host (ipaddr): Management user IP address:
● If the value is 0 or 0xFFFFFFFF, the IP address of the management user is
  not checked.
● If this attribute uses other values, the NAS checks whether the management
  user IP address is the same as the delivered attribute value.

15 Login-Service (integer): Service to use to connect the user to the login
host:
● 0: Telnet
● 5: X25-PAD
● 50: SSH
● 51: FTP
● 52: Terminal
NOTE
An attribute can contain multiple service types.

18 Reply-Message (string): This attribute determines whether a user is
authenticated:
● When an Access-Accept packet is returned, the user is successfully
  authenticated.
● When an Access-Reject packet is returned, the user fails authentication.

19 Callback-Number (string): Information sent from the authentication server
and to be displayed to a user, such as a mobile number.

22 Framed-Route (string): Routing information provided by the RADIUS server to
users, in format Destination/Mask NextHop Metric, for example,
192.168.1.0/24 192.168.1.1 1. If the NextHop value is 0.0.0.0, the user IP
address is used as the next hop address. The device can obtain only one Metric
value. If the attribute delivered by the RADIUS server contains multiple Metric
values, the device obtains only the first one.

24 State (string): This Attribute is available to be sent by the server to the
client in an Access-Challenge and MUST be sent unmodified from the client to
the server in the new Access-Request reply to that challenge, if any.

25 Class (string): If the RADIUS server sends a RADIUS Access-Accept packet
carrying the Class attribute to the NAS, the subsequent RADIUS
Accounting-Request packets sent from the NAS must carry the Class attribute
with the same value.

26 Vendor-Specific (string): Vendor-specific attribute. For details, see
Table 1-11. A packet can carry one or more private attributes. Each private
attribute contains one or more sub-attributes.

27 Session-Timeout (integer): In the Access-Request packet, this attribute
indicates the maximum number of seconds a user should be allowed to remain
connected.
In the Access-Challenge packet, this attribute indicates the duration for which
EAP authentication users are reauthenticated.
When the value of this attribute is 0:
● If the aaa-author session-timeout invalid-value enable command is not
  configured, the session-timeout attribute delivered by the server does not
  take effect and the period for disconnecting or reauthenticating users
  depends on the device configuration.
● If the aaa-author session-timeout invalid-value enable command is
  configured, the session-timeout attribute delivered by the server takes
  effect and the device does not disconnect or reauthenticate users.
NOTE
This attribute is only valid for 802.1X, MAC address, Portal, and PPPoE
authentication users.
When the RADIUS server delivers only this attribute, the value of attribute 29
Termination-Action is set to 0 (users are forced offline) by default.

28 Idle-Timeout (integer): Maximum number of consecutive seconds of idle
connection the user is allowed before termination of the session or prompt.
NOTE
This attribute is only valid for administrators and L2TP users.

29 Termination-Action (integer): What action the NAS should take when the
specified service is completed:
● 0: forcible disconnection
● 1: reauthentication
NOTE
This attribute is only valid for 802.1X and MAC address authentication users.
When the RADIUS server delivers only this attribute, the value of attribute 27
Session-Timeout is set to 3600s (for 802.1X authentication users) or 1800s (for
MAC address authentication users) by default.

30 Called-Station-Id (string): Identification number of the NAS.
● For wired users, it is the NAS MAC address.
● For wireless users, it is the SSID and MAC address of the AP.

31 Calling-Station-Id (string): This Attribute allows the NAS to send in the
Access-Request packet the phone number that the call came from, using
Automatic Number Identification (ANI) or similar technology.

32 NAS-Identifier (string): String identifying the network access server
originating the Access-Request. By default, the attribute value is the host
name of the device. You can change the attribute value to the VLAN ID of the
user using the radius-server nas-identifier-format { hostname | vlan-id }
command.

40 Acct-Status-Type (integer): Accounting-Request type:
● 1: Accounting-Start packet
● 2: Accounting-Stop packet
● 3: Interim-Accounting packet

41 Acct-Delay-Time (integer): Number of seconds the client has been trying to
send the accounting packet (excluding the network transmission time).

44 Acct-Session-Id (string): Accounting session ID. The Accounting-Start,
Interim-Accounting, and Accounting-Stop packets of the same accounting session
must have the same session ID.
The format of this attribute is: Host name (7 bits) + Slot ID (2 bits) +
Subcard number (1 bit) + Port number (2 bits) + Outer VLAN ID (4 bits) + Inner
VLAN ID (5 bits) + Central Processing Unit (CPU) Tick (6 bits) + User ID prefix
(2 bits) + User ID (5 bits).

45 Acct-Authentic (integer): User authentication mode:
● 1: RADIUS authentication
● 2: Local authentication
● 3: Other remote authentications

46 Acct-Session-Time (integer): How long (in seconds) the user has received
service.
NOTE
If the administrator modifies the system time after the user goes online, the
online time calculated by the device may be incorrect.

49 Acct-Terminate-Cause (string): Cause of a terminated session:
● User-Request (1): The user requests termination of service.
● Lost Carrier (2): The connection is torn down due to a handshake failure or
  heartbeat timeout, such as an ARP probe failure or PPP handshake failure.
● Lost Service (3): The connection initiated by the peer device is torn down.
● Idle Timeout (4): The idle timer expires.
● Session Timeout (5): The session times out or the traffic threshold is
  reached.
● Admin Reset (6): The administrator forces the user to go offline.
● Admin Reboot (7): The administrator restarts the NAS.
● Port Error (8): A port fails.
● NAS Error (9): The NAS encounters an internal error.
● NAS Request (10): The NAS ends the session due to resource changes.
● NAS Reboot (11): The NAS automatically restarts.
● Port Unneeded (12): The port is Down.
● Port Preempted (13): The port is preempted.
● Port Suspended (14): The port is suspended.
● Service Unavailable (15): The service is unavailable.
● Callback (16): NAS is terminating the current session to perform a callback
  for a new session.
● User Error (17): User authentication fails or times out.
● Host Request (18): A host sends a request.

60 CHAP-Challenge (string): Challenge field in CHAP authentication. This field
is generated by the NAS for Message Digest algorithm 5 (MD5) calculation.

61 NAS-Port-Type (integer): NAS port type. The attribute value can be
configured in the interface view. By default, the type is Ethernet (15).

64 Tunnel-Type (integer): Protocol type of the tunnel. The value is fixed as
13, indicating VLAN.

65 Tunnel-Medium-Type (integer): Medium type used on the tunnel. The value is
fixed as 6, indicating Ethernet.

66 Tunnel-Client-Endpoint (string): Tunnel client address.

67 Tunnel-Server-Endpoint (string): Tunnel server address.

79 EAP-Message (string): Encapsulates Extensible Authentication Protocol (EAP)
packets so that RADIUS supports EAP authentication. When an EAP packet is
longer than 253 bytes, the packet is encapsulated into multiple attributes. A
RADIUS packet can carry multiple EAP-Message attributes.

80 Message-Authenticator (string): Authenticates and verifies authentication
packets to prevent spoofing packets.

81 Tunnel-Private-Group-ID (string): Tunnel private group ID, which is used to
deliver user VLAN IDs.
NOTE
To make the VLAN authorization function take effect, ensure the correct access
control mode is configured:
● When the link type is hybrid in untagged mode, the access control mode can
  be MAC address or interface.
● When the link type is access or trunk, the access control mode can only be
  interface.

82 Tunnel-Assignment-Id (string): Specific ID assigned to the tunnel.

85 Acct-Interim-Interval (integer): Interim accounting interval. The value
ranges from 60 to 3932100, in seconds. It is recommended that the interval be
at least 600 seconds.

87 NAS-Port-Id (string): Port of the NAS that is authenticating the user. The
NAS-Port-Id attribute has the following formats:
● New:
  For Ethernet access users, the NAS-Port-Id is in the format "slot=xx;
  subslot=xx; port=xxx; VLAN ID=xxxx", in which "slot" ranges from 0 to 15,
  "subslot" 0 to 15, "port" 0 to 255, and "VLAN ID" 1 to 4094.
  For ADSL access users, the NAS-Port-Id is in the format "slot=xx;
  subslot=x; port=x; VPI=xxx; VCI=xxxxx", in which "slot" ranges from 0 to
  15, "subslot" 0 to 9, "port" 0 to 9, "VPI" 0 to 255, and "VCI" 0 to 65535.
● Old:
  For Ethernet access users, the NAS-Port-Id is in the format "port number
  (2 characters) + sub-slot ID (2 bytes) + card number (3 bytes) + VLAN ID
  (9 characters)."
  For ADSL access users: port number (2 characters) + sub-slot ID (2 bytes) +
  card number (3 bytes) + VPI (8 characters) + VCI (16 characters). The
  fields are prefixed with 0s if they contain fewer bytes than specified.

88 Framed-Pool (string): Address pool, which is only included in the
Access-Accept packet. It is used as authorization information in Efficient VPN.

90 Tunnel-Client-Auth-Id (string): Client tunnel ID used for authentication
during tunnel setup.

91 Tunnel-Server-Auth-Id (string): Server tunnel ID used for authentication
during tunnel setup.

95 NAS-IPv6-Address (ipaddr): IPv6 address carried in the authentication
request packet sent by the NAS. Both the NAS-IPv6-Address and NAS-IP-Address
fields can be included in a packet.

195 HW-SecurityStr (string): Security information of users in EAP relay
authentication.
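
The NAS-Port (attribute 5) bit-field layouts and the "new" NAS-Port-Id (attribute 87) string from Table 1-10, packed and decoded as an added example that is not code from the Huawei guide. Field widths and value ranges are those stated in the table; the zero-padding of the NAS-Port-Id string is an assumption read from the "slot=xx; ... VLAN ID=xxxx" pattern, and all field values are constructed samples.

```python
"""Added example, not code from the Huawei guide: pack and decode the 32-bit
NAS-Port layouts of Table 1-10 and render the 'new'-format NAS-Port-Id string.
Padding widths in the string are an assumption from the 'xx'/'xxx'/'xxxx'
pattern on the page."""
from typing import Dict, List, Tuple

# (field name, width in bits), most significant field first; each layout sums to 32.
NAS_PORT_LAYOUTS: Dict[str, List[Tuple[str, int]]] = {
    "new":  [("slot", 8), ("subslot", 4), ("port", 8), ("vlan", 12)],
    "old":  [("slot", 12), ("port", 8), ("vlan", 12)],
    "adsl": [("slot", 4), ("subslot", 2), ("port", 2), ("vpi", 8), ("vci", 16)],
}

# Value ranges the page gives for the Ethernet 'new' NAS-Port-Id string.
NAS_PORT_ID_RANGES = {"slot": (0, 15), "subslot": (0, 15),
                      "port": (0, 255), "vlan": (1, 4094)}


def encode_nas_port(fields: Dict[str, int], layout: str = "new") -> int:
    """Pack the named fields into one NAS-Port integer, MSB first."""
    value = 0
    for name, width in NAS_PORT_LAYOUTS[layout]:
        field = fields[name]
        if not 0 <= field < (1 << width):
            raise ValueError(f"{name}={field} does not fit in {width} bits")
        value = (value << width) | field
    return value


def decode_nas_port(value: int, layout: str = "new") -> Dict[str, int]:
    """Split a NAS-Port integer back into its fields for the given layout."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NAS-Port is a 32-bit integer")
    fields: Dict[str, int] = {}
    for name, width in reversed(NAS_PORT_LAYOUTS[layout]):
        fields[name] = value & ((1 << width) - 1)
        value >>= width
    return fields


def nas_port_id_new(fields: Dict[str, int]) -> str:
    """Render the Ethernet 'new' NAS-Port-Id string from decoded fields,
    rejecting values outside the ranges the page lists for that string."""
    for name, (lo, hi) in NAS_PORT_ID_RANGES.items():
        if not lo <= fields[name] <= hi:
            raise ValueError(f"{name}={fields[name]} outside {lo}-{hi}")
    # Assumed zero-padding: slot/subslot 2 digits, port 3 digits, VLAN 4 digits.
    return ("slot={slot:02d}; subslot={subslot:02d}; port={port:03d}; "
            "VLAN ID={vlan:04d}").format(**fields)
```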

Huawei Proprietary RADIUS Attributes


RADIUS is a fully extensible protocol. The No. 26 attribute (Vendor-Specific)
defined in RFC2865 can be used to extend RADIUS for implementing functions not
supported by standard RADIUS attributes. Table 1-11 describes Huawei
proprietary RADIUS attributes.

NOTE

Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei
is 2011.
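
The Vendor-Specific attribute (26) carrying Huawei sub-attributes under vendor ID 2011, built and parsed as an added example that is not code from the Huawei guide. The sub-attribute numbers and the 0 to 15 range of HW-Exec-Privilege are from Table 1-11; the TLV layout (type, length, 4-byte vendor ID, then vendor-type, vendor-length, value per sub-attribute) is the standard RFC 2865 form and is assumed to be what the device uses.

```python
"""Added example, not code from the Huawei guide: encode and decode the
Vendor-Specific attribute (26) with Huawei (vendor ID 2011) sub-attributes.
RFC 2865 TLV layout is assumed for the sub-attributes; sample values are
constructed."""
import struct
from typing import List, Optional, Tuple, Union

VENDOR_SPECIFIC = 26
HUAWEI_VENDOR_ID = 2011
HW_EXEC_PRIVILEGE = 29     # 26-29, integer, 0-15 valid (Table 1-11)
HW_DOMAIN_NAME = 138       # 26-138, string
MAX_ATTR_LEN = 255         # the one-byte Length field covers the whole attribute


def encode_sub_attribute(vendor_type: int, value: Union[int, str]) -> bytes:
    """Huawei sub-attribute: integers are 4 bytes, strings are raw bytes."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    if len(data) > MAX_ATTR_LEN - 2:
        raise ValueError("sub-attribute value too long")
    return struct.pack("!BB", vendor_type, len(data) + 2) + data


def encode_huawei_vsa(subs: List[Tuple[int, Union[int, str]]]) -> bytes:
    """One Vendor-Specific attribute carrying one or more Huawei sub-attributes."""
    body = struct.pack("!I", HUAWEI_VENDOR_ID)
    body += b"".join(encode_sub_attribute(t, v) for t, v in subs)
    if len(body) + 2 > MAX_ATTR_LEN:
        raise ValueError("split the sub-attributes across several VSAs")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_vsa(attr: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Return (vendor_id, [(vendor_type, raw value), ...]) or raise ValueError.
    Sub-attributes are parsed only for the Huawei vendor ID; another vendor's
    payload is returned whole under vendor type 0 for the caller to handle."""
    if len(attr) < 7 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    payload = attr[6:]
    if vendor_id != HUAWEI_VENDOR_ID:
        return vendor_id, [(0, payload)]
    subs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = payload[pos], payload[pos + 1]
        if vlen < 2 or pos + vlen > len(payload):
            raise ValueError("sub-attribute length inconsistent with attribute")
        subs.append((vtype, payload[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def exec_privilege(raw: bytes) -> Optional[int]:
    """HW-Exec-Privilege level, or None when malformed or >= 16 (ineffective)."""
    if len(raw) != 4:
        return None
    level = struct.unpack("!I", raw)[0]
    return level if level <= 15 else None
```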

Table 1-11 Huawei proprietary RADIUS attributes

Columns: attribute number, attribute name (attribute type): description.

26-1 HW-Input-Peak-Information-Rate (integer): Peak rate at which the user
accesses the NAS, in bit/s. The value is a 4-byte integer.

26-2 HW-Input-Committed-Information-Rate (integer): Average rate at which the
user accesses the NAS, in bit/s. The value is a 4-byte integer.

26-3 HW-Input-Committed-Burst-Size (integer): Committed burst size (CBS) at
which the user accesses the NAS, in bit/s. The value is a 4-byte integer.

26-4 HW-Output-Peak-Information-Rate (integer): Peak rate at which the NAS
connects to the user, in bit/s. The value is a 4-byte integer.

26-5 HW-Output-Committed-Information-Rate (integer): Average rate at which the
NAS connects to the user, in bit/s. The value is a 4-byte integer.

26-6 HW-Output-Committed-Burst-Size (integer): Committed burst size at which
the NAS connects to the user, in bit/s. The value is a 4-byte integer.

26-15 HW-Remanent-Volume (integer): Remaining traffic. The unit is KB.

26-26 HW-Connect-ID (integer): Index of a user connection.

26-28 HW-FTP-Directory (string): Initial directory of an FTP user.

26-29 HW-Exec-Privilege (integer): Management user (such as Telnet user)
priority, ranging from 0 to 15. A priority greater than or equal to 16 is
ineffective.

26-31 HW-Qos-Data (string): Name of the QoS profile. The maximum length of the
name is 31 bytes. The RADIUS server uses this field to deliver the QoS profile.
The QoS profile must exist on the device.

26-59 HW-NAS-Startup-Time-Stamp (integer): NAS start time, represented by the
number of seconds elapsed since 00:00:00 of January 1, 1970.

26-60 HW-IP-Host-Address (string): User IP address and MAC address carried in
authentication and accounting packets, in the format A.B.C.D hh:hh:hh:hh:hh:hh.
The IP address and MAC address are separated by a space.
If the user's IP address is detected to be invalid during authentication, the
IP address is set to 255.255.255.255.

26-75 HW-Primary-WINS (ipaddr): Primary WINS server address delivered by the
RADIUS server after a user is successfully authenticated.

26-76 HW-Second-WINS (ipaddr): Secondary WINS server address delivered by the
RADIUS server after a user is successfully authenticated.

26-77 HW-Input-Peak-Burst-Size (integer): Upstream peak rate, in bit/s.

26-78 HW-Output-Peak-Burst-Size (integer): Downstream peak rate, in bit/s.

26-94 HW-VPN-Instance (string): VPN instance name delivered by the RADIUS
server after a user is successfully authenticated. It specifies the VPN to
which the user belongs.

26-135 HW-Client-Primary-DNS (ipaddr): Primary DNS address delivered by the
RADIUS server after a user is successfully authenticated.

26-136 HW-Client-Secondary-DNS (ipaddr): Secondary DNS address delivered by
the RADIUS server after a user is successfully authenticated.

26-138 HW-Domain-Name (string): Name of the domain used for user
authentication. This attribute can be the domain name contained in a user name
or the name of a forcible domain.

26-141 HW-AP-Information (string): AP's MAC address used for STA
authentication.

26-142 HW-User-Information (string): User security check information delivered
by the RADIUS server to an Extensible Authentication Protocol over LAN (EAPoL)
user to notify the user of items that require security checks.

26-146 HW-Service-Scheme (string): Service scheme name. A service scheme
contains user authorization information and policies.

26-153 HW-Access-Type (integer): User access type carried in the
authentication and accounting request packets sent by the RADIUS client to the
RADIUS server:
● 1: Dot1x user
● 2: MAC address authentication user or MAC address bypass authentication
● 3: Portal authentication user
● 4: Static user
● 6: Management user
● 7: PPP users

26-155 HW-URL-Flag (integer): This attribute specifies whether a Uniform
Resource Locator (URL) is forcibly pushed to users when it is used with another
attribute, for example, HW-Portal-URL:
● 0: No
● 1: Yes

26-156 HW-Portal-URL (string): Forcibly pushed URL.
If information delivered by the RADIUS server matches the configured URL
template, the URL configured in the template is used. Otherwise, the character
string delivered by the RADIUS server is used.

26-201 HW-User-Extend-Info (string): Extended user information. This attribute
is contained in authentication and accounting request packets. A packet can
contain multiple HW-User-Extend-Info attributes. The following describes
extended user information:
● User-Position: Service code of the location where a user goes online
● User-Position-Type: Type of the location where a user goes online
● AP-Device-Code: AP code
● AP-POS-X: Longitude of a moving AP
● AP-POS-Y: Latitude of a moving AP
● Wifi-Density: Field strength
● HW-Access-Time: User access time. The value is the number of seconds
  elapsed since 00:00:00 of January 1, 1970. 802.1X authentication supports
  only this field.
● wan-src-ip: Source IPv4/IPv6 address of the external network. An IPv4
  address is expressed by an unsigned integer in host byte order, for example,
  2880036141. An IPv6 address is expressed by a colon-delimited hexadecimal
  notation string (XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX), for example,
  CDCD:910A:2222:5498:1111:3900:2020:6328.
● wan-src-start-port: Start source IPv4/IPv6 port number of the external
  network. A source port can be a TCP or an IP port, and the port number
  range is from 0 to 65535. If only one port is available, the start and end
  port numbers are the same.
● wan-src-end-port: End source IPv4/IPv6 port number of the external network.
  A source port can be a TCP or an IP port, and the port number range is from
  0 to 65535.
This attribute applies only to MAC address authentication and Portal
authentication.

26-237 HW-Web-Authen-Info (string): Information sent from the portal server
via the device (which transparently transmits the information) to the RADIUS
server. For example, a user selects the authentication-free option and time
information for next login, based on which the RADIUS server saves the MAC
address of the user for a period of time. Upon the next login of the user, the
login page is not displayed. Instead, MAC address authentication is
preferentially used. This attribute can be used for transparent transmission
in complex modes such as EAP.

26-241 HW-User-Addr-Network (ipaddr): User's address segment.

26-242 HW-DNS-Domain-Name (string): DNS domain name.

26-243 HW-Auto-Update-URL (string): URL address for version upgrade.

26-244 HW-Reachable-Detect (string): Server reachability detection
information. Authentication packets carrying this attribute are server
detection packets.

26-247 HW-Tariff-Input-Octets (string): Number of upstream bytes at the
specified tariff level sent to the accounting server. This field is included in
the accounting packets. The unit can be byte, kilobyte, megabyte, or gigabyte.
The format is Tariff level:Number of upstream bytes. An accounting packet can
contain the traffic of at most 8 tariff levels.

26-248 HW-Tariff-Output-Octets (string): Number of downstream bytes at the
specified tariff level sent to the accounting server. This field is included in
the accounting packets. The unit can be byte, kilobyte, megabyte, or gigabyte.
The format is Tariff level:Number of downstream bytes. An accounting packet
can contain the traffic of at most 8 tariff levels.

26-249 HW-Tariff-Input-Gigawords (string): Number of times larger the number
of upstream bytes at the specified tariff level is than 4G. This field and the
HW-Tariff-Input-Octets field specify the number of upstream bytes at the
specified tariff level.

26-250 HW-Tariff-Output-Gigawords (string): Number of times larger the number
of downstream bytes at the specified tariff level is than 4G. This field and
the HW-Tariff-Output-Octets field specify the number of downstream bytes at
the specified tariff level.

26-254 HW-Version (string): Software version of the device.

26-255 HW-Product-ID (string): NAS product name.

Huawei-supported Extended RADIUS Attributes of Other Vendors
Huawei devices support some extended RADIUS attributes of Microsoft. For
details, see Table 1-12.

Table 1-12 Huawei-supported extended RADIUS attributes of other vendors

Columns: attribute number, attribute name (attribute type): description.

MICROSOFT-16 MS-MPPE-Send-Key (string): This attribute indicates the MPPE
sending key.

MICROSOFT-17 MS-MPPE-Recv-Key (string): This attribute indicates the MPPE
receiving key.

RADIUS Attributes Available in Packets
Different RADIUS packets carry different RADIUS attributes.
● For the RADIUS attributes available in authentication packets, see Table 1-13.
● For the RADIUS attributes available in accounting packets, see Table 1-14.
● For the RADIUS attributes available in authorization packets, see Table 1-15.

NOTE
The following describes the values in the tables:
● 1: indicates that the attribute must appear once in the packet.
● 0: indicates that the attribute cannot appear in the packet (it will be
  discarded if it is contained).
● 0-1: indicates that the attribute can appear once or does not appear in the
  packet.
● 0+: indicates that the attribute may appear multiple times or does not
  appear in the packet.
Table 1-13 RADIUS attributes available in authentication packets

Attribute No.                               Access-Request  Access-Accept   Access-Reject   Access-Challenge
User-Name(1)                                1               0-1             0               0
User-Password(2)                            0-1             0               0               0
CHAP-Password(3)                            0-1             0               0               0
NAS-IP-Address(4)                           1               0               0               0
NAS-Port(5)                                 1               0               0               0
Service-Type(6)                             1               0-1             0               0
Framed-Protocol(7)                          1               0-1             0               0
Framed-IP-Address(8)                        0-1             0-1             0               0
Framed-IP-Netmask(9)                        0               0-1             0               0
Filter-Id(11)                               0               0-1             0               0
Framed-MTU(12)                              0-1             0               0               0
Login-IP-Host(14)                           0-1             0-1             0               0
Login-Service(15)                           0               0-1             0               0
Reply-Message(18)                           0               0-1             0-1             0-1
Callback-Number(19)                         0               0-1             0               0
Framed-Route(22)                            0               0-1             0               0
State(24)                                   0-1             0-1             0               0-1
Class(25)                                   0               0-1             0               0
Session-Timeout(27)                         0               0-1             0-1             0-1
Idle-Timeout(28)                            0               0-1             0               0
Termination-Action(29)                      0               0-1             0               0-1
Called-Station-Id(30)                       0-1             0               0               0
Calling-Station-Id(31)                      1               0-1             0               0
NAS-Identifier(32)                          1               0               0               0
Acct-Session-Id(44)                         1               0               0               0
CHAP-Challenge(60)                          0-1             0               0               0
NAS-Port-Type(61)                           1               0               0               0
Tunnel-Type(64)                             0               0-1             0               0
Tunnel-Medium-Type(65)                      0               0-1             0               0
Tunnel-Client-Endpoint(66)                  0-1             0-1             0               0
Tunnel-Server-Endpoint(67)                  0-1             0-1             0               0
EAP-Message(79)                             0-1             0-1             0-1             0-1
Message-Authenticator(80)                   0-1             0-1             0-1             0-1
Tunnel-Private-Group-ID(81)                 0               0-1             0-1             0
Tunnel-Assignment-Id(82)                    0               0-1             0               0
Acct-Interim-Interval(85)                   0               0-1             0               0
NAS-Port-Id(87)                             0-1             0               0               0
Framed-Pool(88)                             0               1               0               0
Tunnel-Client-Auth-Id(90)                   0               0-1             0               0
Tunnel-Server-Auth-Id(91)                   0               0-1             0               0
NAS-IPv6-Address(95)                        0-1             0               0               0
HW-SecurityStr(195)                         0-1             0               0               0
HW-Input-Peak-Information-Rate(26-1)        0               0-1             0               0
HW-Input-Committed-Information-Rate(26-2)   0               0-1             0               0
HW-Input-Committed-Burst-Size(26-3)         0               0-1             0               0
HW-Output-Peak-Information-Rate(26-4)       0               0-1             0               0
HW-Output-Committed-Information-Rate(26-5)  0               0-1             0               0
HW-Output-Committed-Burst-Size(26-6)        0               0-1             0               0
HW-Remanent-Volume(26-15)                   0               0-1             0               0
HW-Connect-ID(26-26)                        1               0               0               0
Ftp-directory(26-28)                        0               0-1             0               0
HW-Exec-Privilege(26-29)                    0               0-1             0               0
HW-Qos-Data(26-31)                          0               0-1             0               0
HW-NAS-Startup-Time-Stamp(26-59)            1               0               0               0
HW-IP-Host-Address(26-60)                   1               0               0               0
HW-Primary-WINS(26-75)                      0               0-1             0               0
HW-Second-WINS(26-76)                       0               0-1             0               0
HW-Input-Peak-Burst-Size(26-77)             0               0-1             0               0
HW-Output-Peak-Burst-Size(26-78)            0               0-1             0               0
HW-VPN-Instance(26-94)                      0               0-1             0               0
HW-Client-Primary-DNS(26-135)               0               0-1             0               0
HW-Client-Secondary-DNS(26-136)             0               0-1             0               0
HW-Domain-Name(26-138)                      1               0               0               0
HW-AP-Information(26-141)                   1               0               0               0
HW-User-Information(26-142)                 0               0-1             0               0
HW-Web-Proxy-Name(26-143)                   0               0-1             0               0
HW-Port-Forward-Name(26-144)                0               0-1             0               0
HW-IP-Forwarding-Name(26-145)               0               0-1             0               0
HW-Service-Scheme(26-146)                   0               0-1             0               0
HW-Access-Type(26-153)                      1               0-1             0               0
HW-User-Extend-Info(26-201)                 0-1             0               0               0
HW-Web-Authen-Info(26-237)                  1               0               0               0
HW-User-Addr-Network(26-241)                0               0-1             0               0
HW-DNS-Domain-Name(26-242)                  0               0-1             0               0
HW-Auto-Update-URL(26-243)                  0               0-1             0               0
HW-Reachable-Detect(26-244)                 0               0               0               0
HW-Version(26-254)                          1               0               0               0
HW-Product-ID(26-255)                       1               0               0               0
MS-MPPE-Send-Key(MICROSOFT-16)              0               0-1             0               0
MS-MPPE-Recv-Key(MICROSOFT-17)              0               0-1             0               0

Table 1-14 RADIUS attributes available in accounting packets

Req = Accounting-Request, Resp = Accounting-Response; Start, Interim and Stop are the
Acct-Status-Type of the packet (Interim = Interim-Update).

Attribute No.                               Req-Start     Req-Interim   Req-Stop      Resp-Start    Resp-Interim  Resp-Stop
User-Name(1)                                1             1             1             0             0             0
NAS-IP-Address(4)                           1             1             1             0             0             0
NAS-Port(5)                                 1             1             1             0             0             0
Service-Type(6)                             1             1             1             0             0             0
Framed-Protocol(7)                          1             1             1             0             0             0
Framed-IP-Address(8)                        1             1             1             0             0             0
Class(25)                                   0-1           0-1           0-1           0             0             0
Session-Timeout(27)                         0             0             0             0-1           0-1           0
Called-Station-Id(30)                       1             1             1             0             0             0
    NOTE: For users who access the network through PPP authentication, this attribute is
    optional. If the authentication request packet does not carry it, neither does the
    accounting request packet.
Calling-Station-Id(31)                      1             1             1             0             0             0
NAS-Identifier(32)                          1             1             1             0             0             0
Acct-Status-Type(40)                        1             1             1             0             0             0
Acct-Delay-Time(41)                         0-1           1             1             0             0             0
Acct-Output-Octets(43)                      0-1           0-1           0-1           0             0             0
Acct-Session-Id(44)                         1             1             1             0             0             0
Acct-Authentic(45)                          1             1             1             0             0             0
Acct-Session-Time(46)                       0             1             1             0             0             0
Acct-Terminate-Cause(49)                    0             0             1             0             0             0
Event-Timestamp(55)                         1             1             1             0             0             0
NAS-Port-Type(61)                           1             1             1             0             0             0
Tunnel-Client-Endpoint(66)                  0-1           0-1           0-1           0             0             0
Tunnel-Server-Endpoint(67)                  0-1           0-1           0-1           0             0             0
Tunnel-Assignment-Id(82)                    0-1           0-1           0-1           0             0             0
NAS-Port-Id(87)                             1             1             1             0             0             0
Tunnel-Client-Auth-Id(90)                   0-1           0-1           0-1           0             0             0
Tunnel-Server-Auth-Id(91)                   0-1           0-1           0-1           0             0             0
NAS-IPv6-Address(95)                        0-1           0-1           0-1           0             0             0
HW-Input-Committed-Information-Rate(26-2)   1             1             1             0             0             0
HW-Output-Committed-Information-Rate(26-5)  1             1             1             0             0             0
HW-Connect-ID(26-26)                        1             1             1             0             0             0
HW-IP-Host-Address(26-60)                   1             1             1             0             0             0
HW-Domain-Name(26-138)                      1             1             1             0             0             0
HW-AP-Information(26-141)                   0-1           0-1           0-1           0             0             0
HW-User-Information(26-142)                 0             0             0             0-1           0-1           0
HW-Access-Type(26-153)                      0-1           0-1           0-1           0             0             0
HW-User-Extend-Info(26-201)                 0-1           0-1           0-1           0             0             0
HW-Reachable-Detect(26-244)                 0             0             0             0             0             0
HW-Tariff-Input-Octets(26-247)              0             0-1           0-1           0             0             0
HW-Tariff-Output-Octets(26-248)             0             0-1           0-1           0             0             0
HW-Tariff-Input-Gigawords(26-249)           0             0-1           0-1           0             0             0
HW-Tariff-Output-Gigawords(26-250)          0             0-1           0-1           0             0             0
MS-MPPE-Send-Key(MICROSOFT-16)              0             0             0             0             0             0
MS-MPPE-Recv-Key(MICROSOFT-17)              0             0             0             0             0             0

Table 1-15 RADIUS attributes available in CoA/DM packets

CoA = Change-of-Authorization (CoA-Request, CoA-ACK, CoA-NAK), DM = Disconnect-Message
(Disconnect-Request, Disconnect-ACK, Disconnect-NAK), both defined in RFC 5176.

Attribute No.                               CoA-Request   CoA-ACK       CoA-NAK       DM-Request    DM-ACK        DM-NAK
User-Name(1)                                0-1           0-1           0-1           0-1           0-1           0-1
NAS-IP-Address(4)                           0-1           0-1           0-1           0-1           0-1           0-1
NAS-Port(5)                                 0-1           0             0             0-1           0             0
Framed-IP-Address(8)                        0-1           0-1           0-1           0-1           0-1           0-1
Filter-Id(11)                               0-1           0             0             0             0             0
Session-Timeout(27)                         0-1           0             0             0             0             0
Idle-Timeout(28)                            0-1           0             0             0             0             0
Termination-Action(29)                      0-1           0             0             0             0             0
Calling-Station-Id(31)                      0-1           0-1           0-1           0-1           0-1           0-1
NAS-Identifier(32)                          0             0-1           0-1           0             0             0
Acct-Session-Id(44)                         1             1             1             1             1             1
Tunnel-Type(64)                             0-1           0             0             0             0             0
Tunnel-Medium-Type(65)                      0-1           0             0             0             0             0
Tunnel-Private-Group-ID(81)                 0-1           0             0             0             0             0
Acct-Interim-Interval(85)                   0-1           0             0             0             0             0
NAS-Port-Id(87)                             0-1           0             0             0-1           0             0
HW-Input-Peak-Information-Rate(26-1)        0-1           0             0             0             0             0
HW-Input-Committed-Information-Rate(26-2)   0-1           0             0             0             0             0
HW-Output-Peak-Information-Rate(26-4)       0-1           0             0             0             0             0
HW-Output-Committed-Information-Rate(26-5)  0-1           0             0             0             0             0
HW-Output-Committed-Burst-Size(26-6)        0-1           0             0             0             0             0
HW-Qos-Data(26-31)                          0-1           0             0             0             0             0
HW-Input-Peak-Burst-Size(26-77)             0-1           0             0             0             0             0
HW-Output-Peak-Burst-Size(26-78)            0-1           0             0             0             0             0
HW-Service-Scheme(26-146)                   0-1           0             0             0             0             0
MS-MPPE-Send-Key(MICROSOFT-16)              0             0             0             0             0             0
MS-MPPE-Recv-Key(MICROSOFT-17)              0             0             0             0             0             0

1.2.4.9 RADIUS Attribute Disablement and Translation

Different vendors support different sets of RADIUS attributes, and each vendor may define
private attributes. RADIUS attributes from different vendors may therefore be incompatible, so
that attributes exchanged between devices from different vendors cannot be parsed. The RADIUS
attribute disablement and translation functions resolve this, and are commonly used in
interconnection and device replacement scenarios.

RADIUS Attribute Disablement

The RADIUS server may use attributes that have the same attribute IDs and names as those on the
device but a different encapsulation format or content. In this case, you can configure the
RADIUS attribute disablement function to disable such attributes. The device then neither parses
these attributes when it receives them from the RADIUS server nor encapsulates them into the
RADIUS packets it sends to the server.

Currently, only Huawei-supported RADIUS attributes (that is, attributes with Huawei-supported
names and IDs) can be disabled on the device, in the sent or the received direction.

RADIUS Attribute Translation


RADIUS attribute translation is used to achieve compatibility between RADIUS attributes defined
by different vendors. For example, a Huawei device delivers the privilege level of an
administrator using the Huawei proprietary attribute HW-Exec-Privilege (26-29), whereas another
vendor's NAS and RADIUS server deliver it using the Login-Service (15) attribute. When the Huawei
device and the other vendor's NAS share one RADIUS server, the Huawei device must be made
compatible with the Login-Service (15) attribute. After RADIUS attribute translation is
configured on the Huawei device, the device processes the Login-Service (15) attribute in a
received RADIUS authentication response as the HW-Exec-Privilege (26-29) attribute.

Devices translate RADIUS attributes in sent or received packets based on the Type, Length, and
Value fields of the attributes:
● If translation from attribute A to attribute B is configured in the transmit direction and the
  device sends a packet containing attribute A, the Type field carries the type of attribute B,
  but the Value field is still encapsulated in the content and format of attribute A.
● If translation from attribute A to attribute B is configured in the receive direction and the
  device receives a packet containing attribute A, it parses the Value field of attribute A as
  that of attribute B. In effect, the device behaves as if it had received attribute B instead
  of attribute A.

Huawei-supported and non-Huawei-supported RADIUS attributes can be translated into each other.
Table 1-16 shows the translation modes and the command used to configure each.

NOTE

● The device can translate a RADIUS attribute of another vendor only if the Type field of that
  attribute is 1 octet long.
● The device can translate a RADIUS attribute only when the data type of the source attribute is
  the same as that of the destination attribute. For example, NAS-Identifier and NAS-Port-Id are
  both strings and can be translated into each other; NAS-Identifier (string) and NAS-Port
  (integer) cannot.

Table 1-16 RADIUS attribute translation mode

● Source attribute supported by Huawei, destination attribute supported by Huawei. Translation
  direction: transmit and receive. Command (RADIUS server template view):
  radius-attribute translate src-attribute-name dest-attribute-name { receive | send |
  access-accept | access-request | account-request | account-response } *
● Source attribute supported by Huawei, destination attribute not supported. Translation
  direction: transmit only. Command (RADIUS server template view):
  radius-attribute translate extend src-attribute-name vendor-specific dest-vendor-id
  dest-sub-id { access-request | account-request } *
● Source attribute not supported, destination attribute supported by Huawei. Translation
  direction: receive only. Command (RADIUS server template view):
  radius-attribute translate extend vendor-specific src-vendor-id src-sub-id
  dest-attribute-name { access-accept | account-response } *
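The following Python is an added example, not code from this guide or from the device software. It ties together the attribute tables above and the translation function described in this section: it parses a RADIUS reply into standard attributes and Huawei vendor-specific sub-attributes (Vendor-Specific(26) with Huawei's IANA vendor ID 2011), applies the receive-direction translation of Login-Service(15) to HW-Exec-Privilege(26-29) exactly as described above (the Value bytes are kept, only the attribute identity changes), and checks the result against a subset of the Access-Accept column of Table 1-13. It also verifies the Response Authenticator of RFC 2865 first, because a NAS must not act on authorization attributes in a reply it has not authenticated. The shared secret, Request Authenticator, user name, privilege value 3 and pool name are constructed sample data; the rule subset and the translation mapping are assumptions for the demo, not device defaults.

```python
"""Parse a RADIUS reply, translate one attribute in the receive direction, and
check attribute occurrence against the Access-Accept column of Table 1-13."""
import hashlib
import struct
from collections import Counter

ACCESS_ACCEPT = 2
HUAWEI_VENDOR_ID = 2011   # Huawei's IANA enterprise number, carried in Vendor-Specific(26)

# Access-Accept column of Table 1-13 (subset, assumed for the demo).
# Keys are "<type>" or "26-<vendor sub-type>".
ACCESS_ACCEPT_RULES = {
    "1": ("User-Name", "0-1"), "2": ("User-Password", "0"), "4": ("NAS-IP-Address", "0"),
    "6": ("Service-Type", "0-1"), "15": ("Login-Service", "0-1"), "25": ("Class", "0-1"),
    "27": ("Session-Timeout", "0-1"), "80": ("Message-Authenticator", "0-1"),
    "88": ("Framed-Pool", "1"), "26-29": ("HW-Exec-Privilege", "0-1"),
    "26-142": ("HW-User-Information", "0-1"),
}


def parse_attributes(pkt):
    """Return (code, [(key, value), ...]); Huawei VSAs are flattened to "26-<sub>" keys."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field does not match the datagram")
    pos, attrs = 20, []
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute overruns the packet")
        value = pkt[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == HUAWEI_VENDOR_ID:
            sub, sublen = value[4], value[5]          # vendor type, vendor length
            attrs.append((f"26-{sub}", value[6:4 + sublen]))
        else:
            attrs.append((str(atype), value))
        pos += alen
    return code, attrs


def translate_receive(attrs, mapping):
    """Receive-direction translation (1.2.4.9): attribute A is handled as B, its value unchanged."""
    return [(mapping.get(key, key), value) for key, value in attrs]


def check_occurrences(attrs, rules):
    """List violations of the 1 / 0 / 0-1 / 0+ occurrence rules; attributes not in rules are ignored."""
    counts = Counter(key for key, _ in attrs)
    violations = []
    for key, (name, rule) in rules.items():
        n = counts.get(key, 0)
        allowed = {"1": n == 1, "0": n == 0, "0-1": n <= 1, "0+": True}[rule]
        if not allowed:
            violations.append(f"{name}({key}) appears {n} times, rule {rule}")
    return violations


def verify_response_authenticator(pkt, request_authenticator, secret):
    """RFC 2865: ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return expected == pkt[4:20]


def attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def huawei_vsa(sub, value):
    return attr(26, struct.pack("!I", HUAWEI_VENDOR_ID) + bytes([sub, 2 + len(value)]) + value)


def build_reply(code, ident, request_authenticator, secret, attrs):
    """Constructed reply with a correct Response Authenticator (sample input only)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_authenticator + body + secret).digest() + body


def demo():
    secret, req_auth = b"radius-secret", bytes(range(16))   # constructed secret and Request Authenticator
    # Constructed Access-Accept from another vendor's server, which carries the administrator
    # privilege level in Login-Service(15) as in the translation scenario above.
    reply = build_reply(ACCESS_ACCEPT, 7, req_auth, secret, [
        attr(1, b"admin"), attr(15, struct.pack("!I", 3)), attr(88, b"pool1"),
        huawei_vsa(142, b"guest"),                           # HW-User-Information(26-142)
    ])
    if not verify_response_authenticator(reply, req_auth, secret):
        return None                                          # unauthenticated reply: ignore it
    code, attrs = parse_attributes(reply)
    attrs = translate_receive(attrs, {"15": "26-29"})        # Login-Service(15) -> HW-Exec-Privilege(26-29)
    return code, dict(attrs), check_occurrences(attrs, ACCESS_ACCEPT_RULES)
```

demo() returns the packet code, the translated attribute dictionary (with key "26-29" and no key "15") and an empty violation list for the well-formed reply. The order of the two checks matters: authenticate the reply, then enforce the occurrence rules, so that an attribute the table marks 0 (such as User-Password in an Access-Accept) is dropped rather than acted on.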

1.2.5 HWTACACS AAA

1.2.5.1 Overview of HWTACACS

HWTACACS is an information exchange protocol that uses the client/server model
to provide centralized validation of users who attempt to access the device. It
uses the Transmission Control Protocol (TCP), port 49, to transmit data.
HWTACACS provides independent authentication, authorization, and accounting for
users accessing the network through the Point-to-Point Protocol (PPP) or a
Virtual Private Dial-up Network (VPDN) and for administrators. As an enhancement
of TACACS (RFC 1492), it allows authentication, authorization, and accounting to
be handled by different servers.

Both HWTACACS and RADIUS have the following characteristics:
● Client/server model
  – HWTACACS client: generally resides on the Network Access Server (NAS) but
    can be deployed anywhere in the network. The client sends user information
    to the specified HWTACACS server and acts on the information the server
    returns.
  – HWTACACS server: generally runs on a central computer or workstation. The
    server maintains user authentication and network access information, and
    is responsible for receiving user connection requests, authenticating
    users, and returning the required information to clients.
● A shared key used to protect user information
● Good scalability

HWTACACS, however, has advantages over RADIUS in transport reliability, in how
much of the packet it encrypts, and in its suitability for security control.
Table 1-17 lists the differences between HWTACACS and RADIUS.


Table 1-17 Comparisons between HWTACACS and RADIUS

Data transmission
  HWTACACS: Uses TCP, which is more reliable.
  RADIUS: Uses UDP, which is more efficient.

Encryption
  HWTACACS: Encrypts the entire packet body; only the standard HWTACACS header
  is sent in clear text.
  RADIUS: Encrypts only the password in the packet.

Authentication and authorization
  HWTACACS: Separates authentication from authorization, so that they can be
  implemented on different security servers.
  RADIUS: Combines authentication and authorization.

Command line authorization
  HWTACACS: Supported. The commands that a user can use are restricted by both
  the command level and AAA. When a user enters a command, the command is
  executed only after the HWTACACS server has authorized it.
  RADIUS: Not supported. The commands that a user can use depend only on the
  user level: a user can use the commands at the same level as or a lower level
  than the user level.

Application
  HWTACACS: Security control.
  RADIUS: Accounting.

1.2.5.2 HWTACACS Packets

An HWTACACS client and an HWTACACS server communicate using HWTACACS packets
sent over TCP/IP networks. Unlike RADIUS, where all packets share one format,
HWTACACS authentication, authorization, and accounting packets each have their
own body format. All HWTACACS packets, however, share the same HWTACACS packet
header.

HWTACACS Packet Header


HWTACACS defines a 12-byte header that appears in all HWTACACS packets.
Figure 1-15 shows the header.


Figure 1-15 HWTACACS packet header (12 octets)

Octet 0         major version (bits 0-3), minor version (bits 4-7)
Octet 1         type
Octet 2         seq_no
Octet 3         flags
Octets 4-7      session_id
Octets 8-11     length

Table 1-18 Fields in HWTACACS packet header

major version   Major HWTACACS version number. The current version is 0xc.
minor version   Minor HWTACACS version number. The current version is 0x0.
type            HWTACACS packet type: 0x01 (authentication), 0x02 (authorization) or
                0x03 (accounting).
seq_no          Sequence number of the packet within a session. The first packet in a
                session has sequence number 1 and each subsequent packet increments it
                by 1. The value ranges from 1 to 254.
flags           Encryption flag for the packet body. Only one bit of this 8-bit field is
                used: 0 means the packet body is encrypted, 1 means it is sent in clear
                text.
session_id      Session ID, the unique identifier of an HWTACACS session.
length          Total length of the packet body, excluding the 12-octet header.

HWTACACS Authentication Packet Format


HWTACACS defines three types of authentication packets:

● Authentication Start: indicates the type of authentication to be performed,
  and contains the user name and authentication data. This packet is only sent
  as the first message in an HWTACACS authentication process.
● Authentication Continue: indicates that the authentication process has not
  ended. The client sends this packet in response to an Authentication Reply in
  which the server asks for more information, such as the user name or the
  password.
● Authentication Reply: notifies the client of the current authentication
  status. The server sends this packet each time it receives an Authentication
  Start or Authentication Continue packet from a client.

The following figure shows the HWTACACS Authentication Start packet body.

Figure 1-16 HWTACACS Authentication Start packet body (octet offsets within the body)

Octet 0         action
Octet 1         priv_lvl
Octet 2         authen_type
Octet 3         service
Octet 4         user len
Octet 5         port len
Octet 6         rem_addr len
Octet 7         data len
Octets 8-       user, port, rem_addr, data (variable-length fields, in this order)

Table 1-19 Fields in HWTACACS Authentication Start packet

action          Authentication action to be performed. Only login authentication (0x01) is
                supported.
priv_lvl        Privilege level of the user. The value ranges from 0 to 15.
authen_type     Authentication type: 0x01 (ASCII authentication), 0x02 (PAP authentication)
                or 0x03 (CHAP authentication).
service         Type of the service requesting authentication, which depends on the user
                type: PPP users PPP (0x03), administrators LOGIN (0x01), other users
                NONE (0x00).
user len        Length of the user field.
port len        Length of the port field.
rem_addr len    Length of the rem_addr field.
data len        Length of the data field.
user            Name of the user requesting authentication. The maximum length is 129
                characters.
port            Name of the user interface requesting authentication. The maximum length
                is 47 characters.
                ● For administrators, this field carries the user terminal interface, such
                  as console0 or vty1. A Telnet user, for example, is sent with authen_type
                  ASCII, service LOGIN and port vtyx.
                ● For other users, this field carries the user access interface.
rem_addr        IP address of the login user.
data            Authentication data. Its content depends on the values of action and
                authen_type. With PAP authentication, for example, this field carries the
                PAP password in plain text, protected only by the body encryption
                described in Table 1-18.

The following figure shows the HWTACACS Authentication Continue packet body.

Figure 1-17 HWTACACS Authentication Continue packet body (octet offsets within the body)

Octets 0-1      user_msg len
Octets 2-3      data len
Octet 4         flags
Octets 5-       user_msg, data (variable-length fields, in this order)

Table 1-20 Fields in HWTACACS Authentication Continue packet

user_msg len    Length of the user_msg field.
data len        Length of the data field.
flags           Authentication continue flag: 0 (authentication continues) or 1 (the client
                has ended the authentication).
user_msg        Character string entered by the login user in response to the server_msg of
                the preceding Authentication Reply, for example the user name or the
                password.
data            Authentication data. Its content depends on the values of action and
                authen_type. With PAP authentication, for example, this field carries the
                PAP password in plain text.

The following figure shows the HWTACACS Authentication Reply packet body.

Figure 1-18 HWTACACS Authentication Reply packet body (octet offsets within the body)

Octet 0         status
Octet 1         flags
Octets 2-3      server_msg len
Octets 4-5      data len
Octets 6-       server_msg, data (variable-length fields, in this order)

Table 1-21 Fields in HWTACACS Authentication Reply packet

status          Current authentication status:
                ● PASS (0x01): authentication succeeds.
                ● FAIL (0x02): authentication fails.
                ● GETDATA (0x03): the server requests user information.
                ● GETUSER (0x04): the server requests the user name.
                ● GETPASS (0x05): the server requests the password.
                ● RESTART (0x06): the server requests that the authentication be restarted.
                ● ERROR (0x07): the authentication packets received by the server have errors.
                ● FOLLOW (0x21): the server redirects the client to another server, named in
                  the data field.
flags           Whether the client echoes the password entered by the user. The value 1 (no
                echo) means the client must not display what the user types.
server_msg len  Length of the server_msg field.
data len        Length of the data field.
server_msg      Optional field. Message from the server to be shown to the user, such as a
                prompt.
data            Authentication data, providing information to the client.

HWTACACS Authorization Packet Format


HWTACACS defines two types of authorization packets:
● Authorization Request: contains a fixed set of fields that indicate how a user
is authenticated or processed and a variable set of attributes that describe the
information for which authorization is requested.
● Authorization Response: contains a variable set of attributes that can limit
or change the client's action.
The following figure shows the HWTACACS Authorization Request packet body.

Figure 1-19 HWTACACS Authorization Request packet body (octet offsets within the body)

Octet 0         authen_method
Octet 1         priv_lvl
Octet 2         authen_type
Octet 3         authen_service
Octet 4         user len
Octet 5         port len
Octet 6         rem_addr len
Octet 7         arg_cnt
Octets 8-       arg 1 len, arg 2 len, ..., arg N len (one octet each, N = arg_cnt)
then            user, port, rem_addr, arg 1, arg 2, ..., arg N (variable-length fields, in
                this order)

NOTE

The meanings of the following fields in the Authorization Request packet are the same as
those in the Authentication Start packet, and are not described here: priv_lvl, authen_type,
authen_service (called service in the Authentication Start packet), user len, port len,
rem_addr len, port, and rem_addr.


Table 1-22 Fields in HWTACACS Authorization Request packet

authen_method   Authentication method the client used to authenticate the user:
                ● 0x00 (no authentication method configured)
                ● 0x01 (none authentication)
                ● 0x05 (local authentication)
                ● 0x06 (HWTACACS authentication)
                ● 0x10 (RADIUS authentication)
authen_service  Type of the service requesting authorization, which depends on the user
                type: PPP users PPP (0x03), administrators LOGIN (0x01), other users
                NONE (0x00).
arg_cnt         Number of attributes carried in the Authorization Request packet.
argN            An attribute of the Authorization Request packet. For command line
                authorization the attributes are:
                ● cmd: the first keyword of the command line to be authorized.
                ● cmd-arg: one parameter of the command line, in the fixed form
                  cmd-arg=<parameter>. cmd-arg=<cr> is appended after the last parameter.
                  Each cmd-arg=<parameter> attribute cannot exceed 255 bytes, so a single
                  parameter cannot be longer than 247 bytes.

The following figure shows the HWTACACS Authorization Response packet body.


Figure 1-20 HWTACACS Authorization Response packet body (octet offsets within the body)

Octet 0         status
Octet 1         arg_cnt
Octets 2-3      server_msg len
Octets 4-5      data len
Octets 6-       arg 1 len, arg 2 len, ..., arg N len (one octet each, N = arg_cnt)
then            server_msg, data, arg 1, arg 2, ..., arg N (variable-length fields, in this
                order)

NOTE

Meanings of the following fields are the same as those in the HWTACACS Authentication
Reply packet, and are not described here: server_msg len, data len, and server_msg.

Table 1-23 Fields in HWTACACS Authorization Response packet

status          Authorization status:
                ● 0x01 (authorization succeeds; the returned attributes are added to those
                  the client requested)
                ● 0x02 (authorization succeeds, but the server has modified the attributes
                  from the Authorization Request; the client must use the returned
                  attributes instead)
                ● 0x10 (authorization fails)
                ● 0x11 (an error occurred on the authorization server)
                ● 0x21 (the server redirects the client to another authorization server)
arg_cnt         Number of attributes carried in the Authorization Response packet.
argN            An authorization attribute delivered by the HWTACACS authorization server.

HWTACACS Accounting Packet Format


HWTACACS defines two types of accounting packets:
● Accounting Request: contains the information used to account for a service
  provided to a user.
● Accounting Response: after receiving and recording an Accounting Request
  packet, the server returns this packet, indicating that accounting has been
  completed and the record has been securely committed.
The following figure shows the HWTACACS Accounting Request packet body.

Figure 1-21 HWTACACS Accounting Request packet body (octet offsets within the body)

Octet 0         flags
Octet 1         authen_method
Octet 2         priv_lvl
Octet 3         authen_type
Octet 4         authen_service
Octet 5         user len
Octet 6         port len
Octet 7         rem_addr len
Octet 8         arg_cnt
Octets 9-       arg 1 len, arg 2 len, ..., arg N len (one octet each, N = arg_cnt)
then            user, port, rem_addr, arg 1, arg 2, ..., arg N (variable-length fields, in
                this order)

NOTE

Meanings of the following fields in the Accounting Request packet are the same as those in
the Authorization Request packet, and are not described here: authen_method, priv_lvl,
authen_type, user len, port len, rem_addr len, port, and rem_addr.

Table 1-24 Fields in HWTACACS Accounting Request packet

flags           Accounting type: 0x02 (start accounting), 0x04 (stop accounting) or 0x08
                (interim accounting).
authen_service  Type of the service requesting accounting, which depends on the user type:
                PPP users PPP (0x03), administrators LOGIN (0x01), other users NONE (0x00).
arg_cnt         Number of attributes carried in the Accounting Request packet.
argN            An attribute of the Accounting Request packet (see Table 1-26).

The following figure shows the HWTACACS Accounting Response packet body.

Figure 1-22 HWTACACS Accounting Response packet body (octet offsets within the body)

Octets 0-1      server_msg len
Octets 2-3      data len
Octet 4         status
Octets 5-       server_msg, data (variable-length fields, in this order)

Table 1-25 Fields in HWTACACS Accounting Response packet

server_msg len  Length of the server_msg field.
data len        Length of the data field.
status          Accounting status: 0x01 (accounting succeeds), 0x02 (accounting fails),
                0x03 (no response) or 0x21 (the server requests reaccounting).
server_msg      Information sent by the accounting server to the client.
data            Information sent by the accounting server to the administrator.


1.2.5.3 HWTACACS Authentication, Authorization, and Accounting Process

This section describes how HWTACACS performs authentication, authorization,


and accounting for Telnet users. Figure 1-23 shows the message exchange
process.

Figure 1-23 HWTACACS message interaction (sequence diagram between the user, the
HWTACACS client and the HWTACACS server; the messages are listed in order in the steps
below)

The following describes the HWTACACS message exchange process shown in
Figure 1-23:
1. A Telnet user sends a login request.
2. After receiving the request, the HWTACACS client sends an Authentication
   Start packet to the HWTACACS server.
3. The HWTACACS server sends an Authentication Reply packet (status GETUSER)
   to request the user name.
4. After receiving the Authentication Reply packet, the HWTACACS client prompts
   the user for the user name.
5. The user enters the user name.
6. The HWTACACS client sends an Authentication Continue packet containing the
   user name to the HWTACACS server.
7. The HWTACACS server sends an Authentication Reply packet (status GETPASS)
   to request the password.
8. After receiving the Authentication Reply packet, the HWTACACS client prompts
   the user for the password.
9. The user enters the password.
10. The HWTACACS client sends an Authentication Continue packet containing the
    password to the HWTACACS server.
11. The HWTACACS server sends an Authentication Reply packet (status PASS),
    indicating that the user has been authenticated.
12. The HWTACACS client sends an Authorization Request packet to the HWTACACS
    server.
13. The HWTACACS server sends an Authorization Response packet, indicating that
    the user has been authorized.
14. The HWTACACS client receives the Authorization Response packet and lets the
    user log in.
15. The HWTACACS client sends an Accounting Request (start) packet to the
    HWTACACS server.
16. The HWTACACS server sends an Accounting Response packet.
17. The user requests to go offline.
18. The HWTACACS client sends an Accounting Request (stop) packet to the
    HWTACACS server.
19. The HWTACACS server sends an Accounting Response packet.

NOTE

HWTACACS and the TACACS+ implementations of other vendors all perform authentication, authorization, and accounting. HWTACACS interoperates with other TACACS+ implementations because their authentication procedures and packet handling are the same.
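The exchange in steps 1 to 19 above, as an added example that is not part of the Huawei guide: a Python simulation of the Telnet login (Authentication Start, Reply requesting the user name, Continue, Reply requesting the password, Continue, Reply PASS or FAIL) with the RFC 8907 body obfuscation that HWTACACS and TACACS+ share. The shared key, user database, TTY port and client address are constructed for illustration. The keystream_reuse function shows why the link to the server still has to be trusted: the pad depends only on the session ID, key, version and sequence number, so two bodies obfuscated under the same values leak their XOR to anyone on the path, without the key.

```python
"""Simulated HWTACACS/TACACS+ ASCII login with RFC 8907 body obfuscation.

Added example, not code from the Huawei guide. The shared key, user database,
TTY port and client address used here are constructed for illustration.
"""
import hashlib
import os
import struct

VERSION = 0xC0          # major version 0xC, minor version 0 (ASCII login)
TYPE_AUTHEN = 0x01      # packet type: authentication
# START fields: action LOGIN, priv_lvl USER, authen_type ASCII, service LOGIN
ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_ASCII, SVC_LOGIN = 0x01, 0x01, 0x01, 0x01
# REPLY status codes the server can return
STATUS_PASS, STATUS_FAIL, STATUS_GETUSER, STATUS_GETPASS = 0x01, 0x02, 0x04, 0x05


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(...|MD5_n-1); truncated."""
    seed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack(ptype, seq_no, session_id, body, key):
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack(">BBBBII", VERSION, ptype, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def unpack(packet, key):
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(">BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def authen_start(user=b"", port=b"vty0", rem_addr=b"10.1.1.20"):
    head = struct.pack(">8B", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_ASCII, SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0)
    return head + user + port + rem_addr


def authen_reply(status, server_msg=b""):
    return struct.pack(">BBHH", status, 0, len(server_msg), 0) + server_msg


def authen_continue(user_msg):
    return struct.pack(">HHB", len(user_msg), 0, 0) + user_msg


def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack(">BBHH", body[:6])
    return status, body[6:6 + msg_len]


def parse_continue(body):
    msg_len, _data_len, _flags = struct.unpack(">HHB", body[:5])
    return body[5:5 + msg_len]


class Server:
    """Minimal HWTACACS server: prompts for the user name, then the password."""

    def __init__(self, key, users):
        self.key, self.users, self.sessions = key, users, {}

    def handle(self, packet):
        _ptype, seq_no, sid, body = unpack(packet, self.key)
        st = self.sessions.setdefault(sid, {"phase": "start"})
        if st["phase"] == "start":                     # START received: ask for the user name
            st["phase"] = "user"
            reply = authen_reply(STATUS_GETUSER, b"Username: ")
        elif st["phase"] == "user":                    # CONTINUE with user name: ask for password
            st["user"], st["phase"] = parse_continue(body), "pass"
            reply = authen_reply(STATUS_GETPASS, b"Password: ")
        else:                                          # CONTINUE with password: PASS or FAIL
            ok = self.users.get(st["user"]) == parse_continue(body)
            reply = authen_reply(STATUS_PASS if ok else STATUS_FAIL)
            del self.sessions[sid]
        return pack(TYPE_AUTHEN, seq_no + 1, sid, reply, self.key)


def login(server, key, user, password):
    """Client side of steps 2 to 11: returns the three REPLY status codes in order."""
    sid = struct.unpack(">I", os.urandom(4))[0]
    seq_no, outgoing, statuses = 1, authen_start(), []
    for next_msg in (user, password, None):
        _, seq_no, _, body = unpack(server.handle(pack(TYPE_AUTHEN, seq_no, sid, outgoing, key)), key)
        statuses.append(parse_reply(body)[0])
        seq_no += 1                                    # client packets carry odd sequence numbers
        if next_msg is not None:
            outgoing = authen_continue(next_msg)
    return statuses


def keystream_reuse(key, body_a, body_b):
    """Same session_id/seq_no for two bodies: XOR of ciphertexts equals XOR of plaintexts."""
    sid, seq = 0x1234ABCD, 1
    ca = obfuscate(body_a, sid, key, VERSION, seq)
    cb = obfuscate(body_b, sid, key, VERSION, seq)
    return bytes(x ^ y for x, y in zip(ca, cb))
```

A successful run of login returns [STATUS_GETUSER, STATUS_GETPASS, STATUS_PASS]; a wrong password or unknown user ends in STATUS_FAIL after the same two prompts, so the prompt sequence alone does not reveal whether the user name exists.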

1.2.5.4 HWTACACS Attributes

HWTACACS uses different attributes to define the authorization and accounting to be performed. The attributes are carried in the argN field. This section describes the HWTACACS attributes in detail.

Overview of HWTACACS Attributes

Table 1-26 describes the HWTACACS attributes supported by the device. The device can only parse the attributes included in the table.


Table 1-26 HWTACACS attributes for common use

acl: Authorization ACL ID.

addr: A network address.

autocmd: An auto-command to run after a user logs in to the device.

bytes_in: Number of input bytes transmitted during this connection. K, M, and G represent KByte, MByte, and GByte. No unit is displayed if byte is used.

bytes_out: Number of output bytes transmitted during this connection. K, M, and G represent KByte, MByte, and GByte. No unit is displayed if byte is used.

callback-line: The line number to use for a callback, such as a mobile number.

cmd: Command name for a shell command that is to be run. The maximum length is 251 characters. The complete command is encapsulated when the command is recorded (accounting); only the first keyword is encapsulated when the command is authorized.

cmd-arg: Parameter in the command line to be authorized. cmd-arg=<cr> is added at the end of the command line.

disc_cause: Cause for a connection to be taken offline. Only Accounting-Stop packets carry this attribute. Disconnection causes include:
● 1 (a user requests to go offline)
● 2 (data forwarding is interrupted)
● 3 (service is interrupted)
● 4 (idle timeout)
● 5 (session timeout)
● 7 (the administrator requests to go offline)
● 9 (the NAS is faulty)
● 10 (the NAS requests to go offline)
● 12 (the port is suspended)
● 17 (user information is incorrect)
● 18 (a host requests to go offline)

disc_cause_ext: Extension of the disc_cause attribute to support vendor-specific causes for a connection to be taken offline. Only Accounting-Stop packets carry this attribute. Extended disconnection causes include:
● 1022 (unknown reason)
● 1020 (the EXEC terminal tears down the connection)
● 1022 (an online Telnet user forcibly disconnects this user)
● 1023 (the user cannot be switched to the SLIP/PPP client due to no remote IP address)
● 1042 (PPP PAP authentication fails)
● 1045 (PPP receives a Terminate packet from the remote end)
● 1046 (the upper-layer device requests the device to tear down the PPP connection)
● 1063 (PPP handshake fails)
● 1100 (session times out)

dnaverage: Average downstream rate, in bit/s.

dnpeak: Peak downstream rate, in bit/s.

dns-servers: IP address of the primary DNS server.

elapsed_time: Online duration of a user, in seconds.

ftpdir: Initial directory of an FTP user.

gw-password: Password for the gateway during L2TP tunnel authentication. The value is a string of 1 to 248 characters. If the value contains more than 248 characters, only the first 248 characters are valid.

idletime: Period after which an idle session is terminated. If a user does not perform any operation within this period, the system disconnects the user.

l2tp-hello-interval: Interval for sending L2TP Hello packets. This attribute is currently not supported.

l2tp-hidden-avp: Attribute value pair (AVP) of L2TP. This attribute is currently not supported.

l2tp-nosession-timeout: Number of seconds that a tunnel remains active with no sessions before timeout or shutdown. This attribute is currently not supported.

l2tp-group-num: L2TP group number. Other L2TP attributes take effect only if this attribute is delivered. Otherwise, the other L2TP attributes are ignored.

l2tp-tos-reflect: TOS of L2TP. The device does not support this attribute.

l2tp-tunnel-authen: Whether an L2TP tunnel is authenticated:
● 0: not authenticated
● 1: authenticated

l2tp-udp-checksum: Whether L2TP should perform UDP checksums for data packets.

nocallback-verify: No callback authentication is required.

nohangup: Whether the device automatically disconnects a user who has executed the autocmd command. This attribute is valid only after the autocmd attribute is configured. The value can be true or false:
● true: The user is not disconnected.
● false: The user is disconnected.

paks_in: Number of packets received by the device.

paks_out: Number of packets sent by the device.

priv-lvl: User level.

protocol: A protocol that is a subset of a service. It is valid only for PPP and connection services. Legal values matching service types are as follows:
● Connection service type: pad, telnet
● PPP service type: ip, vpdn
● Other service types: This attribute is not used.

task_id: Task ID. The task IDs recorded when a task starts and ends must be the same.

timezone: Time zone for all timestamps included in this packet.

tunnel-id: User name used to authenticate a tunnel during establishment. The value is a string of 1 to 29 characters. If the value contains more than 29 characters, only the first 29 characters are valid.

tunnel-type: Tunnel type. The device supports only L2TP tunnels. For L2TP tunnels, the value is 3.

service: Service type, which can be accounting or authorization.

source-ip: Local IP address of a tunnel.

upaverage: Average upstream rate, in bit/s.

uppeak: Peak upstream rate, in bit/s.


HWTACACS Attributes Available in Packets

Depending on the usage scenario, HWTACACS authorization packets can be classified into EXEC authorization packets, command line authorization packets, and access user authorization packets. Different authorization packets carry different attributes. For details, see Table 1-27. The following describes the use of HWTACACS authorization packets in different usage scenarios:
● EXEC authorization packets: Used by the HWTACACS server to control the rights of management users logging in through Telnet, the console port, SSH, and FTP.
● Command line authorization packets: Used by the device to authorize each command line executed by the user. Only authorized command lines can be executed.
● Access user authorization packets: Used by the HWTACACS server to control the rights of NAC users such as 802.1X and Portal users.

Depending on the connection type, HWTACACS accounting packets can be classified into network accounting packets, connection accounting packets, EXEC accounting packets, system accounting packets, and command accounting packets. Different accounting packets carry different attributes. For details, see Table 1-28. In every case the device (HWTACACS client) sends the accounting request and the HWTACACS server replies. The following describes the use of HWTACACS accounting packets for different connection types:
● Network accounting packets: Used when networks are accessed by PPP users. When a PPP user connects to a network, the device sends an accounting start packet; while the user is using network services, the device periodically sends interim accounting packets; when the user goes offline, the device sends an accounting stop packet.
● Connection accounting packets: Used when users log in to a remote server through Telnet or FTP clients. After a user connects to the device, the user can run commands to access a remote server and obtain files from it. The device sends an accounting start packet when the user connects to the remote server, and an accounting stop packet when the user disconnects from it.
● EXEC accounting packets: Used when users log in to the device through Telnet or FTP. When a user logs in, the device sends an accounting start packet; while the session is active, the device periodically sends interim accounting packets; when the user logs out, the device sends an accounting stop packet.
● System accounting packets: Used during fault diagnosis. The server records system-level events to help administrators monitor the device and locate network faults.
● Command accounting packets: When an administrator runs any command on the device, the device sends the command to the HWTACACS server in a command accounting stop packet so that the server can record the operations performed by the administrator.

NOTE

● Y: The packet supports this attribute.
● N: The packet does not support this attribute.


Table 1-27 HWTACACS attributes available in authorization packets
(columns: CL = command line authorization packet, EX = EXEC authorization response packet, AU = access user authorization response packet)

Attribute            CL   EX   AU
acl                  N    Y    N
addr                 N    N    Y
addr-pool            N    N    Y
autocmd              N    Y    N
callback-line        N    Y    Y
cmd                  Y    N    N
cmd-arg              Y    N    N
dnaverage            N    N    Y
dnpeak               N    N    Y
dns-servers          N    N    Y
ftpdir               N    Y    N
gw-password          N    N    Y
idletime             N    Y    N
ip-addresses         N    N    Y
l2tp-group-num       N    N    Y
l2tp-tunnel-authen   N    N    Y
nocallback-verify    N    Y    N
nohangup             N    Y    N
priv-lvl             N    Y    N
source-ip            N    N    Y
tunnel-type          N    N    Y
tunnel-id            N    N    Y
upaverage            N    N    Y
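An added example, not the guide's own code, that encodes and checks the argN attributes described in Table 1-26 and Table 1-27 for two of the packets above: the command line authorization request and the EXEC authorization response. It splits a command line into cmd and cmd-arg arguments terminated with cmd-arg=<cr>, packs them in the RFC 8907 arg_cnt/arg length layout, and applies the server's response the way a conservative NAS should: an unknown mandatory attribute (attr=value) fails the authorization, an unknown optional attribute (attr*value) is ignored, and a priv-lvl outside the TACACS+ range 0 to 15 is rejected. The attribute sets are taken from Table 1-27; the command line and response arguments are constructed for illustration.

```python
"""Encode and check HWTACACS/TACACS+ authorization arguments (the argN field).

Added example, not code from the Huawei guide. Uses the RFC 8907 argument
syntax: "attr=value" is mandatory, "attr*value" is optional. The attribute
sets below are the ones Table 1-27 lists for each authorization packet.
"""
import re

CMD_LINE_REQUEST_ATTRS = {"cmd", "cmd-arg"}
EXEC_RESPONSE_ATTRS = {"acl", "autocmd", "callback-line", "ftpdir", "idletime",
                       "nocallback-verify", "nohangup", "priv-lvl"}
ACCESS_RESPONSE_ATTRS = {"addr", "addr-pool", "callback-line", "dnaverage", "dnpeak",
                         "dns-servers", "gw-password", "ip-addresses", "l2tp-group-num",
                         "l2tp-tunnel-authen", "source-ip", "tunnel-id", "tunnel-type",
                         "upaverage"}
ARG_RE = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)


def parse_arg(arg):
    """Return (name, value, mandatory) for one argN string."""
    m = ARG_RE.match(arg)
    if not m:
        raise ValueError(f"malformed argument: {arg!r}")
    name, sep, value = m.groups()
    return name, value, sep == "="


def command_authorization_args(command_line):
    """Arguments of a command line authorization request: cmd carries only the first
    keyword, each further token is a cmd-arg, and cmd-arg=<cr> terminates the line."""
    tokens = command_line.split()
    if not tokens:
        raise ValueError("empty command line")
    return [f"cmd={tokens[0]}"] + [f"cmd-arg={t}" for t in tokens[1:]] + ["cmd-arg=<cr>"]


def encode_args(args):
    """Argument portion of the packet body: arg_cnt, one length byte per arg, then the args."""
    raw = [a.encode() for a in args]
    if len(raw) > 255 or any(len(a) > 255 for a in raw):
        raise ValueError("arg_cnt and each arg length are single bytes")
    return bytes([len(raw)]) + bytes(len(a) for a in raw) + b"".join(raw)


def decode_args(blob):
    cnt, off, out = blob[0], 1 + blob[0], []
    for n in blob[1:1 + cnt]:
        out.append(blob[off:off + n].decode())
        off += n
    return out


def authorize_exec(response_args):
    """Apply an EXEC authorization response as the device would. An unsupported
    mandatory attribute fails the authorization; an unsupported optional one is
    ignored, since the device only parses the attributes in Table 1-26."""
    granted, ignored = {}, []
    for arg in response_args:
        name, value, mandatory = parse_arg(arg)
        if name not in EXEC_RESPONSE_ATTRS:
            if mandatory:
                return {"ok": False, "reason": f"unsupported mandatory attribute {name!r}"}
            ignored.append(name)
            continue
        if name == "priv-lvl":
            if not value.isdigit() or not 0 <= int(value) <= 15:
                return {"ok": False, "reason": f"priv-lvl {value!r} outside 0..15"}
            value = int(value)
        elif name == "idletime":
            if not value.isdigit():
                return {"ok": False, "reason": f"idletime {value!r} is not a number"}
            value = int(value)
        elif name == "nohangup":
            if value not in ("true", "false"):
                return {"ok": False, "reason": f"nohangup {value!r} must be true or false"}
            value = value == "true"
        granted[name] = value
    if "nohangup" in granted and "autocmd" not in granted:   # valid only with autocmd (Table 1-26)
        granted.pop("nohangup")
        ignored.append("nohangup")
    return {"ok": True, "granted": granted, "ignored": ignored}
```

Failing closed on an unknown mandatory attribute is the behaviour RFC 8907 requires of a client, and it is what keeps a misconfigured or hostile server from silently granting less (or more) than the administrator intended.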


Table 1-28 HWTACACS attributes available in accounting packets
(columns: (1) Network Accounting Start Packet, (2) Network Accounting Stop Packet, (3) Network Interim Accounting Packet, (4) Connection Accounting Start Packet, (5) Connection Accounting Stop Packet, (6) EXEC Accounting Start Packet, (7) EXEC Accounting Stop Packet, (8) EXEC Interim Accounting Packet, (9) System Accounting Stop Packet, (10) Command Line Accounting Stop Packet)

Attribute        (1)  (2)  (3)  (4)  (5)  (6)  (7)  (8)  (9)  (10)
addr              Y    Y    Y    Y    Y    N    N    N    N    N
bytes_in          N    Y    Y    N    Y    N    Y    Y    N    N
bytes_out         N    Y    Y    N    Y    N    Y    Y    N    N
cmd               N    N    N    Y    Y    N    N    N    N    Y
disc_cause        N    Y    N    N    N    N    Y    Y    N    N
disc_cause_ext    N    Y    N    N    N    N    Y    Y    N    N
elapsed_time      N    Y    Y    N    Y    N    Y    Y    Y    N
paks_in           N    Y    Y    N    Y    N    Y    Y    N    N
paks_out          N    Y    Y    N    Y    N    Y    Y    N    N
priv-lvl          N    N    N    N    N    N    N    N    N    Y
protocol          Y    Y    Y    Y    Y    N    N    N    N    N
service           Y    Y    Y    Y    Y    Y    Y    Y    Y    Y
task_id           Y    Y    Y    Y    Y    Y    Y    Y    Y    Y
timezone          Y    Y    Y    Y    Y    Y    Y    Y    Y    Y
tunnel-id         N    N    N    N    N    N    N    N    N    N
tunnel-type       Y    N    N    N    N    N    N    N    N    N

1.2.6 HACA AAA

1.2.6.1 Overview of HACA


Small- and medium-sized enterprises usually have small networks with dispersed sites and relatively few concurrent users. Huawei provides the Cloud Managed Network Solution, which serves small- and medium-sized enterprises over the public network. This solution supports centralized multi-tenant management, plug-and-play network devices, and batch network service deployment. Compared with the architecture and deployment modes of traditional networks, it provides a shorter network deployment period, lower maintenance costs, and better network scalability.
Generally, the CloudCampus Solution uses Portal authentication. The authentication server is located on the cloud, so packets between the device and the server must traverse a NAT device. However, Portal protocol packets cannot traverse the NAT device. HACA carries the communication between the device and the server so that Portal authentication can be performed. Only a Huawei Agile Controller server can be used as an HACA server.
HACA runs over HTTP/2.
● HACA supports Portal authentication or MAC address-prioritized Portal authentication.
● HACA does not support administrative access, IPsec, SSL VPN, IP session, PPPoE, L2TP, VM, 802.1X, or independent MAC address authentication.
● HACA does not support wired user access.

1.2.6.2 HACA Packets

Service packets carry the messages exchanged between devices and the HACA server. The following table describes the service packet types, as identified by the msgType field.

Table 1-29 HACA service packet types

Registration request packet (msgType 1): After setting up an HTTP/2 persistent connection with an HACA server, a device sends this packet to the HACA server to register device information.

Registration response packet (msgType 2): The HACA server sends this packet to the device, indicating that the persistent connection has been set up successfully and service packets can be exchanged.

Authentication request packet (msgType 3): The device sends this packet to the HACA server. The HACA server decides whether to permit access based on the user information carried in this packet.

Authentication response packet (msgType 4): The HACA server sends this packet to the device. If all attributes in the authentication request packet are acceptable, the server considers that the user has passed authentication and sends this packet. After receiving it, the device grants network access rights to the user.

Proactive authorization request packet (msgType 6): The HACA server sends this packet to the device after the user passes authentication.

Proactive authorization response packet (msgType 5): The device sends this packet to the HACA server and modifies the user rights.

Accounting-start request packet (msgType 7): The device sends this packet to the HACA server when the user starts to access network resources.

Accounting response packet (msgType 8): After receiving and recording an accounting-start request packet, the HACA server returns an accounting response packet.

Logout notification packet (msgType 9): If the HACA server logs out the user, the device sends a logout notification packet; the HACA server does not need to reply. If accounting has been performed for the user, the packet carries accounting information.

Logout request packet (msgType 11): If the device triggers user logout, it sends a logout request packet to the HACA server. If the HACA server triggers user logout, it sends this packet to notify the device that a specified user has logged out.

Logout response packet (msgType 12): If the device triggers user logout, the HACA server sends a logout response packet to the device. If the HACA server triggers user logout, the device sends a logout response packet to the HACA server and releases the related authorization entry.

User synchronization request packet (msgType 13): User information can be periodically synchronized between the HACA server and the device to keep it consistent. Either the device or the HACA server sends a user synchronization request packet to trigger synchronization.

User synchronization response packet (msgType 14): When the device or the HACA server triggers user information synchronization, the peer end returns a user synchronization response packet.

CoA-Request packet (msgType 16): When an administrator needs to modify the rights of an online user (for example, prohibit the user from accessing a website), the HACA server sends this packet to the device, requesting it to modify the user rights.

CoA-Response packet (msgType 15): If the device successfully modifies the user rights, it sends this packet to the HACA server.

1.2.6.3 HACA Authentication, Authorization, and Accounting Process

HACA only supports MAC address-prioritized Portal authentication. The Agile Controller server deployed on the cloud acts as both the external Portal server and the HACA server, providing authentication and accounting services. A router acts as a Fat AP to provide wireless access; it also acts as the authentication point and works with the HACA server to authenticate STAs. User authorization information is configured on the HACA server. After a user passes authentication, the HACA server authorizes network access rights to the user. Figure 1-24 shows the HACA authentication, authorization, and accounting process.


Figure 1-24 HACA authentication, authorization, and accounting process (sequence diagram between the Client, the Router (Fat AP), and the HACA server; the 14 numbered steps are listed below)

1. The access device sets up a persistent connection and registers with the HACA server using HTTP/2.
2. The client and the device set up a pre-connection before authentication.
3. The client initiates an authentication request using HTTP. The HACA server provides a web page for the client to enter the user name and password for authentication.
4. The device and the HACA server exchange authentication packets.
5. After the client passes authentication, the HACA server sends an authorization packet to authorize network access rights to the client.
6. When the client starts to access network resources, the access device sends an accounting-start request packet to the HACA server.
7. The HACA server sends an accounting response packet to the access device and starts accounting.
8. (Optional) If real-time accounting is enabled, the access device periodically sends real-time accounting request packets to the HACA server, preventing incorrect accounting results caused by unexpected user disconnection.
9. (Optional) The HACA server returns real-time accounting response packets and performs real-time accounting.
10. The client sends a logout request.
11. The HACA server sends a logout request packet to the access device.
12. The access device sends a logout response packet to the HACA server.
13. The access device sends an accounting-stop request packet to the HACA server.
14. The HACA server sends an accounting-stop response packet to the access device and stops accounting.

1.3 Application Scenarios for AAA


Deploying AAA for Internet Access Users

Figure 1-25 AAA deployment for Internet access users (topology: User, LAN switch, Router, Network, AAA server (active) and AAA server (standby))

As shown in Figure 1-25, an enterprise network connects to the Router through the LAN switch. Users on the enterprise network need to connect to the Internet. To ensure network security, the administrator controls the Internet access rights of the users.
The administrator configures AAA on the Router so that the Router can communicate with the AAA server, which then manages users centrally. After a user enters the user name and password on the client, the Router forwards the authentication information, including the user name and password, to the AAA server, and the AAA server authenticates the user. After being successfully authenticated, the user can access the Internet. The AAA server also records the user's network resource usage.


To improve reliability, two AAA servers can be deployed in active/standby mode. If the active server fails, the standby server takes over the AAA services, ensuring uninterrupted service.

Deploying AAA for Management Users

As shown in Figure 1-26, the management user (Administrator) connects to the Router to manage, configure, and maintain it.
After the management user logs in to the Router with AAA configured, the Router sends the user name and password to the AAA server. The AAA server then authenticates the user and records the user's operations.

Figure 1-26 AAA deployment for management users (topology: Admin. user, Router, Network, AAA server)

Deploying AAA for VPN Users

AAA also applies to VPN users, for example, PPP dial-up users in an L2TP VPN.
As shown in Figure 1-27, the headquarters (HQ) and a branch of an enterprise are located in two cities, and the branch uses an Ethernet network. Users in the branch need to access the HQ through VPDN connections. L2TP is deployed between the branch and the HQ. The branch gateway functions as a PPPoE server to allow PPP dial-up data to be transmitted over the Ethernet. The branch gateway also functions as an L2TP access concentrator (LAC) to establish L2TP tunnels with the HQ gateway, which serves as the L2TP network server (LNS).
To manage access users, the LNS must have AAA authentication configured so that it can communicate with the AAA server. The LNS sends the authentication information received from dial-up users to the AAA server, and the AAA server processes the information centrally.


Figure 1-27 AAA deployment for VPN users (topology: PPP terminal (PPPoE client) in the Branch, PPPoE to the LAC (PPPoE server), L2TP tunnel to the LNS in the HQ, AAA server behind the LNS)

Deploying HACA to Authorize Users

HACA is applicable only to MAC address-prioritized Portal authentication. In Figure 1-28, the router acts as a Fat AP and allows users to access the network through Wi-Fi. The Agile Controller server deployed on the cloud acts as the external Portal server and the HACA server to perform authentication and accounting. The router sets up a persistent connection and registers with the HACA server using HTTP/2. During Portal authentication, the router and the HACA server exchange packets over HTTP/2.

Figure 1-28 Deploying HACA to authorize users (topology: Client, Router (Fat AP), Internet, HACA server (Agile Controller))

1.4 Licensing Requirements and Limitations for AAA

Involved Network Elements

Table 1-30 Components involved in AAA networking

Role: AAA server. Product model: Huawei servers or third-party AAA servers. Description: Performs authentication, authorization, and accounting for users.


Licensing Requirements
AAA is a basic feature of the device and is not under license control.

Feature Limitations
Among the AR510 series routers, only the AR515GW-LM9-D and AR515CGW-L support HWTACACS.
Among the AR550 series routers, the AR550-8FE-D-H and AR550-24FE-D-H do not support HWTACACS.
● To prevent data transmission risks between the device and the RADIUS or HWTACACS server, deploy the device and the RADIUS or HWTACACS server in the same security domain. RADIUS hides only the user password, and HWTACACS obfuscates packet bodies with a keystream derived from the shared key; neither gives strong confidentiality or integrity on an untrusted path.
● If non-authentication is configured using the authentication-mode command, users can pass authentication with any user name or password. To protect the device and improve network security, you are advised to enable authentication so that only authenticated users can access the device or network.
● By default, the accounting scheme default is bound to the global default common domain default and the global default management domain default_admin. Modifying the accounting scheme default affects the configurations of both domains. Exercise caution when modifying the accounting scheme to prevent user accounting failures.
● RADIUS authentication does not take effect for L2TP access users.
● The management interface of the device cannot send or receive RADIUS packets.

1.5 Default Settings for AAA

Table 1-31 describes the default settings for AAA.

Table 1-31 Default settings for AAA

Local user: Name: admin. Password: the default username and password are available in AR Router Default Usernames and Passwords (Enterprise Network or Carrier); if you have not obtained access permission for the document, see Help on the website to find out how to obtain it. Access mode: SSH or HTTP (logging in to the device through the web system).

Global common default domain: default. By default, the authentication scheme radius and the accounting scheme default are bound, and no authorization scheme is bound.

Global default management domain: default_admin. By default, the authentication scheme default and the accounting scheme default are bound, and no authorization scheme is bound.

Authentication scheme: default (local authentication is used by default); radius (RADIUS authentication is used by default).

Authorization scheme: default (local authorization is used by default).

Accounting scheme: default (non-accounting is used by default).

1.6 Summary of AAA Configuration Tasks

In theory, the device supports any combination of authentication, authorization, and accounting modes. For example, the device can provide local authentication, local authorization, and RADIUS accounting.
In practice, the schemes in Table 1-32 are often used separately. Multiple authentication or authorization modes can be used in one scheme. For example, local authentication can serve as a backup for RADIUS authentication and HWTACACS authentication, and local authorization as a backup for HWTACACS authorization.


Table 1-32 AAA configuration tasks

Local authentication and authorization (task: 1.7.1 Configuring Local Authentication and Authorization): If users need to be authenticated or authorized but no RADIUS server or HWTACACS server is deployed on the network, use local authentication and authorization. Local authentication and authorization feature fast processing and low operation costs; however, the amount of local authentication and authorization information that can be stored is subject to the device hardware capacity. Local authentication and authorization are often used for administrators.

RADIUS authentication, authorization, and accounting (task: 1.7.2 Using RADIUS to Perform Authentication, Authorization, and Accounting): RADIUS protects a network from unauthorized access, and is often used on networks demanding high security and control of remote user access.

HWTACACS authentication, authorization, and accounting (task: 1.7.3 Using HWTACACS to Perform Authentication, Authorization, and Accounting): HWTACACS protects a network from unauthorized access and supports command-line authorization. HWTACACS is more reliable in transmission and encryption than RADIUS (it runs over TCP and obfuscates the whole packet body, whereas RADIUS runs over UDP and hides only the password), and is more suitable for security control.

HACA authentication, authorization, and accounting (task: 1.7.4 Configuring HACA Authentication): HACA is usually used in cloud management scenarios. HACA is based on HTTP/2 and only supports MAC address-prioritized Portal authentication.

1.7 Configuring AAA

1.7.1 Configuring Local Authentication and Authorization

Local Authentication and Authorization

After local authentication and authorization are configured, the device authenticates and authorizes access users based on local user information. In local authentication and authorization, user information, including the local user name, password, and attributes, is configured on the device. Local authentication and authorization feature fast processing and low operation costs. However, the amount of local authentication and authorization information that can be stored is subject to the device hardware capacity.

Configuration Procedure

1. Configure a local server.
   ● Configure a local user: create a local user. The device authenticates the local user using the created user information.
   ● Configure local authorization rules: create authorization rules. The device authorizes the user based on the created authorization rules.
2. Configure and apply AAA schemes.
   ● Configure AAA schemes: configure authentication, authorization, and accounting schemes.
   ● (Optional) Configure a service scheme: user authorization information can also be configured in the service scheme.
   ● Apply the AAA schemes to a domain: the created AAA schemes and service scheme take effect only after they are applied to the domain to which users belong.
3. Verify the configuration.

1.7.1.1 Configuring a Local Server

Context
AAA authentication and authorization can be implemented on a network access server (NAS) or on a separate server. If AAA authentication and authorization are implemented on the NAS, a local AAA server is configured on the NAS. Local authentication features fast processing and low operation costs. However, how much user information can be stored depends on the hardware capacity of the device.
To configure a local server, configure the user authentication and authorization information on the device: configure a local user and configure local authorization.


1.7.1.1.1 Configuring a Local User

Context
When configuring a local user, you can set the number of connections the local user can establish, the local user level, the idle timeout period, and the login time, and allow the local user to change the password.

NOTE

● To ensure device security, enable the password complexity check and change the password periodically.
● After you change a local account's rights (including the password, access type, FTP directory, and level), the rights of users who are already online remain unchanged. The new rights take effect the next time the user goes online.
● Local users' access types include:
  ● Administrative: ftp, http, ssh, telnet, x25-pad, and terminal
  ● Common: 802.1x, bind, ppp, sslvpn, and web
● Telnet and FTP carry credentials and session data in plaintext, so security risks exist if the user login mode is set to Telnet or FTP. You are advised to set the user login mode to STelnet or SFTP and the user access type to SSH.
● When a device starts without any configuration, HTTP uses a randomly generated self-signed certificate to support HTTPS. Clients cannot verify a self-signed certificate, so it may bring risks. You are advised to replace it with an officially issued digital certificate.
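An added example, not from the guide, that audits a saved AR configuration for the weak settings the note above and the feature limitations in 1.4 warn about: authentication-mode none in an authentication scheme, a domain (including default_admin) bound to such a scheme, the password complexity check disabled, and local users whose service-type permits Telnet or FTP. The configuration text is constructed for illustration (the cipher strings are placeholders, not real hashes) and the finding messages are the script's own wording.

```python
"""Audit an AR router AAA configuration for the weak settings this chapter warns about.

Added example, not code from the Huawei guide. The configuration below is
constructed for illustration; the cipher strings are placeholders.
"""

SAMPLE_CONFIG = """\
#
aaa
 authentication-scheme default
 authentication-scheme open
  authentication-mode none
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
  authentication-scheme open
 undo user-password complexity-check
 local-user admin password irreversible-cipher %^%#constructed-placeholder#%^%
 local-user admin service-type ssh http
 local-user netops password cipher %^%#constructed-placeholder#%^%
 local-user netops service-type telnet ftp
 local-user guest1 password cipher %^%#constructed-placeholder#%^%
 local-user guest1 service-type web
#
"""

PLAINTEXT_SERVICES = {"telnet", "ftp"}     # administrative access types without transport protection


def audit(config):
    """Return (severity, finding) tuples in configuration order."""
    findings, none_schemes, block = [], set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            block = None
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        tokens = line.split()
        if indent <= 1:
            block = tokens                     # an aaa-view command or the start of a scheme/domain block
            if line == "undo user-password complexity-check":
                findings.append(("high", "user-password complexity-check is disabled"))
            elif tokens[0] == "local-user" and len(tokens) > 3 and tokens[2] == "service-type":
                weak = PLAINTEXT_SERVICES & set(tokens[3:])
                if weak:
                    findings.append(("high", f"local-user {tokens[1]} allows {'/'.join(sorted(weak))}; "
                                             "use ssh (STelnet/SFTP) instead"))
            continue
        if block is None:
            continue
        if block[0] == "authentication-scheme" and line == "authentication-mode none":
            none_schemes.add(block[1])
            findings.append(("high", f"authentication-scheme {block[1]} uses authentication-mode none"))
        elif block[0] == "domain" and tokens[0] == "authentication-scheme" and tokens[1] in none_schemes:
            findings.append(("critical", f"domain {block[1]} binds scheme {tokens[1]}: "
                                         "any user name and password is accepted"))
    return findings


def count_by_severity(findings):
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the output of display current-configuration saved to a file; the scheme must be defined before the domain that binds it, which is the order the device writes the configuration in.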

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Create a local user.

Procedure: (Optional) Enable the password complexity check.
Command: user-password complexity-check
Description: By default, the password complexity check is enabled.

Procedure: Create a local user name and a password (using either of the commands).
Command: local-user user-name password
Command: local-user user-name password { cipher | irreversible-cipher } password
Description: The default username and password are available in AR Router Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.
The local-user user-name password command should be entered in interactive mode, because entering a plain-text password directly on the command line outside interactive mode poses potential security risks.
If a user name contains a domain name delimiter (such as @, |, or %) and the domain name parsing direction is not configured using the domainname-parse-direction right-to-left command, the character string before the delimiter is considered as the user name, and that after the delimiter is considered as the domain name. If a user name does not contain a domain name delimiter, the entire character string is considered as the user name. By default, common users are authenticated in the domain default, and administrators are authenticated in the domain default_admin.

Procedure: Configure an access type for the local user.
Command: local-user user-name service-type { 8021x | bind | ftp | http | ppp | ssh | sslvpn | telnet | terminal | web | x25-pad } *
Description: By default, all access types are disabled for a local user. The access type configured for portal access users is web.
If the user exists, note that:
● If the irreversible password algorithm is used, the access type can only be administrative.
● If the reversible password algorithm is used, the access type can be common or administrative, but cannot be a combination of common and administrative. In addition, when the access type is set to an administrative type, the password encryption algorithm is automatically changed to the irreversible algorithm.

Procedure: (Optional) Allocate a fixed IP address to the local user.
Command: local-user user-name bind-ip ip-address
Description: By default, no fixed IP address is allocated to the local user.

Step 4 (Optional) Set the user level, user group, access time range, idle timeout period, and number of connections that can be established by the user.

Procedure: Set the local user level.
Command: local-user user-name privilege level level
Description: The default level of a local user is 0.

Procedure: Set the local user group.
Command: local-user user-name user-group group-name
Description: By default, a local user does not belong to any group.

Procedure: Set the access time range for the local user.
Command: local-user user-name time-range time-name
Description: By default, no access time range is configured and the local user can access the network anytime.

Procedure: Set the idle timeout period for the specified user.
Command: local-user user-name idle-timeout minutes [ seconds ] or local-user user-name idle-cut
Description: You can specify the idle timeout period. If the local user is idle for longer than the specified period, the user automatically goes offline.
If the idle timeout period is set to 0 or a large value, the terminal will remain in the login state, resulting in security risks. Instead, you are advised to run the lock command to lock the connection.
To enable idle-cut for common users (NAC or PPP users), run the local-user user-name idle-cut command. To enable idle-cut for administrators, run the local-user user-name idle-timeout minutes [ seconds ] command.

Procedure: Set the maximum number of connections that can be established by the local user.
Command: local-user user-name access-limit max-number
Description: By default, the number of connections that can be established by a user is not limited. To configure the local account to be logged in to on only one terminal, set max-number to 1.

Step 5 (Optional) Configure security of the local user.

Procedure: Enable the local account lock function, and set the retry interval, maximum number of consecutive authentication failures, and account lock period.
Command: local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time
Description: By default, the local account lock function is enabled, the retry interval is 5 minutes, the maximum number of consecutive authentication failures is 3, and the account lock period is 5 minutes.

Configure the password policy for local access users:

Procedure: Enable the password policy for local access users and enter the local access user password policy view.
Command: local-aaa-user password policy access-user
Description: By default, the password policy for local access users is disabled.

Procedure: Set the maximum number of historical passwords recorded for each user.
Command: password history record number number
Description: By default, a maximum of five historical passwords are recorded for each user.

Procedure: Exit the local access user password policy view.
Command: quit
Description: -

Configure the password policy for local administrators:

Procedure: Enable the password policy for local administrators and enter the local administrator password policy view.
Command: local-aaa-user password policy administrator
Description: By default, the password policy of local administrators is disabled.

Procedure: Enable the password expiration prompt function and set the password expiration prompt period.
Command: password alert before-expire day
Description: By default, the system displays a prompt 30 days before the password expires.

Procedure: Enable the initial password change prompt function.
Command: password alert original
Description: By default, the system prompts users to change initial passwords.

Procedure: Enable the password expiration function and set the password validity period.
Command: password expire day
Description: By default, the password validity period is 90 days.

Procedure: Set the maximum number of historical passwords recorded for each user.
Command: password history record number number
Description: By default, a maximum of five historical passwords are recorded for each user.

Procedure: Exit the local administrator password policy view.
Command: quit
Description: -

Step 6 (Optional) Set parameters of access rights for the local user.

Procedure: Configure the FTP directory that FTP users can access.
Command: local-user user-name ftp-directory directory
Description: By default, the FTP directory that FTP users can access is not configured.
If the access type of the local user is FTP, you must configure the FTP directory, and set the local user level to be lower than the management level; otherwise, the FTP user cannot log in to the device.

Procedure: Set the local user state.
Command: local-user user-name state { active | block }
Description: By default, a local user is in the active state.
The device processes requests from users in different states as follows:
● If the local user is in the active state, the device accepts and processes the authentication request from the user.
● If the local user is in the block state, the device rejects the authentication request from the user.

Procedure: Set the expiration date for the local account.
Command: local-user user-name expire-date expire-date
Description: By default, a local account is permanently valid.

Step 7 (Optional) Change the login password of the local user.

Procedure: Return to the user view.
Command: return
Description: -

Procedure: Change the login password of the local user.
Command: local-user change-password
Description: -

----End
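Step 5 above gives four password-policy parameters and their defaults: five recorded historical passwords, a 90-day validity period, a 30-day alert before expiry, and a prompt to change the initial password. The following Python model is an added illustration, not code from Huawei's documentation or device software, of how those rules interact when they are evaluated together on one account. The class and function names, the salted SHA-256 storage of the history (a stand-in for the device's irreversible cipher), the integer day-number clock, and the rule that a password still present in the recorded history is refused are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Knobs from the local password policy views, with the defaults the page states."""
    history_records: int = 5     # password history record number
    expire_days: int = 90        # password expire day
    alert_before_days: int = 30  # password alert before-expire day
    alert_original: bool = True  # password alert original (prompt to change an initial password)


@dataclass
class LocalAccount:
    """Assumed bookkeeping for one local user (not the device's data model).

    The history holds (salt, SHA-256 digest) pairs, newest last, and includes the
    current password, so at most history_records passwords are ever kept.
    """
    username: str
    policy: PasswordPolicy
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    changed_on: Optional[int] = None   # day number of the last password change
    initial_password: bool = False     # True until the user replaces a password set for them

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.sha256(salt + password.encode("utf-8")).digest()

    def _is_recorded(self, password: str) -> bool:
        """True if the candidate matches any password still in the recorded history."""
        return any(hmac.compare_digest(self._digest(salt, password), digest)
                   for salt, digest in self.history)

    def set_password(self, password: str, today: int, initial: bool = False) -> bool:
        """Record a new password on day `today`; refuse one that reuses recorded history.

        initial=True marks a password set by the administrator rather than by the user.
        """
        if self._is_recorded(password):
            return False
        salt = secrets.token_bytes(16)
        self.history.append((salt, self._digest(salt, password)))
        keep = self.policy.history_records
        self.history = self.history[-keep:] if keep > 0 else []
        self.changed_on = today
        self.initial_password = initial
        return True

    def status(self, today: int) -> str:
        """'unset', 'initial' (change prompt), 'expired', 'expiring' (alert window), or 'ok'."""
        if self.changed_on is None:
            return "unset"
        if self.initial_password and self.policy.alert_original:
            return "initial"
        age = today - self.changed_on
        if age >= self.policy.expire_days:
            return "expired"
        if age >= self.policy.expire_days - self.policy.alert_before_days:
            return "expiring"
        return "ok"
```

With the defaults, the alert window opens on day 60 after a change and the password is expired from day 90; an administrator-set password reports "initial" until the user replaces it, and a password only becomes reusable once it has been pushed out of the five-entry history.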

1.7.1.1.2 Configuring Authorization Rules

Context
Table 1-33 describes authorization parameters that can be set locally during local authorization configuration.

Table 1-33 Local authorization parameters

Authorization Parameter: VLAN
Usage Scenario: VLAN-based authorization is easy to deploy and maintenance costs are low. It applies to scenarios where employees in an office or a department have the same access rights.
Description: In local authorization, you only need to configure VLANs and corresponding network resources on the device.
An authorized VLAN cannot be delivered to online Portal users.
After a user is authorized based on a VLAN, the user needs to manually trigger an IP address request using DHCP.

Authorization Parameter: Service scheme
Usage Scenario: A service scheme and corresponding network resources need to be configured on the device.
Description: You need to configure a service scheme and corresponding network resources on the device. A service scheme can be applied to a domain, and users in the domain then can obtain authorization information in the service scheme.

Authorization Parameter: User group
Usage Scenario: A user group consists of users (terminals) with the same attributes, such as the role and rights. For example, according to the enterprise department structure, you can divide users on a campus network into different groups, such as R&D group, finance group, marketing group, and guest group, and apply different security policies to these groups.
Description: In local authorization, all you need to do is configure user groups and corresponding network resources on the device. A user group can be applied to a domain, and users in the domain then can obtain authorization information in the user group.
For details on how to configure a user group, see Configure an authorization user group.

Procedure
● Configure an authorization VLAN.
Configure a VLAN and the network resources in the VLAN on the device.
● Configure a service scheme.
For details on how to configure a service scheme, see 1.7.1.3 (Optional) Configuring a Service Scheme.
● Configure an authorization user group.
For details about how to configure an authorization user group, see the table below.

Procedure: Create a user group and enter the user group view.
Command: user-group group-name
Description: When using a user group in a hot standby scenario or a dual-link backup scenario, specify the user group index, and ensure that the user group name and index specified on the active device are the same as those specified on the standby device.

Procedure: Bind an ACL to the user group.
Command: acl-id acl-number
Description: By default, no ACL is bound to a user group.
The IPv4 ACL to be bound to a user group must have been created using the acl (system view) command.

Procedure: Set the priority for the user group.
Command: remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value } *
Description: By default, the user group priority is not specified.

----End

1.7.1.2 Configuring AAA Schemes

Context
To use local authentication and authorization, set the authentication mode in an
authentication scheme to local authentication and the authorization mode in an
authorization scheme to local authorization.

By default, the device performs local authentication and authorization for access
users.

NOTE

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.

Procedure
● Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme authentication-scheme-name
An authentication scheme is created and the authentication scheme view
is displayed, or an existing authentication scheme view is displayed.
Two default authentication schemes named default and radius are
available on the device. These two authentication schemes can be
modified but not deleted.
d. Run authentication-mode local
The authentication mode is set to local.
By default, local authentication is used.
e. (Optional) Run authentication-super [ hwtacacs | super ] * none
An authentication mode for upgrading user levels is set.
The default mode is super (local authentication).
f. Run quit
The AAA view is displayed.
g. (Optional) Run domainname-parse-direction { left-to-right | right-to-
left }
The direction in which the domain name is parsed is specified.
By default, a domain name is parsed from left to right.
h. Run quit
The system view is displayed.
i. (Optional) Run aaa-authen-bypass enable time time-value
The bypass authentication duration is set.
By default, the bypass authentication function is disabled.
● Configure an authorization scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authorization-scheme authorization-scheme-name
An authorization scheme is created and the authorization scheme view is
displayed, or an existing authorization scheme view is displayed.
A default authorization scheme named default is available on the device.
This authorization scheme can be modified but not deleted.
d. Run authorization-mode local [ none ]
The authorization mode is set.
By default, local authorization is used.
e. Run quit
The AAA view is displayed.
f. (Optional) Run authorization-modify mode { modify | overlay }
The update mode of user authorization information delivered by the authorization server is set.
The default mode is overlay.
g. Run quit
The system view is displayed.
h. (Optional) Run aaa-author-bypass enable time time-value
The bypass authorization duration is set.
By default, the bypass authorization function is disabled.

----End

1.7.1.3 (Optional) Configuring a Service Scheme

Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

By default, no service scheme is configured on the device.

Step 4 Run admin-user privilege level level

The user is configured as the administrator and the administrator level for login is
specified.

The value range of level is from 0 to 15. By default, the user level is not specified.

Step 5 Configure server information.

Step: Configure a DHCP server group.
Command: dhcp-server group group-name
Remarks: By default, no DHCP server group is configured in a service scheme.

Step: Configure the IP address of the primary DNS server.
Command: dns ip-address
Remarks: By default, no primary DNS server is configured in a service scheme.

Step: Configure the IP address of the secondary DNS server.
Command: dns ip-address secondary
Remarks: By default, no secondary DNS server is configured in a service scheme.

Step 6 Configure resources delivered by the server in an Efficient VPN scenario.

Step: Configure the primary WINS server.
Command: wins ip-address
Remarks: By default, no primary WINS server is configured in a service scheme.

Step: Configure the secondary WINS server.
Command: wins ip-address secondary
Remarks: By default, no secondary WINS server is configured in a service scheme.

Step: Configure the URL and version number in the service scheme.
Command: auto-update url url-string version version-number
Remarks: By default, no URL or version number is configured in a service scheme.

Step: Configure the default DNS domain name in the service scheme.
Command: dns-name domain-name
Remarks: By default, no default DNS domain name is configured in a service scheme.

Step: Configure the local subnet information to be sent to the remote end.
Command: route set acl acl-number
Remarks: By default, no local subnet information is sent to the remote end.

Step: Configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end.
Command: route set interface
Remarks: By default, no IP address of the interface bound to the IPSec tunnel is sent to the remote end.

Step 7 Run ip-pool pool-name [ move-to new-position ]

An IP address pool is bound to the service scheme or an existing IP address pool is moved.

By default, no IP address pool is bound to a service scheme.

NOTE

Ensure that the IP address pool has been configured before running this command.

Step 8 Run qos-profile profile-name

A QoS profile is bound to the service scheme.

By default, no QoS profile is bound to a service scheme.

NOTE

Ensure that the QoS profile has been configured before running this command.

Step 9 Run idle-cut idle-time flow-value [ inbound | outbound ]

The idle-cut function is enabled for domain users and the idle-cut parameters are
set.

By default, the idle-cut function is disabled for domain users.

NOTE

The idle-cut function takes effect only after the idle time and traffic threshold are configured. To
configure the traffic threshold, run the idle-cut idle-time flow-value command. To configure the
idle time, use the value of idle-time configured on the device or the value (carried in RADIUS
attribute 28 Idle-Timeout) authorized by the RADIUS server. If both values exist, the value
authorized by the RADIUS server has a higher priority.
The idle-cut command configured in the service scheme view takes effect only for
administrators and PPPoE users.

----End

1.7.1.4 Applying AAA Schemes to a Domain

Context
The created authentication and authorization schemes take effect only after being
applied to a domain. When local authentication and authorization are used, the
default accounting scheme non-accounting is used.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name [ domain-index domain-index ]

A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.

The device has two default domains:
● default: Used by common access users
● default_admin: Used by administrators

NOTE

● If a user enters a user name that does not contain a domain name, the user is authenticated
in the default domain. In this case, you need to run the domain domain-name [ admin ]
command and set domain-name to configure a global default domain on the device.
● If a user enters a user name that contains a domain name during authentication, the user
must enter the correct value of domain-name.

Step 4 Apply AAA schemes to the domain.

Procedure: Apply an authentication scheme to the domain.
Command: authentication-scheme authentication-scheme-name
Description: By default, the authentication scheme named radius is applied to the default domain, the authentication scheme named default is applied to the default_admin domain, and the authentication scheme named default is applied to other domains.

Procedure: Apply an authorization scheme to the domain.
Command: authorization-scheme authorization-scheme-name
Description: By default, no authorization scheme is applied to a domain.

Step 5 Configure local authorization rules.

Procedure: (Optional) Apply a user group to the domain.
Command: user-group group-name
Description: By default, no user group is applied to a domain.

Procedure: (Optional) Apply a service scheme to the domain.
Command: service-scheme service-scheme-name
Description: By default, no service scheme is applied to a domain.

Step 6 (Optional) Specify the domain state and enable traffic statistics collection for the domain.

Procedure: Specify the domain state.
Command: state { active | block [ time-range time-name &<1-4> ] }
Description: When a domain is in the blocking state, users in this domain cannot log in. By default, a created domain is in the active state.

Step 7 (Optional) Run statistic enable

Traffic statistics collection is enabled for users in the domain.

By default, traffic statistics collection is disabled for users in a domain.

Step 8 (Optional) Configure a domain name parsing scheme. (If domain name parsing is configured in both the AAA view and authentication profile view, the device preferentially uses the configuration in the authentication profile. The configuration in the authentication profile applies only to wireless users.)

Procedure: Exit from the domain view.
Command: quit
Description: -

In the AAA view:

Procedure: Specify the domain name parsing direction.
Command: domainname-parse-direction { left-to-right | right-to-left }
Description: The domain name can be parsed from left to right, or from right to left. By default, the domain name is parsed from left to right.

Procedure: Set the domain name delimiter.
Command: domain-name-delimiter delimiter
Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.

Procedure: Specify the domain name location.
Command: domain-location { after-delimiter | before-delimiter }
Description: The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.

Procedure: Set the security string delimiter.
Command: security-name-delimiter delimiter
Description: The default security string delimiter is * (asterisk).

----End
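Both the local-user password description in 1.7.1.1.1 and Step 8 above describe how a login string is split into a user name and a domain name: the delimiter, the parse direction, the domain location, and the fallback to the default or default_admin domain when no delimiter is present. The Python function below is an added example, not code from Huawei's documentation or device software, that applies those settings to sample logins and then picks the default authentication scheme that Step 4 states for the resulting domain. The interpretation that the parse direction selects the first or the last occurrence of the delimiter, the rejection of an empty user or domain part, and the class and function names are assumptions of this example; the security string delimiter is not modeled.

```python
from dataclasses import dataclass
from typing import Tuple

# The delimiters the page lists as valid values for domain-name-delimiter.
ALLOWED_DELIMITERS = frozenset("\\/:<>|@'%")


@dataclass(frozen=True)
class DomainParseConfig:
    """AAA-view settings from Step 8, initialised to the defaults the page states."""
    delimiter: str = "@"                          # domain-name-delimiter
    direction: str = "left-to-right"              # domainname-parse-direction
    location: str = "after-delimiter"             # domain-location
    default_domain: str = "default"               # common users without a domain
    default_admin_domain: str = "default_admin"   # administrators without a domain

    def __post_init__(self) -> None:
        if self.delimiter not in ALLOWED_DELIMITERS:
            raise ValueError(f"unsupported delimiter {self.delimiter!r}")
        if self.direction not in ("left-to-right", "right-to-left"):
            raise ValueError(f"unsupported direction {self.direction!r}")
        if self.location not in ("after-delimiter", "before-delimiter"):
            raise ValueError(f"unsupported location {self.location!r}")


def split_login(login: str, cfg: DomainParseConfig, is_admin: bool = False) -> Tuple[str, str, bool]:
    """Split a login string into (user_name, domain_name, domain_was_explicit).

    Assumption of this example: the parse direction decides which occurrence of the
    delimiter is used (the first one scanning from the left, or the first one scanning
    from the right), so a login containing the delimiter twice splits differently under
    the two settings. The location setting then decides which side is the domain.
    """
    if cfg.direction == "left-to-right":
        idx = login.find(cfg.delimiter)
    else:
        idx = login.rfind(cfg.delimiter)
    if idx < 0:
        # No delimiter: the whole string is the user name and the default domain applies.
        fallback = cfg.default_admin_domain if is_admin else cfg.default_domain
        return login, fallback, False
    before, after = login[:idx], login[idx + 1:]
    user, domain = (before, after) if cfg.location == "after-delimiter" else (after, before)
    if not user or not domain:
        # Assumption: an empty user or domain part is a malformed login and is rejected.
        raise ValueError(f"malformed login {login!r}")
    return user, domain, True


def is_well_formed(login: str, cfg: DomainParseConfig) -> bool:
    """True if split_login accepts the login under the given settings."""
    try:
        split_login(login, cfg)
    except ValueError:
        return False
    return True


def default_authentication_scheme(domain: str) -> str:
    """Default scheme-to-domain mapping stated in Step 4 of 1.7.1.4: the domain named
    default uses the radius scheme; default_admin and every other domain use default."""
    return "radius" if domain == "default" else "default"
```

The point worth checking with this model is that a login such as alice@corp@hq lands in different domains under left-to-right and right-to-left parsing, and that a user name carrying a different delimiter than the configured one is treated as having no domain at all and falls back to default or default_admin.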

1.7.1.5 Verifying the Local Authentication and Authorization Configuration

Procedure
● Run the display aaa configuration command to check the AAA summary.
● Run the display authentication-scheme [ authentication-scheme-name ] command to verify the authentication scheme configuration.
● Run the display authorization-scheme [ authorization-scheme-name ] command to verify the authorization scheme configuration.
● Run the display access-user [ domain domain-name | interface interface-
type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-
address [ vpn-instance vpn-instance-name ] | ipv6-address ipv6-address |
access-slot slot-id | user-group user-group-name | username user-name ]
[ detail ], display access-user [ mac-address mac-address | service-scheme
service-scheme-name | user-id user-id | statistics | ssid ssid-name ], or
display access-user access-type { admin [ ftp | ssh | telnet | terminal |
web ] | ppp | l2tp } [ username user-name ] command to check the
summary of online users.
● Run the display domain [ name domain-name ] command to verify the
domain configuration.
● Run the display local-user [ domain domain-name | state { active | block } |
username username ] * command to check the brief information about local
users.
● Run the display local-user expire-time command to verify the time when
the local account expires.
● Run the display aaa statistics access-type-authenreq command to verify the
number of authentication requests.

----End

1.7.2 Using RADIUS to Perform Authentication, Authorization, and Accounting
RADIUS Authentication, Authorization, and Accounting
Remote Authentication Dial-In User Service (RADIUS) is often used to implement
authentication, authorization, and accounting (AAA). It uses the client/server
model and prevents unauthorized access to networks that require high security
and control of remote user access.

Configuration Procedure

1.7.2.1 Configuring an AAA Scheme

Context
An AAA scheme defines the authentication, authorization, and accounting modes
used by users. If RADIUS AAA is used, set the authentication mode to RADIUS in
the authentication scheme, and set the accounting mode to RADIUS in the
accounting scheme. RADIUS authentication is combined with authorization and
cannot be separated. If authentication succeeds, authorization also succeeds. If
RADIUS authentication is used, you do not need to configure an authorization
scheme.

To prevent authentication failures caused by no response from a single authentication mode, configure local authentication or non-authentication as the backup authentication mode in the authentication scheme.

NOTE

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.

Procedure
● Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme scheme-name
An authentication scheme is created and the authentication scheme view
is displayed, or the view of an existing authentication scheme is
displayed.
By default, two authentication schemes named default and radius are
available on the device. The two schemes can only be modified, but
cannot be deleted.
d. Run authentication-mode radius
The authentication mode is set to RADIUS.
By default, local authentication is used.
To configure local authentication as the backup authentication mode, run
the authentication-mode radius local command.
e. Run quit
Return to the AAA view.
f. (Optional) Configure the account locking function.
i. Run remote-aaa-user authen-fail retry-interval retry-interval
retry-time retry-time block-time block-time
The remote AAA authentication account locking function is enabled,
and the authentication retry interval, maximum number of
consecutive authentication failures, and account locking period are
configured.
By default, the remote AAA account locking function is enabled, the
authentication retry interval is 300 minutes, the maximum number
of consecutive authentication failures is 30, and the account locking
period is 30 minutes.
ii. Run remote-user authen-fail unblock { all | username username }
A remote AAA authentication account that has failed authentication
is unlocked.
g. (Optional) Run aaa-author session-timeout invalid-value enable
The device is disabled from disconnecting or reauthenticating users when the RADIUS server delivers the Session-Timeout attribute with value 0.
By default, when the RADIUS server delivers the Session-Timeout attribute with value 0, this attribute does not take effect.
h. Run quit
Return to the system view.
i. (Optional) Run aaa-authen-bypass enable time time-value
The bypass authentication timeout interval is configured.
By default, the bypass authentication function is disabled.
● Configure an accounting scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run accounting-scheme accounting-scheme-name
An accounting scheme is created and the accounting scheme view is
displayed, or the view of an existing accounting scheme is displayed.
By default, the accounting scheme named default is available on the
device. This scheme can only be modified, but cannot be deleted.
d. Run accounting-mode radius
The accounting mode is set to RADIUS.
By default, the accounting mode is none.
e. (Optional) Configure policies for accounting failures.

▪ Configure a policy for accounting-start failures.


Run accounting start-fail { offline | online }
A policy for accounting-start failures is configured.
By default, users cannot go online if accounting-start fails.

▪ Configure a policy for real-time accounting failures.


1) Run accounting realtime interval
The real-time accounting function is enabled, and the interval
for real-time accounting is configured.
By default, the device performs accounting based on the user
online duration, and the real-time accounting function is
disabled.
2) Run accounting interim-fail [ max-times times ] { offline |
online }
The maximum number of real-time accounting failures and a
policy used after the number of real-time accounting failures
exceeds the maximum are configured.
By default, the maximum number of real-time accounting
failures is 3, and the device keeps users online after the number
of real-time accounting failures exceeds the maximum.


▪ Configure a policy for accounting-stop failures.


1) Run quit
Return to the AAA view.
2) Run quit
Return to the system view.
3) Run radius-server template template-name
The RADIUS server template view is displayed.
4) Run radius-server accounting-stop-packet resend [ resend-
times ]
Retransmission of accounting-stop packets is enabled, and the
number of accounting-stop packets that can be retransmitted
each time is configured.
By default, retransmission of accounting-stop packets is enabled,
and the retransmission times is 3.
f. (Optional) Run quit
Return to the system view.
g. (Optional) Run authentication-profile name authentication-profile-
name
The authentication profile view is displayed.
By default, the device has six built-in authentication profiles:
default_authen_profile, dot1x_authen_profile, mac_authen_profile,
portal_authen_profile, dot1xmac_authen_profile, and
multi_authen_profile.
h. (Optional) Run authentication { roam-accounting | update-ip-
accounting } * enable
The device is configured to send accounting packets upon roaming and
address updating.
By default, the device sends accounting packets upon roaming and
address updating.
----End
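Both the local-aaa-user wrong-password command in 1.7.1.1.1 and the remote-aaa-user authen-fail command in step f above lock an account after a number of consecutive authentication failures inside a retry interval, and differ only in their defaults (5 minutes, 3 failures and a 5-minute lock locally; 300 minutes, 30 failures and a 30-minute lock for remote AAA). The Python class below is an added example, not code from Huawei's documentation or device software, that simulates that lock logic together with the unblock command, using an injected clock in minutes so the timing can be checked. The windowing rule for what counts as consecutive, the reset on a successful authentication, the class and function names, and the constructed credential check are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class LockPolicy:
    """retry-interval / retry-time / block-time, all times in minutes as on the page."""
    retry_interval: int
    retry_time: int
    block_time: int


# Defaults the page states for the two commands.
LOCAL_DEFAULT = LockPolicy(retry_interval=5, retry_time=3, block_time=5)        # local-aaa-user wrong-password
REMOTE_DEFAULT = LockPolicy(retry_interval=300, retry_time=30, block_time=30)   # remote-aaa-user authen-fail


@dataclass
class _AccountState:
    failures: List[float] = field(default_factory=list)  # minutes at which failures occurred
    blocked_until: Optional[float] = None


class AccountLocker:
    """Tracks consecutive authentication failures per account and locks the account.

    Assumptions: failures count as consecutive while they fall within one retry
    interval of the attempt being evaluated; a successful authentication clears the
    counter; a locked account rejects every attempt, right or wrong, until block_time
    has elapsed or an administrator unblocks it.
    """

    def __init__(self, policy: LockPolicy, verify: Callable[[str, str], bool]):
        self.policy = policy
        self._verify = verify     # the real credential check lives elsewhere
        self._state: Dict[str, _AccountState] = {}

    def is_blocked(self, username: str, now: float) -> bool:
        st = self._state.get(username)
        if st is None or st.blocked_until is None:
            return False
        if now >= st.blocked_until:
            st.blocked_until = None   # lock period has elapsed
            return False
        return True

    def authenticate(self, username: str, password: str, now: float) -> str:
        """Return 'blocked', 'accept' or 'reject' for an attempt made at minute `now`."""
        if self.is_blocked(username, now):
            return "blocked"
        st = self._state.setdefault(username, _AccountState())
        if self._verify(username, password):
            st.failures.clear()
            return "accept"
        # Forget failures older than one retry interval, then record this one.
        st.failures = [t for t in st.failures if now - t < self.policy.retry_interval]
        st.failures.append(now)
        if len(st.failures) >= self.policy.retry_time:
            st.blocked_until = now + self.policy.block_time
            st.failures.clear()
        return "reject"

    def unblock(self, username: Optional[str] = None) -> None:
        """Mirror of remote-user authen-fail unblock { all | username username }."""
        targets = [username] if username else list(self._state)
        for name in targets:
            if name in self._state:
                self._state[name].blocked_until = None
                self._state[name].failures.clear()


def demo_credentials(username: str, password: str) -> bool:
    """Constructed stand-in for the user database; the values are sample data only."""
    return (username, password) == ("alice", "correct-horse-1")
```

Run against the local defaults, three wrong passwords inside five minutes lock the account so that even the correct password is answered with "blocked" until the fifth minute after the lock; failures spread more than five minutes apart never add up to a lock, which is the behaviour to expect when reviewing authentication logs for slow guessing.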

Verifying the Configuration


● Run the display authentication-scheme [ authentication-scheme-name ]
command to view the authentication scheme configuration.
● Run the display accounting-scheme [ accounting-scheme-name ] command
to view the accounting scheme configuration.

1.7.2.2 Configuring a RADIUS Server Template

Context
You can specify the RADIUS server connected to the device in a RADIUS server
template. Such a template contains the server IP address, port number, source
interface, and shared key settings.


The settings in a RADIUS server template must be the same as those on the
RADIUS server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server template template-name

The RADIUS server template view is displayed.

By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.

Step 3 Configure RADIUS authentication and accounting servers.

● Configure a RADIUS authentication server.
– IPv4 server: radius-server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *
– IPv6 server: radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *
By default, no RADIUS authentication server is configured.
● Configure a RADIUS accounting server.
– IPv4 server: radius-server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] *
– IPv6 server: radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *
By default, no RADIUS accounting server is configured.

Step 4 Run radius-server shared-key cipher key-string

The shared key of the RADIUS server is configured.

The default username and password are available in AR Router Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

NOTE

When a RADIUS server is configured in multiple RADIUS server templates:


● If the RADIUS server templates use different shared keys, you need to configure the shared
keys in each RADIUS server template view.
● If the RADIUS server templates use the same shared key, you can configure the shared key in
the system view using the radius-server ip-address { ipv4-address | ipv6-address } shared-
key cipher key-string command.
● When shared keys are configured in both the RADIUS server template view and system view,
the configuration in the system view takes effect.

Step 5 (Optional) Run radius-server algorithm { loading-share [ based-user ] | master-backup }

The algorithm for selecting RADIUS servers is configured.
By default, the algorithm for selecting RADIUS servers is primary/secondary (specified by master-backup).
When multiple authentication or accounting servers are configured in a RADIUS
server template, the device selects RADIUS servers based on the configured
algorithm and the weight configured for each server.
● When the algorithm for selecting RADIUS servers is set to primary/secondary,
the server with a larger weight is the primary server. If servers have the same
weight, the server configured first is the primary server.
● If the algorithm for selecting RADIUS servers is set to load balancing, packets
are sent to RADIUS servers according to weights of the servers.

Step 6 (Optional) Run radius-server { retransmit retry-times | timeout time-value } *

The number of times that RADIUS request packets are retransmitted and the
timeout interval are set.
By default, RADIUS request packets can be retransmitted three times, and the
timeout interval is 5 seconds.
Step 7 (Optional) Configure the format of the user name in packets sent from the device
to the RADIUS server.
● Run radius-server user-name domain-included
The device is configured to encapsulate the domain name in the user name in
the RADIUS packets sent to a RADIUS server.
● Run radius-server user-name original
The device is configured not to modify the user name entered by a user in the
RADIUS packets sent to a RADIUS server.
● Run undo radius-server user-name domain-included
The device is configured not to encapsulate the domain name in the user
name in the RADIUS packets sent to a RADIUS server.
● Run undo radius-server user-name domain-included except-eap
The device is configured not to encapsulate the domain name in the user
name in the RADIUS packets sent to a RADIUS server (applicable to other
authentication modes except EAP authentication).
By default, the device does not modify the user name entered by a user in the
RADIUS packets sent to a RADIUS server.

Step 8 (Optional) Run radius-server traffic-unit { byte | kbyte | mbyte | gbyte }
The traffic unit used by the RADIUS server is configured.
By default, the RADIUS traffic unit is byte on the device.
Step 9 (Optional) Run radius-attribute service-type with-authenonly-reauthen
The reauthentication mode is set to reauthentication only.
By default, the reauthentication mode is reauthentication and reauthorization.
This function takes effect when the Service-Type attribute on the RADIUS server is
set to Authenticate Only.

----End

Verifying the Configuration


Run the display radius-server configuration [ template template-name ]
command to check the RADIUS server template configuration.

Verifying the Connectivity Between the Device and RADIUS Server


Run the test-aaa user-name user-password radius-template template-name [ chap | pap | accounting [ start | realtime | stop ] ] command to check the connectivity between the device and the RADIUS authentication or accounting server. The authentication or accounting server can authenticate or account for users only when it is reachable from the device.
If an error message is displayed in the command output, troubleshoot the fault by referring to Testing Whether a User Can Pass RADIUS Authentication or Accounting.

1.7.2.3 (Optional) Configuring the RADIUS Server Status Detection Function

Context
A device can detect the RADIUS server status using the RADIUS server status
detection function. If the RADIUS server status is Down, users can obtain escape
rights. If the RADIUS server status reverts to Up, escape rights are removed from
the users and the users are reauthenticated.

Procedure
● Configure conditions for setting the RADIUS server status to Down.
– Conditions for setting the RADIUS server status to Down during the
RADIUS server status detection.
i. Run system-view
The system view is displayed.
ii. Run radius-server { dead-interval dead-interval | dead-count dead-count }
The RADIUS server detection interval and maximum number of consecutive unacknowledged packets in each detection interval are configured.

iii. Run the return command to return to the user view.


● (Optional) Configure the automatic detection function.
a. Run system-view
The system view is displayed.
b. Run radius-server template template-name
The RADIUS server template view is displayed.
c. Run radius-server testuser username user-name password cipher
password
A user account for automatic RADIUS server detection is created.
By default, no RADIUS template-based user account for automatic
detection is configured.
After the user account for automatic RADIUS server detection is created,
the automatic detection function is enabled.
d. (Optional) Run radius-server detect-server interval interval
The automatic detection interval for RADIUS servers is configured.
By default, the automatic detection interval for RADIUS servers is 60
seconds.
e. Run the return command to return to the user view.
● (Optional) Configure the duration for which a RADIUS server remains Down,
namely, configure the Force-up timer.
NOTE

After the RADIUS server status is set to Force-up, if automatic detection is enabled, the device immediately sends a detection packet. If the device receives a response packet from the RADIUS server within the timeout period, it sets the RADIUS server status to Up; otherwise, it sets the RADIUS server status to Down.

a. Run system-view
The system view is displayed.
b. Run radius-server template template-name
The RADIUS server template view is displayed.
c. Run radius-server dead-time dead-time
The Force-up timer for RADIUS servers is configured.
By default, the Force-up timer for RADIUS servers is 5 minutes.
d. Run the return command to return to the user view.
● (Optional) Configure status synchronization between RADIUS authentication
and accounting servers.
a. Run system-view
The system view is displayed.
b. Run the radius-server dead-detect-condition by-server-ip command to
configure IP address-based automatic detection for RADIUS servers.
By default, RADIUS authentication and accounting servers are detected separately. After this function is configured, RADIUS authentication and accounting servers with the same IP address in the same VPN instance are detected together and their statuses are updated at the same time.

c. Run the return command to return to the user view.


----End

Verifying the Configuration


● Run the display radius-server { dead-interval | dead-count } command to
check configuration information about the RADIUS server detection interval
and maximum number of consecutive unacknowledged packets in each
detection interval.
● Run the display radius-server configuration command to check
configuration information about the user account for automatic detection,
detection interval, and timeout period for detection packets in the RADIUS
server template.

Follow-up Procedure
1. Run the authentication event authen-server-down action authorize
command in the authentication profile view to configure the user escape
function if the authentication server goes Down. For details, see 3.6.3.4
(Optional) Configuring Authentication Event Authorization Information
in NAC Configuration.
2. Run the authentication event authen-server-up action re-authen
command in the authentication profile view to configure the reauthentication
function after the authentication server reverts to the Up status. For details,
see 3.6.3.6 (Optional) Configuring Re-authentication for Users in NAC
Configuration.
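
The server selection configured in Steps 5 and 6 of 1.7.2.2 (algorithm, weight, retransmit and timeout) and the Down, Force-up and by-server-ip handling described in this section, as an added example. This is a Python simulation written for this guide, not code from the Huawei guide or from the device. The class and function names, the dead-interval and dead-count values, the rule that a weight of 0 still receives one share under loading-share, and the rule that every unanswered packet (first transmission or retransmission) counts toward dead-count are assumptions made for the example, not documented device behaviour.

```python
import zlib
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    ip: str
    weight: int = 0
    status: str = "Up"          # Up, Down or Force-up
    unacked: int = 0            # unanswered packets in the current dead-interval window
    window_start: float = 0.0
    down_since: float = 0.0


@dataclass
class RadiusTemplate:
    """Settings of one radius-server template; field names mirror the CLI keywords."""
    auth: list                                  # radius-server authentication ... weight ...
    acct: list = field(default_factory=list)    # radius-server accounting ... weight ...
    algorithm: str = "master-backup"            # or "loading-share" / "loading-share based-user"
    retransmit: int = 3                         # radius-server retransmit (guide default: 3)
    timeout: int = 5                            # radius-server timeout in seconds (guide default: 5)
    dead_interval: int = 30                     # radius-server dead-interval (value chosen for the example)
    dead_count: int = 3                         # radius-server dead-count (value chosen for the example)
    dead_time: int = 300                        # radius-server dead-time, the Force-up timer (guide default: 5 min)
    by_server_ip: bool = False                  # radius-server dead-detect-condition by-server-ip


def max_wait(t: RadiusTemplate) -> int:
    """Seconds spent on one server before giving up: the first send plus
    `retransmit` retries, each waiting `timeout` for an answer."""
    return t.timeout * (t.retransmit + 1)


def select_server(t: RadiusTemplate, pool: list, user: str = "", counter: int = 0):
    """Pick the server for the next request; Down servers are skipped."""
    usable = [s for s in pool if s.status != "Down"]
    if not usable:
        return None
    if t.algorithm == "master-backup":
        # Largest weight is primary; sorted() is stable, so equal weights
        # keep configuration order, as the guide describes.
        return sorted(usable, key=lambda s: -s.weight)[0]
    # loading-share: weighted distribution. Weight 0 is treated as 1 so the
    # server still gets a share (assumption for this example).
    shares = [max(s.weight, 1) for s in usable]
    key = zlib.crc32(user.encode()) if user and "based-user" in t.algorithm else counter
    point = key % sum(shares)
    for server, share in zip(usable, shares):
        point -= share
        if point < 0:
            return server
    return usable[-1]


def _peers(t: RadiusTemplate, server: RadiusServer) -> list:
    """Servers whose status moves together: with by-server-ip, the
    authentication and accounting servers that share an IP address."""
    if not t.by_server_ip:
        return [server]
    return [s for s in t.auth + t.acct if s.ip == server.ip]


def no_response(t: RadiusTemplate, server: RadiusServer, now: float) -> None:
    """Record one unanswered packet (first send or retransmission); dead-count
    of them inside one dead-interval window sets the server and its peers Down."""
    if now - server.window_start > t.dead_interval:
        server.window_start, server.unacked = now, 0
    server.unacked += 1
    if server.unacked >= t.dead_count:
        for s in _peers(t, server):
            s.status, s.down_since, s.unacked = "Down", now, 0


def got_response(t: RadiusTemplate, server: RadiusServer) -> None:
    """A reply clears the failure count and marks the server Up."""
    for s in _peers(t, server):
        s.status, s.unacked = "Up", 0


def tick(t: RadiusTemplate, now: float) -> None:
    """Force-up timer: after dead-time seconds a Down server becomes Force-up,
    so the NAS tries it again (or probes it with the detection user account)."""
    for s in t.auth + t.acct:
        if s.status == "Down" and now - s.down_since >= t.dead_time:
            s.status = "Force-up"


def escape_needed(t: RadiusTemplate) -> bool:
    """True when every authentication server is Down: the condition under which
    'authentication event authen-server-down action authorize' grants escape
    rights, and an event worth alerting on, since users then bypass the server."""
    return all(s.status == "Down" for s in t.auth)


def demo():
    """Primary fails three times, the NAS fails over to the backup, the accounting
    server with the same IP follows it Down (by-server-ip), and the Force-up
    timer fires after dead-time seconds."""
    t = RadiusTemplate(auth=[RadiusServer("10.1.1.10", weight=80), RadiusServer("10.1.1.11", weight=40)],
                       acct=[RadiusServer("10.1.1.10", weight=80)], by_server_ip=True)
    primary = select_server(t, t.auth)
    for now in (0, 5, 10):                      # three unanswered packets, one timeout apart
        no_response(t, primary, now)
    backup = select_server(t, t.auth)
    acct_status = t.acct[0].status
    tick(t, 10 + t.dead_time)
    return primary.ip, backup.ip, acct_status, t.auth[0].status
```

With the guide's defaults (retransmit 3, timeout 5 seconds) `max_wait` is 20 seconds per server, so a user waits that long before the NAS moves to the backup; `escape_needed` is the state in which the follow-up commands above decide whether users get escape rights, which is why an all-servers-Down transition deserves a log entry and an alert.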

1.7.2.4 (Optional) Configuring RADIUS Attributes

1.7.2.4.1 Disabling or Translating RADIUS Attributes

Context
RADIUS attributes supported by different vendors are incompatible with each
other, so RADIUS attributes must be disabled or translated in interoperation and
replacement scenarios.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-server attribute translate
The RADIUS attribute disabling and translation functions are enabled.

By default, the RADIUS attribute disabling and translation functions are disabled.

Step 4 Run radius-attribute disable attribute-name { receive | send } *
A RADIUS attribute is disabled.
By default, no RADIUS attribute is disabled.
Step 5 Configure the RADIUS attribute to be translated.
● radius-attribute translate src-attribute-name dest-attribute-name { receive |
send | access-accept | access-request | account-request | account-
response } *
● radius-attribute translate extend vendor-specific src-vendor-id src-sub-id
dest-attribute-name { access-accept | account-response } *
● radius-attribute translate extend src-attribute-name vendor-specific dest-
vendor-id dest-sub-id { access-request | account-request } *
By default, no RADIUS attribute is translated.

----End

Verifying the Configuration


● Run the display radius-attribute [ name attribute-name | type { attribute-
number1 | huawei attribute-number2 | microsoft attribute-number3 |
dslforum attribute-number4 } ] command to check the RADIUS attributes
supported by the device.
● Run the display radius-attribute [ template template-name ] disable
command to check the disabled RADIUS attributes.
● Run the display radius-attribute [ template template-name ] translate
command to check the RADIUS attribute translation configuration.

1.7.2.4.2 Configuring the RADIUS Attribute Check Function

Context
After the RADIUS attribute check function is configured, the device checks whether
the received RADIUS Access-Accept packets contain the specified attributes. If so,
the device considers that authentication is successful; if not, the device considers
that authentication fails and discards the packets.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-attribute check attribute-name

The device is configured to check whether the received RADIUS Access-Accept packets contain the specified attribute.
By default, the device does not check whether RADIUS Access-Accept packets
contain the specified attribute.

----End

1.7.2.4.3 Modifying the Value of a RADIUS Attribute

Context
The value of the same RADIUS attribute may vary on RADIUS servers from
different vendors. Therefore, RADIUS attribute values need to be modified, so that
a Huawei device can successfully communicate with a third-party RADIUS server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-attribute set attribute-name attribute-value [ auth-type mac | user-
type ipsession ]
The value of a RADIUS attribute is modified.
By default, values of RADIUS attributes are not modified.

----End

1.7.2.4.4 Configuring Standard RADIUS Attributes

Context
For details about RADIUS attributes supported by the device, see RADIUS
Attributes. The content or format of some standard RADIUS attributes can be
configured.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.

Step 3 Configure standard RADIUS attributes.

● Configure RADIUS attribute 4 (NAS-IP-Address) or 95 (NAS-IPv6-Address).
– Run radius-attribute nas-ip ip-address
RADIUS attribute 4 (NAS-IP-Address) is configured.
By default, the source IP address of the NAS is the value of the NAS-IP-
Address attribute.
– Run radius-attribute nas-ipv6 ipv6-address
RADIUS attribute 95 (NAS-IPv6-Address) is configured.
By default, the NAS-IPv6-Address attribute is not configured.
● Configure RADIUS attribute 5 (NAS-Port).
a. Run radius-server nas-port-format { new | old }
The format of the NAS port is configured.
By default, the new NAS port format is used.
When the new NAS port format is used, you can perform the following
operation to configure the specific format.
b. Run radius-server format-attribute nas-port nas-port-string
The new NAS port format is configured.
By default, the default new NAS port format is used.
● Configure RADIUS attribute 30 (Called-Station-Id).
a. Run called-station-id mac-format { dot-split | hyphen-split } [ mode1 |
mode2 ] [ lowercase | uppercase ]
Or run called-station-id mac-format unformatted [ lowercase |
uppercase ]
The encapsulation format of the MAC address in the Called-Station-Id
(30) attribute is configured.
By default, the MAC address format in the Called-Station-Id (30)
attribute is XX-XX-XX-XX-XX-XX, in uppercase.
● Configure RADIUS attribute 31 (Calling-Station-Id).
Run calling-station-id mac-format { dot-split | hyphen-split | colon-split } [ mode1 | mode2 ] [ lowercase | uppercase ]
Or run calling-station-id mac-format { unformatted [ lowercase | uppercase ] | bin }
The encapsulation format of the MAC address in the Calling-Station-Id (31) attribute is configured.
By default, the MAC address format in the Calling-Station-Id (31) attribute is xxxx-xxxx-xxxx, in lowercase.
● Configure RADIUS attribute 32 (NAS-Identifier).
Run radius-server nas-identifier-format { hostname | vlan-id }
The encapsulation format of the NAS-Identifier attribute is configured.
By default, the NAS-Identifier encapsulation format is the device's hostname.
● Configure RADIUS attribute 80 (Message-Authenticator).
Run radius-server attribute message-authenticator access-request

The device is configured to carry RADIUS attribute 80 (Message-Authenticator) in RADIUS authentication packets.
By default, the device does not carry RADIUS attribute 80 (Message-Authenticator) in RADIUS authentication packets.
● Configure RADIUS attribute 87 (NAS-Port-Id).
Run radius-server nas-port-id-format { new | old }
The format of the NAS-Port-Id attribute is configured.
By default, the new format of the NAS-Port-Id attribute is used.

----End
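
The Message-Authenticator attribute (80) of Step 3 above and the Access-Accept attribute check of 1.7.2.4.2, as an added Python example that is not code from the Huawei guide or from the device. It frames an Access-Request as RFC 2865 describes, computes attribute 80 as HMAC-MD5 over the packet under the shared key (RFC 2869), verifies the Response Authenticator and Message-Authenticator of an Access-Accept, and refuses an Accept that lacks an attribute the NAS requires. The function names, the shared key and the sample attribute values are constructed for the example; the attribute numbers are the standard RFC values. Requiring attribute 80 on responses is a deliberately strict choice of this example rather than a setting taken from the guide, and the Calling-Station-Id helper reproduces only the guide's default xxxx-xxxx-xxxx lowercase format.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, FILTER_ID, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 4, 11, 31, 80


def calling_station_id(mac: bytes) -> bytes:
    """Attribute 31 in the guide's default format: xxxx-xxxx-xxxx, lowercase."""
    h = mac.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}".encode()


def encode_attrs(attrs) -> bytes:
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes((t, len(v) + 2)) + v           # Type, Length (header included), Value
    return bytes(out)


def decode_attrs(body: bytes) -> list:
    """Parse TLVs, refusing lengths that would run past the packet."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_packet(code, ident, authenticator, attrs, secret=None) -> bytes:
    """Serialize a packet; with `secret`, append attribute 80 = HMAC-MD5(secret,
    whole packet with the 16-byte value zeroed), as RFC 2869 requires."""
    if secret is not None:
        attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # attr 80 is last
    return pkt


def response_authenticator(resp: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()


def build_response(code, ident, request_auth, attrs, secret, sign=True) -> bytes:
    """Server side: attribute 80 of a response is keyed over the Request
    Authenticator; the header then carries the Response Authenticator."""
    pkt = build_packet(code, ident, request_auth, attrs, secret if sign else None)
    return pkt[:4] + response_authenticator(pkt, request_auth, secret) + pkt[20:]


def verify_message_authenticator(pkt, secret, request_auth=None) -> bool:
    """Recompute attribute 80; for responses the authenticator field is
    replaced by the matching request's authenticator (RFC 2869 section 5.14)."""
    off = 20                                        # offset of the first attribute
    for t, v in decode_attrs(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return False
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            if request_auth is not None:
                zeroed = zeroed[:4] + request_auth + zeroed[20:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        off += 2 + len(v)
    return False                                    # attribute absent


def accept_is_trusted(resp, request_auth, secret, required=()) -> bool:
    """NAS-side acceptance: valid Response Authenticator, valid attribute 80,
    and every attribute named by radius-attribute check present."""
    if len(resp) < 20 or resp[0] != ACCESS_ACCEPT:
        return False
    if not hmac.compare_digest(resp[4:20], response_authenticator(resp, request_auth, secret)):
        return False
    if not verify_message_authenticator(resp, secret, request_auth):
        return False
    present = {t for t, _ in decode_attrs(resp[20:])}
    return all(t in present for t in required)


def demo(secret=b"Huawei@123"):          # constructed shared key for the example
    request_auth = bytes(range(16))      # 16 random bytes on a real NAS; fixed here
    req = build_packet(ACCESS_REQUEST, 7, request_auth,
                       [(USER_NAME, b"alice@corp"), (NAS_IP_ADDRESS, bytes([10, 1, 1, 1])),
                        (CALLING_STATION_ID, calling_station_id(bytes.fromhex("00e0fc123456")))],
                       secret)
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, [(FILTER_ID, b"guest-acl")], secret)
    tampered = req.replace(b"alice", b"admin")           # same length, so only the HMAC fails
    return (verify_message_authenticator(req, secret),
            verify_message_authenticator(tampered, secret),
            accept_is_trusted(accept, request_auth, secret, required=[FILTER_ID]),
            accept_is_trusted(accept, request_auth, secret, required=[FILTER_ID, 25]))
```

The Response Authenticator alone only proves that the reply was built by a holder of the shared key for this request; attribute 80 additionally binds every attribute of an Access-Request, which is why the guide's option to carry it in authentication packets matters when the request is modified in transit. The `required` check mirrors radius-attribute check: an Accept without the expected authorization attribute (here Filter-Id, 11) is treated as a failed authentication.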

1.7.2.4.5 Configuring Huawei Proprietary RADIUS Attributes

Context
For details about RADIUS attributes supported by the device, see RADIUS
Attributes. The content or format of some Huawei proprietary RADIUS attributes
can be configured.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run radius-server template template-name

The RADIUS server template view is displayed.

By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.

Step 3 Configure Huawei proprietary RADIUS attributes.


● Run radius-server hw-ap-info-format include-ap-ip
The device is configured to carry the AP's IP address in Huawei proprietary
attribute 26-141 (HW-AP-Information).
By default, the device does not carry the AP's IP address in Huawei
proprietary attribute 26-141 (HW-AP-Information).

----End

1.7.2.5 (Optional) Configuring Authorization Information

1.7.2.5.1 (Optional) Configuring a Service Scheme

Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run service-scheme service-scheme-name
A service scheme is created and the service scheme view is displayed.
By default, no service scheme is configured on the device.
Step 4 Run admin-user privilege level level
The user is configured as the administrator and the administrator level for login is
specified.
The value range of level is from 0 to 15. By default, the user level is not specified.
Step 5 Configure server information.

Step Command Remarks

Configure
a DHCP dhcp-server group group- By default, no DHCP server group
server name is configured in a service scheme.
group.

Configure
the IP
address of
By default, no primary DNS server
the dns ip-address
is configured in a service scheme.
primary
DNS
server.

Configure
the IP
address of By default, no secondary DNS
the dns ip-address secondary server is configured in a service
secondary scheme.
DNS
server.

Step 6 Configure resources delivered by the server in an Efficient VPN scenario.

● Configure the primary WINS server.
Run wins ip-address
By default, no primary WINS server is configured in a service scheme.
● Configure the secondary WINS server.
Run wins ip-address secondary
By default, no secondary WINS server is configured in a service scheme.
● Configure the URL and version number in the service scheme.
Run auto-update url url-string version version-number
By default, no URL or version number is configured in a service scheme.
● Configure the default DNS domain name in the service scheme.
Run dns-name domain-name
By default, no default DNS domain name is configured in a service scheme.
● Configure the local subnet information to be sent to the remote end.
Run route set acl acl-number
By default, no local subnet information is sent to the remote end.
● Configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end.
Run route set interface
By default, no IP address of the interface bound to the IPSec tunnel is sent to the remote end.

Step 7 Run ip-pool pool-name [ move-to new-position ]

An IP address pool is bound to the service scheme or an existing IP address pool is moved.
By default, no IP address pool is bound to a service scheme.

NOTE

Ensure that the IP address pool has been configured before running this command.

Step 8 Run qos-profile profile-name
A QoS profile is bound to the service scheme.
By default, no QoS profile is bound to a service scheme.

NOTE

Ensure that the QoS profile has been configured before running this command.

Step 9 Run idle-cut idle-time flow-value [ inbound | outbound ]
The idle-cut function is enabled for domain users and the idle-cut parameters are set.
By default, the idle-cut function is disabled for domain users.

NOTE

The idle-cut function takes effect only after both the idle time and the traffic threshold are configured. The traffic threshold is set by the idle-cut idle-time flow-value command. The idle time is either the idle-time value configured on the device or the value authorized by the RADIUS server in RADIUS attribute 28 (Idle-Timeout); if both exist, the value authorized by the RADIUS server takes precedence.
The idle-cut command configured in the service scheme view takes effect only for administrators and PPPoE users.

----End

1.7.2.5.2 Configuring a User Group

Context
Users must obtain authorization information before going online. You can
configure a user group to manage authorization information about users.

Procedure
● Configure a user group.

● Create a user group and enter the user group view.
Run user-group group-name
When using a user group in a two-node or dual-link HSB scenario, specify the user group index and ensure that the user group names and user group indexes configured on the active and standby devices are the same.
● Bind an ACL to the user group.
Run acl-id acl-number
By default, no ACL is bound to a user group.
The IPv4 ACL bound to a user group must have been created using the acl (system view) command.
● Configure the priority of the user group.
Run remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value } *
By default, the priority of a user group is not configured.

----End

1.7.2.6 Creating and Configuring a Domain

Context
A NAS performs domain-based user management. A domain is a group of users
and each user belongs to a domain. A user uses only AAA configuration
information in the domain to which the user belongs.

The device determines the domain to which a user belongs based on the user
name. Before performing authentication, authorization, and accounting on users,
you need to create the domain to which the users belong.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name [ domain-index domain-index ]

A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.

By default, the default and default_admin domains are available on the device.
The default domain is used by common access users and the default_admin
domain is used by administrators.
Step 4 (Optional) Run state { active | block [ time-range time-name &<1-4> ] }
The domain state is configured.
By default, a domain is in active state after being created. When a domain is in
blocking state, users in this domain cannot log in.
Step 5 (Optional) Run statistic enable
Traffic statistics collection is enabled for users in the domain.
By default, traffic statistics collection is disabled for users in a domain.
Step 6 (Optional) Configure the DNS function, which takes effect for all domains on the
device.
1. Run quit
Return to the AAA view.
2. Run domainname-parse-direction { left-to-right | right-to-left }
The domain name resolution direction is configured.
By default, a domain name is parsed from left to right.
3. Run domain-name-delimiter delimiter
The domain name delimiter is configured.
By default, the domain name delimiter is @.
4. Run domain-location { after-delimiter | before-delimiter }
The position of a domain name is configured.
By default, a domain name is placed after the domain name delimiter.
NOTE

The DNS function can also be configured in the authentication profile view. If the DNS function
is configured in both the AAA view and authentication profile view, the device preferentially
uses the configuration in the authentication profile, which applies only to wireless users.

Step 7 (Optional) Configure the security string function.
1. Run security-name enable
The security string function is enabled.
By default, the security string function is enabled.
2. Run security-name-delimiter delimiter
The security string delimiter is configured.
By default, the security string delimiter is an asterisk (*).
NOTE

The security string delimiter can also be configured in the authentication profile view. If
the security string delimiter is configured in both the AAA view and authentication profile
view, the device preferentially uses the configuration in the authentication profile, which
applies only to wireless users.

Step 8 (Optional) Specify a permitted domain for wireless users. (This step applies only to
wireless users.)

● Return to the system view.
Run quit
● Create an authentication profile and enter the authentication profile view.
Run authentication-profile name authentication-profile-name
By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.
● Specify a permitted domain for wireless users.
Run permit-domain name domain-name &<1-4>
By default, no permitted domain is specified for wireless users. After a permitted domain is specified in an authentication profile, only users in the permitted domain can be subject to authentication, authorization, and accounting.

----End

1.7.2.7 Configuring Global Default Domains

Context
The device determines the domain to which a user belongs based on the user
name. If a user name does not contain a domain name, the device cannot
determine the domain to which the user belongs, and adds the user to a global
default domain. Based on user types (access users or administrators), global
default domains are classified into the global default common domain and global
default administrative domain.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure global default domains.
● Run domain domain-name
The global default common domain is configured.
● Run domain domain-name admin
The global default administrative domain is configured.

By default, two global default domains are available on the device: global default
common domain named default and global default administrative domain named
default_admin.

NOTE

The same domain name can be set for the global default common domain and global default
administrative domain.

----End

Verifying the Configuration of Global Default Domains


Run the display aaa configuration command to check the configuration of global
default domains.
<Huawei> display aaa configuration
Domain Name Delimiter :@
Domainname parse direction : Left to right
Domainname location : After-delimiter
Administrator user default domain: default_admin //Global default administrative domain
Normal user default domain : default //Global default common domain
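
The domain name parsing of Step 6 in 1.7.2.6 (delimiter, parse direction and domain location), the global default domains of this section, and the User-Name format options of Step 7 in 1.7.2.2, as an added Python example that is not code from the Huawei guide or from the device. The class and function names are constructed for the example. Two behaviours are assumptions rather than documented device behaviour: a delimiter followed by an empty domain part is treated as no domain, and domain-included is modelled as rebuilding the name from the pure user name, the delimiter and the resolved domain in the configured location. The security string function is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainParseConfig:
    """AAA-view settings that decide which domain a typed user name belongs to."""
    delimiter: str = "@"                         # domain-name-delimiter (guide default: @)
    direction: str = "left-to-right"             # domainname-parse-direction
    location: str = "after-delimiter"            # domain-location
    default_domain: str = "default"              # global default common domain
    default_admin_domain: str = "default_admin"  # global default administrative domain


def split_user_name(name: str, cfg: DomainParseConfig, admin: bool = False):
    """Return (pure user name, domain, domain_was_typed).

    The parse direction chooses which delimiter counts when several occur;
    the location says whether the domain sits before or after it."""
    pos = name.find(cfg.delimiter) if cfg.direction == "left-to-right" else name.rfind(cfg.delimiter)
    if pos >= 0:
        left, right = name[:pos], name[pos + len(cfg.delimiter):]
        user, domain = (left, right) if cfg.location == "after-delimiter" else (right, left)
        if domain:                      # empty domain part treated as "no domain" (assumption)
            return user, domain, True
        name = user
    # No usable domain in the name: the global default domain applies
    # (default for access users, default_admin for administrators).
    return name, (cfg.default_admin_domain if admin else cfg.default_domain), False


def radius_user_name(name: str, cfg: DomainParseConfig, mode: str,
                     admin: bool = False, eap: bool = False) -> str:
    """User-Name value sent to the RADIUS server for each radius-server user-name
    setting: 'original' (the default), 'domain-included', 'domain-excluded'
    (undo domain-included) and 'domain-excluded-except-eap'."""
    user, domain, _ = split_user_name(name, cfg, admin)
    if mode == "original" or (mode == "domain-excluded-except-eap" and eap):
        return name                     # EAP users keep the typed name (assumption)
    if mode == "domain-included":
        # Assumption: the name is rebuilt from its parts in the configured location.
        if cfg.location == "after-delimiter":
            return f"{user}{cfg.delimiter}{domain}"
        return f"{domain}{cfg.delimiter}{user}"
    if mode in ("domain-excluded", "domain-excluded-except-eap"):
        return user
    raise ValueError(f"unknown user-name mode: {mode}")
```

The parse direction is where policy mistakes hide: with the defaults, a name such as a@b@c lands in domain b@c, while right-to-left parsing puts it in domain c, so the RADIUS server template, schemes and authorization applied to each domain must be reviewed against the direction actually configured.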

1.7.2.8 Applying an AAA Scheme, a RADIUS Server Template, and Authorization Information to a Domain

Context
AAA schemes, server templates, and authorization information are managed in a
domain. A user uses only AAA configuration information in the domain to which
the user belongs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name [ domain-index domain-index ]
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
By default, the default and default_admin domains are available on the device.
The default domain is used by common access users and the default_admin
domain is used by administrators.
Step 4 Run authentication-scheme scheme-name
An authentication scheme is applied to the domain.
By default, the authentication scheme named default is applied to the
default_admin domain, and the authentication scheme named radius is applied
to the default domain and other domains.

Step 5 Run accounting-scheme accounting-scheme-name
An accounting scheme is applied to the domain.
By default, the default accounting scheme is applied to a domain. In the default
accounting scheme, non-accounting is used and the real-time accounting function
is disabled.
Step 6 Run radius-server template-name
A RADIUS server template is applied to the domain.
By default, no RADIUS server template is applied to the default_admin domain,
and the RADIUS server template named default is applied to the default domain
and other domains.
Step 7 (Optional) Run accounting-copy radius-server template-name
The RADIUS accounting packet copy function is enabled, and a RADIUS server
template for level-2 accounting is configured.
By default, the RADIUS accounting packet copy function is disabled.

NOTE

● Ensure that the IP address of the configured level-2 RADIUS accounting server is different from that of the level-1 RADIUS accounting server (including the active and standby RADIUS accounting servers).
● Ensure that the level-2 RADIUS accounting server template configured in the domain is different from the RADIUS server template used for authentication and accounting in the domain. If the two templates are the same, the accounting-copy radius-server command cannot be configured and the system displays an error message.

Step 8 (Optional) Configure authorization information in the domain.
● Run user-group group-name
A user group is applied to the domain. That is, the device will deliver
authorization information of the user group to users in the domain.
By default, no user group is applied to a domain.
● Run service-scheme service-scheme-name
A service scheme is applied to the domain. That is, the device will deliver
authorization information in the service scheme to users in the domain.
By default, no service scheme is applied to a domain.

----End

Verifying the Configuration
Run the display domain [ name domain-name ] command to check the domain configuration.


1.7.2.9 Configuring the RADIUS CoA or DM Function

Context
The device supports the RADIUS CoA and DM functions. CoA provides a
mechanism to change the rights of online users, and DM provides a mechanism to
forcibly disconnect users.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Configure an authorization server.

Step: Configure a RADIUS authorization server.
Command: radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name shared-key cipher key-string | shared-key cipher key-string [ server-group group-name ] } [ ack-reserved-interval interval ]
Remarks: By default, no RADIUS authorization server is configured.

Step 3 (Optional) Run radius-server authorization match-type { any | all }
The device is configured to match RADIUS attributes in the received CoA or DM Request packets against user information on the device.
By default, a device matches RADIUS attributes in the received CoA or DM Request packets against user information on the device in any mode. That is, the device matches an attribute with a high priority in a Request packet against user information on the device.

Step 4 (Optional) Run radius-server session-manage { ip-address [ vpn-instance vpn-instance-name ] shared-key cipher share-key | any }
Session management is enabled for the RADIUS server.
By default, session management is disabled for the RADIUS server.

Step 5 (Optional) Configure the format of a RADIUS attribute to be parsed.
● Run radius-server authorization calling-station-id decode-mac-format
{ bin | ascii { unformatted | { dot-split | hyphen-split } [ common |
compress ] } }
The MAC address format in RADIUS attribute 31 (Calling-Station-Id) in
RADIUS CoA or DM packets is configured.
By default, the MAC address format in RADIUS attribute 31 (Calling-Station-
Id) in RADIUS CoA or DM packets is xxxxxxxxxxxx, in lowercase.
● Run radius-server authorization attribute-decode-sameastemplate
The device is configured to parse the MAC address format in RADIUS attribute 31 (Calling-Station-Id) in RADIUS CoA or DM packets based on RADIUS server template configurations.
By default, the device is not configured to parse RADIUS attribute 31 in RADIUS CoA or DM packets based on RADIUS server template configurations.
In a RADIUS server template, the MAC address format in RADIUS attribute 31 (Calling-Station-Id) is configured using the calling-station-id mac-format command.

Step 6 (Optional) Configure the format of a RADIUS attribute to be encapsulated.
Run radius-server authorization attribute-encode-sameastemplate
The device is configured to encapsulate the attributes in RADIUS CoA or DM Response packets based on RADIUS server template configurations.
By default, the device is not configured to encapsulate the attributes in RADIUS CoA or DM Response packets based on RADIUS server template configurations.
Table 1-34 lists the RADIUS attributes that can be configured in this step.

Table 1-34 Supported RADIUS attributes

RADIUS Attribute                           Description          Command for Configuring the Attribute in a RADIUS Server Template
RADIUS attribute 1 (User-Name)             User name            radius-server user-name domain-included
RADIUS attribute 4 (NAS-IP-Address)        NAS IP address       radius-attribute nas-ip
RADIUS attribute 31 (Calling-Station-Id)   MAC address format   calling-station-id mac-format

Step 7 (Optional) Configure the update mode of user authorization information.
1. Run aaa
The AAA view is displayed.
2. Run authorization-modify mode { modify | overlay }
The update mode of user authorization information delivered by the
authorization server is configured.
By default, the update mode of user authorization information delivered by
the authorization server is overlay.

----End
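The RADIUS procedures in 1.7.2.8 and 1.7.2.9 carried through as one worked configuration. This is an added example, not a configuration taken from this guide; the template names, domain name, IP addresses and key are constructed placeholders, and the commands that build the RADIUS server templates (radius-server authentication, radius-server accounting, radius-server shared-key) come from the template section that precedes these steps.

```vrp
system-view
// Template for authentication and level-1 accounting (constructed addresses and key)
radius-server template rd-main
 radius-server authentication 10.1.1.1 1812
 radius-server accounting 10.1.1.1 1813
 radius-server shared-key cipher Huawei@2021        // must match the key configured on the RADIUS server
 radius-server user-name domain-included
 quit
// Second template for level-2 (copied) accounting: a different template and a
// different server address, as the NOTE under accounting-copy requires
radius-server template rd-copy
 radius-server accounting 10.1.1.2 1813
 radius-server shared-key cipher Huawei@2021
 quit
// CoA/DM: the authorization server is identified by its address and shared key
radius-server authorization 10.1.1.1 shared-key cipher Huawei@2021
radius-server authorization match-type all          // all attributes in a Request must match the user entry
radius-server session-manage 10.1.1.1 shared-key cipher Huawei@2021
radius-server authorization calling-station-id decode-mac-format ascii hyphen-split common
aaa
 authentication-scheme auth-rd
  authentication-mode radius
  quit
 accounting-scheme acct-rd
  accounting-mode radius
  accounting realtime 15                           // real-time accounting every 15 minutes
  quit
 authorization-modify mode modify                  // a CoA updates only the attributes it carries
 domain corp
  authentication-scheme auth-rd
  accounting-scheme acct-rd
  radius-server rd-main
  accounting-copy radius-server rd-copy
  quit
 quit
quit
// Checks from 1.7.2.8 and 1.7.2.9
display domain name corp
display radius-server authorization configuration
```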

Verifying the Configuration
Run the display radius-server authorization configuration command to check the RADIUS authorization server configuration.


1.7.2.10 Verifying the RADIUS AAA Configuration

Procedure
● Run the display aaa configuration command to check the AAA summary.
● Run the display authentication-scheme [ authentication-scheme-name ]
command to verify the authentication scheme configuration.
● Run the display accounting-scheme [ accounting-scheme-name ] command
to verify the accounting scheme configuration.
● Run the display service-scheme [ name name ] command to verify the
service scheme configuration.
● Run the display radius-server configuration [ template template-name ]
command to verify the RADIUS server template configuration.
● Run the display radius-server item { ip-address { ipv4-address | ipv6-
address } { accounting | authentication } | template template-name }
command to verify the RADIUS server configuration.
● Run the display radius-server { dead-interval | dead-count } command to
verify the specified RADIUS server detection interval and maximum number of
consecutive unacknowledged packets.
● Run the display radius-server authorization configuration command to
verify the RADIUS authorization server configuration.
● Run the display radius-attribute [ name attribute-name | type { attribute-
number1 | huawei attribute-number2 | microsoft attribute-number3 |
dslforum attribute-number4 } ] command to check the RADIUS attributes
supported by the device.
● Run the display radius-attribute [ template template-name ] disable
command to check the disabled RADIUS attributes.
● Run the display radius-attribute [ template template-name ] translate
command to verify the setting for RADIUS attribute translation.
● Run the display domain [ name domain-name ] command to verify the
domain configuration.
● Run the display radius-server accounting-stop-packet { all | ip { ip-address |
ipv6-address } } command to verify the accounting-stop packets of the
RADIUS server.
● Run the display radius-attribute [ template template-name ] check
command to verify the to-be-tested attributes in RADIUS Access-Accept
packets.
● Run the display remote-user authen-fail [ blocked | username username ]
command to verify information about the accounts that fail in remote AAA
authentication.
● Run the display aaa statistics access-type-authenreq command to display
the number of authentication requests.
● Run the display radius-server session-manage configuration command to
verify the session management configuration for the RADIUS server.

----End


1.7.3 Using HWTACACS to Perform Authentication, Authorization, and Accounting

HWTACACS Authentication, Authorization, and Accounting

Similar to RADIUS, HWTACACS uses the client/server model to implement AAA for access users by communicating with the HWTACACS server.

HWTACACS protects a network from unauthorized access and supports command-line authorization. HWTACACS is more reliable in transmission and encryption than RADIUS, and is more suitable for security control.

Configuration Procedure

1.7.3.1 Configuring an HWTACACS Server

If HWTACACS authentication and authorization are used, users' authentication, authorization, and accounting information needs to be configured on the HWTACACS server.

If a user wants to establish a connection with the access device through a network
to obtain rights to access other networks and network resources, the access device
transparently transmits the user's authentication, authorization, and accounting
information to the HWTACACS server. The HWTACACS server determines whether
the user can pass authentication based on the configured information. If the user
passes the authentication, the RADIUS server sends an Access-Accept packet
containing the user's authorization information to the access device. The access
device then allows the user to access the network and grants rights to the user
based on information in the Access-Accept packet.

1.7.3.2 Configuring AAA Schemes

Context
To use HWTACACS authentication, authorization, and accounting, set the
authentication mode in the authentication scheme, authorization mode in the
authorization scheme, and accounting mode in the accounting scheme to
HWTACACS.

When configuring HWTACACS authentication, you can configure local authentication or non-authentication as the backup. This allows local authentication to be implemented if HWTACACS authentication fails. When configuring HWTACACS authorization, you can configure local authorization or non-authorization as the backup.

NOTE

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication to allow only authenticated users to access the device or network.


Procedure
● Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme scheme-name
An authentication scheme is created and the authentication scheme view is displayed, or the view of an existing authentication scheme is displayed.
By default, two authentication schemes named default and radius are available on the device. These two authentication schemes can be modified but not deleted.
d. Run authentication-mode hwtacacs
The HWTACACS authentication mode is specified.
By default, local authentication is used.
To use local authentication as the backup, run the authentication-mode hwtacacs [ local ] command.
e. (Optional) Run authentication-super { hwtacacs | super } * [ none ]
The authentication mode for upgrading user levels is specified.
The default mode is super (local authentication).
f. Run quit
The AAA view is displayed.
g. (Optional) Configure the account locking function.
i. Run remote-aaa-user authen-fail retry-interval retry-interval
retry-time retry-time block-time block-time
The remote AAA authentication account locking function is enabled,
and the authentication retry interval, maximum number of
consecutive authentication failures, and account locking period are
configured.
By default, the remote AAA account locking function is enabled, the
authentication retry interval is 300 minutes, the maximum number
of consecutive authentication failures is 30, and the account locking
period is 30 minutes.
ii. Run remote-user authen-fail unblock { all | username username }
A remote AAA authentication account that has failed authentication
is unlocked.
h. (Optional) Run security-name enable

The security string function is enabled.

By default, the security string function is enabled.


i. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }
The direction in which the user name and domain name are parsed is
specified.
By default, a domain name is parsed from left to right.
j. Run quit
The system view is displayed.
k. (Optional) Run aaa-authen-bypass enable time time-value
The bypass authentication duration is set.
By default, the bypass authentication function is disabled.
● Configure an authorization scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authorization-scheme authorization-scheme-name
An authorization scheme is created and the authorization scheme view is
displayed, or the view of an existing authorization scheme is displayed.
By default, an authorization scheme named default is available on the
device. The default authorization scheme can be modified but not
deleted.
d. Run authorization-mode hwtacacs [ local ] [ none ]
The authorization mode is specified.
By default, local authorization is used.
If HWTACACS authorization is configured, you must configure an
HWTACACS server template and apply the template to the corresponding
user domain.
e. (Optional) Run authorization-cmd privilege-level hwtacacs [ local ]
[ none ]
Command-line authorization is enabled for users at a certain level.
By default, command-line authorization is disabled for users at a certain
level.
If command-line authorization is enabled, you must configure an
HWTACACS server template and apply the template to the corresponding
user domain.
f. Run quit
The AAA view is displayed.
g. Run quit
The system view is displayed.


h. (Optional) Run aaa-author-bypass enable time time-value
The bypass authorization duration is set.
By default, bypass authorization is disabled.
i. (Optional) Run aaa-author-cmd-bypass enable time time-value
The bypass command-line authorization duration is set.
By default, bypass command-line authorization is disabled.


● Configure an accounting scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run accounting-scheme accounting-scheme-name
An accounting scheme is created and the accounting scheme view is displayed, or the view of an existing accounting scheme is displayed.
By default, the accounting scheme named default is available on the device. The default accounting scheme can be modified but not deleted.
d. Run accounting-mode hwtacacs
The HWTACACS accounting mode is specified.
The default accounting mode is none.
e. (Optional) Run accounting start-fail { offline | online }
A policy for accounting-start failures is configured.
By default, users cannot go online if accounting-start fails.
f. (Optional) Run accounting realtime interval
Real-time accounting is enabled and the accounting interval is set.
By default, real-time accounting is disabled. The device performs accounting for users based on their online duration.
g. (Optional) Run accounting interim-fail [ max-times times ] { offline | online }
The maximum number of real-time accounting failures is set, and a policy is specified for the device if the maximum number of real-time accounting attempts fail.
The default maximum number of real-time accounting failures is 3. The device will keep the users online if three real-time accounting attempts fail.

----End

1.7.3.3 Configuring an HWTACACS Server Template


Context
When configuring an HWTACACS server template, you must specify the IP address,
port number, and shared key of a specified HWTACACS server. Other settings, such
as the HWTACACS user name format and traffic unit, have default values and can
be modified based on network requirements.
The HWTACACS server template settings such as the HWTACACS user name
format and shared key must be the same as those on the HWTACACS server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run hwtacacs enable
HWTACACS is enabled.
By default, HWTACACS is enabled.
Step 3 Run hwtacacs-server template template-name
An HWTACACS server template is created and the HWTACACS server template
view is displayed.
By default, no HWTACACS server template is configured on the device.
Step 4 Configure HWTACACS authentication, authorization, and accounting servers.

Configuration: Configure an HWTACACS authentication server.
Command:
● Configure an IPv4 server: hwtacacs-server authentication ipv4-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ] [ shared-key cipher key-string ]
● Configure an IPv6 server: hwtacacs-server authentication ipv6-address [ port ] [ public-net ] [ secondary | third ] [ shared-key cipher key-string ]
Description: By default, no HWTACACS authentication server is configured.

Configuration: Configure an HWTACACS authorization server.
Command:
● Configure an IPv4 server: hwtacacs-server authorization ipv4-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ] [ shared-key cipher key-string ]
● Configure an IPv6 server: hwtacacs-server authorization ipv6-address [ port ] [ public-net ] [ secondary | third ] [ shared-key cipher key-string ]
Description: By default, no HWTACACS authorization server is configured.

Configuration: Configure an HWTACACS accounting server.
Command:
● Configure an IPv4 server: hwtacacs-server accounting ipv4-address [ port ] [ public-net | vpn-instance vpn-instance-name ] [ secondary | third ] [ shared-key cipher key-string ]
● Configure an IPv6 server: hwtacacs-server accounting ipv6-address [ port ] [ public-net ] [ secondary | third ] [ shared-key cipher key-string ]
Description: By default, no HWTACACS accounting server is configured.

Step 5 Set parameters for interconnection between the device and an HWTACACS server.

Procedure: Set the shared key for the HWTACACS server.
● In the system view:
  Return to the system view: quit
  Set the shared key for the HWTACACS server: hwtacacs-server shared-key cipher key-string
  Description: By default, no shared key is set for an HWTACACS server.
● In the HWTACACS server template view:
  Enter the HWTACACS server template view: hwtacacs-server template template-name
  Set the shared key for the HWTACACS server: hwtacacs-server shared-key cipher key-string
  Description: By default, no shared key is set for an HWTACACS server.

Procedure: (Optional) Configure the format of the user name in the packet sent by the device to the HWTACACS server.
Command:
● Configure the user name to contain the domain name: hwtacacs-server user-name domain-included
● Configure the original user name: hwtacacs-server user-name original
● Configure the user name not to contain the domain name: undo hwtacacs-server user-name domain-included
Description: By default, the device does not change the user name entered by the user when sending packets to the HWTACACS server.

Procedure: (Optional) Set the HWTACACS traffic unit.
Command: hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }
Description: The default HWTACACS traffic unit on the device is bytes.

Procedure: (Optional) Set the source IP address for communication between the device and the HWTACACS server.
Command: hwtacacs-server source-ip { ip-address | source-loopback interface-number } or hwtacacs-server source-ipv6 { ipv6-address | source-loopback interface-number }
Description: By default, the device uses the IP address of the actual outbound interface as the source IP address encapsulated in HWTACACS packets.

Step 6 (Optional) Set the response timeout interval and activation interval for the HWTACACS server.

Procedure: Set the response timeout interval for the HWTACACS server.
Command: hwtacacs-server timer response-timeout interval
Description: The default response timeout interval for an HWTACACS server is 5 seconds. If the device does not receive a response packet from an HWTACACS server within the response timeout interval, it considers that the HWTACACS server is unreachable and then tries other authentication and authorization methods.

Procedure: Set the interval for the primary HWTACACS server to restore to the active state.
Command: hwtacacs-server timer quiet interval
Description: The default interval for the primary HWTACACS server to restore to the active state is 5 minutes.

Step 7 Run quit
The system view is displayed.
Step 8 (Optional) Run hwtacacs-server accounting-stop-packet resend { disable | enable number }
Retransmission of accounting-stop packets is enabled and the number of packets that can be retransmitted each time is specified.
By default, retransmission of accounting-stop packets is enabled, and 100 accounting-stop packets can be retransmitted each time.


Step 9 Run return
The user view is displayed.
Step 10 (Optional) Run hwtacacs-user change-password hwtacacs-server template-name
The password saved on the HWTACACS server is changed.

NOTE

To ensure device security, you are advised to change the password regularly.

Step 11 (Optional) Run test-aaa user-name user-password hwtacacs-template template-name [ accounting [ start | realtime | stop ] ]
Connectivity between the device and the authentication or accounting server is tested. If the user passes HWTACACS authentication or accounting, the device is properly connected to the authentication or accounting server.

----End

1.7.3.4 (Optional) Configuring a Recording Scheme

Context
Improper operations by a network administrator may sometimes cause a network
failure. After HWTACACS authentication and authorization are configured, the
server can record administrator's operations. These records can be used to locate
the problem if a network failure occurs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run recording-scheme recording-scheme-name
A recording scheme is created and the recording scheme view is displayed.
By default, no recording scheme is configured on the device.
Step 4 Run recording-mode hwtacacs template-name
The recording scheme is associated with the HWTACACS server template.
By default, a recording scheme is not associated with any HWTACACS server
template.
Step 5 Run quit
The AAA view is displayed.
Step 6 Run cmd recording-scheme recording-scheme-name


A policy is configured to record the commands that have been executed on the
device.

By default, the commands used on the device are not recorded.

Step 7 Run outbound recording-scheme recording-scheme-name

A policy is configured to record connection information.

By default, connection information is not recorded.

Step 8 Run system recording-scheme recording-scheme-name

A policy is configured to record system events.

By default, system events are not recorded.

----End

1.7.3.5 (Optional) Configuring a Service Scheme

Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

By default, no service scheme is configured on the device.

Step 4 Run admin-user privilege level level

The user is configured as the administrator and the administrator level for login is
specified.

The value range of level is from 0 to 15. By default, the user level is not specified.

Step 5 Configure server information.

Step: Configure a DHCP server group.
Command: dhcp-server group group-name
Remarks: By default, no DHCP server group is configured in a service scheme.

Step: Configure the IP address of the primary DNS server.
Command: dns ip-address
Remarks: By default, no primary DNS server is configured in a service scheme.

Step: Configure the IP address of the secondary DNS server.
Command: dns ip-address secondary
Remarks: By default, no secondary DNS server is configured in a service scheme.

Step 6 Configure resources delivered by the server in an Efficient VPN scenario.

Step: Configure the primary WINS server.
Command: wins ip-address
Remarks: By default, no primary WINS server is configured in a service scheme.

Step: Configure the secondary WINS server.
Command: wins ip-address secondary
Remarks: By default, no secondary WINS server is configured in a service scheme.

Step: Configure the URL and version number in the service scheme.
Command: auto-update url url-string version version-number
Remarks: By default, no URL or version number is configured in a service scheme.

Step: Configure the default DNS domain name in the service scheme.
Command: dns-name domain-name
Remarks: By default, no default DNS domain name is configured in a service scheme.

Step: Configure the local subnet information to be sent to the remote end.
Command: route set acl acl-number
Remarks: By default, no local subnet information is sent to the remote end.

Step: Configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end.
Command: route set interface
Remarks: By default, no IP address of the interface bound to the IPSec tunnel is sent to the remote end.

Step 7 Run ip-pool pool-name [ move-to new-position ]
An IP address pool is bound to the service scheme or an existing IP address pool is moved.
By default, no IP address pool is bound to a service scheme.

NOTE

Ensure that the IP address pool has been configured before running this command.

Step 8 Run qos-profile profile-name
A QoS profile is bound to the service scheme.
By default, no QoS profile is bound to a service scheme.

NOTE

Ensure that the QoS profile has been configured before running this command.

Step 9 Run idle-cut idle-time flow-value [ inbound | outbound ]
The idle-cut function is enabled for domain users and the idle-cut parameters are set.
By default, the idle-cut function is disabled for domain users.


NOTE

The idle-cut function takes effect only after the idle time and traffic threshold are configured. To
configure the traffic threshold, run the idle-cut idle-time flow-value command. To configure the
idle time, use the value of idle-time configured on the device or the value (carried in RADIUS
attribute 28 Idle-Timeout) authorized by the RADIUS server. If both values exist, the value
authorized by the RADIUS server has a higher priority.
The idle-cut command configured in the service scheme view takes effect only for
administrators and PPPoE users.

----End

1.7.3.6 Applying AAA Schemes to a Domain

Context
The created authentication scheme, authorization scheme, accounting scheme,
and HWTACACS server template are in effect only when they are applied to a
domain.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name [ domain-index domain-index ]
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
The device has two default domains:
● default: Used by common access users
● default_admin: Used by administrators

NOTE

● If a user enters a user name that does not contain a domain name, the user is authenticated
in the default domain. In this case, you need to run the domain domain-name [ admin ]
command and set domain-name to configure a global default domain on the device.
● If a user enters a user name that contains a domain name during authentication, the user
must enter the correct value of domain-name.

Step 4 Apply AAA schemes to the domain.


Procedure: Apply an authentication scheme to the domain.
Command: authentication-scheme scheme-name
Description: By default, the authentication scheme default is applied to the default_admin domain, and the authentication scheme named radius is applied to the default domain and other domains.

Procedure: Apply an authorization scheme to the domain.
Command: authorization-scheme authorization-scheme-name
Description: By default, no authorization scheme is applied to a domain.

Procedure: Apply an accounting scheme to the domain.
Command: accounting-scheme accounting-scheme-name
Description: By default, the accounting scheme default is applied to a domain. In this accounting scheme, non-accounting is used and real-time accounting is disabled.

Step 5 Apply a service scheme and an HWTACACS server template to the domain.

Procedure: (Optional) Apply a service scheme to the domain.
Command: service-scheme service-scheme-name
Description: By default, no service scheme is applied to a domain.

Procedure: Apply an HWTACACS server template to the domain.
Command: hwtacacs-server template-name
Description: By default, no HWTACACS server template is applied to a domain.

Step 6 (Optional) Configure other functions for the domain.

Procedure: Specify the domain state.
Command: state { active | block [ time-range time-name &<1–4> ] }
Description: When a domain is in the blocking state, users in this domain cannot log in. By default, a created domain is in the active state.

Procedure: Apply a user group to the domain.
Command: user-group group-name
Description: By default, no user group is applied to a domain.

Step 7 (Optional) Run statistic enable

Traffic statistics collection is enabled for users in the domain.

By default, traffic statistics collection is disabled for users in a domain.

Step 8 (Optional) Configure a domain name parsing scheme. (If domain name parsing is
configured in both the AAA view and authentication profile view, the device
preferentially uses the configuration in the authentication profile. The
configuration in the authentication profile applies only to wireless users.)

Exit from the domain view.
  Command: quit

The remaining commands in this step are run in the AAA view.

Specify the domain name parsing direction.
  Command: domainname-parse-direction { left-to-right | right-to-left }
  Description: The domain name can be parsed from left to right, or from right to left. By default, the domain name is parsed from left to right.

Set the domain name delimiter.
  Command: domain-name-delimiter delimiter
  Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.

Specify the domain name location.
  Command: domain-location { after-delimiter | before-delimiter }
  Description: The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.

Set the security string delimiter.
  Command: security-name-delimiter delimiter
  Description: The default security string delimiter is * (asterisk).
----End

1.7.3.7 Verifying the HWTACACS AAA Configuration

Procedure
● Run the display aaa configuration command to check the AAA summary.
● Run the display authentication-scheme [ authentication-scheme-name ]
command to verify the authentication scheme configuration.
● Run the display authorization-scheme [ authorization-scheme-name ]
command to verify the authorization scheme configuration.
● Run the display accounting-scheme [ accounting-scheme-name ] command
to verify the accounting scheme configuration.
● Run the display recording-scheme [ recording-scheme-name ] command to
verify the recording scheme configuration.
● Run the display service-scheme [ name name ] command to verify the
service scheme configuration.
● Run the display hwtacacs-server template [ template-name ] command to
verify the HWTACACS server template configuration.
● Run the display hwtacacs-server template template-name verbose
command to check statistics about HWTACACS authentication, accounting,
and authorization.
● Run the display hwtacacs-server accounting-stop-packet { all | number | ip
{ ipv4-address | ipv6-address } } command to verify information about
accounting-stop packets of the HWTACACS server.
● Run the display domain [ name domain-name ] command to verify the
domain configuration.
● Run the display aaa statistics access-type-authenreq command to display
the number of authentication requests.
----End

1.7.4 Configuring HACA Authentication


HACA Authentication
Two authentication methods are available in cloud-based management scenarios: 802.1X authentication and Portal authentication. In 802.1X authentication, the device must be connected to a third-party RADIUS server. Portal authentication is more often used in cloud-based management. The authentication server is located on the cloud, so packets between the device and server must traverse the NAT device. However, Portal protocol packets cannot traverse the NAT device. HACA implements communication between the device and server, so that Portal authentication can be performed.

Similar to the RADIUS protocol, the HACA protocol uses the client/server model to authenticate access users.

Configuration Procedure

1.7.4.1 Configuring an HACA Server

Context
When HACA authentication and authorization are used, the authentication and
authorization information must be configured on the HACA server.

When a user requests to access the Internet, the access device forwards
authentication information to the HACA server. The HACA server then decides
whether to allow the user to pass based on the configured information. If the user
is allowed, the HACA server sends an access-accept message carrying
authorization information to the access device. The access device then authorizes
network access rights to the user according to the access-accept message.

1.7.4.2 Configuring an AAA Scheme

Context
If HACA authentication and authorization are used, set the authentication mode in
the authentication scheme to HACA and the accounting mode in an accounting
scheme to HACA.

NOTE

If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. To protect the device and improve network security, you are advised to enable authentication so that only authenticated users can access the device or network.

Procedure
● Configure an authentication scheme.
a. Run system-view

The system view is displayed.


b. Run aaa

The AAA view is displayed.


c. Run authentication-scheme scheme-name

An authentication scheme is created and its view is displayed, or the view of an existing authentication scheme is displayed.

By default, two authentication schemes named default and radius are available on the device. The two authentication schemes can be modified but not deleted.
d. Run authentication-mode haca

The authentication method is set to HACA.

By default, local authentication is used.

To use local authentication as the backup authentication mode, run the authentication-mode haca local command.

NOTE

If multiple authentication modes are configured in an authentication scheme, they are used in the sequence in which they were configured. The device falls back to the next configured authentication mode only when it receives no response from the current one; if authentication in the current mode fails, the device stops the authentication instead of trying the next mode.
e. Run quit

Return to the AAA view.


f. (Optional) Configure the account locking function.
i. Run remote-aaa-user authen-fail retry-interval retry-interval
retry-time retry-time block-time block-time
The remote AAA authentication account locking function is enabled,
and the authentication retry interval, maximum number of
consecutive authentication failures, and account locking period are
configured.
By default, the remote AAA account locking function is enabled, the
authentication retry interval is 300 minutes, the maximum number
of consecutive authentication failures is 30, and the account locking
period is 30 minutes.
ii. Run remote-user authen-fail unblock { all | username username }
A remote AAA authentication account that has failed authentication
is unlocked.
g. (Optional) Run domainname-parse-direction { left-to-right | right-to-
left }

The direction in which the domain name is parsed is configured.

By default, the domain name is parsed from left to right.


h. (Optional) Run aaa-author session-timeout invalid-value enable

The device will not disconnect or reauthenticate users when the RADIUS server delivers session-timeout with value 0.

By default, the device disconnects or reauthenticates users when the RADIUS server delivers session-timeout with value 0.


i. Run quit

Return to the system view.


● Configure an accounting scheme.
a. Run system-view

The system view is displayed.


b. Run aaa

The AAA view is displayed.


c. Run accounting-scheme accounting-scheme-name

An accounting scheme is created and its view is displayed, or the view of an existing accounting scheme is displayed.

There is a default accounting scheme named default on the device. This default accounting scheme can be modified but not deleted.
d. Run accounting-mode haca

The accounting mode in the accounting scheme is set to HACA.

By default, the accounting mode is none.

e. (Optional) Run accounting start-fail { offline | online }

A policy for accounting-start failures is configured.

By default, users cannot go online if accounting-start fails.

f. (Optional) Run accounting realtime interval

Real-time accounting is enabled and the interval for real-time accounting is set.

By default, the device performs accounting based on user online duration, and the real-time accounting function is disabled.

g. (Optional) Run accounting interim-fail [ max-times times ] { offline | online }

The maximum number of real-time accounting failures is set, and the policy used after the number of real-time accounting failures exceeds the maximum is configured.

By default, the maximum number of real-time accounting failures is 3, and the device keeps users online after the number of real-time accounting failures exceeds the maximum.

----End
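The two failure policies above (accounting start-fail and accounting interim-fail) decide whether a user stays online when the accounting server stops answering. The following is an added illustration, not code from this guide or from the device: it models a user session and applies the policies to a sequence of accounting-server answers. Two points are assumptions rather than statements from the guide: a successful real-time accounting response resets the failure counter, and "exceeds the maximum" is read as strictly greater than max-times.

```python
"""Accounting-scheme failure policies (added illustration, not device code)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AccountingPolicy:
    # Defaults mirror the guide: start-fail offline, interim-fail max-times 3 online.
    start_fail: str = "offline"
    interim_fail: str = "online"
    interim_max_times: int = 3

    def __post_init__(self) -> None:
        if self.start_fail not in ("offline", "online") or self.interim_fail not in ("offline", "online"):
            raise ValueError("policy must be 'offline' or 'online'")
        if self.interim_max_times < 1:
            raise ValueError("max-times must be positive")


@dataclass
class AccountingSession:
    policy: AccountingPolicy
    online: bool = False
    consecutive_interim_failures: int = 0
    log: List[Tuple[str, bool, bool]] = field(default_factory=list)

    def accounting_start(self, server_answered: bool) -> bool:
        """Accounting-start decides whether the user may go online at all."""
        if server_answered:
            self.online = True
        else:
            # start-fail offline (default): no answer means no network access.
            self.online = self.policy.start_fail == "online"
        self.log.append(("start", server_answered, self.online))
        return self.online

    def accounting_interim(self, server_answered: bool) -> bool:
        """Real-time accounting. Assumption: a success resets the counter; the
        interim-fail policy applies once failures exceed max-times."""
        if not self.online:
            raise RuntimeError("interim accounting for a user that is not online")
        if server_answered:
            self.consecutive_interim_failures = 0
        else:
            self.consecutive_interim_failures += 1
            exceeded = self.consecutive_interim_failures > self.policy.interim_max_times
            if exceeded and self.policy.interim_fail == "offline":
                self.online = False
        self.log.append(("interim", server_answered, self.online))
        return self.online


def simulate(policy: AccountingPolicy, start_ok: bool, interim_results: List[bool]) -> AccountingSession:
    """Run one start and then the given interim answers; stop when the user is cut off."""
    session = AccountingSession(policy)
    if not session.accounting_start(start_ok):
        return session
    for answered in interim_results:
        if not session.accounting_interim(answered):
            break
    return session


if __name__ == "__main__":
    # Constructed sample: server silent for four interim rounds under the default policy.
    print(simulate(AccountingPolicy(), True, [False] * 4).online)  # user stays online
```

With the defaults, a user whose accounting-start gets no answer never comes online, while a user already online survives any number of silent interim rounds; switching interim-fail to offline turns the fourth consecutive silent round into a forced logout.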

1.7.4.3 Configuring an HACA Server Template

Context
In an HACA server template, specify the server IP address and port number. Other settings such as the HACA user name format and HACA server response timeout have default values and can be changed based on network requirements.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run haca-server template template-name

An HACA server template is created and its view is displayed.

By default, no HACA server template exists on the device.

Step 3 Run haca-server server-address ip-address [ port ] pki-realm-name

The IP address and port number for the HACA server are configured.

By default, the IP address and port number of the HACA server are not configured
on the device.

Step 4 Run the following commands as required:


● To add the domain name to the user name in the packets sent to the HACA
server, run the haca-server user-name domain-included command.
● To retain the original user name in the packets sent to the HACA server, run
the haca-server user-name original command.
By default, the device does not modify the user name entered by the user in the
packets sent to the HACA server.

Step 5 Run haca-server source-ip ip-address

The source IP address is specified for HACA packets.

By default, no source IP address is specified for HACA packets. The device uses the
IP address of the actual outbound interface as the source IP address of HACA
packets.

Step 6 (Optional) Run haca-server timer response-timeout interval

The response timeout interval for the HACA server is set.

By default, the timeout duration of the HACA server is 5 seconds.

Step 7 (Optional) Run haca-server timer down-delay interval

The delay after which an HACA server is disconnected is set.

By default, the delay after which an HACA server is disconnected is 30 seconds.

Step 8 (Optional) Run haca-server timer reconnection interval

The interval for reconnecting to the HACA server is set.

By default, the interval for reconnecting to the HACA server is one minute.

Step 9 (Optional) Run haca-server timer heart-beat interval

The heartbeat interval is set.

By default, the heartbeat interval is 5 minutes.

Step 10 (Optional) Run haca-server accounting-stop-packet resend [ resend-times ]

Retransmission of accounting-stop packets is enabled, and the number of accounting-stop packets that can be retransmitted is set.

By default, three accounting-stop packets can be retransmitted.

Step 11 Run haca enable

HACA is enabled.

By default, HACA is disabled.

Step 12 Run quit

Return to the system view.

Step 13 (Optional) Run haca-server timer user-syn interval

The interval for synchronizing user information to the HACA server is set.

By default, the interval for synchronizing user information to the HACA server is
10 minutes.

----End

1.7.4.4 (Optional) Configuring a Service Scheme

Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

By default, no service scheme is configured on the device.

Step 4 Run admin-user privilege level level

The user is configured as the administrator and the administrator level for login is
specified.

The value range of level is from 0 to 15. By default, the user level is not specified.

Step 5 Configure server information.

Configure a DHCP server group.
  Command: dhcp-server group group-name
  Remarks: By default, no DHCP server group is configured in a service scheme.

Configure the IP address of the primary DNS server.
  Command: dns ip-address
  Remarks: By default, no primary DNS server is configured in a service scheme.

Configure the IP address of the secondary DNS server.
  Command: dns ip-address secondary
  Remarks: By default, no secondary DNS server is configured in a service scheme.

Step 6 Configure resources delivered by the server in an Efficient VPN scenario.

Configure the primary WINS server.
  Command: wins ip-address
  Remarks: By default, no primary WINS server is configured in a service scheme.

Configure the secondary WINS server.
  Command: wins ip-address secondary
  Remarks: By default, no secondary WINS server is configured in a service scheme.

Configure the URL and version number in the service scheme.
  Command: auto-update url url-string version version-number
  Remarks: By default, no URL or version number is configured in a service scheme.

Configure the default DNS domain name in the service scheme.
  Command: dns-name domain-name
  Remarks: By default, no default DNS domain name is configured in a service scheme.

Configure the local subnet information to be sent to the remote end.
  Command: route set acl acl-number
  Remarks: By default, no local subnet information is sent to the remote end.

Configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end.
  Command: route set interface
  Remarks: By default, no IP address of the interface bound to the IPSec tunnel is sent to the remote end.

Step 7 Run ip-pool pool-name [ move-to new-position ]

An IP address pool is bound to the service scheme, or an existing IP address pool is moved to a new position.

By default, no IP address pool is bound to a service scheme.

NOTE

Ensure that the IP address pool has been configured before running this command.

Step 8 Run qos-profile profile-name

A QoS profile is bound to the service scheme.

By default, no QoS profile is bound to a service scheme.

NOTE

Ensure that the QoS profile has been configured before running this command.


Step 9 Run idle-cut idle-time flow-value [ inbound | outbound ]

The idle-cut function is enabled for domain users and the idle-cut parameters are
set.

By default, the idle-cut function is disabled for domain users.

NOTE

The idle-cut function takes effect only after the idle time and traffic threshold are configured. To
configure the traffic threshold, run the idle-cut idle-time flow-value command. To configure the
idle time, use the value of idle-time configured on the device or the value (carried in RADIUS
attribute 28 Idle-Timeout) authorized by the RADIUS server. If both values exist, the value
authorized by the RADIUS server has a higher priority.
The idle-cut command configured in the service scheme view takes effect only for
administrators and PPPoE users.

----End

1.7.4.5 Applying an AAA Scheme to a Domain

Context
The created authentication scheme and HACA server template take effect only
after being applied to a domain.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run aaa

The AAA view is displayed.

Step 3 Run domain domain-name

A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.

The device has two default domains named default and default_admin. The two
domains can be modified but not deleted.

Step 4 Run authentication-scheme authentication-scheme-name

An authentication scheme is applied to the domain.

By default, the authentication scheme named radius is applied to the default domain, the authentication scheme named default is applied to the default_admin domain, and the authentication scheme named radius is applied to other domains.

Step 5 Run accounting-scheme accounting-scheme-name

An accounting scheme is applied to the domain.

By default, the accounting scheme named default is applied to a domain. In this default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

Step 6 Run service-scheme service-scheme-name

A service scheme is applied to the domain.

By default, no service scheme is bound to a domain.

Step 7 Run haca-server template-name

An HACA server template is applied to the domain.

By default, no HACA server template is applied to a domain.

Step 8 (Optional) Run state { active | block [ time-range time-name &<1-4> ] }

The domain status is configured.

By default, a domain is in active state after being created. When a domain is in blocking state, users in this domain cannot log in.

Step 9 (Optional) Configure a domain name resolution scheme. (If domain name
resolution is configured in both the AAA view and authentication profile view, the
device preferentially uses the configuration in the authentication profile. The
configuration in the authentication profile applies only to wireless users.)

Exit from the domain view.
  Command: quit

The remaining commands in this step are run in the AAA view.

Configure the domain name resolution direction.
  Command: domainname-parse-direction { left-to-right | right-to-left }
  Description: The domain name can be resolved from left to right, or from right to left. By default, the domain name is resolved from left to right.

Configure a domain name delimiter.
  Command: domain-name-delimiter delimiter
  Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.

Configure the domain name location.
  Command: domain-location { after-delimiter | before-delimiter }
  Description: By default, the domain name is placed after the domain name delimiter.

Configure a security string delimiter.
  Command: security-name-delimiter delimiter
  Description: By default, the security string delimiter is an asterisk (*).

----End
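The three parsing settings (direction, delimiter, location) decide which domain's AAA configuration a user lands in, and the same rules appear in the HWTACACS domain procedure earlier in this chapter. The following is an added illustration, not code from this guide or from the device, of how a name such as user1@huawei is split under each setting. It assumes the natural reading of the options: left-to-right splits at the first delimiter and right-to-left at the last one, after-delimiter takes the domain from the part after the delimiter, and a name without a delimiter falls into the global default domain (default_admin for administrators, default for common users). It also shows the effect of undo radius-server user-name domain-included, which changes only the name sent to the server and not the domain selection.

```python
"""Domain-name parsing rules from the AAA view (added illustration, not device code)."""
from typing import Optional, Tuple

# The delimiter set listed for domain-name-delimiter: \ / : < > | @ ' %
ALLOWED_DELIMITERS = set("\\/:<>|@'%")
DEFAULT_DOMAIN_ADMIN = "default_admin"
DEFAULT_DOMAIN_USER = "default"


def parse_user_name(entered: str, delimiter: str = "@",
                    direction: str = "left-to-right",
                    location: str = "after-delimiter") -> Tuple[str, Optional[str]]:
    """Split the name the user typed into (pure user name, domain name or None).

    Assumed semantics: left-to-right uses the first delimiter, right-to-left the
    last one; after-delimiter means the domain follows the delimiter,
    before-delimiter means it precedes it. No delimiter -> domain None.
    """
    if delimiter not in ALLOWED_DELIMITERS:
        raise ValueError(f"delimiter {delimiter!r} is not permitted")
    if direction not in ("left-to-right", "right-to-left"):
        raise ValueError("direction must be left-to-right or right-to-left")
    if location not in ("after-delimiter", "before-delimiter"):
        raise ValueError("location must be after-delimiter or before-delimiter")
    if delimiter not in entered:
        return entered, None
    if direction == "left-to-right":
        first, second = entered.split(delimiter, 1)
    else:
        first, second = entered.rsplit(delimiter, 1)
    if location == "after-delimiter":
        return first, second
    return second, first


def effective_domain(entered: str, is_admin: bool, **parse_opts) -> str:
    """Domain whose AAA configuration applies to this login."""
    _, domain = parse_user_name(entered, **parse_opts)
    if domain:
        return domain
    return DEFAULT_DOMAIN_ADMIN if is_admin else DEFAULT_DOMAIN_USER


def name_sent_to_server(entered: str, domain_included: bool, **parse_opts) -> str:
    """User name placed in the packet to the AAA server. Only the packet changes;
    effective_domain() does not depend on domain_included."""
    if domain_included:
        return entered
    user, _ = parse_user_name(entered, **parse_opts)
    return user


if __name__ == "__main__":
    # Constructed sample logins under the default settings (@, left-to-right, after-delimiter).
    for name in ("user1@huawei", "user1", "user1@a@b"):
        print(name, "->", parse_user_name(name), "domain:", effective_domain(name, is_admin=False))
```

A practical check that follows from this: if a user name legitimately contains the delimiter character (an e-mail style login such as first.last@corp.example with a domain suffix appended), only right-to-left parsing keeps the local part intact, and a delimiter change must be mirrored in how the server is told to read User-Name.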

1.7.4.6 Verifying the HACA Authentication Configuration

Procedure
● Run the display haca-server configuration [ template template-name ]
command to check the HACA server template configuration.
● Run the display haca-server statistics { all | message | packet
[ authentication | authorization | accounting | cut-notify | cut-request |
register | user-syn ] } [ template template-name ] command to check HACA
packet statistics.
● Run the display haca-server accounting-stop-packet all command to view
information about all accounting-stop packets on the HACA server.
----End
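Put together, the steps in 1.7.4.2 to 1.7.4.5 produce a configuration of the following shape. This is an added example written for this page, not a configuration taken from the guide or from a real deployment, shown in the indented configuration-file style; the HACA server address 10.10.10.10, port 443, PKI realm haca_realm, source address 192.168.1.1, and the scheme, template and domain names are all assumed values to be replaced. It keeps local authentication as the backup mode and deliberately chooses the stricter interim-fail offline policy instead of the default.

```text
#
haca-server template haca_tpl
 haca-server server-address 10.10.10.10 443 haca_realm
 haca-server user-name domain-included
 haca-server source-ip 192.168.1.1
 haca enable
#
aaa
 authentication-scheme haca_auth
  authentication-mode haca local
 accounting-scheme haca_acct
  accounting-mode haca
  accounting start-fail offline
  accounting realtime 15
  accounting interim-fail max-times 3 offline
 domain cloud
  authentication-scheme haca_auth
  accounting-scheme haca_acct
  haca-server haca_tpl
#
```

After committing it, display haca-server configuration template haca_tpl and display domain name cloud are the two checks that confirm the template is enabled and actually bound to the domain; a template that exists but is not applied to any domain authenticates nobody.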

1.8 Maintaining AAA

1.8.1 Forcing Users to Go Offline

Context
You can force online users to go offline by specifying the domain name or
interface. This function is applicable to situations such as when the online users
are unauthorized, the number of online users reaches the maximum, or the AAA
configurations are modified. For example, when you modify the AAA
configurations of online users, the new AAA configurations take effect on these
users only after you force them to go offline.


NOTE

● If you delete the AAA configuration of online users, the users may be forced to go offline.

Procedure
● Run the cut access-user { domain domain-name | interface interface-type
interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address
[ vpn-instance vpn-instance-name ] | mac-address mac-address | service-
scheme service-scheme-name | access-slot slot-id | ssid ssid-name | user-
group group-number | user-id begin-number [ end-number ] | username
user-name } or cut access-user access-type { admin [ ftp | ssh | telnet |
terminal | web ] | ppp | l2tp } [ username user-name ] command in the AAA
view to disconnect one or more sessions. After a session of a user is
disconnected, the user is forced to go offline.

----End

1.8.2 Testing Whether a User Can Pass RADIUS Authentication or Accounting

Prerequisites
RADIUS authentication or accounting is configured.

NOTE
If HWTACACS authentication or accounting is configured, run the test-aaa user-name user-password hwtacacs-template template-name [ accounting [ start | realtime | stop ] ] command to test connectivity between the device and the authentication server or accounting server.

Context
Test whether a user can pass RADIUS authentication or accounting, helping the
administrator locate faults.

Procedure
● Run the test-aaa user-name user-password radius-template template-name
[ chap | pap | accounting [ start | realtime | stop ] ] command in any view
to test whether a user can pass RADIUS authentication or accounting.

----End

Follow-up Procedure
● The test-aaa command returns an account test timeout message.
RADIUS authentication test for a single user times out.
<Huawei> test-aaa user1 huawei123 radius-template huawei
Info: Account test time out.

RADIUS accounting test for a single user times out.
<Huawei> test-aaa user1 huawei123 radius-template huawei accounting
Info: Account test time out.

– The possible causes are as follows:

▪ The route between the device and the server is unreachable.
▪ The NAS-IP in the RADIUS server template is different from the NAS-IP configured on the RADIUS server.
▪ The authentication or accounting port in the RADIUS server template is incorrect.
▪ The authentication or accounting port on the RADIUS server is occupied by another application.
▪ The RADIUS server address in the RADIUS server template is incorrect.
▪ The IP address of the access control device is incorrect or the RADIUS server is not started.

– Handling procedure:

▪ Run the ping command to check whether a reachable route exists between the device and the server. If there is no reachable route, configure a static route or use a routing protocol to establish a dynamic route between the device and the server.
▪ Run the display radius-server configuration [ template template-name ] command in any view to check whether the port number and NAS-IP in the RADIUS server template are the same as those on the RADIUS server. If they are not the same, configure the same port number and NAS-IP.
▪ Check whether the authentication and accounting port numbers on the RADIUS server are 1812 and 1813, respectively. If not, configure the correct authentication and accounting port numbers.
▪ When a controller is used as the RADIUS server, run the netstat -nao | findstr 1812 and netstat -nao | findstr 1813 commands on the server to check whether the ports are occupied. If yes, disable the applications that occupy the ports.
▪ Check whether the IP address of the access control device is correct. If not, correct the configuration.
● The test-aaa command returns an account test failure.
RADIUS authentication test for a single user fails.
<Huawei> test-aaa user1 huawei123 radius-template huawei
Info: Account test failed.

RADIUS accounting test for a single user fails.
<Huawei> test-aaa user1 huawei123 radius-template huawei accounting
Info: Account test failed.

– The possible causes are as follows:

▪ The shared key of the RADIUS server is not configured.
▪ The IP address of the RADIUS server is not configured.

– Handling procedure:

▪ Run the display radius-server configuration [ template template-name ] command in any view to check whether the shared key and IP address are configured in the RADIUS server template and match the settings on the RADIUS server. If they do not, reconfigure the shared key and IP address in the RADIUS server template.
● After the test-aaa command is run, the test is passed, but authentication or
accounting cannot be performed for the user.
– The possible causes are as follows:

▪ The route between the device and the server is unreachable.
▪ The user authentication or accounting domain is different from the RADIUS authentication or accounting domain configured on the device.

– Handling procedure:

▪ Run the ping command to check whether a reachable route exists between the device and the server. If there is no reachable route, configure a static route or use a routing protocol to establish a dynamic route between the device and the server.
▪ Run the display this command in the AAA view to check whether the user authentication or accounting domain is the same as the RADIUS authentication or accounting domain configured on the device.
○ When the user name entered by the user contains a domain name, check whether RADIUS authentication or accounting has been configured in that domain. If not, configure RADIUS authentication or accounting in the domain.
○ When the user name entered by the user does not contain a domain name, check whether RADIUS authentication or accounting has been configured in the global default domain (administrators use default_admin and common users use default). If not, configure RADIUS authentication or accounting in that domain.
▪ Run the display this command in the AAA view to check whether the AAA authentication or accounting scheme and RADIUS server template have been applied to the domain. If not, apply the AAA authentication or accounting scheme and RADIUS server template to the domain.
▪ If NAC has been configured, check whether the NAC configuration is correct. If not, correct the NAC configuration.

1.8.3 Configuring the AAA Alarm Report Function

Context
You can configure the alarm report function, which helps you obtain real-time
running status of AAA (for example, the status of the communication with the
RADIUS server becomes Down) and facilitates O&M.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run snmp-agent trap enable feature-name radius [ trap-name
{ hwradiusacctserverdown | hwradiusacctserverup | hwradiusauthserverdown |
hwradiusauthserverup } ]
The alarm report function is enabled for the RDS module.
By default, the alarm report function is disabled for the RDS module.

----End

Verifying the Configuration

Run the display snmp-agent trap feature-name radius all command to view the alarm status of the RDS module.

1.8.4 Recording Login and Logout Information

Context
Enabling the recording of information related to normal logout, abnormal logout,
and login failure helps administrators locate and analyze problems.

Procedure
● Run the aaa offline-record command in the system view to record normal
logout information.
By default, the device is enabled to record normal logout information.
● Run the aaa abnormal-offline-record command in the system view to record
abnormal logout information.
By default, the device is enabled to record abnormal logout information.
● Run the aaa online-fail-record command in the system view to record login
failure information.
By default, the device is enabled to record login failure information.
----End

Follow-up Procedure
● Run the display aaa { offline-record | abnormal-offline-record | online-fail-
record } { all | reverse-order | domain domain-name | interface interface-
type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-
address [ vpn-instance vpn-instance-name ] | mac-address mac-address |
access-slot slot-number | time start-time end-time [ date start-date end-
date ] | username user-name [ time start-time end-time [ date start-date
end-date ] ] } [ brief ] to check normal logout, abnormal logout, and login
failure records.


● Run the display aaa statistics offline-reason command in any view to check
the reasons for users to go offline.

1.8.5 Clearing AAA Statistics

Context

NOTICE

The AAA statistics cannot be restored after being cleared. Clear AAA statistics with
caution.

Run the following commands to clear the statistics.

Procedure
● Run the reset aaa { abnormal-offline-record | offline-record | online-fail-
record } command in the system view to clear records of abnormal logout,
logout, and login failures.
● Run the reset aaa statistics offline-reason command in any view to clear
the statistics on reasons why users go offline.
● Run the reset access-user statistics command in any view to clear the
statistics on access user authentication.
● Run the reset hwtacacs-server statistics { accounting | all | authentication
| authorization } command in the user view to clear the statistics on
HWTACACS authentication, accounting, and authorization.
● Run the reset hwtacacs-server accounting-stop-packet { all | ip { ipv4-
address | ipv6-address } } command to clear remaining buffer information on
HWTACACS accounting-stop packets.
● Run the reset radius-server accounting-stop-packet { all | ip { ipv4-address |
ipv6-address } } command to clear remaining buffer information on RADIUS
accounting-stop packets.
● Run the reset local-user [ user-name ] password history record command in
the AAA view to clear historical passwords of local users.
● Run the reset aaa statistics access-type-authenreq command in any view to
clear the number of authentication requests.

----End

1.8.6 Clearing HACA Statistics

Context
Before collecting statistics within a certain period for fault locating, clear existing
statistics.


NOTICE

The HACA statistics cannot be restored after being cleared. Confirm your
operation before clearing the HACA statistics.

Procedure
● Run the reset haca-server statistics { all | message | packet [ register |
accounting | authentication | authorization | user-syn | cut-notify | cut-
request ] } [ template template-name ] command in the user view to clear
HACA statistics.
● Run the reset haca-server accounting-stop-packet all command in the user
view to clear the remaining buffer information of HACA accounting-stop
packets.
----End

1.9 Configuration Examples for AAA

1.9.1 Example for Configuring RADIUS Authentication and Accounting

Networking Requirements
As shown in Figure 1-29, users belong to the domain huawei. Router functions as
the network access server on the destination network, providing access to users
only after they are remotely authenticated by the server. The remote
authentication on Router is described as follows:
● The RADIUS server will authenticate access users for Router. If RADIUS
authentication fails, local authentication is used.
● The RADIUS servers at 10.7.66.66/24 and 10.7.66.67/24 function as the
primary and secondary authentication and accounting servers, respectively.
The default authentication port and accounting port are 1812 and 1813,
respectively.


Figure 1-29 Networking diagram of RADIUS authentication and accounting
[Figure: Router (domain huawei) connects the destination network to the network, on which the primary RADIUS server 10.7.66.66/24 and the secondary RADIUS server 10.7.66.67/24 are reachable.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting
scheme to a domain.

NOTE

● Ensure that the devices are routable before the configuration.
● Ensure that the shared key in the RADIUS server template is the same as the setting on the
RADIUS server.
● If the RADIUS server does not accept the user name containing the domain name, run the
undo radius-server user-name domain-included command in the RADIUS server template
view to configure the device to send packets that do not contain the domain name to the
RADIUS server.
● After the domain is set to the global default domain, and the user name of a user carries the
domain name or does not carry any domain name, the user uses AAA configuration
information in the global default domain.
● After the undo radius-server user-name domain-included command is run, the device
changes only the user name format in the sent packet, and the domain to which the user
belongs is not affected. For example, after this command is run, the user with the user name
user@huawei.com still uses AAA configuration information in the domain named
huawei.com.


Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS template named shiva.
<Huawei> system-view
[Huawei] sysname Router
[Router] radius-server template shiva

# Set the IP address and port numbers for the primary RADIUS authentication and
accounting server.
[Router-radius-shiva] radius-server authentication 10.7.66.66 1812 weight 80
[Router-radius-shiva] radius-server accounting 10.7.66.66 1813 weight 80

# Set the IP address and port numbers for the secondary RADIUS authentication
and accounting server.
[Router-radius-shiva] radius-server authentication 10.7.66.67 1812 weight 40
[Router-radius-shiva] radius-server accounting 10.7.66.67 1813 weight 40

# Set the shared key and retransmission count for the RADIUS server, and
configure the device not to encapsulate the domain name in the user name when
sending RADIUS packets to the RADIUS server.
[Router-radius-shiva] radius-server shared-key cipher Huawei@2012
[Router-radius-shiva] radius-server retransmit 2
[Router-radius-shiva] undo radius-server user-name domain-included
[Router-radius-shiva] quit
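Why the shared key and the authentication port matter, shown as an added example that is not part of this guide or of the router's software: a minimal RADIUS Access-Request/Access-Accept exchange in Python that implements the RFC 2865 User-Password hiding and the Response Authenticator, so the effect of a key mismatch between NAS and server becomes visible. The user name user1, the password Huawei@123 and the key Huawei@2012 are the values used in this example; the NAS address 10.7.66.1 and the server's user table are constructed for the illustration.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865).

Added illustration, not Huawei's code. Assumed values: NAS IP 10.7.66.1 and a
one-entry server-side user table; user1 / Huawei@123 / Huawei@2012 come from
the configuration example this accompanies.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed with
    the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def recover_password(hidden, secret, request_auth):
    """Server side of hide_password; the zero padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """NAS side: Code(1) ID(1) Length(2) RequestAuthenticator(16) attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data):
    """Walk the TLV list; stop on a malformed length instead of looping."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            break
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(request, secret, users):
    """Server side: recover the password under the server's copy of the key, then
    answer with ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = parse_attrs(request[20:])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    accept = username in users and users[username].encode() == password
    header = struct.pack("!BBH", ACCESS_ACCEPT if accept else ACCESS_REJECT, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(request, response, secret):
    """NAS side: trust a reply only if its ID matches the outstanding request and its
    authenticator recomputes under the NAS's key; a reply produced with a different
    key (or forged without the key) fails here."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def exchange(nas_secret, server_secret, username="user1", password="Huawei@123"):
    """One authentication round; returns (response code, authenticator verified)."""
    users = {"user1": "Huawei@123"}  # constructed server-side user table
    request = build_access_request(7, username, password, nas_secret, "10.7.66.1")
    response = server_handle(request, server_secret, users)
    return response[0], verify_response(request, response, nas_secret)


if __name__ == "__main__":
    print("matching keys:", exchange(b"Huawei@2012", b"Huawei@2012"))   # (2, True)
    print("mismatched keys:", exchange(b"Huawei@2012", b"Other@2012"))  # (3, False)
```

With matching keys the server recovers the password and the NAS verifies the Access-Accept. With different keys the server decrypts garbage and rejects, and the NAS cannot verify the reply's authenticator either, which is the failure the NOTE on the shared key warns about; a reply that fails verify_response should be discarded rather than acted on.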

Step 2 Configure authentication and accounting schemes.
# Create an authentication scheme named auth. Configure the authentication
scheme to use RADIUS authentication as the active authentication mode and local
authentication as the backup.
[Router] aaa
[Router-aaa] authentication-scheme auth
[Router-aaa-authen-auth] authentication-mode radius local
[Router-aaa-authen-auth] quit

# Create an accounting scheme named abc, and configure the accounting scheme
to use the RADIUS accounting mode. Configure a policy for the device to keep
users online upon accounting-start failures.
[Router-aaa] accounting-scheme abc
[Router-aaa-accounting-abc] accounting-mode radius
[Router-aaa-accounting-abc] accounting start-fail online
[Router-aaa-accounting-abc] quit

Step 3 Create a domain named huawei, and apply the authentication scheme auth,
accounting scheme abc, and RADIUS server template shiva to the domain.
[Router-aaa] domain huawei
[Router-aaa-domain-huawei] authentication-scheme auth
[Router-aaa-domain-huawei] accounting-scheme abc
[Router-aaa-domain-huawei] radius-server shiva
[Router-aaa-domain-huawei] quit
[Router-aaa] quit

Step 4 Set the domain huawei to the global default domain.
[Router] domain huawei
[Router] domain huawei admin

Step 5 Configure local authentication.


[Router] aaa
[Router-aaa] local-user user1 password irreversible-cipher Huawei@123
[Router-aaa] local-user user1 service-type http
[Router-aaa] local-user user1 privilege level 15
[Router-aaa] quit

Step 6 Verify the configuration.
# Run the display radius-server configuration template template-name
command on Router to verify the RADIUS server template configuration.
[Router] display radius-server configuration template shiva
------------------------------------------------------------------------------
Server-template-name : shiva
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : %^%#BS'$!w:u7H.lu:/&W9A5=pUt%^%#
Group-filter : class
Timeout-interval(in second) : 5
Retransmission : 2
EndPacketSendTime : 3
Dead time(in minute) : 5
Domain-included : NO
NAS-IP-Address : -
Calling-station-id MAC-format : xxxx-xxxx-xxxx
Called-station-id MAC-format : XX-XX-XX-XX-XX-XX
NAS-Port-ID format : New
Service-type : -
NAS-IPv6-Address : ::
Server algorithm : master-backup
Detect-interval(in second) : 60
Authentication Server 1 : 10.7.66.66 Port:1812 Weight:80 [UP]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Authentication Server 2 : 10.7.66.67 Port:1812 Weight:40 [UP]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Accounting Server 1 : 10.7.66.66 Port:1813 Weight:80 [UP]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
Accounting Server 2 : 10.7.66.67 Port:1813 Weight:40 [UP]
Vrf:- LoopBack:NULL Vlanif:NULL
Source IP: ::
------------------------------------------------------------------------------

----End

Configuration Files
Router configuration file

#
sysname Router
#
domain huawei
domain huawei admin
#
radius-server template shiva
radius-server shared-key cipher %^%#BS'$!w:u7H.lu:/&W9A5=pUt%^%#
radius-server authentication 10.7.66.66 1812 weight 80
radius-server authentication 10.7.66.67 1812 weight 40
radius-server accounting 10.7.66.66 1813 weight 80
radius-server accounting 10.7.66.67 1813 weight 40
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa


authentication-scheme auth
authentication-mode radius local
accounting-scheme abc
accounting-mode radius
accounting start-fail online
domain huawei
authentication-scheme auth
accounting-scheme abc
radius-server shiva
local-user user1 password irreversible-cipher
local-user user1 privilege level 15
local-user user1 service-type http
#
return

1.9.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

Networking Requirements
For the network shown in Figure 1-30, the customer requirements are as follows:
● The HWTACACS server will authenticate access users for Router. If HWTACACS
authentication fails, local authentication is used.
● The HWTACACS server will authorize access users for Router. If HWTACACS
authorization fails, local authorization is used.
● HWTACACS accounting is used by Router for access users.
● Real-time accounting is performed every 3 minutes.
● The IP addresses of primary and secondary HWTACACS servers are
10.7.66.66/24 and 10.7.66.67/24, respectively. The port number for
authentication, accounting, and authorization is 49.

Figure 1-30 Networking diagram of HWTACACS authentication, accounting, and authorization
[Figure: Router (domain huawei) connects the destination network to the network, on which HWTACACS server 1 at 10.7.66.66/24 and HWTACACS server 2 at 10.7.66.67/24 are reachable.]


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication scheme, authorization
scheme, and accounting scheme to a domain.

NOTE

● Ensure that the devices are routable before the configuration.
● Ensure that the shared key in the HWTACACS server template is the same as the setting on
the HWTACACS server.
● If the HWTACACS server does not accept the user name containing the domain name, run
the undo hwtacacs-server user-name domain-included command in the HWTACACS
server template view to configure the device to send packets that do not contain the domain
name to the HWTACACS server.
● After the domain is set to the global default domain, and the user name of a user carries the
domain name or does not carry any domain name, the user uses AAA configuration
information in the global default domain.
● After the undo hwtacacs-server user-name domain-included command is run, the device
changes only the user name format in the sent packet, and the domain to which the user
belongs is not affected. For example, after this command is run, the user with the user name
user@huawei.com still uses AAA configuration information in the domain named
huawei.com.

Procedure
Step 1 Enable HWTACACS.
<Huawei> system-view
[Huawei] sysname Router
[Router] hwtacacs enable

NOTE

By default, HWTACACS is enabled. If the HWTACACS settings are not modified, you can skip
this step.

Step 2 Configure an HWTACACS server template.
# Create an HWTACACS server template named ht.
[Router] hwtacacs-server template ht

# Set the IP addresses and port numbers for the primary HWTACACS
authentication, authorization, and accounting servers.
[Router-hwtacacs-ht] hwtacacs-server authentication 10.7.66.66 49
[Router-hwtacacs-ht] hwtacacs-server authorization 10.7.66.66 49
[Router-hwtacacs-ht] hwtacacs-server accounting 10.7.66.66 49

# Set the IP addresses and port numbers for the secondary HWTACACS
authentication, authorization, and accounting servers.
[Router-hwtacacs-ht] hwtacacs-server authentication 10.7.66.67 49 secondary
[Router-hwtacacs-ht] hwtacacs-server authorization 10.7.66.67 49 secondary
[Router-hwtacacs-ht] hwtacacs-server accounting 10.7.66.67 49 secondary


# Set the shared key for the HWTACACS server.

NOTE

Ensure that the shared key in the HWTACACS server template is the same as that set on the
HWTACACS server.
[Router-hwtacacs-ht] hwtacacs-server shared-key cipher Huawei@2012
[Router-hwtacacs-ht] quit

Step 3 Configure authentication, authorization, and accounting schemes.

# Create an authentication scheme named l-h. Configure the authentication
scheme to use HWTACACS authentication as the active authentication mode and
local authentication as the backup.
[Router] aaa
[Router-aaa] authentication-scheme l-h
[Router-aaa-authen-l-h] authentication-mode hwtacacs local
[Router-aaa-authen-l-h] quit

# Create an authorization scheme named hwtacacs. Configure the authorization
scheme to use HWTACACS authorization as the active authorization mode and
local authorization as the backup.
[Router-aaa] authorization-scheme hwtacacs
[Router-aaa-author-hwtacacs] authorization-mode hwtacacs local
[Router-aaa-author-hwtacacs] quit

# Create an accounting scheme named hwtacacs, and configure the accounting
scheme to use the HWTACACS accounting mode. Configure a policy for the device
to keep users online upon accounting-start failures.
[Router-aaa] accounting-scheme hwtacacs
[Router-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Router-aaa-accounting-hwtacacs] accounting start-fail online

# Set the real-time accounting interval to 3 minutes.
[Router-aaa-accounting-hwtacacs] accounting realtime 3
[Router-aaa-accounting-hwtacacs] quit

Step 4 Create a domain named huawei, and apply the authentication scheme l-h,
authorization scheme hwtacacs, accounting scheme hwtacacs, and the
HWTACACS server template ht to the domain.
[Router-aaa] domain huawei
[Router-aaa-domain-huawei] authentication-scheme l-h
[Router-aaa-domain-huawei] authorization-scheme hwtacacs
[Router-aaa-domain-huawei] accounting-scheme hwtacacs
[Router-aaa-domain-huawei] hwtacacs-server ht
[Router-aaa-domain-huawei] quit
[Router-aaa] quit

Step 5 Configure local authentication.
[Router] aaa
[Router-aaa] local-user user1 password irreversible-cipher Huawei@123
[Router-aaa] local-user user1 service-type http
[Router-aaa] local-user user1 privilege level 15
[Router-aaa] quit

Step 6 Configure the global default domain for administrators.
[Router] domain huawei admin

Step 7 Verify the configuration.


# Run the display hwtacacs-server template command on Router to verify the
HWTACACS server template configuration.
[Router] display hwtacacs-server template ht
---------------------------------------------------------------------------
HWTACACS-server template name : ht
Primary-authentication-server : 10.7.66.66:49:-
Primary-authorization-server : 10.7.66.66:49:-
Primary-accounting-server : 10.7.66.66:49:-
Secondary-authentication-server : 10.7.66.67:49:-
Secondary-authorization-server : 10.7.66.67:49:-
Secondary-accounting-server : 10.7.66.67:49:-
Third-authentication-server : -:0:-
Third-authorization-server : -:0:-
Third-accounting-server : -:0:-
Current-authentication-server : 10.7.66.66:49:-
Current-authorization-server : 10.7.66.66:49:-
Current-accounting-server : 10.7.66.66:49:-
Source-IP-address :-
Source-IPv6-address : ::
Shared-key : ****************
Quiet-interval(min) :5
Response-timeout-Interval(sec) : 5
Domain-included : Original
Traffic-unit :B
---------------------------------------------------------------------------

# Run the display domain command on Router to verify the domain
configuration.
[Router] display domain name huawei
Domain-name : huawei
Domain-index :2
Domain-state : Active
Authentication-scheme-name : l-h
Accounting-scheme-name : hwtacacs
Authorization-scheme-name : hwtacacs
Service-scheme-name :-
RADIUS-server-template : default
HWTACACS-server-template : ht
User-group :-
Push-url-address :-
Flow-statistic :-
Tariff-level :-

----End

Configuration Files
Router configuration file

#
sysname Router
#
domain huawei admin
#
hwtacacs-server template ht
hwtacacs-server authentication 10.7.66.66
hwtacacs-server authentication 10.7.66.67 secondary
hwtacacs-server authorization 10.7.66.66
hwtacacs-server authorization 10.7.66.67 secondary
hwtacacs-server accounting 10.7.66.66
hwtacacs-server accounting 10.7.66.67 secondary
hwtacacs-server shared-key cipher %^%#0%i9M.C!T$8iTn7Ig-4V8GTgK[gwp3b6;k=caxl-%^%#
#
aaa
authentication-scheme l-h


authentication-mode hwtacacs local
authorization-scheme hwtacacs
authorization-mode hwtacacs local
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
accounting start-fail online
domain huawei
authentication-scheme l-h
accounting-scheme hwtacacs
authorization-scheme hwtacacs
hwtacacs-server ht
local-user user1 password irreversible-cipher $1a$8&/1M*R6{A$#D_UJt7Vv1L5LI*A_l=UdI)WLj|dhD~oxy=$O[}F$
local-user user1 privilege level 15
local-user user1 service-type http
#
return

1.9.3 Example for Configuring Domain-based User Management

Networking Requirements
As shown in Figure 1-31, enterprise users access the network through Router. The
user names do not contain any domain names.
The enterprise requires that common users access the network and obtain rights
after passing RADIUS authentication and that administrators log in to the device
for management only after passing local authentication on Router.


Figure 1-31 Configuring domain-based user management


Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and a VLANIF interface for Router to communicate with the
RADIUS server.
2. Configure authentication and accounting schemes for common users and
apply the schemes to the default domain to authenticate common users,
such as users using 802.1X authentication. The user names of the users do not
contain domain names.
3. Configure authentication and authorization schemes for administrators and
apply the schemes to the default_admin domain to authenticate
administrators, such as a user logging in through Telnet, SSH, or FTP. The user
names of administrators do not contain domain names.

NOTE

Ensure that users have been configured on the RADIUS server. In this example, the user
with the user name test1 and password 123456 has been configured on the RADIUS server.
This example provides only the configuration for Router. The configurations of the RADIUS
server are not described here.

Procedure
Step 1 Create a VLAN and configure interfaces.
# Create VLAN 11 on Router.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 11

# Set the link type of Eth2/0/1 of Router that is connected to the RADIUS server
to access, and add Eth2/0/1 to VLAN 11.
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 11
[Router-Ethernet2/0/1] quit

# Create VLANIF 11, and configure the IP address of 192.168.2.29/24 for VLANIF
11.
[Router] interface vlanif 11
[Router-Vlanif11] ip address 192.168.2.29 24
[Router-Vlanif11] quit

Step 2 Configure RADIUS AAA for common users who use 802.1X authentication.
NOTE

Ensure that the shared key in the RADIUS server template is the same as that set on the RADIUS
server.

# Configure a RADIUS server template named rd1.
[Router] radius-server template rd1
[Router-radius-rd1] radius-server authentication 192.168.2.30 1812
[Router-radius-rd1] radius-server accounting 192.168.2.30 1813


[Router-radius-rd1] radius-server shared-key cipher Huawei@2012
[Router-radius-rd1] radius-server retransmit 2
[Router-radius-rd1] quit

# Create authentication and accounting schemes both named abc, and set the
authentication and accounting modes to RADIUS.
[Router] aaa
[Router-aaa] authentication-scheme abc
[Router-aaa-authen-abc] authentication-mode radius
[Router-aaa-authen-abc] quit
[Router-aaa] accounting-scheme abc
[Router-aaa-accounting-abc] accounting-mode radius
[Router-aaa-accounting-abc] quit

# Test connectivity between Router and the RADIUS server. Ensure that the test1
user with the password 123456 has been configured on the RADIUS server.
[Router-aaa] test-aaa test1 123456 radius-template rd1

# Apply the authentication scheme abc, accounting scheme abc, and RADIUS
server template rd1 to the default domain.
[Router-aaa] domain default
[Router-aaa-domain-default] authentication-scheme abc
[Router-aaa-domain-default] accounting-scheme abc
[Router-aaa-domain-default] radius-server rd1
[Router-aaa-domain-default] quit
[Router-aaa] quit

# Enable 802.1X authentication on Eth2/0/0.
[Router] dot1x-access-profile name d1
[Router-dot1x-access-profile-d1] quit
[Router] authentication-profile name p1
[Router-authen-profile-p1] dot1x-access-profile d1
[Router-authen-profile-p1] authentication mode multi-authen max-user 100
[Router-authen-profile-p1] quit
[Router] vlan batch 10
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 10
[Router-Ethernet2/0/0] authentication-profile p1
[Router-Ethernet2/0/0] quit

# Set the global default domain for common users to default. After common
users enter their user names in the format of user@default, the device performs
AAA authentication for the users in the default domain. If a user name does not
contain a domain name or contains a non-existing domain name, the device
authenticates the common user in the default domain for common users.
[Router] domain default

Step 3 Configure local authentication and authorization for the administrator test.
# Configure the device to use AAA for the Telnet user that logs in through the VTY
user interface.
[Router] telnet server enable
[Router] user-interface vty 0 14
[Router-ui-vty0-14] authentication-mode aaa
[Router-ui-vty0-14] quit

# Configure a local user named test with password admin@12345, and set the
user level to 3.
[Router] aaa
[Router-aaa] local-user test password irreversible-cipher admin@12345 privilege level 3


# Set the access type of test to Telnet.
[Router-aaa] local-user test service-type telnet

# Configure local account locking. Set the retry interval to 5 minutes, the
maximum number of consecutive authentication failures to 3, and the local
account locking duration to 5 minutes.
[Router-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
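What the three parameters above do when a user (or an online guessing attempt) keeps failing, as an added illustration in Python rather than the device's own code: the assumed model is that retry-time failures inside one retry-interval lock the account for block-time, and the failure count starts over once the lock expires. The user name test and the 5/3/5 values are taken from this example; the clock is passed in so the sequence can be replayed deterministically.

```python
"""Model of 'local-aaa-user wrong-password retry-interval R retry-time N block-time B'.

Added example, not Huawei's implementation. Assumed semantics: N failed logins
within R minutes lock the account for B minutes; a correct password submitted
while locked is still refused; the failure history is dropped when the lock ends.
Time is given in seconds by the caller (constructed, for deterministic replay).
"""
from collections import defaultdict, deque


class LocalUserLockout:
    def __init__(self, retry_interval_min=5, retry_time=3, block_time_min=5):
        self.window = retry_interval_min * 60     # retry-interval
        self.max_failures = retry_time            # retry-time
        self.block = block_time_min * 60          # block-time
        self.failures = defaultdict(deque)        # user -> timestamps of recent failures
        self.blocked_until = {}                   # user -> lock expiry

    def is_blocked(self, user, now):
        """True while a lock is active; an expired lock is removed and history reset."""
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[user]
            self.failures[user].clear()
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Record one login attempt; returns 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(user, now):
            return "blocked"            # refused even if the password is right
        if password_ok:
            self.failures[user].clear()
            return "ok"
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()            # only failures inside retry-interval count
        if len(recent) >= self.max_failures:
            self.blocked_until[user] = now + self.block
            recent.clear()
            return "blocked"
        return "failed"


if __name__ == "__main__":
    lock = LocalUserLockout(5, 3, 5)
    for t, ok in [(0, False), (60, False), (120, False), (300, True), (420, True)]:
        print(t, lock.attempt("test", ok, t))
```

The check worth noticing is the correct password at t=300: it is refused because the lock set at t=120 runs until t=420, which is what makes the lock slow down a guessing attack rather than only punish mistyped logins. Failures older than retry-interval are discarded, so two failures five minutes apart never add up to a lock.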

# Create an authentication scheme named auth, and configure the authentication
scheme to use local authentication.
[Router-aaa] authentication-scheme auth
[Router-aaa-authen-auth] authentication-mode local
[Router-aaa-authen-auth] quit

# Create an authorization scheme named autho, and configure the authorization
scheme to use local authorization.
[Router-aaa] authorization-scheme autho
[Router-aaa-author-autho] authorization-mode local
[Router-aaa-author-autho] quit

# Apply the authentication scheme auth and authorization scheme autho to the
default_admin domain.
[Router-aaa] domain default_admin
[Router-aaa-domain-default_admin] authentication-scheme auth
[Router-aaa-domain-default_admin] authorization-scheme autho
[Router-aaa-domain-default_admin] quit
[Router-aaa] quit

# Set the global default domain for administrators to default_admin. After
administrators enter user names in the format of user@default_admin, the device
performs AAA authentication for the administrators in the default_admin domain.
If the user name of an administrator does not contain a domain name or contains
a non-existing domain name, the device authenticates the administrator in the
default domain for administrators.
[Router] domain default_admin admin
[Router] quit
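How the device picks the domain that serves a user, collecting the rules stated in the NOTE of 1.9.1 and in Steps 2 and 3 above, as an added model in Python and not Huawei's implementation: the text after the last @ selects a domain only if that domain exists; otherwise the global default domain for common users (domain default) or for administrators (domain default_admin admin) applies; and undo radius-server user-name domain-included changes only the User-Name placed in the packet, never the domain in effect. That a name whose @-suffix is not a configured domain is passed to the server unchanged is an assumption of this example, not a statement of the guide.

```python
"""Domain selection for a user name on the NAS (added model, not Huawei's code).

Rules from the guide: 'name@domain' is served by that domain when it exists;
otherwise, and when no domain is given, the global default domain applies,
one for common users ('domain <name>') and one for administrators
('domain <name> admin'). 'undo radius-server user-name domain-included'
affects only the User-Name sent to the server.
Assumption: a name whose @-suffix is not a configured domain is sent unchanged.
"""


class DomainTable:
    def __init__(self, domains, default_common, default_admin):
        self.domains = set(domains)
        self.default_common = default_common   # set with 'domain <name>'
        self.default_admin = default_admin     # set with 'domain <name> admin'

    def resolve(self, username, is_admin=False):
        """Return (domain whose AAA configuration applies, name with a recognised
        domain suffix removed)."""
        default = self.default_admin if is_admin else self.default_common
        if "@" in username:
            pure, _, dom = username.rpartition("@")
            if dom in self.domains:
                return dom, pure
        return default, username   # no domain given, or a non-existing one

    def name_in_packet(self, username, is_admin=False, domain_included=True):
        """(domain in effect, User-Name written into the RADIUS packet).
        domain_included=False models 'undo radius-server user-name domain-included':
        the packet loses the domain suffix, the domain in effect does not change."""
        domain, pure = self.resolve(username, is_admin)
        return domain, (username if domain_included else pure)


if __name__ == "__main__":
    table = DomainTable(["huawei", "huawei.com", "default", "default_admin"],
                        default_common="default", default_admin="default_admin")
    for name, admin in [("test1", False), ("test", True), ("user@huawei.com", False),
                        ("bob@nowhere", False)]:
        print(name, "->", table.resolve(name, admin),
              "packet:", table.name_in_packet(name, admin, domain_included=False))
```

The user@huawei.com case reproduces the NOTE in 1.9.1: with the undo command in effect the packet carries only user, but the user is still served by the domain huawei.com; test1 and test land in default and default_admin respectively because their names carry no domain.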

Step 4 Verify the configuration.
# Run the display dot1x interface command on Router to verify the 802.1X
authentication configuration.
# If you log in as a common user, enter the user name test1 and password
123456 on an 802.1X client, and run the display access-user domain and display
access-user user-id commands to check the domain to which you belong and
your access type.
<Router> display access-user domain default
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
16040 test1 - 00e0-4c97-31f6 Success
------------------------------------------------------------------------------
Total: 1, printed: 1
<Router> display access-user user-id 16040
Basic:
User id : 16040
User name : test1
Domain-name : default


User MAC : 00e0-4c97-31f6
User IP address :-
User IPv6 address :-
User access time : 2009/02/15 19:10:52
User accounting session ID :
huawei255255000000000f910d2016040huawei255255000000000f****2016040
Option82 information :-
User access type : 802.1x

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

# If you log in through Telnet, enter the user name test and password
admin@12345, and run the display access-user domain and display access-user
user-id commands to check the domain to which you belong and your access
type.
<Router> display access-user domain default_admin
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
16009 test 10.135.18.217 - Success
------------------------------------------------------------------------------
Total: 1, printed: 1
<Router> display access-user user-id 16009
Basic:
User id : 16009
User name : test
Domain-name : default_admin
User MAC :-
User IP address : 10.135.18.217
User IPv6 address :-
User access time : 2009/02/15 05:10:52
User accounting session ID :
huawei255255000000000f910d2016009huawei255255000000000f****2016009
Option82 information :-
User access type : Telnet

AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : None

----End

Configuration File
Router configuration file

#
sysname Router
#
vlan batch 10 to 11
#
authentication-profile name p1
dot1x-access-profile d1
authentication mode multi-authen max-user 100
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
radius-server accounting 192.168.2.30 1813 weight 80
radius-server retransmit 2


#
aaa
authentication-scheme abc
authentication-mode radius
authentication-scheme auth
authorization-scheme autho
accounting-scheme abc
accounting-mode radius
domain default
authentication-scheme abc
accounting-scheme abc
radius-server rd1
domain default_admin
authentication-scheme auth
authorization-scheme autho
local-user test password irreversible-cipher $1a$KQje%Ip2q/$bBk."}ISO@KQje%Ip2q/$bBk."}ISO@$
local-user test privilege level 3
local-user test service-type telnet
#
interface Vlanif11
ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 10
authentication-profile p1
#
interface Ethernet2/0/1
port link-type access
port default vlan 11
#
telnet server enable
#
user-interface vty 0 14
authentication-mode aaa
#
dot1x-access-profile name d1
#
return
