01-01 AAA Configuration
1 AAA Configuration
Definition
Authentication, Authorization, and Accounting (AAA) provides a user management
mechanism, including the following functions:
● Authentication: verifies the identity of users for network access.
● Authorization: authorizes users to use particular services.
● Accounting: records the network resources used by users.
Users can use one or more security services provided by AAA. For example, if a
company wants to authenticate employees that access certain network resources,
the network administrator only needs to configure an authentication server. If the
company also wants to record operations performed by employees on the
network, an accounting server is needed.
In summary, AAA authorizes users to access specific resources and records user
operations. AAA is widely used because it features good scalability and facilitates
Purpose
AAA prevents unauthorized users from logging in to a device and improves system
security.
Figure (selecting the domain from the user name; figure not reproduced): the device checks whether the user name contains a domain name. If it does, and that domain name is configured on the NAS device, the domain name contained in the user name is used. If the user name contains no domain name, or the domain name is not configured on the NAS device, the default domain name is used. The figure labels are "User name" and "Authorization information in the domain".
As shown in Table 1-1, AAA divides users into administrators and access users to
provide more refined and differentiated authentication, authorization, and
accounting services. An NAS has two global default domains, namely, the global
default administrative domain default_admin and the global default common
domain default. The two domains are used as the global default domains for
administrators and access users, respectively. Default configurations in the two
domains are different.
NOTE
The accounting scheme default is bound to the two global default domains. Modifying the
accounting scheme may affect configurations of the two domains.
The two global default domains cannot be deleted and can only be modified.
User Type | Description | Default Domain | Default Authentication Scheme | Default Accounting Scheme | Default Authorization Scheme
Administrator | Also called a login user; refers to a user who can log in to the NAS through FTP, HTTP, SSH, Telnet, or the console port. | default_admin | default (local authentication) | default (non-accounting) | N/A
Access user | Includes SSLVPN users, PPP users, and NAC users (802.1X authenticated, MAC address authenticated, and Portal authenticated users). | default | radius (local authentication) | default (non-accounting) | N/A
The global default domain can be customized based on actual requirements. The
customized global default domain can be the global default common domain and
the global default management domain at the same time.
You can run the display aaa configuration command to check the current global
default common domain and the global default management domain on the NAS.
The command output is as follows:
<Huawei> display aaa configuration
Domain Name Delimiter :@
Domainname parse direction : Left to right
Domainname location : After-delimiter
Administrator user default domain: default_admin //Global default management domain
Normal user default domain : default //Global default common domain
For some access modes, you can specify the domain to which a user belongs using
the command provided in the corresponding authentication profile to meet
requirements of the user authentication management policy. For example, you can
configure a default domain and a forcible domain for NAC access users on the
NAS based on the authentication profile and specify the user type (802.1X, MAC
address, or Portal authenticated user), achieving flexible configuration. The
forcible domain, default domain, and domain carried in the user name are listed in
descending order of the priority.
● Only RADIUS authentication supports modification of the user-entered original user names.
● You can change the user-entered original user name based on the RADIUS server template.
An NAS can determine whether a user name sent to the RADIUS server contains
the domain name based on the RADIUS server requirements. By default, an NAS
directly sends the user-entered original user name to the RADIUS server without
changing it.
You can set the format of user names sent by an NAS to the RADIUS server using
the commands in Table 1-2.
The following commands modify only the user name format in RADIUS packets
sent to the RADIUS server and do not modify the user name format in EAP
packets. During 802.1X authentication, the RADIUS server checks whether the user
name carried in EAP packets is the same as that on the RADIUS server. Therefore,
you cannot modify the original user name using the radius-server user-name
domain-included or undo radius-server user-name domain-included command
during 802.1X authentication; otherwise, authentication may fail.
Table 1-2 Setting the format of user names sent by an NAS to the RADIUS server
Command | User-Entered User Name | User Name Sent to the RADIUS Server
radius-server user-name domain-included | user-name | user-name@default (assuming that the user belongs to the default domain default)
undo radius-server user-name domain-included | user-name | user-name
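The following Python script is an added example; it is not part of the Huawei documentation or of the device software. It models the domain selection and user-name handling described above: parsing the user name at the @ delimiter (left to right, domain after the delimiter), applying the stated priority order forcible domain > default domain > domain carried in the user name, and producing the user name placed in the RADIUS packet for the original (default), domain-included, and undo settings. The function and parameter names, the configured-domain list, the decision that the undo setting strips a carried domain, and the rule that a name used in 802.1X (EAP) is left untouched are assumptions of this example.

```python
# Added example (not Huawei code): domain selection and RADIUS user-name format.
DELIMITER = "@"                    # "Domain Name Delimiter :@" in the display output
GLOBAL_DEFAULT_DOMAIN = "default"  # global default common domain


def split_user_name(user_name, delimiter=DELIMITER):
    """Parse left to right; the domain is the part after the delimiter.
    Returns (pure user name, carried domain or None)."""
    if delimiter in user_name:
        pure, domain = user_name.split(delimiter, 1)
        return pure, domain
    return user_name, None


def select_domain(user_name, configured_domains, forcible_domain=None,
                  profile_default_domain=None,
                  global_default=GLOBAL_DEFAULT_DOMAIN):
    """Priority order stated in the text: forcible domain > default domain
    of the authentication profile > domain carried in the user name (only
    when that domain exists on the NAS) > global default domain."""
    _, carried = split_user_name(user_name)
    if forcible_domain:
        return forcible_domain
    if profile_default_domain:
        return profile_default_domain
    if carried and carried in configured_domains:
        return carried
    return global_default


def radius_user_name(user_name, domain, mode="original", eap=False):
    """User name written into the RADIUS Access-Request.
    mode "original":        send the user-entered name unchanged (default)
    mode "domain-included": radius-server user-name domain-included
    mode "domain-excluded": undo radius-server user-name domain-included
    eap=True models 802.1X: the server compares the name in the EAP payload
    with the RADIUS one, so this example leaves the name unchanged there
    (assumption: a real NAS would apply the command and risk a failure)."""
    if mode not in ("original", "domain-included", "domain-excluded"):
        raise ValueError("unknown user-name mode: " + mode)
    if eap or mode == "original":
        return user_name
    pure, _ = split_user_name(user_name)
    if mode == "domain-included":
        return pure + DELIMITER + domain
    return pure   # domain-excluded: assumption that a carried domain is stripped


if __name__ == "__main__":
    domains = {"default", "corp"}
    for name in ("alice", "alice@corp", "alice@nosuch"):
        d = select_domain(name, domains)
        print(name, "->", d, "/ sent:", radius_user_name(name, d, "domain-included"))
```

Calling select_domain with forcible_domain or profile_default_domain set shows the two higher-priority settings overriding a domain carried in the user name.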
method listed in the scheme to authenticate users; if that method does not
respond, the NAS selects the next authentication method in the authentication
scheme. This process continues until there is successful communication with a
listed authentication method or the authentication method list is exhausted, in
which case authentication fails.
NOTE
The NAS attempts authentication with the next listed authentication method only when there is
no response from the previous method. If authentication fails at any point in this cycle —
meaning that the AAA server responds by denying the user access — the authentication process
stops and no other authentication methods are attempted.
An authorization scheme is used to define methods for user authorization and the
order in which authorization methods take effect. An authorization scheme is
applied to a domain. It is combined with the authentication scheme, accounting
scheme, and server template in the domain for user authentication, authorization,
and accounting.
method responds with an authorization failure message, the AAA server refuses to
provide services for the user. In this case, authorization ends and the next listed
method is not used.
Authorization Information
Authorization information can be delivered by a server or configured in a domain.
Whether a user obtains authorization information delivered by a server or in a
domain depends on the authorization method configured in the authorization
scheme. For details, see Figure 1-4.
● If local authorization is used, the user obtains authorization information from
the domain.
● If server-based authorization is used, the user obtains authorization
information from the server or domain. Authorization information configured
in a domain has lower priority than that delivered by a server. If the two types
of authorization information conflict, authorization information delivered by
the server takes effect. If no conflict occurs, the two types of authorization
information take effect simultaneously. In this manner, you can increase
authorization flexibly by means of domain management, regardless of the
authorization attributes provided by the AAA server.
Table 1-3 shows authorization information typically used by a server. Table 1-4
shows authorization information that can be configured in a domain.
Authorization Information | Description
ACL number | Delivered by the server. You need to configure the rules of the ACL with that number on the NAS.
ACL rule | Delivered directly by the server. As defined in the rule, users can access all network resources included in the ACL. You do not need to configure the corresponding ACL on the NAS.
User group | The server delivers the user group name to the NAS. You need to configure the corresponding group and the network resources in the group on the NAS.
Idle-cut | Idle-cut time delivered by the server. After a user goes online, if the consecutive non-operation period, or the duration for which traffic stays below a specified value, exceeds the idle-cut time, the user is disconnected.
Authorization Information | Description
User group | A user group consists of users (terminals) with the same attributes, such as role and rights. For example, you can divide users on a campus network into the R&D group, finance group, marketing group, and guest group based on the enterprise department structure, and grant different security policies to different departments. You need to configure a user group and the corresponding network resources in the group on the NAS.
After the local administrator password policy is enabled, the local administrator
can set the password validity period. The default validity period is 90 days and can
be changed.
If the password of a local user expires and the local user still uses this password to
log in to the device, the device prompts the user that the password has expired,
and asks the user whether to change the password. The device then performs the
following operations depending on the user selection:
● If the user enters Y, the user needs to enter the old password, new password,
and confirm password. The password can be successfully changed only when
the old password is correct and the new password and confirm password are
the same and meet password length and complexity requirements.
● If the user enters N or fails to change the password, the user cannot log in to
the device.
The device also supports the password expiration prompt function. When a user
logs in to the device, the device checks how many days the password is valid for. If
the number of days is less than the prompt days set in the command, the device
notifies the user how long the password will expire and asks the user whether to
change the password.
● If the user changes the password, the device records the new password and
modification time.
● If the user does not change the password or fails to change the password, the
user can still log in to the device as long as the password has not expired.
During password modification, you are not advised to use old passwords. By
default, the new password cannot be the same as those used for the last five
times.
The local administrator can change the password of an equal- or lower-level local
user.
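The following Python script is an added example; it is not part of the Huawei documentation or of the device software. It models the local password policy described above: a validity period (90 days by default), an expiration prompt when fewer than a set number of days remain, the change procedure (old password must be correct, new and confirm passwords must match and meet length and complexity requirements), and a history that rejects any of the last five passwords. The class and function names, the prompt period of 7 days, the minimum length of 8, the "three of four character classes" complexity rule, the hashing scheme and the dates are assumptions constructed for this example.

```python
# Added example (not Huawei code): local administrator password policy model.
import hashlib
import os
from datetime import datetime, timedelta

VALIDITY_DAYS = 90            # default validity period named in the text
PROMPT_DAYS = 7               # assumed expiration prompt period
HISTORY_SIZE = 5              # a new password may not equal the last five used
T0 = datetime(2024, 1, 1)     # constructed reference date for the scenario


def day(n):
    """n days after T0, for the sample scenario."""
    return T0 + timedelta(days=n)


def _digest(salt, password):
    # Illustrative hashing only; the device keeps its own password store.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def complex_enough(password):
    """Assumed rule: at least 8 characters and three of the four classes
    (lower case, upper case, digit, other)."""
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return len(password) >= 8 and sum(classes) >= 3


class LocalUser:
    def __init__(self, name, password, changed_at):
        self.name = name
        self.salt = os.urandom(8)
        self.history = [_digest(self.salt, password)]   # most recent first
        self.changed_at = changed_at

    def check(self, password):
        return self.history[0] == _digest(self.salt, password)

    def login_status(self, now):
        """What the device decides at login: ("expired", 0), ("expiring",
        days_left) inside the prompt period, or ("ok", days_left)."""
        days_left = VALIDITY_DAYS - (now - self.changed_at).days
        if days_left <= 0:
            return "expired", 0
        if days_left < PROMPT_DAYS:
            return "expiring", days_left
        return "ok", days_left

    def change_password(self, old, new, confirm, now):
        """Returns (changed, reason). Succeeds only when the old password is
        correct, new and confirm are the same, the new password meets the
        length/complexity rule, and it is not one of the last five used."""
        if not self.check(old):
            return False, "old password incorrect"
        if new != confirm:
            return False, "new password and confirm password differ"
        if not complex_enough(new):
            return False, "new password does not meet length/complexity requirements"
        if _digest(self.salt, new) in self.history[:HISTORY_SIZE]:
            return False, "new password was used within the last five changes"
        self.history.insert(0, _digest(self.salt, new))
        self.changed_at = now
        return True, "password changed"


if __name__ == "__main__":
    admin = LocalUser("admin", "Old-Pass-1", day(0))
    print(admin.login_status(day(85)))      # inside the prompt period
    print(admin.login_status(day(100)))     # expired
    print(admin.change_password("Old-Pass-1", "New-Pass-2", "New-Pass-2", day(100)))
```

A user whose status is "expired" is only let in after change_password succeeds; a user whose status is "expiring" may decline the change and still log in until the validity period ends, which is the behaviour the text describes.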
RADIUS is a protocol that uses the client/server model in distributed mode and
protects a network from unauthorized access. It is often used on networks that
require high security and control remote user access. It defines the UDP-based
RADIUS packet format and transmission mechanism, and specifies UDP ports 1812
and 1813 as the default authentication and accounting ports respectively.
RADIUS was originally used only as the AAA protocol for dial-up users. As user
access modes have diversified (for example, Ethernet access), RADIUS has been
applied to these access modes as well. RADIUS provides the access service
through authentication and authorization, and records the network resource
usage of users through accounting.
● Client/Server model
● Secure message exchange mechanism
● Fine scalability
Client/Server Model
● RADIUS client
RADIUS clients run on the NAS to transmit user information to a specified
RADIUS server and process requests (for example, permit or reject user access
requests) based on the responses from the server. RADIUS clients can be located
at any node on a network.
As a RADIUS client, a device supports:
– standard RADIUS protocol and its extensions, including RFC 2865 and RFC
2866
– Huawei extended RADIUS attributes
– RADIUS server status detection
– retransmission of Accounting-Request(Stop) packets in the local buffer
– active/standby and load balancing functions between RADIUS servers
● RADIUS server
RADIUS servers typically run on central computers and workstations to
maintain user authentication and network service access information. The
servers receive connection requests from users, authenticate the users, and
send all required information (such as permitting or rejecting authentication
requests) to the clients. A RADIUS server generally needs to maintain three
databases, as shown in Figure 1-5.
Secure Message Exchange Mechanism
A RADIUS packet has a 16-octet Authenticator field that carries the signature
of the whole packet: an MD5 hash computed over the packet together with the
shared key. The receiver of a RADIUS packet recomputes the hash to verify the
signature and discards the packet if the signature is incorrect.
Fine Scalability
A RADIUS packet consists of a packet header and a certain number of attributes.
The protocol implementation remains unchanged even if new attributes are added
to a RADIUS packet.
Figure (RADIUS packet format; bit offsets 0, 7, 15, 31):
Code (1 octet) | Identifier (1 octet) | Length (2 octets)
Authenticator (16 octets)
Attribute (variable length)
● Identifier: The identifier field is one octet, and helps the RADIUS server match
requests and responses and detect duplicate requests retransmitted within a
certain period. After a client sends a request packet, the server sends a reply
packet with the same Identifier value as the request packet.
● Length: The Length field is two octets and specifies the length of the
RADIUS packet. Octets outside the range given by the Length field must be
treated as padding and ignored on reception. If a packet is shorter than its
Length field indicates, it must be silently discarded.
● Authenticator: The Authenticator field is 16 octets. This value is used to
authenticate the reply from the RADIUS server and is used in the password
hiding algorithm.
● Attribute: This field is variable in length. RADIUS attributes carry the specific
authentication, authorization, accounting information and configuration
details for the request and reply packets. The Attribute field may contain
multiple attributes, each of which consists of Type, Length, and Value. For
details, see 1.2.4.8 RADIUS Attributes.
– Type: The Type field is one octet and indicates the RADIUS attribute ID.
The value ranges from 1 to 255.
– Length: The Length field is one octet, and indicates the length of the
RADIUS attribute (including the Type, Length and Value fields). The
Length is measured in octets.
– Value: The Value field is at most 253 bytes long and contains information
specific to the RADIUS attribute. The format and length of the Value field
are determined by the Type and Length fields.
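The following Python script is an added example; it is not part of the Huawei documentation or of the device software. It builds and parses packets in the layout described above (Code, Identifier, Length, 16-octet Authenticator, then Type/Length/Value attributes), applies the two Length rules (octets beyond Length are padding and are ignored; a packet shorter than its Length is discarded), and performs the client-side Authenticator check of a reply: MD5 over Code, Identifier, Length, the request's Authenticator, the reply's attributes and the shared key. The function names, the shared key, the fixed request Authenticator and the attribute contents in make_sample() are constructed for this example; in real use the request Authenticator is 16 random octets.

```python
# Added example (not Huawei code): RADIUS packet parsing and reply verification.
import hashlib
import hmac
import struct

HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_LEN = 4096    # RFC 2865 upper bound on Length
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RFC 2865 packet codes


def build_packet(code, identifier, authenticator, attributes):
    """attributes: list of (type, value bytes). Each attribute is encoded as
    Type, Length (covering Type+Length+Value) and Value, Value <= 253 octets."""
    body = b""
    for attr_type, value in attributes:
        if not 1 <= attr_type <= 255 or len(value) > 253:
            raise ValueError("bad attribute")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_packet(data):
    """Returns a dict with code, identifier, length, authenticator and the
    attribute list. Octets beyond Length are treated as padding; a packet
    shorter than its Length raises ValueError (the receiver discards it)."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the fixed header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > MAX_LEN:
        raise ValueError("invalid Length field")
    if len(data) < length:
        raise ValueError("packet shorter than Length: silently discard")
    data = data[:length]
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute Length out of range")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": data[4:20], "attributes": attrs}


def response_authenticator(code, identifier, length, attr_bytes,
                           request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_authenticator + attr_bytes + secret).digest()


def verify_reply(reply, request_identifier, request_authenticator, secret):
    """Client-side check: the Identifier must match the outstanding request
    and the Authenticator must equal the expected MD5 value."""
    pkt = parse_packet(reply)
    if pkt["identifier"] != request_identifier:
        return False
    expected = response_authenticator(pkt["code"], pkt["identifier"], pkt["length"],
                                      reply[HEADER_LEN:pkt["length"]],
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])


def make_sample():
    """Constructed Access-Request / Access-Accept pair (not captured traffic)."""
    secret = b"example-shared-key"          # constructed; not a real key
    request_auth = bytes(range(16))         # fixed here; random in real use
    request = build_packet(ACCESS_REQUEST, 7, request_auth,
                           [(1, b"alice"), (4, bytes([10, 0, 0, 1]))])
    attrs = [(11, b"acl3001"), (27, struct.pack("!I", 3600))]   # Filter-Id, Session-Timeout
    attr_bytes = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    auth = response_authenticator(ACCESS_ACCEPT, 7, HEADER_LEN + len(attr_bytes),
                                  attr_bytes, request_auth, secret)
    return request, build_packet(ACCESS_ACCEPT, 7, auth, attrs), secret, request_auth


if __name__ == "__main__":
    req, acc, key, req_auth = make_sample()
    print(parse_packet(req)["attributes"])
    print("accept verified:", verify_reply(acc, 7, req_auth, key))
```

Flipping one octet of the reply, using a different shared key, or replaying a reply whose Identifier does not match the outstanding request all make verify_reply return False, while trailing padding after Length is ignored and still verifies.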
Figure (RADIUS accounting exchange; only steps 6 to 12 recovered, figure not reproduced):
6. Accounting-Response(Start)
8. (Optional) Accounting-Request(Interim-update)
9. (Optional) Accounting-Response(Interim-update)
10. The user requests disconnection.
11. Accounting-Request(Stop)
12. Accounting-Response(Stop)
Figure (RADIUS packet retransmission during 802.1X authentication; figure not reproduced): after EAPOL-Start, EAP-Request/Identity, and EAP-Response/Identity, the device sends a RADIUS Access-Request packet for the first time. If no response arrives within the retransmission interval (command: radius-server timeout time-value), it sends the packet for the second time, and so on up to the nth time, where the number of retransmission times is set by the radius-server retransmit retry-times command. Retransmission then stops.
The device stops packet retransmission if any of the following conditions is met:
● The device receives a response packet from the RADIUS server. It then stops
packet retransmission and marks the RADIUS server status as Up.
● The device detects that the RADIUS server status is Down. After the device
marks the RADIUS server status as Down:
– If the number of retransmitted packets has reached the upper limit, the
device stops packet retransmission and retains the RADIUS server status
to Down.
– If the number of retransmitted packets has not reached the upper limit,
the device retransmits an Access-Request packet once again to the
RADIUS server. If the device receives a response packet from the server, it
stops packet retransmission and restores the RADIUS server status to Up.
Otherwise, it still stops packet retransmission and retains the RADIUS
server status to Down.
● The number of retransmitted packets has reached the upper limit. The device
then stops packet retransmission and performs the following:
– If the device receives a response packet from the RADIUS server, it marks
the RADIUS server status as Up.
– If the device has detected that the RADIUS server status is Down, it
marks the server status as Down.
– If the device receives no response packet from the RADIUS server and
has not detected that the server status is Down, it leaves the server
status unchanged, even though the server has in fact not responded.
NOTE
The device does not necessarily mark a server that does not respond as Down.
It marks the server status as Down only if the corresponding conditions are
met.
For the RADIUS server status introduction and conditions for a device to mark the
server status as Down, see 1.2.4.6 RADIUS Server Status Detection.
RADIUS packet retransmission discussed here applies only to a single server. If
multiple servers are configured in a RADIUS server template, the overall
retransmission period depends on the retransmission interval, retransmission
times, RADIUS server status, number of servers, and algorithm for selecting the
servers.
You can set the timer using the following commands:
Command Description
Figure (RADIUS server selection between User, Device, and servers marked Up; caption not recovered, figure not reproduced)
Figure 1-10 Diagram for the RADIUS server load balancing algorithm (figure not reproduced; it shows the User, the Device, RADIUS server1 receiving 80% of requests, and both servers in Up status)
issue, the device supports the user escape function upon transition of the RADIUS
server status to Down. To be specific, if the RADIUS server goes Down, users
cannot be authorized by the server but still have certain network access rights.
The user escape function upon transition of the RADIUS server status to Down can
be enabled only after the device marks the RADIUS server status as Down. If the
RADIUS server status is not marked as Down and the device cannot communicate
with the RADIUS server, users cannot be authorized by the server and the escape
function is also unavailable. As a result, users have no network access rights.
Therefore, the device must be capable of detecting the RADIUS server status in a
timely manner. If the device detects that the RADIUS server status transitions to
Down, users can obtain escape rights; if the device detects that the RADIUS server
status reverts to Up, escape rights are removed from the users and the users are
reauthenticated.
This section contains the following contents:
● RADIUS Server Status
● Conditions for Marking the RADIUS Server Status as Down
● Automatic Detection
● Consecutive Processing After the RADIUS Server Status Is Marked as
Down
The RADIUS server status is initially marked as Up. After a RADIUS Access-Request
packet is received and the conditions for marking the RADIUS server status as
Down are met, the RADIUS server status transitions to Down. The RADIUS Access-
Request packet that triggers the server status transition can be sent during user
authentication or constructed by the administrator. For example, the RADIUS
Access-Request packet can be a test packet sent when the test-aaa command is
run or a detection packet sent during automatic detection.
The device changes the RADIUS server status from Down to Up or to Force-up in
the following scenarios:
● Down to Force-up: The timer specified by dead-time starts after the device
marks the RADIUS server status as Down. The timer indicates the duration for
which the server status remains Down. After the timer expires, the device
marks the RADIUS server status as Force-up. If a new user needs to be
authenticated in RADIUS mode and no RADIUS server is available, the device
attempts to re-establish a connection with a RADIUS server in Force-up
status.
● Down to Up: After receiving packets from the RADIUS server, the device
changes the RADIUS server status from Down to Up. For example, after
automatic detection is configured, the device receives response packets from
the RADIUS server.
Request packet to the server for the (2n+2)th time. If the server still does
not respond, the device no longer sends any Access-Request packet to the
server.
If multiple servers are configured in the RADIUS server template, the overall status
detection time is related to the number of servers and the server selection
algorithm. If a user terminal uses client software for authentication and the
timeout period of the client software is shorter than the sum of all the
status detection times, the client software may dial up repeatedly and be
unable to access the network. If the user escape function is configured, the
sum of all the status detection times must be shorter than the timeout period
of the terminal client software to ensure that escape rights can be granted to
the users.
Figure 1-11 Logic flowchart for marking the RADIUS server status as Down (flowchart not reproduced). Flowchart 1 covers the MAC authentication process for new access users triggered by ARP/DHCP and similar packets, including the Reject branch, the authen-fail action, and the pre-authen/re-authen timer ("stay current state"). Flowchart 2 covers the offline detection process for a connected user when the port status changes (Port State Up/Down): the link-down offline delay timer, the user going offline (State=none), and the authentication timer restarted on handshake-period timeout.
Command Description
Automatic Detection
After the RADIUS server status is marked as Down, you can configure the
automatic detection function to test the RADIUS server reachability.
The device then periodically detects servers whose status is marked as Down.
The automatic detection function needs to be manually enabled. The automatic
server status detection function can be enabled only if the user name and
password for automatic detection are configured in the RADIUS server template
view on the device rather than on the RADIUS server. Authentication success is not
mandatory. If the device can receive the authentication failure response packet,
the RADIUS server is properly working and the device marks the RADIUS server
status as Up. If the device cannot receive the response packet, the RADIUS server
is unavailable and the device marks the RADIUS server status as Down.
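The following Python script is an added example; it is not part of the Huawei documentation or of the device software. It models, for one server in a RADIUS server template, the behaviour described in the retransmission and server status sections above: the Access-Request is retransmitted until the server answers or the retry limit is reached; a server can be marked Down after an unanswered request; the dead-time timer moves it from Down to Force-up; an automatic detection probe marks it Up on any answer, including an authentication failure, and keeps it Down on no answer; and the sum of detection times across servers is compared with the client software timeout. The parameter names follow the radius-server timeout, radius-server retransmit and dead-time settings named in the text, but their values (5 s, 3 retries, 5 min), the class and method names, the sequential server-selection assumption in worst_case_wait, and the down_conditions_met flag (standing in for the Down-marking conditions of section 1.2.4.6, which are not modelled) are assumptions of this example.

```python
# Added example (not Huawei code): RADIUS client retransmission and server status model.
from enum import Enum

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RFC 2865 packet codes


class Status(Enum):
    UP = "Up"
    DOWN = "Down"
    FORCE_UP = "Force-up"


class RadiusServerTracker:
    """Client-side view of one RADIUS server in a server template."""

    def __init__(self, timeout=5, retransmit=3, dead_time=300):
        self.timeout = timeout        # radius-server timeout: seconds between sends
        self.retransmit = retransmit  # radius-server retransmit: retries after the first send
        self.dead_time = dead_time    # dead-time: seconds the status stays Down
        self.status = Status.UP       # the status is initially Up
        self.down_since = None

    def request(self, now, send, down_conditions_met=False):
        """send(attempt) returns a packet code, or None when nothing arrives
        before the timeout. Retransmission stops as soon as the server
        answers (status Up) or when the upper limit is reached. When the
        limit is reached without an answer and the Down conditions hold,
        the server is marked Down. Returns (code or None, packets sent)."""
        sent = 0
        for attempt in range(1, self.retransmit + 2):   # first send + retries
            sent = attempt
            code = send(attempt)
            if code is not None:
                self._mark_up()
                return code, sent
        if down_conditions_met:
            self._mark_down(now)
        return None, sent

    def tick(self, now):
        """Down -> Force-up once the dead-time timer expires, so a later
        authentication may try this server again when no server is Up."""
        if self.status is Status.DOWN and now - self.down_since >= self.dead_time:
            self.status = Status.FORCE_UP
        return self.status

    def probe(self, now, send):
        """Automatic detection with the configured test user: any answer,
        including Access-Reject, shows the server is working and marks it
        Up; no answer marks (or keeps) it Down."""
        if send(1) is None:
            self._mark_down(now)
        else:
            self._mark_up()
        return self.status

    def worst_case_wait(self, server_count):
        """Upper bound on how long a user waits while every server of the
        template is tried in turn and none answers (assumes sequential
        selection). Keep it below the client software timeout when the
        escape function is relied upon."""
        return server_count * (self.retransmit + 1) * self.timeout

    def _mark_up(self):
        self.status = Status.UP
        self.down_since = None

    def _mark_down(self, now):
        if self.status is not Status.DOWN:
            self.down_since = now
        self.status = Status.DOWN


if __name__ == "__main__":
    tracker = RadiusServerTracker()
    print(tracker.request(now=0, send=lambda attempt: None, down_conditions_met=True))
    print(tracker.tick(300), tracker.probe(now=300, send=lambda attempt: ACCESS_REJECT))
    print("worst case wait for 2 servers:", tracker.worst_case_wait(2), "s")
```

With the default values, one silent server costs a user 4 sends x 5 s = 20 s; two silent servers cost 40 s, which a client whose own timeout is 30 s will not survive, and the user never reaches the escape rights the text describes.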
The following table lists commands related to automatic detection.
Command Description
NOTE
For 802.1X authenticated users and MAC address authenticated users, after the RADIUS server
status reverts to Up, users exit from escape authorization and are reauthenticated. For Portal
authenticated users, after the RADIUS server status reverts to Up, users obtain pre-connection
authorization and are redirected to the Portal server for authentication only when they
attempt to access network resources.
Figure 1-12 Consecutive processing after the RADIUS server status is marked as Down (flowchart not reproduced). Flowchart 1 covers the MAC authentication process for new access users triggered by ARP/DHCP and similar packets: while the server status on the switch is DOWN, a user obtains server-down authorization if authen-server-down authorization is configured (user status on the switch: authen-server-down); with radius-server testuser configured, the server status returns to UP after the dead time timer (default 5 min), and with authen-server-up action re-authen configured the user is reauthenticated; the Accept branch puts the user online (state=success), and the Reject branch applies the authen-fail action or keeps the current state with the pre-authen/re-authen timer. Flowchart 2 covers the offline detection process for a connected user when the port status changes (Port State Up/Down): the link-down offline delay timer, the user going offline (State=none), and the authentication timer restarted on handshake-period timeout.
The following table lists the commands for configuring the escape rights upon
transition of the RADIUS server status to Down and configuring the
reauthentication function, respectively.
Command Description
The device supports the RADIUS Change of Authorization (CoA) and Disconnect
Message (DM) functions. CoA provides a mechanism to change the rights of
online users, and DM provides a mechanism to forcibly disconnect users. This
section contains the following contents:
Exchange Procedure
CoA allows the administrator to change the rights of an online user or perform
reauthentication for the user through RADIUS after the user passes authentication.
Figure 1-13 shows the CoA interaction process.
Figure 1-13 (CoA interaction process; figure not reproduced): 1. CoA-Request packet (later steps not recovered).
Figure (DM interaction process; figure not reproduced): 1. DM-Request packet; 2. Notify the user to go offline; 3. DM-ACK/NAK packet.
Session Identification
Each service provided by the NAS to a user constitutes a session, with the
beginning of the session defined as the point where service is first provided and
the end of the session defined as the point where service is ended.
After the device receives a CoA-Request or DM-Request packet from the RADIUS
server, it identifies the user by means of certain RADIUS attributes in the
packet. The following RADIUS attributes can be used to identify users:
● User-Name (IETF attribute #1)
● Acct-Session-ID (IETF attribute #4)
● Framed-IP-Address (IETF attribute #8)
● Calling-Station-Id (IETF attribute #31)
The match methods are as follows:
● any method
The device performs a match check between an attribute and user
information on the device. The priority for identifying the RADIUS attributes
used by the users is as follows: Acct-Session-ID (4) > Calling-Station-Id (31) >
Framed-IP-Address (8). The device searches for the attributes in the request
packet based on the priority, and performs a match check between the first
found attribute and user information on the device. If the attribute is
successfully matched, the device responds with an ACK packet; otherwise, the
device responds with a NAK packet.
● all method
The device performs a match check between all attributes and user
information on the device. The device identifies the following RADIUS
attributes used by the users: Acct-Session-ID (4), Calling-Station-Id (31),
Framed-IP-Address (8), and User-Name (1). The device performs a match
check between all the preceding attributes in the Request packet and user
information on the device. If all the preceding attributes are successfully
matched, the device responds with an ACK packet; otherwise, the device
responds with a NAK packet.
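The following Python script is an added example; it is not part of the Huawei documentation or of the device software. It implements the two session identification methods described above: with the any method only the highest-priority attribute present in the request (Acct-Session-Id > Calling-Station-Id > Framed-IP-Address) is compared, so a mismatch there yields a NAK even when a lower-priority attribute would have matched; with the all method every identifying attribute present in the request, User-Name included, must match the same online user. Attributes are keyed by name rather than number. The function names, the online user table, the request contents, and the decision that a request carrying none of the identifying attributes gets a NAK are assumptions constructed for this example.

```python
# Added example (not Huawei code): CoA/DM session identification, "any" and "all" methods.
ANY_PRIORITY = ["Acct-Session-Id", "Calling-Station-Id", "Framed-IP-Address"]
ALL_ATTRIBUTES = ANY_PRIORITY + ["User-Name"]


def _match(online_users, wanted):
    """First online user whose attributes equal every (name, value) in wanted."""
    for user in online_users:
        if all(user.get(name) == value for name, value in wanted.items()):
            return "ACK", user
    return "NAK", None


def identify_user(request_attrs, online_users, method="any"):
    """Returns ("ACK", matched user) or ("NAK", None).
    any: compare only the first attribute found in priority order.
    all: every identifying attribute present in the request must match the
         same user; a request with none of them gets a NAK (assumption)."""
    if method == "any":
        for name in ANY_PRIORITY:
            if name in request_attrs:
                return _match(online_users, {name: request_attrs[name]})
        return "NAK", None
    if method == "all":
        wanted = {n: request_attrs[n] for n in ALL_ATTRIBUTES if n in request_attrs}
        if not wanted:
            return "NAK", None
        return _match(online_users, wanted)
    raise ValueError("match method must be 'any' or 'all'")


# Constructed sample session table: what the NAS knows about its online users.
ONLINE_USERS = [
    {"User-Name": "alice@corp", "Acct-Session-Id": "0000A1B2",
     "Calling-Station-Id": "00-11-22-33-44-55", "Framed-IP-Address": "10.0.0.11"},
    {"User-Name": "bob@corp", "Acct-Session-Id": "0000A1B3",
     "Calling-Station-Id": "00-11-22-33-44-66", "Framed-IP-Address": "10.0.0.12"},
]


if __name__ == "__main__":
    # Constructed DM-Request contents: session id is stale, IP address is current.
    dm_request = {"Acct-Session-Id": "FFFFFFFF", "Framed-IP-Address": "10.0.0.11"}
    print("any:", identify_user(dm_request, ONLINE_USERS, "any")[0])   # NAK
    print("all:", identify_user({"Acct-Session-Id": "0000A1B2", "User-Name": "alice@corp"},
                                ONLINE_USERS, "all"))
```

The all method is the stricter check: a request whose User-Name belongs to one session and whose Acct-Session-Id belongs to another is refused, which the any method would not notice because it never looks past the first attribute found.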
9 Framed-IP-Netmask (ipaddr): User IP address mask. This field must be used with the Framed-IP-Address field.
11 Filter-Id (string): User group name or IPv4 Access Control List (ACL) ID.
NOTE
● When this attribute carries the IPv4 ACL ID, the IPv4 ACL IDs must range from 3000 to 3999 (wired users) or 3000 to 3031 (wireless users).
● A RADIUS packet cannot carry the user group name and the IPv4 ACL ID simultaneously.
15 Login-Service (integer): Service used to connect the user to the login host:
● 0: Telnet
● 5: X25-PAD
● 50: SSH
● 51: FTP
● 52: Terminal
NOTE
An attribute can contain multiple service types.
29 Termination-Action (integer): Action the NAS takes when the specified service is completed:
● 0: forcible disconnection
● 1: reauthentication
NOTE
This attribute is valid only for 802.1X and MAC address authentication users.
When the RADIUS server delivers only this attribute, the value of attribute 27 Session-Timeout is set to 3600s (for 802.1X authentication users) or 1800s (for MAC address authentication users) by default.
31 Calling-Station-Id (string): This attribute allows the NAS to send, in the Access-Request packet, the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology.
46 Acct-Session-Time (integer): How long (in seconds) the user has received service.
NOTE
If the administrator modifies the system time after the user goes online, the online time calculated by the device may be incorrect.
64 Tunnel-Type (integer): Protocol type of the tunnel. The value is fixed at 13, indicating VLAN.
65 Tunnel-Medium-Type (integer): Medium type used on the tunnel. The value is fixed at 6, indicating Ethernet.
87 NAS-Port-Id (string): Port of the NAS that is authenticating the user. The NAS-Port-Id attribute has the following formats:
● New:
For Ethernet access users, the NAS-Port-Id is in the format "slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx", in which "slot" ranges from 0 to 15, "subslot" from 0 to 15, "port" from 0 to 255, and "VLAN ID" from 1 to 4094.
For ADSL access users, the NAS-Port-Id is in the format "slot=xx; subslot=x; port=x; VPI=xxx; VCI=xxxxx", in which "slot" ranges from 0 to 15, "subslot" from 0 to 9, "port" from 0 to 9, "VPI" from 0 to 255, and "VCI" from 0 to 65535.
● Old:
For Ethernet access users, the NAS-Port-Id is in the format "port number (2 characters) + sub-slot ID (2 bytes) + card number (3 bytes) + VLAN ID (9 characters)".
For ADSL access users: port number (2 characters) + sub-slot ID (2 bytes) + card number (3 bytes) + VPI (8 characters) + VCI (16 characters). The fields are prefixed with 0s if they contain fewer bytes than specified.
NOTE
Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei
is 2011.
26-1 HW-Input-Peak-Information-Rate (integer): Peak rate at which the user accesses the NAS, in bit/s. The value is a 4-byte integer.
26-2 HW-Input-Committed-Information-Rate (integer): Average rate at which the user accesses the NAS, in bit/s. The value is a 4-byte integer.
26-3 HW-Input-Committed-Burst-Size (integer): Committed burst size (CBS) at which the user accesses the NAS, in bit/s. The value is a 4-byte integer.
26-4 HW-Output-Peak-Information-Rate (integer): Peak rate at which the NAS connects to the user, in bit/s. The value is a 4-byte integer.
26-5 HW-Output-Committed-Information-Rate (integer): Average rate at which the NAS connects to the user, in bit/s. The value is a 4-byte integer.
26-6 HW-Output-Committed-Burst-Size (integer): Committed burst size at which the NAS connects to the user, in bit/s. The value is a 4-byte integer.
26-31 HW-Qos-Data (string): Name of the QoS profile. The maximum length of the name is 31 bytes. The RADIUS server uses this field to deliver the QoS profile. The QoS profile must exist on the device.
26-94 HW-VPN-Instance (string): VPN instance name delivered by the RADIUS server after a user is successfully authenticated. It specifies the VPN to which the user belongs.
26-135 HW-Client-Primary-DNS (ipaddr): Primary DNS address delivered by the RADIUS server after a user is successfully authenticated.
26-138 HW-Domain-Name (string): Name of the domain used for user authentication. This attribute can be the domain name contained in a user name or the name of a forcible domain.
26-141 HW-AP-Information (string): AP's MAC address used for STA authentication.
26-146 HW-Service-Scheme (string): Service scheme name. A service scheme contains user authorization information and policies.
26-153 HW-Access-Type (integer): User access type carried in the authentication and accounting request packets sent by the RADIUS client to the RADIUS server:
● 1: Dot1x user
● 2: MAC address authentication user or MAC address bypass authentication user
● 3: Portal authentication user
● 4: Static user
● 6: Management user
● 7: PPP user
26-237 HW-Web-Authen-Info (string): Information sent from the portal server via the device (which transparently transmits the information) to the RADIUS server. For example, a user selects the authentication-free option and time information for the next login, based on which the RADIUS server saves the MAC address of the user for a period of time. Upon the next login of the user, the login page is not displayed; instead, MAC address authentication is preferentially used. This attribute can be used for transparent transmission in complex modes such as EAP.
26-247 HW-Tariff-Input-Octets (string): Number of upstream bytes at the specified tariff level sent to the accounting server. This field is included in the accounting packets. The unit can be byte, kilobyte, megabyte, or gigabyte. The format is "tariff level:number of upstream bytes". An accounting packet can contain the traffic of at most 8 tariff levels.
NOTE
Attribute | Access-Request | Access-Accept | Access-Reject | Access-Challenge
User-Name(1) | 1 | 0-1 | 0 | 0
User-Password(2) | 0-1 | 0 | 0 | 0
CHAP-Password(3) | 0-1 | 0 | 0 | 0
NAS-IP-Address(4) | 1 | 0 | 0 | 0
NAS-Port(5) | 1 | 0 | 0 | 0
Service-Type(6) | 1 | 0-1 | 0 | 0
Framed-Protocol(7) | 1 | 0-1 | 0 | 0
Framed-IP-Netmask(9) | 0 | 0-1 | 0 | 0
Filter-Id(11) | 0 | 0-1 | 0 | 0
Framed-Mtu(12) | 0-1 | 0 | 0 | 0
Login-Service(15) | 0 | 0-1 | 0 | 0
Callback-Number(19) | 0 | 0-1 | 0 | 0
Framed-Route(22) | 0 | 0-1 | 0 | 0
Class(25) | 0 | 0-1 | 0 | 0
Idle-Timeout(28) | 0 | 0-1 | 0 | 0
Called-Station-Id(30) | 0-1 | 0 | 0 | 0
Calling-Station-Id(31) | 1 | 0-1 | 0 | 0
NAS-Identifier(32) | 1 | 0 | 0 | 0
Acct-Session-id(44) | 1 | 0 | 0 | 0
CHAP-Challenge(60) | 0-1 | 0 | 0 | 0
NAS-Port-Type(61) | 1 | 0 | 0 | 0
Tunnel-Type(64) | 0 | 0-1 | 0 | 0
Tunnel-Medium-Type(65) | 0 | 0-1 | 0 | 0
Tunnel-Assignment-Id(82) | 0 | 0-1 | 0 | 0
Acct-Interim-Interval(85) | 0 | 0-1 | 0 | 0
NAS-Port-Id(87) | 0-1 | 0 | 0 | 0
Framed-Pool(88) | 0 | 1 | 0 | 0
Tunnel-Client-Auth-Id(90) | 0 | 0-1 | 0 | 0
Tunnel-Server-Auth-Id(91) | 0 | 0-1 | 0 | 0
NAS-IPv6-Address(95) | 0-1 | 0 | 0 | 0
HW-SecurityStr(195) | 0-1 | 0 | 0 | 0
HW-Input-Peak-Information-Rate(26-1) | 0 | 0-1 | 0 | 0
HW-Input-Committed-Information-Rate(26-2) | 0 | 0-1 | 0 | 0
HW-Input-Committed-Burst-Size(26-3) | 0 | 0-1 | 0 | 0
HW-Output-Peak-Information-Rate(26-4) | 0 | 0-1 | 0 | 0
HW-Output-Committed-Information-Rate(26-5) | 0 | 0-1 | 0 | 0
HW-Output-Committed-Burst-Size(26-6) | 0 | 0-1 | 0 | 0
HW-Remanent-Volume(26-15) | 0 | 0-1 | 0 | 0
HW-Connect-ID(26-26) | 1 | 0 | 0 | 0
Ftp-directory(26-28) | 0 | 0-1 | 0 | 0
HW-Exec-Privilege(26-29) | 0 | 0-1 | 0 | 0
HW-Qos-Data(26-31) | 0 | 0-1 | 0 | 0
HW-NAS-Startup-Time-Stamp(26-59) | 1 | 0 | 0 | 0
HW-IP-Host-Address(26-60) | 1 | 0 | 0 | 0
HW-Primary-WINS(26-75) | 0 | 0-1 | 0 | 0
HW-Second-WINS(26-76) | 0 | 0-1 | 0 | 0
HW-Input-Peak-Burst-Size(26-77) | 0 | 0-1 | 0 | 0
HW-Output-Peak-Burst-Size(26-78) | 0 | 0-1 | 0 | 0
HW-VPN-Instance(26-94) | 0 | 0-1 | 0 | 0
HW-Client-Primary-DNS(26-135) | 0 | 0-1 | 0 | 0
HW-Client-Secondary-DNS(26-136) | 0 | 0-1 | 0 | 0
HW-Domain-Name(26-138) | 1 | 0 | 0 | 0
HW-AP-Information(26-141) | 1 | 0 | 0 | 0
HW-User-Information(26-142) | 0 | 0-1 | 0 | 0
HW-Web-Proxy-Name(26-143) | 0 | 0-1 | 0 | 0
HW-Port-Forward-Name(26-144) | 0 | 0-1 | 0 | 0
HW-IP-Forwarding-Name(26-145) | 0 | 0-1 | 0 | 0
HW-Service-Scheme(26-146) | 0 | 0-1 | 0 | 0
HW-Access-Type(26-153) | 1 | 0-1 | 0 | 0
HW-User-Extend-Info(26-201) | 0-1 | 0 | 0 | 0
HW-Web-Authen-Info(26-237) | 1 | 0 | 0 | 0
HW-User-Addr-Network(26-241) | 0 | 0-1 | 0 | 0
HW-DNS-Domain-Name(26-242) | 0 | 0-1 | 0 | 0
HW-Auto-Update-URL(26-243) | 0 | 0-1 | 0 | 0
HW-Reachable-Detect(26-244) | 0 | 0 | 0 | 0
HW-Version(26-254) | 1 | 0 | 0 | 0
HW-Product-ID(26-255) | 1 | 0 | 0 | 0
MS-MPPE-Send-Key(MICROSOFT-16) | 0 | 0-1 | 0 | 0
MS-MPPE-Recv-Key(MICROSOFT-17) | 0 | 0-1 | 0 | 0
User-Name(1) 1 1 1 0 0 0
NAS-IP-Address(4) 1 1 1 0 0 0
NAS-Port(5) 1 1 1 0 0 0
Service-Type(6) 1 1 1 0 0 0
Framed-Protocol(7) 1 1 1 0 0 0
Framed-IP-Address(8) 1 1 1 0 0 0
Called-Station-Id(30) 1 1 1 0 0 0
NOTE
For users who access the network through PPP authentication, this attribute is optional. If the authentication request packet does not carry this attribute, then neither does the accounting request packet.
Calling-Station-Id(31) 1 1 1 0 0 0
NAS-Identifier(32) 1 1 1 0 0 0
Acct-Status-Type(40) 1 1 1 0 0 0
Acct-Delay-Time(41) 0-1 1 1 0 0 0
Acct-Session-Id(44) 1 1 1 0 0 0
Acct-Authentic(45) 1 1 1 0 0 0
Acct-Session-Time(46) 0 1 1 0 0 0
Acct-Terminate-Cause(49) 0 0 1 0 0 0
Event-Timestamp(55) 1 1 1 0 0 0
NAS-Port-Type(61) 1 1 1 0 0 0
NAS-Port-Id(87) 1 1 1 0 0 0
HW-Input-Committed-Information-Rate(26-2) 1 1 1 0 0 0
HW-Output-Committed-Information-Rate(26-5) 1 1 1 0 0 0
HW-Connect-ID(26-26) 1 1 1 0 0 0
HW-IP-Host-Address(26-60) 1 1 1 0 0 0
HW-Domain-Name(26-138) 1 1 1 0 0 0
HW-Reachable-Detect(26-244) 0 0 0 0 0 0
MS-MPPE-Send-Key(MICROSOFT-16) 0 0 0 0 0 0
MS-MPPE-Recv-Key(MICROSOFT-17) 0 0 0 0 0 0

Filter-Id(11) 0-1 0 0 0 0 0
Session-Timeout(27) 0-1 0 0 0 0 0
Idle-Timeout(28) 0-1 0 0 0 0 0
Termination-Action(29) 0-1 0 0 0 0 0
Acct-Session-Id(44) 1 1 1 1 1 1
Tunnel-Type(64) 0-1 0 0 0 0 0
Tunnel-Medium-Type(65) 0-1 0 0 0 0 0
Tunnel-Private-Group-ID(81) 0-1 0 0 0 0 0
Acct-Interim-Interval(85) 0-1 0 0 0 0 0
HW-Input-Peak-Information-Rate(26-1) 0-1 0 0 0 0 0
HW-Input-Committed-Information-Rate(26-2) 0-1 0 0 0 0 0
HW-Output-Peak-Information-Rate(26-4) 0-1 0 0 0 0 0
HW-Output-Committed-Information-Rate(26-5) 0-1 0 0 0 0 0
HW-Output-Committed-Burst-Size(26-6) 0-1 0 0 0 0 0
HW-Qos-Data(26-31) 0-1 0 0 0 0 0
HW-Input-Peak-Burst-Size(26-77) 0-1 0 0 0 0 0
HW-Output-Peak-Burst-Size(26-78) 0-1 0 0 0 0 0
HW-Service-Scheme(26-146) 0-1 0 0 0 0 0
MS-MPPE-Send-Key(MICROSOFT-16) 0 0 0 0 0 0
MS-MPPE-Recv-Key(MICROSOFT-17) 0 0 0 0 0 0
NOTE
● The device can translate a RADIUS attribute of another vendor only if the length of the Type
field in the attribute is 1 octet.
● The device can translate the RADIUS attribute only when the type of the source RADIUS
attribute is the same as that of the destination RADIUS attribute. For example, the types of
NAS-Identifier and NAS-Port-Id attributes are string, and they can be translated into each
other. The types of NAS-Identifier and NAS-Port attributes are string and integer respectively, so
they cannot be translated into each other.
[Figure: HWTACACS packet header]
Bits 0-3: major version; bits 4-7: minor version; bits 8-15: type; bits 16-23: seq_no; bits 24-31: flags
Next 32 bits: session_id
Next 32 bits: length
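The header layout above is what a receiver has to validate before it trusts anything in the body. The following parser is an added example, not code from the page or from Huawei; it assumes the HWTACACS header shares the 12-byte TACACS+ header of RFC 8907 (major and minor version in the first octet, then type, seq_no, flags, a 32-bit session_id and a 32-bit body length), which the bit positions in the figure match. The constants, the sample packet and the function names are this example's own.

```python
import struct
from dataclasses import dataclass

# Assumption (not stated on this page): the HWTACACS header uses the 12-byte
# TACACS+ header layout of RFC 8907, which the bit positions in the figure
# above match (major/minor version share the first octet; then type, seq_no,
# flags; then a 32-bit session_id and a 32-bit body length).
HEADER_LEN = 12
TAC_PLUS_MAJOR_VER = 0xC           # RFC 8907 major version
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # RFC 8907: body is not obfuscated
PACKET_TYPES = {1: "Authentication", 2: "Authorization", 3: "Accounting"}


@dataclass
class HwtacacsHeader:
    major_version: int
    minor_version: int
    type: int
    seq_no: int
    flags: int
    session_id: int
    length: int


def parse_header(packet: bytes) -> HwtacacsHeader:
    """Parse the fixed header and validate it against the body that follows.

    Raises ValueError for anything a receiver should drop: a short packet,
    an unknown version or type, or a length field that disagrees with the
    number of body bytes actually present.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    hdr = HwtacacsHeader(version >> 4, version & 0x0F, ptype, seq_no,
                         flags, session_id, length)
    if hdr.major_version != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unsupported major version {hdr.major_version}")
    if hdr.type not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {hdr.type}")
    body_len = len(packet) - HEADER_LEN
    if body_len != hdr.length:
        raise ValueError(f"length field {hdr.length} != body size {body_len}")
    return hdr


def is_well_formed(packet: bytes) -> bool:
    """Boolean wrapper around parse_header for callers that only need a verdict."""
    try:
        parse_header(packet)
        return True
    except ValueError:
        return False


def body_is_encrypted(hdr: HwtacacsHeader) -> bool:
    """With the unencrypted flag set, the body (and any password carried in an
    Authentication Continue packet) travels in the clear; worth logging."""
    return not (hdr.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def build_header(ptype: int, seq_no: int, session_id: int, body: bytes,
                 flags: int = 0, minor: int = 0) -> bytes:
    """Prepend a header to a body; used here only to construct sample packets."""
    return struct.pack("!BBBBII", (TAC_PLUS_MAJOR_VER << 4) | minor, ptype,
                       seq_no, flags, session_id, len(body)) + body


# Constructed sample (not captured traffic): an Authentication packet,
# seq_no 1, with an 8-byte body.
SAMPLE_PACKET = build_header(1, 1, 0x12345678, b"\x00" * 8)
```

The length check matters because the body fields that follow (user len, port len, rem_addr len and the variable-length fields they describe) are only safe to read once the outer length has been confirmed against the bytes actually received.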
The following figure shows the HWTACACS Authentication Start packet body.
[Figure: HWTACACS Authentication Start packet body. Bit marks: 0, 7, 15, 24, 31. Variable-length fields: user, port, rem_addr, data.]
The following figure shows the HWTACACS Authentication Continue packet body.
[Figure: HWTACACS Authentication Continue packet body. Bit marks: 0, 7, 15, 31. Fields: flags, user_msg, data.]
Field Description
flags: Whether the client displays the password entered by the user in plain text. The value 1 indicates that the password is not displayed in plain text.
user_msg: Character string entered by a login user. This field carries the user login password to respond to the server_msg field in the Authentication Reply packet.
The following figure shows the HWTACACS Authentication Reply packet body.
[Figure: HWTACACS Authentication Reply packet body. Bit marks: 0, 7, 15, 31. Field: data.]
Field Description
server_msg: Optional field. This field is sent by the server to the user to provide additional information.
[Figure: HWTACACS Authorization Request packet body. Bit marks: 0, 7, 15, 24, 31. Variable-length fields: user, port, rem_addr, arg 1 ... arg N.]
NOTE
The meanings of the following fields in the Authorization Request packet are the same as
those in the Authentication Start packet, and are not described here: priv_lvl, authen_type,
authen_service, user len, port len, rem_addr len, port, and rem_addr.
The following figure shows the HWTACACS Authorization Response packet body.
[Figure: HWTACACS Authorization Response packet body. Bit marks: 0, 7, 15, 24, 31. Variable-length fields: data, arg 1 ... arg N.]
NOTE
Meanings of the following fields are the same as those in the HWTACACS Authentication
Reply packet, and are not described here: server_msg len, data len, and server_msg.
[Figure: HWTACACS Accounting Request packet body. Bit marks: 0, 7, 15, 24, 31. Variable-length fields: port, rem_addr, arg 1 ... arg N.]
NOTE
Meanings of the following fields in the Accounting Request packet are the same as those in
the Authorization Request packet, and are not described here: authen_method, priv_lvl,
authen_type, user len, port len, rem_addr len, port, and rem_addr.
The following figure shows the HWTACACS Accounting Response packet body.
[Figure: HWTACACS Accounting Response packet body. Bit marks: 0, 7, 15, 31. Field: data.]
[Figure: HWTACACS login exchange]
1. A user logs in.
2. Authentication Start
3. Authentication Response, requesting the user name
4. Authentication Response, requesting the password
5. Requests the password
6. Authorization Request
7. Accounting Start
NOTE
Attribute Name | Description
callback-line: The line number to use for a callback, such as a mobile number.
gw-password: Password for the gateway during the L2TP tunnel authentication. The value is a string of 1 to 248 characters. If the value contains more than 248 characters, only the first 248 characters are valid.
idletime: Period after which an idle session is terminated. If a user does not perform any operation within this period, the system disconnects the user.
l2tp-hello-interval: Interval for sending L2TP Hello packets. This attribute is currently not supported.
l2tp-hidden-avp: Attribute value pair (AVP) of L2TP. This attribute is currently not supported.
l2tp-group-num: L2TP group number. Other L2TP attributes take effect only if this attribute is delivered. Otherwise, other L2TP attributes are ignored.
l2tp-tos-reflect: TOS of L2TP. The device does not support this attribute.
l2tp-udp-checksum: Whether L2TP should perform UDP checksums for data packets.
protocol: A protocol that is a subset of a service. It is valid only for PPP and connection services. Legal values matching service types are as follows:
● Connection service type: pad, telnet
● PPP service type: ip, vpdn
● Other service types: This attribute is not used.
task_id: Task ID. The task IDs recorded when a task starts and ends must be the same.
tunnel-type: Tunnel type. The device supports only L2TP tunnels. For L2TP tunnels, the value is 3.
NOTE
acl N Y N
addr N N Y
addr-pool N N Y
autocmd N Y N
callback-line N Y Y
cmd Y N N
cmd-arg Y N N
dnaverage N N Y
dnpeak N N Y
dns-servers N N Y
ftpdir N Y N
gw-password N N Y
idletime N Y N
ip-addresses N N Y
l2tp-group-num N N Y
l2tp-tunnel-authen N N Y
nocallback-verify N Y N
nohangup N Y N
priv-lvl N Y N
source-ip N N Y
tunnel-type N N Y
tunnel-id N N Y
upaverage N N Y
addr Y Y Y Y Y N N N N N
bytes_in N Y Y N Y N Y Y N N
bytes_out N Y Y N Y N Y Y N N
cmd N N N Y Y N N N N Y
disc_cause N Y N N N N Y Y N N
disc_cause_ext N Y N N N N Y Y N N
elapsed_time N Y Y N Y N Y Y Y N
paks_in N Y Y N Y N Y Y N N
paks_out N Y Y N Y N Y Y N N
priv-lvl N N N N N N N N N Y
protocol Y Y Y Y Y N N N N N
service Y Y Y Y Y Y Y Y Y Y
task_id Y Y Y Y Y Y Y Y Y Y
timezone Y Y Y Y Y Y Y Y Y Y
tunnel-id N N N N N N N N N N
tunnel-type Y N N N N N N N N N
Small- and medium-sized enterprises usually have small network scales and
dispersed network sites. In addition, there are a relatively small number of
concurrent users. Huawei provides the Cloud Managed Network Solution, which
serves small- and medium-sized enterprises utilizing the public network. This
solution supports centralized multi-tenant management, plug-and-play network
devices, and batch network service deployment. Compared with the architecture
and deployment modes of traditional networks, this solution provides a shorter
network deployment period, lower maintenance costs, and better network
scalability.
Generally, the CloudCampus Solution uses Portal authentication. The
authentication server is located on the cloud, so packets between the device and
server must traverse a NAT device. However, Portal protocol packets cannot
traverse the NAT device. HACA implements communication between the device
and server, and then Portal authentication can be performed. Only a Huawei Agile
Controller server can be used as an HACA server.
HACA is based on the mobile Internet protocol HTTP/2.
● HACA supports Portal authentication or MAC address-prioritized Portal
authentication.
● HACA does not support administrative access, IPsec, SSL VPN, IP session,
PPPoE, L2TP, VM, 802.1X, and independent MAC address authentication.
● HACA does not support wired user access.
Logout notification packet (9): If the HACA server logs out the user, the device sends a logout notification packet and the HACA server does not need to reply. If accounting has been performed for the user, the packet carries accounting information.
1. An access device sets up a persistent connection and registers with the HACA
server using HTTP/2.
2. The client and device set up a pre-connection before authentication.
3. The client initiates an authentication request using HTTP. The HACA server
provides a web page for the client to enter the user name and password for
authentication.
4. The device and HACA server exchange authentication packets.
5. After the client passes authentication, the HACA server sends an authorization
packet to authorize network access rights to the client.
6. When the client starts to access network resources, the access device sends an
accounting-start request packet to the HACA server.
7. The HACA server sends an accounting response packet to the access device
and starts accounting.
8. (Optional) If real-time accounting is enabled, the access device periodically
sends real-time accounting request packets to the HACA server, preventing
incorrect accounting results caused by unexpected user disconnection.
9. (Optional) The HACA server returns real-time accounting response packets
and performs real-time accounting.
10. The client sends a logout request.
11. The HACA server sends a logout request packet to the access device.
12. The access device sends a logout response packet to the HACA server.
13. The access device sends an accounting-stop request packet to the HACA
server.
14. The HACA server sends an accounting-stop response packet to the access
device and stops accounting.
[Figure: AAA networking. A user connects through a router to the network, with an AAA server attached; a PPP terminal (PPPoE client) connects over PPPoE and an L2TP tunnel to the Internet, again with an AAA server.]
Licensing Requirements
AAA is a basic feature of a device and is not under License control.
Feature Limitations
Among the AR510 series routers, only the AR515GW-LM9-D and AR515CGW-L support
HWTACACS.
● To prevent data transmission risks between the device and the RADIUS or
HWTACACS server, you are advised to deploy the device and RADIUS or
HWTACACS server in a security domain.
● If non-authentication is configured using the authentication-mode
command, users can pass the authentication using any user name or
password. To protect the device and improve network security, you are
advised to enable authentication to allow only authenticated users to access
the device or network.
● By default, the accounting scheme default is bound to the global default
common domain default and global default management domain
default_admin. Modifying the accounting scheme default affects
configurations of the two domains. Exercise caution when modifying the
accounting scheme to prevent user accounting failures.
● RADIUS authentication does not take effect for L2TP access users.
● The management interface of the device cannot send or receive RADIUS
packets.
Configuration Procedure
Context
AAA authentication and authorization can be implemented on a network access
server (NAS) device or a server. If AAA authentication and authorization are
implemented on the NAS, a local AAA server is configured on the NAS. Local
authentication features fast processing and low operation costs. However, how
much user information can be stored depends on the hardware capacity of the
device.
To configure a local server, you need to configure user authentication and
authorization information on the device, including configuring a local user and
configuring local authorization.
Context
When configuring a local user, you can configure the number of connections that
can be established by the local user, local user level, idle timeout period, and login
time, and allow the local user to change the password.
NOTE
● To ensure device security, enable password complexity check and change the password
periodically.
● After you change the local account's rights (including the password, access type, FTP
directory, and level), the rights of users who are already online remain unchanged.
Rather, the rights are only changed once a user goes online again.
● Local users' access types include:
● Administrative: ftp, http, ssh, telnet, x25-pad, and terminal
● Common: 802.1x, bind, ppp, sslvpn, and web
● Security risks exist if the user login mode is set to Telnet or FTP. You are advised to set the
user login mode to STelnet or SFTP and set the user access type to SSH.
When a device starts without any configuration, HTTP uses a randomly generated
self-signed certificate to support HTTPS. The self-signed certificate may bring risks.
Therefore, you are advised to replace it with an officially authorized digital certificate.
Procedure
Step 1 Run system-view
● (Optional) Enable the password complexity check.
  Run user-password complexity-check
  By default, the password complexity check is enabled.
● Create a local user name and a password (using either of the
  Run local-user user-name password password
  The default username and password are available in AR Router Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the
● (Optional) Allocate a fixed IP address to the local user.
  Run local-user user-name bind-ip ip-address
  By default, no fixed IP address is allocated to the local user.
Step 4 (Optional) Set the user level, user group, access time range, idle timeout period,
and number of connections that can be established by the user.
● Set the local user level.
  Run local-user user-name privilege level level
  The default level of a local user is 0.
● Set the local user group.
  Run local-user user-name user-group group-name
  By default, a local user does not belong to any group.
● Set the access time range for the local user.
  Run local-user user-name time-range time-name
  By default, no access time range is configured and the local user can access the network anytime.
● Set the maximum number of connections that can be established by the local user.
  Run local-user user-name access-limit max-number
  By default, the number of connections that can be established by a user is not limited. To configure the local account to be logged in to on only one terminal, set max-number to 1.
● Enable the local account lock function, and set the retry interval, maximum number of consecutive authentication failures, and account lock period.
  Run local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time
  By default, the local account lock function is enabled, the retry interval is 5 minutes, the maximum number of consecutive authentication failures is 3, and the account lock period is 5 minutes.
● Configure the password policy for local access users.
  – Enable the password policy for local access users and enter the local access user password policy view.
    Run local-aaa-user password policy access-user
    By default, the password policy for local access users is disabled.
  – Set the maximum number of historical passwords recorded for each user.
    Run password history record number number
    By default, a maximum of five historical passwords are recorded for each user.
  – Exit the local access user password policy view.
    Run quit
Step 6 (Optional) Set parameters of access rights for the local user.
● Set the expiration date for the local account.
  Run local-user user-name expire-date expire-date
  By default, a local account is permanently valid.
● Return to the user view.
  Run return
----End
Context
Table 1-33 describes authorization parameters that can be set locally during local
authorization configuration.
Procedure
● Configure an authorization VLAN.
Configure a VLAN and the network resources in the VLAN on the device.
● Configure a service scheme.
For details about how to configure an authorized user group, see the table
below.
----End
Context
To use local authentication and authorization, set the authentication mode in an
authentication scheme to local authentication and the authorization mode in an
authorization scheme to local authorization.
By default, the device performs local authentication and authorization for access
users.
NOTE
Procedure
● Configure an authentication scheme.
a. Run system-view
----End
Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.
Procedure
Step 1 Run system-view
The user is configured as the administrator and the administrator level for login is
specified.
The value range of level is from 0 to 15. By default, the user level is not specified.
● Configure a DHCP server group.
  Run dhcp-server group group-name
  By default, no DHCP server group is configured in a service scheme.
● Configure the IP address of the primary DNS server.
  Run dns ip-address
  By default, no primary DNS server is configured in a service scheme.
● Configure the IP address of the secondary DNS server.
  Run dns ip-address secondary
  By default, no secondary DNS server is configured in a service scheme.
● Configure the primary WINS server.
  Run wins ip-address
  By default, no primary WINS server is configured in a service scheme.
● Configure the secondary WINS server.
  Run wins ip-address secondary
  By default, no secondary WINS server is configured in a service scheme.
● Configure the URL and version number in the service scheme.
  Run auto-update url url-string version version-number
  By default, no URL or version number is configured in a service scheme.
● Configure the default DNS domain name in the service scheme.
  Run dns-name domain-name
  By default, no default DNS domain name is configured in a service scheme.
● Configure the local subnet information to be sent to the remote end.
  Run route set acl acl-number
  By default, no local subnet information is sent to the remote end.
● Configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end.
  Run route set interface
  By default, no IP address of the interface bound to the IPSec tunnel is sent to the remote end.
NOTE
Ensure that the IP address pool has been configured before running this command.
NOTE
Ensure that the QoS profile has been configured before running this command.
The idle-cut function is enabled for domain users and the idle-cut parameters are
set.
NOTE
The idle-cut function takes effect only after the idle time and traffic threshold are configured. To
configure the traffic threshold, run the idle-cut idle-time flow-value command. To configure the
idle time, use the value of idle-time configured on the device or the value (carried in RADIUS
attribute 28 Idle-Timeout) authorized by the RADIUS server. If both values exist, the value
authorized by the RADIUS server has a higher priority.
The idle-cut command configured in the service scheme view takes effect only for
administrators and PPPoE users.
----End
Context
The created authentication and authorization schemes take effect only after being
applied to a domain. When local authentication and authorization are used, the
default accounting scheme non-accounting is used.
Procedure
Step 1 Run system-view
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
NOTE
● If a user enters a user name that does not contain a domain name, the user is authenticated
in the default domain. In this case, you need to run the domain domain-name [ admin ]
command and set domain-name to configure a global default domain on the device.
● If a user enters a user name that contains a domain name during authentication, the user
must enter the correct value of domain-name.
● Apply an authorization scheme to the domain.
  Run authorization-scheme authorization-scheme-name
  By default, no authorization scheme is applied to a domain.
● (Optional) Apply a user group to the domain.
  Run user-group group-name
  By default, no user group is applied to a domain.
Step 6 (Optional) Specify the domain state and enable traffic statistics collection for the
domain.
● Exit from the domain view.
  Run quit
In the AAA view:
● Specify the domain name parsing direction.
  Run domainname-parse-direction { left-to-right | right-to-left }
  The domain name can be parsed from left to right, or from right to left. By default, the domain name is parsed from left to right.
● Set the domain name delimiter.
  Run domain-name-delimiter delimiter
  A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.
● Specify the domain name location.
  Run domain-location { after-delimiter | before-delimiter }
  The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.
● Set the security string delimiter.
  Run security-name-delimiter delimiter
  The default security string delimiter is * (asterisk).
----End
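The delimiter, parsing direction and domain location settings above decide which domain a login name is authenticated in, and a name without a delimiter falls back to the default domain (as the NOTE in the domain procedure states). The following function is an added example that implements those rules; it is not code from the page or from Huawei. It assumes that, when a name contains the delimiter more than once, the parsing direction selects the first occurrence (left-to-right) or the last (right-to-left); the default-domain names "default" and "default_admin" are the page's, while the function names and the configured-domain check are this example's own.

```python
# Delimiters the domain-name-delimiter command accepts, per the table above.
DELIMITERS = frozenset("\\/:<>|@'%")


def split_user_name(name: str, delimiter: str = "@",
                    direction: str = "left-to-right",
                    location: str = "after-delimiter",
                    default_domain: str = "default"):
    """Return (user, domain) for a login name.

    direction selects which delimiter occurrence splits the name when it
    contains several (left-to-right: the first; right-to-left: the last;
    this is an assumption about the command semantics), location says on
    which side of the delimiter the domain sits, and a name without the
    delimiter is assigned default_domain ("default" for access users,
    "default_admin" for administrators).
    """
    if len(delimiter) != 1 or delimiter not in DELIMITERS:
        raise ValueError(f"unsupported delimiter {delimiter!r}")
    if direction not in ("left-to-right", "right-to-left"):
        raise ValueError("direction must be left-to-right or right-to-left")
    if location not in ("after-delimiter", "before-delimiter"):
        raise ValueError("location must be after-delimiter or before-delimiter")
    pos = (name.find(delimiter) if direction == "left-to-right"
           else name.rfind(delimiter))
    if pos < 0:
        return name, default_domain
    left, right = name[:pos], name[pos + 1:]
    user, domain = (left, right) if location == "after-delimiter" else (right, left)
    if not user or not domain:
        raise ValueError("empty user or domain part")
    return user, domain


def resolve_domain(name: str, configured_domains, **parse_opts):
    """Split the name and confirm the domain exists on the device.

    A user who names a domain must name one that is configured; an unknown
    domain is reported as None so the caller rejects the login rather than
    silently falling back to the default domain.
    """
    user, domain = split_user_name(name, **parse_opts)
    if domain not in configured_domains:
        return user, None
    return user, domain
```

Because both the delimiter and the parse direction are global settings, changing either after users have been provisioned changes which domain (and therefore which authentication and authorization schemes) an existing login name maps to; the function makes that mapping explicit so it can be checked before such a change.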
Procedure
● Run the display aaa configuration command to check the AAA summary.
● Run the display authentication-scheme [ authentication-scheme-name ]
command to verify the authentication scheme configuration.
----End
Configuration Procedure
Context
An AAA scheme defines the authentication, authorization, and accounting modes
used by users. If RADIUS AAA is used, set the authentication mode to RADIUS in
the authentication scheme, and set the accounting mode to RADIUS in the
accounting scheme. RADIUS authentication is combined with authorization and
cannot be separated. If authentication succeeds, authorization also succeeds. If
RADIUS authentication is used, you do not need to configure an authorization
scheme.
NOTE
Procedure
● Configure an authentication scheme.
a. Run system-view
The system view is displayed.
b. Run aaa
The AAA view is displayed.
c. Run authentication-scheme scheme-name
An authentication scheme is created and the authentication scheme view
is displayed, or the view of an existing authentication scheme is
displayed.
By default, two authentication schemes named default and radius are
available on the device. The two schemes can only be modified, but
cannot be deleted.
d. Run authentication-mode radius
The authentication mode is set to RADIUS.
By default, local authentication is used.
To configure local authentication as the backup authentication mode, run
the authentication-mode radius local command.
e. Run quit
Return to the AAA view.
f. (Optional) Configure the account locking function.
i. Run remote-aaa-user authen-fail retry-interval retry-interval
retry-time retry-time block-time block-time
The remote AAA authentication account locking function is enabled,
and the authentication retry interval, maximum number of
consecutive authentication failures, and account locking period are
configured.
By default, the remote AAA account locking function is enabled, the
authentication retry interval is 300 minutes, the maximum number
of consecutive authentication failures is 30, and the account locking
period is 30 minutes.
ii. Run remote-user authen-fail unblock { all | username username }
A remote AAA authentication account that has failed authentication
is unlocked.
g. (Optional) Run aaa-author session-timeout invalid-value enable
The device is disabled from disconnecting or reauthenticating users when
the RADIUS server delivers the Session-Timeout attribute with value 0.
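Both the local account lock (local-aaa-user wrong-password in the local user procedure earlier on this page) and the remote account lock in step f above are described by the same three parameters: a retry interval, a maximum number of consecutive authentication failures, and a lock period. The tracker below is an added example of that logic, not code from the page or from Huawei. It assumes that failures count toward the limit only while they fall within one retry interval of each other, that a successful login clears the count, and that the unblock command clears both the lock and the count; times are plain minutes, and the class and function names are this example's own. The defaults encoded are the page's local-lock defaults (5 minutes, 3 failures, 5 minutes).

```python
from dataclasses import dataclass, field


@dataclass
class LockPolicy:
    retry_interval_min: int   # window within which consecutive failures are counted
    retry_time: int           # failures within the window that trigger a lock
    block_time_min: int       # account lock period


# Page defaults for local-aaa-user wrong-password.
LOCAL_DEFAULT = LockPolicy(retry_interval_min=5, retry_time=3, block_time_min=5)


@dataclass
class AccountLockTracker:
    policy: LockPolicy
    _failures: dict = field(default_factory=dict)      # user -> failure times
    _locked_until: dict = field(default_factory=dict)  # user -> lock expiry

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return True
        if until is not None:
            # The lock period has elapsed: clear it and the failure history
            # so the next failure starts a fresh window.
            del self._locked_until[user]
            self._failures.pop(user, None)
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed authentication; returns True if the account is locked."""
        if self.is_locked(user, now):
            return True
        # Keep only failures inside the retry interval (assumption: the
        # interval is a sliding window ending at the current failure).
        window = [t for t in self._failures.get(user, [])
                  if now - t < self.policy.retry_interval_min]
        window.append(now)
        self._failures[user] = window
        if len(window) >= self.policy.retry_time:
            self._locked_until[user] = now + self.policy.block_time_min
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login ends the run of consecutive failures."""
        self._failures.pop(user, None)

    def unblock(self, user: str = None) -> None:
        """Administrative unlock, mirroring unblock { all | username username }."""
        if user is None:
            self._locked_until.clear()
            self._failures.clear()
        else:
            self._locked_until.pop(user, None)
            self._failures.pop(user, None)
```

The same policy object can be instantiated with the remote-lock values from step f to compare how quickly each setting locks an account under a given failure rate, which is the check worth doing before relaxing either default.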
Context
You can specify the RADIUS server connected to the device in a RADIUS server
template. Such a template contains the server IP address, port number, source
interface, and shared key settings.
The settings in a RADIUS server template must be the same as those on the
RADIUS server.
Procedure
Step 1 Run system-view
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
NOTE
The number of times that RADIUS request packets are retransmitted and the
timeout interval are set.
By default, RADIUS request packets can be retransmitted three times, and the
timeout interval is 5 seconds.
Step 7 (Optional) Configure the format of the user name in packets sent from the device
to the RADIUS server.
● Run radius-server user-name domain-included
The device is configured to encapsulate the domain name in the user name in
the RADIUS packets sent to a RADIUS server.
● Run radius-server user-name original
The device is configured not to modify the user name entered by a user in the
RADIUS packets sent to a RADIUS server.
● Run undo radius-server user-name domain-included
The device is configured not to encapsulate the domain name in the user
name in the RADIUS packets sent to a RADIUS server.
● Run undo radius-server user-name domain-included except-eap
The device is configured not to encapsulate the domain name in the user
name in the RADIUS packets sent to a RADIUS server (applicable to other
authentication modes except EAP authentication).
By default, the device does not modify the user name entered by a user in the
RADIUS packets sent to a RADIUS server.
----End
Context
A device can detect the RADIUS server status using the RADIUS server status
detection function. If the RADIUS server status is Down, users can obtain escape
rights. If the RADIUS server status reverts to Up, escape rights are removed from
the users and the users are reauthenticated.
Procedure
● Configure conditions for setting the RADIUS server status to Down.
– Conditions for setting the RADIUS server status to Down during the
RADIUS server status detection.
i. Run system-view
The system view is displayed.
ii. Run radius-server { dead-interval dead-interval | dead-count dead-count }
The RADIUS server detection interval and maximum number of
consecutive unacknowledged packets in each detection interval are
configured.
After setting the RADIUS server status to Force-up and automatic detection is enabled, the
device immediately sends a detection packet. If the device receives a response packet from
the RADIUS server within the timeout period, the device sets the RADIUS server status to
Up; otherwise, the device sets the RADIUS server status to Down.
a. Run system-view
The system view is displayed.
b. Run radius-server template template-name
The RADIUS server template view is displayed.
c. Run radius-server dead-time dead-time
The Force-up timer for RADIUS servers is configured.
By default, the Force-up timer for RADIUS servers is 5 minutes.
d. Run the return command to return to the user view.
● (Optional) Configure status synchronization between RADIUS authentication
and accounting servers.
a. Run system-view
The system view is displayed.
b. Run the radius-server dead-detect-condition by-server-ip command to
configure IP address-based automatic detection for RADIUS servers.
By default, RADIUS authentication and accounting servers are detected
separately. After this function is configured, RADIUS authentication and
accounting servers with the same IP address in the same VPN instance
are detected together and their status is updated at the same time.
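The Down, Force-up and Up transitions described in this section form a small state machine: dead-count unacknowledged packets within one dead-interval mark the server Down (and users receive escape rights), the Force-up timer (dead-time) later triggers a detection packet, and the reply or its absence decides between Up (escape rights removed, users reauthenticated) and Down again. The class below is an added example of that machine, not code from the page or from Huawei. It takes all times as plain seconds (the page states dead-time in minutes, so convert before passing it), uses the page's 5-second RADIUS timeout as the probe timeout, and records the escape and reauthentication actions as events; the class and method names are this example's own.

```python
UP, DOWN, FORCE_UP = "Up", "Down", "Force-up"


class RadiusServerStatus:
    """Track one RADIUS server's state per the detection settings above.

    All times are plain numbers in seconds (assumption: the page gives
    dead-time in minutes; convert it before constructing the object).

    - dead_interval / dead_count: dead_count consecutive unacknowledged
      packets within one detection interval set the server to Down.
    - Down: users receive escape rights (recorded as an "escape-on" event).
    - dead_time: the Force-up timer; when it expires the status becomes
      Force-up and a detection packet is sent immediately.
    - A response within probe_timeout sets Up and triggers reauthentication
      (a "reauthenticate" event); no response sets Down again.
    """

    def __init__(self, dead_interval, dead_count, dead_time, probe_timeout=5):
        self.dead_interval = dead_interval
        self.dead_count = dead_count
        self.dead_time = dead_time
        self.probe_timeout = probe_timeout   # page default RADIUS timeout: 5 s
        self.status = UP
        self.window_start = 0
        self.unacked = 0
        self.down_since = None
        self.probe_sent_at = None
        self.escape_active = False
        self.events = []

    def _transition(self, status, now):
        self.status = status
        if status == DOWN:
            self.down_since = now
            if not self.escape_active:      # escape rights granted once per outage
                self.escape_active = True
                self.events.append("escape-on")
        elif status == UP and self.escape_active:
            self.escape_active = False      # server back: remove escape rights,
            self.events.append("reauthenticate")  # reauthenticate the users

    def request_unanswered(self, now):
        """A request to the server timed out without any response."""
        if self.status != UP:
            return
        if now - self.window_start >= self.dead_interval:
            self.window_start = now         # new detection interval: restart count
            self.unacked = 0
        self.unacked += 1
        if self.unacked >= self.dead_count:
            self._transition(DOWN, now)

    def response_received(self, now):
        """Any response from the server, including the reply to the probe."""
        self.unacked = 0
        if self.status == FORCE_UP:
            self._transition(UP, now)

    def tick(self, now):
        """Periodic timer: runs the Force-up timer and the probe timeout."""
        if self.status == DOWN and now - self.down_since >= self.dead_time:
            self._transition(FORCE_UP, now)
            self.probe_sent_at = now        # detection packet sent immediately
        elif (self.status == FORCE_UP
              and now - self.probe_sent_at >= self.probe_timeout):
            self._transition(DOWN, now)     # probe unanswered: back to Down
```

Feeding this model the values you intend to configure shows how long a single server outage leaves users with escape rights before the next probe, which is the trade-off the dead-interval, dead-count and dead-time settings control.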
Follow-up Procedure
1. Run the authentication event authen-server-down action authorize
command in the authentication profile view to configure the user escape
function if the authentication server goes Down. For details, see 3.6.3.4
(Optional) Configuring Authentication Event Authorization Information
in NAC Configuration.
2. Run the authentication event authen-server-up action re-authen
command in the authentication profile view to configure the reauthentication
function after the authentication server reverts to the Up status. For details,
see 3.6.3.6 (Optional) Configuring Re-authentication for Users in NAC
Configuration.
Context
RADIUS attributes supported by different vendors are incompatible with each
other, so RADIUS attributes must be disabled or translated in interoperation and
replacement scenarios.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-server attribute translate
The RADIUS attribute disabling and translation functions are enabled.
By default, the RADIUS attribute disabling and translation functions are disabled.
----End
Context
After the RADIUS attribute check function is configured, the device checks whether
the received RADIUS Access-Accept packets contain the specified attributes. If so,
the device considers that authentication is successful; if not, the device considers
that authentication fails and discards the packets.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-attribute check attribute-name
----End
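The attribute check configured above only works if the device can walk the Access-Accept attributes reliably, including Huawei vendor-specific attributes whose vendor Type field is 1 octet long (the condition the translation NOTE earlier on this page sets). The following parser and check are an added example, not code from the page or from Huawei. It assumes the standard RADIUS attribute encoding (1-octet Type, 1-octet Length covering the header, then the value) and uses 2011 as Huawei's IANA enterprise number, which is not stated on this page; the "26-<n>" keys follow the notation of the attribute tables above, and the sample payloads are constructed, not captured.

```python
import struct

VENDOR_SPECIFIC = 26
HUAWEI_VENDOR_ID = 2011   # Huawei's IANA enterprise number (assumption: not on this page)


def parse_attributes(data: bytes) -> list:
    """Walk the RADIUS attribute TLVs in an Access-Accept payload.

    Each attribute has a 1-octet Type and a 1-octet Length that counts the
    two header octets. Returns (key, value) pairs; Vendor-Specific (26)
    attributes are expanded into one pair per vendor attribute with the key
    "26-<vendor type>", the notation the attribute tables on this page use.
    """
    attrs = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            attrs.extend(_parse_vsa(value))
        else:
            attrs.append((str(atype), value))
        i += alen
    return attrs


def _parse_vsa(value: bytes) -> list:
    """Split a Vendor-Specific value: 4-octet Vendor-Id, then vendor TLVs
    whose Type field is 1 octet (the only form the device can translate)."""
    if len(value) < 6:
        raise ValueError("vendor-specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, j = [], 4
    while j < len(value):
        if len(value) - j < 2:
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[j], value[j + 1]
        if vlen < 2 or j + vlen > len(value):
            raise ValueError(f"bad vendor attribute length {vlen}")
        prefix = "26" if vendor_id == HUAWEI_VENDOR_ID else f"26[{vendor_id}]"
        out.append((f"{prefix}-{vtype}", value[j + 2:j + vlen]))
        j += vlen
    return out


def access_accept_passes_check(attr_data: bytes, required) -> bool:
    """Apply the radius-attribute check rule: an Access-Accept that lacks any
    required attribute (or cannot be parsed) is treated as a failed
    authentication and the packet is discarded."""
    try:
        present = {key for key, _ in parse_attributes(attr_data)}
    except ValueError:
        return False
    return set(required) <= present


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def _hw_vsa(vtype: int, value: bytes) -> bytes:
    inner = bytes([vtype, len(value) + 2]) + value
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", HUAWEI_VENDOR_ID) + inner)


# Constructed sample Access-Accept attribute payloads (not captured traffic):
# User-Name(1), Class(25), HW-Service-Scheme(26-146), HW-Exec-Privilege(26-29).
ACCEPT_WITH_SCHEME = (_attr(1, b"alice") + _attr(25, b"class1")
                      + _hw_vsa(146, b"scheme-a") + _hw_vsa(29, b"15"))
ACCEPT_WITHOUT_SCHEME = _attr(1, b"alice") + _attr(25, b"class1")
```

Treating a malformed attribute list the same way as a missing attribute (a failed authentication) is the conservative choice: a truncated or oversized Length field is exactly the input a receiver should not try to interpret.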
Context
The value of the same RADIUS attribute may vary on RADIUS servers from
different vendors. Therefore, RADIUS attribute values need to be modified, so that
a Huawei device can successfully communicate with a third-party RADIUS server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
Step 3 Run radius-attribute set attribute-name attribute-value [ auth-type mac | user-type ipsession ]
The value of a RADIUS attribute is modified.
By default, values of RADIUS attributes are not modified.
----End
Context
For details about RADIUS attributes supported by the device, see RADIUS
Attributes. The content or format of some standard RADIUS attributes can be
configured.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run radius-server template template-name
The RADIUS server template view is displayed.
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
----End
Context
For details about RADIUS attributes supported by the device, see RADIUS
Attributes. The content or format of some Huawei proprietary RADIUS attributes
can be configured.
Procedure
Step 1 Run system-view
By default, the RADIUS server template named default is available on the device.
This template can only be modified, but cannot be deleted.
----End
Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run service-scheme service-scheme-name
A service scheme is created and the service scheme view is displayed.
By default, no service scheme is configured on the device.
Step 4 Run admin-user privilege level level
The user is configured as the administrator and the administrator level for login is
specified.
The value range of level is from 0 to 15. By default, the user level is not specified.
Step 5 Configure server information.
● Configure a DHCP server group: Run dhcp-server group group-name. By default, no DHCP server group is configured in a service scheme.
● Configure the IP address of the primary DNS server: Run dns ip-address. By default, no primary DNS server is configured in a service scheme.
● Configure the IP address of the secondary DNS server: Run dns ip-address secondary. By default, no secondary DNS server is configured in a service scheme.
● Configure the primary WINS server: Run wins ip-address. By default, no primary WINS server is configured in a service scheme.
● Configure the secondary WINS server: Run wins ip-address secondary. By default, no secondary WINS server is configured in a service scheme.
● Configure the URL and version number in the service scheme: Run auto-update url url-string version version-number. By default, no URL or version number is configured in a service scheme.
● Configure the default DNS domain name in the service scheme: Run dns-name domain-name. By default, no default DNS domain name is configured in a service scheme.
● Configure the local subnet information to be sent to the remote end: Run route set acl acl-number. By default, no local subnet information is sent to the remote end.
● Configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end: Run route set interface. By default, no IP address of the interface bound to the IPSec tunnel is sent to the remote end.
NOTE
Ensure that the IP address pool has been configured before running this command.
NOTE
Ensure that the QoS profile has been configured before running this command.
NOTE
The idle-cut function takes effect only after the idle time and traffic threshold are configured. To
configure the traffic threshold, run the idle-cut idle-time flow-value command. To configure the
idle time, use the value of idle-time configured on the device or the value (carried in RADIUS
attribute 28 Idle-Timeout) authorized by the RADIUS server. If both values exist, the value
authorized by the RADIUS server has a higher priority.
The idle-cut command configured in the service scheme view takes effect only for
administrators and PPPoE users.
----End
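The RADIUS attribute check described above (authentication succeeds only if the Access-Accept carries the specified attributes, otherwise the packet is discarded) and the idle-cut rule from the note (RADIUS attribute 28 Idle-Timeout takes priority over the locally configured idle-time), worked through as an added Python example that is not Huawei code. The shared secret, attribute values and required-attribute list are constructed for the demonstration; the Response Authenticator check follows RFC 2865.

```python
"""Check of a RADIUS Access-Accept as a NAS would perform it (added example, not Huawei code)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
IDLE_TIMEOUT = 28          # RADIUS attribute 28 Idle-Timeout
RADIUS_HEADER_LEN = 20     # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def build_response(code, identifier, request_authenticator, secret, avps):
    """Encode a RADIUS response; used here only to construct sample packets."""
    body = b"".join(struct.pack("!BB", attr_type, len(value) + 2) + value
                    for attr_type, value in avps)
    header = struct.pack("!BBH", code, identifier, RADIUS_HEADER_LEN + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + authenticator + body


def parse_avps(data):
    """Decode the attribute section into {type: [value, ...]}; reject malformed lengths."""
    attrs = {}
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[offset], data[offset + 1]
        if attr_len < 2 or offset + attr_len > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (attr_len, offset))
        attrs.setdefault(attr_type, []).append(data[offset + 2:offset + attr_len])
        offset += attr_len
    return attrs


def check_access_accept(packet, request_authenticator, secret, required_attrs):
    """Return (accepted, reason, attrs).

    accepted is True only for an authentic Access-Accept that carries every attribute
    in required_attrs; any other outcome means the packet is discarded.
    """
    if len(packet) < RADIUS_HEADER_LEN:
        return False, "packet shorter than RADIUS header", {}
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length > len(packet):
        return False, "invalid Length field", {}
    expected = hashlib.md5(packet[:4] + request_authenticator
                           + packet[RADIUS_HEADER_LEN:length] + secret).digest()
    # Authenticator check first: an unauthenticated packet must not influence the decision
    if not hmac.compare_digest(expected, packet[4:RADIUS_HEADER_LEN]):
        return False, "Response Authenticator mismatch", {}
    if code != ACCESS_ACCEPT:
        return False, "not an Access-Accept (code %d)" % code, {}
    try:
        attrs = parse_avps(packet[RADIUS_HEADER_LEN:length])
    except ValueError as exc:
        return False, "malformed attributes: %s" % exc, {}
    missing = [a for a in required_attrs if a not in attrs]
    if missing:
        return False, "missing required attributes %s" % missing, attrs
    return True, "ok", attrs


def effective_idle_time(attrs, local_idle_time):
    """Idle time used by idle-cut: the server-authorized Idle-Timeout wins over the local value."""
    if IDLE_TIMEOUT in attrs:
        value = attrs[IDLE_TIMEOUT][0]
        if len(value) != 4:
            raise ValueError("Idle-Timeout must be a 4-byte integer")
        return struct.unpack("!I", value)[0]
    return local_idle_time


# Constructed sample values (not real credentials)
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))
FILTER_ID, CLASS = 11, 25
REQUIRED = [FILTER_ID, CLASS]

SAMPLE_ACCEPT = build_response(ACCESS_ACCEPT, 7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, [
    (1, b"user1"), (FILTER_ID, b"acl-3001"), (CLASS, b"\x01\x02\x03"),
    (IDLE_TIMEOUT, struct.pack("!I", 600)),
])
SAMPLE_ACCEPT_NO_CLASS = build_response(ACCESS_ACCEPT, 8, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, [
    (1, b"user1"), (FILTER_ID, b"acl-3001"),
])

if __name__ == "__main__":
    for pkt in (SAMPLE_ACCEPT, SAMPLE_ACCEPT_NO_CLASS):
        ok, reason, attrs = check_access_accept(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, REQUIRED)
        print(ok, reason, "idle-time:", effective_idle_time(attrs, 900) if ok else "n/a")
```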
Context
Users must obtain authorization information before going online. You can
configure a user group to manage authorization information about users.
Procedure
● Configure a user group.
----End
Context
A NAS performs domain-based user management. A domain is a group of users
and each user belongs to a domain. A user uses only AAA configuration
information in the domain to which the user belongs.
The device determines the domain to which a user belongs based on the user
name. Before performing authentication, authorization, and accounting on users,
you need to create the domain to which the users belong.
Procedure
Step 1 Run system-view
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
By default, the default and default_admin domains are available on the device.
The default domain is used by common access users and the default_admin
domain is used by administrators.
Step 4 (Optional) Run state { active | block [ time-range time-name &<1-4> ] }
The domain state is configured.
By default, a domain is in active state after being created. When a domain is in
blocking state, users in this domain cannot log in.
Step 5 (Optional) Run statistic enable
Traffic statistics collection is enabled for users in the domain.
By default, traffic statistics collection is disabled for users in a domain.
Step 6 (Optional) Configure the DNS function, which takes effect for all domains on the
device.
1. Run quit
Return to the AAA view.
2. Run domainname-parse-direction { left-to-right | right-to-left }
The domain name resolution direction is configured.
By default, a domain name is parsed from left to right.
3. Run domain-name-delimiter delimiter
The domain name delimiter is configured.
By default, the domain name delimiter is @.
4. Run domain-location { after-delimiter | before-delimiter }
The position of a domain name is configured.
By default, a domain name is placed behind the domain name delimiter.
NOTE
The DNS function can also be configured in the authentication profile view. If the DNS function
is configured in both the AAA view and authentication profile view, the device preferentially
uses the configuration in the authentication profile, which applies only to wireless users.
The security string delimiter can also be configured in the authentication profile view. If
the security string delimiter is configured in both the AAA view and authentication profile
view, the device preferentially uses the configuration in the authentication profile, which
applies only to wireless users.
Step 8 (Optional) Specify a permitted domain for wireless users. (This step applies only to
wireless users.)
● Return to the system view: Run quit.
● Create an authentication profile and enter the authentication profile view: Run authentication-profile name authentication-profile-name. By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.
----End
Context
The device determines the domain to which a user belongs based on the user
name. If a user name does not contain a domain name, the device cannot
determine the domain to which the user belongs, and adds the user to a global
default domain. Based on user types (access users or administrators), global
default domains are classified into the global default common domain and global
default administrative domain.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure global default domains.
● Run domain domain-name
The global default common domain is configured.
● Run domain domain-name admin
NOTE
The same domain name can be set for the global default common domain and global default
administrative domain.
----End
Context
AAA schemes, server templates, and authorization information are managed in a
domain. A user uses only AAA configuration information in the domain to which
the user belongs.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name [ domain-index domain-index ]
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
By default, the default and default_admin domains are available on the device.
The default domain is used by common access users and the default_admin
domain is used by administrators.
Step 4 Run authentication-scheme scheme-name
An authentication scheme is applied to the domain.
By default, the authentication scheme named default is applied to the
default_admin domain, and the authentication scheme named radius is applied
to the default domain and other domains.
NOTE
● Ensure that the IP address of the configured level-2 RADIUS accounting server is different from that of the level-1 RADIUS accounting server (including the active/standby RADIUS accounting servers).
● Ensure that the level-2 RADIUS accounting server template configured in the domain is
different from the RADIUS server template for authentication and accounting in the domain.
If they are the same, the accounting-copy radius-server command cannot be configured
and the system displays an error message during the command configuration.
----End
Context
The device supports the RADIUS CoA and DM functions. CoA provides a
mechanism to change the rights of online users, and DM provides a mechanism to
forcibly disconnect users.
Procedure
Step 1 Run system-view
The device is configured to parse the MAC address format in RADIUS attribute
31 (Calling-Station-Id) in RADIUS CoA or DM packets based on RADIUS server
template configurations.
By default, the device is not configured to parse RADIUS attribute 31 in
RADIUS CoA or DM packets based on RADIUS server template configurations.
In a RADIUS server template, the MAC address format in RADIUS attribute 31
(Calling-Station-Id) is configured using the calling-station-id mac-format
command.
Table 1-34 lists the RADIUS attributes that can be configured in this step.
----End
Procedure
● Run the display aaa configuration command to check the AAA summary.
● Run the display authentication-scheme [ authentication-scheme-name ]
command to verify the authentication scheme configuration.
● Run the display accounting-scheme [ accounting-scheme-name ] command
to verify the accounting scheme configuration.
● Run the display service-scheme [ name name ] command to verify the
service scheme configuration.
● Run the display radius-server configuration [ template template-name ]
command to verify the RADIUS server template configuration.
● Run the display radius-server item { ip-address { ipv4-address | ipv6-address } { accounting | authentication } | template template-name } command to verify the RADIUS server configuration.
● Run the display radius-server { dead-interval | dead-count } command to
verify the specified RADIUS server detection interval and maximum number of
consecutive unacknowledged packets.
● Run the display radius-server authorization configuration command to
verify the RADIUS authorization server configuration.
● Run the display radius-attribute [ name attribute-name | type { attribute-number1 | huawei attribute-number2 | microsoft attribute-number3 | dslforum attribute-number4 } ] command to check the RADIUS attributes supported by the device.
● Run the display radius-attribute [ template template-name ] disable
command to check the disabled RADIUS attributes.
● Run the display radius-attribute [ template template-name ] translate
command to verify the setting for RADIUS attribute translation.
● Run the display domain [ name domain-name ] command to verify the
domain configuration.
● Run the display radius-server accounting-stop-packet { all | ip { ip-address |
ipv6-address } } command to verify the accounting-stop packets of the
RADIUS server.
● Run the display radius-attribute [ template template-name ] check
command to verify the to-be-tested attributes in RADIUS Access-Accept
packets.
● Run the display remote-user authen-fail [ blocked | username username ]
command to verify information about the accounts that fail in remote AAA
authentication.
● Run the display aaa statistics access-type-authenreq command to display
the number of authentication requests.
● Run the display radius-server session-manage configuration command to
verify the session management configuration for the RADIUS server.
----End
Configuration Procedure
If a user wants to establish a connection with the access device through a network
to obtain rights to access other networks and network resources, the access device
transparently transmits the user's authentication, authorization, and accounting
information to the HWTACACS server. The HWTACACS server determines whether
the user can pass authentication based on the configured information. If the user
passes the authentication, the RADIUS server sends an Access-Accept packet
containing the user's authorization information to the access device. The access
device then allows the user to access the network and grants rights to the user
based on information in the Access-Accept packet.
Context
To use HWTACACS authentication, authorization, and accounting, set the
authentication mode in the authentication scheme, authorization mode in the
authorization scheme, and accounting mode in the accounting scheme to
HWTACACS.
Procedure
● Configure an authentication scheme.
a. Run system-view
----End
Context
When configuring an HWTACACS server template, you must specify the IP address,
port number, and shared key of a specified HWTACACS server. Other settings, such
as the HWTACACS user name format and traffic unit, have default values and can
be modified based on network requirements.
The HWTACACS server template settings such as the HWTACACS user name
format and shared key must be the same as those on the HWTACACS server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run hwtacacs enable
HWTACACS is enabled.
By default, HWTACACS is enabled.
Step 3 Run hwtacacs-server template template-name
An HWTACACS server template is created and the HWTACACS server template
view is displayed.
By default, no HWTACACS server template is configured on the device.
Step 4 Configure HWTACACS authentication, authorization, and accounting servers.
Step 5 Set parameters for interconnection between the device and an HWTACACS server.
● Set the shared key for th
  a. Return to the system view (system view): Run quit.
Step 6 (Optional) Set the response timeout interval and activation interval for the HWTACACS server.
● Set the interval for the primary HWTACACS server to restore to the active state: Run hwtacacs-server timer quiet interval. The default interval for the primary HWTACACS server to restore to the active state is 5 minutes.
NOTE
To ensure device security, you are advised to frequently change the password.
----End
Context
Improper operations by a network administrator may sometimes cause a network
failure. After HWTACACS authentication and authorization are configured, the
server can record administrators' operations. These records can be used to locate
the problem if a network failure occurs.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run recording-scheme recording-scheme-name
A recording scheme is created and the recording scheme view is displayed.
By default, no recording scheme is configured on the device.
Step 4 Run recording-mode hwtacacs template-name
The recording scheme is associated with the HWTACACS server template.
By default, a recording scheme is not associated with any HWTACACS server
template.
Step 5 Run quit
The AAA view is displayed.
Step 6 Run cmd recording-scheme recording-scheme-name
A policy is configured to record the commands that have been executed on the
device.
----End
Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.
Procedure
Step 1 Run system-view
The user is configured as the administrator and the administrator level for login is
specified.
The value range of level is from 0 to 15. By default, the user level is not specified.
● Configure a DHCP server group: Run dhcp-server group group-name. By default, no DHCP server group is configured in a service scheme.
● Configure the IP address of the primary DNS server: Run dns ip-address. By default, no primary DNS server is configured in a service scheme.
● Configure the IP address of the secondary DNS server: Run dns ip-address secondary. By default, no secondary DNS server is configured in a service scheme.
● Configure the primary WINS server: Run wins ip-address. By default, no primary WINS server is configured in a service scheme.
● Configure the secondary WINS server: Run wins ip-address secondary. By default, no secondary WINS server is configured in a service scheme.
● Configure the URL and version number in the service scheme: Run auto-update url url-string version version-number. By default, no URL or version number is configured in a service scheme.
● Configure the default DNS domain name in the service scheme: Run dns-name domain-name. By default, no default DNS domain name is configured in a service scheme.
● Configure the local subnet information to be sent to the remote end: Run route set acl acl-number. By default, no local subnet information is sent to the remote end.
● Configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end: Run route set interface. By default, no IP address of the interface bound to the IPSec tunnel is sent to the remote end.
NOTE
Ensure that the IP address pool has been configured before running this command.
NOTE
Ensure that the QoS profile has been configured before running this command.
NOTE
The idle-cut function takes effect only after the idle time and traffic threshold are configured. To
configure the traffic threshold, run the idle-cut idle-time flow-value command. To configure the
idle time, use the value of idle-time configured on the device or the value (carried in RADIUS
attribute 28 Idle-Timeout) authorized by the RADIUS server. If both values exist, the value
authorized by the RADIUS server has a higher priority.
The idle-cut command configured in the service scheme view takes effect only for
administrators and PPPoE users.
----End
Context
The created authentication scheme, authorization scheme, accounting scheme,
and HWTACACS server template are in effect only when they are applied to a
domain.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run aaa
The AAA view is displayed.
Step 3 Run domain domain-name [ domain-index domain-index ]
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
The device has two default domains:
● default: Used by common access users
● default_admin: Used by administrators
NOTE
● If a user enters a user name that does not contain a domain name, the user is authenticated
in the default domain. In this case, you need to run the domain domain-name [ admin ]
command and set domain-name to configure a global default domain on the device.
● If a user enters a user name that contains a domain name during authentication, the user
must enter the correct value of domain-name.
● Apply an authorization scheme to the domain: Run authorization-scheme authorization-scheme-name. By default, no authorization scheme is applied to a domain.
Step 5 Apply a service scheme and an HWTACACS server template to the domain.
● (Optional) Apply a service scheme to the domain: Run service-scheme service-scheme-name. By default, no service scheme is applied to a domain.
● Apply an HWTACACS server template to the domain: Run hwtacacs-server template-name. By default, no HWTACACS server template is applied to a domain.
● Apply a user group to the domain: Run user-group group-name. By default, no user group is applied to a domain.
Step 8 (Optional) Configure a domain name parsing scheme. (If domain name parsing is
configured in both the AAA view and authentication profile view, the device
preferentially uses the configuration in the authentication profile. The
configuration in the authentication profile applies only to wireless users.)
● Exit from the domain view: Run quit.
● In the AAA view, specify the domain name parsing direction: Run domainname-parse-direction { left-to-right | right-to-left }. The domain name can be parsed from left to right, or from right to left. By default, the domain name is parsed from left to right.
● In the AAA view, set the domain name delimiter: Run domain-name-delimiter delimiter. A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.
● In the AAA view, specify the domain name location: Run domain-location { after-delimiter | before-delimiter }. The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.
● In the AAA view, set the security string delimiter: Run security-name-delimiter delimiter. The default security string delimiter is * (asterisk).
----End
Procedure
● Run the display aaa configuration command to check the AAA summary.
● Run the display authentication-scheme [ authentication-scheme-name ]
command to verify the authentication scheme configuration.
● Run the display authorization-scheme [ authorization-scheme-name ]
command to verify the authorization scheme configuration.
● Run the display accounting-scheme [ accounting-scheme-name ] command
to verify the accounting scheme configuration.
● Run the display recording-scheme [ recording-scheme-name ] command to
verify the recording scheme configuration.
● Run the display service-scheme [ name name ] command to verify the
service scheme configuration.
● Run the display hwtacacs-server template [ template-name ] command to
verify the HWTACACS server template configuration.
● Run the display hwtacacs-server template template-name verbose
command to check statistics about HWTACACS authentication, accounting,
and authorization.
● Run the display hwtacacs-server accounting-stop-packet { all | number | ip
{ ipv4-address | ipv6-address } } command to verify information about
accounting-stop packets of the HWTACACS server.
● Run the display domain [ name domain-name ] command to verify the
domain configuration.
● Run the display aaa statistics access-type-authenreq command to display
the number of authentication requests.
----End
Similar to the RADIUS protocol, the HACA protocol uses the client/server model to
authenticate access users.
Configuration Procedure
Context
When HACA authentication and authorization are used, the authentication and
authorization information must be configured on the HACA server.
When a user requests to access the Internet, the access device forwards
authentication information to the HACA server. The HACA server then decides
whether to allow the user to pass based on the configured information. If the user
is allowed, the HACA server sends an access-accept message carrying
authorization information to the access device. The access device then authorizes
network access rights to the user according to the access-accept message.
Context
If HACA authentication and authorization are used, set the authentication mode in
the authentication scheme to HACA and the accounting mode in an accounting
scheme to HACA.
Procedure
● Configure an authentication scheme.
a. Run system-view
NOTE
The device will not disconnect or reauthenticate users when the RADIUS
server delivers session-timeout with value 0.
i. Run quit
----End
Context
In an HACA server template, specify the server IP address and port number. Other
settings such as the HACA user name format and HACA server response timeout
have default values and can be changed based on network requirements.
Procedure
Step 1 Run system-view
The IP address and port number for the HACA server are configured.
By default, the IP address and port number of the HACA server are not configured
on the device.
By default, no source IP address is specified for HACA packets. The device uses the
IP address of the actual outbound interface as the source IP address of HACA
packets.
By default, the interval for reconnecting to the HACA server is one minute.
HACA is enabled.
The interval for synchronizing user information to the HACA server is set.
By default, the interval for synchronizing user information to the HACA server is
10 minutes.
----End
Context
Users must obtain authorization information before going online. You can
configure a service scheme to manage authorization information about users.
Procedure
Step 1 Run system-view
The user is configured as the administrator and the administrator level for login is
specified.
The value range of level is from 0 to 15. By default, the user level is not specified.
● Configure a DHCP server group: Run dhcp-server group group-name. By default, no DHCP server group is configured in a service scheme.
● Configure the IP address of the primary DNS server: Run dns ip-address. By default, no primary DNS server is configured in a service scheme.
● Configure the IP address of the secondary DNS server: Run dns ip-address secondary. By default, no secondary DNS server is configured in a service scheme.
● Configure the primary WINS server: Run wins ip-address. By default, no primary WINS server is configured in a service scheme.
● Configure the secondary WINS server: Run wins ip-address secondary. By default, no secondary WINS server is configured in a service scheme.
● Configure the URL and version number in the service scheme: Run auto-update url url-string version version-number. By default, no URL or version number is configured in a service scheme.
● Configure the default DNS domain name in the service scheme: Run dns-name domain-name. By default, no default DNS domain name is configured in a service scheme.
● Configure the local subnet information to be sent to the remote end: Run route set acl acl-number. By default, no local subnet information is sent to the remote end.
● Configure the IP address of the interface bound to the IPSec tunnel to be sent to the remote end: Run route set interface. By default, no IP address of the interface bound to the IPSec tunnel is sent to the remote end.
NOTE
Ensure that the IP address pool has been configured before running this command.
NOTE
Ensure that the QoS profile has been configured before running this command.
The idle-cut function is enabled for domain users and the idle-cut parameters are
set.
NOTE
The idle-cut function takes effect only after the idle time and traffic threshold are configured. To
configure the traffic threshold, run the idle-cut idle-time flow-value command. To configure the
idle time, use the value of idle-time configured on the device or the value (carried in RADIUS
attribute 28 Idle-Timeout) authorized by the RADIUS server. If both values exist, the value
authorized by the RADIUS server has a higher priority.
The idle-cut command configured in the service scheme view takes effect only for
administrators and PPPoE users.
----End
Context
The created authentication scheme and HACA server template take effect only
after being applied to a domain.
Procedure
Step 1 Run system-view
A domain is created and the domain view is displayed, or the view of an existing
domain is displayed.
The device has two default domains named default and default_admin. The two
domains can be modified but not deleted.
Step 9 (Optional) Configure a domain name resolution scheme. (If domain name
resolution is configured in both the AAA view and authentication profile view, the
device preferentially uses the configuration in the authentication profile. The
configuration in the authentication profile applies only to wireless users.)
● Exit from the domain view: Run quit.
● In the AAA view, configure the domain name resolution direction: Run domainname-parse-direction { left-to-right | right-to-left }. The domain name can be resolved from left to right, or from right to left. By default, the domain name is resolved from left to right.
● In the AAA view, configure a domain name delimiter: Run domain-name-delimiter delimiter. A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.
● In the AAA view, configure the domain name location: Run domain-location { after-delimiter | before-delimiter }. By default, the domain name is placed after the domain name delimiter.
● In the AAA view, configure a security string delimiter: Run security-name-delimiter delimiter. By default, the security string delimiter is an asterisk (*).
----End
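The domain selection rules described in this section and in the earlier domain procedures (split the entered user name with the configured parsing direction, delimiter and domain location; fall back to the global default domain, default for access users and default_admin for administrators, when the name carries no configured domain; refuse users whose domain is in the block state), worked through as an added Python example that is not Huawei code. The domain table, user names and the Domain/DomainNameParsing classes are constructed for the demonstration; the security string delimiter is not modelled.

```python
"""Domain selection from the entered user name (added example, not Huawei code)."""
from dataclasses import dataclass

DEFAULT_COMMON_DOMAIN = "default"        # global default domain for access users
DEFAULT_ADMIN_DOMAIN = "default_admin"   # global default domain for administrators
ALLOWED_DELIMITERS = set("\\/:<>|@'%")   # values accepted by domain-name-delimiter


@dataclass
class DomainNameParsing:
    """Settings of domainname-parse-direction, domain-name-delimiter and domain-location."""
    parse_direction: str = "left-to-right"   # or "right-to-left"
    delimiter: str = "@"
    location: str = "after-delimiter"        # or "before-delimiter"

    def __post_init__(self):
        if self.parse_direction not in ("left-to-right", "right-to-left"):
            raise ValueError("parse_direction must be left-to-right or right-to-left")
        if len(self.delimiter) != 1 or self.delimiter not in ALLOWED_DELIMITERS:
            raise ValueError("unsupported domain name delimiter %r" % self.delimiter)
        if self.location not in ("after-delimiter", "before-delimiter"):
            raise ValueError("location must be after-delimiter or before-delimiter")


@dataclass
class Domain:
    """A domain created with the domain command; state follows the state command."""
    name: str
    state: str = "active"                    # "active" or "block"


def split_user_name(entered_name, parsing):
    """Return (pure user name, domain name or None).

    Left-to-right parsing splits at the first delimiter, right-to-left at the last,
    so names with several delimiters split differently depending on the direction.
    """
    if parsing.parse_direction == "left-to-right":
        pos = entered_name.find(parsing.delimiter)
    else:
        pos = entered_name.rfind(parsing.delimiter)
    if pos < 0:
        return entered_name, None            # no domain name in the user name
    left, right = entered_name[:pos], entered_name[pos + 1:]
    if parsing.location == "after-delimiter":
        return left, right
    return right, left


def select_domain(entered_name, is_admin, parsing, domains):
    """Choose the domain whose AAA configuration applies to this user.

    Returns (pure user name, Domain, used_global_default). Raises PermissionError
    when the domain is blocked, since users in a blocked domain cannot log in.
    """
    user, domain_name = split_user_name(entered_name, parsing)
    global_default = DEFAULT_ADMIN_DOMAIN if is_admin else DEFAULT_COMMON_DOMAIN
    # The carried domain name is used only if it is configured on the NAS;
    # otherwise (or when none is carried) the global default domain applies.
    used_default = domain_name is None or domain_name not in domains
    domain = domains[global_default if used_default else domain_name]
    if domain.state != "active":
        raise PermissionError("domain %s is blocked; %s cannot log in" % (domain.name, user))
    return user, domain, used_default


# Constructed domain table for the demonstration
SAMPLE_DOMAINS = {
    DEFAULT_COMMON_DOMAIN: Domain(DEFAULT_COMMON_DOMAIN),
    DEFAULT_ADMIN_DOMAIN: Domain(DEFAULT_ADMIN_DOMAIN),
    "corp": Domain("corp"),
    "guest": Domain("guest", state="block"),
}

if __name__ == "__main__":
    parsing = DomainNameParsing()
    for name, admin in (("alice@corp", False), ("root", True), ("bob@nowhere", False)):
        user, domain, used_default = select_domain(name, admin, parsing, SAMPLE_DOMAINS)
        print("%-12s -> user %s in domain %s%s" % (
            name, user, domain.name, " (global default)" if used_default else ""))
```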
Procedure
● Run the display haca-server configuration [ template template-name ]
command to check the HACA server template configuration.
● Run the display haca-server statistics { all | message | packet
[ authentication | authorization | accounting | cut-notify | cut-request |
register | user-syn ] } [ template template-name ] command to check HACA
packet statistics.
● Run the display haca-server accounting-stop-packet all command to view
information about all accounting-stop packets on the HACA server.
----End
Context
You can force online users to go offline by specifying the domain name or
interface. This function is applicable to situations such as when the online users
are unauthorized, the number of online users reaches the maximum, or the AAA
configurations are modified. For example, when you modify the AAA
configurations of online users, the new AAA configurations take effect on these
users only after you force them to go offline.
NOTE
● If you delete the AAA configuration of online users, the users may be forced to go offline.
Procedure
● Run the cut access-user { domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance vpn-instance-name ] | mac-address mac-address | service-scheme service-scheme-name | access-slot slot-id | ssid ssid-name | user-group group-number | user-id begin-number [ end-number ] | username user-name } or cut access-user access-type { admin [ ftp | ssh | telnet | terminal | web ] | ppp | l2tp } [ username user-name ] command in the AAA view to disconnect one or more sessions. After a session of a user is disconnected, the user is forced to go offline.
----End
Prerequisites
RADIUS authentication or accounting is configured.
NOTE
If HWTACACS authentication or accounting is configured, you can run the test-aaa user-name
user-password hwtacacs-template template-name [ accounting [ start | realtime | stop ] ]
command to test connectivity between the device and the authentication server or accounting
server.
Context
This test checks whether a user can pass RADIUS authentication or accounting, which helps the
administrator locate faults.
Procedure
● Run the test-aaa user-name user-password radius-template template-name
[ chap | pap | accounting [ start | realtime | stop ] ] command in any view
to test whether a user can pass RADIUS authentication or accounting.
----End
Follow-up Procedure
● The test-aaa command returns an account test timeout message.
RADIUS authentication test for a single user times out.
<Huawei> test-aaa user1 huawei123 radius-template huawei
Info: Account test time out.
▪ The NAS-IP in the RADIUS server template is different from the NAS-IP configured on the RADIUS server.
▪ When a controller is used as the RADIUS server, run the netstat -nao
| findstr 1812 and netstat -nao | findstr 1813 commands on the
server to check whether the ports are occupied. If yes, disable the
applications that occupy the ports.
▪ Run the display this command in the AAA view to check whether
the user authentication or accounting domain is the same as the
RADIUS authentication or accounting domain configured on the
device.
○ When the user name entered by the user contains a domain
name, check whether RADIUS authentication or accounting has
been configured in the domain. If not, configure RADIUS
authentication or accounting in the domain.
○ When the user name entered by the user does not contain a
domain name, check whether RADIUS authentication or
accounting has been configured in the global default domain
(administrator uses default_admin and common users use
default). If not, configure RADIUS authentication or accounting
in the domain.
▪ Run the display this command in the AAA view to check whether
the AAA authentication or accounting scheme and RADIUS server
template have been applied to the domain. If not, apply the AAA
authentication or accounting scheme and RADIUS server template to
the domain.
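To make the timeout cases above concrete, the following added example (not code from the Huawei guide) builds the PAP Access-Request that a test-aaa run sends to UDP port 1812 and checks the server's Response Authenticator with the shared key, which is the step that fails when the key or the NAS-IP does not match. The user name, password, key and NAS-IP are constructed placeholders.

```python
"""Added example (not from the Huawei guide): RADIUS PAP Access-Request
construction and Response Authenticator verification per RFC 2865.
All user, password, key and NAS-IP values here are constructed placeholders."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types

def attr(atype, value):
    # Attribute TLV: type (1 byte), length including header (1 byte), value
    return struct.pack("BB", atype, len(value) + 2) + value

def pap_encrypt(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(ciphertext, secret, authenticator):
    # Inverse of pap_encrypt; the chain runs over the ciphertext blocks
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], key))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    # NAS-IP-Address is what the server matches against its client entry; a
    # request from an unknown NAS-IP is silently discarded, hence the timeout.
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, pap_encrypt(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(packet, request_auth, secret):
    # Returns the response code if its authenticator checks out, else None.
    # A shared-key mismatch fails here, so the NAS drops the reply and the
    # test ends in "Account test time out" rather than a clean Reject.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    attrs = packet[20:]
    if packet[4:20] != response_authenticator(code, ident, attrs, request_auth, secret):
        return None
    return code
```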
Context
You can configure the alarm report function, which helps you obtain real-time
running status of AAA (for example, the status of the communication with the
RADIUS server becomes Down) and facilitates O&M.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run snmp-agent trap enable feature-name radius [ trap-name
{ hwradiusacctserverdown | hwradiusacctserverup | hwradiusauthserverdown |
hwradiusauthserverup } ]
The alarm report function is enabled for the RDS module.
By default, the alarm report function is disabled for the RDS module.
----End
Context
Enabling the recording of information related to normal logout, abnormal logout,
and login failure helps administrators locate and analyze problems.
Procedure
● Run the aaa offline-record command in the system view to record normal
logout information.
By default, the device is enabled to record normal logout information.
● Run the aaa abnormal-offline-record command in the system view to record
abnormal logout information.
By default, the device is enabled to record abnormal logout information.
● Run the aaa online-fail-record command in the system view to record login
failure information.
By default, the device is enabled to record login failure information.
----End
Follow-up Procedure
● Run the display aaa { offline-record | abnormal-offline-record | online-fail-record }
{ all | reverse-order | domain domain-name | interface interface-type interface-number
[ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance
vpn-instance-name ] | mac-address mac-address | access-slot slot-number | time
start-time end-time [ date start-date end-date ] | username user-name [ time
start-time end-time [ date start-date end-date ] ] } [ brief ] command to check
normal logout, abnormal logout, and login failure records.
● Run the display aaa statistics offline-reason command in any view to check
the reasons for users to go offline.
Context
NOTICE
The AAA statistics cannot be restored after being cleared. Clear AAA statistics with
caution.
Procedure
● Run the reset aaa { abnormal-offline-record | offline-record | online-fail-record }
command in the system view to clear records of abnormal logout, logout, and
login failures.
● Run the reset aaa statistics offline-reason command in any view to clear
the statistics on reasons why users go offline.
● Run the reset access-user statistics command in any view to clear the
statistics on access user authentication.
● Run the reset hwtacacs-server statistics { accounting | all | authentication
| authorization } command in the user view to clear the statistics on
HWTACACS authentication, accounting, and authorization.
● Run the reset hwtacacs-server accounting-stop-packet { all | ip { ipv4-address |
ipv6-address } } command to clear remaining buffer information on HWTACACS
accounting-stop packets.
● Run the reset radius-server accounting-stop-packet { all | ip { ipv4-address |
ipv6-address } } command to clear remaining buffer information on RADIUS
accounting-stop packets.
● Run the reset local-user [ user-name ] password history record command in
the AAA view to clear historical passwords of local users.
● Run the reset aaa statistics access-type-authenreq command in any view to
clear the number of authentication requests.
----End
Context
Before collecting statistics within a certain period for fault locating, clear existing
statistics.
NOTICE
The HACA statistics cannot be restored after being cleared. Confirm your
operation before clearing the HACA statistics.
Procedure
● Run the reset haca-server statistics { all | message | packet [ register |
accounting | authentication | authorization | user-syn | cut-notify | cut-request ] }
[ template template-name ] command in the user view to clear HACA statistics.
● Run the reset haca-server accounting-stop-packet all command in the user
view to clear the remaining buffer information of HACA accounting-stop
packets.
----End
Networking Requirements
As shown in Figure 1-29, users belong to the domain huawei. Router functions as
the network access server on the destination network, providing access to users
only after they are remotely authenticated by the server. The remote
authentication on Router is described as follows:
● The RADIUS server will authenticate access users for Router. If RADIUS
authentication fails, local authentication is used.
● The RADIUS servers at 10.7.66.66/24 and 10.7.66.67/24 function as the
primary and secondary authentication and accounting servers, respectively.
The default authentication port and accounting port are 1812 and 1813,
respectively.
Figure 1-29 (diagram not reproduced): Domain huawei, Router, Network
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS template named shiva.
<Huawei> system-view
[Huawei] sysname Router
[Router] radius-server template shiva
# Set the IP address and port numbers for the primary RADIUS authentication and
accounting server.
[Router-radius-shiva] radius-server authentication 10.7.66.66 1812 weight 80
[Router-radius-shiva] radius-server accounting 10.7.66.66 1813 weight 80
# Set the IP address and port numbers for the secondary RADIUS authentication
and accounting server.
[Router-radius-shiva] radius-server authentication 10.7.66.67 1812 weight 40
[Router-radius-shiva] radius-server accounting 10.7.66.67 1813 weight 40
# Set the shared key and retransmission count for the RADIUS server, and
configure the device not to encapsulate the domain name in the user name when
sending RADIUS packets to the RADIUS server.
[Router-radius-shiva] radius-server shared-key cipher Huawei@2012
[Router-radius-shiva] radius-server retransmit 2
[Router-radius-shiva] undo radius-server user-name domain-included
[Router-radius-shiva] quit
# Create an accounting scheme named abc, and configure the accounting scheme
to use the RADIUS accounting mode. Configure a policy for the device to keep
users online upon accounting-start failures.
[Router-aaa] accounting-scheme abc
[Router-aaa-accounting-abc] accounting-mode radius
[Router-aaa-accounting-abc] accounting start-fail online
[Router-aaa-accounting-abc] quit
Step 3 Create a domain named huawei, and apply the authentication scheme auth,
accounting scheme abc, and RADIUS server template shiva to the domain.
[Router-aaa] domain huawei
[Router-aaa-domain-huawei] authentication-scheme auth
[Router-aaa-domain-huawei] accounting-scheme abc
[Router-aaa-domain-huawei] radius-server shiva
[Router-aaa-domain-huawei] quit
[Router-aaa] quit
[Router] aaa
[Router-aaa] local-user user1 password irreversible-cipher Huawei@123
[Router-aaa] local-user user1 service-type http
[Router-aaa] local-user user1 privilege level 15
[Router-aaa] quit
----End
Configuration Files
Router configuration file
#
sysname Router
#
domain huawei
domain huawei admin
#
radius-server template shiva
radius-server shared-key cipher %^%#BS'$!w:u7H.lu:/&W9A5=pUt%^%#
radius-server authentication 10.7.66.66 1812 weight 80
radius-server authentication 10.7.66.67 1812 weight 40
radius-server accounting 10.7.66.66 1813 weight 80
radius-server accounting 10.7.66.67 1813 weight 40
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme auth
authentication-mode radius local
accounting-scheme abc
accounting-mode radius
accounting start-fail online
domain huawei
authentication-scheme auth
accounting-scheme abc
radius-server shiva
local-user user1 password irreversible-cipher
local-user user1 privilege level 15
local-user user1 service-type http
#
return
Networking Requirements
For the network shown in Figure 1-30, the customer requirements are as follows:
● The HWTACACS server will authenticate access users for Router. If HWTACACS
authentication fails, local authentication is used.
● The HWTACACS server will authorize access users for Router. If HWTACACS
authorization fails, local authorization is used.
● HWTACACS accounting is used by Router for access users.
● Real-time accounting is performed every 3 minutes.
● The IP addresses of primary and secondary HWTACACS servers are
10.7.66.66/24 and 10.7.66.67/24, respectively. The port number for
authentication, accounting, and authorization is 49.
Figure 1-30 (diagram not reproduced): Domain huawei, Router, Network, HWTACACS server 1 (10.7.66.66/24), HWTACACS server 2 (10.7.66.67/24), destination network
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication scheme, authorization
scheme, and accounting scheme to a domain.
NOTE
Procedure
Step 1 Enable HWTACACS.
<Huawei> system-view
[Huawei] sysname Router
[Router] hwtacacs enable
NOTE
By default, HWTACACS is enabled. If the HWTACACS settings are not modified, you can skip
this step.
# Set the IP addresses and port numbers for the primary HWTACACS
authentication, authorization, and accounting servers.
[Router-hwtacacs-ht] hwtacacs-server authentication 10.7.66.66 49
[Router-hwtacacs-ht] hwtacacs-server authorization 10.7.66.66 49
[Router-hwtacacs-ht] hwtacacs-server accounting 10.7.66.66 49
# Set the IP addresses and port numbers for the secondary HWTACACS
authentication, authorization, and accounting servers.
[Router-hwtacacs-ht] hwtacacs-server authentication 10.7.66.67 49 secondary
[Router-hwtacacs-ht] hwtacacs-server authorization 10.7.66.67 49 secondary
[Router-hwtacacs-ht] hwtacacs-server accounting 10.7.66.67 49 secondary
NOTE
Ensure that the shared key in the HWTACACS server template is the same as that set on the
HWTACACS server.
[Router-hwtacacs-ht] hwtacacs-server shared-key cipher Huawei@2012
[Router-hwtacacs-ht] quit
Step 4 Create a domain named huawei, and apply the authentication scheme l-h,
authorization scheme hwtacacs, accounting scheme hwtacacs, and the
HWTACACS server template ht to the domain.
[Router-aaa] domain huawei
[Router-aaa-domain-huawei] authentication-scheme l-h
[Router-aaa-domain-huawei] authorization-scheme hwtacacs
[Router-aaa-domain-huawei] accounting-scheme hwtacacs
[Router-aaa-domain-huawei] hwtacacs-server ht
[Router-aaa-domain-huawei] quit
[Router-aaa] quit
----End
Configuration Files
Router configuration file
#
sysname Router
#
domain huawei admin
#
hwtacacs-server template ht
hwtacacs-server authentication 10.7.66.66
hwtacacs-server authentication 10.7.66.67 secondary
hwtacacs-server authorization 10.7.66.66
hwtacacs-server authorization 10.7.66.67 secondary
hwtacacs-server accounting 10.7.66.66
hwtacacs-server accounting 10.7.66.67 secondary
hwtacacs-server shared-key cipher %^%#0%i9M.C!T$8iTn7Ig-4V8GTgK[gwp3b6;k=caxl-%^%#
#
aaa
authentication-scheme l-h
Networking Requirements
As shown in Figure 1-31, enterprise users access the network through Router. The
user names do not contain any domain names.
The enterprise requires that common users access the network and obtain rights
after passing RADIUS authentication and that administrators log in to the device
for management only after passing local authentication on Router.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and a VLANIF interface for Router to communicate with the
RADIUS server.
2. Configure authentication and accounting schemes for common users and
apply the schemes to the default domain to authenticate common users,
such as users using 802.1X authentication. The user names of the users do not
contain domain names.
3. Configure authentication and authorization schemes for administrators and
apply the schemes to the default_admin domain to authenticate
administrators, such as a user logging in through Telnet, SSH, or FTP. The user
names of administrators do not contain domain names.
NOTE
Ensure that users have been configured on the RADIUS server. In this example, the user
with the user name test1 and password 123456 has been configured on the RADIUS server.
This example provides only the configuration for Router. The configurations of the RADIUS
server are not described here.
Procedure
Step 1 Create a VLAN and configure interfaces.
# Create VLAN 11 on Router.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 11
# Set the link type of Eth2/0/1 of Router that is connected to the RADIUS server
to access, and add Eth2/0/1 to VLAN 11.
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 11
[Router-Ethernet2/0/1] quit
# Create VLANIF 11, and configure the IP address of 192.168.2.29/24 for VLANIF
11.
[Router] interface vlanif 11
[Router-Vlanif11] ip address 192.168.2.29 24
[Router-Vlanif11] quit
Step 2 Configure RADIUS AAA for common users who use 802.1X authentication.
NOTE
Ensure that the shared key in the RADIUS server template is the same as that set on the RADIUS
server.
# Create authentication and accounting schemes both named abc, and set the
authentication and accounting modes to RADIUS.
[Router] aaa
[Router-aaa] authentication-scheme abc
[Router-aaa-authen-abc] authentication-mode radius
[Router-aaa-authen-abc] quit
[Router-aaa] accounting-scheme abc
[Router-aaa-accounting-abc] accounting-mode radius
[Router-aaa-accounting-abc] quit
# Test connectivity between Router and the RADIUS server. Ensure that the test1
user with the password 123456 has been configured on the RADIUS server.
[Router-aaa] test-aaa test1 123456 radius-template rd1
# Apply the authentication scheme abc, accounting schemes abc, and RADIUS
server template rd1 to the default domain.
[Router-aaa] domain default
[Router-aaa-domain-default] authentication-scheme abc
[Router-aaa-domain-default] accounting-scheme abc
[Router-aaa-domain-default] radius-server rd1
[Router-aaa-domain-default] quit
[Router-aaa] quit
# Set the global default domain for common users to default. After common
users enter their user names in the format of user@default, the device performs
AAA authentication for the users in the default domain. If a user name does not
contain a domain name or contains a non-existing domain name, the device
authenticates the common user in the default domain for common users.
[Router] domain default
Step 3 Configure local authentication and authorization for the administrator test.
# Configure the device to use AAA for the Telnet user that logs in through the VTY
user interface.
[Router] telnet server enable
[Router] user-interface vty 0 14
[Router-ui-vty0-14] authentication-mode aaa
[Router-ui-vty0-14] quit
# Configure a local user named test with password admin@12345, and set the
user level to 3.
[Router] aaa
[Router-aaa] local-user test password irreversible-cipher admin@12345 privilege level 3
# Configure local account locking. Set the retry interval to 5 minutes, the
maximum number of consecutive authentication failures to 3, and the local
account locking duration to 5 minutes.
[Router-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
# Apply the authentication scheme auth and authorization scheme autho to the
default_admin domain.
[Router-aaa] domain default_admin
[Router-aaa-domain-default_admin] authentication-scheme auth
[Router-aaa-domain-default_admin] authorization-scheme autho
[Router-aaa-domain-default_admin] quit
[Router-aaa] quit
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
# If you log in through Telnet, enter the user name test and password
admin@12345, and run the display access-user domain and display access-user
user-id commands to check the domain to which you belong and your access
type.
<Router> display access-user domain default_admin
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
16009 test 10.135.18.217 - Success
------------------------------------------------------------------------------
Total: 1, printed: 1
<Router> display access-user user-id 16009
Basic:
User id : 16009
User name : test
Domain-name : default_admin
User MAC :-
User IP address : 10.135.18.217
User IPv6 address :-
User access time : 2009/02/15 05:10:52
User accounting session ID :
huawei255255000000000f910d2016009huawei255255000000000f****2016009
Option82 information :-
User access type : Telnet
AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : None
----End
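The local account locking set in Step 3 (retry-interval 5, retry-time 3, block-time 5) is easier to reason about as a state machine. The following added example (not code from the Huawei guide) models it under the assumed semantics that 3 consecutive failures within a 5-minute window lock the account for 5 minutes, that attempts during the lock are rejected without extending it, and that a success clears the counter; times are minutes supplied by the caller.

```python
"""Added example (not from the Huawei guide): model of local-aaa-user
wrong-password retry-interval 5 retry-time 3 block-time 5. Assumed semantics:
retry-time failures within retry-interval minutes lock the account for
block-time minutes; a success clears the counter; attempts while locked do
not extend the lock. Times are minutes passed in by the caller."""


class LocalAccountLock:
    def __init__(self, retry_interval=5, retry_time=3, block_time=5):
        self.retry_interval = retry_interval   # window (minutes) in which failures count
        self.retry_time = retry_time           # consecutive failures allowed before locking
        self.block_time = block_time           # lock duration (minutes)
        self.state = {}                        # user -> failures, window start, lock expiry

    def _get(self, user):
        return self.state.setdefault(user, {"failures": 0, "first": None, "locked_until": None})

    def is_locked(self, user, now):
        s = self._get(user)
        if s["locked_until"] is None:
            return False
        if now < s["locked_until"]:
            return True
        # Lock expired: the user starts again with a clean counter
        s.update(failures=0, first=None, locked_until=None)
        return False

    def record_failure(self, user, now):
        """Register a wrong password at time now; returns True if the account is now locked."""
        s = self._get(user)
        if self.is_locked(user, now):
            return True   # rejected during the lock; does not count or extend it
        if s["first"] is None or now - s["first"] > self.retry_interval:
            s["failures"], s["first"] = 0, now   # window expired: restart counting
        s["failures"] += 1
        if s["failures"] >= self.retry_time:
            s["locked_until"] = now + self.block_time
            return True
        return False

    def record_success(self, user, now):
        """A correct password while unlocked clears the counter; returns False if locked."""
        if self.is_locked(user, now):
            return False
        self._get(user).update(failures=0, first=None)
        return True
```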
Configuration File
Router configuration file
#
sysname Router
#
vlan batch 10 to 11
#
authentication-profile name p1
dot1x-access-profile d1
authentication mode multi-authen max-user 100
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
radius-server accounting 192.168.2.30 1813 weight 80
radius-server retransmit 2
#
aaa
authentication-scheme abc
authentication-mode radius
authentication-scheme auth
authorization-scheme autho
accounting-scheme abc
accounting-mode radius
domain default
authentication-scheme abc
accounting-scheme abc
radius-server rd1
domain default_admin
authentication-scheme auth
authorization-scheme autho
local-user test password irreversible-cipher $1a$KQje%Ip2q/$bBk."}ISO@KQje%Ip2q/$bBk."}ISO@$
local-user test privilege level 3
local-user test service-type telnet
#
interface Vlanif11
ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 10
authentication-profile p1
#
interface Ethernet2/0/1
port link-type access
port default vlan 11
#
telnet server enable
#
user-interface vty 0 14
authentication-mode aaa
#
dot1x-access-profile name d1
#
return