Radius Configuration FSOS

Contents

1. RADIUS Configuration
  1.1 RADIUS Overview
    1.1.1 AAA Overview
    1.1.2 AAA Realization
    1.1.3 RADIUS Overview
  1.2 RADIUS Configuration
    1.2.1 RADIUS Server Configuration
    1.2.2 RADIUS Master Server and Slave Server Switchover
    1.2.3 Configure Local User
    1.2.4 Configure Domain
    1.2.5 Configure RADIUS Features
    1.2.6 RADIUS Display and Maintenance
  1.3 RADIUS Configuration Example
    1.3.1 Networking and Requirements
    1.3.2 Configuration Steps
    1.3.3 Result Validation

1. RADIUS Configuration

1.1 RADIUS Overview

1.1.1 AAA Overview

AAA stands for Authentication, Authorization and Accounting. It is a framework for managing network access security: authentication decides which users may access the network, authorization decides which services an authenticated user may use, and accounting records how users consume network resources so that they can be billed or audited.

AAA generally uses a client/server structure: the client runs on the device that controls the managed resource (the network access server, NAS), and the server stores user information centrally. This makes the AAA framework scalable and makes centralized management of user information easy.

1.1.2 AAA Realization

The AAA framework is shown in Figure 1-1.

Figure 1-1 AAA frame diagram

There are two ways to realize AAA:
- locally on the NAS;
- through an AAA server protocol such as RADIUS or TACACS+.

1.1.3 RADIUS Overview

RADIUS (Remote Authentication Dial In User Service) is an AAA protocol used for network access and IP mobility, in both fixed and mobile access scenarios. The RADIUS server keeps a user database that stores each user's name and password for authentication, together with the service type and configuration information that is returned to the NAS to complete authorization. Once the user is authorized, the server also performs accounting for the user's session.

Key properties of RADIUS:
- Users are authenticated with the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP) or the Extensible Authentication Protocol (EAP). The server may look up credentials in a text file, an LDAP directory or a database.
- After authentication, the service parameters are passed back to the NAS. The NAS notifies the server when a session starts and stops; this data is used for billing or statistics.
- RADIUS servers are usually monitored remotely with SNMP.
- A RADIUS server can act as a proxy, forwarding requests to other RADIUS servers.

The key features of RADIUS are:

1. Client/Server Model
The NAS acts as a client of the RADIUS server. The server receives the user connection requests, authenticates the user, and returns all the configuration information the client needs to deliver the service to the user. A RADIUS server can also act as a proxy client to other RADIUS servers.

2. Network Security

Transactions between a client and a server are authenticated with a shared key (shared secret) configured on both sides; the key itself is never sent over the network. The user password is not sent in clear text either: the User-Password attribute is obfuscated by XOR with an MD5 keystream derived from the shared key and the per-request Request Authenticator (RFC 2865), so only a party holding the key can recover it. Note for practitioners: this protection rests on MD5 and a static secret, so use a long random key per NAS, keep RADIUS traffic on an isolated management network or carry it over RADIUS/TLS (RadSec), and never reuse the short lab keys seen in configuration examples.

3. Flexible Authentication Mechanisms
The RADIUS server can support a variety of methods for authenticating a user, including PPP PAP, PPP CHAP and simple UNIX login.

4. Extensible Protocol
RADIUS is extensible: attributes are carried as type-length-value triples, so new attributes can be added without disturbing existing implementations. Most vendors of RADIUS hardware and software implement their own dialect through vendor-specific attributes.

1.2 RADIUS Configuration

1.2.1 RADIUS Server Configuration

The RADIUS server holds the identities of valid users. During authentication the switch forwards the user's credentials to the RADIUS server and relays the server's verdict to the user. A user connected to the switch can access LAN resources only after the RADIUS server has authenticated it.

Configure RADIUS server

  Operation                                              Command                                         Remarks
  Enter global configuration mode                        configure terminal                              -
  Enter AAA mode                                         aaa                                             -
  Create and enter a RADIUS scheme                       radius host name                                Required
  Configure the primary authentication server            primary-auth-ip ipaddr port                     Required
  Configure the secondary authentication server          second-auth-ip ipaddr port                      Optional
  Configure the primary accounting server                primary-acct-ip ipaddr port                     Optional
  Configure the secondary accounting server              second-acct-ip ipaddr port                      Optional
  Configure the shared key for authentication            auth-secret-key keystring                       Required
  Configure the shared key for accounting                acct-secret-key keystring                       Optional
  Configure the NAS-IP-Address sent to the server        nas-ipaddress ipaddr                            Optional; if not configured, the device's own IP address is used
  Set whether the user name sent to this RADIUS
  server carries the domain name                         username-format { with-domain | without-domain } Optional
  Enable real-time accounting                            realtime-account                                Optional
  Configure the real-time accounting interval            realtime-account interval time                  Optional

1.2.2 RADIUS Master Server and Slave Server Switchover

RADIUS offers master/slave server redundancy: while both the master server and the slave server are working, authentication is performed only through the master server; if the master server fails, the slave server is enabled; when the master server recovers, the slave server is disabled again and the master server resumes service.

Realization mechanism: during RADIUS authentication, if the master server stops working it is marked down and the slave server takes over. When the master server is found to be working again, the preemption timer (preemption-time) is started; when it expires, the master server is marked up again and authentication is once more performed through the master server. A preemption time of 0 means the master server is never preempted back.

RADIUS master server and slave server switchover

  Operation                                Command                 Remarks
  Enter global configuration mode          configure terminal      -
  Enter AAA configuration mode             aaa                     -
  Create and enter a RADIUS scheme         radius host name        -
  Configure the preemption timer           preemption-time time    Value range 0-1440, in minutes; 0 by default (no preemption)

1.2.3 Configure Local User

For local authentication (scheme local), the switch needs local user names, passwords and related settings configured on it.

Configure local user

  Operation                                Command                                                 Remarks
  Enter global configuration mode          configure terminal                                      -
  Enter AAA mode                           aaa                                                     -
  Configure a local user                   local-user username name password pwd [ vlan vid ]      -

1.2.4 Configure Domain

The client provides a user name and password during authentication. The user name usually carries the user's ISP information in the form of a domain (user@domain). The most important information held by a domain is which RADIUS server performs authentication and accounting for the users in that domain.

Configure domain

  Operation                                                         Command                                      Remarks
  Enter global configuration mode                                   configure terminal                           -
  Enter AAA mode                                                    aaa                                          -
  Configure the default domain name                                 default domain-name enable domain-name       Optional; applied to user names that carry no domain
  Disable the default domain name                                   default domain-name disable                  -
  Create and enter a domain                                         domain name                                  Required
  Use RADIUS authentication                                         scheme radius                                -
  Use local user authentication                                     scheme local                                 -
  Use local authentication if RADIUS authentication fails           scheme radius local                          -
  Select the RADIUS scheme for the current domain                   radius host binding radius-name              -
  Enable and set the limit on the number of authenticated
  users in the domain                                               access-limit enable number                   -
  Disable the limit on the number of authenticated users            access-limit disable                         -
  Activate the current domain                                       state active                                 Required
  Block the current domain                                          state block                                  -

1.2.5 Configure RADIUS Features

Configure RADIUS compatibility and other special features as below:

Configure RADIUS features

  Operation                                                         Command                                      Remarks
  Enter global configuration mode                                   configure terminal                           -
  Enter AAA mode                                                    aaa                                          -
  Configure the accounting-on function                              accounting-on { enable sen-num | disable }   -
  Configure H3C CAMS compatibility                                  h3c-cams { enable | disable }                -
  Enable the accounting function                                    radius accounting                            -
  Force the 802.1X user offline if accounting packets get
  no response                                                       radius server-disconnect drop 1x             -
  Allow RADIUS to distribute the port priority                      radius 8021p enable                          -
  Allow RADIUS to distribute the port PVID                          radius vlan enable                           -
  Allow RADIUS to distribute the MAC address learning limit         radius mac-address-number enable             -
  Allow RADIUS to distribute bandwidth control                      radius bandwidth-limit enable                -

Notes:

- accounting-on: after the device reboots, it sends an Accounting-On packet to the RADIUS server so that the server forces all users of this device offline, clearing sessions that the reboot left behind.
- H3C CAMS compatibility: with this feature enabled, the radius attribute client-version command forwards the client's version information to the RADIUS server, and the uprate-value / dnrate-value commands set the attribute numbers used for upstream and downstream bandwidth in the Vendor-Specific attribute.
- RADIUS distributes port priority: after a user passes authentication, the priority of the port the user is on is modified. By default this is carried in Vendor-Specific sub-attribute 77; the number can be changed with radius config-attribute.
- RADIUS distributes port PVID: after a user passes authentication, the PVID of the port the user is on is modified. This is carried in the Tunnel-Private-Group-ID attribute (tunnel-pvt-group-id). Its value is a string; the switch uses it to find the VLAN whose name matches and applies that VLAN's ID.
- RADIUS distributes the MAC address number limit: after a user passes authentication, the MAC address learning limit of the port the user is on is modified. By default this is carried in Vendor-Specific sub-attribute 50; the number can be changed with radius config-attribute.
- RADIUS distributes bandwidth control: after a user passes authentication, the bandwidth control of the port the user is on is modified. Uplink bandwidth is carried in Vendor-Specific sub-attribute 75 and downlink bandwidth in sub-attribute 76 by default; both numbers can be changed with radius config-attribute. The unit defaults to kbps and can be changed with radius config-attribute access-bandwidth unit.
- RADIUS distributes ACLs: this function has no control command and is always enabled. The ACL is carried in the standard Filter-Id attribute (11).

Because these attributes reconfigure the port (ACL, VLAN, bandwidth) directly from the Access-Accept, anyone able to forge or alter server responses, for instance with a leaked shared key or an unprotected path to the server, can change the user's network access. Protect the RADIUS path accordingly.

1.2.6 RADIUS Display and Maintenance

  Operation                                                  Command                       Remarks
  Display the RADIUS attributes                              show radius attribute         -
  Display the configurable RADIUS attribute numbers          show radius config-attribute  -
  Display the configuration of a RADIUS scheme               show radius host hostname     -
  Enable RADIUS debugging                                    debug radius                  -
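The following is an added example and not FSOS or vendor code. It encodes and decodes the attributes that section 1.2.5 says the switch acts on after a successful authentication (Filter-Id, Tunnel-Private-Group-ID and Vendor-Specific sub-attributes 50/75/76/77) and turns an Access-Accept's attribute list into the resulting port settings, rejecting malformed attribute lengths on the way. Assumptions not taken from the guide: VENDOR_ID is a placeholder for the vendor's IANA enterprise number, the sub-attribute numbers are the guide's defaults, and the Filter-Id value is the ACL number as a decimal string, optionally prefixed "assignacl-" as the show output in section 1.3.3 suggests.

```python
# Added example (not FSOS or vendor code): encode/decode the attributes of
# section 1.2.5 and map an Access-Accept to the port settings it distributes.
# Assumptions: VENDOR_ID is a placeholder; sub-attribute numbers 50/75/76/77
# are the guide's defaults; Filter-Id is the ACL number as a decimal string,
# optionally prefixed "assignacl-".
import struct

FILTER_ID = 11                 # RFC 2865
VENDOR_SPECIFIC = 26           # RFC 2865
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868
VENDOR_ID = 99999              # placeholder, not the real enterprise number

VSA_MAC_LIMIT, VSA_UPRATE, VSA_DNRATE, VSA_PRIORITY = 50, 75, 76, 77


def attr(atype, value):
    """One attribute TLV: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_type, value, vendor_id=VENDOR_ID):
    """Vendor-Specific (26): Vendor-Id(4) followed by sub-TLVs in the same layout."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vendor_type, value))


def parse_attrs(data):
    """Return [(type, value)], refusing lengths that would loop or overrun."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = struct.unpack_from("!BB", data, pos)
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def parse_vsa(value, vendor_id=VENDOR_ID):
    """Sub-attributes of a VSA from our vendor; other vendors' VSAs are ignored."""
    if len(value) < 6 or struct.unpack("!I", value[:4])[0] != vendor_id:
        return []
    return parse_attrs(value[4:])


def port_profile(accept_attrs, vlan_by_name, unit_kbps=1):
    """Map Access-Accept attributes to the port settings of section 1.2.5.
    unit_kbps mirrors 'radius config-attribute access-bandwidth unit'."""
    profile = {}
    for atype, value in parse_attrs(accept_attrs):
        if atype == FILTER_ID:
            text = value.decode("ascii")
            if text.startswith("assignacl-"):
                text = text[len("assignacl-"):]
            profile["acl"] = int(text)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet <= 0x1F is a Tag, not part of the string.
            if value and value[0] <= 0x1F:
                value = value[1:]
            # Per the guide the string names a VLAN; the switch applies that VLAN's ID.
            profile["pvid"] = vlan_by_name[value.decode("ascii")]
        elif atype == VENDOR_SPECIFIC:
            for vtype, data in parse_vsa(value):
                if len(data) != 4:
                    continue  # the numeric sub-attributes are 32-bit integers
                num = struct.unpack("!I", data)[0]
                if vtype == VSA_UPRATE:
                    profile["ingress_kbps"] = num * unit_kbps   # uplink = port ingress
                elif vtype == VSA_DNRATE:
                    profile["egress_kbps"] = num * unit_kbps    # downlink = port egress
                elif vtype == VSA_PRIORITY:
                    profile["priority"] = num
                elif vtype == VSA_MAC_LIMIT:
                    profile["mac_limit"] = num
    return profile


def sample_accept():
    """Constructed Access-Accept payload with the values of section 1.3
    (Filter-Id 100, VSA 75 = 2048, VSA 76 = 1024) plus a VLAN name to show PVID."""
    return b"".join([
        attr(FILTER_ID, b"100"),
        vsa(VSA_UPRATE, struct.pack("!I", 2048)),
        vsa(VSA_DNRATE, struct.pack("!I", 1024)),
        attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00guest"),   # tag 0 + VLAN name "guest"
    ])


if __name__ == "__main__":
    print(port_profile(sample_accept(), {"guest": 100}))
```

The sample payload reproduces the example in section 1.3 (ACL 100, 2048 kbps up, 1024 kbps down) and adds a VLAN name to show the PVID path. The length checks in parse_attrs matter on a real NAS: attribute parsing runs on every packet the server (or anyone who can reach the UDP port) sends, so a length of 0 or 1 must be rejected rather than looped on.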

1.3 RADIUS Configuration Example

1.3.1 Networking and requirements

As shown in the networking diagram, the user PC is connected to switch port 0/0/1, switch port 0/0/4 is connected to the RADIUS server (the RADIUS server integrated in Windows 2003), and 802.1X authentication is enabled on port 0/0/1. The requirements are:

1. Use RADIUS authentication.
2. The user PC must be authenticated before it can access the Internet.
3. After the user passes authentication, an ACL is distributed by the RADIUS server so that the user can access the Internet but not the FTP server.
4. After the user passes authentication, bandwidth control is distributed by the RADIUS server, limiting the uplink to 2 Mbps and the downlink to 1 Mbps.

Figure: networking diagram for the RADIUS configuration example

1.3.2 Configuration steps

I. Preparation:

1) Install an 802.1X client on the PC; H3C iNode is used here.
2) Configure the switch management interface with IP address 10.5.3.235/24 and make sure the RADIUS server can be pinged:

  Switch(config)#interface vlan-interface 1
  Switch(config-if-vlanInterface-1)#ip address 10.5.3.235 255.255.255.0
  This ipaddress will be the primary ipaddress of this interface.
  Config ipaddress successfully!
  Switch(config-if-vlanInterface-1)#exit
  Switch(config)#ping 10.5.3.254
  PING 10.5.3.254: with 32 bytes of data:
  reply from 10.5.3.254: bytes=32 time<10ms TTL=128
  reply from 10.5.3.254: bytes=32 time<10ms TTL=128
  ----10.5.3.254 PING Statistics----
  2 packets transmitted, 2 packets received, 0% packet loss
  round-trip (ms) min/avg/max = 0/0/0
  Control-C

3) On the RADIUS server, add the switch as a NAS (client) with IP address 10.5.3.235 and shared key 123456.
4) On the RADIUS server, create the 802.1X user with user name test and password 123456.
5) On the RADIUS server, set Vendor-Specific sub-attribute 75 to 2048 (kbps) and sub-attribute 76 to 1024 (kbps).
6) On the RADIUS server, set the Filter-Id attribute (11) to 100.

II. On the switch, enable dot1x on port 0/0/1, configure the RADIUS scheme and domain, and configure the ACL:

  Switch(config)#dot1x method portbased interface ethernet 0/0/1          // enable 802.1X on the user port
  Switch(config)#aaa
  Switch(config-aaa)#radius host ngn                                      // create the RADIUS scheme "ngn"
  Switch(config-aaa-radius-ngn)#primary-auth-ip 10.5.3.254 1812           // authentication server IP and port
  Switch(config-aaa-radius-ngn)#primary-acct-ip 10.5.3.254 1813           // accounting server IP and port
  Switch(config-aaa-radius-ngn)#auth-secret-key 123456                    // shared key for authentication
  Switch(config-aaa-radius-ngn)#acct-secret-key 123456                    // shared key for accounting
  Switch(config-aaa-radius-ngn)#exit
  Switch(config-aaa)#radius bandwidth-limit enable                        // allow RADIUS to distribute bandwidth control
  Switch(config-aaa)#domain ngn.com
  Switch(config-aaa-domain-ngn.com)#radius host binding ngn               // bind the domain to the scheme
  Switch(config-aaa-domain-ngn.com)#state active
  Switch(config-aaa-domain-ngn.com)#exit
  Switch(config-aaa)#default domain-name enable ngn.com                   // users without a domain belong to ngn.com
  Switch(config-aaa)#exit
  Switch(config)#access-list 100 deny any 11.5.3.100 0.0.0.255            // deny the destination segment holding the FTP server (wildcard 0.0.0.255 = 11.5.3.0/24)
  Switch(config)#access-list 100 permit any any

The shared key 123456 is a lab value only; in production use a long random key that differs per NAS.

1.3.3 Result validation

Start the iNode client on the PC and enter the user name and password. After authentication succeeds, the user can reach the external network normally and the online user is listed on the switch. show dot1x radius-acl shows ACL 100 in the enable state on the user's port, and show bandwidth-control shows port 0/0/1 limited to 2048 kbps in the ingress direction and 1024 kbps in the egress direction.

  Switch(config)#show dot1x session
  port    vid   mac                 username        login time
  e0/0/1  1     c8:3a:35:d3:e3:99   test@ngn.com    2000/12/11 15:07:00
  Total [1] item(s).

Note that the user name appears as test@ngn.com although the client entered test: the default domain name was appended. The login time of 2000/12/11 shows that the switch clock was not set; set the clock (for example with NTP) so that session records and accounting data can be correlated with server logs.

  Switch(config)#show dot1x radius-acl
  The format of radius acl is string. The prefix of radius acl is assignacl-.
  Port    acl    Status
  e0/0/1  100    enable
  Total entries: 1.

  Switch(config)#show bandwidth-control interface ethernet 0/0/1
  port    Ingress bandwidth control    Egress bandwidth control
  e0/0/1  2048 kbps                    1024 kbps
  Total entries: 1.
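The following is an added example and not FSOS code or the RADIUS server's code. It hand-builds, from RFC 2865, the Access-Request / Access-Accept exchange that stands behind the example above, so that the section 1.1.3 point ("the shared key is never sent; the password is encrypted") can be seen and checked: the NAS hides the password with an MD5 keystream derived from the shared key, the server recovers and checks it, and the NAS verifies the Response Authenticator before acting on the Filter-Id the reply carries. Values taken from the guide: NAS 10.5.3.235, shared key 123456, user test@ngn.com with password 123456, Filter-Id 100. Constructed here: the Request Authenticator (random per request), the packet Identifier, the toy server's user table, and the tampering case.

```python
# Added example (not FSOS or RADIUS-server code): the Access-Request /
# Access-Accept round of section 1.3, built from RFC 2865. Guide values:
# NAS 10.5.3.235, shared key 123456, user test@ngn.com / 123456, Filter-Id 100.
# Constructed: Request Authenticator, Identifier, server user table, tampering.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-octet blocks; XOR each block with
    MD5(secret + previous ciphertext block), the first with MD5(secret + RA).
    Reversible by anyone holding the secret, so the secret itself never travels."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs))
                       + req_auth + attrs + secret).digest()


def nas_build_request(ident, req_auth, username, password, nas_ip, secret):
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(request, secret, users):
    """Toy server: recover the password, check it, answer Accept (+Filter-Id) or Reject."""
    code, ident, length = struct.unpack_from("!BBH", request)
    req_auth, pos, fields = request[4:20], 20, {}
    while pos < length:
        atype, alen = struct.unpack_from("!BB", request, pos)
        fields[atype] = request[pos + 2:pos + alen]
        pos += alen
    if users.get(fields[USER_NAME]) == reveal_password(fields[USER_PASSWORD], secret, req_auth):
        code, attrs = ACCESS_ACCEPT, attr(FILTER_ID, b"100")
    else:
        code, attrs = ACCESS_REJECT, b""
    return packet(code, ident, response_authenticator(code, ident, req_auth, attrs, secret), attrs)


def nas_check_response(response, req_auth, secret):
    """Recompute the Response Authenticator. This MD5 over the reply and the secret
    is all that binds the reply (and the ACL it carries) to our request and key;
    RFC 2865 says a reply that fails it must be silently discarded."""
    code, ident, length = struct.unpack_from("!BBH", response)
    expected = response_authenticator(code, ident, req_auth, response[20:length], secret)
    return hmac.compare_digest(response[4:20], expected)


def run_exchange(password=b"123456", server_secret=b"123456", tamper=False):
    """Return (reply code, authenticator valid) for one request/response round."""
    nas_secret, req_auth = b"123456", os.urandom(16)
    req = nas_build_request(7, req_auth, b"test@ngn.com", password, "10.5.3.235", nas_secret)
    resp = server_handle(req, server_secret, {b"test@ngn.com": b"123456"})
    if tamper:   # on-path change of the last Filter-Id octet: "100" -> "101"
        resp = resp[:-1] + bytes([resp[-1] ^ 1])
    return resp[0], nas_check_response(resp, req_auth, nas_secret)


if __name__ == "__main__":
    print(run_exchange(), run_exchange(password=b"wrong"),
          run_exchange(server_secret=b"other"), run_exchange(tamper=True))
```

The tampering case is the one to take away: an Access-Accept whose Filter-Id was changed in transit still carries code 2, so a NAS that skipped the authenticator check would install the wrong ACL. Both the password hiding and the authenticator rest on MD5 and a static shared key, and a plain Access-Request carries no integrity protection of its own unless a Message-Authenticator attribute (RFC 2869) is present; the 2024 Blast-RADIUS attack (CVE-2024-3596) showed that the Response Authenticator can be forged for requests lacking it. With 802.1X the EAP exchange adds Message-Authenticator, but the shared key and the UDP path still warrant a long random key per NAS and an isolated management network or RadSec.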