
Configuring a RADIUS Server

This section describes how to set parameters for a FW to communicate with a RADIUS server or SecurID server.

Context

If a RADIUS server is deployed to authenticate users, a FW sends the user names and passwords to the RADIUS server. For the FW and the RADIUS server to communicate normally, set the following parameters on the FW.

Procedure

  1. Choose Object > Authentication Server > RADIUS.
  2. Click Add.

  3. Set the parameters for communication with a RADIUS server.

    The parameters on the FW must be consistent with those on the RADIUS server.

    Parameter / Description

    Name
      Name of a RADIUS server. The RADIUS server name must be unique.

    Shared Key
      Shared key for the communication between a FW and a RADIUS server. The FW and RADIUS server use this key to encrypt packets.

    Primary Authentication Server IP Address/Port/Outgoing Interface
      IP address and port of the primary RADIUS server that provides authentication services, and the outgoing interface through which the FW communicates with that server. The outgoing interface can be a loopback or VLANIF interface.
      Normally, a RADIUS server provides authentication services on port 1812.
      If an outgoing interface is configured, ensure that the client IP address configured for the FW on the RADIUS server matches the IP address of that interface.

    Secondary Authentication Server IP Address/Port/Outgoing Interface
      IP address and port of the secondary RADIUS server that provides authentication services, and the outgoing interface through which the FW communicates with that server. The outgoing interface can be a loopback or VLANIF interface.
      A FW preferentially communicates with the primary RADIUS server. If the primary RADIUS server is unreachable, the FW communicates with the secondary RADIUS server.

    Primary Accounting Server IP Address/Port/Outgoing Interface
      IP address and port of the primary RADIUS server that provides accounting services, and the outgoing interface through which the FW communicates with that server. The outgoing interface can be a loopback or VLANIF interface.
      Normally, a RADIUS server provides accounting services on port 1813.
      If an outgoing interface is configured, ensure that the client IP address configured for the FW on the RADIUS server matches the IP address of that interface.

    Secondary Accounting Server IP Address/Port/Outgoing Interface
      IP address and port of the secondary RADIUS server that provides accounting services, and the outgoing interface through which the FW communicates with that server. The outgoing interface can be a loopback or VLANIF interface.
      A FW preferentially communicates with the primary RADIUS server. If the primary RADIUS server is unreachable, the FW communicates with the secondary RADIUS server.

    Advanced Settings

    Retransmission Attempts
      Maximum number of request retransmission attempts on a FW. If the FW sends a request packet to the RADIUS server but does not receive a reply packet within the specified timeout period, the FW retransmits the request packet. When the number of retransmission attempts reaches the specified value, the FW considers the RADIUS server to have failed.

    Unit
      Traffic unit a RADIUS server uses for charging:
      • Byte
      • KB
      • MB
      • GB

    Reply Timeout
      Duration for which a FW waits for a reply packet from a RADIUS server. To check whether a RADIUS server has failed, the FW periodically sends a request packet to the RADIUS server. If the FW does not receive a reply packet within the specified timeout period, it retransmits the request packet.

    NAS Port
      Type of the NAS port on a RADIUS server:
      • Old: The port format is "slot ID (12 bits) + port number (8 bits) + VLAN ID (12 bits)".
      • New: The port format is "slot ID (8 bits) + subslot ID (4 bits) + port number (8 bits) + VLAN ID (12 bits)".

    NAS Port ID
      ID format of the NAS port on a RADIUS server:
      • Old: The format of the NAS port ID is "port number (2 characters) + subslot ID (2 bytes) + card ID (3 bytes) + VLAN ID (9 characters)" for Ethernet users. If a field is shorter than the required length, it is padded with leading 0s.
      • New: The NAS port ID of an Ethernet user is in the format "slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx", in which the slot ID ranges from 0 to 15, the subslot ID from 0 to 15, the port from 0 to 255, and the VLAN ID from 1 to 4094.
        In this case, you can select Enable ending semicolon to append a semicolon (;) to the end of the NAS port ID.

    User Name Format
      • Without Authentication Domain: the user name in the packet sent by the FW to the RADIUS server does not contain the name of the authentication domain. If the user names on the RADIUS server do not contain @, select this item.
      • Include Authentication Domain: the user name in the packet sent by the FW to the RADIUS server contains the name of the authentication domain. If the user names on the RADIUS server contain @, select this item.
      • Entered User Name: the user name in the packet sent by the FW to the RADIUS server is exactly the one entered by the user; the FW does not change it. In this case, ensure that the user name entered by the user is the same as the one on the RADIUS server. For example, if the user name on the RADIUS server is test@huawei, the user needs to enter test@huawei; if the user name on the RADIUS server is test, the user needs to enter test.

  4. Click Test. In the dialog box that is displayed, click OK, enter the user name and password, and select PAP or CHAP as the authentication mode. Click Start to test the connectivity to the RADIUS server.

    After the connectivity test succeeds, click Cancel.

  5. Click OK.
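The Shared Key row above says the FW and the RADIUS server use the key to encrypt packets, and the Test step sends a PAP or CHAP request to confirm the two sides agree. The following added example (written for this page, not Huawei's code or the RADIUS server's) shows what the shared key actually does on the wire for a PAP Access-Request as defined in RFC 2865: it masks the User-Password attribute and it signs the server's reply, so a key mismatch surfaces as a reply the FW must reject. The key, user, password and NAS address are constructed placeholders, and toy_server stands in for the real RADIUS server.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed placeholders for this example; real values come from the FW and RADIUS configuration.
SHARED_KEY = b"example-shared-key"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR block i with MD5(secret + block i-1);
    the first block is keyed by the Request Authenticator, so the mask differs per request."""
    pad = (-len(password)) % 16
    padded = password + b"\x00" * (pad if password else 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value attributes; Length counts the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """Returns (packet, request_auth). The Request Authenticator must be unpredictable:
    it keys the password mask and binds the server's reply to this request."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret):
    """The check the NAS performs before trusting a reply. Raises ValueError when the
    Response Authenticator does not match: the two shared keys differ, or the reply was
    not produced by a holder of the key for this exact request."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length mismatch")
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    return code


def toy_server(packet, secret, users):
    """Constructed stand-in for the RADIUS server: unmask the password with its own copy
    of the key and answer Access-Accept or Access-Reject."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    return build_response(code, ident, request_auth, secret)


def pap_exchange(username, password, fw_key, server_key, users):
    """One PAP round trip like the Test button's; returns the verified reply code."""
    packet, request_auth = build_access_request(7, username, password, fw_key, "192.0.2.1")
    reply = toy_server(packet, server_key, users)
    return verify_response(reply, request_auth, fw_key)
```

Running pap_exchange with the same key on both sides yields Access-Accept or Access-Reject depending on the credentials; giving the FW and the server different keys makes verify_response raise, which is the behaviour behind the page's note that the parameters on the FW must be consistent with those on the RADIUS server. Note that only the password attribute is masked and only the reply is authenticated; the user name and the rest of the request travel in the clear, which is why the outgoing interface and client address are worth pinning down.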
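The NAS Port and NAS Port ID rows describe two bit layouts and two string layouts without showing a value. The following added example (written for this page, not Huawei's code) packs and unpacks the NAS-Port integer in both formats and builds the NAS-Port-Id string in both formats, with the ranges the page gives enforced rather than silently truncated. The sample slot, port and VLAN values are constructed, and the Old NAS-Port-Id builder assumes that each width the page states (in characters or bytes) is a count of decimal characters.

```python
def _check(name, value, lo, hi):
    """Reject values outside the field's range instead of silently truncating bits."""
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}..{hi}")
    return value


def nas_port_old(slot, port, vlan):
    """Old NAS-Port: slot ID (12 bits) + port number (8 bits) + VLAN ID (12 bits)."""
    return ((_check("slot", slot, 0, 0xFFF) << 20) | (_check("port", port, 0, 0xFF) << 12)
            | _check("vlan", vlan, 0, 0xFFF))


def nas_port_new(slot, subslot, port, vlan):
    """New NAS-Port: slot ID (8 bits) + subslot ID (4 bits) + port number (8 bits) + VLAN ID (12 bits)."""
    return ((_check("slot", slot, 0, 0xFF) << 24) | (_check("subslot", subslot, 0, 0xF) << 20)
            | (_check("port", port, 0, 0xFF) << 12) | _check("vlan", vlan, 0, 0xFFF))


def decode_nas_port(value, fmt):
    """Split a NAS-Port value back into fields, as when reading accounting records.
    The same number decodes differently under the two formats, so the FW setting must be known."""
    if fmt == "old":
        return {"slot": value >> 20 & 0xFFF, "port": value >> 12 & 0xFF, "vlan": value & 0xFFF}
    if fmt == "new":
        return {"slot": value >> 24 & 0xFF, "subslot": value >> 20 & 0xF,
                "port": value >> 12 & 0xFF, "vlan": value & 0xFFF}
    raise ValueError(f"unknown format {fmt!r}")


def nas_port_id_old(port, subslot, card, vlan):
    """Old NAS-Port-Id for Ethernet users: port (2) + subslot (2) + card (3) + VLAN ID (9),
    each left-padded with 0s. Assumption: every width is a count of decimal characters."""
    return f"{port:02d}{subslot:02d}{card:03d}{vlan:09d}"


def nas_port_id_new(slot, subslot, port, vlan, ending_semicolon=False):
    """New NAS-Port-Id "slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx" with the page's ranges;
    ending_semicolon mirrors the Enable ending semicolon option."""
    _check("slot", slot, 0, 15)
    _check("subslot", subslot, 0, 15)
    _check("port", port, 0, 255)
    _check("vlan", vlan, 1, 4094)
    text = f"slot={slot:02d}; subslot={subslot:02d}; port={port:03d}; VLAN ID={vlan:04d}"
    return text + ";" if ending_semicolon else text
```

The decode_nas_port helper makes the practical point: a value written in the Old layout for slot 1, port 2, VLAN 100 reads as slot 0, subslot 1, port 2, VLAN 100 under the New layout, so the format chosen here and the format the RADIUS server parses must agree for accounting and access-policy matching to be correct.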
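The Retransmission Attempts and Reply Timeout rows, together with the primary/secondary server pairs, decide how long a login can hang when a server is down. The following added example (written for this page, not Huawei's code) models that interaction with a constructed transport in place of real sockets, so the worst-case wait can be computed before the values are chosen. It assumes that the configured attempt count includes the first transmission, which the page does not state.

```python
from typing import Callable, List, Optional, Tuple


def query_with_failover(servers: List[str], send: Callable[[str, int], Optional[bytes]],
                        attempts: int, timeout: float) -> Tuple[Optional[str], list, float]:
    """Send to each server in order; a server that answers none of its `attempts`
    transmissions is considered failed and the next one is tried.
    Returns (server that answered or None, list of (server, attempt) sends, seconds waited).
    Assumption: `attempts` counts the first transmission as well as the retransmissions."""
    sends, waited = [], 0.0
    for server in servers:
        for attempt in range(1, attempts + 1):
            sends.append((server, attempt))
            if send(server, attempt) is not None:
                return server, sends, waited
            waited += timeout  # every unanswered transmission costs one Reply Timeout


    return None, sends, waited


def worst_case_wait(server_count: int, attempts: int, timeout: float) -> float:
    """Longest a single authentication can stall before the FW gives up on every server."""
    return server_count * attempts * timeout


def primary_down_transport(server: str, attempt: int) -> Optional[bytes]:
    """Constructed transport: the primary never answers, the secondary answers at once."""
    return None if server == "primary" else b"Access-Accept"


def all_down_transport(server: str, attempt: int) -> Optional[bytes]:
    """Constructed transport: nobody answers."""
    return None


def demo():
    """Primary unreachable, 3 attempts, 5 s timeout: the secondary answers after 15 s."""
    return query_with_failover(["primary", "secondary"], primary_down_transport, attempts=3, timeout=5.0)
```

With two servers, three attempts and a five-second timeout the secondary is only consulted after fifteen seconds, and a user whose request reaches a FW with both servers down waits thirty seconds before the FW declares failure; choosing these values is therefore a trade-off between tolerating a slow server and keeping the connectivity test (and every user login) responsive.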
Copyright © Huawei Technologies Co., Ltd.