
Configuring RADIUS SSO

This section describes how to configure RADIUS Single Sign-On (SSO).

Context

To implement RADIUS SSO, a RADIUS server and a NAS must have been deployed on the network, and the FW must be able to receive the RADIUS accounting packets exchanged between the NAS and RADIUS server. If these accounting packets do not pass through the FW, they must be mirrored to the FW.

If the packets exchanged between the user and NAS or between the NAS and RADIUS server need to pass through the FW, configure an authentication policy not to authenticate these packets and ensure that the security policies on the FW can permit these packets.

If a user is authenticated by the RADIUS server and the user information exists on the FW, the FW still verifies user attributes, such as the user status, expiration time, IP address binding, and whether users are allowed to share this account. Only the user who succeeds in the attribute verification can access network resources. For example, a user who is locked out cannot access network resources within the lockout duration even if the user is authenticated by the RADIUS server.

Procedure

  1. Access the RADIUS SSO view from the system view.

    user-manage single-sign-on radius

  2. Optional: Configure the RADIUS SSO working mode.

    mode { in-path | out-of-path | optical-splitter }

    • in-path: indicates that the RADIUS SSO working mode is in-line mode. The FW is deployed between the NAS and RADIUS server and can directly obtain RADIUS accounting packets between them.
    • out-of-path: indicates that the RADIUS SSO working mode is off-line mode. The FW is connected in off-line mode to the NAS to receive the accounting packets that the NAS proactively sends to the FW. This working mode requires that the NAS be able to send accounting packets to the FW.
    • optical-splitter: indicates that the RADIUS SSO working mode is optical splitting (mirroring) mode. The FW must use switch mirroring or optical splitting to obtain the mirrored accounting packets.

    The default RADIUS SSO working mode is off-line mode.

  3. Optional: Set the shared key to encrypt communication packets between the FW and NAS.

    shared-key shared-key

    This command applies only when the RADIUS SSO working mode is off-line. In such cases, the FW needs to exchange packets with the NAS.

  4. Configure the interface on the FW that receives RADIUS accounting packets (with destination ports 1813 and 1646).

    interface interface-type interface-number

    The interface can be a Layer-2 physical interface, Layer-3 physical interface, subinterface of a Layer-2 or Layer-3 physical interface, Layer-2 Eth-Trunk interface, Layer-3 Eth-Trunk interface, or subinterface of a Layer-2 or Layer-3 Eth-Trunk interface.

    The management port (MEth 0/0/0 or GigabitEthernet 0/0/0) cannot receive mirrored packets.

    In mirroring mode, interfaces can receive only RADIUS packets and discard other packets.

    In in-path and out-of-path modes, interfaces can receive RADIUS packets and forward other packets.

  5. Specify the traffic to be analyzed by RADIUS SSO.

    traffic server-ip ipv4-address port port-number

    server-ip is the IP address of the RADIUS server, and port-number is the accounting port (usually 1813 or 1646) of the RADIUS server.

  6. Optional: Configure a RADIUS SSO user to log in to the FW with the MAC address as the user name.

    login-method ip-mac

    Before using this function, you must create a local user whose MAC address serves as the user name on the FW. Otherwise, the RADIUS SSO user must use the authenticated user name to log in.

  7. Optional: Configure the RADIUS attribute as a security group.

    user-manage radius-attribute-id [ vendor-specific ] radius-attribute-id define-as security-group [ delimiter delimiter ]

    Run this command if you need to map a RADIUS attribute to a security group and apply policy control based on that security group.

  8. Enable RADIUS SSO.

    enable

    Do not run the command user-trace enable in the RADIUS SSO view unless necessary. This command enables the mobile phone user source tracing function so that the session logs sent from the FW can contain the mobile phone number. After you enable this function, the RADIUS SSO function for Internet access users no longer works: users are not added to the online user table, and the FW cannot perform user-specific policy control.

  9. Optional: Configure RADIUS SSO information synchronization. For details, see Configuring Online User Information Synchronization.
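
The following added example (not Huawei's code, and not part of the original page) illustrates in Python what a RADIUS SSO listener does with the accounting packets once the procedure above is in place: it keeps only packets addressed to the configured accounting server and port (the `traffic server-ip ... port` filter), validates the Request Authenticator with the shared key as defined in RFC 2866 (the role of `shared-key` in off-line mode), and builds an IP-to-user online table from Accounting-Request Start, Interim-Update and Stop messages. The shared key, server address and packets are constructed values chosen for the example; the packet builder is included only to produce sample input offline.

```python
"""Illustration of RADIUS SSO accounting-packet handling (RFC 2866).
Added example; not Huawei's implementation. All keys, addresses and
packets below are constructed for the demonstration."""
import hashlib
import hmac
import ipaddress
import struct

# RFC 2866 constants.
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3

# Constructed stand-ins for the values set by `shared-key` and
# `traffic server-ip ... port` (assumptions, not deployment values).
SHARED_KEY = b"example-shared-key"
RADIUS_SERVER = ("192.0.2.10", 1813)


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    """Decode RADIUS TLV attributes, rejecting truncated or zero-length ones."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        out.append((t, body[i + 2:i + length]))
        i += length
    return out


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request as a NAS would (used here to create samples).
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


class RadiusSsoTable:
    """Online-user table driven by accounting packets seen by the listener."""

    def __init__(self, secret, server):
        self.secret = secret
        self.server = server
        self.online = {}  # framed IP -> (user name, Acct-Session-Id)

    def handle(self, dst, packet):
        # Traffic filter: only packets sent to the configured accounting server/port.
        if dst != self.server:
            return "ignored"
        if len(packet) < 20:
            return "dropped"
        code, _ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCOUNTING_REQUEST or length != len(packet):
            return "dropped"
        authenticator, body = packet[4:20], packet[20:]
        # Shared-key check: a packet not authenticated with our key is not trusted.
        expected = hashlib.md5(packet[:4] + bytes(16) + body + self.secret).digest()
        if not hmac.compare_digest(authenticator, expected):
            return "bad-authenticator"
        try:
            fields = dict(parse_attrs(body))
        except ValueError:
            return "dropped"
        if len(fields.get(ATTR_ACCT_STATUS_TYPE, b"")) != 4:
            return "dropped"
        status = struct.unpack("!I", fields[ATTR_ACCT_STATUS_TYPE])[0]
        user = fields.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
        session = fields.get(ATTR_ACCT_SESSION_ID, b"").decode("ascii", "replace")
        ip_raw = fields.get(ATTR_FRAMED_IP_ADDRESS)
        if ip_raw is None or len(ip_raw) != 4:
            return "dropped"  # nothing to bind the user to
        ip = str(ipaddress.IPv4Address(ip_raw))
        if status in (STATUS_START, STATUS_INTERIM):
            self.online[ip] = (user, session)
            return "start" if status == STATUS_START else "interim"
        if status == STATUS_STOP:
            # Only the session that owns the IP may take it offline, so a stale
            # Stop for a reused address does not evict the current user.
            if self.online.get(ip, (None, None))[1] == session:
                del self.online[ip]
                return "stop"
            return "stale-stop"
        return "dropped"


def demo():
    """Run a constructed Start / wrong-key / Stop sequence; return the observations."""
    table = RadiusSsoTable(SHARED_KEY, RADIUS_SERVER)
    alice = [(ATTR_USER_NAME, b"alice"),
             (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.5").packed),
             (ATTR_ACCT_SESSION_ID, b"sess-1")]
    start_attr = [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", STATUS_START))]
    stop_attr = [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", STATUS_STOP))]
    start = build_accounting_request(1, alice + start_attr, SHARED_KEY)
    wrong_key = build_accounting_request(2, alice + stop_attr, b"wrong-key")
    stop = build_accounting_request(3, alice + stop_attr, SHARED_KEY)
    return [
        table.handle(RADIUS_SERVER, start), dict(table.online),
        table.handle(("192.0.2.10", 1812), start),  # auth port, not in the filter
        table.handle(RADIUS_SERVER, wrong_key), dict(table.online),
        table.handle(RADIUS_SERVER, stop), dict(table.online),
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The sequence in `demo()` shows why the three settings matter together: the traffic filter discards packets to the authentication port, a Stop built with the wrong shared key is rejected before it can alter the table, and only a correctly authenticated Stop for the owning session removes the user from the online table.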
Copyright © Huawei Technologies Co., Ltd.