H3C Technologies H3C S5120 Series Switches User Manual

Page 405


Table of Contents

1 AAA Configuration

Introduction to AAA

Introduction to RADIUS

Client/Server Model

Security and Authentication Mechanisms

Basic Message Exchange Process of RADIUS

RADIUS Packet Format

Extended RADIUS Attributes

Protocols and Standards

AAA Configuration Task List

AAA Configuration Task List

RADIUS Configuration Task List

Configuring AAA

Configuration Prerequisites

Creating an ISP Domain

Configuring ISP Domain Attributes

Configuring AAA Authentication Methods for an ISP Domain

Configuring AAA Authorization Methods for an ISP Domain

Configuring AAA Accounting Methods for an ISP Domain

Configuring Local User Attributes

Configuring User Group Attributes

Tearing down User Connections Forcibly

Configuring a NAS ID-VLAN Binding

Displaying and Maintaining AAA

Configuring RADIUS

Creating a RADIUS Scheme

Specifying the RADIUS Authentication/Authorization Servers

Specifying the RADIUS Accounting Servers and Relevant Parameters

Setting the Shared Key for RADIUS Packets

Setting the Upper Limit of RADIUS Request Retransmission Attempts

Setting the Supported RADIUS Server Type

Setting the Status of RADIUS Servers

Configuring Attributes Related to Data to Be Sent to the RADIUS Server

Enabling the RADIUS Trap Function

Specifying the Source IP Address for RADIUS Packets to Be Sent

Setting Timers Regarding RADIUS Servers

Configuring RADIUS Accounting-On

Enabling the Listening Port of the RADIUS Client

Displaying and Maintaining RADIUS

AAA Configuration Examples

AAA for Telnet Users by Separate Servers

AAA for SSH Users by a RADIUS Server

AAA for 802.1X Users by a RADIUS Server
