November 21, 2024

AAA Configuration Huawei OLT by Radius protocol

Today I will show how to configure AAA on a Huawei OLT using the RADIUS protocol.

Service Requirements:

  • The RADIUS server performs authentication and accounting for users in the ISP1 domain.
  • The RADIUS server with the IP address 10.10.10.10 functions as the primary server for authentication and accounting.
  • The RADIUS server with the IP address 10.10.10.11 functions as the secondary server for authentication and accounting.
  • The authentication port number is 1812, and the accounting port number is 1813.
  • Other parameters adopt the default settings.

Topology Diagram:

The figure below shows an example network diagram of the RADIUS authentication and accounting application.

[Figure: Topology diagram for AAA configuration of a Huawei OLT by the RADIUS protocol]

Procedure:

Step 1: Configure the authentication scheme.

NOTE:
- The authentication scheme specifies how all the users in an ISP1 domain are authenticated.
- The system supports up to 16 authentication schemes. The system has a default accounting scheme named default. It can only be modified, but cannot be deleted.

  • 1. Run the aaa command to enter the AAA mode.
  • 2. Run the authentication-scheme command to add an authentication scheme.
  • 3. Run the authentication-mode radius command to configure the authentication mode of the authentication scheme.
  • 4. Run the quit command to return to the AAA mode.

Configuration Example of authentication scheme:

Configure authentication scheme named newscheme (users are authenticated through RADIUS).

Huawei-OLT(config)#aaa
Huawei-OLT(config-aaa)#authentication-scheme newscheme
Info: Create a new authentication scheme
Huawei-OLT(config-aaa-authen-newscheme)#authentication-mode radius
Huawei-OLT(config-aaa-authen-newscheme)#quit

Step 2: Configure the accounting scheme.

NOTE:
- The accounting scheme specifies how all the users in an ISP1 domain are charged.
- The system supports up to 128 accounting schemes. The system has a default accounting scheme named default. It can be modified, but cannot be deleted.

  • 1. In the AAA mode, run the accounting-scheme command to add an AAA accounting scheme.
  • 2. Run the accounting-mode radius command to configure the accounting mode.
  • 3. Run the accounting interim interval command to set the interval of real-time accounting. By default, the interval is 0 minutes, that is, the real-time accounting is not performed.
  • 4. Run the quit command to return to the AAA mode.

Configuration Example of accounting scheme:

Configure an accounting scheme named newscheme (users are charged through RADIUS) with a real-time accounting interval of 10 minutes.

Huawei-OLT(config-aaa)#accounting-scheme newscheme
Info: Create a new accounting scheme
Huawei-OLT(config-aaa-accounting-newscheme)#accounting-mode radius
Huawei-OLT(config-aaa-accounting-newscheme)#accounting interim interval 10
Huawei-OLT(config-aaa-accounting-newscheme)#quit
Huawei-OLT(config-aaa)#quit

Step 3: Configure the RADIUS server template.

  • 1. Run the radius-server template command to create a RADIUS server template and enter the RADIUS server template mode.
  • 2. Run the radius-server authentication command to configure the IP address and the UDP port ID of the RADIUS server for authentication.

NOTE:
- To guarantee normal communication between the MA5600T/MA5603T/MA5608T and the RADIUS server, make sure that the route between the RADIUS server and the MA5600T/MA5603T/MA5608T is in the normal state before configuring the IP address and UDP port of the RADIUS server.
- Make sure that the RADIUS service port configured on the MA5600T/MA5603T/MA5608T is consistent with the port configuration of the RADIUS server.

  • 3. Run the radius-server accounting command to configure the IP address and the UDP port ID of the RADIUS server for accounting.
  • 4. Run the radius-server shared-key command to configure the shared key of the RADIUS server.

NOTE:
- The RADIUS client (MA5600T/MA5603T/MA5608T) and the RADIUS server use the MD5 algorithm to encrypt the RADIUS packets. They check the validity of the packets by setting the encryption key. They can receive the packets from each other and can respond to each other only when their keys are the same.
- By default, the shared key of the RADIUS server is huawei.

  • 5. (Optional) Run the radius-server timeout command to set the response timeout of the RADIUS server. By default, the timeout is 5s. The MA5600T/MA5603T/MA5608T sends request packets to the RADIUS server. If the RADIUS server does not respond within the response timeout, the MA5600T/MA5603T/MA5608T re-transmits the request packets to the RADIUS server to ensure that users can get the corresponding services from it.
  • 6. (Optional) Run the radius-server retransmit command to set the maximum number of re-transmissions of RADIUS request packets. By default, the maximum is 3. When the number of re-transmissions to a RADIUS server exceeds this maximum, the MA5600T/MA5603T/MA5608T considers its communication with that RADIUS server interrupted and therefore transmits the RADIUS request packets to another RADIUS server.
  • 7. Run the radius-server user-name domain-included command (or its undo form) to configure whether the user name carries the domain name when transmitted to the RADIUS server. By default, the user name sent to the RADIUS server carries the domain name.

- An access user is named in the format userid@domain-name, and the part after @ is the domain name. The MA5600T/MA5603T/MA5608T classifies a user into a domain according to the domain name.
- If a RADIUS server group rejects user names carrying the domain name, the RADIUS server group cannot be set or used in two or more domains. Otherwise, when access users in different domains have the same user name, the RADIUS server considers these users to be the same because the names transmitted to the server are identical.

  • 8. Run the quit command to return to the global config mode.

Configuration Example of RADIUS server template:

Create RADIUS server template named radtest with the RADIUS server 10.10.10.10 as the primary authentication and accounting server, and the RADIUS server 10.10.10.11 as the secondary authentication and accounting server.

Huawei-OLT(config)#radius-server template radtest
Note: Create a new server template
Huawei-OLT(config-radius-radtest)#radius-server authentication 10.10.10.10 1812
Huawei-OLT(config-radius-radtest)#radius-server authentication 10.10.10.11 1812 secondary
Huawei-OLT(config-radius-radtest)#radius-server accounting 10.10.10.10 1813
Huawei-OLT(config-radius-radtest)#radius-server accounting 10.10.10.11 1813 secondary
Huawei-OLT(config-radius-radtest)#quit
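The shared-key note above (step 4) and the domain-included user name (step 7) are easiest to understand at the packet level. The following is an added example, not code from the page or from Huawei: it builds the Access-Request the OLT would send for user1@isp1, hides the password per RFC 2865, and shows the Response Authenticator check the client performs with its shared key. The key, request authenticator and packet identifier are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for the example. The key is the page's stated default;
# an operator replaces it with radius-server shared-key in the template.
SHARED_KEY = b"huawei"
REQ_AUTH = bytes(range(16))        # Request Authenticator (random in real traffic)

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR 16-byte chunks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(ident, username, password, secret, req_auth=REQ_AUTH):
    """Access-Request as the OLT sends it (User-Name carries the domain by default)."""
    attrs = bytes([1, 2 + len(username)]) + username          # User-Name (type 1)
    hidden = hide_password(password, secret, req_auth)
    attrs += bytes([2, 2 + len(hidden)]) + hidden              # User-Password (type 2)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + req_auth + attrs + secret).digest()

def build_response(code, ident, attrs, req_auth, secret):
    """Server side: Access-Accept (2) or Access-Reject (3) with its authenticator."""
    auth = response_authenticator(code, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, req_auth, secret):
    """Client side: the OLT accepts the reply only if its own key reproduces
    the authenticator; a key mismatch or an altered packet fails here."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], req_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

A reply signed with a different key is silently dropped by the client, which is why a key mismatch between the template and the server shows up as a timeout rather than a reject.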

Step 4: Create a domain.

A domain is a group of users of the same type.

- In the user name format userid@domain-name (for example, shahed@huawei.net), “userid” is the user name used for authentication and “domain-name”, the part after “@”, is the domain name.
- The domain name for user login cannot exceed 15 characters, and other domain names cannot exceed 20 characters.

  • 1. Run the aaa command to enter the AAA mode.
  • 2. In the AAA mode, run the domain command to create a domain.

Configuration Example of domain name:

Create a domain named isp1.

Huawei-OLT(config)#aaa
Huawei-OLT(config-aaa)#domain isp1
Info: Create a new domain

Step 5: Use the authentication scheme.

- You can use an authentication scheme in a domain only after the authentication scheme is created.
- In the domain mode, run the authentication-scheme command to use the authentication scheme.

Configuration Example of authentication scheme:

Huawei-OLT(config-aaa-domain-isp1)#authentication-scheme newscheme

Step 6: Use the accounting scheme.

- You can use an accounting scheme in a domain only after the accounting scheme is created.
- In the domain mode, run the accounting-scheme command to use the accounting scheme.

Configuration Example of accounting scheme:

Huawei-OLT(config-aaa-domain-isp1)#accounting-scheme newscheme

Step 7: Use the RADIUS server template.

NOTE:
You can use a RADIUS server template in a domain only after the RADIUS server template is created.

  • 1. In the domain mode, run the radius-server template command to use the RADIUS server template.
  • 2. Run the quit command to return to the AAA mode.

Configuration Example of RADIUS server template use:

Huawei-OLT(config-aaa-domain-isp1)#radius-server radtest
Huawei-OLT(config-aaa-domain-isp1)#quit

Example of full AAA Configuration Huawei OLT:

  • User1 in the isp1 domain adopts the RADIUS protocol for authentication and accounting.
  • The accounting interval is 10 minutes, the authentication password is a123456.
  • RADIUS server 10.10.10.10 functions as the primary authentication and accounting server.
  • RADIUS server 10.10.10.11 functions as the standby authentication and accounting server.
  • On the RADIUS server, the authentication port ID is 1812, accounting port ID 1813, and other parameters adopt the default values.

To perform the preceding configuration, do as follows:

Huawei-OLT(config)#aaa
Huawei-OLT(config-aaa)#authentication-scheme newscheme
Huawei-OLT(config-aaa-authen-newscheme)#authentication-mode radius
Huawei-OLT(config-aaa-authen-newscheme)#quit
Huawei-OLT(config-aaa)#accounting-scheme newscheme
Huawei-OLT(config-aaa-accounting-newscheme)#accounting-mode radius
Huawei-OLT(config-aaa-accounting-newscheme)#accounting interim interval 10
Huawei-OLT(config-aaa-accounting-newscheme)#quit
Huawei-OLT(config)#radius-server template radtest
Huawei-OLT(config-radius-radtest)#radius-server authentication 10.10.10.10 1812
Huawei-OLT(config-radius-radtest)#radius-server authentication 10.10.10.11 1812 secondary
Huawei-OLT(config-radius-radtest)#radius-server accounting 10.10.10.10 1813
Huawei-OLT(config-radius-radtest)#radius-server accounting 10.10.10.11 1813 secondary
Huawei-OLT(config-radius-radtest)#quit
Huawei-OLT(config)#aaa
Huawei-OLT(config-aaa)#domain isp1
Huawei-OLT(config-aaa-domain-isp1)#authentication-scheme newscheme
Huawei-OLT(config-aaa-domain-isp1)#accounting-scheme newscheme
Huawei-OLT(config-aaa-domain-isp1)#radius-server radtest
Huawei-OLT(config-aaa-domain-isp1)#quit
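To check a configuration like the one above against the service requirements before it goes live, the following added script (not part of the page or of Huawei's software) replays a CLI transcript in order and reports when a domain uses a scheme or template that has not been created yet, when interim accounting is still at the default 0, and when a template lacks a primary or secondary server on UDP 1812/1813. The sample transcript is a constructed condensation of the page's configuration.

```python
import re
PROMPT = re.compile(r"^Huawei-OLT\((?P<mode>[^)]*)\)#(?P<cmd>.*)$")
# Constructed sample: the essential lines of the page's configuration (quit lines omitted).
SAMPLE = """
Huawei-OLT(config-aaa)#authentication-scheme newscheme
Huawei-OLT(config-aaa)#accounting-scheme newscheme
Huawei-OLT(config-aaa-accounting-newscheme)#accounting interim interval 10
Huawei-OLT(config)#radius-server template radtest
Huawei-OLT(config-radius-radtest)#radius-server authentication 10.10.10.10 1812
Huawei-OLT(config-radius-radtest)#radius-server authentication 10.10.10.11 1812 secondary
Huawei-OLT(config-radius-radtest)#radius-server accounting 10.10.10.10 1813
Huawei-OLT(config-radius-radtest)#radius-server accounting 10.10.10.11 1813 secondary
Huawei-OLT(config-aaa-domain-isp1)#authentication-scheme newscheme
Huawei-OLT(config-aaa-domain-isp1)#accounting-scheme newscheme
Huawei-OLT(config-aaa-domain-isp1)#radius-server radtest
""".strip().splitlines()

def check_config(lines):
    """Replay the transcript in order; the prompt tells us the mode. Returns findings (empty = OK)."""
    authen, acct, tmpl, bound, findings = set(), {}, {}, {}, []
    known = {"authentication-scheme": authen, "accounting-scheme": acct, "radius-server": tmpl}
    for line in lines:
        m = PROMPT.match(line.strip())
        if not m:
            continue
        mode, cmd = m.group("mode"), m.group("cmd").split()
        if mode == "config-aaa" and cmd[:1] == ["authentication-scheme"]:
            authen.add(cmd[1])
        elif mode == "config-aaa" and cmd[:1] == ["accounting-scheme"]:
            acct.setdefault(cmd[1], 0)          # interim interval defaults to 0 (off)
        elif mode.startswith("config-aaa-accounting-") and cmd[:2] == ["accounting", "interim"]:
            acct[mode[len("config-aaa-accounting-"):]] = int(cmd[3])
        elif mode == "config" and cmd[:2] == ["radius-server", "template"]:
            tmpl.setdefault(cmd[2], [])
        elif mode.startswith("config-radius-") and cmd[:2] in (["radius-server", "authentication"], ["radius-server", "accounting"]):
            tmpl[mode[len("config-radius-"):]].append((cmd[1], int(cmd[3]), "secondary" in cmd[4:]))
        elif mode.startswith("config-aaa-domain-") and cmd[:1] and cmd[0] in known:
            dom = mode[len("config-aaa-domain-"):]
            if cmd[1] not in known[cmd[0]]:     # page rule: create the scheme/template before a domain uses it
                findings.append(f"domain {dom}: {cmd[0]} {cmd[1]} used before it is created")
            bound.setdefault(dom, {})[cmd[0]] = cmd[1]
    for dom, b in bound.items():
        if acct.get(b.get("accounting-scheme"), 0) == 0:
            findings.append(f"domain {dom}: interim accounting is off (interval 0)")
        servers = tmpl.get(b.get("radius-server"), [])
        for kind, port in (("authentication", 1812), ("accounting", 1813)):
            if {sec for k, p, sec in servers if k == kind and p == port} != {False, True}:
                findings.append(f"domain {dom}: need primary and secondary {kind} servers on UDP {port}")
    return findings
```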

The resulting configuration looks like the following on the OLT:

[Figure: screenshot of the resulting AAA configuration on the Huawei OLT]

Shahed