Feature Description - User Access(Nonx1x2)(V600R003C00_02)


HUAWEI NetEngine80E/40E Router V600R003C00

Feature Description - User Access

Issue 02
Date 2011-09-10

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

Huawei and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Issue 02 (2011-09-10) Huawei Proprietary and Confidential. Copyright Huawei Technologies Co., Ltd.


About This Document

Purpose

This document describes the user access feature in terms of its overview, principle, and applications. This document, together with other types of document, helps intended readers get a deep understanding of the user access feature.

Related Versions

The following table lists the product versions related to this document.

Product Name                      Version
HUAWEI NetEngine80E/40E Router    V600R003C00

Intended Audience

This document is intended for:
• Network planning engineers
• Commissioning engineers
• Data configuration engineers
• System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.


Symbol    Description

DANGER    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING   Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION   Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP       Indicates a tip that may help you solve a problem or save time.

NOTE      Provides additional information to emphasize or supplement important points of the main text.

Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 02 (2011-09-10)

There is no update compared with the previous issue.

Changes in Issue 01 (2011-06-30)

Initial field commercial release.


Contents

About This Document
1 AAA and User Management
  1.1 Introduction to AAA and User Management
  1.2 References
  1.3 Enhancement
  1.4 Principles
    1.4.1 AAA
    1.4.2 RADIUS
    1.4.3 HWTACACS
    1.4.4 User Management
  1.5 Applications
    1.5.1 RADIUS Authentication and Accounting
    1.5.2 HWTACACS Authentication, Accounting, and Authorization
  1.6 Terms and Abbreviations


1 AAA and User Management

About This Chapter

1.1 Introduction to AAA and User Management
1.2 References
1.3 Enhancement
1.4 Principles
1.5 Applications
1.6 Terms and Abbreviations


1.1 Introduction to AAA and User Management

Definition

AAA, short for Authentication, Authorization, and Accounting, provides the following types of security functions:
• Authentication: determines the users who can access the network.
• Authorization: authorizes users to use specific services.
• Accounting: records the utilization of network resources.

The NE80E/40E implements AAA through the Remote Authentication Dial In User Service (RADIUS) protocol or the Huawei Terminal Access Controller Access Control System (HWTACACS) protocol.

• RADIUS

  RADIUS is one of the most commonly used protocols to implement AAA. As an application-layer protocol running between the NE80E/40E and a RADIUS server, RADIUS defines the procedure for transmitting user information and accounting information between the NE80E/40E and the RADIUS server, and the format of the packets exchanged between them.

• HWTACACS

  AAA can also be implemented through HWTACACS. HWTACACS is an enhancement of TACACS, an access control protocol defined in RFC 1492. Similar to RADIUS, HWTACACS adopts the client/server model to communicate with the HWTACACS server, thus implementing AAA for various users, including Point-to-Point Protocol (PPP) users, Virtual Private Dial Network (VPDN) users, and login users.

A broadband remote access server (BRAS) is used to manage access users. Currently, the BRAS manages users in the following modes:

• Domain-based user management

  All users belong to the same domain. By default, users are added to a default domain. The BRAS manages users by configuring service attributes for a domain. Thus, the users in the same domain have the same service attributes.

• User account-based user management

  User accounts and related service attributes are configured on an AAA server such as the RADIUS server or the HWTACACS server, and are then delivered to users when the users get online, or dynamically delivered to users after the users get online.

In actual applications (except the applications of non-authentication and non-accounting) on the NE80E/40E, all user accounts must be configured on an AAA server, and all the domains to which the user accounts belong must be configured on the NE80E/40E. The NE80E/40E supports the configuration and management of local user accounts.

Commonly, the service attributes configured in a domain have a lower priority than the service attributes delivered by an AAA server. Therefore, when service attributes are configured in a domain and are also delivered by an AAA server, the NE80E/40E adopts the service attributes that are delivered by the AAA server. The service attributes configured in a domain take effect only when the AAA server does not support or deliver the service attributes.


Purpose

The NE80E/40E implements AAA through either RADIUS or HWTACACS. The NE80E/40E supports domain-based or user account-based user management and supports multiple authentication and accounting policies. By authorizing and managing user attributes, the NE80E/40E implements enhanced user management functions, including user bandwidth control, access authority control, and QoS attribute control.

Benefits

This feature brings the following benefits to operators:
• Access users are identified to guarantee legal service access.
• Authorities of access users are controlled through domain-based or user account-based user management.
• The reliability of access user accounting is ensured through the RADIUS or HWTACACS accounting protocol and the local accounting function in case of a remote accounting failure.

1.2 References

Document    Description
RFC 2903    Generic AAA Architecture
RFC 2904    AAA Authorization Framework
RFC 2905    AAA Authorization Application Examples
RFC 2906    AAA Authorization Requirements
RFC 2989    Criteria for Evaluating AAA Protocols for Network Access
RFC 3539    Authentication, Authorization and Accounting (AAA)
RFC 2809    Implementation of L2TP Compulsory Tunneling via RADIUS
RFC 2865    Remote Authentication Dial In User Service (RADIUS) (June 2000)
RFC 2866    RADIUS Accounting (June 2000)
RFC 2867    RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868    RADIUS Attributes for Tunnel Protocol Support
RFC 2869    RADIUS Extensions (June 2000)
RFC 2882    Network Access Servers Requirements: Extended RADIUS Practices
RFC 3162    RADIUS and IPv6


RFC 3575    IANA Considerations for RADIUS (Remote Authentication Dial In User Service)
RFC 3579    RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)
RFC 3580    IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
RFC 4014    Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option
RFC 0927    TACACS User Identification Telnet Option
RFC 1492    An Access Control Protocol, Sometimes Called TACACS (July 1993)

1.3 Enhancement

Version        Feature Enhancement
V600R003C00    The fail-time and interval parameters are added to the local-user state command to set the maximum number of times that a user can fail authentication and the period of time between two authentication attempts, respectively. If the two parameters are specified, a user is blocked for a while after failing to log in N times. This reduces the possibility of invalid users obtaining a correct login password and improves security.

1.4 Principles

1.4.1 AAA

Authentication

The NE80E/40E supports the following authentication modes. The three modes can be used in combination.

• Non-authentication

  In this mode, users are completely trusted without any check on their validity. This mode is rarely used.

• Local authentication


  In this mode, user information, including the user name, password, and attributes, is configured on the NE80E/40E. This mode features fast processing speed and low operation costs. The major limitation is that the information storage capacity is subject to the capacity of the device hardware.

• Remote authentication

  In this mode, user information, including the user name, password, and attributes, is configured on an authentication server. The NE80E/40E supports remote authentication through RADIUS or HWTACACS. As a client, the NE80E/40E communicates with the RADIUS or HWTACACS server. The RADIUS protocol can be either the standard RADIUS protocol or an extended RADIUS protocol of Huawei, that is, RADIUS+V1.0 or RADIUS+V1.1.

• First local authentication and later remote authentication

  This is a local-authentication-preferred policy. That is, remote authentication is performed only after local authentication fails.

• First remote authentication and later local authentication

  This is a remote-authentication-preferred policy. That is, local authentication is performed only after the AAA server gives no response.

• First remote authentication and later non-authentication

  This is also a remote-authentication-preferred policy. That is, non-authentication is performed only after the AAA server gives no response.
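The combined modes above differ in a detail that matters for security: a local-preferred policy falls through to the server when local authentication fails, whereas the remote-preferred policies fall through (to local or to non-authentication) only when the server gives no response, never when it rejects the user. The following Python model is an added example, not Huawei code and not taken from this document; it also models the fail-time and interval blocking from section 1.3. The local user table, the simulated AAA server and its outcomes are constructed, and the way the two blocking parameters interact (fail_time failures within interval seconds block the account for interval seconds) is an assumption about their semantics.

```python
import hmac
import time

# Outcomes of one authentication attempt (constructed labels for this example).
ACCEPT, REJECT, NO_RESPONSE, BLOCKED = "accept", "reject", "no-response", "blocked"


class LocalAuthenticator:
    """Local user database with fail-time / interval blocking.

    Assumption (not stated by the document): `fail_time` failures within
    `interval` seconds block the account for `interval` seconds.
    """

    def __init__(self, users, fail_time=3, interval=60, clock=time.monotonic):
        self.users = users              # user name -> password (constructed data)
        self.fail_time = fail_time
        self.interval = interval
        self.clock = clock              # injectable so the demo is deterministic
        self.failures = {}              # user name -> timestamps of recent failures
        self.blocked_until = {}         # user name -> time when the block expires

    def authenticate(self, user, password):
        now = self.clock()
        if self.blocked_until.get(user, 0) > now:
            return BLOCKED              # refused even with the right password
        stored = self.users.get(user)
        if stored is not None and hmac.compare_digest(stored, password):
            self.failures.pop(user, None)
            return ACCEPT
        recent = [t for t in self.failures.get(user, []) if now - t < self.interval]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.fail_time:
            self.blocked_until[user] = now + self.interval
            self.failures.pop(user, None)
        return REJECT


class SimulatedAAAServer:
    """Stand-in for a RADIUS/HWTACACS server. `down=True` models a server that
    never answers, which is the only case the remote-first policies fall back on."""

    def __init__(self, users, down=False):
        self.users = users
        self.down = down

    def authenticate(self, user, password):
        if self.down:
            return NO_RESPONSE
        stored = self.users.get(user)
        return ACCEPT if stored is not None and hmac.compare_digest(stored, password) else REJECT


def local_then_remote(local, remote, user, password):
    """Local-authentication-preferred: the server is consulted only after local fails."""
    result = local.authenticate(user, password)
    if result == REJECT:
        return remote.authenticate(user, password)
    return result                       # ACCEPT, or BLOCKED (assumed not to fall through)


def remote_then_local(local, remote, user, password):
    """Remote-authentication-preferred: local is used only when the server gives no
    response. A REJECT from the server is final and never reaches the local table."""
    result = remote.authenticate(user, password)
    return local.authenticate(user, password) if result == NO_RESPONSE else result


def remote_then_none(local, remote, user, password):
    """Remote-authentication-preferred with non-authentication as the fallback."""
    result = remote.authenticate(user, password)
    return ACCEPT if result == NO_RESPONSE else result


def demo():
    """Run the scenarios with a fake clock so the interval logic is deterministic."""
    clock = [1000.0]
    local = LocalAuthenticator({"admin": "local-pw"}, fail_time=3, interval=60, clock=lambda: clock[0])
    server_up = SimulatedAAAServer({"alice": "remote-pw"})
    server_down = SimulatedAAAServer({"alice": "remote-pw"}, down=True)
    results = {}
    # admin is unknown to the server: a server reject does not fall back to the local table
    results["remote_first_reject"] = remote_then_local(local, server_up, "admin", "local-pw")
    # server silent: the same credentials now succeed locally
    results["remote_first_timeout"] = remote_then_local(local, server_down, "admin", "local-pw")
    # alice is not local: the local failure hands over to the server
    results["local_first_handoff"] = local_then_remote(local, server_up, "alice", "remote-pw")
    results["remote_then_none_timeout"] = remote_then_none(local, server_down, "nobody", "x")
    # three wrong passwords inside the interval block admin, even for the correct password
    for _ in range(3):
        local.authenticate("admin", "wrong")
    results["blocked"] = local.authenticate("admin", "local-pw")
    clock[0] += 61                      # the block expires after `interval` seconds
    results["unblocked"] = local.authenticate("admin", "local-pw")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} {outcome}")
```

The point the demo makes is visible in the first two results: with the same credentials, a server that answers "reject" ends the attempt, while a server that does not answer at all lets the local table decide. Operators choosing "first remote then non-authentication" should note that the third result means an unreachable server admits everyone.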

Authorization

The NE80E/40E supports user authorization during user login as well as dynamic authorization for online users. During user login, the NE80E/40E supports various types of authorization schemes.

• Authorization during user login

  The NE80E/40E supports the following authorization modes during user login:

  - Direct authorization

    In this mode, users are completely trusted and directly authorized.

  - Local authorization

    In this mode, users are authorized based on the attributes of local user accounts configured on the NE80E/40E.

  - HWTACACS authorization

    In this mode, users are authorized through an HWTACACS server.

  - If-authenticated authorization

    In this mode, users pass authorization after passing authentication (not in non-authentication mode).

  - RADIUS authorization

    RADIUS integrates authentication and authorization. Therefore, RADIUS authorization cannot be performed independently.

• Authorization for online users

  The NE80E/40E supports dynamic authorization for online users. In dynamic authorization, attributes such as the user group, committed access rate (CAR), and policy name are re-configured on the AAA server. The AAA server then delivers the attributes to the AAA module through Change of Authorization (CoA) packets and the


  AAA module dynamically updates the users' authorization information. For a description of CoA packets, refer to RFC 3576.

  NOTE
  The NE80E/40E can update the following user information through CoA packets: Filter-Id, Session-Timeout, Idle-Timeout, Acct-Interim-Interval, HW-Input-Committed-Information-Rate, HW-Input-Peak-Information-Rate, HW-Output-Committed-Information-Rate, HW-Output-Peak-Information-Rate, HW-Remanent-Volume, HW-Subscriber-QoS-Profile, HW-Priority.

Accounting

• Accounting mode

  AAA supports the following accounting modes:

  - Non-accounting

    Free services are provided.

  - Remote accounting

    The NE80E/40E supports remote accounting through an AAA server.

  - Local accounting protection

    The NE80E/40E supports the local accounting protection function to avoid bill loss or error bills when a link fault occurs (for example, the AAA server is disconnected). When the AAA server fails to charge users, user bills are saved locally. Later, when the AAA server recovers, the NE80E/40E uploads the locally saved bills to the accounting server through the Trivial File Transfer Protocol (TFTP).

    There must be a local bill pool before you can implement the local accounting protection function on the NE80E/40E. The local accounting protection function does not take effect in the absence of a local bill pool. You can create or delete a local bill pool through commands. Note that after the local bill pool is deleted, the locally saved bills are also deleted correspondingly and the NE80E/40E cannot automatically back up the bills to a bill server.

  - Real-time accounting

    During real-time accounting for online users, the NE80E/40E periodically generates accounting packets and then sends them to a remote accounting server. Real-time accounting is also a bill protection measure. It minimizes error bills and ensures the accuracy of accounting information in case of a link failure.

    Working together with an AAA server, the NE80E/40E also supports the time-based pre-paid service and the traffic-based pre-paid service. It also supports charge rate switching and charge discounting functions. Users are then accounted at different charge rates based on their access types.

• Accounting failure policy

  The NE80E/40E supports the configuration of a remote accounting failure policy. Remote accounting failure policies include:

  - Policy for start-accounting failures

    When start-accounting fails:
    If the policy is set to "offline", the user cannot go online.
    If the policy is set to "online", the user remains online but no real-time accounting packets can be exchanged between the user and the AAA server, even after the AAA server responds again. The user still needs to send an accounting packet to the AAA server when going offline. If the AAA server fails to charge the user, the user bill is saved locally.


  - Policy for real-time accounting failures

    When real-time accounting fails:
    If the policy is set to "offline", the NE80E/40E terminates user access and saves the offline bills locally.
    If the policy is set to "online", the user remains online and sends real-time accounting packets to the AAA server. If the user needs to go offline, it sends an accounting packet to the AAA server. When the AAA server fails to charge the user, the user bill is saved locally.

  - Policy for remote offline-accounting failures

    When a user goes offline and the AAA server fails in accounting, the user bill is saved locally; if the local bill pool is full, the bill is lost.

• Accounting packet copy

  Accounting packet copy means that during accounting, accounting packets are sent to two AAA servers synchronously for separate accounting. This function is used when the original accounting information needs to be saved on multiple devices, for example, in a multi-operator networking scenario. In this case, the accounting packets are sent to two AAA servers and are used as original accounting information in subsequent bill accounting. There are the following accounting packet copy modes:

  - Physical accounting

    For physical accounting, an accounting copy server is configured on the BAS interface for user access. After the user logs in, the NE80E/40E searches for the accounting copy server based on the user access interface and VLAN information and then copies the accounting packets to this accounting server.

  - Two-level accounting

    For two-level accounting, a main accounting server and an accounting copy server are configured for a domain. During accounting, the main accounting server copies the accounting packets to the accounting copy server.

1.4.2 RADIUS

Format of a RADIUS Message

Figure 1-1 shows the format of a RADIUS message.

Figure 1-1 Format of a RADIUS message

   0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
  +---------------+---------------+-------------------------------+
  |     Code      |  Identifier   |            Length             |
  +---------------+---------------+-------------------------------+
  |                         Authenticator                         |
  +---------------------------------------------------------------+
  |                         Attribute ...                         |
  +---------------------------------------------------------------+


The meaning of each field is described as follows:
• Code: indicates the message type, such as access request, access permission, and accounting request.
• Identifier: is a number, assigned in ascending order, for matching request and response packets.
• Length: indicates the total length of all fields.
• Authenticator: is used for checking the validity of a RADIUS message.
• Attribute: indicates the contents of a message, describing user attributes.

Process of Exchanging RADIUS Messages

The RADIUS server builds a unique database to store the user names and passwords that are required for authentication. To obtain the right to access certain networks or to use certain network resources, a user needs to set up a connection with the NE80E/40E through a device. In this case, the NE80E/40E connects the user and the device.

The NE80E/40E is responsible for sending AAA information about the user to the RADIUS server. RADIUS prescribes how to transmit AAA information between the NE80E/40E and the RADIUS server. The RADIUS server receives connection requests from users, authenticates users, and then sends the required configuration information back to the NE80E/40E.

The authentication information between the NE80E/40E and the RADIUS server is transmitted with a key. This protects the user password from theft on an insecure network. Figure 1-2 shows the process of exchanging RADIUS messages between the RADIUS server and client.

Figure 1-2 Process of exchanging RADIUS messages between the RADIUS server and client

  User  --1. User name, password-->  Router  --2. Request-->   RADIUS server
                                     Router  <--3. Response--  RADIUS server

1. A user initiates authentication and sends a user name and password to the NE80E/40E.
2. After the RADIUS client configured on the NE80E/40E receives the user name and password, it sends an authentication request to the RADIUS server.
3. If the request is valid, the RADIUS server completes the authentication and sends the required authorization information back to the RADIUS client.

Authentication information is encrypted before being transmitted between the RADIUS client and RADIUS server. This prevents theft of information on an insecure network. The process of exchanging accounting messages is similar to that of exchanging authentication or authorization messages.
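To make the header fields and the role of the Authenticator and the shared key concrete, here is an added Python example; it is not Huawei code and is not taken from this document. It builds an Access-Request whose User-Password is hidden with the shared secret, lets a simulated server answer with an Access-Accept, and has the client check the Response Authenticator before trusting the attributes in the reply. The attribute Types (User-Name 1, User-Password 2, Filter-Id 11), the 16-octet Authenticator and the MD5-based computations follow RFC 2865, which section 1.2 lists; the secret, the Request Authenticator, the user and the server's answer are constructed.

```python
import hashlib
import hmac
import struct
from collections import namedtuple

# Constructed values: the shared secret is configured on both client and server
# and never crosses the wire; a real client draws a fresh random Request Authenticator.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2             # Code values from RFC 2865
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11   # attribute Types from RFC 2865

RadiusPacket = namedtuple("RadiusPacket", "code identifier length authenticator attributes")


def encode_attributes(attributes):
    """Each attribute is Type (1 octet), Length (1 octet, header included), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)


def build_radius(code, identifier, authenticator, attributes):
    body = encode_attributes(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_radius(data):
    """Parse Code, Identifier, Length, Authenticator and the attribute list.
    Inconsistent lengths raise ValueError instead of being read past the buffer."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with received data")
    attributes, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attributes.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return RadiusPacket(code, identifier, length, data[4:20], attributes)


def hide_password(password, request_auth, secret):
    """RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous block),
    the first block being keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden, request_auth, secret):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, identifier, request_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(response, request_auth, secret):
    """A reply whose Authenticator does not match was not produced with the secret
    (or was altered in transit); its attributes must not be applied."""
    pkt = parse_radius(response)
    expected = response_authenticator(pkt.code, pkt.identifier, request_auth,
                                      response[20:pkt.length], secret)
    return hmac.compare_digest(expected, pkt.authenticator)


def demo():
    # Client: Access-Request with User-Name and a hidden User-Password.
    request = build_radius(ACCESS_REQUEST, 7, REQUEST_AUTH, [
        (USER_NAME, b"alice@isp"),
        (USER_PASSWORD, hide_password(b"s3cret", REQUEST_AUTH, SECRET)),
    ])
    req = parse_radius(request)
    # Simulated server: recover the password, answer with an Access-Accept carrying Filter-Id.
    password = reveal_password(dict(req.attributes)[USER_PASSWORD], req.authenticator, SECRET)
    accept_attrs = [(FILTER_ID, b"acl-gold")]
    resp_auth = response_authenticator(ACCESS_ACCEPT, req.identifier, req.authenticator,
                                       encode_attributes(accept_attrs), SECRET)
    accept = build_radius(ACCESS_ACCEPT, req.identifier, resp_auth, accept_attrs)
    # Client: verify before applying the delivered attributes; one flipped bit fails the check.
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])
    return {
        "password_seen_by_server": password,
        "accept_verified": verify_response(accept, REQUEST_AUTH, SECRET),
        "tampered_verified": verify_response(tampered, REQUEST_AUTH, SECRET),
    }
```

Run `demo()` to see the exchange end to end. Two things the document's text only implies are visible here: only the User-Password value is hidden (the User-Name travels in clear, which is why Table 1-1 later contrasts RADIUS with HWTACACS), and the Response Authenticator is what lets the client reject an Access-Accept that did not come from a holder of the shared secret.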

Features of RADIUS

RADIUS adopts the server/client model and has the following characteristics:


• RADIUS features excellent real-time performance by using the User Datagram Protocol (UDP) as the transport protocol.
• RADIUS possesses high reliability owing to the retransmission mechanism and the backup server mechanism.
• RADIUS is easy to implement and is applicable to multi-threaded servers in the case of a large number of users.

Versions of RADIUS

The NE80E/40E supports standard RADIUS, RADIUS+V1.0, and RADIUS+V1.1. RADIUS+V1.1 and RADIUS+V1.0, derived from the standard RADIUS protocol, are private protocols defined by Huawei. With these protocols, the RADIUS server works more effectively in flow control, charge rate switching, and control over the BRAS. The two protocols are both applicable to IPHotel and Portal services, though they differ in their extensions.

• RADIUS+V1.0

  In RADIUS+V1.0, a private attribute set is suffixed to the standard attribute set. That is, the private attributes are simply added to the standard attribute set. Such an extension may conflict with subsequent extensions of the standard RADIUS protocol.

• RADIUS+V1.1

  In RADIUS+V1.1, all private attributes are considered a subset to be contained in the vendor-specific attribute defined in RFC 2865. This ensures interworking and controllability between Huawei's extended RADIUS+V1.1 and the extended RADIUS protocols defined by other vendors, and avoids conflicts between Huawei's extended RADIUS+V1.1 and subsequent extensions of the standard RADIUS protocol.

For Huawei private RADIUS attributes, refer to "Appendix A RADIUS Attributes" in the HUAWEI NE80E/40E Router Configuration Guide - BRAS Service.

Implementation of RADIUS on the NE80E/40E

As a RADIUS client, the NE80E/40E implements the following functions:

• Actively detects the status of the RADIUS server.

  After receiving an AAA authentication or accounting message, the NE80E/40E starts the server detection process if the server is Down. The NE80E/40E then transforms the message into a packet and sends the packet to the current server to detect the server. If a response packet is received from the RADIUS server, the NE80E/40E considers the server available.

• Caches accounting-stop packets locally and retransmits them.

  If the number of retransmission failures exceeds the set value, the accounting-stop packets are saved to the buffer queue. The system periodically scans the queue, extracts the packets, sends them to the specific server, and starts the waiting timer. If the transmission fails or no response packet is received from the server within the timeout period, the packets are put into the buffer queue again.

• Automatically switches to another RADIUS server in the server group.

  If the current server does not work or the number of retransmission events exceeds the set maximum number, the NE80E/40E selects another server in the server group to transmit packets.

• Performs load balancing between RADIUS servers.


  Enabled with load balancing, the NE80E/40E selects a RADIUS server in the Up state according to the costs of the RADIUS servers. Commonly, the higher the priority, the higher the possibility that the RADIUS server is selected.

• Switches RADIUS attributes.

  The NE80E/40E supports the RADIUS attribute switching function. When the RADIUS attribute switching function is enabled and then configured, the NE80E/40E encapsulates or parses the original attribute value in accordance with the post-switching attribute format during the transmission of RADIUS messages. In this manner, the NE80E/40E can interwork with other devices.

• Carries CAR in the class attribute.

  In the standard RADIUS protocol, the client is required to add the class attribute carried in the authentication message received from the RADIUS server to the accounting packet, and to send the accounting packet to the accounting server without changing the class attribute. The NE80E/40E extends the standard RADIUS protocol by adding CAR to the class attribute.

• RADIUS user priority is configurable.

  Users on the NE80E/40E can have different priorities.

• Separates the user name specified in RADIUS at a delimiter.

  The delimiter shall be one of the following: "\", "/", ":", "", "|", "@", "'", "%". If the RADIUS server is configured to resolve user names from left to right, it considers the left part of the delimiter as the user name and the right part of the delimiter as the domain name; if the RADIUS server is configured to resolve user names from right to left, it considers the right part of the delimiter as the user name and the left part of the delimiter as the domain name.
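The two resolution directions give different answers when an account contains the delimiter more than once, and an account with no delimiter at all falls back to a default domain (section 1.4.4 names default1 as the domain assumed during authentication). The following Python function is an added example, not Huawei code; it implements the left-to-right and right-to-left rules of the paragraph above for the delimiter set the document lists (the one unreadable entry in that list is left out), and the default-domain fallback and the refusal of empty names are assumptions about sensible handling rather than documented behaviour.

```python
# Delimiters named by the document (the unreadable entry in its list is omitted).
DELIMITERS = frozenset(["\\", "/", ":", "|", "@", "'", "%"])

LEFT_TO_RIGHT, RIGHT_TO_LEFT = "left-to-right", "right-to-left"


def split_account(account, delimiter="@", direction=LEFT_TO_RIGHT, default_domain="default1"):
    """Split a RADIUS user name into (user, domain).

    left-to-right: user is left of the FIRST delimiter, domain right of it.
    right-to-left: domain is left of the LAST delimiter, user right of it.
    An account without the delimiter belongs to `default_domain` (assumption:
    Table 1-2 names default1 as the domain used during authentication).
    """
    if delimiter not in DELIMITERS:
        raise ValueError(f"unsupported delimiter {delimiter!r}")
    if direction not in (LEFT_TO_RIGHT, RIGHT_TO_LEFT):
        raise ValueError(f"unknown direction {direction!r}")
    if delimiter not in account:
        return account, default_domain
    if direction == LEFT_TO_RIGHT:
        user, _, domain = account.partition(delimiter)
    else:
        domain, _, user = account.rpartition(delimiter)
    if not user or not domain:
        # "@isp" or "alice@" would otherwise yield an empty user or domain name
        raise ValueError(f"empty user name or domain name in {account!r}")
    return user, domain


def resolve_domain(account, configured_domains, **split_kwargs):
    """Return (user, domain, known): `known` is False when the domain is not
    configured on the device, which the document requires for every domain."""
    user, domain = split_account(account, **split_kwargs)
    return user, domain, domain in configured_domains


def demo():
    """Constructed sample accounts run through both directions."""
    domains = {"isp", "default1"}
    return {
        "plain_ltr": resolve_domain("alice@isp", domains),
        "swapped_rtl": resolve_domain("isp@alice", domains, direction=RIGHT_TO_LEFT),
        "no_domain": resolve_domain("bob", domains),
        "slash_rtl": resolve_domain("isp/alice", domains, delimiter="/", direction=RIGHT_TO_LEFT),
        # the same string parsed both ways: the direction decides which part is the domain
        "double_ltr": split_account("a@b@c"),
        "double_rtl": split_account("a@b@c", direction=RIGHT_TO_LEFT),
        "unknown_domain": resolve_domain("carol@other", domains),
    }
```

The `double_*` results show why the direction configured on the RADIUS server and the one assumed by the device must agree: "a@b@c" maps user "a" to domain "b@c" one way and user "c" to domain "a@b" the other way, and a mismatch silently lands the user in a different domain, with that domain's service attributes.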

1.4.3 HWTACACS

Format of an HWTACACS Message

The process of transmitting HWTACACS messages is similar to that of transmitting RADIUS messages.

Features of HWTACACS

Compared with RADIUS, HWTACACS is more reliable in transmission and encryption and thus is more suitable for security control. Table 1-1 shows comparisons between HWTACACS and RADIUS.

Table 1-1 Comparisons between HWTACACS and RADIUS

HWTACACS | RADIUS
Uses the Transmission Control Protocol (TCP) to provide reliable transmission. | Uses UDP.
Encrypts the main structure of a packet except the standard HWTACACS header. | Encrypts only the password field in the authentication packet.
Separates authorization from authentication. | Performs authentication together with authorization.


Is suitable for security control. | Is suitable for accounting.
Authorizes the commands executed by administrative users. | Does not authorize the commands executed by administrative users.

In HWTACACS, authentication is separated from authorization. Therefore, you can use RADIUS for authentication and HWTACACS for authorization. In such a case, though RADIUS authorization is performed, only HWTACACS authorization takes effect.

Command-Line Authorization in HWTACACS

HWTACACS supports command-line authorization for users with specific levels in a specified domain or for a specified Secure Shell (SSH) user. In command-line authorization mode, after a user logs in to the router through Telnet or SSH, every command input by the user needs to be authorized by the HWTACACS server. The command can be run only after command-line authorization is passed. Otherwise, the HWTACACS server displays a message to inform the user that command-line authorization fails and the command cannot be run.

If the router does not receive any authorization response from the HWTACACS server within the timeout period set by the user, it considers that the command-line authorization has timed out, and thus the command cannot be run. Figure 1-3 shows the process of command-line authorization in HWTACACS.

Figure 1-3 Process of command-line authorization in HWTACACS

  User  --1. command-->  Router  --2. author-cmd REQ-->  TACACS server
                         Router  <--3. author-cmd ACK--  TACACS server

1. The user enters a command on the NE80E/40E.
2. The NE80E/40E sends a command-line authorization request to the TACACS server.
3. The TACACS server returns the authorization result to the NE80E/40E. If authorization succeeds, the user can run the command of the corresponding level; otherwise, the user cannot run the command.
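The property worth preserving in the exchange above is that a command runs only on an explicit ACK: a NAK and a missing reply within the timeout both deny it. The following Python model is an added example, not Huawei code and not the HWTACACS wire protocol; the server is a constructed stand-in holding a per-level command policy, with a `hang` flag that makes it never answer so the timeout path is exercised, and the 0.2 second timeout is chosen for the demo only.

```python
import queue
import threading
import time

ACK, NAK = "author-cmd ACK", "author-cmd NAK"


class SimulatedTacacsServer:
    """Constructed stand-in for the HWTACACS server: a level -> permitted command
    words policy, plus a `hang` flag that models a server that never answers."""

    def __init__(self, allowed_by_level, hang=False):
        self.allowed_by_level = allowed_by_level
        self.hang = hang

    def author_cmd(self, user, level, command):
        if self.hang:
            time.sleep(5)                      # longer than any timeout used below
            return None
        words = command.split()
        word = words[0] if words else ""
        return ACK if word in self.allowed_by_level.get(level, set()) else NAK


def authorize_command(user, level, command, server, timeout=0.2):
    """Return (allowed, reason). Only an explicit ACK allows the command; a NAK or
    no reply within `timeout` seconds denies it, so the check fails closed."""
    replies = queue.Queue()
    worker = threading.Thread(
        target=lambda: replies.put(server.author_cmd(user, level, command)), daemon=True)
    worker.start()
    try:
        reply = replies.get(timeout=timeout)
    except queue.Empty:
        return False, "authorization timed out"
    if reply == ACK:
        return True, "authorized"
    return False, "authorization rejected"


def demo():
    """Constructed policy: level 1 may only display, level 3 may also reset."""
    policy = {1: {"display"}, 3: {"display", "system-view", "reset"}}
    up = SimulatedTacacsServer(policy)
    hung = SimulatedTacacsServer(policy, hang=True)
    return {
        "level1_display": authorize_command("op", 1, "display current-configuration", up),
        "level1_reset": authorize_command("op", 1, "reset counters", up),
        "level3_reset": authorize_command("adm", 3, "reset counters", up),
        "server_silent": authorize_command("adm", 3, "display version", hung),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:16s} {'run' if allowed else 'deny':4s} ({reason})")
```

The `server_silent` case is the one the document calls out: even a command the policy would allow is denied when the authorization server does not answer in time, and a logging statement at that point is the natural place to record both the user and the command for later review.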

1.4.4 User Management

Overview

The BRAS is used to manage access users. Currently, the BRAS manages users in the following modes:


- Domain-based user management: all users belong to a domain, and users are added to the default domain unless another is specified. The BRAS manages users by configuring service attributes in a domain, so all users in the same domain share the same service attributes.

- User account-based user management: user accounts and their service attributes are configured on an AAA server such as a RADIUS or HWTACACS server, and are delivered to users when they go online, or dynamically after they are online.

In practical applications on the NE80E/40E (except in non-authentication and non-accounting modes), all user accounts must be configured on an AAA server, and the domain to which the accounts belong must be configured on the NE80E/40E. The NE80E/40E also supports configuring and managing local user accounts.

Service attributes configured for a domain have a lower priority than service attributes delivered by an AAA server. When an attribute is both configured in the domain and delivered by the AAA server, the NE80E/40E uses the value delivered by the AAA server; the domain-configured value takes effect only when the AAA server does not support or does not deliver that attribute.

Overview of a Domain

The NE80E/40E supports user accounts in the format username@domain or domain@username, where @ is the domain name delimiter and the positions of the domain name and the user name can be exchanged. If the account entered when a user accesses the NE80E/40E contains no domain name, the user belongs to the default domain of the system.

- Default domain

A default domain is fixed in the system; its service attributes can be modified, but the domain cannot be deleted. The NE80E/40E has three default domains: default0, default1, and default_admin, as shown in Table 1-2.

Table 1-2 Default domains of the NE80E/40E

  default0
    Description: the domain a user belongs to before authentication. When a user accesses the NE80E/40E and has not yet been authenticated, the NE80E/40E does not know the user's domain and by default places the user in default0.
    Default attributes: non-authentication, non-accounting

  default1
    Description: the domain a user belongs to during authentication. If a user enters an account that contains no domain name, the NE80E/40E by default places the user in default1.
    Default attributes: RADIUS authentication, RADIUS accounting

  default_admin
    Description: the domain an operation user belongs to. When an operation user logs in to the NE80E/40E through Telnet or SSH and enters an account that contains no domain name during authentication, the NE80E/40E by default places the user in default_admin.
    Default attributes: local authentication first, then RADIUS authentication; non-accounting

- Domain type

The NE80E/40E supports the following types of domains: default-domain pre-authentication, default-domain authentication, default-domain authentication force, default-domain authentication replace, authentication domain, roam-domain, and permit-domain. Their functions are as follows:

  - Default-domain pre-authentication: used only by Web authentication users and fast authentication users to obtain IP addresses. A user whose user name is bound to this domain obtains an IP address from it, and the user's rights are determined by the user group name in this domain: while in this domain the user can access only the Web authentication server and the DNS (access rights are controlled through the UCL group and ACLs). If no default-domain pre-authentication is configured on a BAS interface, default0 is used.

  - Default-domain authentication: if a user enters an account that contains no domain name, the user adopts the authentication scheme, accounting scheme, and RADIUS server configured in this domain. If no default-domain authentication is configured on a BAS interface, default1 is used.

  - Default-domain authentication force: the user adopts the authentication scheme, accounting scheme, and RADIUS server configured in this domain, regardless of whether the entered account contains a domain name or what that domain name is. A domain name already present in the account remains unchanged during authentication; if none is present, the force domain is appended to the account.

  - Default-domain authentication replace: the user adopts the authentication scheme, accounting scheme, and RADIUS server configured in this domain, regardless of whether the entered account contains a domain name or what that domain name is. A domain name present in the account is replaced with the replace domain during authentication; if none is present, the replace domain is appended to the account.

  - Authentication domain: the domain name contained in the account the user enters. When the account is a normal one (it contains a domain name that is configured on the NE80E/40E, and the BAS interface is configured with neither default-domain authentication force nor default-domain authentication replace), the user adopts the authentication scheme, accounting scheme, and RADIUS server configured in that domain.

  - Roam-domain: applies only when the user enters an account that contains a domain name. If that domain name is not configured on the NE80E/40E, the user adopts the authentication scheme, accounting scheme, and RADIUS server configured in the roam-domain; the account itself remains unchanged during authentication. If no roam-domain is configured on a BAS interface, default1 is used.

  - Permit-domain: a domain that users are allowed to access when going online through a BAS interface.

- Domain application

  Users going online with a domain name. Assume a user enters the account user@A.

    - The BAS interface is not configured with a default-domain authentication. If domain A is configured on the NE80E/40E, the user adopts the authentication and accounting schemes configured in domain A, and the account used for authentication is user@A. If domain A is not configured and the roam-domain is disabled, authentication fails. If the roam-domain is enabled, the user adopts the authentication and accounting schemes configured in the roam-domain.

    - The BAS interface is configured with domain B as the default-domain authentication. The outcome is the same as above, because the account already carries a domain name: if domain A is configured on the NE80E/40E, the schemes of domain A apply and the account used for authentication is user@A; if domain A is not configured and the roam-domain is disabled, authentication fails; if the roam-domain is enabled, the schemes of the roam-domain apply.

    - The BAS interface is configured with domain E as the roam-domain. If domain A is not configured on the NE80E/40E, the user adopts the authentication and accounting schemes configured in domain E. If domain A is configured, the user adopts the schemes configured in domain A, and the account used for authentication is user@A.

    - The BAS interface is configured with domain F as the default-domain authentication force. The user adopts the authentication and accounting schemes configured in domain F (regardless of whether domain A is configured on the NE80E/40E or whether a roam-domain is configured), and the account used for authentication is still user@A.

    - The BAS interface is configured with domain G as the default-domain authentication replace. The user adopts the authentication and accounting schemes configured in domain G (regardless of whether domain A is configured on the NE80E/40E or whether a roam-domain is configured), and the account used for authentication becomes user@G.

  Users going online without a domain name. Assume a user enters the account user.

    - If the BAS interface is not configured with a default-domain authentication, the user adopts the authentication and accounting schemes configured in default1, and the account used for authentication is user@default1.

    - If the BAS interface is configured with domain B as the default-domain authentication, the user adopts the authentication and accounting schemes configured in domain B, and the account used for authentication is user@B.

    - If the BAS interface is configured with domain H as the default-domain authentication force, the user adopts the authentication and accounting schemes configured in domain H, and the account used for authentication is user@H.

    - If the BAS interface is configured with domain J as the default-domain authentication replace, the user adopts the authentication and accounting schemes configured in domain J, and the account used for authentication is user@J.

Whether or not a user goes online with a domain name, after determining the user's authentication domain the NE80E/40E still has to check whether that domain is allowed on the BAS interface when a permit-domain is configured there.

    NOTE

    The user account mentioned above is not the one that is sent to an AAA server. Instead, whether the useraccount sent to the AAA server contains a domain name depends on whether the device is configured tosend a domain name to the AAA server.
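The domain application cases above are one decision procedure seen from several starting points. The following is an added example, not Huawei code, that implements that procedure for the username@domain order: given the account a subscriber typed and the domain settings of a BAS interface, it returns the domain whose authentication and accounting schemes apply, the account used for authentication, and the user name that would go to the AAA server (the NOTE above). The attribute names are hypothetical and are not NE80E/40E CLI keywords; modelling a disabled roam-domain as None, an empty permit list as "no restriction", and force taking precedence over replace when both are set are assumptions, since the page does not specify those cases.

```python
"""Domain resolution on a BAS interface (added example, not Huawei code).

Works out, for an account a subscriber typed, which domain's authentication
and accounting schemes apply, the account used for authentication, and the
user name the AAA server sees. Attribute names are hypothetical.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

DELIMITER = "@"
DEFAULT1 = "default1"


@dataclass(frozen=True)
class BasInterface:
    default_auth: Optional[str] = None    # default-domain authentication
    auth_force: Optional[str] = None      # default-domain authentication force
    auth_replace: Optional[str] = None    # default-domain authentication replace
    roam: Optional[str] = None            # roam-domain; None models "disabled" (assumption)
    permit: FrozenSet[str] = frozenset()  # permit-domain; empty = no restriction (assumption)
    send_domain_to_aaa: bool = True       # whether the domain name is sent to the AAA server


@dataclass(frozen=True)
class Resolution:
    ok: bool
    domain: Optional[str]        # domain whose authentication/accounting schemes apply
    auth_account: Optional[str]  # account used for authentication on the device
    aaa_username: Optional[str]  # what the AAA server sees (the NOTE above)
    reason: str


def split_account(account: str) -> Tuple[str, Optional[str]]:
    """user@domain -> (user, domain); a bare user name -> (user, None).
    Only the username@domain order is handled (assumption); the page also
    allows domain@username."""
    if DELIMITER in account:
        user, domain = account.split(DELIMITER, 1)
        return user, domain or None
    return account, None


def resolve(account: str, bas: BasInterface, configured: Set[str]) -> Resolution:
    user, typed = split_account(account)
    # Force and replace override everything else; assumed mutually exclusive
    # on one interface, with force checked first.
    if bas.auth_force:
        domain = bas.auth_force
        auth_account = account if typed else f"{user}{DELIMITER}{domain}"
    elif bas.auth_replace:
        domain = bas.auth_replace
        auth_account = f"{user}{DELIMITER}{domain}"
    elif typed is not None:
        if typed in configured:                 # authentication domain
            domain, auth_account = typed, account
        elif bas.roam:                          # roam-domain, account unchanged
            domain, auth_account = bas.roam, account
        else:
            return Resolution(False, None, None, None,
                              f"domain {typed!r} not configured and roam-domain disabled")
    else:                                       # no domain typed
        domain = bas.default_auth or DEFAULT1
        auth_account = f"{user}{DELIMITER}{domain}"
    # The permit-domain check runs after the authentication domain is known.
    if bas.permit and domain not in bas.permit:
        return Resolution(False, domain, auth_account, None,
                          f"domain {domain!r} is not permitted on this BAS interface")
    aaa_username = auth_account if bas.send_domain_to_aaa else user
    return Resolution(True, domain, auth_account, aaa_username, "ok")


if __name__ == "__main__":
    configured = {"A", "B", "E", "F", "G"}   # constructed set of domains on the device
    cases = [
        ("user@A", BasInterface()),
        ("user@Z", BasInterface()),
        ("user@Z", BasInterface(roam="E")),
        ("user@A", BasInterface(auth_force="F")),
        ("user@A", BasInterface(auth_replace="G")),
        ("user", BasInterface()),
        ("user", BasInterface(default_auth="B")),
        ("user@A", BasInterface(permit=frozenset({"B"}))),
    ]
    for account, bas in cases:
        print(f"{account:8} -> {resolve(account, bas, configured)}")
```

Running the cases shows the practical difference between force and replace: both pin the schemes to the interface's domain, but only replace rewrites the account, so with force the AAA server still sees the domain the subscriber typed.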

Domain Management

A domain or an AAA server manages users by configuring service attributes for them. Domain management includes access management and service management.

- Access management

  In a domain, you can configure the authorization, authentication, and accounting schemes and the corresponding servers used when a user accesses the BAS interface; configure the authentication mode used in user authentication; specify the IP address pool and the DNS server used to assign an IP address to a user; and control user access by limiting the number of access users. The following functions are highlighted:

  - Time period control: in a specified time period, a domain automatically enters the blocked state. Users in the domain cannot go online, and online users are forced offline. When the time period expires, the domain is activated and its users can go online again. Four time periods can be set in a domain, and each takes effect independently of the others.

  - Mandatory PPP authentication: generally, the authentication mode (PAP/CHAP/MSCHAP) for PPP users is negotiated between the PPP client and the virtual template (VT) interface. Once an authentication mode is configured in a domain for PPP users, PPP users in that domain are authenticated with the configured mode.

  - IP address alarm: after an upper threshold (in percent) of IP address usage is set, the NE80E/40E sends a trap to the NMS when IP address utilization exceeds that threshold. If no threshold is set, the NE80E/40E generates no alarm however the domain's IP addresses are used.

  - Mandatory Web authentication: if a user who requires Web authentication or fast authentication attempts to access an unauthorized address before authentication, the NE80E/40E redirects the request to the mandatory Web authentication server so that the user is authenticated.

- Service management

  After a user goes online, the domain controls the user's basic access services (such as Internet access) and the rights, bandwidth, and QoS of value-added services. The service attributes involved include QoS profile, user priority, captive portal, multicast group, time period, traffic statistics, accounting packet copy, and idle-cut. The following functions are described:

  - Captive portal: when a user accesses the external network for the first time after passing authentication, the NE80E/40E forcibly redirects the request to a specified server, usually the carrier's portal server, so that a carrier-provided service is reached immediately after the user connects to the Internet.

  - Idle-cut: when the traffic from a user stays below a lower threshold for a certain time period, the NE80E/40E considers the user idle and cuts the connection. Configuring idle-cut requires two parameters: the time period and the traffic threshold.

  - Traffic statistics collection: two categories, collecting the total traffic of a domain and collecting the upstream and downstream traffic of a user.

  - QoS control based on the time period: QoS control is applied to domain users within a specific time period. When the period expires, no QoS control applies to the domain users.

1.5 Applications

1.5.1 RADIUS Authentication and Accounting

User 1, user 2, and user 3 access the Internet through the NE80E/40E. The users' authentication packets are sent to the RADIUS server for authentication and authorization. When the master server goes down, packets are switched to the backup server for authentication or accounting. After authentication succeeds, the RADIUS server delivers the corresponding rights to the users, and the users can access the Internet.

Figure 1-4 Network diagram of RADIUS authentication and accounting
(user1@isp1, user2@isp2, and user3@isp3 -> Router -> Internet; RADIUS (master) and RADIUS (backup) at 129.7.66.66 and 129.7.66.67)

1.5.2 HWTACACS Authentication, Accounting, and Authorization

User 1, user 2, and user 3 access the Internet through the NE80E/40E. The users' authentication packets are sent to the HWTACACS server for authentication and authorization. When the master server goes down, packets are switched to the backup server for authentication or accounting. After authentication succeeds, the HWTACACS server delivers the corresponding rights to the users, and the users can access the Internet. Accounting bills can also be copied to the bill server at the same time as they are sent to the HWTACACS server.

Figure 1-5 Networking diagram of HWTACACS authentication, accounting, and authorization
(user1@isp1, user2@isp2, and user3@isp3 -> Router -> Internet; HWTACACS (master) and HWTACACS (backup) at 130.7.66.66 and 130.7.66.67; bill server 10.10.10.1)


1.6 Terms and Abbreviations

AAA: Authentication, Authorization, Accounting
RADIUS: Remote Authentication Dial In User Service
HWTACACS: HUAWEI Terminal Access Controller Access Control System


Contents

About This Document
1 AAA and User Management
1.1 Introduction to AAA and User Management
1.2 References
1.3 Enhancement
1.4 Principles
1.4.1 AAA
1.4.2 RADIUS
1.4.3 HWTACACS
1.4.4 User Management
1.5 Applications
1.5.1 RADIUS Authentication and Accounting
1.5.2 HWTACACS Authentication, Accounting, and Authorization
1.6 Terms and Abbreviations