3Com Router User Manual
EXEC Configuration Example

■ An administrator user using the console port
■ An operator user using Telnet

Configuring Administrator User Login Authentication from a Console Port

In this example, the user name is abc and the password is hello. The RADIUS server authenticates the user first; local authentication is used only when RADIUS authentication cannot be carried out normally (the server does not respond). When logging in to the router through the console port, only the user with user name abc and password hello can log on successfully. Otherwise, access to the router is denied.

1 Enable AAA
[Router] aaa-enable
2 Configure login authentication for entering EXEC from the console port
[Router] login con
3 Configure the local authentication user name and password of the EXEC user type
[Router] local-user abc service-type exec-administrator password cipher hello
4 Configure the default authentication method list for EXEC users
[Router] aaa authentication-scheme login default radius local
5 Configure the RADIUS server and the shared secret
[Router] radius server 172.17.0.30 authentication-port 1645 accounting-port 1646
[Router] radius shared-key 3Com

Note that 1645/1646 are the legacy RADIUS ports; RFC 2865 and RFC 2866 assign 1812/1813, so the server must be configured to listen on whichever pair the router is told to use. The shared key 3Com is an example value only; the key is the sole secret protecting the exchange with the server, so use a long random one in production.

Configuring Operator User Login Authentication Through Telnet

In this example, the user name is abcd and the password is hello. Local authentication is performed directly, and only users who pass local authentication can log on successfully. Otherwise, access to the router is denied.

1 Enable AAA
[Router] aaa-enable
2 Configure login authentication for entering EXEC via Telnet
[Router] login telnet
3 Configure the local authentication user name and password of the EXEC user type
[Router] local-user abcd service-type exec-operator password cipher hello
4 Configure the authentication method list for EXEC users
[Router] aaa authentication-scheme login default local
CHAPTER 37: CONFIGURING TERMINAL ACCESS SECURITY
38 CONFIGURING AAA AND RADIUS PROTOCOL

This chapter covers the following topics:
■ AAA Overview
■ RADIUS Overview
■ Configuring AAA and RADIUS
■ Displaying and Debugging AAA and RADIUS
■ AAA and RADIUS Configuration Examples
■ Troubleshooting AAA and RADIUS

AAA Overview

AAA implements the following network security services:
■ Authenticating user access rights
■ Authorizing users for certain types of services
■ Accounting for the network resources used by users

Network security here refers mainly to access control, which determines:
■ Which users can access the network server
■ Which services the users with access authority can obtain
■ How the network resources used by users are accounted for

RADIUS Overview

Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that provides AAA functions and protects networks from intrusion by unauthorized visitors, so it is mainly applied in network environments that require high security and support remote login. RADIUS consists of three components:
■ Protocol: Carried over UDP/IP. RFC 2865 and RFC 2866 define the RADIUS packet format and message transmission mechanism, and define 1812 as the authentication port and 1813 as the accounting port.
■ Server: A RADIUS server runs on a central computer or workstation, and contains the information for user authentication and network service visits.
■ Client: A client is located at the Network Access Server (NAS) side. It can be placed anywhere in the network. As the RADIUS client, a NAS (such as a 3Com router) is responsible for transmitting user information to a specified RADIUS server and for acting on the information returned from the server.

The RADIUS server is responsible for receiving a user's request for connection, authenticating the user, and returning the required information to the NAS. The RADIUS server maintains three databases:
■ Users: stores user information, such as username, password, applied protocols and IP address
■ Clients: stores information about the RADIUS clients, such as the shared key
■ Dictionary: explains the meaning of RADIUS protocol attributes

Figure 165 Components of a RADIUS server (the Users, Clients and Dictionary databases)

In addition, a RADIUS server can act as the client of other AAA servers to perform authentication or accounting. A RADIUS server supports multiple ways to authenticate the user, such as PPP-based PAP and CHAP and UNIX-based login.

Basic Information Interaction Procedure of RADIUS

The RADIUS server usually relies on the agent authentication function of devices like the NAS to authenticate the user. The RADIUS client and server authenticate their interactive messages through shared keys, and the user password is transmitted over the network in hidden (ciphertext) form to enhance security. This hiding is an MD5-keyed XOR using the shared key (RFC 2865, section 5.2), so its strength depends entirely on the secrecy and length of that key. The RADIUS protocol integrates the authentication and authorization processes: the response packet carries the authorization information. The operation process is shown in the following figure.
Figure 166 Basic message interaction process of RADIUS (PC, RADIUS client (NAS) and RADIUS server over PSTN/ISDN: Access-Request; Access-Accept; Accounting-Request (start); Accounting-Response; the user visits the resource; Accounting-Request (stop); Accounting-Response; notify the end of access)

The basic operation is described as follows:
1 The user enters a username and password.
2 Having received the username and password, the RADIUS client sends an authentication request packet (Access-Request) to the RADIUS server.
3 The RADIUS server authenticates the user information against the user database. If the authentication succeeds, it sends the user's rights information in an authentication response packet (Access-Accept) to the RADIUS client. If the authentication fails, it returns an Access-Reject packet.
4 According to the authentication result, the RADIUS client accepts or denies the user. If it accepts, the RADIUS client sends an accounting start request packet (Accounting-Request) to the RADIUS server. The value of Acct-Status-Type is Start.
5 The RADIUS server returns an accounting start response packet (Accounting-Response).
6 The RADIUS client sends an accounting stop request packet (Accounting-Request) to the RADIUS server. The value of Acct-Status-Type is Stop.
7 The RADIUS server returns an accounting stop response packet (Accounting-Response).

Packet Structure of the RADIUS Protocol

RADIUS uses UDP to transmit messages. By employing a timer management mechanism, a retransmission mechanism and a backup (slave) server mechanism, it ensures that the messages exchanged between the RADIUS server and client are processed correctly. Figure 167 illustrates the contents of a RADIUS packet.
Figure 167 RADIUS packet structure: Code | Identifier | Length | Authenticator | Attributes

The Identifier field is used to match request packets with their response packets. It changes whenever the Attribute field changes or a valid response has been received, but remains unchanged during retransmission. The Authenticator field (16 bytes) is used to authenticate the reply from the RADIUS server, and it is also used in the password hiding algorithm. There are two kinds of Authenticator:
■ Request Authenticator: a 16-byte random value.
■ Response Authenticator: the MD5 hash of Code, Identifier, Length, Request Authenticator, Attributes and the shared key, in that order.

The Code field decides the type of RADIUS packet, as shown in Table 597.

Table 597 The Type of Packet Decided by the Code Field

Code  Packet type          Explanation of the packet
1     Access-Request       Direction: Client -> Server. The client transmits the user information to the server to decide whether or not to allow the user access. The packet must contain the User-Name attribute, and may contain such attributes as NAS-IP-Address, User-Password or NAS-Port.
2     Access-Accept        Direction: Server -> Client. If all the Attribute values in the Access-Request packet are acceptable (i.e., the authentication is successful), this type of packet is transmitted.
3     Access-Reject        Direction: Server -> Client. If any Attribute value in the Access-Request packet is not acceptable (i.e., the authentication has failed), this type of packet is transmitted.
4     Accounting-Request   Direction: Client -> Server. The client transmits the user information to the server and requests accounting. The Acct-Status-Type attribute in this packet differentiates an accounting start request from an accounting stop request. The attributes in this packet are almost the same as those in the Access-Request packet; the stop request additionally carries the inbound/outbound bytes, inbound/outbound packets and session time on the interface.
5     Accounting-Response  Direction: Server -> Client. The server informs the client that the Accounting-Request packet has been received and the accounting information correctly recorded.

The Attribute field carries the AAA information proper, and provides the configuration details of request and response packets in the triplet form of type, length and value. Table 598 lists the Attribute types defined by the RFC.
Table 598 Attribute Fields

Type  Attribute type        Type   Attribute type
1     User-Name             23     Framed-IPX-Network
2     User-Password         24     State
3     CHAP-Password         25     Class
4     NAS-IP-Address        26     Vendor-Specific
5     NAS-Port              27     Session-Timeout
6     Service-Type          28     Idle-Timeout
7     Framed-Protocol       29     Termination-Action
8     Framed-IP-Address     30     Called-Station-Id
9     Framed-IP-Netmask     31     Calling-Station-Id
10    Framed-Routing        32     NAS-Identifier
11    Filter-Id             33     Proxy-State
12    Framed-MTU            34     Login-LAT-Service
13    Framed-Compression    35     Login-LAT-Node
14    Login-IP-Host         36     Login-LAT-Group
15    Login-Service         37     Framed-AppleTalk-Link
16    Login-TCP-Port        38     Framed-AppleTalk-Network
17    (unassigned)          39     Framed-AppleTalk-Zone
18    Reply-Message         40-59  (reserved for accounting)
19    Callback-Number       60     CHAP-Challenge
20    Callback-Id           61     NAS-Port-Type
21    (unassigned)          62     Port-Limit
22    Framed-Route          63     Login-LAT-Port

Attribute 26 (Vendor-Specific) in the RADIUS protocol can be easily extended, so that a vendor can define extension attributes. Figure 168 shows the packet structure:

Figure 168 Fragment of the RADIUS packet that includes an extension attribute: Type (26) | Length | Vendor-ID | vendor-specified type | vendor-specified length | specified attribute value

Configuring AAA and RADIUS

Configuring AAA and RADIUS includes the tasks described in the following sections:
■ Enabling and Disabling AAA
■ Configuring the Authentication Method List for Login Users
■ Configuring an Authentication Method List for PPP Users
■ Configuring the Local-First Authentication of AAA
■ Configuring the AAA Accounting Option
■ Configuring a Local IP Address Pool
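The packet layout, the two Authenticator rules and the Vendor-Specific attribute described above, worked through in code. This is an added example and not code from the manual or from 3Com. It reuses the user name abc, the password hello and the shared key 3Com from this chapter's configuration examples; the NAS address 192.0.2.1, the Identifier value 7, the server-side user database and the vendor attribute (type 1 under vendor ID 43, 3Com's IANA enterprise number) are constructed for the demonstration.

```python
"""RADIUS packet build/parse/verify per RFC 2865 (added example, not manual code).
Constructed inputs: NAS 192.0.2.1, Identifier 7, vendor attribute type 1 under
vendor ID 43, user abc / password hello / shared key 3Com from this chapter."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator, so the mask differs for every request."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Server-side inverse; needs the same shared key and Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: Type (1 byte), Length (1 byte, counts the header), Value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Strict TLV walk: a Length below 2 or past the buffer is a malformed packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def encode_vsa(vendor_id, vendor_type, value):
    """Attribute 26 value: 4-byte Vendor-Id, then a vendor-defined TLV."""
    return struct.pack("!I", vendor_id) + encode_attrs([(vendor_type, value)])


def decode_vsa(value):
    return struct.unpack("!I", value[:4])[0], decode_attrs(value[4:])


def response_authenticator(code, identifier, request_auth, body, secret):
    """MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, identifier, HEADER.size + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


def build_response(code, identifier, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    auth = response_authenticator(code, identifier, request_auth, body, secret)
    return HEADER.pack(code, identifier, HEADER.size + len(body), auth) + body


def parse_packet(pkt):
    if len(pkt) < HEADER.size:
        raise ValueError("short packet")
    code, identifier, length, auth = HEADER.unpack_from(pkt)
    if length < HEADER.size or length > len(pkt):
        raise ValueError("bad Length field")
    return code, identifier, auth, pkt[HEADER.size:length]


def verify_response(pkt, request_auth, secret):
    """Client check: the reply was built with the shared key and was not altered."""
    code, identifier, auth, body = parse_packet(pkt)
    expected = response_authenticator(code, identifier, request_auth, body, secret)
    return hmac.compare_digest(auth, expected)


def demo(secret=b"3Com", password=b"hello"):
    """One Access-Request / Access-Accept exchange as in Figure 166."""
    server_db = {b"abc": b"hello"}                     # constructed user database
    request_auth = os.urandom(16)                      # Request Authenticator
    body = encode_attrs([
        (USER_NAME, b"abc"),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),       # constructed NAS address
        (VENDOR_SPECIFIC, encode_vsa(43, 1, b"exec-administrator"))])  # constructed VSA
    req = HEADER.pack(ACCESS_REQUEST, 7, HEADER.size + len(body), request_auth) + body
    # Server side: parse, recover the hidden password, answer Accept or Reject.
    _, ident, auth, body = parse_packet(req)
    attrs = dict(decode_attrs(body))
    recovered = unhide_password(attrs[USER_PASSWORD], secret, auth)
    code = ACCESS_ACCEPT if recovered == server_db.get(attrs[USER_NAME]) else ACCESS_REJECT
    resp = build_response(code, ident, auth, [], secret)
    tampered = bytes([resp[0] ^ 1]) + resp[1:]         # flip Accept <-> Reject on the wire
    return {"user": attrs[USER_NAME], "recovered": recovered, "code": code,
            "vsa": decode_vsa(attrs[VENDOR_SPECIFIC]),
            "verified": verify_response(resp, request_auth, secret),
            "tampered_ok": verify_response(tampered, request_auth, secret),
            "wrong_key_ok": verify_response(resp, request_auth, b"wrong")}
```

The Response Authenticator is the only thing binding an Access-Accept to the shared key: flipping the Code byte or answering with a different key fails verification, but anyone who captures one exchange can test candidate keys offline against that MD5, which is why a key as short as 3Com is a weakness rather than a protection.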
■ Assigning an IP Address for a PPP User
■ Configuring a Local User Database
■ Configuring a RADIUS Server

Enabling and Disabling AAA

Perform the following configurations in system view.

Table 599 Enable/Disable AAA

Operation    Command
Enable AAA   aaa-enable
Disable AAA  undo aaa-enable

By default, AAA is disabled.

Configuring the Authentication Method List for Login Users

An authentication method list defines the authentication methods, including the authentication types which can be executed, and their execution sequence. The list is used in order to authenticate users. Login users are divided into FTP users and EXEC users. EXEC means logging on to the router for configuration through the console port, an asynchronous serial port, Telnet, X.25 PAD calling or a similar method. Both types of user must be authorized in the local user database with the command local-user service-type. If a RADIUS server is used for authentication, the authorization details for the corresponding user (user name and password) must be set on the RADIUS server before it is started.

Perform the following configuration in system view.

Table 600 Configure AAA Login Authentication

Operation                                          Command
Configure login authentication method list of AAA  aaa authentication-scheme login { default | methods-list } [ template server-template-name ] [ method1 ] [ method2 ]…
Delete login authentication method list of AAA     undo aaa authentication-scheme login { default | methods-list }

By default, the login method list is aaa authentication-scheme login default local. If the user does not define methods-list, the execution sequence of the default method list is used.

Method here refers to the authentication method. The authentication methods are:
■ radius: authentication with the RADIUS server
■ local: local authentication
■ none: access is granted to all users without authentication

While configuring the authentication method list, at least one authentication method must be designated. If multiple authentication methods are designated, then at the time of login authentication a subsequent method is used only when there is no response from the preceding method. If authentication fails (the preceding method responds with a rejection), authentication is terminated and the later methods are not consulted. The none method is meaningful only when it is the last item of the method list. Because a later method is reached only on no response, radius none means that whenever the RADIUS server is unreachable every login is accepted without a password.

Note that only one login method list can be configured, which can use a different name from the previously configured list. The latest configured authentication method list replaces the former one. All login services using AAA use this method list. The five legal combinations of the methods are as follows:
■ aaa authentication-scheme login default none
■ aaa authentication-scheme login default local
■ aaa authentication-scheme login default radius
■ aaa authentication-scheme login default radius none
■ aaa authentication-scheme login default radius local

Configuring an Authentication Method List for PPP Users

Perform the following configuration in system view.

Table 601 Configure PPP Authentication Method List of AAA

Operation                                        Command
Configure PPP authentication method list of AAA  aaa authentication-scheme ppp { default | methods-list } { method1 [ method2 ... ] }
Cancel PPP authentication method list of AAA     undo aaa authentication-scheme ppp { default | methods-list }

By default, the method list for PPP login users is aaa authentication-scheme ppp default local. If the user does not define methods-list, the execution sequence of the default method list is used.

Method here refers to the authentication method. The authentication methods are:
■ radius: authentication using the RADIUS server
■ local: local authentication
■ none: access is granted to all users without authentication

While configuring the authentication method list, at least one authentication method must be designated. If multiple authentication methods are designated, then in PPP authentication a subsequent method is used only when there is no response from the preceding method. If authentication fails after a preceding method has responded, authentication is terminated. The none method is meaningful only when it is the last item of the method list.

There are five legal combinations of the methods:
■ aaa authentication-scheme ppp default none
■ aaa authentication-scheme ppp default local
■ aaa authentication-scheme ppp default radius
■ aaa authentication-scheme ppp default radius none
■ aaa authentication-scheme ppp default radius local

Different PPP authentication method lists can be configured for different interfaces.

Configuring the Local-First Authentication of AAA

When local-first authentication is configured, the user is authenticated locally first. If local authentication fails, the authentication method configured in the method list is used instead. Once local-first authentication is configured, it applies to all users using PPP and login.

Perform the following configurations in system view.

Table 602 Configure AAA Local-First Authentication

Operation                           Command
Enable local-first authentication   aaa authentication-scheme local-first
Disable local-first authentication  undo aaa authentication-scheme local-first

By default, local-first authentication is disabled.

Configuring the AAA Accounting Option

If no RADIUS accounting server is available, or communication with the RADIUS accounting server fails, a user who cannot be accounted for is disconnected. If the aaa accounting-scheme optional command is configured, such a user is not disconnected and can still use the network resources.

Perform the following configurations in system view.

Table 603 Configure AAA Accounting Option

Operation                          Command
Turn on the accounting option      aaa accounting-scheme optional
Turn off the accounting option     undo aaa accounting-scheme optional

By default, the accounting option is disabled and users are accounted for (charged). When the method list designated by the user is none, accounting is unnecessary.

Configuring a Local IP Address Pool

A local address pool is mainly used to assign an IP address to users who log in through remote PPP. If the end IP address of the pool is not specified when the IP address pool is defined, the address pool contains only one IP address.

Perform the following configurations in system view.

Table 604 Configure Local IP Address Pool

Operation                        Command
Configure local IP address pool  ip pool pool-number low-ip-address [ high-ip-address ]
Cancel local IP address pool     undo ip pool pool-number

By default, no address pool is defined by the system.
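The fall-through rules for login and PPP method lists (a later method is consulted only when the earlier one gives no response, a rejection ends authentication, none is meaningful only as the last method) and the local-first option, simulated in code so the difference between "RADIUS rejected" and "RADIUS did not answer" can be checked. This is an added example and not the router's code. The user databases and the reachable/unreachable RADIUS server are constructed inputs; the local database holds abc/hello as in the console-port example at the start of this page, and the outcome when no method answers at all is not stated on the page and is assumed here to be a denial.

```python
"""Walk an AAA authentication method list the way this section describes it.
Added example, not the router's code. Databases and server reachability are
constructed; 'no method responded' is assumed to deny (not stated on the page)."""

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"


def local(db):
    """'local' method: the router's own user database always answers."""
    return lambda user, pw: ACCEPT if db.get(user) == pw else REJECT


def radius(db, reachable=True):
    """'radius' method: a server that either times out or answers."""
    def auth(user, pw):
        if not reachable:
            return NO_RESPONSE
        return ACCEPT if db.get(user) == pw else REJECT
    return auth


def none(user, pw):
    """'none' method: every user is accepted without authentication."""
    return ACCEPT


def check_method_list(methods):
    """The two rules from the text: at least one method, and 'none' only as
    the last entry (an entry after it could never be reached)."""
    names = [name for name, _ in methods]
    if not names:
        raise ValueError("at least one authentication method is required")
    if "none" in names[:-1]:
        raise ValueError("none is meaningful only as the last method")
    return names


def authenticate(methods, user, pw, local_first=None):
    """methods: ordered list of (name, callable), e.g. the 'radius local'
    scheme. Returns (decision, method that decided). A later method is tried
    only when the earlier one did not respond; an explicit reject ends the
    attempt. With local-first, the local database is tried before the list
    and only a local failure falls through to it."""
    check_method_list(methods)
    if local_first is not None and local_first(user, pw) == ACCEPT:
        return ACCEPT, "local-first"
    for name, method in methods:
        result = method(user, pw)
        if result != NO_RESPONSE:
            return result, name
    return REJECT, "no method responded"   # assumed: deny, not accept


def scenarios():
    """Constructed cases: local db holds abc/hello (console example), the
    RADIUS server holds a different password for abc."""
    local_db, radius_db = {"abc": "hello"}, {"abc": "secret1"}
    up, down = radius(radius_db, reachable=True), radius(radius_db, reachable=False)
    radius_local = [("radius", up), ("local", local(local_db))]
    return {
        # radius local, server up, RADIUS password given: accepted by RADIUS
        "radius_accepts": authenticate(radius_local, "abc", "secret1"),
        # radius local, server up, local password given: RADIUS rejects and
        # local is NOT consulted even though it would have accepted
        "radius_rejects": authenticate(radius_local, "abc", "hello"),
        # radius local, server unreachable: falls through to local
        "radius_down_local": authenticate(
            [("radius", down), ("local", local(local_db))], "abc", "hello"),
        # radius none, server unreachable: anyone gets in, password or not
        "radius_down_none": authenticate(
            [("radius", down), ("none", none)], "mallory", "x"),
        # local-first with radius local: local decides before RADIUS is asked
        "local_first": authenticate(radius_local, "abc", "hello",
                                    local_first=local(local_db)),
    }
```

The radius_rejects and radius_down_local cases are the pair to remember: radius local is a fallback for an outage, not a second chance for a wrong password, and radius none converts an outage (or an attacker blocking UDP to the server) into open access.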