3Com Router User Manual
Configuring AAA and RADIUS 537

The pool-number ranges from 0 to 99. Addresses in each address pool must be consecutive, and each address pool can have at most 256 addresses.

Assigning an IP Address for a PPP User

For a user accessing the Internet through remote PPP dialing, the system either specifies an address or allocates an unoccupied address selected from a local address pool to the user. Perform the following configurations in interface view.

Table 605 Assign IP Address for PPP User

Operation                          Command
Assign IP address for PPP user     remote address { ip-address | pool [ pool-number ] }
Cancel IP address of PPP user      undo remote address

By default, pool-number is 0.

Configuring a Local User Database

When a user dials in to access the network, user information is looked up in the local user database according to the following steps:

1 Information about the user is sought in the local database. If the information is present, the login of the user is permitted.
2 If the user information is not in the local database and RADIUS server authentication is configured, the user information is sent to the RADIUS server for authentication. If authentication succeeds, the user can log on normally. Otherwise, the user is rejected.
3 If the user information is not in the local database and RADIUS server authentication is not configured, the login of the user is rejected.

Various configuration tasks conducted in the local user database can be nested or combined, and all local user database settings can be configured in one command. Perform the following configurations in system view.

Configure a User and Password

The user and the local authentication password can be configured in the local database.

Table 606 Configure Ordinary User and Password

Operation                          Command
Configure the user and password    local-user user-name [ password { simple | cipher } password ] ...
Delete the user                    undo local-user user-name

user-name can be a character string or number of 1 to 32 characters. password can be a character string or number of 1 to 16 characters.

Configure Callback User

In the callback technique, the client on the user side first originates a call and requests a callback from the server. The server receives the call and decides whether to call back.
538 CHAPTER 38: CONFIGURING AAA AND RADIUS PROTOCOL

The callback technique enhances security. When processing a callback, the server calls the client at the call number configured locally, so a leaked user name or password alone does not give access from an arbitrary line. The server can also classify call-in requests, according to its configuration, as refuse call, accept call (no callback) or accept callback. This serves to apply different limitations to different clients and to keep control over resource access when calls come in.

The callback technique has the following advantages:

■ Saves communication expenses, especially when the call charge rates of the two directions are different
■ Changes the bearer of the call charge
■ Combines call charge lists

The security devices in 3Com routers support two kinds of callback: ISDN caller authentication callback and callback in which PPP participates. ISDN caller authentication callback does not involve PPP; it directly authenticates whether the call-in number matches the number configured on the server. Hence only the server end needs a corresponding configuration, and the client needs no modification.

Table 607 Configure Callback User and the Callback Number

Operation                                              Command
Configure the callback user and the callback number    local-user user [ callback-number number ] ...
Delete the callback user and the callback number       undo local-user user

A RADIUS server can be configured with callback-number, which is equivalent to the number defined locally. If aaa authentication-scheme ppp default radius is configured, the locally configured number is invalid and the number passed to PPP is decided by the callback-number set on the RADIUS server. If aaa authentication-scheme ppp default radius local is configured, local authentication is used only when the RADIUS server does not respond, and in that case the locally defined number can work. If aaa authentication-scheme ppp default none is configured, the locally defined number does not work.

Configure User with Caller Number

After users with caller numbers are configured, the caller numbers of users calling in can be authenticated in turn. At present, only ISDN users can be configured as this type of user.

Table 608 Configure User with Caller Number

Operation                             Command
Configure a user with caller number   local-user user [ call-number number ] [ :sub-number ] ...
Delete a user with caller number      undo local-user user-name

Configure FTP User and the Usable Directory

An FTP user and the FTP directory available to the user can be configured in the local database. This function is currently reserved for future extension.
Table 609 Configure FTP User and the Usable Directory

Operation                                        Command
Configure an FTP user and the usable directory   local-user user [ ftp-directory directory ] ...
Delete an FTP user and the usable directory      undo local-user user

Authorize a User with Usable Service Types

The services that a user may use are authorized in the local database. Presently there are five service types, which are listed as follows:

■ exec refers to operations that include logging in to the router and configuring it via Telnet or other means (such as the Console port, AUX port, X.25 PAD call, etc.).
■ exec-administrator: an authorized “administrator” user can use EXEC. EXEC refers to the operation of logging in to the router by means of Telnet or through the Console port, AUX port and X.25 PAD.
■ exec-guest: an authorized “guest” user can use EXEC.
■ exec-operator: an authorized “operator” user can use EXEC.
■ ftp refers to operations that include logging on to the router via file transfer so as to use the corresponding services.
■ ppp refers to the remote dial-in service used by the user.

When a single service is authorized to a user, it is only necessary to configure one of the exec, ftp and ppp parameters after service-type. When multiple services are authorized to a user, two or more of the above parameters must be given in the same command rather than by repeating the command, because a new service-type overwrites the old one instead of being added to it.

Table 610 Configure Authorizing a User with Usable Service Types

Operation                                           Command
Configure authorizing a user with usable services   local-user user [ service-type { exec-administrator | exec-guest | exec-operator | ftp | ppp } ... ] ...
Delete authorizing a user with usable services      undo local-user user-name

By default, users are authorized to use services of the PPP type.

Configure RADIUS Server

Perform the following configurations in system view.

Configure IP Address, Authentication Port Number and Accounting Port Number of the Server Host

At most 3 RADIUS servers can be configured for a user. RADIUS follows the principles below to select the authentication and accounting server:

■ Servers are used in the sequence in which they are configured.
■ When the RADIUS server used first does not respond, the succeeding servers are used in sequence.

When the authentication or accounting port number is configured as 0, the client does not use the authentication or accounting function provided by that server.

Table 611 Configure IP Address, Authentication Port Number and Accounting Port Number

Operation                                                                                                 Command
Configure IP address (or host name), authentication port number and accounting port number of RADIUS server host   radius server { hostname | ip-address } [ authentication-port port-number ] [ accounting-port port-number ]
Cancel RADIUS server with designated host address or host name                                            undo radius server { hostname | ip-address }

The default authentication port number is 1812. When configured as 0, this server is not used as an authentication server. The default accounting port number is 1813. When configured as 0, this server is not used as an accounting server.

Configure RADIUS Server Shared Secret

The shared secret is used to encrypt the user password and to generate the response authenticator. When RADIUS sends authentication messages, MD5 encryption keyed with the shared secret is applied to important information such as passwords, so that the authentication information is protected while it crosses the network. To ensure that each party can validate the other, the secret key on the router must be the same as the one set on the RADIUS server; otherwise the router cannot pass authentication on the RADIUS server.

Table 612 Configure RADIUS Server Shared Secret

Operation                                   Command
Configure shared secret of RADIUS server    radius shared-key string
Delete shared secret of RADIUS server       undo radius shared-key

By default, no key is configured for the RADIUS server.

Configure the Time Interval at Which the Request Packet is Sent Before the RADIUS Server Fails

To determine whether a RADIUS server is unavailable, the router sends authentication request packets to the RADIUS server periodically.

Table 613 Configure the Time Interval at Which the Request Packet is Sent Before RADIUS Server Fails

Operation                                                                                        Command
Configure the time interval at which the authentication request packet is sent                   radius timer response-timeout seconds
Restore default value of the time interval at which the authentication request packet is sent    undo radius timer response-timeout

By default, the timeout interval is 10 seconds. The range is from 1 to 65535 seconds.
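What the shared secret actually does on the wire, as an added worked example that is not part of this manual and is not 3Com code: RFC 2865 User-Password hiding (the MD5-based scrambling the text above calls encryption) and the Response Authenticator that lets the router check a reply. The example builds a minimal Access-Request, a toy server that recovers the password with its own copy of the secret and signs its reply, and the check the client performs on that reply. The user name abc, password hello and key this-is-my-secret are taken from the configuration examples later in this chapter; the fixed Request Authenticator used in demo() is a constructed value, and a real client draws a fresh random one per request.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes,
    then XOR each block with MD5(secret + previous hidden block); the first block
    is masked with MD5(secret + Request Authenticator)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 password octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as run on the server; NUL padding is stripped."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type / Length / Value; Length counts the two header bytes."""
    return bytes([attr_type, len(value) + 2]) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_request(user: bytes, password: bytes, secret: bytes, ident: int,
                   request_auth: bytes = None):
    """Client side: returns the Access-Request and the Request Authenticator the
    client must keep in order to validate the reply."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def serve(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy server: parse the request, recover the password with its own copy of
    the secret, and return a signed Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = request[pos], request[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = request[pos + 2:pos + attr_len]
        pos += attr_len
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    verdict = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    return packet(verdict, ident,
                  response_authenticator(verdict, ident, b"", request_auth, secret), b"")


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: trust the reply only if its authenticator was computed with
    the same secret over this request's Request Authenticator."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def demo():
    """Constructed run: matching keys accept; a mismatched key fails on both sides."""
    secret, users = b"this-is-my-secret", {b"abc": b"hello"}
    fixed_auth = bytes(range(16))   # constructed; real clients use os.urandom(16)
    request, request_auth = access_request(b"abc", b"hello", secret, 7, fixed_auth)
    reply = serve(request, secret, users)
    return (reply[0],
            verify_reply(reply, request_auth, secret),
            verify_reply(reply, request_auth, b"other-key"),
            serve(request, b"other-key", users)[0])
```

The two failure cases are the ones the section warns about: a server holding a different key recovers garbage instead of the password and rejects the user, and a reply signed with a different key fails the authenticator check on the router. RFC 2865 calls this password hiding rather than encryption; the mask is derived from MD5 of the shared secret, so the strength of that secret and the privacy of the link between the router and the server carry the protection.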
Configure the Request Retransmission Times

If the RADIUS server fails to respond, the router sends the authentication request packet again periodically: when no response is received within the configured timeout, the request packet is retransmitted. The user can set the maximum number of retransmissions; when this number is exceeded, the system considers the server to have failed and sets it to dead.

Table 614 Configure the Times of Request Retransmission

Operation                                                   Command
Configure the times of request retransmission               radius retry times
Restore default value of times of request retransmission    undo radius retry

By default, the number of request retransmissions is three, and the number ranges from 1 to 255.

Configure the Time Interval at Which the Inquiry Packet is Sent

After the first RADIUS server breaks down (because of a line failure between the NAS and the server, or a RADIUS process failure), the system sets this server to dead and periodically queries whether it can work normally again. If the server is found to work normally, then when the currently used server breaks down, the system automatically uses the first one again.

Table 615 Configure the Time Interval for the Inquiry Packet

Operation                                                                                         Command
Configure the time interval at which the inquiry packet is sent after RADIUS server breaks down   radius timer quiet minutes
Restore default value of time interval at which the inquiry packet is sent                        undo radius timer quiet

By default, the inquiry packet is sent at intervals of 5 minutes after the RADIUS server fails, and the interval ranges from 1 to 255 minutes.

Configure the Time Interval at Which the Real-Time Accounting Packet is Sent to the RADIUS Server

After a user passes authentication, the NAS sends the user's real-time accounting information to the RADIUS server periodically. If a real-time accounting request fails, the user is handled according to the aaa accounting-scheme optional command: if aaa accounting-scheme optional has been configured, the user can continue to use the network services; otherwise the NAS disconnects the user. Usually the server sends the accounting packet only at access time and disconnection time, but for higher reliability the interval at which the real-time accounting packet is sent to the RADIUS server can be configured.

Table 616 Configure the Time Interval

Operation                                                                                        Command
Configure the time interval at which the real-time accounting packet is sent to RADIUS server    radius timer realtime-accounting-scheme minutes
Restore default value of the time interval at which the real-time accounting packet is sent      undo radius timer realtime-accounting

By default, the real-time accounting packet is sent to the RADIUS server at an interval of 0 minutes, which means that real-time accounting is disabled. The interval ranges from 0 to 32767 minutes.

Displaying and Debugging AAA and RADIUS

Use the debugging and display commands in all modes.

Table 617 Display and debug AAA and RADIUS

Operation                                     Command
Display status of dial-in users               display aaa user
View local user database                      display user
Enable RADIUS event debugging                 debugging radius event
Enable RADIUS packet debugging                debugging radius packet
Enable RADIUS primitive language debugging    debugging radius primitive

AAA and RADIUS Configuration Examples

This section provides examples of using AAA and RADIUS within a network, with a suggested procedure for each configuration.

Accessing User Authentication Case 1

The RADIUS server is used for authentication. 129.7.66.66 acts as the first authentication and accounting server, and 129.7.66.67 as the second authentication and accounting server, both using the default authentication port number 1812 and the default accounting port number 1813.
Figure 169 Networking diagram of typical AAA and RADIUS configuration

[Figure 169: Router1 and Router2 connect through modems to the ISDN/PSTN and the network to be accessed; RADIUS authentication server 129.7.66.66, RADIUS accounting server 129.7.66.67, RADIUS authentication & accounting server 129.7.66.68]

1 Enable AAA and configure the default authentication method list for PPP users.
    [Router] aaa-enable
    [Router] aaa authentication-scheme ppp default radius
2 Configure the IP address and port of the RADIUS servers.
    [Router] radius server 129.7.66.66
    [Router] radius server 129.7.66.67
3 Configure the RADIUS server shared secret, retransmission times, and accounting option.
    [Router] radius shared-key this-is-my-secret
    [Router] radius retry 2
    [Router] aaa accounting-scheme optional
    [Router] radius timer response-timeout 5

Accessing User Authentication Case 2

129.7.66.66 acts as the first authentication and accounting server, with port numbers 1000 and 1001 respectively. 129.7.66.67 acts as the second authentication and accounting server, with port numbers 1812 and 1813 respectively. Authenticate by the local database first and, if there is no response, use the RADIUS server. Charge all users in real time; the real-time accounting packet is sent at an interval of 5 minutes. See Figure 169.

1 Enable AAA and configure the default authentication method list for PPP users.
    [Router] aaa-enable
    [Router] aaa authentication-scheme ppp default radius
2 Configure local-first authentication.
    [Router] aaa authentication-scheme local-first
3 Configure the RADIUS servers.
    [Router] radius server 129.7.66.66 authentication-port 1000 accounting-port 1001
    [Router] radius server 129.7.66.67
4 Configure the RADIUS server shared secret, retransmission times, and length of the timeout timer.
    [Router] radius shared-key this-is-my-secret
    [Router] radius retry 2
5 Configure real-time accounting with an interval of 5 minutes.
    [Router] radius timer realtime-accounting 5

Authenticating an FTP User

The authentication server is 129.7.66.66, with port numbers 1812 and 1813. Authenticate and charge FTP users using the RADIUS server first and, if there is no response, do not authenticate or charge them. See Figure 169.

1 Enable AAA and configure the default authentication method list for FTP users.
    [Router] aaa-enable
    [Router] aaa authentication-scheme login default radius none
2 Enable the FTP server.
    [Router] ftp-server enable
3 Configure user abc and authorize the user to use the FTP service.
    [Router] local-user abc service-type ftp password simple hello
4 Configure the RADIUS server IP address and port, using the default port numbers.
    [Router] radius server 129.7.66.66
5 Configure the RADIUS server shared secret, retransmission times, timeout and RADIUS server dead time.
    [Router] rad shared-key this-is-my-secret
    [Router] radius retry 4
    [Router] radius timer response-timeout 2
    [Router] radius timer quiet 1

Troubleshooting AAA and RADIUS

Local user authentication is always rejected

Follow the steps below.

1 Check whether the correct password has been configured in the local-user command.
2 Check whether the authorized service-type is correct.
3 When RADIUS server accounting is used and the command aaa accounting-scheme optional is not configured, check whether the RADIUS server can be pinged. Also check whether the address, port number and key of the RADIUS server configured on the router for accounting are identical to those on the RADIUS server in use.
4 If the operations above do not work, use the radius server command to reconfigure the RADIUS server. Because of the communication failure with the RADIUS server mentioned above, the system considers the RADIUS server unavailable. Moreover, since the radius timer quiet command has not been configured (the default is 5 minutes), or a relatively long dead time has been configured, the system does not yet know that the server has recovered. Use the undo radius server command to delete the original RADIUS server, then reconfigure it with the radius server command to activate the server immediately.
5 If none of the above operations work, check whether the RADIUS server has been configured correctly, and whether the modification has been activated.

A user's RADIUS authentication is always rejected

Follow the steps below.

1 Check whether the user name, password and service type are set correctly on the RADIUS server.
2 Check whether the RADIUS server can be pinged. Check whether the address, port number and key of the RADIUS server configured on the router are identical to those of the RADIUS server in use.
3 Use the radius server command to reconfigure the RADIUS server. Because of the communication failure with the server, the system may consider the RADIUS server unavailable. Since the radius timer quiet command has not been configured (the default is 5 minutes), or a relatively long dead time has been configured, the system does not yet know that the server has recovered. Use the undo radius server command to delete the original RADIUS server, then reconfigure it with the radius server command to activate the server immediately.
4 Check whether the RADIUS server has been configured correctly, and whether the modification just made has been activated.

A connected user cannot be seen in display aaa user

Follow the steps below.

1 Check whether AAA has been enabled.
2 Check whether the authentication method list contains none, because users authenticated with the none method are not displayed by the display aaa user command.
No authentication is configured, yet users are still authenticated

Follow the step below.

1 AAA has been enabled, and the default method in the AAA default authentication method list is “local”. To disable authentication, aaa authentication-scheme ppp default none must be configured. Note that undo aaa authentication-scheme ppp default only deletes the configured default method and restores local authentication; it does not disable authentication.
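The server selection, retransmission and dead-time rules from the Configure RADIUS Server sections, together with the troubleshooting advice above about reactivating a server with undo radius server and radius server, as an added Python model that is not part of this manual and is not 3Com code. The transport is a constructed callable (None meaning no response), the clock is a fake so the quiet timer can be advanced by hand, the quiet timer is kept in seconds for the model, and counting one send plus `retries` retransmissions is an assumption about how the manual counts. The model also evaluates the method lists used in the configuration examples (radius local, radius none), where a later method is used only when no RADIUS server responds, as the chapter states for aaa authentication-scheme ppp default radius local.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RadiusServer:
    address: str
    auth_port: int = 1812                # 0: this server is not used for authentication
    dead_since: Optional[float] = None   # None: the server is considered alive


Verdict = Optional[str]   # "accept", "reject", or None when the server does not respond
SendFn = Callable[[RadiusServer, bytes, bytes], Verdict]


@dataclass
class RadiusClient:
    servers: List[RadiusServer]          # at most 3, used in the order configured
    response_timeout: float = 10.0       # radius timer response-timeout (seconds)
    retries: int = 3                     # radius retry
    quiet: float = 5 * 60                # radius timer quiet (5 minutes, kept in seconds here)
    clock: Callable[[], float] = time.monotonic
    log: List[str] = field(default_factory=list)

    def usable(self, srv: RadiusServer) -> bool:
        if srv.auth_port == 0:
            return False
        if srv.dead_since is None:
            return True
        # Model assumption: when the quiet timer expires the dead server is simply
        # tried again; the router instead probes it with inquiry packets.
        if self.clock() - srv.dead_since >= self.quiet:
            srv.dead_since = None
            self.log.append(f"{srv.address}: quiet timer expired, trying it again")
            return True
        return False

    def reconfigure(self, address: str) -> None:
        # Effect of 'undo radius server' + 'radius server' in the troubleshooting
        # steps: the dead state is cleared at once instead of after the quiet timer.
        for srv in self.servers:
            if srv.address == address:
                srv.dead_since = None
                self.log.append(f"{address}: reconfigured, marked alive")

    def request(self, send: SendFn, user: bytes, password: bytes) -> Optional[Tuple[str, str]]:
        # Servers in order; each gets one send plus `retries` retransmissions (an
        # assumption about how the manual counts) before it is marked dead.
        for srv in self.servers:
            if not self.usable(srv):
                continue
            for attempt in range(1 + self.retries):
                verdict = send(srv, user, password)
                if verdict is not None:
                    return srv.address, verdict
                self.log.append(f"{srv.address}: attempt {attempt + 1} timed out after {self.response_timeout}s")
            srv.dead_since = self.clock()
            self.log.append(f"{srv.address}: marked dead for {self.quiet}s")
        return None   # no configured server answered


def authenticate(client: RadiusClient, methods: List[str], local_db: Dict[bytes, bytes],
                 user: bytes, password: bytes, send: SendFn) -> str:
    # Method list such as ["radius", "local"] or ["radius", "none"]: a later method is
    # used only when no RADIUS server responds; an Access-Reject is final.
    for method in methods:
        if method == "none":
            return "accept"
        if method == "local":
            return "accept" if local_db.get(user) == password else "reject"
        if method == "radius":
            result = client.request(send, user, password)
            if result is None:
                client.log.append("no RADIUS server responded, trying the next method")
                continue
            return result[1]
    return "reject"


class FakeClock:   # constructed clock so the quiet timer can be advanced by hand
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> List[str]:
    # Constructed run: the first server of Case 1 never answers, the second does.
    clock = FakeClock()
    client = RadiusClient([RadiusServer("129.7.66.66"), RadiusServer("129.7.66.67")],
                          retries=2, clock=clock)

    def first_server_down(srv: RadiusServer, user: bytes, password: bytes) -> Verdict:
        if srv.address == "129.7.66.66":
            return None
        return "accept" if (user, password) == (b"abc", b"hello") else "reject"

    client.request(first_server_down, b"abc", b"hello")   # .66 times out and is marked dead; .67 accepts
    client.request(first_server_down, b"abc", b"hello")   # .66 skipped, no timeout paid
    clock.now += client.quiet                              # quiet timer expires
    client.request(first_server_down, b"abc", b"hello")   # .66 tried again, dead again
    client.reconfigure("129.7.66.66")                      # troubleshooting step 4
    return client.log
```

Two points worth taking from the model: a dead server is skipped for the whole quiet interval, so reconfiguring it is the only way to bring it back at once, which is exactly why the troubleshooting steps say to delete and re-add it; and a method list ending in none accepts every user while all RADIUS servers are silent, which is the trade-off the FTP example accepts and should be chosen knowingly.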