Friday, September 22, 2017

Summary on the RADIUS Authentication Implemented on Huawei OLT

Some FAQs in the implementation of RADIUS authentication:

Q: By default, the username reported to the RADIUS server includes the domain name. You can run the undo radius-server user-name domain-included command to exclude it. After this configuration, does the domain name still need to be included in the username when logging in to the device?
A: Yes. The domain name must still be included in the username for logging in to the device, regardless of whether the undo radius-server user-name domain-included command has been run to exclude the domain name from the username reported to the RADIUS server.

Q: There are two domains on the MA5600T after RADIUS authentication is configured: a default domain and a huawei domain authenticated by RADIUS. If the default domain is deleted, does the domain name need to be included in the username for login?
A: MA5600T (V800R006C02): whether the user uses the default username or a configured username, the domain name must be included in the username for login. MA5600T (V800R007 and later versions): the username can be configured by running the terminal user authentication-mode AAA domain-name command. After this configuration, the system automatically adds a domain name to the username when the user logs in for RADIUS authentication.

Q: Can the usernames of RADIUS-authenticated users be displayed by running the display terminal user command?
A: The display terminal user command is used to query only users without domain names.

Q: Why is the user authority for RADIUS authentication limited, with no support for config mode?
A: A user with a domain name has limited authority on the RADIUS server; the priority must be set to 2 on the RADIUS server for the user to enter config mode.

Q: Does the Huawei OLT support a configuration in which a local account can be used only when the user logs in through a serial port, but not when the user logs in remotely?
A: MA5600T V800R006C02 does not support this. MA5600T V800R007 and later versions support this configuration for some accounts (excluding the root and admin accounts): run the terminal user authentication-mode AAA domain-name command to set the authentication mode of the terminal user to AAA. In this case:
  • The system can add @huawei to a username that has no domain name.
  • An AAA account can be used to log in remotely and passes authentication. If a local account is used to log in remotely, it fails authentication; the exception is the root and admin accounts, which pass authentication for remote login, while other local accounts do not.
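The FAQ entries above describe three interacting settings: whether the domain is kept in the username reported to RADIUS, whether the AAA domain-name mode appends @huawei automatically, and which local accounts may still log in remotely. The following is an added example (not Huawei code, and not from this blog) that models those rules as a single decision function so an operator can check what User-Name the RADIUS server would see and which logins fall back to local accounts. The class and function names, the ops1 local account, and the idea of a priority value returned by RADIUS are all assumptions made for the illustration; the FAQ only states that the priority must be 2 for config mode.

```python
"""Model of the username-handling rules in the FAQ above.

Added illustration, not Huawei code.  OltAuthConfig, resolve_login and the
'ops1' account are constructed for the example; the behaviour encoded here is
only what the FAQ states for MA5600T V800R006C02 and V800R007+.
"""
from dataclasses import dataclass, field

RADIUS_DOMAIN = "huawei"                          # domain authenticated by RADIUS (from the FAQ)
ALWAYS_REMOTE_OK = frozenset({"root", "admin"})   # local accounts the FAQ exempts
CONFIG_MODE_PRIORITY = 2                          # priority RADIUS must return for config mode


@dataclass
class OltAuthConfig:
    # True by default; 'undo radius-server user-name domain-included' makes it False.
    domain_included: bool = True
    # True after 'terminal user authentication-mode AAA domain-name' (V800R007+).
    aaa_domain_name: bool = False
    # Local accounts defined on the OLT (constructed sample data).
    local_users: frozenset = field(default_factory=lambda: frozenset({"root", "admin", "ops1"}))


@dataclass
class LoginDecision:
    outcome: str                # "local", "radius" (forwarded to the server) or "rejected"
    radius_user_name: str = ""  # User-Name the OLT would report to RADIUS, if any
    config_mode: bool = False   # only meaningful for RADIUS users; local privilege not modelled


def _radius_decision(cfg, user, domain, radius_priority):
    """Build the decision for a user authenticated through the RADIUS domain."""
    reported = f"{user}@{domain}" if cfg.domain_included else user
    return LoginDecision("radius", reported,
                         config_mode=(radius_priority == CONFIG_MODE_PRIORITY))


def resolve_login(cfg, login_name, remote=True, radius_priority=None):
    """Apply the FAQ rules to one login attempt.

    remote=False models a serial-port login; radius_priority models the
    priority the RADIUS server returns for the user (assumed attribute).
    """
    user, _, domain = login_name.partition("@")

    if domain:
        # A username typed with a domain is an AAA (RADIUS) user.  The
        # domain is dropped from the reported name only if the
        # 'domain-included' setting was undone; login still needed it.
        return _radius_decision(cfg, user, domain, radius_priority)

    if not cfg.aaa_domain_name:
        # Default mode: RADIUS users must type the domain themselves, so a
        # bare name only works for a local account, from any access method.
        if user in cfg.local_users:
            return LoginDecision("local")
        return LoginDecision("rejected")

    # AAA domain-name mode (V800R007+).
    if user in ALWAYS_REMOTE_OK:
        return LoginDecision("local")            # root/admin pass remote login
    if user in cfg.local_users:
        if remote:
            return LoginDecision("rejected")     # other local accounts: serial port only
        return LoginDecision("local")
    # Not a local account: the OLT appends @huawei and authenticates via RADIUS.
    return _radius_decision(cfg, user, RADIUS_DOMAIN, radius_priority)


if __name__ == "__main__":
    for cfg_name, cfg in (("default", OltAuthConfig()),
                          ("aaa-domain-name", OltAuthConfig(aaa_domain_name=True))):
        for name, remote in (("alice@huawei", True), ("alice", True),
                             ("ops1", True), ("ops1", False), ("admin", True)):
            print(cfg_name, name, "remote" if remote else "serial",
                  resolve_login(cfg, name, remote, radius_priority=2))
```

Running the module prints one decision per combination; the two cases worth watching in production are a local account that still works remotely in the default mode, and a RADIUS user whose reported User-Name no longer carries the domain after the undo command, which changes what the RADIUS server must match.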

1 comment:

  1. Hi,

    Thank you for sharing this helpful information.

    Please write more blogs like this as well.

    We provide network security for Radius Authentication to all sizes of businesses. Contact the Foxpass team if you or anyone else wants this security system for their business.
