R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101
# Specify the accounting method for Telnet users as none.
[FirewallA-isp-bbb] accounting login none
# Configure the RADIUS server type as standard. When a network device is configured to be a RADIUS server, the server type must be set to standard.
[FirewallA-isp-bbb] server-type standard
[FirewallA-isp-bbb] quit
# Configure bbb as the default ISP domain. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain will be used for the user.
[FirewallA] domain default enable bbb
2. Configure the RADIUS server
# Create RADIUS user aaa and enter its view.
<FirewallB> system-view
[FirewallB] radius-server user aaa
# Configure the simple-text password for user aaa as aabbcc.
[FirewallB-rdsuser-aaa] password simple aabbcc
[FirewallB-rdsuser-aaa] quit
# Specify the IP address of the RADIUS client as 10.1.1.1 and the shared key as abc.
[FirewallB] radius-server client-ip 10.1.1.1 key abc
3. Verify the configuration
After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Firewall A. Use the display connection command to view the connection information on Firewall A.
<FirewallA> display connection
Index=1 ,Username=aaa@bbb
IP=192.168.1.2
IPv6=N/A
Total 1 connection(s) matched.
Troubleshooting AAA
Troubleshooting RADIUS
Symptom 1
User authentication/authorization always fails.
Analysis
1. A communication failure exists between the NAS and the RADIUS server.
2. The username is not in the format of userid@isp-name, or the ISP domain used for user authentication is not correctly configured on the NAS.
3. The user is not configured on the RADIUS server.
4. The password entered by the user is incorrect.
5. The RADIUS server and the NAS are configured with different shared keys.
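Added example (not part of the HP guide): cause 5 above, shown with the standard RADIUS User-Password hiding from RFC 2865 section 5.2. The NAS hides the password with MD5 over its shared key and the Request Authenticator, so a server holding a different key recovers garbage and rejects a correct password. The password aabbcc and key abc are the guide's sample values (the NAS is assumed to hold the same key abc); the mismatched key abd and the fixed authenticator are constructed for the demonstration.

```python
import hashlib
import hmac

def _keystream_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # One 16-byte step: block XOR MD5(shared key + previous ciphertext block).
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: build the User-Password attribute value (RFC 2865, 5.2)."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1-128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the server's copy of the shared key."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _keystream_xor(block, secret, prev)
        prev = block
    return clear.rstrip(b"\x00")

def server_accepts(hidden, server_key, authenticator, stored_password) -> bool:
    # Constant-time comparison of the recovered and the stored password.
    recovered = recover_password(hidden, server_key, authenticator)
    return hmac.compare_digest(recovered, stored_password)

# Constructed Request Authenticator (random per request on a real NAS).
AUTHENTICATOR = bytes(range(16))
# The NAS hides the guide's sample password with the key "abc" (assumed match).
HIDDEN = hide_password(b"aabbcc", b"abc", AUTHENTICATOR)

if __name__ == "__main__":
    for key in (b"abc", b"abd"):  # "abd" is a constructed mismatched key
        got = recover_password(HIDDEN, key, AUTHENTICATOR)
        print(key, got, server_accepts(HIDDEN, key, AUTHENTICATOR, b"aabbcc"))
```

Because the server cannot tell a wrong key from a wrong password in this attribute, causes 4 and 5 produce the same rejection; compare the key configured on both devices before resetting user passwords.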