Cisco ACS Radius Migration with Huawei Network Elements
IT department
Introduction
This document explains how to migrate the Cisco RADIUS server (ACS) with Huawei
network elements (routers, switches, and firewalls). The procedure focuses on two main areas:
1- Cisco ACS configuration
2- Network elements configuration
These are covered in that order.
Notes:
1- The procedure is based on Cisco ACS V4.x.
2- The procedure shows a simple configuration for the purpose of this document and does not cover
all the available features.
3- The procedure assumes:
a. The RADIUS server IP is 10.1.8.241
b. A network element with the IP 10.1.8.240
c. Shared key: 123456
d. Ports: ACS default ports
Cisco ACS configuration
Requirements:
1- A valid Cisco ACS server (see the online documentation for how to install a Cisco ACS server)
2- The Huawei vendor VSA file (extension .ini, e.g. filename.ini)
Procedure:
1- Create a file with the .ini extension (e.g. Huawei.ini) with the following configuration:
[User Defined Vendor]
Name = Huawei
IETF Code = 2011
VSA 29 = hw_Exec_Privilege
[Hw_Exec_Privilege]
Type = INTEGER
Profile = IN OUT
Enums = Encryption-Types
[Encryption-Types]
0=0
1=1
2=2
3=3
2- From the command prompt, change to the directory that contains CSUtil.exe
Ex: cd c:\program files\ciscoacs\util\
3- Run the following command to add the vendor .ini file:
CSUtil.exe -addUDV [slot] [File directory]
Ex: CSUtil.exe -addUDV 0 c:\Huawei.ini
Warning: CSUtil should ask to restart all the services so that the above command takes effect.
4- After restarting all the services, open the ACS web-access page and apply the following steps:
a. From the network configuration panel, add the RADIUS server details as shown below:
b. From the network configuration panel, add the client details as shown below:
c. From the interface configuration panel – Radius (Huawei), check the boxes as shown below:
d. From the group and user settings assign the privilege level as shown below:
e. Assign access privilege level (1-15)
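The .ini file above makes ACS return the privilege level as a RADIUS Vendor-Specific attribute (type 26) with vendor ID 2011 and vendor type 29. The Python code below is an added example, not part of the original document or of any Cisco or Huawei tool: following RFC 2865, it builds an Access-Accept carrying that attribute, extracts the level again, and checks the Response Authenticator against the shared key. The function names are hypothetical, and the identifier and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

HUAWEI_VENDOR_ID = 2011   # "IETF Code" in the .ini file
HW_EXEC_PRIVILEGE = 29    # "VSA 29" in the .ini file
VENDOR_SPECIFIC = 26      # attribute type, RFC 2865 section 5.26
ACCESS_ACCEPT = 2

def build_accept(ident, request_auth, secret, level):
    """Build an Access-Accept carrying hw_Exec_Privilege = level."""
    sub = struct.pack("!BBI", HW_EXEC_PRIVILEGE, 6, level)
    attr = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), HUAWEI_VENDOR_ID) + sub
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attr))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(head + request_auth + attr + secret).digest()
    return head + auth + attr

def authenticator_ok(packet, request_auth, secret):
    """Recompute the Response Authenticator with the shared key."""
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])

def exec_privilege(packet):
    """Return the hw_Exec_Privilege value found in the packet, or None."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        body = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor, sub = struct.unpack("!I", body[:4])[0], body[4:]
            while vendor == HUAWEI_VENDOR_ID and len(sub) >= 2:
                vtype, vlen = sub[0], sub[1]
                if vlen < 2 or vlen > len(sub):
                    raise ValueError("malformed sub-attribute")
                if vtype == HW_EXEC_PRIVILEGE and vlen == 6:
                    return struct.unpack("!I", sub[2:6])[0]
                sub = sub[vlen:]
        pos += alen
    return None

# Constructed sample values; the shared key is the one this document uses.
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_accept(1, REQUEST_AUTH, b"123456", 3)
```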
Client configuration (Huawei Switch)
Procedure:
1- Create a RADIUS scheme and assign the RADIUS details needed to access the RADIUS server
[Huawei_S5600_SW]radius scheme temp
[Huawei_S5600_SW-radius-temp] server-type huawei
[Huawei_S5600_SW-radius-temp] primary authentication 10.1.8.241 1645
[Huawei_S5600_SW-radius-temp] primary accounting 10.1.8.241 1646
[Huawei_S5600_SW-radius-temp] key authentication 123456
[Huawei_S5600_SW-radius-temp] key accounting 123456
[Huawei_S5600_SW-radius-temp] user-name-format without-domain
2- Create a domain to use the current RADIUS scheme (in our example named “temp”).
[Huawei_S5600_SW]domain system
[Huawei_S5600_SW-isp-system] scheme radius-scheme temp
3- At the user interface, assign the authentication scheme to use the RADIUS credentials
[Huawei_S5600_SW]user-interface vty 0 4 //radius access
[Huawei_S5600_SW-ui-vty0-4] authentication-mode scheme command-authorization
[Huawei_S5600_SW-ui-vty0-4] accounting commands scheme
[Huawei_S5600_SW-ui-vty0-4] user privilege level 3
Result
After the required configuration has been applied on both sides, server and client, the Huawei
elements should be accessible using the authentication credentials created on the
server side.
Note: this procedure was implemented and tested successfully using Cisco ACS V4.2 and a Huawei LSW S5600.
Haider Alshami
Senior Network Engineer
Iraq – Baghdad