A note on the attribute name first: apart from the very recent H3C switches, which use H3C-Exec-Privilege, Huawei switches and the older H3C switches all read the login privilege level from Huawei-Exec-Privilege. This is not spelled out anywhere online, so in most cases Huawei-Exec-Privilege alone is enough to control login privilege on both Huawei and H3C switches.
Also, in the switch's RADIUS scheme the server-type must be set to huawei or extended; otherwise the switch treats the reply as plain standard RADIUS and does not apply the vendor-specific attribute that carries the privilege level. On switches from the period when Huawei and H3C were one company, a Version 3.10 switch only offers the huawei type, Version 5.20 can be set to extended, and from Version 5.70 onward it apparently no longer needs setting, since both standard and proprietary attributes are accepted by default.
1. Add the client entries on the FreeRADIUS side
The file is /etc/raddb/clients.conf
client 192.168.0.0/16 {
secret = Clifford-Group
shortname = Layer-2-Switch
}
client 10.0.0.0/8 {
secret = Clifford-Group
shortname = Layer-2-Switch
}
client 172.16.0.0/12 {
secret = Clifford-Group
shortname = Layer-2-Switch
}
The blocks above make every client in private address space authenticate with the shared secret Clifford-Group; shortname is free text. Be aware that this covers all of RFC 1918, so any host with a private address can talk to the server using that one secret. For production, list the management addresses of the actual switches and use a long random secret: the secret is what authenticates the Access-Accept that hands out privilege level 3.
2. Edit the tables in the database
![~@CN]DO]{U1M(NL1487_G_U.png](https://img.haomeiwen.com/i2701907/41aa3b19c7457e09.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
radcheck holds the username and password that are checked when the Telnet login authenticates.
radreply holds the attributes returned to the switch after a successful login, e.g. which privilege level to grant.
![](https://img.haomeiwen.com/i2701907/68ba4e659d918c43.png)
![CCCW9JX9}T]O@TOYGD74]$5.png](https://img.haomeiwen.com/i2701907/38c0fdfca85ed5ef.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Huawei and H3C switches will only let the user log in with the highest privilege if radreply contains the rows shown above, i.e. the same three attributes FreeRADIUS prints in its reply: Huawei-Exec-Privilege := 3, Service-Type := Login-User, Login-Service := Telnet.
You can switch on RADIUS debugging on the switch to watch the exchange:
*16.3833032462 Admin-3F-B-255.224 RDS/8/DEBUG:Receive Raw Packet is:
*16.3833032462 Admin-3F-B-255.224 RDS/8/DEBUG:
02 11 00 2c 8b cf af 85 c6 ad e8 66 8f b3 aa 1b
a0 63 51 03 1a 0c 00 00 07 db 1d 06 00 00 00 03
06 06 00 00 00 01 0f 06 00 00 00 00
*16.3833032472 Admin-3F-B-255.224 RDS/8/DEBUG:Receive:IP=[192.168.99.23],Code=[2],Length=[44]
*16.3833032472 Admin-3F-B-255.224 RDS/8/DEBUG:
[hw-29 Exec_Privilege ] [6 ] [3]
[6 Service-Type ] [6 ] [1]
[15 Login-Service ] [6 ] [0]
%Sep 1 13:49:12 2016 Admin-3F-B-255.224 SHELL/5/LOGIN: test@isc login from 192.168.99.23
*16.3833032512 Admin-3F-B-255.224 RDS/8/DEBUG:Recv MSG,[MsgType=Leaving request Index = 188, ulParam3=0]
The RADIUS server log shows the matching reply:
[sql_log] expand: /var/log/radius/radacct/sql-relay -> /var/log/radius/radacct/sql-relay
++[sql_log] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 23 to 10.255.255.93 port 1024
Huawei-Exec-Privilege := 3
Service-Type := Login-User
Login-Service := Telnet
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 3 ID 23 with timestamp +39
Ready to process requests.
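To make the two debug dumps concrete, here is an added Python example (mine, not code from the original post or from FreeRADIUS) that parses the 44-byte Access-Accept the switch printed in its RDS/8/DEBUG output, names the Huawei vendor-specific attribute 29 that carries the privilege level, and rebuilds the same bytes from the three radreply rows FreeRADIUS reported. The vendor IDs 2011 (Huawei) and 25506 (H3C) and attribute number 29 are taken from the FreeRADIUS dictionary.huawei and dictionary.h3c files; the request authenticator and secret fed to the response-authenticator helper are placeholders, since the page does not show the matching Access-Request.

```python
"""Decode and rebuild the RADIUS Access-Accept shown in the switch's RDS debug.

Added example, not code from the original post or from FreeRADIUS. The packet
bytes are copied from the "Receive Raw Packet" debug lines; vendor IDs and
attribute numbers follow the FreeRADIUS dictionary.huawei / dictionary.h3c.
"""
import hashlib
import struct

# Captured by the switch (RDS/8/DEBUG "Receive Raw Packet"), 44 bytes.
CAPTURED_ACCEPT = bytes.fromhex(
    "02 11 00 2c 8b cf af 85 c6 ad e8 66 8f b3 aa 1b"
    "a0 63 51 03 1a 0c 00 00 07 db 1d 06 00 00 00 03"
    "06 06 00 00 00 01 0f 06 00 00 00 00"
)

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
VENDOR_HUAWEI, VENDOR_H3C = 2011, 25506
# Vendor attribute 29 is the login privilege level in both dictionaries.
PRIV_ATTRS = {"Huawei-Exec-Privilege": VENDOR_HUAWEI, "H3C-Exec-Privilege": VENDOR_H3C}
VSA_NAMES = {(vendor, 29): name for name, vendor in PRIV_ATTRS.items()}
SERVICE_TYPE = {1: "Login-User", 2: "Framed-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}
LOGIN_SERVICE = {0: "Telnet", 1: "Rlogin", 2: "TCP-Clear", 3: "PortMaster"}


def _u32(data: bytes) -> int:
    if len(data) != 4:
        raise ValueError("integer attribute must be exactly 4 bytes")
    return struct.unpack("!I", data)[0]


def decode(packet: bytes) -> dict:
    """Parse header and attributes; reject length fields that disagree with the data."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} != {len(packet)} bytes received")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = packet[pos + 2:pos + alen]
        if atype == 26:  # Vendor-Specific (RFC 2865 5.26): vendor-id, vendor-type, vendor-length, data
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen != len(value) - 4:
                raise ValueError("VSA vendor-length disagrees with outer length")
            name = VSA_NAMES.get((vendor, vtype), f"Vendor-{vendor}-Attr-{vtype}")
            attrs.append((name, _u32(value[6:])))
        elif atype == 6:
            v = _u32(value)
            attrs.append(("Service-Type", SERVICE_TYPE.get(v, v)))
        elif atype == 15:
            v = _u32(value)
            attrs.append(("Login-Service", LOGIN_SERVICE.get(v, v)))
        else:
            attrs.append((f"Attr-{atype}", value))
        pos += alen
    return {"code": CODE_NAMES.get(code, code), "id": ident,
            "authenticator": packet[4:20], "attributes": attrs}


def encode_accept(ident: int, authenticator: bytes, reply: list) -> bytes:
    """Build an Access-Accept from radreply-style (attribute, value) pairs."""
    body = b""
    for name, value in reply:
        if name in PRIV_ATTRS:
            vsa = struct.pack("!IBBI", PRIV_ATTRS[name], 29, 6, int(value))
            body += struct.pack("!BB", 26, 2 + len(vsa)) + vsa
        elif name == "Service-Type":
            body += struct.pack("!BBI", 6, 6, {v: k for k, v in SERVICE_TYPE.items()}[value])
        elif name == "Login-Service":
            body += struct.pack("!BBI", 15, 6, {v: k for k, v in LOGIN_SERVICE.items()}[value])
        else:
            raise ValueError(f"unsupported attribute {name}")
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + authenticator + body


def response_authenticator(packet: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    The switch only honours an Access-Accept whose authenticator matches this, so
    the shared secret is all that stands between a spoofed reply and privilege 3.
    """
    return hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()


# The three radreply rows the post adds for user "test", as FreeRADIUS prints them.
REPLY_ROWS = [("Huawei-Exec-Privilege", 3), ("Service-Type", "Login-User"), ("Login-Service", "Telnet")]

if __name__ == "__main__":
    parsed = decode(CAPTURED_ACCEPT)
    for name, value in parsed["attributes"]:
        print(f"{name} = {value}")
    rebuilt = encode_accept(parsed["id"], parsed["authenticator"], REPLY_ROWS)
    print("rebuilt packet matches capture:", rebuilt == CAPTURED_ACCEPT)
```

The decoder refuses any Length or vendor-length field that disagrees with the bytes actually present, which is the first check a NAS or a monitoring tool should make. The response_authenticator helper shows what the switch recomputes before trusting the reply: an MD5 over the packet plus the shared secret. That is why the secret in clients.conf and the `key authentication` / `radius-server shared-key` on the switch are the only things keeping a host on the management network from handing itself level 3.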
Switch configuration for Version 3.10 (admin@system):
radius scheme clifford
server-type huawei
primary authentication 192.168.99.23 1812
accounting optional
key authentication Clifford-Group
user-name-format without-domain
quit
domain isc
radius-scheme clifford
quit
domain default enable isc
quit
Switch configuration for Version 5.20 (H3C S5500-28C-SI) and Version 5.20.99 (H3C S2626, admin@system):
radius scheme clifford
server-type extended
primary authentication 192.168.99.23
primary accounting 192.168.99.23
key authentication Clifford-Group
user-name-format without-domain
quit
domain isc
authentication login radius-scheme clifford
authorization login radius-scheme clifford
accounting login none
quit
domain default enable isc
Switch configuration for Version 5.70 (Quidway S2326TP-SI, Quidway S2700-52P-EI-AC) and Version 5.110. Two things to check before copying this block: `authentication-scheme default` with `authentication-mode none` switches authentication off for anything that still uses the built-in default scheme, and `radius-server shared-key simple` stores the secret in cleartext in the configuration, so prefer the cipher form where the platform offers it.
radius-server template radius-temp
radius-server shared-key simple Clifford-Group
radius-server authentication 192.168.99.23 1812
radius-server accounting 192.168.99.23 1813
radius-server retransmit 2
undo radius-server user-name domain-included
aaa
authentication-scheme default
authentication-mode none
authentication-scheme auth
authentication-mode radius local
accounting-scheme acc
accounting-mode radius
accounting start-fail online
domain isc
authentication-scheme auth
accounting-scheme acc
radius-server radius-temp
quit
quit
domain isc