28
• When you remove a server in use, communication with the server times out. The device looks for a
server in active state by first checking the primary server, and then checking secondary servers in
the order they are configured.
• When the primary server and secondary servers are all in blocked state, the device tries to
communicate with the primary server.
• When one or more servers are in active state, the device tries to communicate with these servers in
active state only, even if the server is unavailable.
• When the status of a RADIUS server changes automatically, the device changes the status of this
server accordingly in all RADIUS schemes in which this server is specified.
By default, the device sets the status of all RADIUS servers to active. However, in some situations, you
must change the status of a server. For example, if a server fails, you can change the status of the server
to blocked to avoid communication attempts to the server.
To set the status of RADIUS servers:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter RADIUS scheme view.
radius scheme radius-scheme-name N/A
3. Set the RADIUS server status.
• Set the status of the primary RADIUS
authentication server:
state primary authentication { active |
block }
• Set the status of the primary RADIUS
accounting server:
state primary accounting { active |
block }
• Set the status of a secondary RADIUS
authentication server:
state secondary authentication
[ { host-name | ipv4-address | ipv6
ipv6-address } [ port-number |
vpn-instance vpn-instance-name ] * ]
{ active | block }
• Set the status of a secondary RADIUS
accounting server:
state secondary accounting
[ { host-name | ipv4-address | ipv6
ipv6-address } [ port-number |
vpn-instance vpn-instance-name ] * ]
{ active | block }
By default, every server
specified in a RADIUS scheme
is in active state.
The configured server status
cannot be saved to any
configuration file, and can
only be viewed by using the
display radius scheme
command. After the device
restarts, all servers are
restored to the active state.
The host-name argument is
available in Release 2310
and later versions.
Specifying the source IP address for outgoing RADIUS packets
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS
configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a
RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of
a managed NAS. If it is, the server processes the packet. If it is not, the server drops the packet.
The source address of outgoing RADIUS packets is typically the IP address of an egress interface on the
NAS to communicate with the RADIUS server. However, in some situations, you must change the source
IP address. For example, if the NAS is configured with VRRP for stateful failover, the source IP address of
outgoing RADIUS packets can be the virtual IP address of the uplink VRRP group.
To Next Page
Loading...
