
HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

You can enable the server status detection feature. With this feature enabled, the device periodically
sends an authentication request to check whether the target RADIUS authentication/authorization
server is reachable. If the server can be reached, the device sets the status of the server to active. If
the server cannot be reached, the device sets the status of the server to block. This feature
promptly notifies authentication modules of the latest server status. For example, server status
detection can work with the 802.1X critical VLAN feature, so that the device triggers 802.1X
authentication for users in the critical VLAN as soon as it detects a reachable RADIUS
authentication/authorization server.
To specify RADIUS authentication/authorization servers for a RADIUS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A

3. Specify RADIUS authentication/authorization servers.
   Command:
   • Specify the primary RADIUS authentication/authorization server:
     primary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *
   • Specify a secondary RADIUS authentication/authorization server:
     secondary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *
   Remarks:
   Configure at least one command.
   By default, no authentication/authorization server is specified.
   In FIPS mode, the shared key for secure RADIUS authentication/authorization communication must be at least eight characters that contain digits, uppercase letters, lowercase letters, and special characters, and must use 3DES for encryption and decryption.
   The IP addresses of the primary and secondary authentication/authorization servers for a scheme must be different. Otherwise, the configuration will fail.
   All servers for authentication/authorization and accounting, primary or secondary, must use IP addresses of the same IP version.

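The constraints in the Remarks for step 3 can be checked against a planned scheme before the commands are entered. The following Python check is an added example, not part of the HPE guide: the function names, the (command, ip, key) tuple layout, and the sample addresses and keys are constructed for illustration, and "special characters" is assumed to mean ASCII punctuation.

```python
import ipaddress
import string

# Character classes the FIPS-mode remark requires in a shared key.
# Assumption: "special characters" is taken to mean ASCII punctuation.
KEY_CLASSES = {
    "digit": string.digits,
    "uppercase letter": string.ascii_uppercase,
    "lowercase letter": string.ascii_lowercase,
    "special character": string.punctuation,
}

def fips_key_problems(key):
    """List the FIPS-mode shared-key rules that `key` does not meet."""
    problems = [] if len(key) >= 8 else ["fewer than 8 characters"]
    problems += [f"no {name}" for name, chars in KEY_CLASSES.items()
                 if not any(c in chars for c in key)]
    return problems

def scheme_problems(servers, fips=False):
    """Check a planned scheme given as a list of (command, ip, key) tuples."""
    problems = []
    parsed = [(cmd, ipaddress.ip_address(ip), key) for cmd, ip, key in servers]
    auth = [(cmd, ip) for cmd, ip, _ in parsed if cmd.endswith("authentication")]
    if not auth:
        problems.append("no authentication/authorization server specified")
    # Compare parsed addresses so different spellings of one IPv6 address match.
    primary = {ip for cmd, ip in auth if cmd.startswith("primary")}
    for cmd, ip in auth:
        if cmd.startswith("secondary") and ip in primary:
            problems.append(f"{cmd} {ip} duplicates the primary server")
    if len({ip.version for _, ip, _ in parsed}) > 1:
        problems.append("servers mix IPv4 and IPv6 addresses")
    if fips:
        for cmd, ip, key in parsed:
            for p in fips_key_problems(key):
                problems.append(f"{cmd} {ip}: shared key has {p}")
    return problems

# Constructed sample plan (documentation addresses, made-up keys).
SAMPLE = [
    ("primary authentication", "2001:db8::1", "Radius#2024key"),
    ("secondary authentication", "2001:0db8:0:0:0:0:0:1", "radiuskey"),
    ("primary accounting", "192.0.2.20", "Acct!9xQz"),
]

if __name__ == "__main__":
    for line in scheme_problems(SAMPLE, fips=True):
        print(line)
```

The device remains the authority on what it accepts; the 3DES requirement is enforced on the device and is not covered by this check.
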
Specifying the RADIUS accounting servers and the relevant parameters
You can specify one primary accounting server and up to 16 secondary accounting servers for a
RADIUS scheme. When the primary server is not available, a secondary server is used. When
redundancy is not required, specify only the primary server. A RADIUS accounting server can
function as the primary accounting server for one scheme and a secondary accounting server for
another scheme at the same time.
When the device receives a connection teardown request from a host or a connection teardown
command from an administrator, it sends a stop-accounting request to the accounting server. When
the maximum number of real-time accounting attempts is reached, the device disconnects users
who have no accounting responses. You can enable buffering of non-responded stop-accounting
requests to allow the device to buffer and resend a stop-accounting request until it receives a
response. If the number of stop-accounting attempts reaches the upper limit, the device discards the
buffered request.
