| Step | Command | Remarks |
|---|---|---|
| 3. Set the maximum number of RADIUS request transmission attempts. | retry retry-times | Optional. The default setting is 3. |
Setting the status of RADIUS servers
By setting the status of RADIUS servers to blocked or active, you can control the AAA servers with
which the device communicates when the current servers are no longer available. In practice, you
can specify one primary RADIUS server and multiple secondary RADIUS servers, with the
secondary servers functioning as backups of the primary server. Typically, the device chooses
servers based on these rules:
• When the primary server is in active state, the device communicates with the primary server.
If the primary server fails, the device changes the server's status to blocked, starts a quiet timer
for the server, and tries to communicate with a secondary server in active state (a secondary
server configured earlier has a higher priority).
If the secondary server is unreachable, the device changes the server's status to blocked, starts
a quiet timer for the server, and continues to check the next secondary server in active state.
This search process continues until the device finds an available secondary server or has
checked all secondary servers in active state.
If the quiet timer of a server expires or an authentication or accounting response is received
from the server, the status of the server changes back to active automatically, but the device
does not check the server again during the authentication or accounting process.
If no server is found reachable during one search process, the device considers the
authentication or accounting attempt a failure.
• Once the accounting process of a user starts, the device keeps sending the user's real-time
accounting requests and stop-accounting requests to the same accounting server.
• If you remove the accounting server, real-time accounting requests and stop-accounting
requests for the user are no longer delivered to the server.
• If you remove an authentication or accounting server in use, the communication of the device
with the server will soon time out, and the device will look for a server in active state by checking
the primary server first and then the secondary servers in the order they are configured.
• When the primary server and secondary servers are all in blocked state, the device
communicates with the primary server. If the primary server is available, its status changes to
active. Otherwise, its status remains blocked.
• If one server is in active state and all the others are in blocked state, the device only tries to
communicate with the server in active state, even if the server is unavailable.
• After receiving an authentication/accounting response from a server, the device changes the
status of the server identified by the source IP address of the response to active if the current
status of the server is blocked.
The device does not change the status of an unreachable authentication or accounting server if the
server quiet timer is set to 0. Instead, the device keeps the server status as active and sends
authentication or accounting packets to another server in active state, so subsequent authentication
or accounting packets can still be sent to that server. For more information about the server quiet
timer, see "Setting RADIUS timers."
By default, the device sets the status of all RADIUS servers to active. In some cases, however, you
need to change the status of a server. For example, if a server fails, you can change the status of the
server to blocked to avoid communication attempts to the server.
To set the status of RADIUS servers in a RADIUS scheme: