Setting the shared key for radius packets – H3C Technologies H3C S5120 Series Switches User Manual

- It is recommended to specify only the primary RADIUS accounting server if backup is not required.
- If both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable.
- In practice, you can specify two RADIUS servers as the primary and secondary accounting servers respectively, or specify one server to function as the primary accounting server in one scheme and the secondary accounting server in another scheme. Besides, because RADIUS uses different UDP ports to receive authentication/authorization and accounting packets, the port for authentication/authorization must be different from that for accounting.
- You can set the maximum number of stop-accounting request transmission attempts, allowing the device to buffer and resend a stop-accounting request until it receives a response or the number of transmission retries reaches the configured limit. In the latter case, the device discards the packet.
- You can set the maximum number of accounting request transmission attempts on the device, allowing the device to disconnect a user when the number of accounting request transmission attempts for the user reaches the limit and the device has still received no response to the accounting request.
- The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
- Currently, RADIUS does not support accounting for FTP users.

Setting the Shared Key for RADIUS Packets

The RADIUS client and RADIUS server use the MD5 algorithm to encrypt packets exchanged between them and a shared key to verify the packets. Only when the same key is used can they properly receive the packets and make responses.

Follow these steps to set the shared key for RADIUS packets:

To do…                              Use the command…                     Remarks
----------------------------------  -----------------------------------  -----------------
Enter system view                   system-view
Enter RADIUS scheme view            radius scheme radius-scheme-name
Set the shared key for RADIUS       key { accounting | authentication }  Required
authentication/authorization or     string                               No key by default
accounting packets

The shared key configured on the device must be the same as that configured on the RADIUS server.
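
Why the two keys must match, shown with the standard RADIUS authenticator computation from RFC 2865 (replies) and RFC 2866 (accounting requests). This is an added example, not code from the H3C manual; the function names, key strings and attribute values are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4


def _digest(code, ident, auth_field, attrs, key):
    # MD5(Code | Identifier | Length | 16-octet authenticator field | Attributes | shared key)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header, hashlib.md5(header + auth_field + attrs + key).digest()


def build_response(code, ident, request_auth, attrs, key):
    """Server side (RFC 2865): sign the reply over the client's Request Authenticator."""
    header, auth = _digest(code, ident, request_auth, attrs, key)
    return header + auth + attrs


def build_accounting_request(ident, attrs, key):
    """Client side (RFC 2866): sign the request over 16 zero octets."""
    header, auth = _digest(ACCOUNTING_REQUEST, ident, bytes(16), attrs, key)
    return header + auth + attrs


def verify(packet, auth_field, key):
    """Recompute the authenticator with the local key; False means drop the packet.

    auth_field is the Request Authenticator when checking a reply, or
    16 zero octets when checking an Accounting-Request.
    """
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        return False
    attrs = packet[20:length]
    _, expected = _digest(code, ident, auth_field, attrs, key)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    # Constructed sample values, not taken from the manual.
    server_key = device_key = b"sample-shared-key"
    request_auth = bytes(range(16))          # normally 16 random octets
    reply_message = bytes([18, 4]) + b"ok"   # Reply-Message attribute (type 18)
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, reply_message, server_key)
    print("keys match:   ", verify(reply, request_auth, device_key))
    print("keys mismatch:", verify(reply, request_auth, b"other-key"))
```

Because authentication/authorization and accounting packets are each verified with their own key, a key that is correct for one type and wrong for the other makes only that type of packet fail verification.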

Setting the Upper Limit of RADIUS Request Retransmission Attempts

Because RADIUS uses UDP packets to carry data, the communication process is not reliable. If a NAS receives no response from the RADIUS server before the response timeout timer expires, it is required