beautypg.com

Refer to – H3C Technologies H3C S3600 Series Switches User Manual

Page 529

background image

2-13

To do…

Use the command…

Remarks

Enter system view

system-view

Create a RADIUS scheme and
enter its view

radius scheme
radius-scheme-name

Required

By default, a RADIUS scheme
named "system" has already
been created in the system.

Set the IP address and port
number of the primary RADIUS
authentication/authorization
server

primary authentication
ip-address [ port-number ]

Required

By default, the IP address and
UDP port number of the
primary server are 0.0.0.0 and
1812 respectively for a newly
created RADIUS scheme.

Set the IP address and port
number of the secondary
RADIUS
authentication/authorization
server

secondary authentication
ip-address [ port-number ]

Optional

By default, the IP address and
UDP port number of the
secondary server are 0.0.0.0
and 1812 respectively for a
newly created RADIUS
scheme.

z

The authentication response sent from the RADIUS server to the RADIUS client carries

authorization information. Therefore, you need not (and cannot) specify a separate RADIUS

authorization server.

z

In an actual network environment, you can specify one server as both the primary and secondary

authentication/authorization servers, as well as specifying two RADIUS servers as the primary and

secondary authentication/authorization servers respectively.

z

The IP address and port number of the primary authentication server used by the default RADIUS

scheme "system" are 127.0.0.1 and 1645.

Configuring Ignorance of Assigned RADIUS Authorization Attributes

A RADIUS server can be configured to assign multiple authorization attributes, such as authorization

VLAN and idle timeout. Some users may need the attributes but some users may not. Such conflict

occurs if the RADIUS server does not support user-based attribute assignment or it performs uniformed

user management.

The RADIUS authorization attribute ignoring function can solve this issue. It is configured as per

RADIUS scheme. Users using a RADIUS scheme with this function enabled can ignore certain

unexpected attributes.

As shown in

Figure 2-1

, NAS 1 and NAS 2 are connected to the same RADIUS server for authentication.

For easy management, the RADIUS server issues the same authorization attributes to all the users.

However, users attached to NAS 1 need these attributes while users attached to NAS 2 do not want to

use the assigned Attribute 28, idle-timeout. You can configure the attribute ignoring function on NAS 2

to ignore Attribute 28.

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: