
Configuring timers for radius servers – H3C Technologies H3C S3600 Series Switches User Manual

- If you adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch.

- The message encryption key set by the local-server nas-ip ip-address key password command must be identical to the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.

- The switch supports IP addresses and shared keys for up to 16 network access servers (NAS). That is, when acting as the local RADIUS server, the switch can provide authentication service to up to 16 network access servers (including the switch itself) at the same time.

- When acting as the local RADIUS server, the switch does not support EAP authentication (that is, you cannot set the 802.1x authentication method as eap by using the dot1x authentication-method eap command).

Configuring Timers for RADIUS Servers

After sending out a RADIUS request (authentication/authorization request or accounting request) to a RADIUS server, the switch waits for a response from the server. The maximum time that the switch can wait for the response is called the response timeout time of RADIUS servers, and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers. If the switch gets no answer within the response timeout time, it needs to retransmit the request to ensure that the user can obtain RADIUS service.

For the primary and secondary servers (authentication/authorization servers, or accounting servers) in a RADIUS scheme:

- When the switch fails to communicate with the primary server because of a server fault, the switch turns to the secondary server and exchanges messages with the secondary server.

- After the primary server has remained in the block state for a specific time (set by the timer quiet command), the switch tries to communicate with the primary server again when it next has a RADIUS request. If it finds that the primary server has recovered, the switch immediately restores communication with the primary server instead of communicating with the secondary server, and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchanged.
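The following Python model is an added example, not code from the H3C manual or the switch firmware. It reproduces the primary/secondary behaviour described above so the effect of the quiet timer on request routing can be observed; the class and field names, the 300-second quiet value and the retry count of 3 are assumptions chosen for illustration.

```python
# Added illustration: a model of the failover behaviour described above,
# not H3C's implementation. Names, timer values and retry count are assumptions.
from dataclasses import dataclass

ACTIVE, BLOCK = "active", "block"

@dataclass
class Server:
    name: str
    reachable: bool = True      # simulated server health
    state: str = ACTIVE
    blocked_at: float = 0.0     # time the server entered the block state

class RadiusScheme:
    def __init__(self, primary, secondary, quiet=300.0, retries=3):
        self.primary, self.secondary = primary, secondary
        self.quiet = quiet      # seconds the primary stays in the block state
        self.retries = retries  # transmissions per server before giving up
        self.sent = []          # (time, server name) for every transmission

    def _try(self, srv, now):
        """Transmit up to `retries` times; an unanswered attempt models one response timeout."""
        for _ in range(self.retries):
            self.sent.append((now, srv.name))
            if srv.reachable:
                return True
        return False

    def request(self, now):
        """Return the name of the server that answered, or None."""
        p, s = self.primary, self.secondary
        # Once the quiet timer has expired, the next request probes the primary again.
        probe = p.state == BLOCK and now - p.blocked_at >= self.quiet
        if p.state == ACTIVE or probe:
            if self._try(p, now):
                p.state = ACTIVE            # the secondary's state is left unchanged
                return p.name
            p.state, p.blocked_at = BLOCK, now
        # Primary is blocked: go straight to the secondary, no primary retries.
        if self._try(s, now):
            return s.name
        return None

if __name__ == "__main__":
    scheme = RadiusScheme(Server("primary", reachable=False), Server("secondary"))
    for t in (0.0, 100.0, 300.0):           # constructed timeline, in seconds
        scheme.primary.reachable = t > 0    # primary recovers right after t=0
        print(t, scheme.request(t), scheme.primary.state)
```

In this model a primary that recovers during the quiet period is not used until the timer expires and a new request arrives, so a long quiet value keeps authentication on the secondary well after the primary is healthy again.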

To control the interval at which users are charged in real time, you can set the real-time accounting interval. After the setting, the switch periodically sends online users' accounting information to the RADIUS server at the set interval.

Follow these steps to set timers for RADIUS servers:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system. |
