Setting the status of radius servers, Setting the status of, Radius servers – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

27

Step Command

Remarks

2.

Enter RADIUS scheme view.

radius scheme
radius-scheme-name

N/A

3.

Set the maximum number of
RADIUS request transmission

attempts.

retry retry-times

Optional.
3 by default.

NOTE:
•

The maximum number of transmission attempts of RADIUS packets multiplied by the RADIUS server
response timeout period cannot be greater than 75 seconds.

•

For more information about the RADIUS server response timeout period, see "

Setting timers for

controlling communication with RADIUS servers

."

Setting the status of RADIUS servers

By setting the status of RADIUS servers to blocked or active, you can control which servers the device

communicates with for authentication, authorization, and accounting or turns to when the current servers

are no longer available. In practice, you can specify one primary RADIUS server and multiple secondary

RADIUS servers, with the secondary servers functioning as the backup of the primary servers. Generally,
the device chooses servers based on these rules:

•

When the primary server is in active state, the device communicates with the primary server. If the
primary server fails, the device changes the server's status to blocked and starts a quiet timer for the

server, and then turns to a secondary server in active state (a secondary server configured earlier

has a higher priority). If the secondary server is unreachable, the device changes the server's status

to blocked, starts a quiet timer for the server, and continues to check the next secondary server in
active state. This search process continues until the device finds an available secondary server or

has checked all secondary servers in active state. If the quiet timer of a server expires or an

authentication or accounting response is received from the server, the status of the server changes

back to active automatically, but the device does not check the server again during the
authentication or accounting process. If no server is found reachable during one search process,

the device considers the authentication or accounting attempt a failure.

•

Once the accounting process of a user starts, the device keeps sending the user's real-time
accounting requests and stop-accounting requests to the same accounting server. If you remove the

accounting server, real-time accounting requests and stop-accounting requests for the user are no
longer delivered to the server.

•

If you remove an authentication or accounting server in use, the communication of the device with
the server will soon time out, and the device will look for a server in active state from scratch: it

checks the primary server (if any) first and then the secondary servers in the order they are

configured.

•

When the primary server and secondary servers are all in blocked state, the device communicates
with the primary server. If the primary server is available, its status changes to active. Otherwise, its
status remains to be blocked.

•

If one server is in active state and all the others are in blocked state, the device only tries to
communicate with the server in active state, even if the server is unavailable.

•

After receiving an authentication/accounting response from a server, the device changes the status
of the server identified by the source IP address of the response to active if the current status of the

server is blocked.