beautypg.com

Verifying the configuration, Configuration guidelines – H3C Technologies H3C MSR 50 User Manual

Page 367

background image

346

5.

Use either approach to configure the AAA methods for domain bbb:

Configure the same scheme for authentication and authorization in domain bbb because
RADIUS authorization information is included in the authentication response message.

[Router] domain bbb

[Router-isp-bbb] authentication login radius-scheme system

[Router-isp-bbb] authorization login radius-scheme system

[Router-isp-bbb] accounting login radius-scheme system

[Router-isp-bbb] quit

Configure default AAA methods for all types of users in domain bbb.

[Router] domain bbb

[Router-isp-bbb] authentication default radius-scheme system

[Router-isp-bbb] authorization default radius-scheme system

[Router-isp-bbb] accounting default radius-scheme system

Verifying the configuration

After the configuration, the user can Telnet to the router and use the configured account (username

hello@bbb and password abc) to enter the user interface of the router, and access all the commands of

level 0 through level 3.

Configuration guidelines

When you configure the RADIUS client, follow these guidelines:

Accounting for FTP users is not supported.

If you remove the accounting server used for online users, the router cannot send real-time
accounting requests and stop-accounting messages for the users to the server, and the

stop-accounting messages are not buffered locally.

The status of RADIUS servers, blocked or active, determines which servers the device will
communicate with or turn to when the current servers are not available. In practice, you can specify

one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers

that function as the backup of the primary servers. Generally, the device chooses servers based on
these rules:

When the primary server is in the active state, the device communicates with the primary server.
If the primary server fails, the device changes the state of the primary server to blocked, starts

a quiet timer for the server, and turns to a secondary server in the active state (a secondary

server configured earlier has a higher priority). If the secondary server is unreachable, the
device changes the state of the secondary server to blocked, starts a quiet timer for the server,

and continues to check the next secondary server in the active state. This search process

continues until the device finds an available secondary server or has checked all secondary

servers in the active state. If the quiet timer of a server expires or an authentication or
accounting response is received from the server, the status of the server changes back to active

automatically, but the device does not check the server again during the authentication or

accounting process. If no server is found reachable during one search process, the device

considers the authentication or accounting attempt a failure.

Once the accounting process of a user starts, the device keeps sending the user's real-time
accounting requests and stop-accounting requests to the same accounting server. If you remove
the accounting server, real-time accounting requests and stop-accounting requests for the user

cannot be delivered to the server any more.

This manual is related to the following products: