Configuring radius, Configuration guidelines – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

561

Configuring RADIUS

The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication,

Authorization, and Accounting (AAA). RADIUS uses the client/server model. It can protect networks

against unauthorized access, and is often used in network environments where both high security and
remote user access are required. RADIUS defines the packet format and message transfer mechanism,

and uses UDP as the transport layer protocol for encapsulating RADIUS packets. It uses UDP port 1812

for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,

RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL.
RADIUS provides access authentication and authorization services. Its accounting function collects and

records network resource usage information.
For more information about AAA and RADIUS, see H3C Access Controllers Security Configuration

Guide.

Configuration guidelines

When you configure RADIUS, use the following guidelines:

•

Accounting for FTP users is not supported.

•

If you remove the accounting server used for online users, the device cannot send real-time
accounting requests and stop-accounting messages for the users to the server, and the

stop-accounting messages are not buffered locally.

•

The status of RADIUS servers (blocked or active) determines which servers the device will

communicate with or turn to when the current servers are not available. In practice, you can specify
one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers

that function as the backup of the primary servers. Generally, the device chooses servers based on

these rules:

When the primary server is in active state, the device communicates with the primary server. If
the primary server fails, the device changes the state of the primary server to blocked, starts a
quiet timer for the server, and turns to a secondary server in active state (a secondary server

configured earlier has a higher priority). If the secondary server is unreachable, the device

changes the state of the secondary server to blocked, starts a quiet timer for the server, and

continues to check the next secondary server in active state. This search process continues until

the device finds an available secondary server or has checked all secondary servers in active
state. If the quiet timer of a server expires or an authentication or accounting response is

received from the server, the status of the server changes back to active automatically, but the

device does not check the server again during the authentication or accounting process. If no

server is found reachable during one search process, the device considers the authentication or
accounting attempt a failure.

Once the accounting process of a user starts, the device keeps sending the user's real-time
accounting requests and stop-accounting requests to the same accounting server. If you remove

the accounting server, real-time accounting requests and stop-accounting requests for the user

cannot be delivered to the server any more.