H3C Technologies H3C SecPath F1000-E User Manual
Item Description
Username Format
Select the format of usernames to be sent to the RADIUS server.
A username is generally in the format of userid@isp-name, of which isp-name is
used by the firewall to determine the ISP domain to which a user belongs. If a
RADIUS server (such as a RADIUS server of some early version) does not accept
a username that contains an ISP domain name, you can configure the firewall to
remove the domain name of a username before sending it to the RADIUS server.
The username format options include:
• Original format—Specifies to send the username of a user on an "as is" basis.
• With domain name—Specifies to include the domain name in a username to be sent to the RADIUS server.
• Without domain name—Specifies to remove any domain name of a username that is sent to the RADIUS server.
Authentication Key
Confirm Authentication Key
Accounting Key
Confirm Accounting Key
Set the shared key for RADIUS authentication packets and that for RADIUS
accounting packets.
The RADIUS client and the RADIUS authentication/accounting server use MD5
to encrypt RADIUS packets, and they verify the validity of packets through the
specified shared key. The client and the server receive and respond to packets
from each other only when they use the same shared key.
IMPORTANT:
• The shared keys configured on the firewall must be consistent with those configured on the RADIUS servers.
• The shared keys configured in the common configuration part are used only when no corresponding shared keys are configured in the RADIUS server configuration part.
Quiet Time
Set the time the firewall keeps an unreachable RADIUS server in blocked state.
If you set the quiet time to 0, when the firewall attempts to send an authentication
or accounting request but finds that the current server is unreachable, it does not
change the server's status that it maintains. It simply sends the request to the next
server in active state. As a result, when the firewall attempts to send a request of
the same type for another user, it still tries to send the request to the server
because the server is in active state.
You can use this parameter to control whether the firewall changes the status of
an unreachable server. For example, if you determine that the primary server is
unreachable because the firewall's port for connecting to the server is out of service
temporarily or the server is busy, you can set the time to 0 so that the firewall uses
the primary server as much as possible.
Server Response Timeout Time
Set the RADIUS server response timeout time.
If the firewall sends a RADIUS request to a RADIUS server but receives no
response within the specified server response timeout time, it retransmits the
request. Setting a value appropriate to the network conditions helps improve
system performance.
IMPORTANT:
The server response timeout time multiplied by the maximum number of RADIUS
packet transmission attempts must not exceed 75.