H3C Technologies H3C SecPath F1000-E User Manual

Specifying the RADIUS authentication/authorization servers

You can specify one primary authentication/authorization server and up to 16 secondary authentication/authorization servers for a RADIUS scheme so that the NAS can find a server for user authentication/authorization when using the scheme. When the primary server is not available, a secondary server is used. In a scenario where redundancy is not required, specify only the primary server.
In RADIUS, user authorization information is piggybacked in authentication responses sent to RADIUS
clients. It is neither allowed nor needed to specify a separate RADIUS authorization server.
Follow these guidelines when you configure RADIUS authentication/authorization servers:

The IP addresses of the primary and secondary authentication/authorization servers for a scheme must be different from each other. Otherwise, the configuration fails.

All servers for authentication/authorization and accounting, primary or secondary, must use IP addresses of the same IP version.

You can specify a RADIUS authentication/authorization server as the primary authentication/authorization server for one scheme and simultaneously as a secondary authentication/authorization server for another scheme.

To specify RADIUS authentication/authorization servers for a RADIUS scheme:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A

Step 3: Specify RADIUS authentication/authorization servers.
  Commands:
    Specify the primary RADIUS authentication/authorization server:
    primary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
    Specify a secondary RADIUS authentication/authorization server:
    secondary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
  Remarks: Configure at least one command. No authentication/authorization server is specified by default. In FIPS mode, the firewall supports only ciphertext shared keys of at least 8 characters comprising case-sensitive letters, numbers, and special characters.

Specifying the RADIUS accounting servers and the relevant parameters

You can specify one primary accounting server and up to 16 secondary accounting servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. When redundancy is not required, specify only the primary server.

By setting the maximum number of real-time accounting attempts for a scheme, you make the firewall disconnect users for whom no accounting response is received before the number of accounting attempts reaches the limit.

When the firewall receives a connection teardown request from a host or a connection teardown notification from an administrator, it sends a stop-accounting request to the accounting server. You can enable buffering of non-responded stop-accounting requests to allow the firewall to buffer and resend a stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit. In the latter case, the firewall discards the packet.