H3C Technologies H3C SecPath F1000-E User Manual

189

To specify a source IP address for all RADIUS schemes in a VPN or the public network:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Specify a source IP address

for outgoing RADIUS packets.

radius nas-ip { ip-address | ipv6
ipv6-address } [ vpn-instance
vpn-instance-name ]

By default, the IP address of the
outbound interface is used as the
source IP address.

To specify a source IP address for a specific RADIUS scheme:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter RADIUS scheme view.

radius scheme
radius-scheme-name

N/A

3.

Specify a source IP address

for outgoing RADIUS packets.

nas-ip { ip-address | ipv6
ipv6-address }

By default, the IP address of the
outbound interface is used as the
source IP address.

Setting timers for controlling communication with RADIUS servers

The firewall uses the following types of timers to control the communication with a RADIUS server:

•

Server response timeout timer (response-timeout)—Defines the RADIUS request retransmission
interval. After sending a RADIUS request (authentication/authorization or accounting request), the

firewall starts this timer. If the firewall receives no response from the RADIUS server before this timer

expires, it resends the request.

•

Server quiet timer (quiet)—Defines the duration to keep an unreachable server in blocked state. If
a server is not reachable, the firewall changes the server status to blocked, starts this timer for the

server, and tries to communicate with another server in active state. After this timer expires, the

firewall changes the status of the server back to active.

•

Real-time accounting timer (realtime-accounting)—Defines the interval at which the firewall sends
real-time accounting packets to the RADIUS accounting server for online users. To implement

real-time accounting, the firewall must periodically send real-time accounting packets to the
accounting server for online users.

Follow these guidelines when you set timers for controlling communication with RADIUS servers:

•

For a type of users, the maximum number of transmission attempts multiplied by the RADIUS server
response timeout period must be less than the client connection timeout time and must not exceed

75 seconds. Otherwise, stop-accounting messages cannot be buffered, and the
primary/secondary server switchover cannot take place. For example, the product of the two

parameters must be less than 10 seconds for voice users, and less than 30 seconds for Telnet users

because the client connection timeout period for voice users is 10 seconds and that for Telnet users

is 30 seconds.

•

When you configure the maximum number of RADIUS packet transmission attempts and the
RADIUS server response timeout period, take the number of secondary servers into account. If the
retransmission process takes too much time, the client connection in the access module may be

timed out while the firewall is trying to find an available server.

•

When a number of secondary servers are configured, the client connections of access modules that
have a short client connection timeout period may still be timed out during initial authentication or

accounting, even if the packet transmission attempt limit and server response timeout period are