Radius scheme configuration guidelines – H3C Technologies H3C SecPath F1000-E User Manual
Task: Clear RADIUS statistics.
Command: reset radius statistics
Remarks: Available in user view

Task: Clear the buffered stop-accounting requests for which no responses have been received.
Command: reset stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name }
Remarks: Available in user view

RADIUS scheme configuration guidelines
When you configure RADIUS, follow these guidelines:
• Accounting for FTP users is not supported.
• If you remove the accounting server used for online users, the firewall cannot send real-time accounting requests and stop-accounting messages for the users to the server, and the stop-accounting messages are not buffered locally.
• The status of RADIUS servers, blocked or active, determines which servers the firewall communicates with or turns to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Generally, the firewall chooses servers based on these rules:
  ○ When the primary server is in active state, the firewall communicates with the primary server. If the primary server fails, the firewall changes the state of the primary server to blocked, starts a quiet timer for the server, and turns to a secondary server in active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the firewall changes the state of the secondary server to blocked, starts a quiet timer for the server, and continues to check the next secondary server in active state. This search process continues until the firewall finds an available secondary server or has checked all secondary servers in active state. If the quiet timer of a server expires or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the firewall does not check the server again during the authentication or accounting process. If no server is found reachable during one search process, the firewall considers the authentication or accounting attempt a failure.
  ○ Once the accounting process of a user starts, the firewall keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests for the user are no longer delivered to the server.
  ○ If you remove an authentication or accounting server in use, the communication of the firewall with the server soon times out, and the firewall looks for a server in active state from scratch by checking any primary server first and then the secondary servers in the order they are configured.
  ○ When the primary server and secondary servers are all in blocked state, the firewall communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.
  ○ If one server is in active state but all the others are in blocked state, the firewall only tries to communicate with the server in active state, even if the server is unavailable.
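
The server selection rules above, modeled as an added Python example (not H3C code and not taken from the manual). The Server class, the select_server and demo functions, and the 300-second quiet timer are assumptions made for illustration; the page does not state the quiet timer length.

```python
from dataclasses import dataclass

QUIET = 300.0  # assumed quiet-timer length in seconds; the page gives no value

@dataclass
class Server:
    name: str
    reachable: bool = True      # constructed input: does the server answer?
    blocked_until: float = 0.0  # quiet-timer expiry; in the past means active

def select_server(servers, now, quiet=QUIET):
    """servers[0] is the primary, the rest are secondaries in configured order.
    Returns the name of the server that answered, or None if the attempt fails."""
    # Snapshot active servers once: a server whose quiet timer expires during
    # the search is not checked again in the same attempt.
    active = [s for s in servers if now >= s.blocked_until]
    if not active:
        primary = servers[0]             # all blocked: only the primary is tried
        if primary.reachable:
            primary.blocked_until = 0.0  # a response makes it active again
            return primary.name
        return None                      # primary stays blocked
    for s in active:                     # blocked servers are skipped entirely
        if s.reachable:
            return s.name
        s.blocked_until = now + quiet    # block it and start its quiet timer
    return None                          # nothing reachable: attempt fails

def demo():
    """Constructed outage timeline; returns the result of each attempt."""
    pri, sec1, sec2 = Server("primary", False), Server("sec1", False), Server("sec2")
    servers, out = [pri, sec1, sec2], []
    out.append(select_server(servers, now=0))   # primary, sec1 blocked; sec2 answers
    sec1.reachable, sec2.reachable = True, False
    out.append(select_server(servers, now=20))  # only sec2 is active and it is down
    out.append(select_server(servers, now=30))  # all blocked: primary tried, still down
    out.append(select_server(servers, now=400)) # timers expired: sec1 answers
    return out

if __name__ == "__main__":
    print(demo())  # ['sec2', None, None, 'sec1']
```

The second and third attempts fail although sec1 has already recovered, because a blocked secondary is not tried again until its quiet timer expires.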