Verification, Configuration guidelines – H3C Technologies H3C SecPath F1000-E User Manual
[Device-isp-bbb] authorization login radius-scheme system
[Device-isp-bbb] accounting login radius-scheme system
[Device-isp-bbb] quit
// You can achieve the same result by configuring default AAA methods for all types of users in domain bbb. (You can use either approach as needed.)
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme system
[Device-isp-bbb] authorization default radius-scheme system
[Device-isp-bbb] accounting default radius-scheme system
Verification
After the above configuration, the Telnet user should be able to telnet to the device and use the
configured account (username hello@bbb and password abc) to enter the user interface of the device,
and access all the commands of level 0 to level 3.
Configuration Guidelines
When configuring the RADIUS client, note that:
1. The specified server status is dynamic information, which cannot be saved in the configuration file.
   After the device reboots, the status of servers becomes active.
2. At present, RADIUS does not support accounting for FTP users.
3. If the accounting server in use by online users is removed, the device cannot send real-time
   accounting requests and stop-accounting messages of the users to the server, and the
   stop-accounting messages are not buffered locally.
4. The system allows you to configure multiple secondary servers for a RADIUS scheme through CLI.
   On the web interface, the system displays the first secondary server in the scheme system. When
   you configure a secondary server on the web interface:
   • If the specified IP address is 0.0.0.0, all secondary servers in the scheme system are deleted.
   • If the specified IP address is not 0.0.0.0, and does not conflict with the IP addresses of the existing
     secondary servers, the first secondary server in the scheme is replaced by the one you specified.
   • If the specified IP address is not 0.0.0.0, and conflicts with the IP address of an existing secondary
     server, the configuration fails.
5. For the primary and secondary servers (assume only one secondary server exists) in a RADIUS
   scheme, the device follows these rules to exchange packets with the servers:
   • If the primary server and secondary server are in the same state, the device communicates with the
     primary server.
   • If both the primary server and secondary server are in active state, the device communicates with
     the primary server. When the primary server becomes unavailable, the device sets the server’s
     status to block and turns to the secondary server for communication. When the quiet timer expires,
     the device restores the status of the primary server to active while keeping the status of the
     secondary server unchanged. In the case of authentication/authorization, the device resumes
     communication with the primary server; in the case of accounting, however, the device keeps
     communicating with the secondary server regardless of whether the primary server recovers.
   • If one server is in active state and the other is in block state, the device only tries to communicate
     with the server in active state, even if the server is unavailable.
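
The selection rules in guideline 5 can be traced with a small state model. This is an added example, not H3C code: the class and method names are hypothetical, and it assumes that accounting stays on the secondary after any failover and that a request is simply lost when the selected server is down.

```python
# Added illustration: a toy model of the selection rules in guideline 5.
# Class and method names are hypothetical; this is not H3C code.
ACTIVE, BLOCK = "active", "block"

class SchemeModel:
    """One RADIUS scheme with a primary and a single secondary server."""

    def __init__(self):
        self.state = {"primary": ACTIVE, "secondary": ACTIVE}
        # Assumption: after a failover, accounting stays on the secondary.
        self.failed_over = False

    def candidate(self, kind):
        """Server the device would address for 'authentication' or 'accounting'."""
        if kind == "accounting" and self.failed_over:
            return "secondary"
        p, s = self.state["primary"], self.state["secondary"]
        if p == s:                      # same state: use the primary
            return "primary"
        return "primary" if p == ACTIVE else "secondary"

    def send(self, kind, reachable):
        """Return the server that answered, or None if the request is lost.

        `reachable` is the set of servers that are actually up (simulated).
        """
        target = self.candidate(kind)
        if target in reachable:
            return target
        both_active = set(self.state.values()) == {ACTIVE}
        if target == "primary" and both_active:
            # Primary unavailable: mark it block and turn to the secondary.
            self.state["primary"] = BLOCK
            self.failed_over = True
            return "secondary" if "secondary" in reachable else None
        # No failover in any other state: only the selected server is
        # tried, even when it is the one that is down.
        return None

    def quiet_timer_expired(self):
        """Primary returns to active; the secondary's state is unchanged."""
        if self.state["primary"] == BLOCK:
            self.state["primary"] = ACTIVE
```

Tracing the model shows the availability consequence of the last rule: while the primary is in block state, a secondary outage leaves login requests unanswered until the quiet timer expires, even if the primary is already back up.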