H3C Technologies H3C SecBlade LB Cards User Manual

You can specify one primary authentication/authorization server and up to 16 secondary authentication/authorization servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. If no redundancy is needed, specify only the primary server.

A RADIUS authentication/authorization server can function as the primary authentication/authorization server for one scheme and a secondary authentication/authorization server for another scheme at the same time.

You can enable the server status detection feature. With this feature, the device periodically sends an authentication request to check whether the target RADIUS authentication/authorization server is reachable. If the server can be reached, the device sets the status of the server to active. If the server cannot be reached, the device sets the status of the server to block. This feature promptly notifies authentication modules of the latest server status. For example, server status detection can work with the 802.1X critical VLAN feature, so that the device can trigger 802.1X authentication for users in the critical VLAN immediately on detection of a reachable RADIUS authentication/authorization server.
To specify RADIUS authentication/authorization servers for a RADIUS scheme:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter RADIUS scheme view.
    Command: radius scheme radius-scheme-name
    Remarks: N/A

Step 3. Specify RADIUS authentication/authorization servers.
    Command:
        Specify the primary RADIUS authentication/authorization server:
            primary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *
        Specify a secondary RADIUS authentication/authorization server:
            secondary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *
    Remarks:
        Configure at least one command.
        By default, no authentication/authorization server is specified.
        The IP addresses of the primary and secondary authentication/authorization servers for a scheme must be different. Otherwise, the configuration will fail.
        All servers for authentication/authorization and accounting, primary or secondary, must use IP addresses of the same IP version.
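
A pre-deployment check for the rules in the table above, as an added example that is not part of the manual or H3C's software: it reads the primary authentication and secondary authentication lines planned for one scheme and reports violations of the stated limits. The function name lint_scheme, the scheme name and the addresses are constructed for illustration; optional parameters after the address are ignored, and accounting servers are not covered.

```python
import ipaddress
import re

MAX_SECONDARY = 16  # limit stated in the manual

# Leading part of the two commands in the table; optional parameters
# (port-number, key, probe, vpn-instance) are ignored by this check.
LINE_RE = re.compile(
    r"^\s*(primary|secondary)\s+authentication\s+(?:ipv6\s+)?(\S+)")

# Constructed sample input (documentation address ranges, hypothetical scheme).
GOOD = """radius scheme example-scheme
 primary authentication 192.0.2.10 1812
 secondary authentication 192.0.2.11 1812
"""
BAD = """radius scheme example-scheme
 primary authentication 192.0.2.10
 secondary authentication 192.0.2.10
 secondary authentication ipv6 2001:db8::11
"""

def lint_scheme(config_text):
    """Return the rule violations found in one scheme's auth server lines."""
    primary, secondaries, problems = [], [], []
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            problems.append(f"unparseable address: {m.group(2)}")
            continue
        (primary if m.group(1) == "primary" else secondaries).append(addr)
    if not primary and not secondaries:
        problems.append("no authentication/authorization server specified")
    if len(primary) > 1:
        problems.append("more than one primary server")
    if len(secondaries) > MAX_SECONDARY:
        problems.append(f"{len(secondaries)} secondary servers (max {MAX_SECONDARY})")
    for addr in secondaries:
        if addr in primary:
            problems.append(f"secondary {addr} duplicates the primary")
    if len({a.version for a in primary + secondaries}) > 1:
        problems.append("servers mix IPv4 and IPv6 addresses")
    return problems

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_scheme(text) or "ok")
```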

Specifying the RADIUS accounting servers and the relevant parameters

You can specify one primary accounting server and up to 16 secondary accounting servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. When redundancy is not required, specify only the primary server. A RADIUS accounting server can function as the primary accounting server for one scheme and a secondary accounting server for another scheme at the same time.

When the device receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. When the maximum number of real-time accounting attempts is reached, the device disconnects users who have no accounting responses. You can enable buffering of stop-accounting requests that receive no response, so that the device buffers and resends a stop-accounting request until it receives a response. If the number of stop-accounting attempts reaches the upper limit, the device discards the buffered request.
