H3C Technologies H3C SecBlade LB Cards User Manual
functioning as the backup of the primary servers. Typically, the device chooses servers based on these
rules:
• When the primary server is in active state, the device communicates with the primary server.
  If the primary server fails, the device changes the server's status to blocked, starts a quiet timer for
  the server, and tries to communicate with a secondary server in active state (a secondary server
  configured earlier has a higher priority).
  If the secondary server is unreachable, the device changes the server's status to blocked, starts a
  quiet timer for the server, and continues to check the next secondary server in active state. This
  search process continues until the device finds an available secondary server or has checked all
  secondary servers in active state.
  If the quiet timer of a server expires or an authentication or accounting response is received from
  the server, the status of the server changes back to active automatically, but the device does not
  check the server again during the authentication or accounting process.
  If no server is found reachable during one search process, the device considers the authentication
  or accounting attempt a failure.
• Once the accounting process of a user starts, the device keeps sending the user's real-time
  accounting requests and stop-accounting requests to the same accounting server.
• If you remove the accounting server, real-time accounting requests and stop-accounting requests for
  the user are no longer delivered to the server.
• If you remove an authentication or accounting server in use, the communication of the device with
  the server will soon time out, and the device will look for a server in active state by checking the
  primary server first and then the secondary servers in the order they are configured.
• When the primary server and secondary servers are all in blocked state, the device communicates
  with the primary server. If the primary server is available, its status changes to active. Otherwise, its
  status remains blocked.
• If one server is in active state and all the others are in blocked state, the device only tries to
  communicate with the server in active state, even if the server is unavailable.
• After receiving an authentication/accounting response from a server, the device changes the status
  of the server identified by the source IP address of the response to active if the current status of the
  server is blocked.
The device does not change the status of an unreachable authentication or accounting server if the server
quiet timer is set to 0. Instead, the device keeps the server status as active and sends authentication or
accounting packets to another server in active state, so subsequent authentication or accounting packets
can still be sent to that server. For more information about the server quiet timer, see "
By default, the device sets the status of all RADIUS servers to active. In some cases, however, you may
need to change the status of a server. For example, if a server fails, you can change the status of the
server to blocked to avoid communication attempts to the server.
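The selection rules above can be modelled as a small state machine, which helps when reasoning about which RADIUS server receives a request during an outage. The Python below is an added example, not H3C code: the class and method names, the set of reachable servers, and the timings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    state: str = "active"        # "active" or "blocked"
    blocked_until: float = 0.0   # time at which the quiet timer expires

class RadiusScheme:
    """Hypothetical model: servers[0] is the primary, the rest are
    secondaries in the order they were configured."""
    def __init__(self, names, quiet_seconds):
        self.servers = [Server(n) for n in names]
        self.quiet = quiet_seconds

    def select(self, now, reachable):
        """Return the server used for one attempt, or None on failure."""
        # An expired quiet timer puts a blocked server back in active state.
        for s in self.servers:
            if s.state == "blocked" and now >= s.blocked_until:
                s.state = "active"
        candidates = [s for s in self.servers if s.state == "active"]
        if not candidates:
            # All servers blocked: only the primary is tried.
            primary = self.servers[0]
            if primary.name in reachable:
                primary.state = "active"
                return primary.name
            return None
        # Snapshot of active servers: none is re-checked within one attempt.
        for s in candidates:
            if s.name in reachable:
                return s.name
            if self.quiet > 0:   # a quiet timer of 0 leaves the server active
                s.state, s.blocked_until = "blocked", now + self.quiet
        return None

def demo():
    # Constructed scenario: (time in seconds, servers that answer).
    scheme = RadiusScheme(["pri", "sec1", "sec2"], quiet_seconds=300)
    steps = [(0, {"sec2"}), (10, {"pri", "sec2"}), (20, {"pri"}), (30, {"pri"})]
    return [scheme.select(t, up) for t, up in steps]

if __name__ == "__main__":
    print(demo())
```

In this trace the attempt at t=20 fails even though the primary is reachable again, because only the one server still in active state is tried; the next attempt finds every server blocked and falls back to the primary.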
To set the status of RADIUS servers in a RADIUS scheme:
Step                            Command                             Remarks
1. Enter system view.           system-view                         N/A
2. Enter RADIUS scheme view.    radius scheme radius-scheme-name    N/A