HP 5120 SI Series Security Configuration Manual page 37

When the primary server is in the active state, the device communicates with the primary server. If the primary server fails, the device changes the state of the primary server to blocked, starts a quiet timer for the server, and then turns to a secondary server in the active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the device changes the server's status to blocked, starts a quiet timer for the server, and continues to check the next secondary server in the active state. This search process continues until the device finds an available secondary server or has checked all secondary servers in the active state. If the quiet timer of a server expires or an authentication or accounting response is received from the server, the state of the server changes back to active automatically, but the device does not check the server again. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.

Once the accounting process of a user starts, the device keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests of the user cannot be delivered to the server anymore.

If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in the active state from scratch: it checks the primary server (if any) first and then the secondary servers in the order they are configured.

When the primary server and secondary servers are all in the blocked state, the device communicates with the primary server. If the primary server is available, its state changes to active; otherwise, its state remains blocked.

If one server is in the active state and the others are in the blocked state, the device only tries to communicate with the server in the active state, even if the server is unavailable.

After receiving an authentication/accounting response from a server, the device changes the state of the server identified by the source IP address of the response to active if the current state of the server is blocked.
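
The selection rules above, modelled in Python as an added example (not part of the HP manual or the device software). The Server class, the search function, the server names and the 300-second quiet timer are assumptions made for the illustration:

```python
from dataclasses import dataclass

QUIET_SECONDS = 300  # assumed quiet-timer length, not taken from the manual


@dataclass
class Server:  # hypothetical model of one configured RADIUS server
    name: str
    active: bool = True
    blocked_until: float = 0.0


def search(servers, reachable, now):
    """One search process. servers[0] is the primary, the rest are the
    secondaries in configuration order; reachable is a set of names that
    answer. Returns (name of the server used or None, names contacted)."""
    for s in servers:  # an expired quiet timer returns a server to active
        if not s.active and now >= s.blocked_until:
            s.active = True
    if not any(s.active for s in servers):
        # All blocked: only the primary is contacted.
        primary = servers[0]
        primary.active = primary.name in reachable
        return (primary.name if primary.active else None), [primary.name]
    tried = []
    # Snapshot the active servers: one that turns active again during the
    # search is not rechecked.
    for s in [s for s in servers if s.active]:
        tried.append(s.name)
        if s.name in reachable:
            return s.name, tried
        s.active, s.blocked_until = False, now + QUIET_SECONDS
    return None, tried


def demo():
    """Constructed scenario: three servers, reachability changes per attempt."""
    pool = [Server("primary"), Server("sec1"), Server("sec2")]
    results = [
        search(pool, {"sec2"}, now=0),      # primary and sec1 get blocked
        search(pool, {"primary"}, now=10),  # only sec2 is active, and it is down
        search(pool, {"primary"}, now=20),  # all blocked, so the primary is tried
    ]
    return results, [s.active for s in pool]


if __name__ == "__main__":
    print(demo())
```

The second attempt in demo() fails even though the primary has recovered, because the primary is still blocked and only the one active server is contacted.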
By default, the device sets the status of all RADIUS servers to active. In some cases, however, you may
need to change the status of a server. For example, if a server fails, you can change the status of the
server to blocked to avoid communication with the server.
Follow these steps to set the status of RADIUS servers:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter RADIUS scheme view | radius scheme radius-scheme-name | |
| Set the status of the primary RADIUS authentication/authorization server | state primary authentication { active \| block } | Optional. active for every server specified in the RADIUS scheme by default |
| Set the status of the primary RADIUS accounting server | state primary accounting { active \| block } | Optional. active for every server specified in the RADIUS scheme by default |
| Set the status of the secondary RADIUS authentication/authorization server | state secondary authentication [ ip ipv4-address \| ipv6 ipv6-address ] { active \| block } | Optional. active for every server specified in the RADIUS scheme by default |
| Set the status of the secondary RADIUS accounting server | state secondary accounting [ ip ipv4-address \| ipv6 ipv6-address ] { active \| block } | Optional. active for every server specified in the RADIUS scheme by default |
