HP 5120 SI Series Security Configuration Manual page 40

| To do... | Use the command... | Remarks |
|---|---|---|
| Set the RADIUS server response timeout timer | timer response-timeout seconds | Optional. 3 seconds by default |
| Set the quiet timer for the servers | timer quiet minutes | Optional. 5 minutes by default |
| Set the real-time accounting timer | timer realtime-accounting minutes | Optional. 12 minutes by default |

NOTE:

For an access module, the maximum number of transmission attempts multiplied by the RADIUS server response timeout period must be less than the client connection timeout time and must not exceed 75 seconds. Otherwise, stop-accounting messages cannot be buffered, and the primary/secondary server switchover cannot take place. For example, because the client connection timeout time for voice access is 10 seconds, the product of the two parameters must be less than 10 seconds; because the client connection timeout time for Telnet access is 30 seconds, the product of the two parameters must be less than 30 seconds.

When configuring the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout period, be sure to take the number of secondary servers into account. If the retransmission process takes too much time, the client connection in the access module may time out while the device is trying to find an available server.

When a number of secondary servers are configured, the client connections of access modules that have a short client connection timeout period may still time out during initial authentication or accounting, even if the packet transmission attempt limit and server response timeout period are configured with small values. In this case, the next authentication or accounting attempt may succeed because the device has set the state of the unreachable servers to blocked, which shortens the time needed to find a reachable server.

Be sure to set the server quiet timer properly. Too short a quiet timer may result in frequent authentication or accounting failures because the device has to repeatedly attempt to communicate with a server that is in the active state but is unreachable.

For more information about the maximum number of RADIUS packet retransmission attempts, see "Setting the maximum number of RADIUS request transmission attempts."

Configuring RADIUS accounting-on

The accounting-on feature enables a device to send accounting-on packets to the RADIUS server after it reboots, making the server log out users who logged in through the device before the reboot. Without this feature, users who were online before the reboot cannot log in again after the reboot, because the RADIUS server considers them to be already online.

If a device sends an accounting-on packet to the RADIUS server but receives no response, it resends the packet to the server at a particular interval for a specified number of times.

Follow these steps to configure the accounting-on feature for a RADIUS scheme:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter RADIUS scheme view | radius scheme radius-scheme-name | |
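
The timer constraints in the NOTE above can be checked before a scheme is deployed. The following is an added example, not code from the HP manual: it applies the NOTE's product rule and replays logins against a server list to show the effect of the quiet timer. The names Scheme, check_product and simulate are hypothetical, and the failover model described in the docstring is an assumption.

```python
from dataclasses import dataclass

# Client connection timeouts quoted in the manual's NOTE, in seconds.
CLIENT_TIMEOUT = {"voice": 10, "telnet": 30}
MAX_PRODUCT = 75  # ceiling on attempts * response timeout, in seconds

@dataclass
class Scheme:  # hypothetical container for one RADIUS scheme's settings
    attempts: int          # maximum transmission attempts per server
    response_timeout: int  # timer response-timeout, seconds
    quiet_minutes: int     # timer quiet, minutes

def check_product(s, access):
    """NOTE's rule: attempts * timeout < client timeout and <= 75 s."""
    product = s.attempts * s.response_timeout
    return product < CLIENT_TIMEOUT[access] and product <= MAX_PRODUCT

def simulate(s, access, reachable, logins):
    """Replay logins (start times in seconds); servers are listed primary first.

    Assumed model, not taken from the manual: servers are tried in order, an
    unreachable active server costs attempts * response_timeout and is then
    blocked for the quiet timer, and a login fails if a reachable server is
    not found before the client connection timeout expires.
    """
    per_server = s.attempts * s.response_timeout
    blocked_until = [0.0] * len(reachable)
    results = []
    for start in logins:
        now, ok = float(start), False
        for i, up in enumerate(reachable):
            if now < blocked_until[i]:
                continue  # blocked server is skipped at no cost
            if up:
                ok = (now - start) < CLIENT_TIMEOUT[access]
                break
            now += per_server  # every attempt to this server timed out
            blocked_until[i] = now + s.quiet_minutes * 60
        results.append(ok)
    return results

if __name__ == "__main__":
    servers = [False, False, True]  # constructed: two dead servers, one live
    for quiet in (5, 1):
        s = Scheme(attempts=3, response_timeout=3, quiet_minutes=quiet)
        print(quiet, check_product(s, "voice"),
              simulate(s, "voice", servers, [0, 120, 240]))
```

In this constructed scenario the first voice login fails in both runs even though the product rule is satisfied; with a 5-minute quiet timer the later logins succeed because the dead servers are still blocked, while with a 1-minute quiet timer every login probes them again and fails.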
