HP 5500 HI Series Configuration Manual page 44

Security

When a number of secondary servers are configured, the client connections of access modules that
have a short client connection timeout period may still be timed out during initial authentication or
accounting, even if the packet transmission attempt limit and server response timeout period are
configured with small values. In this case, the next authentication or accounting attempt may
succeed because the switch has set the state of the unreachable servers to blocked and the time for
finding a reachable server is shortened.
Be sure to set the server quiet timer properly. Too short a quiet timer may result in frequent
authentication or accounting failures because the switch has to repeatedly attempt to communicate
with an unreachable server that is in active state.
For more information about the maximum number of RADIUS packet transmission attempts, see
"Setting the maximum number of RADIUS request transmission attempts."

Configuring RADIUS accounting-on

The accounting-on feature enables a switch to send accounting-on packets to the RADIUS server after it
reboots, making the server log out users who logged in through the switch before the reboot. Without this
feature, users who were online before the reboot cannot log in again after the reboot, because the RADIUS
server considers them to be already online.
If a switch sends an accounting-on packet to the RADIUS server but receives no response, it resends the
packet to the server at a particular interval for a specified number of times.
To configure the accounting-on feature for a RADIUS scheme:

| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enter RADIUS scheme view. | radius scheme radius-scheme-name | N/A |
| 3. Enable accounting-on and configure parameters. | accounting-on enable [ interval seconds \| send send-times ] * | Disabled by default. The default interval is 3 seconds and the default number of send-times is 50. |

NOTE:
The accounting-on feature requires the cooperation of the HP IMC network management system.

Configuring the IP address of the security policy server

The core of the HP EAD solution is integration and cooperation, and the security policy server is the
management and control center. Using a collection of software, the security policy server provides
functions such as user management, security policy management, security status assessment, security
cooperation control, and security event audit.
The NAS checks the validity of received control packets and accepts only control packets from known
servers. To use a security policy server that is independent of the AAA servers, you must configure the IP
address of the security policy server on the NAS. To implement all EAD functions, configure both the IP
address of the security policy server and that of the IMC Platform on the NAS.
To configure the IP address of the security policy server for a scheme:

| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
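
The packet behind the accounting-on feature described earlier on this page, as an added Python example that is not taken from the HP manual. It goes beyond the page by assuming the switch sends the standard RFC 2866 form (an Accounting-Request with Acct-Status-Type = Accounting-On) and shows the shared-secret check a RADIUS server applies before it logs out that switch's users. The NAS address, session ID and shared secret are constructed values.

```python
import hashlib
import hmac
import struct

# Codes and attribute types from RFC 2865/2866.
ACCOUNTING_REQUEST, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 4, 4, 40, 44
ACCOUNTING_ON = 7  # Acct-Status-Type value sent after a NAS reboot


def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_on(ident, nas_ip, secret):
    """Build the accounting-on packet a NAS sends after it reboots."""
    attrs = (attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCOUNTING_ON))
             + attr(NAS_IP_ADDRESS, nas_ip)
             + attr(ACCT_SESSION_ID, b"constructed-0001"))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(code, id, length, 16 zero octets, attributes, secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def is_valid_accounting_on(packet, secret):
    """Server-side check: code, length, authenticator, then Accounting-On status."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False  # wrong shared secret or modified packet
    pos = 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return False  # malformed attribute length
        if a_type == ACCT_STATUS_TYPE and a_len == 6:
            return struct.unpack("!I", attrs[pos + 2:pos + 6])[0] == ACCOUNTING_ON
        pos += a_len
    return False


# Constructed sample: NAS 192.0.2.10 with a made-up shared secret.
SAMPLE = build_accounting_on(1, bytes([192, 0, 2, 10]), b"example-secret")
```

Because an accepted accounting-on clears every session the server holds for that NAS, the authenticator check runs before the status type is acted on.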
