HP FlexFabric 5700 Series Security Configuration Manual page 41

Step
2. Specify a source IP address
for outgoing RADIUS packets.
To specify a source IP address for a RADIUS scheme:
Step
1. Enter system view.
2. Enter RADIUS scheme view.
3. Specify a source IP address
for outgoing RADIUS packets.
Setting RADIUS timers
The device uses the following types of timers to control communication with a RADIUS server:
Server response timeout timer (response-timeout)—Defines the RADIUS request retransmission
•
interval. The timer starts immediately after a RADIUS request is sent. If the device does not receive
a response from the RADIUS server before the timer expires, it resends the request.
Server quiet timer (quiet)—Defines the duration to keep an unreachable server in blocked state. If
•
one server is not reachable, the device changes the server status to blocked, starts this timer for the
server, and tries to communicate with another server in active state. After the server quiet timer
expires, the device changes the status of the server back to active.
• Real-time accounting timer (realtime-accounting)—Defines the interval at which the device sends
real-time accounting packets to the RADIUS accounting server for online users.
When you set RADIUS timers, follow these guidelines:
When you configure the maximum number of RADIUS packet transmission attempts and the
•
RADIUS server response timeout timer, consider the number of secondary servers. If the
retransmission process takes too much time, the client connection in the access module (for example,
Telnet) might time out during the process.
When a number of secondary servers are configured, the client connections of access modules that
•
have a short client connection timeout period might still be timed out during initial authentication or
accounting, even if the packet transmission attempt limit and server response timeout period are
configured with small values. However, the next authentication or accounting attempt can succeed,
because the device has set the unreachable servers to blocked, which shortens the amount of time
for finding a reachable server.
Make sure the server quiet timer is set correctly. A timer that is too short might result in frequent
•
authentication or accounting failures. This is because the device will continue to attempt to
communicate with an unreachable server that is in active state. A timer that is too long might
temporarily block a reachable server that has recovered from a failure. This is because the server
will remain in blocked state until the timer expires.
• A short real-time accounting interval helps improve accounting precision but requires many system
resources. When there are 1000 or more users, set the interval to 15 minutes or longer.
Command
radius nas-ip { ipv4-address | ipv6
ipv6-address }
Command
system-view
radius scheme
radius-scheme-name
nas-ip { ipv4-address | ipv6
ipv6-address }
29
Remarks
By default, the IP address of the
RADIUS packet outbound interface
is used as the source IP address.
Remarks
N/A
N/A
By default, the source IP address
specified by the radius nas-ip
command in system view is used. If
the source IP address is not
specified, the IP address of the
outbound interface is used.