HP 3600 v2 Series Configuration Manual page 36
Hide thumbs
Also See for 3600 v2 Series:
- Command reference manual (510 pages) ,
- Configuration manual (441 pages) ,
- Security configuration manual (398 pages)
Table of Contents
Advertisement
In RADIUS, user authorization information is piggybacked in authentication responses sent to RADIUS
clients. There is no separate RADIUS authorization server.
You can enable the server status detection feature. With the feature, the switch periodically sends an
authentication request to check whether or not the target RADIUS authentication/authorization server is
reachable. If yes, the switch sets the status of the server to active. If not, the switch sets the status of the
server to block. This feature can promptly notify authentication modules of latest server status information.
For example, server status detection can work with the 802.1X critical VLAN feature, so that the switch
can trigger 802.1X authentication for users in the critical VLAN immediately on detection of a reachable
RADIUS authentication/authorization server.
Follow these guidelines when you specify RADIUS authentication/authorization servers:
•
The IP addresses of the primary and secondary authentication/authorization servers for a scheme
must be different from each other. Otherwise, the configuration fails.
All servers for authentication/authorization and accounting, primary or secondary, must use IP
•
addresses of the same IP version.
You can specify a RADIUS authentication/authorization server as the primary
•
authentication/authorization server for one scheme and as a secondary
authentication/authorization server for another scheme at the same time.
To specify RADIUS authentication/authorization servers for a RADIUS scheme:
Step
1.
Enter system view.
2.
Enter RADIUS scheme
view.
3.
Specify RADIUS
authentication/authorizati
on servers.
Specifying the RADIUS accounting servers and the relevant parameters
You can specify one primary accounting server and up to 16 secondary accounting servers for a RADIUS
scheme. When the primary server is not available, the switch searches for the secondary servers in the
order they are configured. The first secondary server in active state is used for communication.
If redundancy is not required, specify only the primary server.
By setting the maximum number of real-time accounting attempts for a scheme, you make the switch
disconnect users for whom no accounting response is received before the number of accounting attempts
reaches the limit.
Command
system-view
radius scheme radius-scheme-name
•
Specify the primary RADIUS
authentication/authorization server:
primary authentication { ip-address |
ipv6 ipv6-address } [ port-number |
key [ cipher | simple ] key | probe
username name [ interval interval ] |
vpn-instance vpn-instance-name ] *
•
Specify a secondary RADIUS
authentication/authorization server:
secondary authentication { ip-address
| ipv6 ipv6-address } [ port-number |
key [ cipher | simple ] key | probe
username name [ interval interval ] |
vpn-instance vpn-instance-name ] *
23
Remarks
N/A
N/A
Configure at least one
command.
No
authentication/authorization
server is specified by default.
Advertisement
Table of Contents
Troubleshooting
