Setting The Status Of Radius Servers - H3C S9500E Series Security Configuration Manual

Setting the status of RADIUS servers

By setting the status of RADIUS servers to block or active, you can control which servers the
switch communicates with for authentication, authorization, and accounting, and which servers it
turns to when the current servers are no longer available. In practice, you can specify one
primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers acting
as backups for the primary one. Generally, the switch chooses servers based on these rules:
- When the primary server is in active state, the switch communicates with the primary server.
  If the primary server fails, the switch changes the state of the primary server to block and
  starts a quiet timer for the server, and then turns to a secondary server in active state (a
  secondary server configured earlier has a higher priority). If the secondary server is
  unreachable, the switch changes the state of the secondary server to block, starts a quiet
  timer for the server, and continues to check the next secondary server in active state. This
  search process continues until the switch finds an available secondary server or has checked
  all secondary servers in active state. If the quiet timer of a server expires or an
  authentication or accounting response is received from the server, the state of the server
  changes back to active automatically, but the switch does not come back to check the server
  any more. If no server is found reachable during one search process, the switch considers the
  authentication or accounting request a failure.
- Once the accounting process of a user starts, the switch keeps sending the user's real-time
  accounting requests and stop-accounting requests to the same accounting server. If you
  remove the accounting server, real-time accounting requests and stop-accounting requests of
  the user cannot be delivered to the server any more.
- If you remove an authentication server in use, the communication of the switch with the server
  will soon time out, and the switch will look for a server in active state from scratch: it checks
  the primary server (if any) first and then the secondary servers in the order they are
  configured.
- When the primary server and secondary servers are all in block state, the switch
  communicates with the primary server. If the primary server is available, its state changes to
  active; otherwise, its state remains block.
- If one server is in active state while the others are in block state, the switch only tries to
  communicate with the server in active state, even if the server is unavailable.
- After receiving an authentication/accounting response from a server, the switch changes the
  state of the server identified by the source IP address of the response to active if the current
  state of the server is block.
By default, the switch sets the status of all RADIUS servers to active. In some cases, however, you
may need to change the status of a server. For example, if a server fails, you can change the
status of the server to block to avoid communication with the server.
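The selection rules above can be traced with a small model. This is an added example, not H3C code: the server names, the 300-second quiet period, treating each request as a fresh search from the primary, and a manual state change clearing the quiet timer are all assumptions of the sketch.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    state: str = "active"      # the manual's default state
    unblock_at: float = 0.0    # quiet-timer expiry; 0 means no timer running

class Scheme:
    """Toy model of one RADIUS scheme: servers[0] is the primary,
    the rest are secondaries in configuration order."""
    def __init__(self, names, quiet=300.0):    # quiet period is an assumed value
        self.servers = [Server(n) for n in names]
        self.quiet = quiet

    def set_state(self, name, state):
        # Models the manual "state ... { active | block }" setting (no timer: assumption).
        for s in self.servers:
            if s.name == name:
                s.state, s.unblock_at = state, 0.0

    def request(self, reachable, now):
        """Return the name of the server that answered, or None if the request fails."""
        for s in self.servers:                 # quiet-timer expiry restores active
            if s.state == "block" and s.unblock_at and now >= s.unblock_at:
                s.state, s.unblock_at = "active", 0.0
        active = [s for s in self.servers if s.state == "active"]
        if not active:
            # All servers blocked: only the primary is tried.
            primary = self.servers[0]
            if primary.name in reachable:
                primary.state, primary.unblock_at = "active", 0.0
                return primary.name
            return None
        for s in active:                       # primary first, then configuration order
            if s.name in reachable:
                return s.name
            s.state, s.unblock_at = "block", now + self.quiet
        return None                            # blocked servers are never consulted

def demo():
    sch = Scheme(["pri", "sec1", "sec2"])      # constructed sample topology
    steps = [({"sec2"}, 0), ({"pri", "sec2"}, 10), ({"pri"}, 20), ({"pri"}, 30), ({"sec1"}, 400)]
    return [sch.request(r, t) for r, t in steps]

if __name__ == "__main__":
    print(demo())
```

The third step is the case to watch in production: the request fails although the primary is reachable again, because the only server still marked active is down and blocked servers are skipped until their quiet timer expires or every server is blocked.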
Follow these steps to set the status of RADIUS servers:

To do...                                   Use the command...                               Remarks
1. Enter system view                       system-view
2. Enter RADIUS scheme view                radius scheme radius-scheme-name
3. Set the status of the primary RADIUS    state primary authentication { active | block }  Optional
   authentication/authorization server
