HPE FlexFabric 7900 Series Security Configuration Manual page 31

•
The search process continues until the device finds an available secondary server or has
checked all secondary servers in active state. If no server is available, the device considers the
authentication or accounting attempt a failure.
•
When the quiet timer of a server expires or you manually set the server to the active state, the
status of the server changes back to active. The device does not check the server again during
the authentication or accounting process.
•
When you remove a server in use, communication with the server times out. The device looks
for a server in active state by first checking the primary server, and then checking secondary
servers in the order they are configured.
•
When the primary server and secondary servers are all in blocked state, the device tries to
communicate with the primary server.
•
When one or more servers are in active state, the device tries to communicate with these active
servers only, even if the servers are unavailable.
•
When the status of a RADIUS server changes automatically, the device changes the status of
this server accordingly in all RADIUS schemes in which this server is specified.
By default, the device sets the status of all RADIUS servers to active. However, in some situations,
you must change the status of a server. For example, if a server fails, you can change the status of
the server to blocked to avoid communication attempts to the server.
To set the status of RADIUS servers:
Step
1. Enter system view.
2. Enter RADIUS scheme
view.
3. Set the RADIUS server
status.
Specifying the source IP address for outgoing RADIUS packets
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS
configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon
receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is
the IP address of a managed NAS.
•
If the source IP address of the packet is the IP address of a managed NAS, the server
processes the packet.
Command
system-view
radius scheme radius-scheme-name
•
Set the status of the primary
RADIUS authentication server:
state primary authentication
{ active | block }
•
Set the status of the primary
RADIUS accounting server:
state primary accounting { active |
block }
•
Set the status of a secondary
RADIUS authentication server:
state secondary authentication
[ { host-name | ipv4-address }
[ port-number | vpn-instance
vpn-instance-name ] * ] { active |
block }
•
Set the status of a secondary
RADIUS accounting server:
state secondary accounting
[ { host-name | ipv4-address }
[ port-number | vpn-instance
vpn-instance-name ] * ] { active |
block }
23
Remarks
N/A
N/A
By default, every server
specified in a RADIUS
scheme is in active state.
The configured server status
cannot be saved to any
configuration file, and can
only be viewed by using the
display radius scheme
command. After the device
restarts, all servers are
restored to the active state.