HPE FlexFabric 7900 Series Security Configuration Manual page 33


When you set RADIUS timers, follow these guidelines:
• Consider the number of secondary servers when you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer. If the RADIUS scheme includes many secondary servers, the retransmission process might be too long and the client connection in the access module, such as Telnet, can time out.
• When the client connections have a short timeout period, a large number of secondary servers can cause the initial authentication or accounting attempt to fail. In this case, reconnect the client rather than adjusting the RADIUS packet transmission attempts and server response timeout timer. Typically, the next attempt will succeed, because the device has blocked the unreachable servers to shorten the time to find a reachable server.
• Make sure the server quiet timer is set correctly. A timer that is too short might result in frequent authentication or accounting failures. The reason is that the device will continue to attempt to communicate with an unreachable server that is in active state. A timer that is too long might temporarily block a reachable server that has recovered from a failure. The reason is that the server will remain in blocked state until the timer expires.
• A short real-time accounting interval helps improve accounting precision but requires many system resources. When there are 1000 or more users, set the interval to 15 minutes or longer.
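The following Python model is an added example, not code from the manual or from HPE, that walks through the guidelines above: why a first login can time out with many secondary servers, why a reconnect then succeeds, and how the quiet timer length changes the outcome. It assumes a simplified failover model (each unreachable active server costs attempts × response timeout, then is blocked for the quiet timer); the server names, the 3 transmission attempts and the 30-second client timeout are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    reachable: bool
    blocked_until: float = 0.0  # server is active again once the clock reaches this (s)


def authenticate(servers, now, response_timeout=3, attempts=3,
                 quiet_minutes=5, client_timeout=30):
    """Walk the scheme's servers in order; return (outcome, seconds_spent, server).

    Simplified model (assumption): every unreachable server in active state
    costs attempts * response_timeout seconds and is then blocked for the
    quiet timer; servers in blocked state are skipped at no cost.
    """
    spent = 0
    for srv in servers:
        if now + spent < srv.blocked_until:
            continue  # still in blocked state, so the device skips it
        if srv.reachable:
            return ("accepted", spent, srv.name)
        spent += attempts * response_timeout
        srv.blocked_until = now + spent + quiet_minutes * 60
        if spent >= client_timeout:
            return ("client-timeout", spent, None)  # e.g. the Telnet session gave up
    return ("no-server", spent, None)


def build_scheme():
    # Constructed sample: primary and three secondaries down, last secondary up.
    down = [Server(f"srv{i}", reachable=False) for i in range(1, 5)]
    return down + [Server("srv5", reachable=True)]


if __name__ == "__main__":
    scheme = build_scheme()
    print(authenticate(scheme, now=0))    # first login: four dead servers probed
    print(authenticate(scheme, now=40))   # reconnect: dead servers are blocked
    scheme[0].reachable = True            # srv1 recovers while still blocked
    print(authenticate(scheme, now=100))  # srv1 is skipped until the timer expires
    print(authenticate(scheme, now=400))  # quiet timer expired: srv1 is used again

    short = build_scheme()
    print(authenticate(short, now=0, quiet_minutes=1))
    print(authenticate(short, now=100, quiet_minutes=1))  # dead servers probed again
```
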
To set RADIUS timers:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Set the RADIUS server response timeout timer.
   Command: timer response-timeout seconds
   Remarks: The default setting is 3 seconds.
4. Set the quiet timer for the servers.
   Command: timer quiet minutes
   Remarks: The default setting is 5 minutes.
5. Set the real-time accounting timer.
   Command: timer realtime-accounting minutes
   Remarks: The default setting is 12 minutes.

Configuring the accounting-on feature

When the accounting-on feature is enabled, the device automatically sends an accounting-on packet to the RADIUS server after a device or card reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device. Without this feature, users cannot log in again after the reboot, because the RADIUS server still considers them to be online.

You can configure the interval for which the device waits to resend the accounting-on packet and the maximum number of retries.

The RADIUS server must run on IMC to correctly log out users when a card reboots on the distributed device to which the users connect.

To configure the accounting-on feature for a RADIUS scheme:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Enable accounting-on.
   Command: accounting-on enable [ interval seconds | send send-times ] *
   Remarks: By default, the accounting-on feature is disabled.
