HP 10500 Series Configuration Manual page 31

Security configuration guide

Task | Remarks
--- | ---
Configuring RADIUS accounting-on | Optional.
Configuring the IP address of the security policy server | Optional.
Configuring interpretation of the RADIUS class attribute as CAR parameters | Optional.
Enabling the trap function for RADIUS | Optional.
Enabling the RADIUS client service | Optional.
Setting the DSCP value for RADIUS packets | Optional.
Displaying and maintaining RADIUS | Optional.

Creating a RADIUS scheme

A RADIUS scheme can be referenced by multiple ISP domains at the same time.

Before performing other RADIUS configurations, you must first create a RADIUS scheme and enter RADIUS scheme view.

To create a RADIUS scheme and enter RADIUS scheme view:

Step | Command | Remarks
--- | --- | ---
1. Enter system view. | system-view | N/A
2. Create a RADIUS scheme and enter RADIUS scheme view. | radius scheme radius-scheme-name | By default, no RADIUS scheme is created.

Specifying the RADIUS authentication/authorization servers

In RADIUS, user authorization information is piggybacked in authentication responses sent to RADIUS clients. It is neither allowed nor needed to specify a separate RADIUS authorization server.

You can specify one primary authentication/authorization server and up to 16 secondary authentication/authorization servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. In a scenario where redundancy is not required, specify only the primary server.

A RADIUS authentication/authorization server can function as the primary authentication/authorization server for one scheme and a secondary authentication/authorization server for another scheme at the same time.

You can enable the server status detection feature. With the feature, the device periodically sends an authentication request to check whether or not the target RADIUS authentication/authorization server is reachable. If yes, the device sets the status of the server to active. If not, the device sets the status of the server to block. This feature can promptly notify authentication modules of the latest server status information. For example, server status detection can work with the 802.1X critical VLAN feature, so that the device can trigger 802.1X authentication for users in the critical VLAN immediately on detection of a reachable RADIUS authentication/authorization server.

Follow these guidelines when you specify RADIUS authentication/authorization servers:

- The IP addresses of the primary and secondary authentication/authorization servers for a scheme must be different from each other. Otherwise, the configuration fails.
- All servers for authentication/authorization and accounting, primary or secondary, must use IP addresses of the same IP version.
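
The server guidelines above can be checked against a planned scheme before the change is applied to the device. The following Python script is an added example, not HP code and not device CLI; the function name check_scheme_plan, its parameters, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

MAX_SECONDARY = 16  # limit stated in the guide for one RADIUS scheme


def check_scheme_plan(primary_auth, secondary_auth=(), accounting=()):
    """Return a list of guideline violations for a planned RADIUS scheme.

    All arguments are IP address strings; the function and parameter names
    are hypothetical and not part of the device CLI.
    """
    problems = []
    if len(secondary_auth) > MAX_SECONDARY:
        problems.append(
            f"{len(secondary_auth)} secondary servers exceed the limit of {MAX_SECONDARY}"
        )

    parsed = {}
    for role, addrs in (("auth", [primary_auth, *secondary_auth]),
                        ("accounting", list(accounting))):
        parsed[role] = []
        for text in addrs:
            try:
                parsed[role].append(ipaddress.ip_address(text))
            except ValueError:
                problems.append(f"{role} server {text!r} is not a valid IP address")

    # Primary and secondary authentication/authorization servers must differ.
    # Comparing parsed addresses catches the same IPv6 address written two ways.
    seen = set()
    for addr in parsed["auth"]:
        if addr in seen:
            problems.append(f"authentication server {addr} is listed more than once")
        seen.add(addr)

    # Authentication/authorization and accounting servers share one IP version.
    versions = {a.version for addrs in parsed.values() for a in addrs}
    if len(versions) > 1:
        problems.append("servers mix IPv4 and IPv6 addresses")
    return problems


# Constructed sample plans (documentation address ranges, not real servers).
GOOD_PLAN = check_scheme_plan("192.0.2.10", ["192.0.2.11"], ["192.0.2.10"])
BAD_PLAN = check_scheme_plan("2001:db8::1", ["2001:0db8:0:0:0:0:0:1", "192.0.2.11"])
```

GOOD_PLAN reuses the primary server's address for accounting, which the guidelines do not forbid; BAD_PLAN fails both guidelines because its first secondary is the primary address in expanded IPv6 notation and its second secondary is IPv4.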
