HPE FlexNetwork 10500 Series Security Configuration Manual page 53


Step 3. Specify a source IP address for outgoing RADIUS packets.
  Command: nas-ip { ipv4-address | ipv6 ipv6-address }
  Remarks: By default, the source IP address specified by using the radius nas-ip command in system view is used. If the source IP address is not specified, the primary IP address of the outbound interface is used.

Setting RADIUS timers

The device uses the following types of timers to control communication with a RADIUS server:

- Server response timeout timer (response-timeout): Defines the RADIUS request retransmission interval. The timer starts immediately after a RADIUS request is sent. If the device does not receive a response from the RADIUS server before the timer expires, it resends the request.
- Server quiet timer (quiet): Defines the duration to keep an unreachable server in blocked state. If one server is not reachable, the device changes the server status to blocked, starts this timer for the server, and tries to communicate with another server in active state. After the server quiet timer expires, the device changes the status of the server back to active.
- Real-time accounting timer (realtime-accounting): Defines the interval at which the device sends real-time accounting packets to the RADIUS accounting server for online users.

When you set RADIUS timers, follow these guidelines:

- Consider the number of secondary servers when you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer. If the RADIUS scheme includes many secondary servers, the retransmission process might be too long and the client connection in the access module, such as Telnet, can time out.
- When the client connections have a short timeout period, a large number of secondary servers can cause the initial authentication or accounting attempt to fail. In this case, reconnect the client rather than adjusting the RADIUS packet transmission attempts and server response timeout timer. Typically, the next attempt will succeed, because the device has blocked the unreachable servers to shorten the time to find a reachable server.
- Make sure the server quiet timer is set correctly. A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state. A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.
- A short real-time accounting interval helps improve accounting precision but requires many system resources. When there are 1000 or more users, set the interval to 15 minutes or longer.

To set RADIUS timers:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A

Step 3. Set the RADIUS server response timeout timer.
  Command: timer response-timeout seconds
  Remarks: The default setting is 3 seconds.

Step 4. Set the quiet timer for the servers.
  Command: timer quiet minutes
  Remarks: The default setting is 5 minutes.

Step 5. Set the real-time accounting timer.
  Command: timer realtime-accounting interval [ second ]
  Remarks: The default setting is 12 minutes.
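
The timer guidelines above, worked through as an added example (not from the HPE manual): a simplified Python model of how the response timeout and quiet timer interact when several servers in a scheme are down. The 3-second response timeout and 5-minute quiet timer are the defaults stated on this page; the three transmission attempts per server, the 20-second client timeout, the server names and the selection logic itself are assumptions for illustration, not the device's actual algorithm.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    reachable: bool
    blocked_until: float = 0.0  # server is active again once the clock reaches this

def authenticate(servers, now, response_timeout=3, attempts=3, quiet_minutes=5):
    """One authentication attempt; returns (answering server or None, seconds spent)."""
    elapsed = 0.0
    for srv in servers:
        if now + elapsed < srv.blocked_until:
            continue                      # blocked: skipped without sending
        if srv.reachable:
            return srv.name, elapsed      # response latency itself is ignored
        elapsed += attempts * response_timeout   # every transmission timed out
        srv.blocked_until = now + elapsed + quiet_minutes * 60
    return None, elapsed

def scenario(client_timeout=20):
    # Constructed scheme: primary and two secondaries down, last secondary up.
    servers = [Server("primary", False), Server("sec1", False),
               Server("sec2", False), Server("sec3", True)]
    results = []
    for now in (0, 30, 400):   # first login, reconnect, login after quiet expiry
        name, spent = authenticate(servers, now)
        results.append((now, name, spent, spent <= client_timeout))
    # primary recovers at t=450 but is still blocked, so sec3 keeps answering
    servers[0].reachable = True
    name, spent = authenticate(servers, 450)
    results.append((450, name, spent, spent <= client_timeout))
    return results

if __name__ == "__main__":
    for now, name, spent, ok in scenario():
        print(f"t={now:>3}s server={name} search={spent:>4.0f}s client_ok={ok}")
```

In this model the first login spends 27 seconds walking the dead servers and exceeds the client timeout, while the reconnect at t=30 s skips the blocked servers and succeeds at once. After the quiet timer expires (t=400 s) the delay returns, and a primary that recovers at t=450 s stays unused until its own quiet timer runs out.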
