HPE Moonshot 45Gc Security Configuration Manual page 38

Switch module

number of currently served users for each active server, and then determines the most appropriate
server in performance to receive an accounting request.
The device sends a stop-accounting request to the accounting server in the following situations:
• The device receives a connection teardown request from a host.
• The device receives a connection teardown command from an administrator.
When the maximum number of realtime accounting attempts is reached, the device disconnects users who have no accounting responses.
RADIUS does not support accounting for FTP, SFTP, and SCP users.
To specify a RADIUS server by hostname in an MPLS VPN network, first complete one of the following tasks on the device:
• Configure hostname-to-IP address mappings for the VPN instance by using the ip host or ipv6 host command.
• Configure a DNS server for the VPN instance by using the dns server or ipv6 dns server command.
For more information about these commands, see Layer 3—IP Services Command Reference.
To specify RADIUS accounting servers and the relevant parameters for a RADIUS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify RADIUS accounting servers.
   Command:
   • Specify the primary RADIUS accounting server:
     primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *
   • Specify a secondary RADIUS accounting server:
     secondary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *
   Remarks: By default, no accounting server is specified. Two accounting servers in a scheme, primary or secondary, cannot have the same combination of hostname, IP address, port number, and VPN instance. The weight keyword takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme.
4. (Optional.) Set the maximum number of realtime accounting attempts.
   Command: retry realtime-accounting retry-times
   Remarks: The default setting is 5.

Specifying the shared keys for secure RADIUS communication

The RADIUS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption. The client and server must use the same key for each type of communication.
A key configured in this task is for all servers of the same type (accounting or authentication) in the scheme. The key has a lower priority than a key configured individually for a RADIUS server.
To specify a shared key for secure RADIUS communication:

1. Enter system view.
   Command: system-view
   Remarks: N/A
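
The Authenticator check described in the shared-key section above, worked through for the accounting exchange as an added example (not code from the HPE manual or the device). It follows the Accounting-Request and Accounting-Response Authenticator definitions in RFC 2866; the function names, user name, session ID and key strings are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5   # RADIUS packet codes (RFC 2866)

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def build_request(identifier, attrs, key):
    """Client: Authenticator = MD5(header + 16 zero octets + attributes + key)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + key).digest() + body

def verify_request(packet, key):
    """Server: recompute the Authenticator with its own copy of the key."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + key).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_response(request, key):
    """Server: attribute-less Accounting-Response bound to the request."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + key).digest()

def verify_response(response, request, key):
    """Client: the response must match the request's ID and Authenticator."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + key).digest()
    return hmac.compare_digest(expected, response[4:20])

# Constructed stop-accounting request: User-Name (1), Acct-Status-Type (40) = 2 (Stop),
# Acct-Session-Id (44). The name, session ID and keys are sample values.
SAMPLE_ATTRS = [(1, b"alice"), (40, struct.pack("!I", 2)), (44, b"session-0001")]

if __name__ == "__main__":
    req = build_request(7, SAMPLE_ATTRS, b"device-key")
    print("same key on server:     ", verify_request(req, b"device-key"))
    print("different key on server:", verify_request(req, b"other-key"))
    resp = build_response(req, b"device-key")
    print("response accepted:      ", verify_response(resp, req, b"device-key"))
```

A request built with one key fails verification under any other key, which is why the key set for accounting in the scheme has to match the one configured on the accounting server.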
