H3C S5500-EI Series Security Configuration Manual page 42

Step
3. Specify RADIUS
authentication/authorization
servers.
Specifying the RADIUS accounting servers and the relevant parameters
You can specify one primary accounting server and up to 16 secondary accounting servers for a RADIUS
scheme. When the primary server is not available, a secondary server is used. When redundancy is not
required, specify only the primary server.
By setting the maximum number of real-time accounting attempts for a scheme, you make the switch
disconnect users for whom no accounting response is received before the number of accounting attempts
reaches the limit.
When the switch receives a connection teardown request from a host or a connection teardown
notification from an administrator, it sends a stop-accounting request to the accounting server. You can
enable buffering of non-responded stop-accounting requests to allow the switch to buffer and resend a
stop-accounting request until it receives a response or the number of stop-accounting attempts reaches
the configured limit. In the latter case, the switch discards the packet.
Follow these guidelines when you specify RADIUS accounting servers:
The IP addresses of the primary and secondary accounting servers must be different from each other.
•
Otherwise, the configuration fails.
• All servers for authentication/authorization and accountings, primary or secondary, must use IP
addresses of the same IP version.
If you delete an accounting server that is serving users, the switch can no longer send real-time
•
accounting requests and stop-accounting requests for the users to that server, or buffer the
stop-accounting requests.
• You can specify a RADIUS accounting server as the primary accounting server for one scheme and
as the secondary accounting server for another scheme at the same time.
RADIUS does not support accounting for FTP users.
•
To specify RADIUS accounting servers and set relevant parameters for a scheme:
Step
1. Enter system view.
2. Enter RADIUS scheme view.
Command
•
Specify the primary RADIUS
authentication/authorization server:
primary authentication { ip-address |
ipv6 ipv6-address } [ port-number | key
[ cipher | simple ] key | probe
username name [ interval interval ] |
vpn-instance vpn-instance-name ] *
•
Specify a secondary RADIUS
authentication/authorization server:
secondary authentication { ip-address |
ipv6 ipv6-address } [ port-number | key
[ cipher | simple ] key | probe
username name [ interval interval ] |
vpn-instance vpn-instance-name ] *
Command
system-view
radius scheme radius-scheme-name
23
Remarks
Configure at least one
command.
No
authentication/authorizat
ion server is specified by
default.
Remarks
N/A
N/A