3Com 7757 Configuration Manual page 527

Configuring Shared Keys
for RADIUS Packets
c
CAUTION:
In an actual network environment, you can either specify two RADIUS servers
■
as the primary and secondary accounting servers respectively, or specify only
one server as both the primary and secondary accounting servers. In addition,
because RADIUS adopts different UDP ports to transceive
authentication/authorization packets and the accounting packets, you must set
a port number for accounting different from that set for
authentication/authorization.
Stop-accounting requests are critical to billing and will eventually affect the
■
charges of the users; they are important for both the users and the ISP.
Therefore, the switch should do its best to transmit them to the RADIUS
accounting server. If the RADIUS server does not respond to such a request, the
switch should first buffer the request on itself, and then retransmit the request
to the RADIUS accounting server until it gets a response, or the maximum
number of transmission attempts is reached (in this case, it discards the
request).
You can set the maximum number of real-time accounting request attempts in
■
the case that the accounting fails. If the switch makes all the allowed real-time
accounting request attempts but fails to perform accounting, it cuts down the
connection of the user.
The IP address and the port number of the default primary accounting server
■
"system" are 127.0.0.1 and 1646.
Currently, RADIUS does not support the accounting of FTP users.
■
The RADIUS client and server adopt MD5 algorithm to encrypt the RADIUS packets
exchanged with each other. The two parties verify the validity of the exchanged
packets by using the shared keys that have been set on them, and can accept and
respond to the packets sent from each other only if both of them have the same
shared keys.
Table 410 Configure shared keys for RADIUS packets
Operation
Enter system view
Create a RADIUS
scheme and enter its
view
Set a shared key for
the RADIUS
authentication/authori
zation packets
Set a shared key for
the RADIUS
accounting packets
c
CAUTION: You must set the share keys separately for the
authentication/authorization packets and the accounting packets if the
authentication/authorization server and the accounting server are different devices
and the shared keys on the two servers are also different.
Command
system-view
radius scheme
radius-scheme-name
key authentication string
key accounting string
RADIUS Configuration
Description
-
Required
By default, a RADIUS scheme named
"system" has already been created in
the system.
Required
By default, no shared key is set.
Required
By default, no shared key is set.
527