Configuring Radius Authentication And Accounting Servers; Server Access - Juniper JUNOSE SOFTWARE 11.0.X - BROADBAND ACCESS CONFIGURATION GUIDE 4-1-2010 Configuration Manual

For E Series Broadband Services Routers - Broadband Access Configuration

JUNOSe 11.0.x Broadband Access Configuration Guide

Configuring RADIUS Authentication and Accounting Servers

The number of RADIUS servers you can configure depends on available memory.

The order in which you configure servers determines the order in which the router
contacts those servers on behalf of clients.

Initially, a RADIUS client sends a request to a RADIUS authentication or accounting
server. The RADIUS server uses the configured IP address, the UDP port number,
and the secret key to make the connection. The RADIUS client waits for a response
for a configurable timeout period and then retransmits the request. The RADIUS
client retransmits the request up to a user-configurable retry limit.

- If there is no response from the primary RADIUS server, the RADIUS client
  submits the request to the secondary RADIUS server using the timeout period
  and retry limit configured for the secondary RADIUS server.
- If the connection attempt fails for the secondary RADIUS server, the router
  submits the request to the tertiary server and so on until it either is granted
  access on behalf of the client or there are no more configured servers.
- If another authentication server is not configured, the router attempts the next
  method in the method list; for accounting server requests, the information is
  dropped.

For example, suppose that you have configured the following authentication servers:
Auth1, Auth2, Auth3, Auth4, and Auth5. Your router attempts to send an
authentication request to Auth1. If Auth1 is unavailable, the router submits the request
to Auth2, then Auth3, and so on until an available server is found. If Auth5, the last
configured authentication server, is not available, the router attempts the next method
in the methods list. If the only method configured is RADIUS, then the router notifies
the client that the request has been denied.

Server Access

The router offers two options by which servers are accessed:

- Direct: The first authentication or accounting server that you configure is treated
  as the primary authentication or accounting server, the next server configured
  is the secondary, and so on.
- Round-robin: The first configured server is treated as a primary for the first
  request, the second server configured as primary for the second request, and so
  on. When the router reaches the end of the list of servers, it starts again at the
  top of the list until it comes full cycle through the list.

Use the radius algorithm command to specify the server access method.

When you configure the first RADIUS accounting server, a RADIUS Acct-On message
is sent. When you delete the last accounting server, a RADIUS Acct-Off message is
sent.
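
The failover and server access behavior described above, as an added Python model (not JUNOSe code and not part of the original guide). It shows which servers a request reaches and how long a client waits before failover or fallback. Assumptions: the class and function names, the 3-second timeout and 3 retries, and the reading of the retry limit as retransmissions after the first send.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    timeout: int = 3   # seconds waited per transmission (constructed value)
    retries: int = 3   # retransmissions after the first send (assumed semantics)
    up: bool = True

class RadiusClientModel:
    """Simplified model of the selection logic described above; not JUNOSe code."""

    def __init__(self, servers, algorithm="direct"):
        self.servers, self.algorithm = servers, algorithm
        self._primary = 0  # round-robin only: index of the next request's primary

    def _order(self):
        if self.algorithm == "direct":
            return list(self.servers)        # always start at the first server
        k = self._primary
        self._primary = (k + 1) % len(self.servers)
        return self.servers[k:] + self.servers[:k]   # start at k, wrap to the top

    def send(self, kind="authentication"):
        """Return (outcome, transmissions, seconds spent waiting on dead servers)."""
        sent, waited = [], 0
        for s in self._order():
            if s.up:
                return f"answered by {s.name}", sent + [s.name], waited
            tries = 1 + s.retries            # each unanswered send costs one timeout
            sent += [s.name] * tries
            waited += tries * s.timeout
        # Every configured server was tried without a response.
        outcome = "next method in list" if kind == "authentication" else "dropped"
        return outcome, sent, waited

def make_servers(down=()):
    """Auth1..Auth5 as in the example above; names in `down` do not respond."""
    return [Server(f"Auth{i}", up=f"Auth{i}" not in down) for i in range(1, 6)]

if __name__ == "__main__":
    direct = RadiusClientModel(make_servers(down={"Auth1", "Auth2"}))
    print(direct.send())                     # fails over to Auth3 after 24 s
    rr = RadiusClientModel(make_servers(), "round-robin")
    print([rr.send()[0] for _ in range(6)])  # primaries rotate, then wrap
    dead = RadiusClientModel(make_servers(down={f"Auth{i}" for i in range(1, 6)}))
    print(dead.send("accounting"))           # dropped after 60 s
```

With every server down, the model waits through each server's full timeout and retry budget before an authentication request falls through to the next method or an accounting record is dropped, which is the figure to size against client-side timeouts.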
