To specify RADIUS authentication/authorization servers for a RADIUS scheme:
Step
1.
Enter system view.
2.
Enter RADIUS scheme view.
3.
Specify RADIUS
authentication/authorization
servers.
Specifying the RADIUS accounting servers and the relevant parameters
You can specify one primary accounting server and up to 16 secondary accounting servers for a RADIUS
scheme. When the primary server is not available, a secondary server is used. When redundancy is not
required, specify only the primary server. A RADIUS accounting server can function as the primary
accounting server for one scheme and a secondary accounting server for another scheme at the same
time.
When the device receives a connection teardown request from a host or a connection teardown
command from an administrator, it sends a stop-accounting request to the accounting server. By setting
the maximum number of real-time accounting attempts for a scheme, the device disconnects users when
no accounting response is received before the number of attempts reaches the limit. You can enable
buffering of non-responded stop-accounting requests to allow the device to buffer and resend a
stop-accounting request until it receives a response. If the number of stop-accounting attempts reaches the
upper limit, the device discards the buffered request.
Follow these guidelines when you specify RADIUS accounting servers:
The IP addresses of the primary and secondary accounting servers must be different from each other.
•
Otherwise, the configuration fails.
All servers for authentication/authorization and accounting, primary or secondary, must use IP
•
addresses of the same IP version.
If you delete an accounting server that is serving users, the device can no longer send real-time
•
accounting requests and stop-accounting requests for the users to that server or buffer the
stop-accounting requests.
•
RADIUS does not support accounting for FTP users.
To specify RADIUS accounting servers and set relevant parameters for a scheme:
Step
1.
Enter system view.
Command
system-view
radius scheme radius-scheme-name
•
Specify the primary RADIUS
authentication/authorization server:
primary authentication { ip-address
| ipv6 ipv6-address } [ port-number
| key [ cipher | simple ] key | probe
username name [ interval interval ]
| vpn-instance vpn-instance-name ]
*
•
Specify a secondary RADIUS
authentication/authorization server:
secondary authentication
{ ip-address | ipv6 ipv6-address }
[ port-number | key [ cipher |
simple ] key | probe username
name [ interval interval ] |
vpn-instance vpn-instance-name ] *
Command
system-view
22
Remarks
N/A
N/A
Configure at least one
command.
No
authentication/authorization
server is specified by default.
Remarks
N/A