HP 12500 Series Configuration Manual page 40

Setting the status of RADIUS servers
By setting the status of RADIUS servers to blocked or active, you can control which servers the switch
communicates with for authentication, authorization, and accounting, and which servers it turns to when
the current servers are no longer available. In practice, you can specify one primary RADIUS server and
multiple secondary RADIUS servers, with the secondary servers acting as backups for the primary server.
Generally, the switch chooses servers based on these rules:
• When the primary server is in active state, the switch communicates with the primary server. If the
  primary server fails, the switch changes the server's status to blocked and starts a quiet timer for the
  server, and then turns to a secondary server in active state (a secondary server configured earlier
  has a higher priority). If the secondary server is unreachable, the switch changes the server's status
  to blocked, starts a quiet timer for the server, and continues to check the next secondary server in
  active state. This search process continues until the switch finds an available secondary server or
  has checked all secondary servers in active state. If the quiet timer of a server expires or an
  authentication or accounting response is received from the server, the status of the server changes
  back to active automatically, but the switch does not check the server again during the
  authentication or accounting process. If no server is found reachable during one search process,
  the switch considers the authentication or accounting attempt a failure.
• Once the accounting process of a user starts, the switch keeps sending the user's real-time
  accounting requests and stop-accounting requests to the same accounting server. If you remove the
  accounting server, real-time accounting requests and stop-accounting requests for the user can no
  longer be delivered to the server.
• If you remove an authentication or accounting server in use, the communication of the switch with
  the server will soon time out, and the switch will look for a server in active state from scratch: it
  checks the primary server first and then the secondary servers in the order they are configured.
• When the primary server and secondary servers are all in blocked state, the switch communicates
  with the primary server. If the primary server is available, its status changes to active; otherwise, its
  status remains blocked.
• If one server is in active state and all the others are in blocked state, the switch only tries to
  communicate with the server in active state, even if the server is unavailable.
• After receiving an authentication/accounting response from a server, the switch changes the status
  of the server identified by the source IP address of the response to active if the current status of the
  server is blocked.
By default, the switch sets the status of all RADIUS servers to active. In some cases, however, you may
need to change the status of a server. For example, if a server fails, you can change the status of the
server to blocked to avoid communication with the server.
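The selection rules listed above can be traced with a small model. This is an added example, not code from the manual or the switch software; the server names and the 300-second quiet timer are constructed values, and it assumes that a server in active state which fails to answer is blocked as the first rule describes.

```python
from dataclasses import dataclass

QUIET_SECONDS = 300  # constructed value; the page does not give the timer length

@dataclass
class Server:
    name: str
    state: str = "active"    # "active" or "blocked"
    unblock_at: float = 0.0  # time at which the quiet timer expires

class RadiusScheme:
    """servers[0] is the primary; the rest are secondaries in configured order."""

    def __init__(self, names):
        self.servers = [Server(n) for n in names]

    def on_response(self, name):
        # A response from a blocked server returns it to active.
        for srv in self.servers:
            if srv.name == name:
                srv.state = "active"

    def select(self, now, reachable):
        """Run one search process; return the server used, or None on failure."""
        for srv in self.servers:  # quiet timers that expired before this search
            if srv.state == "blocked" and now >= srv.unblock_at:
                srv.state = "active"
        candidates = [s for s in self.servers if s.state == "active"]
        if not candidates:  # all blocked: only the primary is tried
            primary = self.servers[0]
            if primary.name in reachable:
                primary.state = "active"
                return primary.name
            return None
        for srv in candidates:  # each active server is tried once, in order
            if srv.name in reachable:
                return srv.name
            srv.state, srv.unblock_at = "blocked", now + QUIET_SECONDS
        return None

def demo():
    scheme = RadiusScheme(["primary", "sec1", "sec2"])  # constructed names
    return [
        scheme.select(0, {"sec2"}),      # primary and sec1 get blocked
        scheme.select(10, {"primary"}),  # only sec2 is active and it is down
        scheme.select(20, {"primary"}),  # all blocked, so the primary is tried
    ]
```

The second call in `demo()` fails even though the primary is reachable again, because the primary is still in blocked state and only servers in active state are tried; this is the case where setting server status manually matters for keeping authentication available.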
To set the status of RADIUS servers in a RADIUS scheme:

Step                            Command                             Remarks
1. Enter system view.           system-view                         N/A
2. Enter RADIUS scheme view.    radius scheme radius-scheme-name    N/A
