F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Configuration Guide-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

221

222

223

224

225

226

227

228

229

230

216

provides functions such as user management, security policy management, security status assessment,

security cooperation control, and security event audit.

The NAS checks the validity of received control packets and accepts only control packets from known

servers. To use a security policy server that is independent of the AAA servers, you must configure the IP

address of the security policy server on the NAS. To implement all EAD functions, configure both the IP

address of the security policy server and the IP address of the IMC Platform on the NAS.

To configure the IP address of the security policy server for a scheme:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter RADIUS scheme view.

radius scheme

radius-scheme-name

N/A

3. Specify a security policy

server.

security-policy-server ip-address

No security policy server is

specified by default.

You can specify up to eight security

policy servers for a RADIUS scheme.

442BConfiguring interpretation of the RADIUS class attribute as CAR parameters

This task is required when the RADIUS server supports assigning CAR parameters through the class

attribute.

According to RFC 2865, a RADIUS server assigns the RADIUS class attribute (attribute 25) to a RADIUS

client. However, the RFC only requires the RADIUS client to send the attribute to the accounting server on

an "as is" basis. It does not require the RADIUS client to interpret the attribute. When RADIUS servers use

the class attribute to deliver the assigned CAR parameters, the device must interpret the attribute as the

CAR parameters to implement user-based traffic monitoring and controlling.

To configure the device to interpret the RADIUS class attribute as CAR parameters:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter RADIUS scheme view.

radius scheme

radius-scheme-name

N/A

3. Interpret the class attribute as

CAR parameters.

attribute 25 car

By default, RADIUS attribute 25 is not

interpreted as CAR parameters.

443BEnabling the trap function for RADIUS

With the trap function, the NAS sends a trap message when either of the following events occurs:

• The status of a RADIUS server changes. If the NAS receives no response to an accounting or

authentication request before the specified maximum number of RADIUS request transmission

attempts is exceeded, it considers the server unreachable, sets the status of the server to block and

sends a trap message. If the NAS receives a response from a RADIUS server that it considers

unreachable, the NAS considers that the RADIUS server is reachable again, sets the status of the

server to active, and sends a trap message.

• The ratio of the number of failed transmission attempts to the total number of authentication request

transmission attempts reaches the threshold. This threshold ranges from 1% to 100% and defaults to

30%. This threshold can only be configured through the MIB.