R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

| To do… | Use the command… | Remarks |
|---|---|---|
| Enable buffering of stop-accounting requests to which no responses are received | stop-accounting-buffer enable | Optional. Enabled by default |
| Set the maximum number of stop-accounting attempts | retry stop-accounting retry-times | Optional. 500 by default |
NOTE:
- The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.
- All servers for authentication/authorization and accounting, primary or secondary, must use IP addresses of the same IP version.
- If you delete an accounting server that is serving users, the device can no longer send real-time accounting requests and stop-accounting requests for the users to that server, or buffer the stop-accounting requests.
- You can specify a RADIUS accounting server as the primary accounting server for one scheme and as the secondary accounting server for another scheme at the same time.
- RADIUS does not support accounting for FTP users.
Specifying the shared keys for authenticating RADIUS packets
The RADIUS client and RADIUS server use the MD5 algorithm to encrypt packets exchanged between
them and use shared keys to authenticate the packets. They must use the same shared key for the same
type of packets.
A shared key configured in this task is for all servers of the same type (accounting or authentication) in
the scheme, and has a lower priority than a shared key configured individually for a RADIUS server.
Follow these steps to specify shared keys for authenticating RADIUS packets:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter RADIUS scheme view | radius scheme radius-scheme-name | |
| Specify a shared key for authenticating RADIUS authentication/authorization or accounting packets | key { accounting \| authentication } key | Required. No shared key by default |
NOTE:
A shared key configured on the device must be the same as that configured on the RADIUS server.
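
How the accounting and authentication shared keys enter the MD5 computations, as an added example that is not code from the HP guide: Python that builds an Accounting-Request authenticator (RFC 2866) and hides a User-Password (RFC 2865), then shows what a mismatched key does on the server side. The key strings, packet identifier and request authenticator bytes are constructed sample values.

```python
import hashlib, hmac, struct

ACCOUNTING_REQUEST = 4                      # RADIUS code (RFC 2866)
USER_NAME, ACCT_STATUS_TYPE = 1, 40         # attribute types

def attr(atype, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_accounting_request(ident, attrs, secret):
    """Authenticator = MD5(Code+ID+Length+16 zero octets+attributes+key)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def verify_accounting_request(packet, secret):
    """Server side: recompute with its own copy of the accounting key."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)

def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2) with the authentication key."""
    size = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """Reverse of hide_password; a wrong key yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    attrs = attr(USER_NAME, b"userid@isp-name") + attr(ACCT_STATUS_TYPE, struct.pack("!I", 2))
    pkt = build_accounting_request(7, attrs, b"sample-acct-key")
    print(verify_accounting_request(pkt, b"sample-acct-key"))   # same key
    print(verify_accounting_request(pkt, b"different-key"))     # mismatched key
    ra = bytes(range(16))
    hidden = hide_password(b"sample-pass", b"sample-auth-key", ra)
    print(unhide_password(hidden, b"sample-auth-key", ra), unhide_password(hidden, b"different-key", ra))
```

A mismatched accounting key makes the server's recomputed authenticator differ, so the request is rejected, while a mismatched authentication key silently decodes the password to the wrong bytes. The MD5 steps authenticate the packet and hide only the User-Password attribute; other attributes such as User-Name are sent in cleartext.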
Setting the username format and traffic statistics units
A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP
domain the user belongs to and is used by the device to determine which users belong to which ISP
domains. However, some earlier RADIUS servers cannot recognize usernames that contain an ISP
domain name. In this case, the device must remove the domain name of each username before sending
the username. You can set the username format on the device for this purpose.