R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101
142
checks the primary server (if any) first and then the secondary servers in the order they are
configured.
• When the primary server and secondary servers are all in the blocked state, the device
communicates with the primary server. If the primary server is available, its status changes to active;
otherwise, its status remains blocked.
• If one server is in the active state and all the others are in the blocked state, the device only tries to
communicate with the server in the active state, even if the server is unavailable.
• After receiving an authentication/accounting response from a server, the device changes the status
of the server identified by the source IP address of the response to active if the current status of the
server is blocked.
By default, the device sets the status of all RADIUS servers to active. In some cases, however, you may
need to change the status of a server. For example, if a server fails, you can change the status of the
server to blocked to avoid communication with the server.
Follow these steps to set the status of RADIUS servers in a RADIUS scheme:
To do…                                    Use the command…                                    Remarks
Enter system view                         system-view                                         —
Enter RADIUS scheme view                  radius scheme radius-scheme-name                    —
Set the status of the primary RADIUS      state primary authentication { active | block }     Optional. active for every server
authentication/authorization server                                                           specified in the RADIUS scheme by default
Set the status of the primary RADIUS      state primary accounting { active | block }         Optional. active for every server
accounting server                                                                             specified in the RADIUS scheme by default
Set the status of the secondary RADIUS    state secondary authentication { active | block }   Optional. active for every server
authentication/authorization server                                                           specified in the RADIUS scheme by default
Set the status of the secondary RADIUS    state secondary accounting { active | block }       Optional. active for every server
accounting server                                                                             specified in the RADIUS scheme by default
NOTE:
• The server status set by the state command cannot be saved to the configuration file. After the device
restarts, the status of each server is restored to active.
• To display the states of the servers, use the display radius scheme command.
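The server-status rules above, together with the restart behaviour in the note, as an added Python model that is not part of the HP guide. The IP addresses are constructed sample values, and the model assumes that blocked servers are skipped whenever at least one server in the scheme is active.

```python
# Added model of the RADIUS server status rules in this section (not HP code).
# IP addresses are constructed sample values.
from dataclasses import dataclass


@dataclass
class RadiusServer:
    ip: str
    role: str              # "primary" or "secondary"
    state: str = "active"  # "active" or "block"; every server starts active


class RadiusScheme:
    def __init__(self, servers):
        # Configuration order: the primary (if any) first, then secondaries.
        self.servers = list(servers)

    def set_state(self, ip, state):
        """Counterpart of 'state primary|secondary ... { active | block }'."""
        if state not in ("active", "block"):
            raise ValueError(state)
        for s in self.servers:
            if s.ip == ip:
                s.state = state

    def candidates(self):
        """Servers the NAS tries for a request, in the order it tries them."""
        active = [s for s in self.servers if s.state == "active"]
        if not active:
            # All servers blocked: the device contacts only the primary server.
            return [s for s in self.servers if s.role == "primary"][:1]
        # Assumption: blocked servers are skipped whenever at least one server
        # is active, so a lone active server is tried even if it is unreachable.
        return active

    def on_response(self, source_ip):
        """A response whose source IP matches a blocked server reactivates it."""
        for s in self.servers:
            if s.ip == source_ip and s.state == "block":
                s.state = "active"
                return True
        return False

    def restart(self):
        """The state command is not saved: a restart restores active."""
        for s in self.servers:
            s.state = "active"
```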
Specifying the source IP address for outgoing RADIUS packets
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS
configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a
RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of
any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
Usually, the source address of outgoing RADIUS packets can be the IP address of any interface of the
NAS that can communicate with the RADIUS server. In some special scenarios, however, you must
change the source IP address. For example, if a Network Address Translation (NAT) device is present
between the NAS and the RADIUS server, the source IP address of outgoing RADIUS packets must be a
public IP address of the NAS. If the NAS is configured with the Virtual Router Redundancy Protocol (VRRP)
for stateful failover, the source IP address of outgoing RADIUS packets can be the virtual IP address of the
VRRP group that the uplink belongs to.