R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

151

152

153

154

155

156

157

158

159

160

146

To do… Use the command…

Remarks

Interpret the class attribute as CAR

parameters

attribute 25 car

Required

Be default, RADIUS attribute 25 is not

interpreted as CAR parameters.

NOTE:

hether interpretation of the RADIUS class attribute as CAR parameters is supported depends on two

factors:

• Whether the device supports CAR parameters assignment.

• Whether the RADIUS server supports assigning CAR parameters through the class attribute.

Enabling the trap function for RADIUS

With the trap function, a NAS sends a trap message when either of the following events occurs:

• The status of a RADIUS server changes. If a NAS receives no response to an accounting or

authentication request before the specified maximum number of RADIUS request transmission

attempts is exceeded, it considers the server unreachable, sets the status of the server to block and

sends a trap message. If the NAS receives a response from a RADIUS server that it considers

unreachable, the NAS considers that the RADIUS server is reachable again, sets the status of the

server to active, and sends a trap message.

• The ratio of the number of failed transmission attempts to the total number of authentication request

transmission attempts reaches the threshold. This threshold ranges from 1% to 100% and defaults to

30%. This threshold can only be configured through the MIB.

The failure ratio is generally small. If a trap message is triggered because the failure ratio is higher than

the threshold, troubleshoot the configuration on and the communication between the NAS and the

RADIUS server.

Follow these steps to enable the trap function for RADIUS:

To do… Use the command…

Remarks

Enter system view system-view —

Enable the trap function for

RADIUS

radius trap { accounting-server-down |

authentication-server-down }

Required

Disabled by default

Enabling the RADIUS listening port of the RADIUS client

Only after you enable the RADIUS listening port of a RADIUS client, can the client receive and send

RADIUS packets. If RADIUS is not required, disable the RADIUS listening port to avoid attacks that exploit

RADIUS packets.

Follow these steps to enable the RADIUS listening port of a RADIUS client:

To do… Use the command…

Remarks

Enter system view system-view —

Enable the RADIUS listening port of

a RADIUS client

radius client enable

Optional

Enabled by default