R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101
To do…                             Use the command…                        Remarks
Set the maximum number of          retry realtime-accounting retry-times   Optional
accounting request transmission                                            5 by default
attempts
NOTE:
• The IP addresses of the primary and secondary accounting servers must be different from each other.
Otherwise, the configuration fails.
• All servers for authentication/authorization and accounting, primary or secondary, must use IP
addresses of the same IP version.
• You can specify a RADIUS accounting server as the primary accounting server for one scheme and as
the secondary accounting server for another scheme at the same time.
• RADIUS does not support accounting for FTP users.
Setting the shared key for RADIUS packets
The RADIUS client and RADIUS server use the MD5 algorithm to encrypt packets exchanged between
them and use shared keys to authenticate the packets. They must use the same shared key for the same
type of packets.
A shared key configured in this task is for all servers of the same type (accounting or authentication) in
the scheme, and has a lower priority than a shared key configured individually for a RADIUS server.
Follow these steps to set the shared key for RADIUS packets:
To do…                             Use the command…                             Remarks
Enter system view                  system-view                                  —
Enter RADIUS scheme view           radius scheme radius-scheme-name             —
Set the shared key for RADIUS      key { accounting | authentication } string   Required
authentication/authorization or                                                 No key by default
accounting packets
NOTE:
A shared key configured on the LB module must be the same as that configured on the RADIUS server.
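How the shared key authenticates packets, as an added example that is not from this guide or from the LB module's software: it follows the authenticator calculations in RFC 2865 (responses) and RFC 2866 (accounting requests) and shows verification failing when the two ends hold different keys. The function names, keys and attribute values are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4  # RADIUS packet codes

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length, Value

def _build(code, ident, auth_input, attrs, key):
    # Authenticator = MD5(Code + ID + Length + 16-octet field + Attributes + key)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + auth_input + attrs + key).digest()
    return header + auth + attrs

def _verify(packet, auth_input, key):
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + auth_input + packet[20:] + key).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_accounting_request(ident, attrs, accounting_key):
    """RFC 2866: the 16-octet field is all zeros when hashing."""
    return _build(ACCOUNTING_REQUEST, ident, bytes(16), attrs, accounting_key)

def verify_accounting_request(packet, accounting_key):
    return packet[:1] == bytes([ACCOUNTING_REQUEST]) and _verify(packet, bytes(16), accounting_key)

def build_response(code, ident, request_auth, attrs, authentication_key):
    """RFC 2865: the 16-octet field is the Request Authenticator."""
    return _build(code, ident, request_auth, attrs, authentication_key)

def verify_response(packet, request_auth, authentication_key):
    return _verify(packet, request_auth, authentication_key)

if __name__ == "__main__":
    # Constructed sample keys and attributes, not values from the guide.
    auth_key, acct_key = b"auth-key-example", b"acct-key-example"
    req_auth = os.urandom(16)
    reply = build_response(ACCESS_ACCEPT, 7, req_auth, attr(18, b"ok"), auth_key)
    print("reply, matching key:", verify_response(reply, req_auth, auth_key))
    print("reply, other key:", verify_response(reply, req_auth, acct_key))
    acct = build_accounting_request(8, attr(40, struct.pack("!I", 1)), acct_key)
    print("accounting, matching key:", verify_accounting_request(acct, acct_key))
    print("accounting, other key:", verify_accounting_request(acct, auth_key))
```

A receiver that computes a different digest discards the packet silently, so a key mismatch shows up on the sender as a response timeout rather than as an explicit error.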
Setting the maximum number of RADIUS request transmission attempts
Because RADIUS uses UDP packets to carry data, the communication process is not reliable. If a NAS
receives no response from the RADIUS server before the response timeout timer expires, it
retransmits the RADIUS request. If the number of transmission attempts exceeds the specified limit and the
NAS still receives no response, it considers the authentication to have failed.
Follow these steps to set the maximum number of RADIUS request retransmission attempts:
To do…                     Use the command…                   Remarks
Enter system view          system-view                        —
Enter RADIUS scheme view   radius scheme radius-scheme-name   —