R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101

To do…                                  Use the command…                                             Remarks
Specify the format of the username      user-name-format { keep-original | with-domain |             Optional. By default, the ISP domain
to be sent to a RADIUS server           without-domain }                                             name is included in the username.
Specify the unit for data flows or      data-flow-format { data { byte | giga-byte | kilo-byte |     Optional. The defaults are byte for
packets to be sent to a RADIUS server   mega-byte } | packet { giga-packet | kilo-packet |           data flows and one-packet for data
                                        mega-packet | one-packet } } *                               packets.
NOTE:
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the
RADIUS scheme to more than one ISP domain. Otherwise, users who have the same username but belong to
different ISP domains are presented to the RADIUS server under one identity and are treated as the same user.
For level switching authentication, the user-name-format keep-original and user-name-format
without-domain commands produce the same results: they ensure that usernames sent to the RADIUS
server carry no ISP domain name.
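The identity collision the note warns about can be checked offline. The following example is added here and is not HP or Comware code: it models the three `user-name-format` keywords as string transformations of the login name and reports which RADIUS User-Name values would be shared by more than one (user, ISP domain) pair when a scheme is bound to several domains. The `@` delimiter, the default-domain rule for logins typed without a domain, and the sample logins are assumptions of the example.

```python
"""Username formats a NAS can apply before sending User-Name to RADIUS.

Added example, not HP/Comware code.  It models the keep-original,
with-domain and without-domain keywords and shows why a scheme using
without-domain must not be shared by several ISP domains: distinct users
collapse onto one RADIUS identity.  Delimiter, default-domain rule and
sample logins are assumptions of this example.
"""
from __future__ import annotations

from collections import defaultdict

# Assumed delimiter between user and ISP domain in a login name ("user@domain").
DOMAIN_SEP = "@"


def split_user(login: str, default_domain: str) -> tuple[str, str]:
    """Return (pure username, ISP domain) for a login name.

    A login without an explicit domain is treated as belonging to
    ``default_domain`` (assumption for this example).
    """
    if DOMAIN_SEP in login:
        user, _, domain = login.rpartition(DOMAIN_SEP)
        return user, domain
    return login, default_domain


def radius_user_name(login: str, default_domain: str, fmt: str) -> str:
    """User-Name value the NAS would send under a given user-name-format."""
    user, domain = split_user(login, default_domain)
    if fmt == "keep-original":
        return login                       # exactly what the user typed
    if fmt == "with-domain":               # the default per the guide
        return f"{user}{DOMAIN_SEP}{domain}"
    if fmt == "without-domain":
        return user                        # ISP domain stripped
    raise ValueError(f"unknown user-name-format: {fmt}")


def find_collisions(logins: list[tuple[str, str]], fmt: str) -> dict[str, set[str]]:
    """Map each RADIUS User-Name to the distinct identities that produce it.

    ``logins`` holds (login_name, isp_domain_the_user_authenticated_in).
    Only User-Name values shared by two or more identities are returned.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for login, domain in logins:
        user, dom = split_user(login, domain)
        seen[radius_user_name(login, domain, fmt)].add(f"{user}{DOMAIN_SEP}{dom}")
    return {name: ids for name, ids in seen.items() if len(ids) > 1}


# Constructed sample: one RADIUS scheme applied to ISP domains isp1 and isp2.
SAMPLE_LOGINS = [
    ("alice@isp1", "isp1"),
    ("alice@isp2", "isp2"),   # a different person who shares the name
    ("bob", "isp1"),          # typed without a domain; lands in isp1
    ("bob", "isp2"),          # typed without a domain; lands in isp2
]


def main() -> None:
    for fmt in ("with-domain", "without-domain", "keep-original"):
        print(f"{fmt:16s} collisions: {find_collisions(SAMPLE_LOGINS, fmt)}")


if __name__ == "__main__":
    main()
```

Running it shows no collisions for with-domain, collisions for both alice and bob under without-domain, and a collision for bob alone under keep-original: keep-original only preserves the domain when the user actually typed it, so logins entered without a domain still collide across ISP domains.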
Enabling the RADIUS trap function
With the trap function enabled, the LB module sends a trap message when either of the following events occurs:
• The status of a RADIUS server changes. If the LB module receives no response to an authentication or
accounting request after sending it the configured maximum number of times, it considers the server
unreachable, sets the status of the server to block and sends a trap message. If the LB module later
receives a response from a server it considers unreachable, it considers the server reachable again, sets
the status of the server to active, and sends a trap message.
• The ratio of failed transmission attempts to total authentication request transmission attempts
reaches the threshold. This threshold ranges from 1% to 100% and defaults to 30%. It can only be
configured through the MIB.
The failure ratio is normally small. If a trap message is triggered because the failure ratio has reached
the threshold, troubleshoot the configuration on the LB module and on the RADIUS server, and the
communication path between them.
Follow these steps to enable the RADIUS trap function:
To do…                            Use the command…                                   Remarks
Enter system view                 system-view
Enable the RADIUS trap function   radius trap { accounting-server-down |             Required. Disabled by default.
                                  authentication-error-threshold |
                                  authentication-server-down }
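To make the two trigger conditions and the effect of the three `radius trap` keywords concrete, the following model is added here; it is not HP or Comware code. It tracks per-server status (active/block) from the response history, raises the `*-server-down` trap on each status change and the `authentication-error-threshold` trap when the failed/total ratio of authentication transmissions reaches the threshold, and only records traps whose keyword has been enabled. The maximum number of transmission attempts (3), the trap record format, the re-arming of the ratio trap once the ratio drops below the threshold, and the event sequence are assumptions of the example.

```python
"""Model of the LB module's RADIUS server-status tracking and trap triggers.

Added example, not HP/Comware code.  It follows the guide's description:
no response after the maximum number of transmission attempts sets the
server to block and raises a *-server-down trap; a later reply sets it back
to active and raises the trap again; the authentication-error-threshold
trap fires when failed/total authentication transmissions reach the
threshold (1..100 %, default 30 %).  Traps are recorded only for keywords
enabled with `radius trap`.  Retry limit (3), record format and the event
sequence in demo() are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

TRAP_KEYWORDS = {
    "accounting-server-down",
    "authentication-error-threshold",
    "authentication-server-down",
}


@dataclass
class RadiusServerState:
    role: str                      # "authentication" or "accounting"
    status: str = "active"         # "active" or "block"
    attempts: int = 0              # unanswered transmissions of the current request
    total_tx: int = 0              # all authentication transmissions (for the ratio)
    failed_tx: int = 0             # authentication transmissions with no response
    ratio_alarmed: bool = False    # threshold trap already raised for this run


@dataclass
class RadiusTrapMonitor:
    max_attempts: int = 3          # assumed per-request transmission limit
    threshold_pct: int = 30        # MIB-only threshold, default 30 %
    enabled_traps: set[str] = field(default_factory=set)
    servers: dict[str, RadiusServerState] = field(default_factory=dict)
    traps: list[str] = field(default_factory=list)

    def enable_trap(self, keyword: str) -> None:
        """Equivalent of `radius trap <keyword>` in system view."""
        if keyword not in TRAP_KEYWORDS:
            raise ValueError(f"unknown trap keyword: {keyword}")
        self.enabled_traps.add(keyword)

    def _trap(self, keyword: str, msg: str) -> None:
        """Record a trap only if its keyword has been enabled."""
        if keyword in self.enabled_traps:
            self.traps.append(f"{keyword}: {msg}")

    def _check_ratio(self, name: str, s: RadiusServerState) -> None:
        # Integer comparison of failed/total >= threshold/100 avoids float rounding.
        reached = s.failed_tx * 100 >= self.threshold_pct * s.total_tx
        if reached and not s.ratio_alarmed:
            s.ratio_alarmed = True
            self._trap("authentication-error-threshold",
                       f"{name} failure ratio {s.failed_tx}/{s.total_tx} reached "
                       f"{self.threshold_pct}%")
        elif not reached:
            s.ratio_alarmed = False   # re-arm once below the threshold (assumption)

    def transmit(self, name: str, answered: bool) -> str:
        """Record one transmission attempt to server `name`; return its new status."""
        s = self.servers[name]
        if s.role == "authentication":
            s.total_tx += 1
            if not answered:
                s.failed_tx += 1
        if answered:
            s.attempts = 0
            if s.status == "block":          # reachable again
                s.status = "active"
                self._trap(f"{s.role}-server-down", f"{name} reachable again, set to active")
        else:
            s.attempts += 1
            if s.attempts >= self.max_attempts and s.status == "active":
                s.status = "block"
                s.attempts = 0
                self._trap(f"{s.role}-server-down",
                           f"{name} no response after {self.max_attempts} attempts, set to block")
        if s.role == "authentication":
            self._check_ratio(name, s)
        return s.status


def demo() -> RadiusTrapMonitor:
    """Constructed scenario: only the two authentication traps are enabled."""
    mon = RadiusTrapMonitor()
    for kw in ("authentication-server-down", "authentication-error-threshold"):
        mon.enable_trap(kw)
    mon.servers["auth1"] = RadiusServerState(role="authentication")
    mon.servers["acct1"] = RadiusServerState(role="accounting")
    for _ in range(7):                      # 7 answered requests
        mon.transmit("auth1", answered=True)
    for _ in range(3):                      # 3 silent ones: block + ratio hits 3/10
        mon.transmit("auth1", answered=False)
    mon.transmit("auth1", answered=True)    # reply: back to active, ratio 3/11
    for _ in range(3):                      # accounting server goes silent too,
        mon.transmit("acct1", answered=False)  # but its trap keyword is not enabled
    return mon


if __name__ == "__main__":
    for line in demo().traps:
        print(line)
```

In the scenario the third unanswered transmission both blocks the server and pushes the failure ratio to exactly 30%, so two traps are raised on the same event; the accounting server is blocked as well but, because `accounting-server-down` was not enabled, nothing is sent for it.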
Specifying the source IP address for outgoing RADIUS packets
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS
configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a
RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of
any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.