R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101

Item Description
Username Format
Select the format of usernames to be sent to the RADIUS server.
A username is generally in the format of userid@isp-name, of which isp-name is
used by the firewall to determine the ISP domain to which a user belongs. If a
RADIUS server (such as a RADIUS server of some early version) does not accept a
username that contains an ISP domain name, you can configure the firewall to
remove the domain name of a username before sending it to the RADIUS server.
The username format options include:
Original format—Specifies to send the username of a user on an "as is" basis.
With domain name—Specifies to include the domain name in a username to be
sent to the RADIUS server.
Without domain name—Specifies to remove any domain name of a username
that is sent to the RADIUS server.
Authentication Key
Set the shared key for RADIUS authentication packets and that for RADIUS
accounting packets.
The RADIUS client and the RADIUS authentication/accounting server use MD5 to
encrypt RADIUS packets, and they verify the validity of packets through the
specified shared key. The client and the server receive and respond to packets from
each other only when they use the same shared key.
IMPORTANT:
The shared keys configured on the firewall must be consistent with those
configured on the RADIUS servers.
The shared keys configured in the common configuration part are used only
when no corresponding shared keys are configured in the RADIUS server
configuration part.
Confirm Authentication Key
Accounting Key
Confirm Accounting Key
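How the shared key enters the MD5 computations that RFC 2865 defines (hiding the User-Password attribute and authenticating the server's reply), as an added example that is not from this guide. The key values, packet contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, key: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865, section 5.2), done by the client."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(key + prev).digest())
        out += prev          # each hidden block keys the next mask
    return out

def reveal_password(hidden: bytes, key: bytes, req_auth: bytes) -> bytes:
    """Inverse operation, done by the server with its own copy of the key."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(key + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_response(code: int, ident: int, attrs: bytes, req_auth: bytes, key: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + key)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + key).digest() + attrs

def verify_response(packet: bytes, req_auth: bytes, key: bytes) -> bool:
    """Client side: recompute the digest with the local key; drop on mismatch."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + key).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values, not taken from the guide.
FIREWALL_KEY = b"constructed-shared-key"
REQ_AUTH = bytes(range(16))              # a real client uses 16 random bytes
PASSWORD = b"constructed-long-password"  # longer than 16 bytes: two blocks
REPLY_MSG = bytes([18, 2 + 7]) + b"welcome"   # Reply-Message attribute (type 18)

def demo(server_key: bytes):
    hidden = hide_password(PASSWORD, FIREWALL_KEY, REQ_AUTH)
    recovered = reveal_password(hidden, server_key, REQ_AUTH)
    accept = build_response(2, 1, REPLY_MSG, REQ_AUTH, server_key)  # 2 = Access-Accept
    return recovered == PASSWORD, verify_response(accept, REQ_AUTH, FIREWALL_KEY)

if __name__ == "__main__":
    print("matching:", demo(FIREWALL_KEY), "mismatched:", demo(b"some-other-key"))
```

With mismatched keys the server recovers a garbled password and the firewall rejects the server's reply, which is why both sides must be configured with the same key.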
Quiet Time
Set the time the firewall keeps an unreachable RADIUS server in blocked state.
If you set the quiet time to 0, when the firewall attempts to send an authentication or
accounting request but finds that the current server is unreachable, it does not
change the server's status that it maintains. It simply sends the request to the next
server in active state. As a result, when the firewall attempts to send a request of the
same type for another user, it still tries to send the request to the server because the
server is in active state.
You can use this parameter to control whether the firewall changes the status of an
unreachable server. For example, if you determine that the primary server is
unreachable because the firewall's port for connecting to the server is out of service
temporarily or the server is busy, you can set the time to 0 so that the firewall uses
the primary server as much.