R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101

Item    Description
Unit for Packets
Specify the unit for data packets sent to the RADIUS server:
One-packet
Kilo-packet
Mega-packet
Giga-packet
IMPORTANT:
The units specified on the NAS must be consistent with those configured on the
RADIUS server. Otherwise, accounting might be wrong.
VPN
Specify the VPN to which the RADIUS scheme belongs.
This setting applies to all RADIUS authentication servers and accounting servers
configured in the RADIUS scheme, but a VPN specified individually for a RADIUS
authentication or accounting server takes priority.
Security Policy Server
Specify the IP address of the security policy server.
RADIUS Packet Source IP
Specify the source IP address for the firewall to use in RADIUS packets sent to the
RADIUS server.
IMPORTANT:
Specifying this source IP address can make sure that the response packets from
the server can reach the firewall if the physical interface is down. HP
recommends that you use a loopback interface address.
This source IP address and the RADIUS server IP address specified in the RADIUS
scheme must be of the same version. Otherwise, the configuration cannot take
effect.
RADIUS Packet Backup Source IP
Specify the backup source IP address for the firewall to use in RADIUS packets sent
to the RADIUS server.
In a stateful failover environment, the backup source IP address must be the source
IP address for the remote firewall to use in RADIUS packets sent to the RADIUS
server.
Configuring the backup source IP address in a stateful failover environment makes
sure that the backup server can receive the RADIUS packets sent from the RADIUS
server when the master firewall fails.
Buffer stop-accounting packets
Enable or disable buffering of stop-accounting requests for which no responses are
received.
Stop-Accounting Attempts
Set the maximum number of stop-accounting attempts.
The maximum number of stop-accounting attempts, together with some other
parameters, controls how the NAS deals with stop-accounting request packets.
Suppose that the RADIUS server response timeout period is three seconds, the
maximum number of transmission attempts is five, and the maximum number of
stop-accounting attempts is 20. For each stop-accounting request, if the firewall
receives no response within three seconds, it retransmits the request. If it receives no
responses after retransmitting the request five times, it considers the stop-accounting
attempt a failure, buffers the request, and makes another stop-accounting attempt.
If 20 consecutive attempts fail, the firewall discards the request.
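
The following Python model is an added example, not part of this guide or of the firewall software. It replays the retransmission behavior described for Stop-Accounting Attempts to show how long the RADIUS accounting server can be unreachable before a stop-accounting record is discarded. It assumes five transmissions per attempt, no delay between attempts, and that with buffering disabled the request is dropped after the first failed attempt.

```python
from collections import namedtuple

# delivered: server acknowledged; elapsed_s: seconds until ack or discard;
# transmissions: packets sent; attempts: stop-accounting attempts used.
Outcome = namedtuple("Outcome", "delivered elapsed_s transmissions attempts")


def stop_accounting(outage_s, timeout_s=3, max_tx=5, max_attempts=20,
                    buffering=True):
    """Model one stop-accounting request first sent at t=0 to a RADIUS server
    that is unreachable until t=outage_s and then answers immediately."""
    t = tx = attempt = 0
    while attempt < max_attempts:
        attempt += 1
        for _ in range(max_tx):          # assumption: max_tx sends per attempt
            tx += 1
            if t >= outage_s:            # server is back: request acknowledged
                return Outcome(True, t, tx, attempt)
            t += timeout_s               # no response within the timeout
        if not buffering:                # assumption: unbuffered request is
            break                        # dropped after one failed attempt
    return Outcome(False, t, tx, attempt)  # discarded: accounting record lost


def max_survivable_outage(timeout_s=3, max_tx=5, max_attempts=20):
    """Longest outage (seconds) after which the last transmission still lands."""
    return (max_tx * max_attempts - 1) * timeout_s


if __name__ == "__main__":
    for outage in (0, 14, 297, 298):     # constructed outage lengths
        print(outage, stop_accounting(outage))
    print("unbuffered:", stop_accounting(14, buffering=False))
```

Under these assumptions and the values in the example above, an unanswered request is discarded 300 seconds after its first transmission.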