R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

181

182

183

184

185

186

187

188

189

190

183

Follow these guidelines when you configure RADIUS accounting servers:

• The IP addresses of the primary and secondary accounting servers must be different from each other.

Otherwise, the configuration fails.

• All servers for authentication/authorization and accountings, primary or secondary, must use IP

addresses of the same IP version.

• If you delete an accounting server that is serving users, the firewall can no longer send real-time

accounting requests and stop-accounting requests for the users to that server, or buffer the

stop-accounting requests.

• You can specify a RADIUS accounting server as the primary accounting server for one scheme and

simultaneously as a secondary accounting server for another scheme.

• RADIUS does not support accounting for FTP users.

To specify RADIUS accounting servers and set relevant parameters for a scheme:

Step Command Remarks

1. Enter system view.

system-view N/A

2. Enter RADIUS scheme

view.

radius scheme radius-scheme-name N/A

3. Specify RADIUS

accounting servers.

• Specify the primary RADIUS accounting

server:

primary accounting { ip-address | ipv6

ipv6-address } [ port-number | key [ cipher |

simple ] key | vpn-instance

vpn-instance-name ] *

• Specify a secondary RADIUS accounting

server:

secondary accounting { ip-address | ipv6

ipv6-address } [ port-number | key [ cipher |

simple ] key | vpn-instance

vpn-instance-name ] *

Configure at least one

command.

No accounting server is

specified by default.

In FIPS mode, the firewall

supports only ciphertext

shared keys of at least 8

characters that must

contain uppercase

letters, lowercase letters,

digits, and special

characters.

4. Set the maximum number

of real-time accounting

attempts.

retry realtime-accounting retry-times

Optional.

The default setting is 5.

5. Enable buffering of

stop-accounting requests to

which no responses are

received.

stop-accounting-buffer enable

Optional.

Enabled by default.

6. Set the maximum number

of stop-accounting

attempts.

retry stop-accounting retry-times

Optional.

The default setting is

500.

Specifying the shared keys for authenticating RADIUS packets

The RADIUS client and RADIUS server use the MD5 algorithm to encrypt packets exchanged between

them and use shared keys to authenticate the packets. They must use the same shared key for the same

type of packets.

A shared key configured in this task is for all servers of the same type (accounting or authentication) in

the scheme, and has a lower priority than a shared key configured individually for a RADIUS server.

To specify shared keys for authenticating RADIUS packets: