R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101

the authentication or accounting process. If no server is found reachable during one search process,
the firewall considers the authentication or accounting attempt a failure.

Once the accounting process of a user starts, the firewall keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests for the user are no longer delivered to the server.

If you remove an authentication or accounting server in use, the communication of the firewall with the server soon times out, and the firewall looks for a server in active state from scratch by checking any primary server first and then the secondary servers in the order they are configured.

When the primary server and secondary servers are all in blocked state, the firewall communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.

If one server is in active state and all the others are in blocked state, the firewall only tries to communicate with the server in active state, even if the server is unavailable.

After receiving an authentication/accounting response from a server, the firewall changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked.

By default, the firewall sets the status of all RADIUS servers to active. In some cases, however, you can
change the status of a server. For example, if a server fails, you can change the status of the server to
blocked to avoid communication with the server.
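
The selection rules described above, modelled as an added Python example (not HP's code and not part of the original guide). The names Server, attempt and scheme, the server names, and the reachable sets are constructed for illustration; the model leaves the status of a server that does not answer unchanged, because that handling is not described in this excerpt.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    active: bool = True  # every configured server defaults to active

def attempt(servers, reachable):
    """Model one authentication/accounting search.

    servers:   primary first, then secondaries in configured order.
    reachable: names of servers that would answer (constructed input).
    Returns (answering server name or None, names tried in order).
    Assumption: an unanswered server keeps its status in this model.
    """
    active = [s for s in servers if s.active]
    # All blocked: the firewall still tries the primary, and only the primary.
    # Otherwise it searches active servers only, so a lone active server is
    # the only one tried even when it is unavailable.
    candidates = active if active else [servers[0]]
    tried = []
    for s in candidates:
        tried.append(s.name)
        if s.name in reachable:
            s.active = True  # a response moves a blocked server to active
            return s.name, tried
    return None, tried  # nothing reachable in this search: attempt fails

def scheme(blocked=()):
    """Constructed scheme: one primary and two secondaries."""
    return [Server(n, n not in blocked) for n in ("pri", "sec1", "sec2")]

if __name__ == "__main__":
    # Default statuses, primary down: falls through to the first secondary.
    print(attempt(scheme(), {"sec1", "sec2"}))
    # Manual blocks left in place: healthy primary is never tried, attempt fails.
    print(attempt(scheme(blocked=("pri", "sec1")), {"pri", "sec1"}))
    # Everything blocked: only the primary is probed, and it recovers.
    print(attempt(scheme(blocked=("pri", "sec1", "sec2")), {"pri"}))
    # Everything blocked and primary down: fails though sec1 would answer.
    print(attempt(scheme(blocked=("pri", "sec1", "sec2")), {"sec1"}))
```
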
To set the status of RADIUS servers in a RADIUS scheme:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter RADIUS scheme view.
    Command: radius scheme radius-scheme-name
    Remarks: N/A

Step 3. Set the RADIUS server status.
    Commands:
        Set the status of the primary RADIUS authentication/authorization server:
            state primary authentication { active | block }
        Set the status of the primary RADIUS accounting server:
            state primary accounting { active | block }
        Set the status of a secondary RADIUS authentication/authorization server:
            state secondary authentication [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
        Set the status of a secondary RADIUS accounting server:
            state secondary accounting [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
    Remarks: Optional. The default status is active for every server specified in the RADIUS scheme.

NOTE:
The server status set by the state command cannot be saved to the configuration file. After the firewall
restarts, the status of each server is restored to active.
To display the states of the servers, use the display radius scheme command.