R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101
188
You can specify a source IP address for outgoing RADIUS packets in RADIUS scheme view for a specific
RADIUS scheme, or in system view for all RADIUS schemes whose servers are in a VPN or the public
network. Before sending a RADIUS packet, a NAS selects a source IP address in this order:
• The source IP address specified for the RADIUS scheme.
• The source IP address specified in system view for the VPN or public network, depending on where
the RADIUS server resides.
• The IP address of the outbound interface specified by the route.
To specify a source IP address for all RADIUS schemes in a VPN or the public network:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Specify a source IP address for outgoing RADIUS packets.
  Command: radius nas-ip { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
  Remarks: By default, the IP address of the outbound interface is used as the source IP address.
To specify a source IP address for a specific RADIUS scheme:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: N/A
Step 3. Specify a source IP address for outgoing RADIUS packets.
  Command: nas-ip { ip-address | ipv6 ipv6-address }
  Remarks: By default, the IP address of the outbound interface is used as the source IP address.
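The selection order above matters because a RADIUS server identifies its NAS clients by the source IP address of the packet and binds the shared secret to that address; a packet sent from an address the server has not been configured with is silently discarded. The following is an added example, not text or code from the guide, that models the three-step precedence (scheme-view nas-ip, then system-view radius nas-ip keyed by the VPN the server resides in, then the outbound interface chosen by the route) and checks the chosen address against the server's client list. The class and field names and all addresses are constructed for illustration and are not Comware identifiers.

```python
# Added example: model of the NAS source-IP precedence described in the guide.
# Names (RadiusScheme, Nas, select_source_ip, server_will_accept) are assumptions
# made for this illustration, not commands or objects of the firewall.
from dataclasses import dataclass, field
from typing import Optional

PUBLIC = None  # key used for the public network (no vpn-instance given)


@dataclass
class RadiusScheme:
    name: str
    server_ip: str
    server_vpn: Optional[str] = PUBLIC   # VPN instance the scheme's servers reside in
    nas_ip: Optional[str] = None         # scheme-view "nas-ip", if configured


@dataclass
class Nas:
    # system-view "radius nas-ip [ vpn-instance ... ]", keyed by VPN name (None = public)
    system_nas_ip: dict = field(default_factory=dict)
    # (vpn, server address) -> address of the outbound interface the route selects
    routes: dict = field(default_factory=dict)

    def select_source_ip(self, scheme: RadiusScheme):
        """Return (source_ip, origin) following the guide's precedence order."""
        if scheme.nas_ip:                                   # 1. scheme-view setting wins
            return scheme.nas_ip, "scheme"
        sys_ip = self.system_nas_ip.get(scheme.server_vpn)  # 2. system-view, per VPN/public
        if sys_ip:
            return sys_ip, "system"
        # 3. fall back to the outbound interface of the route to the server
        return self.routes[(scheme.server_vpn, scheme.server_ip)], "outbound-interface"


def server_will_accept(source_ip: str, server_clients: set) -> bool:
    """A RADIUS server only accepts packets from configured client addresses;
    a mismatch here is the usual cause of 'unknown client' drops after a
    nas-ip change."""
    return source_ip in server_clients


# Constructed sample setup (addresses are illustrative, not from the guide)
nas = Nas(
    system_nas_ip={PUBLIC: "10.0.0.1", "vpn-corp": "192.168.10.1"},
    routes={(PUBLIC, "10.1.1.10"): "10.2.2.2",
            ("vpn-corp", "172.16.5.5"): "192.168.99.9"},
)
scheme_a = RadiusScheme("a", "10.1.1.10", PUBLIC, nas_ip="10.0.0.5")   # scheme-view nas-ip set
scheme_b = RadiusScheme("b", "172.16.5.5", "vpn-corp")                 # relies on system view
nas_no_sys = Nas(routes=nas.routes)                                    # nothing configured at all

if __name__ == "__main__":
    for n, s in ((nas, scheme_a), (nas, scheme_b), (nas_no_sys, scheme_b)):
        ip, origin = n.select_source_ip(s)
        print(f"scheme {s.name}: source {ip} (from {origin}), "
              f"accepted={server_will_accept(ip, {'10.0.0.5', '192.168.10.1'})}")
```

Run the module directly to see which rule picked the address for each scheme; the `accepted` flag shows the check to make on the server side whenever `nas-ip` or `radius nas-ip` is changed.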
Setting timers for controlling communication with RADIUS servers
The firewall uses the following types of timers to control the communication with a RADIUS server:
• Server response timeout timer (response-timeout)—Defines the RADIUS request retransmission
interval. After sending a RADIUS request (authentication/authorization or accounting request), the
firewall starts this timer. If the firewall receives no response from the RADIUS server before this timer
expires, it resends the request.
• Server quiet timer (quiet)—Defines the duration to keep an unreachable server in blocked state. If
a server is not reachable, the firewall changes the server status to blocked, starts this timer for the
server, and tries to communicate with another server in active state. After this timer expires, the
firewall changes the status of the server back to active.
• Real-time accounting timer (realtime-accounting)—Defines the interval at which the firewall sends
real-time accounting packets to the RADIUS accounting server for online users. To implement
real-time accounting, the firewall must periodically send real-time accounting packets to the
accounting server for online users.
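The guideline in this section that the maximum number of transmission attempts multiplied by the server response timeout must stay below the client connection timeout and must not exceed 75 seconds is easy to violate when the two values are tuned separately. The following is an added example, not from the guide, that evaluates a retransmit/timeout pair against that rule and computes the largest attempt count a given timeout allows; the function names are this example's own, and the 10 s and 30 s client timeouts are the guide's own figures for voice and Telnet users used here as sample input.

```python
# Added example: sanity check for the RADIUS retransmission guideline
# (attempts x response-timeout < client connection timeout, and <= 75 s).
# Function names are assumptions made for this illustration.
import math

PRODUCT_CEILING_SECONDS = 75  # upper bound stated in the guide


def check_radius_timing(max_attempts, response_timeout, client_timeout):
    """Return (worst_case_seconds, violations) for one timer combination."""
    worst_case = max_attempts * response_timeout
    violations = []
    if worst_case > PRODUCT_CEILING_SECONDS:
        violations.append(f"{worst_case}s exceeds the {PRODUCT_CEILING_SECONDS}s ceiling; "
                          "stop-accounting buffering and server switchover will not work")
    if worst_case >= client_timeout:
        violations.append(f"{worst_case}s is not below the client connection "
                          f"timeout of {client_timeout}s")
    return worst_case, violations


def max_attempts_for(response_timeout, client_timeout):
    """Largest attempt count that satisfies both constraints for a given timeout."""
    below_client = math.ceil(client_timeout / response_timeout) - 1   # strictly below
    under_ceiling = math.floor(PRODUCT_CEILING_SECONDS / response_timeout)
    return max(0, min(below_client, under_ceiling))


# Constructed sample input: the guide's example bounds for voice and Telnet users
CLIENT_TIMEOUTS = {"voice": 10, "telnet": 30}


def audit(max_attempts, response_timeout):
    """True per user type when the combination satisfies the guideline."""
    return {kind: check_radius_timing(max_attempts, response_timeout, t)[1] == []
            for kind, t in CLIENT_TIMEOUTS.items()}


if __name__ == "__main__":
    for attempts, timeout in ((3, 3), (5, 3)):
        print(f"attempts={attempts} timeout={timeout}s -> {audit(attempts, timeout)}")
    for kind, t in CLIENT_TIMEOUTS.items():
        print(f"{kind}: at most {max_attempts_for(3, t)} attempts with a 3 s timeout")
```

Because the voice bound is the tightest, a combination that passes for voice users passes for every user type listed; the reverse is not true, which is why `audit` reports per type.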
Follow these guidelines when you set timers for controlling communication with RADIUS servers:
• For a type of users, the maximum number of transmission attempts multiplied by the RADIUS server
response timeout period must be less than the client connection timeout time and must not exceed
75 seconds. Otherwise, stop-accounting messages cannot be buffered, and the
primary/secondary server switchover cannot take place. For example, the product of the two
parameters must be less than 10 seconds for voice users, and less than 30 seconds for Telnet users