R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

191

192

193

194

195

196

197

198

199

200

191

Step Command Remarks

2. Enter RADIUS scheme view.

radius scheme

radius-scheme-name

N/A

3. Interpret the class attribute as

CAR parameters.

attribute 25 car

Be default, RADIUS attribute 25 is not

interpreted as CAR parameters.

NOTE:

hether

interpretation of RADIUS class attribute as CAR parameters is supported depends on two factors:

• Whether the firewall supports CAR parameters assignment.

• Whether the RADIUS server supports assigning CAR parameters through the class attribute.

Enabling the trap function for RADIUS

With the trap function, a NAS sends a trap message when either of the following events occurs:

• The status of a RADIUS server changes. If a NAS receives no response to an accounting or

authentication request before the specified maximum number of RADIUS request transmission

attempts is exceeded, it considers the server unreachable, sets the status of the server to block and

sends a trap message. If the NAS receives a response from a RADIUS server that it considers

unreachable, the NAS considers that the RADIUS server is reachable again, sets the status of the

server to active, and sends a trap message.

• The ratio of the number of failed transmission attempts to the total number of authentication request

transmission attempts reaches the threshold. This threshold ranges from 1% to 100% and defaults to

30%. This threshold can only be configured through the MIB.

The failure ratio is generally small. If a trap message is triggered because the failure ratio is higher than

the threshold, troubleshoot the configuration on and the communication between the NAS and the

RADIUS server.

To enable the trap function for RADIUS:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable the trap

function for RADIUS.

radius trap { accounting-server-down |

authentication-error-threshold |

authentication-server-down }

Disabled by default.

Enabling the RADIUS listening port of the RADIUS client

Only after you enable the RADIUS listening port of a RADIUS client, can the client receive and send

RADIUS packets. If RADIUS is not required, disable the RADIUS listening port to avoid attacks that exploit

RADIUS packets.

To enable the RADIUS listening port of a RADIUS client:

Step Command Remarks

1. Enter system view.

system-view N/A

2. Enable the RADIUS listening

port of a RADIUS client.

radius client enable

Optional.

Enabled by default.