R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101
Displaying and maintaining RADIUS
Task: Display the configuration information of RADIUS schemes.
Command: display radius scheme [ radius-scheme-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display the statistics for RADIUS packets.
Command: display radius statistics [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display information about buffered stop-accounting requests for which no responses have been received.
Command: display stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Clear RADIUS statistics.
Command: reset radius statistics
Remarks: Available in user view

Task: Clear the buffered stop-accounting requests for which no responses have been received.
Command: reset stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name }
Remarks: Available in user view

RADIUS scheme configuration guidelines
When you configure RADIUS, follow these guidelines:
• Accounting for FTP users is not supported.
• If you remove the accounting server used for online users, the firewall cannot send real-time
accounting requests and stop-accounting messages for the users to the server, and the
stop-accounting messages are not buffered locally.
• The status of RADIUS servers, blocked or active, determines which servers the firewall
communicates with or turns to when the current servers are not available. In practice, you can
specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary
servers functioning as the backup of the primary servers. Generally, the firewall chooses servers
based on these rules:
  ◦ When the primary server is in active state, the firewall communicates with the primary server.
If the primary server fails, the firewall changes the state of the primary server to blocked, starts
a quiet timer for the server, and turns to a secondary server in active state (a secondary server
configured earlier has a higher priority). If the secondary server is unreachable, the firewall
changes the state of the secondary server to blocked, starts a quiet timer for the server, and
continues to check the next secondary server in active state. This search process continues until
the firewall finds an available secondary server or has checked all secondary servers in active
state. If the quiet timer of a server expires or an authentication or accounting response is
received from the server, the status of the server changes back to active automatically, but the
firewall does not check the server again during the authentication or accounting process. If no
server is found reachable during one search process, the firewall considers the authentication
or accounting attempt a failure.
  ◦ Once the accounting process of a user starts, the firewall keeps sending the user's real-time
accounting requests and stop-accounting requests to the same accounting server. If you remove