R2511-HP MSR Router Series Security Configuration Guide(V5)
Step 3. Specify RADIUS authentication/authorization servers.

Command:
• Specify the primary RADIUS authentication/authorization server:
  primary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *
• Specify a secondary RADIUS authentication/authorization server:
  secondary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *

Remarks:
Configure at least one command.
By default, no authentication/authorization server is specified.
In FIPS mode, the shared key for secure RADIUS authentication/authorization communication must be at least eight characters that contain digits, uppercase letters, lowercase letters, and special characters, and must use 3DES for encryption and decryption.
The IP addresses of the primary and secondary authentication/authorization servers for a scheme must be different. Otherwise, the configuration will fail.
All servers for authentication/authorization and accounting, primary or secondary, must use IP addresses of the same IP version.
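The remarks above can be checked before a scheme is pushed to a device. The following Python lint is an added example, not part of the HP guide: it parses server lines written in the syntax shown above and reports violations of the three rules (FIPS key complexity, distinct primary and secondary addresses, one IP version per scheme). It assumes that "special characters" means ASCII punctuation, that keys contain no spaces, and that accounting lines follow the same syntax as authentication lines; the addresses and keys in the sample are constructed.

```python
import ipaddress
import string
from collections import namedtuple

# plain_key is None when no key is given or the key is ciphertext.
Server = namedtuple("Server", "role kind addr plain_key")

def parse_server(line):
    """Parse one server line written in the syntax from the table above."""
    tok = line.split()
    i = 3 if tok[2] == "ipv6" else 2
    plain = None
    if "key" in tok[i + 1:]:
        k = tok.index("key", i + 1)
        if tok[k + 1] != "cipher":  # ciphertext cannot be checked for complexity
            plain = tok[k + 2] if tok[k + 1] == "simple" else tok[k + 1]
    return Server(tok[0], tok[1], ipaddress.ip_address(tok[i]), plain)

def fips_key_ok(key):
    """At least eight characters with a digit, uppercase, lowercase and special."""
    # Assumption: "special characters" means ASCII punctuation.
    classes = (string.digits, string.ascii_uppercase,
               string.ascii_lowercase, string.punctuation)
    return len(key) >= 8 and all(any(c in cls for c in key) for cls in classes)

def lint_scheme(lines, fips=True):
    """Return the remarks-column rules that a scheme's server lines violate."""
    servers = [parse_server(l) for l in lines]
    findings = []
    if len({s.addr.version for s in servers}) > 1:
        findings.append("servers mix IPv4 and IPv6 addresses")
    auth = [s for s in servers if s.kind == "authentication"]
    primaries = {s.addr for s in auth if s.role == "primary"}
    for s in auth:
        if s.role == "secondary" and s.addr in primaries:
            findings.append(f"secondary authentication {s.addr} equals the primary")
    for s in servers:
        if fips and s.plain_key is not None and not fips_key_ok(s.plain_key):
            findings.append(f"{s.role} {s.kind} {s.addr}: key fails FIPS complexity")
    return findings

# Constructed sample scheme (documentation addresses, made-up keys).
SAMPLE = [
    "primary authentication 192.0.2.10 1812 key simple Rad1us!Key",
    "secondary authentication 192.0.2.10 key simple Sec0nd!Key",
    "primary accounting ipv6 2001:db8::5 1813 key simple alllowercase",
]
if __name__ == "__main__":
    print("\n".join(lint_scheme(SAMPLE)))
```
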
Specifying the RADIUS accounting servers and the relevant parameters
You can specify one primary accounting server and up to 16 secondary accounting servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. When redundancy is not required, specify only the primary server. A RADIUS accounting server can function as the primary accounting server for one scheme and a secondary accounting server for another scheme at the same time.

When the device receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. When the maximum number of real-time accounting attempts is reached, the device disconnects users for whom no accounting responses have been received. You can enable buffering of stop-accounting requests that get no response, which allows the device to buffer and resend a stop-accounting request until it receives a response. If the number of stop-accounting attempts reaches the upper limit, the device discards the buffered request.

If you delete an accounting server that is serving users, the device no longer sends real-time accounting requests or stop-accounting requests for those users to that server, and no longer buffers the stop-accounting requests.

RADIUS does not support accounting for FTP users.

To specify RADIUS accounting servers and set relevant parameters for a scheme:
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter RADIUS scheme view.
Command: radius scheme radius-scheme-name
Remarks: N/A










