R0106-HP MSR Router Series Security Configuration Guide(V7)

| Step | Command | Remarks |
|---|---|---|
| 2. Enter RADIUS scheme view. | radius scheme radius-scheme-name | N/A |
| 3. Specify a security policy server. | security-policy-server { ipv4-address \| ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] | By default, no security policy server is specified for a scheme. You can specify up to eight security policy servers for a RADIUS scheme. |

Interpreting the RADIUS class attribute as CAR parameters
A RADIUS server might deliver CAR parameters for user-based traffic monitoring and control by using the
RADIUS class attribute (attribute 25). You can configure the device to interpret the class attribute as CAR
parameters in the RADIUS packets to be forwarded to users.
To configure the device to interpret the RADIUS class attribute as CAR parameters:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter RADIUS scheme view. | radius scheme radius-scheme-name | N/A |
| 3. Interpret the RADIUS class attribute as CAR parameters. | attribute 25 car | By default, the RADIUS class attribute is not interpreted. |

Configuring the attribute 15 check mode for SSH, FTP, and terminal users
The Login-Service attribute (RADIUS attribute 15) check is performed when the device receives an
Access-Accept packet for a user. The check is passed if the value of the Login-Service attribute in the
packet matches the service type of the user.
Service types comply with the standard Login-Service attributes in RFC 2865. The device also supports
SSH, FTP, and terminal services, which are extended Login-Service attributes using the following values:
- 50—Represents the SSH service.
- 51—Represents the FTP service.
- 52—Represents the terminal service.
To assign correct login services to SSH, FTP, and terminal users, the server must support the extended
Login-Service attributes.
If extended attributes are not supported on the server, the device provides a loose check mode for SSH,
FTP, and terminal users. In this mode, the service types of all SSH, FTP, and terminal users match the Telnet
login service. To support the loose check mode, the server must assign the Telnet service in the
Login-Service attribute with a value of 0.
Use the loose check mode only when the server does not issue the extended Login-Service attribute
values for SSH, FTP, and terminal users.
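The following Python example is added here and is not part of the HP guide or the device software. It extracts Login-Service (attribute 15) from a RADIUS packet laid out per RFC 2865 and models the strict and loose checks for SSH, FTP, and terminal users as this section describes them. The function names, the constructed Access-Accept bytes, and returning None when the attribute is absent are assumptions of the example.

```python
import struct

LOGIN_SERVICE = 15  # RADIUS attribute type (RFC 2865)
TELNET = 0          # standard Login-Service value for Telnet
# Extended Login-Service values listed in this section
EXTENDED = {"ssh": 50, "ftp": 51, "terminal": 52}


def login_service(packet: bytes):
    """Return the Login-Service value from a RADIUS packet, or None if absent."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    pos = 20  # attributes follow Code, Identifier, Length, Authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        if a_type == LOGIN_SERVICE:
            if a_len != 6:
                raise ValueError("Login-Service must carry a 4-byte integer")
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += a_len
    return None


def check_passes(user_service: str, value: int, loose: bool) -> bool:
    """Model of the check for SSH, FTP, and terminal users as described above."""
    if loose:
        # Loose mode: these users match the Telnet login service (value 0).
        return value == TELNET
    return value == EXTENDED[user_service]


def build_accept(value: int) -> bytes:
    """Constructed Access-Accept (code 2), zeroed authenticator; sample input only."""
    attrs = bytes([LOGIN_SERVICE, 6]) + struct.pack("!I", value)
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    for value in (50, 0):
        got = login_service(build_accept(value))
        for mode in (False, True):
            print(value, "loose" if mode else "strict", check_passes("ssh", got, mode))
```

In the loose mode a Login-Service value of 0 satisfies the check for SSH, FTP, and terminal users alike, so attribute 15 no longer distinguishes among those three services.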
To configure the attribute 15 check mode for SSH, FTP, and terminal users:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter RADIUS scheme view. | radius scheme radius-scheme-name | N/A |