3Com Switch 4200G Configuration Guide

184 CHAPTER 23: AAA&RADIUS CONFIGURATION
If you have specified that a RADIUS scheme does not carry ISP domain names in
user names, do not adopt that RADIUS scheme in more than one ISP domain.
Otherwise, the RADIUS server may regard two different users who have the same
name but belong to different ISP domains as the same user, because the user
names sent to it are the same.
In the default RADIUS scheme “system”, no ISP domain names are carried in the
user names by default.

Configuring a Local RADIUS Authentication Server

CAUTION:
When you use the local RADIUS authentication server function, the UDP port
number for the authentication/authorization service must be 1645, the UDP port
number for the accounting service must be 1646, and the IP addresses of the
servers must be set to the addresses of the switch.
The packet encryption key set by the local-server command with the key password
parameter must be identical to the authentication/authorization packet
encryption key set by the key authentication command in RADIUS scheme view.
The switch supports up to 16 local RADIUS authentication servers (including the
default local RADIUS authentication server).

Configuring the Timers of RADIUS Servers

If the switch gets no response from the RADIUS server within a period of time
after sending a RADIUS request (an authentication/authorization request or an
accounting request), it retransmits the packet to ensure that the user can
obtain the RADIUS service. This wait time is called the response timeout time of
RADIUS servers, and the timer in the switch system that controls this wait time
is called the response timeout timer of RADIUS servers.
For the primary and secondary servers (authentication/authorization servers, or
accounting servers) in a RADIUS scheme:
When the switch fails to communicate with the primary server because of server
trouble, the switch actively exchanges packets with the secondary server.
Once the primary server has stayed in the block state longer than the time set
with the timer quiet command, the switch tries to communicate with the primary
server again when it next has a RADIUS request. If the primary server has
recovered, the switch immediately resumes communication with the primary server
instead of the secondary server, and at the same time restores the primary
server to the active state while keeping the state of the secondary server
unchanged.

Table 150 Configure local RADIUS authentication server

Operation | Command | Description
Enter system view | system-view |
Create a local RADIUS authentication server | local-server nas-ip ip-address key password | Required. By default, a local RADIUS authentication server has already been created, whose NAS-IP and key are 127.0.0.1 and 3Com respectively.
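
The constraints in the CAUTION above and the default key in Table 150 can be checked against a saved configuration. The following Python check is an added example, not part of the 3Com guide: it reports a local-server entry that still uses the default key, and any scheme pointing at the switch whose ports or key authentication value break the rules above. The sample configuration and key values are constructed, and the audit function and the radius scheme, primary authentication and primary accounting line syntax are assumptions.

```python
import re

# Constructed sample configuration. Only `local-server nas-ip ... key ...` and
# `key authentication` are taken from this page; the `radius scheme` and
# `primary ...` line syntax is assumed for illustration.
SAMPLE_CONFIG = """\
local-server nas-ip 127.0.0.1 key 3Com
local-server nas-ip 10.0.0.1 key Examp1e-Key
radius scheme localauth
 primary authentication 10.0.0.1 1812
 primary accounting 10.0.0.1 1646
 key authentication Other-Key
"""

DEFAULT_KEY = "3Com"  # default local-server key listed in Table 150
PORTS = {"authentication": "1645", "accounting": "1646"}  # required by the CAUTION


def audit(config, switch_ips):
    """Return findings for local servers and for schemes that use them."""
    findings = []
    local_keys = dict(re.findall(r"^local-server nas-ip (\S+) key (\S+)", config, re.M))
    for ip, key in local_keys.items():
        if key == DEFAULT_KEY:
            findings.append(f"local-server {ip}: default key still in use")
    # Each scheme is its header line plus the indented lines that follow it.
    for name, body in re.findall(r"^radius scheme (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        key = re.search(r"key authentication (\S+)", body)
        for role, ip, port in re.findall(r"primary (authentication|accounting) (\S+)(?: (\d+))?", body):
            if ip not in switch_ips:
                continue  # external RADIUS server: the CAUTION does not apply
            if port != PORTS[role]:
                findings.append(f"{name}: {role} port {port or 'unset'}, expected {PORTS[role]}")
            if role != "authentication":
                continue
            if ip not in local_keys:
                findings.append(f"{name}: no local-server entry for {ip}")
            elif key is None or key.group(1) != local_keys[ip]:
                findings.append(f"{name}: key authentication differs from local-server key for {ip}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, {"127.0.0.1", "10.0.0.1"}):
        print(line)
```

The second argument is the set of addresses that belong to the switch itself, which the check needs in order to tell local servers from external ones.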