HP VPN Firewall Appliances Access Control Configuration Guide
Table 49 Configuration items

Item:
• Authentication Key
• Confirm Authentication Key
• Accounting Key
• Confirm Accounting Key
Description:
Set the shared key for RADIUS authentication packets and the shared key for
RADIUS accounting packets.
The RADIUS client and the RADIUS authentication/accounting server use
MD5 to encrypt RADIUS packets. They verify packets through the
specified shared key. The client and the server can receive and respond
to packets from each other only when they use the same shared key.
IMPORTANT:
• The shared keys configured on the device must be consistent with
those configured on the RADIUS servers.
• The shared keys configured in the common configuration part are
used only when no corresponding shared keys are configured in the
RADIUS server configuration part.

Item:
Quiet Time
Description:
Set the time the device keeps an unreachable RADIUS server in the
blocked state.
If the server quiet timer is 0, the device does not change the status of an
unreachable RADIUS authentication or accounting server. Instead, the
device keeps the server status as active and sends the authentication or
accounting packets to another server in active state, so subsequent
authentication or accounting packets can still be sent to the server whose
status was kept active.
To use the primary server as much as possible, you can set this parameter
to 0 if the primary server might be temporarily unreachable because of a
port going down or an overload.

Item:
• Server Response Timeout Time
• Request Transmission Attempts
Description:
Set the RADIUS server response timeout time and the maximum number
of attempts for transmitting a RADIUS packet to a single RADIUS server.
RADIUS uses UDP packets to transfer data, but UDP communication is
not reliable. To improve reliability, RADIUS uses a retransmission
mechanism. The device retransmits the RADIUS request if no response to
the previous request is received within the server response timeout time.
If the device receives no response after the maximum number of request
transmission attempts, it tries to communicate with other RADIUS servers
in active state. If no other servers are in active state at the time, it
considers the authentication or accounting attempt a failure.
IMPORTANT:
The server response timeout time multiplied by the maximum number of
RADIUS packet transmission attempts must not exceed 75.

Item:
Realtime Accounting Interval
Description:
Set the interval for sending real-time accounting information. The interval
must be a multiple of 3.
To implement real-time accounting, the device must periodically send
real-time accounting packets to the accounting server for online users.
Different real-time accounting intervals impose different performance
requirements on the NAS and the RADIUS server. A shorter interval helps
achieve higher accounting precision but requires higher performance.
Use a longer interval when a large number of users (1000 or more) exist.
For more information about the recommended real-time accounting
intervals, see "Configuration guidelines."

Item:
Realtime Accounting Attempts
Description:
Set the maximum number of attempts for sending a real-time accounting
request.
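
The shared-key check described for the Authentication Key and Accounting Key items, shown as an added example that is not taken from the HP guide or the device: it follows the standard RADIUS rules in RFC 2865 (Response Authenticator and User-Password hiding, both MD5 over the shared key) and shows that a reply or password processed with a different key is rejected or unreadable. The key, Request Authenticator and attribute bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

SHARED_KEY = b"constructed-shared-key"   # constructed sample, not a real key
REQUEST_AUTH = bytes(range(16))          # constructed; real clients use 16 random bytes

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply whose authenticator depends on the shared key."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(packet, ident, request_auth, secret):
    """Client side: accept a reply only if ID, length and authenticator all match."""
    if len(packet) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return False
    expected = response_authenticator(code, rid, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def hide_password(password, request_auth, secret):
    """RFC 2865 User-Password hiding: only this attribute is obscured, in 16-byte blocks."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden, request_auth, secret):
    """Server side: reverse hide_password; a wrong key yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

if __name__ == "__main__":
    reply = build_reply(2, 7, b"\x12\x04ok", REQUEST_AUTH, SHARED_KEY)  # Access-Accept
    print(verify_reply(reply, 7, REQUEST_AUTH, SHARED_KEY),
          verify_reply(reply, 7, REQUEST_AUTH, b"other-key"))
```

A key mismatch between the device and the server shows up as silently dropped replies followed by retransmissions, which is why it is easy to mistake for an unreachable server.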