HP VPN Firewall Appliances Access Control Configuration Guide
Table 50 Configuration items
| Item | Description |
|---|---|
| Server Type | Select the type of the RADIUS server to be configured. Options include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server. |
| IP Address | Specify the IP address of the RADIUS server. |
| Port | Specify the UDP port of the RADIUS server. |
| Key, Confirm Key | Specify the shared key for communication with the RADIUS server. If no shared key is specified here, the shared key specified in the common configuration part is used. |
| VPN | Specify the VPN to which the RADIUS server belongs. If no VPN is specified here, the VPN specified in the common configuration part is used. |
10. To configure more RADIUS servers for the RADIUS scheme, repeat steps 7 through 9.
11. Click Apply on the RADIUS scheme configuration page.
Configuration guidelines
When you configure RADIUS, follow these guidelines:
• Accounting for FTP users is not supported.
• If you remove the accounting server used for online users, the device cannot send real-time
accounting requests and stop-accounting messages for the users to the server, and the
stop-accounting messages are not buffered locally.
• The status of RADIUS servers, blocked or active, determines which servers the device will
communicate with or turn to when the current servers are not available. In practice, you can specify
one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers
functioning as backups of the primary server. Generally, the device chooses servers based on
these rules:
  ○ When the primary server is in the active state, the device communicates with the primary server.
If the primary server fails, the device changes the state of the primary server to blocked, starts
a quiet timer for the server, and turns to a secondary server in the active state (a secondary
server configured earlier has a higher priority). If the secondary server is unreachable, the
device changes the state of the secondary server to blocked, starts a quiet timer for the server,
and continues to check the next secondary server in the active state. This search process
continues until the device finds an available secondary server or has checked all secondary
servers in the active state. If the quiet timer of a server expires or an authentication or
accounting response is received from the server, the status of the server changes back to active
automatically, but the device does not check the server again during the authentication or
accounting process. If no server is found reachable during one search process, the device
considers the authentication or accounting attempt a failure.
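The search process in the rule above can be modeled as follows. This is an added illustration, not code from the device or from this guide; the class and function names, the simulated clock, and the 300-second quiet timer are assumptions made for the example, and reactivation on a late response is not modeled.

```python
# Added illustration: a simplified model of the server selection rule above.
# Names, the clock and the quiet-timer value are assumptions, not device settings.
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    reachable: bool = True      # constructed test condition
    blocked_until: float = 0.0  # time at which the quiet timer expires

class RadiusScheme:
    def __init__(self, primary, secondaries, quiet_seconds):
        # Secondaries keep configuration order: earlier means higher priority.
        self.servers = [primary, *secondaries]
        self.quiet_seconds = quiet_seconds

    def is_active(self, server, now):
        # An expired quiet timer returns the server to active automatically.
        return now >= server.blocked_until

    def select(self, now):
        """Run one search; return the server used, or None on failure."""
        # The active set is fixed when the search starts, so a server that
        # becomes active later is not checked again during this attempt.
        candidates = [s for s in self.servers if self.is_active(s, now)]
        for server in candidates:
            if server.reachable:
                return server
            # No response: block the server and start its quiet timer.
            server.blocked_until = now + self.quiet_seconds
        return None  # no reachable server found: the attempt fails

def demo():
    pri = Server("primary", reachable=False)
    sec1 = Server("secondary-1", reachable=False)
    sec2 = Server("secondary-2")
    scheme = RadiusScheme(pri, [sec1, sec2], quiet_seconds=300)
    first = scheme.select(now=0)      # primary and secondary-1 get blocked
    pri.reachable = True              # primary recovers while still blocked
    second = scheme.select(now=100)   # blocked servers are skipped
    third = scheme.select(now=300)    # quiet timer expired: primary is used
    return [s.name if s else None for s in (first, second, third)]

if __name__ == "__main__":
    print(demo())
```

The second search shows the operational consequence of the quiet timer: a recovered primary server stays unused until its timer expires, so authentication keeps landing on the secondary server in the meantime.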
  ○ Once the accounting process of a user starts, the device keeps sending the user's real-time
accounting requests and stop-accounting requests to the same accounting server. If you remove
the accounting server, real-time accounting requests and stop-accounting requests for the user
cannot be delivered to the server any more.
  ○ If you remove an authentication or accounting server in use, the communication of the device
with the server will soon time out, and the device will look for a server in the active state by