Verifying the configuration, Configuration guidelines – H3C Technologies H3C MSR 50 User Manual
Page 367
346
5.
Use either approach to configure the AAA methods for domain bbb:
Configure the same scheme for authentication and authorization in domain bbb because
RADIUS authorization information is included in the authentication response message.
[Router] domain bbb
[Router-isp-bbb] authentication login radius-scheme system
[Router-isp-bbb] authorization login radius-scheme system
[Router-isp-bbb] accounting login radius-scheme system
[Router-isp-bbb] quit
Configure default AAA methods for all types of users in domain bbb.
[Router] domain bbb
[Router-isp-bbb] authentication default radius-scheme system
[Router-isp-bbb] authorization default radius-scheme system
[Router-isp-bbb] accounting default radius-scheme system
Verifying the configuration
After the configuration, the user can Telnet to the router and use the configured account (username
hello@bbb and password abc) to enter the user interface of the router, and access all the commands of
level 0 through level 3.
Configuration guidelines
When you configure the RADIUS client, follow these guidelines:
•
Accounting for FTP users is not supported.
•
If you remove the accounting server used for online users, the router cannot send real-time
accounting requests and stop-accounting messages for the users to the server, and the
stop-accounting messages are not buffered locally.
•
The status of RADIUS servers, blocked or active, determines which servers the device will
communicate with or turn to when the current servers are not available. In practice, you can specify
one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers
that function as the backup of the primary servers. Generally, the device chooses servers based on
these rules:
When the primary server is in the active state, the device communicates with the primary server.
If the primary server fails, the device changes the state of the primary server to blocked, starts
a quiet timer for the server, and turns to a secondary server in the active state (a secondary
server configured earlier has a higher priority). If the secondary server is unreachable, the
device changes the state of the secondary server to blocked, starts a quiet timer for the server,
and continues to check the next secondary server in the active state. This search process
continues until the device finds an available secondary server or has checked all secondary
servers in the active state. If the quiet timer of a server expires or an authentication or
accounting response is received from the server, the status of the server changes back to active
automatically, but the device does not check the server again during the authentication or
accounting process. If no server is found reachable during one search process, the device
considers the authentication or accounting attempt a failure.
Once the accounting process of a user starts, the device keeps sending the user's real-time
accounting requests and stop-accounting requests to the same accounting server. If you remove
the accounting server, real-time accounting requests and stop-accounting requests for the user
cannot be delivered to the server any more.