Configuring radius, Configuration guidelines – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


Configuring RADIUS

The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication, Authorization, and Accounting (AAA). RADIUS uses the client/server model. It can protect networks against unauthorized access, and is often used in network environments where both high security and remote user access are required. RADIUS defines the packet format and message transfer mechanism, and uses UDP as the transport layer protocol for encapsulating RADIUS packets. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.

RADIUS was originally designed for dial-in user access. It has since been extended to support additional access methods, for example, Ethernet and ADSL.

RADIUS provides access authentication and authorization services. Its accounting function collects and records network resource usage information.

For more information about AAA and RADIUS, see H3C Access Controllers Security Configuration Guide.

Configuration guidelines

When you configure RADIUS, use the following guidelines:

- Accounting for FTP users is not supported.

- If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages for those users to the server, and the stop-accounting messages are not buffered locally.

- The status of RADIUS servers (blocked or active) determines which servers the device communicates with, or turns to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Generally, the device chooses servers based on these rules:

  - When the primary server is in active state, the device communicates with the primary server. If the primary server fails, the device changes the state of the primary server to blocked, starts a quiet timer for the server, and turns to a secondary server in active state (a secondary server configured earlier has a higher priority). If that secondary server is unreachable, the device changes the state of the secondary server to blocked, starts a quiet timer for the server, and continues to check the next secondary server in active state. This search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If the quiet timer of a server expires, or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the device does not check the server again during the current authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.

  - Once the accounting process of a user starts, the device keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove that accounting server, real-time accounting requests and stop-accounting requests for the user can no longer be delivered to it.
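The server selection rules above, modeled as an added Python example (this is not H3C code and not how the switch firmware is implemented; the class names, the `send` callback and the scenario are assumptions). It walks the primary and secondaries in configuration order, skips servers still in their quiet period, and marks unreachable servers blocked, using a constructed scenario in which the primary and the first secondary are down:

```python
from dataclasses import dataclass

@dataclass
class RadiusServer:
    """Hypothetical model of one configured server; blocked until its quiet timer expires."""
    name: str
    blocked_until: float = 0.0  # 0.0 means the server is in active state

    def is_active(self, now: float) -> bool:
        return now >= self.blocked_until

class RadiusServerSelector:
    """Constructed model of the primary/secondary search process described above."""

    def __init__(self, primary, secondaries, quiet_timer):
        self.primary = primary
        self.secondaries = list(secondaries)  # configured earlier = higher priority
        self.quiet_timer = quiet_timer

    def attempt(self, send, now):
        """One search process at time `now`; send(server) is True if the server responded.
        Returns the answering server, or None if no active server was reachable."""
        # States are evaluated once at `now`: a server whose quiet timer expires
        # during this process is not checked again until the next process.
        for server in [self.primary, *self.secondaries]:
            if not server.is_active(now):
                continue  # blocked servers are skipped for this search
            if send(server):
                server.blocked_until = 0.0  # response received -> back to active
                return server
            server.blocked_until = now + self.quiet_timer  # block it, start quiet timer
        return None

def simulate():
    """Constructed scenario: primary and first secondary down, second secondary answers."""
    primary, sec1, sec2 = RadiusServer("primary"), RadiusServer("sec1"), RadiusServer("sec2")
    selector = RadiusServerSelector(primary, [sec1, sec2], quiet_timer=60)
    reachable = {"sec2"}
    calls = []  # servers the device actually sent a request to, in order

    def send(server):
        calls.append(server.name)
        return server.name in reachable

    chosen = [selector.attempt(send, now=0)]       # primary, sec1 fail -> sec2 answers
    chosen.append(selector.attempt(send, now=10))  # primary, sec1 still blocked -> sec2 only
    reachable.add("primary")
    chosen.append(selector.attempt(send, now=70))  # quiet timer expired -> primary tried again
    return [s.name for s in chosen], calls
```

The second search at `now=10` shows the operational effect of the quiet timer: a blocked primary is not probed again even if it has recovered, which is why a too-long quiet timer lengthens the time before the device returns to the primary.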
