H3C Technologies H3C SecPath F1000-E User Manual

Page 182


Item Description

Username Format

Select the format of usernames to be sent to the RADIUS server.
A username is generally in the format of userid@isp-name, of which isp-name is used by the firewall to determine the ISP domain to which a user belongs. If a RADIUS server (such as a RADIUS server of some early version) does not accept a username that contains an ISP domain name, you can configure the firewall to remove the domain name of a username before sending it to the RADIUS server.
The username format options include:

• Original format—Specifies to send the username of a user on an "as is" basis.
• With domain name—Specifies to include the domain name in a username to be sent to the RADIUS server.
• Without domain name—Specifies to remove any domain name of a username that is sent to the RADIUS server.

Authentication Key
Confirm Authentication Key
Accounting Key
Confirm Accounting Key

Set the shared key for RADIUS authentication packets and that for RADIUS accounting packets.
The RADIUS client and the RADIUS authentication/accounting server use MD5 to encrypt RADIUS packets, and they verify the validity of packets through the specified shared key. The client and the server receive and respond to packets from each other only when they use the same shared key.

IMPORTANT:

• The shared keys configured on the firewall must be consistent with those configured on the RADIUS servers.
• The shared keys configured in the common configuration part are used only when no corresponding shared keys are configured in the RADIUS server configuration part.

Quiet Time

Set the time that the firewall keeps an unreachable RADIUS server in blocked state.
If you set the quiet time to 0, when the firewall attempts to send an authentication or accounting request but finds that the current server is unreachable, it does not change the status that it maintains for that server. It simply sends the request to the next server in active state. As a result, when the firewall attempts to send a request of the same type for another user, it still tries to send the request to the unreachable server, because that server is still in active state.
You can use this parameter to control whether the firewall changes the status of an unreachable server. For example, if you determine that the primary server is unreachable because the firewall's port that connects to the server is temporarily out of service or because the server is busy, you can set the time to 0 so that the firewall uses the primary server as much as possible.

Server Response Timeout Time

Set the RADIUS server response timeout time.
If the firewall sends a RADIUS request to a RADIUS server but receives no response within the specified server response timeout time, it retransmits the request. Setting a proper value according to the network conditions helps in improving the system performance.

IMPORTANT:

The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75.
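The shared-key check described under Authentication Key above, as an added Python example (not taken from the H3C manual or firmware): it follows the RFC 2865 Response Authenticator calculation, MD5(Code + Identifier + Length + Request Authenticator + Attributes + shared key), and shows that a reply verifies only when both sides hold the same key. The key strings, identifier and attribute bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample data (not from the manual).
REQUEST_AUTH = bytes(range(16))        # 16-byte Request Authenticator sent by the client
ATTRS = bytes([18, 4]) + b"ok"         # one attribute: Reply-Message (type 18), length 4
ACCESS_ACCEPT = 2                      # RADIUS code for Access-Accept


def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, ident, request_auth, attributes, secret):
    """Server side: assemble a reply whose authenticator binds it to the shared key."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return header + auth + attributes


def verify_response(packet, request_ident, request_auth, secret):
    """Client side: accept a reply only if it was computed with our shared key."""
    if len(packet) < 20:
        return False                   # shorter than the fixed RADIUS header
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != request_ident or length < 20 or length > len(packet):
        return False                   # wrong request or truncated packet
    received = packet[4:20]
    attributes = packet[20:length]     # bytes past Length are padding and ignored
    expected = response_authenticator(code, ident, request_auth, attributes, secret)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    reply = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, ATTRS, b"key-on-server")
    print("same key:     ", verify_response(reply, 7, REQUEST_AUTH, b"key-on-server"))
    print("different key:", verify_response(reply, 7, REQUEST_AUTH, b"key-on-firewall"))
```

A mismatched key makes every reply fail this check, so the client drops it and the server looks unreachable, which is then handled by the timeout and quiet time settings described above.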
