H3C Technologies H3C SecPath F1000-E User Manual


If you remove an authentication or accounting server in use, the communication of the firewall with the server soon times out, and the firewall looks for a server in active state from scratch by checking any primary server first and then the secondary servers in the order they are configured.

When the primary server and secondary servers are all in blocked state, the firewall communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.

If one server is in active state and all the others are in blocked state, the firewall only tries to communicate with the server in active state, even if the server is unavailable.

After receiving an authentication/accounting response from a server, the firewall changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked.

By default, the firewall sets the status of all RADIUS servers to active. In some cases, however, you can change the status of a server. For example, if a server fails, you can change the status of the server to blocked to avoid communication with the server.
To set the status of RADIUS servers in a RADIUS scheme:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter RADIUS scheme view.
    Command: radius scheme radius-scheme-name
    Remarks: N/A

Step 3. Set the RADIUS server status.
    Commands:
      Set the status of the primary RADIUS authentication/authorization server:
        state primary authentication { active | block }
      Set the status of the primary RADIUS accounting server:
        state primary accounting { active | block }
      Set the status of a secondary RADIUS authentication/authorization server:
        state secondary authentication [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
      Set the status of a secondary RADIUS accounting server:
        state secondary accounting [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
    Remarks: Optional. The default status is active for every server specified in the RADIUS scheme.

NOTE:

The server status set by the state command cannot be saved to the configuration file. After the firewall
restarts, the status of each server is restored to active.

To display the states of the servers, use the display radius scheme command.
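
The server-state rules in this section can be traced with a small model. The following Python sketch is an added example, not H3C code: the Server class, the function names and the 192.0.2.x addresses are constructed for illustration, and it models only the rules stated on this page.

```python
from dataclasses import dataclass

@dataclass
class Server:
    ip: str                  # constructed sample address (TEST-NET-1)
    state: str = "active"    # default status of every configured server

def pick_target(servers):
    """servers[0] is the primary; the rest are secondaries in configured order."""
    for s in servers:                  # primary first, then secondaries in order
        if s.state == "active":
            return s
    return servers[0]                  # all blocked: the firewall tries the primary

def on_response(servers, source_ip):
    """A response moves the server with that source IP from blocked to active."""
    for s in servers:
        if s.ip == source_ip and s.state == "blocked":
            s.state = "active"

def authenticate(servers, reachable):
    """Send one request; return the IP that answered, or None on timeout.
    What happens to an active server that times out is not described in this
    section, so no state change is modelled for that case."""
    target = pick_target(servers)
    if target.ip not in reachable:
        return None
    on_response(servers, target.ip)
    return target.ip

def restart(servers):
    """State set with the state command is not saved; a restart restores active."""
    for s in servers:
        s.state = "active"

def demo():
    out = {}
    s = [Server("192.0.2.1", "blocked"), Server("192.0.2.2", "blocked")]
    out["all_blocked_primary_up"] = (authenticate(s, {"192.0.2.1"}), s[0].state)
    s = [Server("192.0.2.1", "blocked"), Server("192.0.2.2", "blocked")]
    out["all_blocked_primary_down"] = (authenticate(s, {"192.0.2.2"}), s[0].state)
    # Only the secondary is active and it is down: the blocked primary is never tried.
    s = [Server("192.0.2.1", "blocked"), Server("192.0.2.2", "active")]
    out["one_active_down"] = (authenticate(s, {"192.0.2.1"}), s[0].state)
    restart(s)                         # statuses return to active after a restart
    out["after_restart"] = (authenticate(s, {"192.0.2.1"}), s[0].state)
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The one_active_down case is the one to watch operationally: authentication fails while a reachable server sits in blocked state, until its status is set back to active or the firewall restarts.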

Setting the username format and traffic statistics units

A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP domain to which the user belongs and is used by the firewall to determine which users belong to which ISP domains. However, some earlier RADIUS servers cannot recognize usernames that contain an ISP domain name. In this case, the firewall must remove the domain name of each username before sending the username. You can set the username format on the firewall for this purpose.