Radius scheme configuration guidelines – H3C Technologies H3C SecPath F1000-E User Manual


Task: Clear RADIUS statistics.
Command: reset radius statistics
Remarks: Available in user view

Task: Clear the buffered stop-accounting requests for which no responses have been received.
Command: reset stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name }
Remarks: Available in user view

RADIUS scheme configuration guidelines

When you configure RADIUS, follow these guidelines:

Accounting for FTP users is not supported.

If you remove the accounting server used for online users, the firewall cannot send real-time accounting requests and stop-accounting messages for the users to the server, and the stop-accounting messages are not buffered locally.

The status of RADIUS servers, blocked or active, determines which servers the firewall communicates with or turns to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Generally, the firewall chooses servers based on these rules:

- When the primary server is in active state, the firewall communicates with the primary server. If the primary server fails, the firewall changes the state of the primary server to blocked, starts a quiet timer for the server, and turns to a secondary server in active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the firewall changes the state of the secondary server to blocked, starts a quiet timer for the server, and continues to check the next secondary server in active state. This search process continues until the firewall finds an available secondary server or has checked all secondary servers in active state. If the quiet timer of a server expires or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the firewall does not check the server again during the authentication or accounting process. If no server is found reachable during one search process, the firewall considers the authentication or accounting attempt a failure.

- Once the accounting process of a user starts, the firewall keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests for the user are no longer delivered to the server.

- If you remove an authentication or accounting server in use, the communication of the firewall with the server soon times out, and the firewall looks for a server in active state from scratch by checking any primary server first and then the secondary servers in the order they are configured.

- When the primary server and secondary servers are all in blocked state, the firewall communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.

- If one server is in active state but all the others are in blocked state, the firewall only tries to communicate with the server in active state, even if the server is unavailable.
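
The selection rules above, modeled as a small Python state machine. This is an added example, not code from H3C or this manual; the class and function names, the `reachable` flag and the 300-second quiet timer are assumptions made for the illustration.

```python
from dataclasses import dataclass

QUIET = 300.0  # quiet timer length in seconds (assumed value for this model)

@dataclass
class Server:
    name: str
    reachable: bool              # constructed input: whether the server answers
    blocked_until: float = 0.0   # quiet timer expiry; in the past means active

    def active(self, now: float) -> bool:
        return now >= self.blocked_until

def select_server(primary, secondaries, now):
    """Run one search process; return the server that answered, or None."""
    # Snapshot of active servers in priority order: primary, then secondaries
    # in configuration order. A server whose quiet timer expires during the
    # search is not in the snapshot, so it is not checked again.
    candidates = [s for s in [primary, *secondaries] if s.active(now)]
    if not candidates:
        # Everything is blocked: only the primary is tried.
        if primary.reachable:
            primary.blocked_until = 0.0    # a response makes it active again
            return primary
        return None                        # primary stays blocked
    for server in candidates:
        if server.reachable:
            return server
        server.blocked_until = now + QUIET  # blocked, quiet timer started
    return None  # no active server answered: the attempt fails

def demo():
    # Constructed scenario: primary and first secondary are down at t=0.
    pri, s1, s2 = Server("pri", False), Server("sec1", False), Server("sec2", True)
    out = [select_server(pri, [s1, s2], now=0)]           # falls through to sec2
    pri.reachable = True                                  # primary recovers
    out.append(select_server(pri, [s1, s2], now=10))      # pri still blocked
    out.append(select_server(pri, [s1, s2], now=QUIET))   # quiet timer expired
    return [s.name for s in out]

if __name__ == "__main__":
    print(demo())
```

The second call in `demo()` shows the operational consequence of the quiet timer: a recovered primary receives no traffic until its timer expires, so authentication keeps flowing to the secondary in the meantime.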
