H3C Technologies H3C WX3000 Series Unified Switches User Manual

Page 267


- If a RADIUS scheme is configured to remove ISP domain names from user names, do not use
that scheme in more than one ISP domain. Otherwise, the RADIUS server may treat two different
users who have the same name but belong to different ISP domains as the same user, because
the user names sent to it are identical.

- In the default RADIUS scheme "system", ISP domain names are removed from user names by
default.

- The purpose of setting the MAC address format of the Calling-Station-Id (Type 31) field in RADIUS
packets is to improve the device's compatibility with different RADIUS servers. This setting is
necessary when the Calling-Station-Id format that the RADIUS server recognizes differs from the
default MAC address format on the device. For details about the field formats a RADIUS server
recognizes, refer to the corresponding RADIUS server manual.

Configuring the Local RADIUS Authentication Server Function

In addition to the RADIUS client service, in which a separate authentication/authorization server
and accounting server are used for user authentication, the device provides a local RADIUS server
function (including authentication and authorization), also known as the local RADIUS
authentication server function.

Follow these steps to configure the local RADIUS authentication server function:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable UDP port for local RADIUS authentication server | local-server enable | Optional. By default, the UDP port for local RADIUS authentication server is enabled. |
| Configure the parameters of the local RADIUS server | local-server nas-ip ip-address key password | Required. By default, a local RADIUS authentication server is configured with an NAS IP address of 127.0.0.1. |

- If you adopt the local RADIUS authentication server function, the UDP port number of the
authentication/authorization server must be 1645, the UDP port number of the accounting server
must be 1646, and the IP addresses of the servers must be set to the addresses of this device.

- The message encryption key set by the local-server nas-ip ip-address key password command
must be identical to the authentication/authorization message encryption key set by the key
authentication command in the RADIUS scheme view of the RADIUS scheme on the specified
NAS that uses this device as its authentication server.

- The device supports IP addresses and shared keys for up to 16 network access servers (NAS).
That is, when acting as the local RADIUS authentication server, the device can provide
authentication service to up to 16 network access servers (including the device itself) at the same
time.
