HP A 5120 Manual

							21 
Task Remarks 
Configuring RADIUS accounting-on Optional 
Specifying a security policy server Optional 
Configuring interpretation of RADIUS class attribute as CAR 
parameters Optional 
Enabling the RADIUS trap function Optional 
Enabling the listening port of the RADIUS client Optional 
Displaying and maintaining RADIUS Optional 
 
Creating a RADIUS scheme 
Before performing other RADIUS configurations, follow these steps to create a RADIUS  scheme and enter 
RADIUS scheme view: 
To do… Use the command… Remarks 
Enter system view system-view — 
Create a RADIUS scheme and 
enter RADIUS scheme view 
radius scheme radius-scheme-
name 
Required 
No RADIUS scheme by default 
 
 NOTE: 
A RADIUS scheme can be referenced by multiple ISP domains at the same time.  
Specifying the RADIUS authentication/authorization servers 
Follow these steps to specify the RADIUS authentication/authorization servers: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-scheme-name — 
Specify the primary RADIUS 
authentication/authorization 
server 
primary authentication { ip-address [ port-
number | key string] * | ipv6 ipv6-address [ 
port-number | key string ] * } 
Required 
Configure at least one 
command. 
No 
authentication/authorizat
ion server is specified by 
default. 
Specify the secondary 
RADIUS 
authentication/authorization 
server 
secondary authentication { ip-address [ port-
number | key string] * | ipv6 ipv6-address [ 
port-number | key string ] * } 
  
						

							22 
 NOTE: 
 If both the primary and secondary authentication/authorization servers are specified, the secondary one is used 
when the primary one is not reachable.  
 If redundancy is not required, specify only the primary RADIUS authentication/authorization server. 
 In practice, you may specify one RADIUS server as the primary authentication/authorization server, and up to 
16 RADIUS servers as the secondary authentication/authorization servers, or specify a server as the primary 
authentication/authorization server for a scheme and as the secondary authentication/authorization servers for 
another scheme at the same time. 
 The IP addresses of the primary and secondary authentication/authorization servers for a scheme must be 
different from each other. Otherwise, the configuration will fail.  
 All servers for authentication/authorization and accountings, primary or secondary, must use IP addresses of the 
same IP version.  
Specifying the RADIUS accounting servers and relevant parameters 
You can specify one primary accounting server and up to 16 secondary accounting servers for a RADIUS 
scheme. When the primary server is not available, a secondary server is used, if any. When redundancy 
is not required, specify only the primary server. 
By setting the  maximum  number  of real-time accounting attempts for  a  scheme, you  make the  device 
disconnect users for whom no accounting response is received before the number of accounting attempts 
reaches the limit. 
When  the  device  receives  a  connection  teardown  request  from  a  host  or  a  connection  teardown 
notification from  an  administrator,  it  sends  a  stop-accounting  request  to  the  accounting  server. You  can 
enable  buffering  of non-responded stop-accounting  requests to allow  the  device  to  buffer and  resend a 
stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the 
configured limit. In the latter case, the device discards the packet. 
Follow these steps to specify the RADIUS accounting servers and perform related configurations: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-scheme-name — 
Specify the primary RADIUS 
accounting server 
primary accounting { ip-address [ port-number 
| key string ] * | ipv6 ipv6-address [ port-
number | key string ] * } 
Required 
Configure at least one 
command. 
No accounting server is 
specified by default. 
Specify the secondary RADIUS 
accounting server 
secondary accounting { ip-address [ port-
number | key string ] * | ipv6 ipv6-address [ 
port-number | key string ] * } 
Enable the device to buffer 
stop-accounting requests to 
which no responses are 
received 
stop-accounting-buffer enable Optional 
Enabled by default 
Set the maximum number of 
stop-accounting attempts retry stop-accounting retry-times Optional 
500 by default 
Set the maximum number of 
real-time accounting attempts retry realtime-accounting retry-times Optional 
5 by default 
  
						

							23 
 NOTE: 
 The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, 
the configuration fails. 
 All servers for authentication/authorization and accountings, primary or secondary, must use IP addresses of the 
same IP version. 
 If you delete an accounting server serving users, the device can no longer send real-time accounting requests 
and stop-accounting requests for the users to that server, or buffer the stop-accounting requests. 
 You can specify a RADIUS accounting server as the primary accounting server for one scheme and as the 
secondary accounting server for another scheme at the same time. 
 RADIUS does not support accounting for FTP users.  
Setting the shared keys for RADIUS packets 
The  RADIUS  client  and  RADIUS  server  use  the  MD5  algorithm  to  encrypt  packets  exchanged  between 
them and use shared  keys to verify  the  packets. They must use the  same shared key for  the  same  type  of 
packets. 
A  shared  key  configured  in  this  task is  for  all  servers  of  the  same  type  (accounting  or  authentication)  in 
the scheme, and has a lower priority than a shared key configured individually for a RADIUS server. 
Follow these steps to set the shared keys for RADIUS packets: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-scheme-
name — 
Set the shared key for RADIUS 
authentication/authorization or 
accounting packets 
key { accounting | authentication 
} string 
Required 
No shared key by default 
 
 NOTE: 
A shared key configured on the device must be the same as that configured on the RADIUS server.  
Setting the maximum number of RADIUS request transmission attempts 
Because RADIUS  uses  UDP  packets  to transfer data,  the  communication  process  is  not  reliable. RADIUS 
uses  a  retransmission  mechanism  to  improve  reliability. If a  NAS sends  a RADIUS  request to a RADIUS 
server but receives no response before the response timeout timer expires, it retransmits the request. If the 
number  of  transmission  attempts  exceeds  the  specified limit  but  it  still  receives  no  response, it tries  to 
communicate with other RADIUS servers in the active state. If no other servers are in the active state at the 
time,  it considers  the authentication a  failure. For more information  about  RADIUS  server  states, see 
―Setting the status of RADIUS servers.― 
Follow these steps to set the maximum number of RADIUS request transmission attempts: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-scheme-
name — 
Set the maximum number of 
RADIUS request transmission 
attempts  
retry retry-times Optional 
3 by default  
						

							24 
. 
 NOTE: 
 The maximum number of transmission attempts of RADIUS packets multiplied by the RADIUS server response 
timeout period cannot be greater than 75 seconds. 
 For more information about the RADIUS server response timeout period, see “Setting timers for controlling 
communication with RADIUS servers.“  
Setting the supported RADIUS server type 
The  supported  RADIUS  server  type  determines  the  type  of  the  RADIUS  protocol  that  the  device  uses  to 
communicate with the RADIUS server. It can be standard or extended: 
 Standard—Uses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later. 
 Extended—Uses the proprietary RADIUS protocol of HP. 
When the RADIUS server runs iMC, you must set the RADIUS server type to extended. When the RADIUS 
server  runs third-party  RADIUS server software, either RADIUS  server type applies. For  the device  to 
function as a RADIUS server to authenticate login users, you must set the RADIUS server type to standard. 
Follow these steps to set the RADIUS server type: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-scheme-
name — 
Set the RADIUS server type server-type { extended | 
standard } 
Optional 
standard by default 
 
 NOTE: 
Changing the RADIUS server type will restore the unit for data flows and that for packets that are sent 
to the RADIUS server to the defaults.  
Setting the status of RADIUS servers 
By setting the status of RADIUS servers to blocked or active, you can control which servers the device will 
communicate  with  for authentication,  authorization,  and  accounting  or  turn  to  when  the  current  servers 
are  not  available  anymore. In  practice,  you  can  specify  one primary RADIUS server  and multiple 
secondary RADIUS servers,  with  the  secondary  ones  as  the  backup  of  the  primary  one.  Generally,  the 
device chooses servers based on these rules: 
 When the  primary  server is in the active state,  the  device  communicates  with  the  primary  server.  If 
the  primary server  fails,  the  device  changes  the state of  the  primary  server  to blocked and  starts a 
quiet  timer  for  the  server, and then turns  to a secondary  server in the active state  (a  secondary 
server  configured  earlier  has  a  higher  priority). If  the  secondary  server  is  unreachable,  the  device 
changes  the server’s status to blocked,  starts a quiet  timer  for  the  server,  and continues  to  check  the 
next  secondary  server in the active state.  This  search  process  continues  until  the  device  finds  an 
available secondary server or has checked all secondary servers in the active state. If the quiet timer 
of a server expires or an authentication or accounting response is received from the server, the state 
of the server changes back to active automatically, but the device does not check the server again. If 
no  server  is  found  reachable  during  one  search  process,  the  device  considers  the  authentication  or 
accounting attempt a failure.  
 Once  the accounting process  of  a  user starts,  the  device  keeps  sending  the  user’s  real-time 
accounting  requests  and  stop-accounting  requests  to  the  same  accounting  server.  If you  remove the  
						

							25 
accounting server, real-time accounting requests and stop-accounting requests of the user cannot be 
delivered to the server anymore.  
 If  you  remove an  authentication or  accounting  server  in  use, the  communication of  the device with 
the  server  will soon time out,  and  the  device  will  look  for  a  server  in the active state  from  scratch: it 
checks the  primary  server (if  any)  first  and then  the  secondary  servers in the order  they  are 
configured. 
 When  the  primary  server  and  secondary  servers  are  all  in the blocked state,  the  device 
communicates  with  the  primary  server.  If  the  primary  server  is  available,  its state changes  to active; 
otherwise, its state remains to be blocked.  
 If  one  server  is  in the active state and the  others are in the blocked  state,  the  device  only  tries  to 
communicate with the server in the active state, even if the server is unavailable.  
 After receiving an authentication/accounting response from a server, the device changes the state of 
the  server identified  by the  source  IP  address of the  response  to active if  the  current  state  of  the 
server is blocked. 
By default,  the  device  sets  the  status  of  all  RADIUS  servers  to active. In  some  cases,  however, you may 
need  to  change  the  status  of  a  server. For example, if  a  server  fails, you  can  change  the  status  of  the 
server to blocked to avoid communication with the server.  
Follow these steps to set the status of RADIUS servers: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-scheme-name — 
Set the status of the primary RADIUS 
authentication/authorization server 
state primary authentication { 
active | block } 
Optional 
active for every server 
specified in the RADIUS 
scheme by default 
Set the status of the primary RADIUS 
accounting server 
state primary accounting { active | 
block } 
Set the status of the secondary 
RADIUS authentication/authorization 
server 
state secondary authentication [ ip 
ipv4-address | ipv6 ipv6-address ] 
{ active | block } 
Set the status of the secondary 
RADIUS accounting server 
state secondary accounting [ ip 
ipv4-address | ipv6 ipv6-address ] 
{ active | block } 
 
 NOTE: 
 The server status set by the state command cannot be saved in the configuration file and will be restored to 
active every time the server restarts.  
 To display the states of the servers, use the display radius scheme command.   
Setting the username format and traffic statistics units 
A username  is usually in  the  format  of userid@isp-name,  where isp-name represents  the  name  of the ISP 
domain  the  user  belongs  to  and  is  used  by  the  device  to  determine  which  users  belong  to  which  ISP 
domains. However, some earlier RADIUS servers cannot recognize usernames that contain an ISP domain 
name.  In  this  case, the device must  remove  the  domain  name of  each  username before  sending the 
username. You can set the username format on the device for this purpose. 
The  device  periodically  sends  accounting  updates  to  RADIUS  accounting  servers  to  report  the  traffic 
statistics  of  online  users.  For  normal  and  accurate  traffic  statistics,  make  sure  that  the  unit for data flows 
and that for packets on the device are consistent with those on the RADIUS server.  
						

							26 
Follow these steps to set the username format and the traffic statistics units for a RADIUS scheme: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-scheme-
name — 
Set the format for usernames sent 
to the RADIUS servers 
user-name-format { keep-original 
| with-domain | without-domain 
} 
Optional 
By default, the ISP domain name 
is included in the username. 
Specify the unit for data flows or 
packets sent to the RADIUS 
servers 
data-flow-format { data { byte | 
giga-byte | kilo-byte | mega-byte 
} | packet { giga-packet | kilo-
packet | mega-packet | one-
packet } }* 
Optional 
byte for data flows and one-
packet for data packets by 
default. 
 
 NOTE: 
 If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS 
scheme to more than one ISP domain. Otherwise, users using the same username but in different ISP domains 
will be considered the same user. 
 For level switching authentication, the user-name-format keep-original and user-name-format without-domain 
commands produce the same results: they ensure that usernames sent to the RADIUS server carry no ISP domain 
name.   
Specifying a source IP address for outgoing RADIUS packets 
The  source  IP  address  of  RADIUS  packets  that  a  NAS  sends  must  match the  IP  address of  the  NAS 
configured  on  the  RADIUS  server.  A  RADIUS  server  identifies  a  NAS  by its IP  address.  Upon  receiving  a 
RADIUS packet, a RADIUS  server checks  whether the source IP address of the packet is the IP address of 
any managed NAS. If yes, the server processes the packet. If not, the server drops the packet. 
Usually, the source address of outgoing RADIUS packets can be the IP address of the NAS’s any interface 
that can communicate with the RADIUS server. 
You  can  specify a source  IP  address for outgoing RADIUS  packets  in  RADIUS  scheme  view  for  a  specific 
RADIUS  scheme,  or  in  system  view  for  all RADIUS  schemes.  Before  sending  a  RADIUS  packet,  a  NAS 
selects a source IP address in this order: 
1. The source IP address specified for the RADIUS scheme. 
2. The source IP address specified in system view. 
3. The IP address of the outbound interface specified by the route. 
Follow these steps to specify a source IP address for all RADIUS schemes: 
To do… Use the command… Remarks 
Enter system view system-view — 
Specify a source IP address 
for outgoing RADIUS packets 
radius nas-ip { ip-address | 
ipv6 ipv6-address } 
Required 
By default, the IP address of the outbound 
interface is used as the source IP address. 
 
Follow these steps to specify a source IP address for a specific RADIUS scheme:  
						

							27 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-scheme-
name — 
Specify a source IP address 
for outgoing RADIUS packets 
nas-ip { ip-address | ipv6 
ipv6-address } 
Required 
By default, the IP address of the outbound 
interface is used as the source IP address. 
 
Setting timers for controlling communication with RADIUS servers 
The device uses the following types of timers to control the communication with a RADIUS server:  
 Server  response  timeout timer (response-timeout)—Defines the RADIUS  request  retransmission 
interval. After  sending  a  RADIUS  request  (authentication/authorization  or  accounting  request),  the 
device starts  this  timer.  If  the  device receives  no  response  from the  RADIUS  server before  this  timer 
expires, it resends the request. 
 Server quiet  timer  (quiet)—Defines  the  duration  to  keep  an  unreachable  server  in  the blocked state. 
If a server is not reachable, the device changes the server’s status to blocked, starts this timer for the 
server,  and tries  to  communicate  with another  server  in  the active state.  After  this  timer  expires,  the 
device changes the status of the server back to active.  
 Real-time  accounting timer (realtime-accounting)—Defines  the  interval  at  which  the  device  sends 
real-time  accounting  packets  to  the  RADIUS  accounting  server  for  online  users.  To  implement  real-
time  accounting,  the  device  must  periodically  send  real-time  accounting  packets  to  the  accounting 
server for online users. 
Follow these steps to set timers for controlling communication with RADIUS servers: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-scheme-
name — 
Set the RADIUS server response 
timeout timer timer response-timeout seconds Optional 
3 seconds by default 
Set the quiet timer for the servers timer quiet minutes Optional 
5 minutes by default 
Set the real-time accounting timer timer realtime-accounting minutes Optional 
12 minutes by default 
  
						

							28 
 NOTE: 
 For an access module, the maximum number of transmission attempts multiplied by the RADIUS server response 
timeout period must be less than the client connection timeout time and must not exceed 75 seconds. Otherwise, 
stop-accounting messages cannot be buffered, and the primary/secondary server switchover cannot take place. 
For example, because the client connection timeout time for voice access is 10 seconds, the product of the two 
parameters must be less than 10 seconds; because the client connection timeout time for Telnet access is 30 
seconds, the product of the two parameters must be less than 30 seconds. 
 When configuring the maximum number of RADIUS packet transmission attempts and the RADIUS server 
response timeout period, be sure to take the number of secondary servers into account. If the retransmission 
process takes too much time, the client connection in the access module may be timed out while the device is 
trying to find an available server.  
 When a number of secondary servers are configured, the client connections of access modules that have a short 
client connection timeout period may still be timed out during initial authentication or accounting, even if the 
packet transmission attempt limit and server response timeout period are configured with small values. In this 
case, the next authentication or accounting attempt may succeed because the device has set the state of the 
unreachable servers to blocked and the time for finding a reachable server is shortened. 
 Be sure to set the server quiet timer properly. Too short a quiet timer may result in frequent authentication or 
accounting failures because the device has to repeatedly attempt to communicate with a server that is in the 
active state but is unreachable. 
 For more information about the maximum number of RADIUS packet retransmission attempts, see “Setting the 
maximum number of RADIUS request transmission attempts.“  
Configuring RADIUS accounting-on 
The  accounting-on feature  enables a device to send  accounting-on  packets  to  the  RADIUS  server after it 
reboots, making the server log out users who logged in through the device before the reboot. Without this 
feature,  users  who  were  online  before  the  reboot  cannot  re-log  in  after  the  reboot,  because  the  RADIUS 
server considers they are already online. 
If  a  device  sends  an  accounting-on  packet  to  the  RADIUS  server  but  receives  no  response,  it  resends  the 
packet to the server at a particular interval for a specified number of times. 
Follow these steps to configure the accounting-on feature for a RADIUS scheme: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-scheme-
name — 
Enable accounting-on and 
configure parameters 
accounting-on enable [ 
interval seconds | send send-
times ] * 
Required 
Disabled by default. 
The default interval is 3 seconds and the 
default number of send-times is 5.  
 
 NOTE: 
The accounting-on feature requires the cooperation of the iMC network management system.  
Specifying a security policy server 
The  core  of  the  EAD  solution  is  integration  and  cooperation,  and  the  security  policy  server  is  the 
management  and  control  center.  As  a  collection  of  software,  the  security  policy  server  provides  functions 
such  as  user  management,  security  policy  management,  security  status  assessment,  security  cooperation 
control, and security event audit.  
						

							29 
The  NAS  checks  the  validity  of  received  control  packets  and  accepts  only  control  packets  from  known 
servers.  To  use  a  security  policy  server  that  is  independent  of  the  AAA  servers,  you  must  configure  the  IP 
address  of  the  security  policy  server  on the NAS.  To  implement all EAD functions, configure  both the  IP 
address of the iMC security policy server and that of the iMC configuration platform on the NAS. 
Follow these steps to specify a security policy server: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-scheme-name — 
Specify a security policy server security-policy-server ip-address 
Required 
No security policy server is 
specified by default 
 
 NOTE: 
You can specify up to eight security policy servers for a RADIUS scheme.  
Configuring interpretation of RADIUS class attribute as CAR parameters 
According  to  RFC  2865,  a  RADIUS  server  assigns  the RADIUS class  attribute  (attribute  25)  to  a  RADIUS 
client. However, the RFC only requires the RADIUS client to send the attribute to the accounting server on 
an ―as is‖ basis; it does not require the RADIUS client to interpret the attribute. Some RADIUS servers use 
the  class  attribute  to  deliver  the  assigned committed  access  rate (CAR)  parameters.  In  this  case,  the 
access  devices  need  to  interpret  the  attribute  to  implement  user-based  traffic  monitoring  and  controlling. 
To  support  such  applications,  configure  the access  devices to  interpret  the  class  attribute as the  CAR 
parameters. 
Follow these steps to configure the RADIUS client to interpret the class attribute as the CAR parameters: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enter RADIUS scheme view radius scheme radius-
scheme-name — 
Specify to interpret the class 
attribute as the CAR parameters attribute 25 car 
Required 
Be default, RADIUS attribute 25 is not 
interpreted as CAR parameters.  
 
 NOTE: 
Whether to configure this feature depends on the implementation of the device and the RADIUS server.   
Enabling the RADIUS trap function 
With the RADIUS trap function, a NAS sends a trap message in either of these situations: 
 The  status  of  a  RADIUS  server  changes. If  a  NAS  sends and  retransmits an accounting or 
authentication  request to a RADIUS  server but gets no  response before  the  maximum  number  of 
transmission  attempts  is  reached,  it considers  the  server  unavailable  and sends  a  trap  message.  If 
the NAS receives a response from a RADIUS server in the blocked state, the NAS considers that the 
RADIUS server is reachable again and also sends a trap message. 
 The  ratio  of  the  number  of  failed  transmission  attempts  to  the  total  number  of  authentication  request 
transmission attempts reaches the threshold. This threshold ranges from 1% to 100% and defaults to 
30%. This threshold can only be configured through the MIB.   
						

							30 
The failure  ratio  is generally small.  If  you  see  a  trap  message  triggered  due  to  a  higher  failure  ratio, 
check the configurations on the NAS and the RADIUS server and the communications between them. 
Follow these steps to enable the RADIUS trap function: 
To do… Use the command… Remarks 
Enter system view system-view — 
Enable the RADIUS trap 
function 
radius trap { accounting-server-down | 
authentication-error-threshold | authentication-
server-down } 
Required 
Disabled by default 
 
Enabling the listening port of the RADIUS client 
Follow these steps to enable the listening port of the RADIUS client:  
To do… Use the command… Remarks 
Enter system view system-view — 
Enable the listening port of the 
RADIUS client radius client enable Optional 
Enabled by default 
 
Displaying and maintaining RADIUS 
To do… Use the command… Remarks 
Display the configuration information 
of RADIUS schemes 
display radius scheme [ radius-scheme-
name ] [ slot slot-number ] [ | { begin 
| exclude | include } regular-
expression ] 
Available in any view 
Display statistics about RADIUS 
packets 
display radius statistics [ slot slot-
number ] [ | { begin | exclude | 
include } regular-expression ] 
Available in any view 
Display information about buffered 
stop-accounting requests that get no 
responses 
display stop-accounting-buffer { 
radius-scheme radius-server-name | 
session-id session-id | time-range 
start-time stop-time | user-name user-
name } [ slot slot-number ] [ | { begin 
| exclude | include } regular-
expression ] 
Available in any view 
Clear RADIUS statistics reset radius statistics [ slot slot-number 
] Available in user view 
Clear buffered stop-accounting 
requests that get no responses 
reset stop-accounting-buffer { radius-
scheme radius-server-name | session-
id session-id | time-range start-time 
stop-time | user-name user-name } [ 
slot slot-number ] 
Available in user view 
 
Configuring HWTACACS schemes  
 NOTE: 
You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS 
servers in use.