< Home

(Optional) Configuring the RADIUS Server Status Detection Function

Context

A device can detect the RADIUS server status using the RADIUS server status detection function. If the RADIUS server status is Down, users can obtain escape rights. If the RADIUS server status reverts to Up, escape rights are removed from the users and the users are reauthenticated.

Procedure

  • Configure conditions for setting the RADIUS server status to Down. Two scenarios are involved in this configuration.

    • Conditions for setting the RADIUS server status to Down during the RADIUS server status detection.

      1. Run system-view

        The system view is displayed.

      2. Run radius-server { dead-interval dead-interval | dead-count dead-count | detect-cycle detect-cycle }

        The RADIUS server detection interval, number of times the detection interval cycles, and maximum number of consecutive unacknowledged packets in each detection interval are configured.

        By default, the RADIUS server detection interval is 5 seconds, the number of times the detection interval cycles is 2, and the maximum number of consecutive unacknowledged packets in each detection interval is 2.

      3. Run the return command to return to the user view.

    • Set the status of a RADIUS server to Down if no response is received from the server for a long period of time. With this function enabled, you can run the following commands to adjust the maximum unresponsive interval of the RADIUS server.

      1. Run system-view

        The system view is displayed.

      2. Run radius-server max-unresponsive-interval interval

        The longest unresponsive interval for the RADIUS server is configured.

        By default, the longest unresponsive interval for a RADIUS server is 300 seconds.

      3. Run the return command to return to the user view.

  • (Optional) Configure the automatic detection function.

    1. Run system-view

      The system view is displayed.

    2. Run radius-server template template-name

      The RADIUS server template view is displayed.

    3. Run radius-server testuser username user-name password cipher password

      A user account for automatic RADIUS server detection is created.

      By default, no RADIUS template-based user account for automatic detection is configured.

      After the user account for automatic RADIUS server detection is created, the automatic detection function is enabled. By default, the automatic detection function takes effect only for RADIUS servers in Down status.

    4. (Optional) Run radius-server detect-server interval interval

      The automatic detection interval for RADIUS servers in Down status is configured.

      By default, the automatic detection interval for RADIUS servers in Down status is 60 seconds.

    5. (Optional) Run radius-server detect-server up-server interval interval

      Automatic detection for RADIUS servers in Up status is enabled and the automatic detection interval is configured.

      By default, a device does not automatically detect RADIUS servers in Up status.

      On a large-scale network, you are not advised to enable automatic detection for RADIUS servers in Up status. This is because if automatic detection is enabled on multiple NAS devices, the RADIUS server periodically receives a large number of detection packets when processing RADIUS Access-Request packets source from users, which may deteriorate processing performance of the RADIUS server.

    6. (Optional) Run radius-server detect-server timeout timeout

      The timeout period for RADIUS detection packets is configured.

      By default, the timeout period for RADIUS detection packets is 3 seconds.

    7. Run the return command to return to the user view.

  • (Optional) Configure the duration for which a RADIUS server remains Down, namely, configure the Force-up timer.

    After setting the RADIUS server status to Force-up and automatic detection is enabled, the device immediately sends a detection packet. If the device receives a response packet from the RADIUS server within the timeout period, the device sets the RADIUS server status to Up; otherwise, the device sets the RADIUS server status to Down.

    1. Run system-view

      The system view is displayed.

    2. Run radius-server template template-name

      The RADIUS server template view is displayed.

    3. Run radius-server dead-time dead-time

      The Force-up timer for RADIUS servers is configured.

      By default, the Force-up timer for RADIUS servers is 5 minutes.

    4. Run the return command to return to the user view.

  • (Optional) Configure status synchronization between RADIUS authentication and accounting servers.

    1. Run system-view

      The system view is displayed.

    2. Run the radius-server dead-detect-condition by-server-ip command to configure IP address-based automatic detection for RADIUS servers.

      By default, RADIUS authentication and accounting servers are detected separately. After this function is configured, RADIUS authentication and accounting servers with the same IP address in the same VPN instance are detected together and their status are updated at the same time.

    3. Run the return command to return to the user view.

Verifying the Configuration

  • Run the display radius-server { dead-interval | dead-countdetect-cycle } command to check configuration information about the RADIUS server detection interval, number of times the RADIUS server detection interval cycles, and maximum number of consecutive unacknowledged packets in each detection interval.
  • Run the display radius-server configuration command to check configuration information about the user account for automatic detection, detection interval, and timeout period for detection packets in the RADIUS server template.
  • Run the display radius-server max-unresponsive-interval command to check the configuration information about the longest unresponsive interval of the RADIUS server.

Follow-up Procedure

  1. Run the authentication event authen-server-down action authorize command in the authentication profile view to configure the user escape function if the authentication server goes Down. For details, see (Optional) Configuring Authentication Event Authorization Information in NAC Configuration (Unified Mode).
  2. Run the authentication event authen-server-up action re-authen command in the authentication profile view to configure the reauthentication function after the authentication server reverts to the Up status. For details, see (Optional) Configuring Re-authentication for Users in NAC Configuration (Unified Mode).
Parent Topic: Using RADIUS to Perform Authentication, Authorization, and Accounting
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >