Configure RADIUS accounting.
Run the dot1x authentication-method eap command to configure EAP relay authentication for 802.1X users.
Run the dot1x eap-notify-packet eap-code 10 data-type 25 command to configure the device to return the EAP packets with type value of 10 and data type of 25 to the RADIUS server.
Run the radius-attribute translate HW-Up-Priority HW-User-Information receive command to convert the HW-Up-Priority attribute in received RADIUS packets into HW-User-Information.
If the RADIUS server needs to dynamically authorize AAA users, the attributes delivered based on the security check policy may be different from the attributes delivered during CoA. Therefore, run the authorization-modify mode modify command to set the update mode for user authorization information delivered by the RADIUS server to Modify. After the command is executed, the attributes delivered by CoA will not overwrite the attributes delivered by the security check policy.
(In V200R010C00 and later versions) To use the session management function, run the radius-server session-manage ip-address shared-key cipher share-key command to enable session management on the RADIUS server and set the IP address and shared key for the RADIUS session management server.
If the active server fails, the switch sends the authentication request packets to the standby server. The timeout interval of the security check session on the iNode client is short. Therefore, you are advised to run the following command to ensure non-stop services:
Run the radius-server retransmit retry-times timeout time-value command to set the number of RADIUS request packet retransmissions to 1 and timeout interval to be shorter than 5s.