Configuring RADIUS Authentication and Accounting Servers

Procedure

1. Run system-view

   The system view is displayed.

2. Run radius-server group group-name

   The RADIUS server group view is displayed.

3. Run radius-server { shared-key key-string | shared-key-cipher key-string-cipher } [ { authentication | accounting } { ipv4-address [ vpn-instance instance-name ] | ipv6-address } [ source { { interface-name | interface-type interface-number } | ip-address source-ip-address } ] port-number [ weight weight ] ]

   A shared key is configured for the communication with the RADIUS server.

4. Run radius-server authentication { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]

   A RADIUS authentication server is configured.

   To specify a different authentication port for PPP users, run the radius-server authentication ip-address [ vpn-instance instance-name ] ppp-user-port port command to configure a RADIUS authentication server.

5. (Optional) Run radius-server authentication rollover-on-reject

   The function to poll RADIUS servers after receiving a RADIUS Access-Reject packet is enabled.

6. (Optional) Run radius-server { retransmit retry-times | timeout timeout-value }^*

   The maximum number of times the packets can be retransmitted to the RADIUS server and the interval for retransmitting such packets are configured.

   When you run this command, pay attention to the following:

   • If neither the authentication nor the accounting parameter is specified, the configuration of this command takes effect for all RADIUS authentication and accounting servers in the RADIUS server group.
   • If only the authentication parameter is specified, the configuration of this command takes effect for all RADIUS authentication servers in the RADIUS server group.
   • If only the accounting parameter is specified, the configuration of this command takes effect for all RADIUS accounting servers in the RADIUS server group.

7. Run radius-server accounting { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]

   A RADIUS accounting server is configured.

   To specify a different accounting port for PPP users, run the radius-server accounting ip-address [ vpn-instance instance-name ] ppp-user-port port command to configure a RADIUS accounting server.

8. (Optional) Run radius-server accounting-start-packet resend [ resend-times ]

   The maximum number of times a buffered Accounting-Start packet can be retransmitted to the RADIUS accounting server is configured.

9. (Optional) Run radius-server accounting-stop-packet resend [ resend-times ] ]

   The maximum number of times an Accounting-Stop packet can be retransmitted to the RADIUS accounting server is configured.

10. (Optional) Run radius-server accounting-stop-packet send force

    The function to forcibly send an Accounting-Stop packet is enabled.

    In normal cases, a RADIUS server generates user entries only after accounting succeeds. However, some user entries may be generated in the database after authentication succeeds but before accounting is started. For example, if users have requested IP addresses and authentication succeeds but accounting fails due to an exception, the requested IP addresses cannot be released and users fail to go online using these IP addresses. In this case, you need to run this command on the NetEngine 8000 F to forcibly send an Accounting-Stop packet to the RADIUS server to release the requested IP addresses.

    This command applies only to scenarios where user authentication succeeds but accounting fails and residual user entries generated by the RADIUS server exist in the database.

11. (Optional) Run radius-server accounting-interim-packet resend [ resend-times ]

    The function to buffer RADIUS Accounting-Interim packets is enabled, and the maximum number of times a buffered RADIUS Accounting-Interim packet can be retransmitted is configured.

12. (Optional) Run radius-server alarm disable

    The device is configured not to generate a RADIUS server down alarm when the communication between the device and RADIUS server is interrupted.

13. (Optional) Run radius-server accounting cache max-packet-number

    The maximum number of accounting packets that can be buffered is configured.

    

    If the value specified by max-packet-number is not 8192, the maximum number of accounting packets that can be buffered equals the specified value and the number of users whose accounting packets can be buffered is not limited.

14. (Optional) Run radius-server accounting cache retransmit retransmit timeout timeout

    The interval for retransmitting buffered RADIUS accounting packets and the number of users whose accounting packets are triggered to be retransmitted each time are configured.

15. (Optional) Run radius-server accounting cache memory-threshold memory-threshold-value

    A memory usage threshold is configured for the main control board.

16. (Optional) Run radius-server accounting cache-warning-threshold upper-limit upper-limit lower-limit lower-limit

    The function to generate an accounting packet buffer alarm is enabled, and the upper and lower limits are configured for buffering accounting packets.

    Buffer usage of accounting packets = Number of buffered accounting packets/Maximum number of accounting packets that can be buffered

17. (Optional) Run radius-server cache keep packet

    The device is configured not to delete buffered packets when the number of times these packets are retransmitted reaches the specified threshold.

    By default, buffered packets are deleted when the number of times these packets are retransmitted reaches the specified threshold.

18. (Optional) Run radius-server cache resend packet

    The function to retransmit buffered packets is manually triggered.

19. Run commit

    The configuration is committed.