(Optional) Configuring a RADIUS Authorization Server

You can configure multiple RADIUS authorization servers to authorize users who access dynamic services.

Context

You need to configure a RADIUS authorization server for a dynamic service so that the RADIUS server can dynamically authorize a user when the user accesses the dynamic service.

The NetEngine 8000 F supports Change of Authorization (CoA). Authorization information about online users can be dynamically changed. While maintaining the online status of users, the network administrator can modify the service attributes on the RADIUS server and then send CoA packets to dynamically change the services accessed by users. This authorization mode is referred to as dynamic authorization.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius-server authorization ip-address [ vpn-instance string ] [ destination-ip destination-ip-addr ] [ destination-port destination-port-id ] { { shared-key key | shared-key-cipher { key2 | key3 } } | server-group groupname } * [ ack-reserved-interval interval ]

    A global RADIUS authorization server is configured.

    To allow the device to answer retransmitted packets from the RADIUS authorization server with the retained authorization response packet, set the period of retaining the authorization response when configuring the RADIUS authorization server.

    If destination-ip destination-ip-addr or destination-port destination-port-id has been configured, the device checks the destination IP address or port number in the CoA packets and discards the packets if the destination IP address or port number does not match.

  3. Run radius-server authorization error-reply { version1 | version2 }

    The rule for the CoA response packets sent by the NetEngine 8000 F is configured.

  4. Run radius-server authorization accounting-realtime-packet disable

    The NetEngine 8000 F is disabled from automatically responding with a real-time accounting packet upon receipt of a CoA message delivered by the RADIUS server.

    Because the NetEngine 8000 F no longer responds automatically with a real-time accounting packet after this command is run, the RADIUS server cannot learn the latest user status in a timely manner. To resolve this problem, run the accounting interim interval interval [ second ] [ traffic ] [ hash ] command to set an interval at which the RADIUS server advertises the latest user status.

  5. Run commit

    The configuration is committed.
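The checks described in step 2 can be modeled as follows. This is an added example, not Huawei code or part of the original page: it applies the destination IP address and port match, verifies the CoA-Request authenticator against the shared key as defined in RFC 5176, and replays a retained response to a retransmitted request. The class name, addresses, key and user name are constructed for illustration, and the authorization change itself is not modeled (every valid request is acknowledged).

```python
import hashlib, hmac, struct

COA_REQUEST, COA_ACK = 43, 44            # RFC 5176 packet codes

def radius_auth(code, ident, attrs, secret, auth_field=bytes(16)):
    # MD5(Code | Identifier | Length | 16-octet field | Attributes | shared key)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + auth_field + attrs + secret).digest()

def build_coa_request(ident, attrs, secret):
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return head + radius_auth(COA_REQUEST, ident, attrs, secret) + attrs

class CoAReceiver:
    """Hypothetical model of the checks in step 2; not vendor code."""
    def __init__(self, secret, dest_ip=None, dest_port=None, retain=0):
        self.secret, self.dest_ip, self.dest_port = secret, dest_ip, dest_port
        self.retain = retain             # seconds a response is kept for retransmissions
        self.sent = {}                   # (src, id, authenticator) -> (expiry, response)

    def handle(self, pkt, src_ip, dst_ip, dst_port, now):
        # Destination checks come first: a mismatch is dropped without a reply.
        if self.dest_ip and dst_ip != self.dest_ip:
            return "discard: destination-ip mismatch", None
        if self.dest_port and dst_port != self.dest_port:
            return "discard: destination-port mismatch", None
        if len(pkt) < 20:
            return "discard: malformed", None
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if code != COA_REQUEST or length != len(pkt):
            return "discard: malformed", None
        # Only a sender that knows the shared key can produce this value.
        expected = radius_auth(code, ident, pkt[20:], self.secret)
        if not hmac.compare_digest(expected, pkt[4:20]):
            return "discard: bad authenticator", None
        key = (src_ip, ident, pkt[4:20])
        if key in self.sent and self.sent[key][0] > now:
            return "resend retained response", self.sent[key][1]
        # The response authenticator covers the request authenticator.
        resp_auth = radius_auth(COA_ACK, ident, b"", self.secret, pkt[4:20])
        resp = struct.pack("!BBH", COA_ACK, ident, 20) + resp_auth
        self.sent[key] = (now + self.retain, resp)
        return "ack", resp

# Constructed sample values (made-up key and user name).
KEY = b"example-shared-key"
ATTRS = bytes([1, 7]) + b"alice"         # User-Name attribute
REQUEST = build_coa_request(9, ATTRS, KEY)
```
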

Copyright © Huawei Technologies Co., Ltd.