(Optional) Configuring the RADIUS Server Group

Context

To prevent risks in communication between the device and the RADIUS server, deploy the communication network between the device and the RADIUS server in a security zone.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run radius enable

    The RADIUS service is enabled.

    By default, the RADIUS service is enabled.

  3. (Optional) Run radius-server { dead-count dead-count [ fail-rate fail-rate-value ] | dead-interval dead-interval | dead-time dead-time [ recover-count invalid ] } *

    The parameters used to determine the status of the RADIUS server are set.

    If the router sends RADIUS packets the number of times configured by dead-count without receiving a response, and the interval between the first and the last unanswered packet is longer than dead-interval, the router determines that the RADIUS server is working abnormally and changes the status of the RADIUS server to Down.

    After setting the status of the RADIUS server to Down, the router waits for the dead-time period configured in this command before setting the status of the RADIUS server back to Up. At the same time, the router attempts to reestablish a connection with the RADIUS server. If the connection cannot be established, the router sets the status of the RADIUS server to Down again.

  4. Run radius-server group group-name

    The RADIUS server group is created, and the RADIUS server group view is displayed.

  5. Run radius-server { shared-key key-string | shared-key-cipher key-string-cipher } [ { authentication | accounting } { ipv4-address [ vpn-instance instance-name ] | ipv6-address } [ source { { interface-name | interface-type interface-number } | ip-address source-ip-address } ] port-number [ weight weight ] ]

    The shared key for the communication with the RADIUS server is configured.

  6. Run radius-server authentication ip-address [ vpn-instance instance-name | source { interface-name | interface-type interface-number | ip-address source-ip-address } | { shared-key key-string | shared-key-cipher cipher-string } ] * port [ weight weight-value ]

    Or run radius-server authentication ip-address port { vpn-instance instance-name | { shared-key key-string | shared-key-cipher cipher-string } | source { { interface-name | interface-type interface-number } | ip-address ip-address } } * [ weight weight-value ]

    The address and shared key of the primary (secondary) RADIUS authentication server are configured.

  7. Run radius-server user-name { domain-included | original }

    Whether the user name sent to the RADIUS server contains the domain name is configured.

    By default, the user name contains the domain name.

  8. Run radius-server source interface interface-type interface-number

    The source interface for packets sent to the RADIUS server is configured. The router uses the IP address of this source interface as the source address of packets it sends to the RADIUS server.

    By default, no source interface is configured.

    When a RADIUS server is deployed in a VPN and the router sends a packet to the RADIUS server, the IP address of the source interface configured using the radius-server source interface command is preferentially selected. If no source interface is configured, the router selects, based on the VPN ID and destination IP address, the outbound interface with a reachable route and uses its IP address as the source IP address. If no such route is found, the router selects the IP address of any interface within the VPN as the source IP address.

  9. Run radius-server nas-ip-address ip-address

    The IP address of the NAS (Network Access Server) for the group is configured.

    A device's NAS-IP address is used as the destination IP address of a response packet to be sent from the RADIUS server.

  10. (Optional) Configure the transmission reliability of RADIUS packets.
    1. Run radius-server retransmit retry-times

      The number of times the router retransmits a request packet to the RADIUS server is configured.

      After the number of times for retransmitting a request packet exceeds the configured number of packet retransmission times, the router considers that the RADIUS server is faulty.

    2. (Optional) Run radius-server timeout time-value

      The response timeout period of the RADIUS server is configured.

      To check whether a RADIUS server is valid, the router periodically sends request packets to the RADIUS server. If the router receives no response within the timeout period, it retransmits request packets.

  11. Run commit

    The configuration is committed.
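The following is an added, self-contained configuration walk-through of the procedure above; it is not an example from the original page or from Huawei's own documentation. The group name rg-example, the addresses 192.0.2.10/192.0.2.11 (servers) and 192.0.2.1 (NAS address on LoopBack 0), the timer values, and the shared-key placeholder are constructed assumptions; lines beginning with # are annotations, not commands.

```text
# Step 1: enter the system view
system-view
# Step 2: the RADIUS service is on by default; this makes the state explicit
radius enable
# Step 3 (optional): declare a server Down after 3 unanswered packets spread over
# more than 5 s, keep it Down for 10 min, then probe again (values are assumptions)
radius-server dead-count 3 dead-interval 5 dead-time 10
# Step 4: create the group and enter the RADIUS server group view
radius-server group rg-example
# Step 5: group-wide shared key; shared-key-cipher keeps it out of the config in clear text
radius-server shared-key-cipher <SHARED-KEY-PLACEHOLDER>
# Step 6: primary and secondary authentication servers on the standard port 1812;
# the higher weight marks the preferred server
radius-server authentication 192.0.2.10 1812 weight 80
radius-server authentication 192.0.2.11 1812 weight 40
# Step 7: send user@domain to the server (this is also the default)
radius-server user-name domain-included
# Step 8: source packets from a stable loopback so the server's client entry
# matches a single, predictable address
radius-server source interface LoopBack 0
# Step 9: NAS-IP-Address the server replies to; must match the client entry on the server
radius-server nas-ip-address 192.0.2.1
# Step 10 (optional): fail over after 3 retransmissions with a 5 s response timeout
radius-server retransmit 3
radius-server timeout 5
# Step 11: commit the configuration
commit
```

Deploy the shared key and the server's client entry together: a key or NAS address that does not match on both sides is the most common reason a freshly configured group shows every server as Down.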

Copyright © Huawei Technologies Co., Ltd.