(Optional) Configuring IP Addresses for Web Authentication and RADIUS Authorization Servers

In hot backup scenarios, the mapping between address pools and BAS-IP addresses must be specified on the web authentication server for each pair of master and backup devices. An IP address pool is shared only by the master and backup devices. Therefore, each pair of master and backup devices must have a source address to communicate with the web authentication server. The source IP address of portal packets sent by a device to the web authentication server can be configured as the BAS-IP address using the web-auth-server source [ vpn-instance vpn-instance-name ] source-ip-address command.

In Change-of-Authorization (CoA) and DM applications, the RADIUS authorization server sends requests to the router, and the router responds to the RADIUS authorization server. The RADIUS server then checks the source IP address of reply packets for security. In N:1 hot backup scenarios, the RADIUS authorization server determines the IP address of the router to which authorization packets are sent based on user's bill information. This IP address can be a NAS-IP address or the address that the router uses to exchange accounting-start packets with the RADIUS server.

To ensure that the RADIUS authorization server sends authorization packets to the exact router, run the radius-authorization source command to specify a source IP address for each pair of master and backup devices. To ensure that the source IP address in the reply packets sent by the router to the RADIUS server is the same as the NAS-IP address, run the radius-authorization source same-as nas-logic-ip command. Alternatively, run the radius-authorization source [ vpn-instance vpn-instance-name ] source-ip-address command to specify a source IP address.

Perform the following operations on both devices that back up each other: