2-17
z If you adopt the local RADIUS authentication server function, the UDP port number of the
authentication/authorization server must be 1645, the UDP port number of the accounting server
must be 1646, and the IP addresses of the servers must be set to the addresses of this device.
z The message encryption key set by the local-server nas-ip ip-address key password command
must be identical with the authentication/authorization message encryption key set by the key
authentication command in the RADIUS scheme view of the RADIUS scheme on the specified
NAS that uses this device as its authentication server.
z The device supports IP addresses and shared keys for up to 16 network access servers (NAS).
That is, when acting as the local RADIUS authentication server, the device can provide
authentication service to up to 16 network access servers (including the device itself) at the same
time.
z When acting as the local RADIUS authentication server, the device does not support EAP
authentication.
After sending out a RADIUS request (authentication/authorization request or accounting request) to a
RADIUS server, the device waits for a response from the server. The maximum time that the device can
wait for the response is called the response timeout time of RADIUS servers, and the corresponding
timer in the device system is called the response timeout timer of RADIUS servers. If the device gets no
answer within the response timeout time, it needs to retransmit the request to ensure that the user can
obtain RADIUS service.
For the primary and secondary servers (authentication/authorization servers, or accounting servers) in
a RADIUS scheme:
When the device fails to communicate with the primary server due to some server trouble, the device
will turn to the secondary server and exchange messages with the secondary server.
After the primary server remains in the block state for a specific time (set by the timer quiet command),
the device will try to communicate with the primary server again when it has a RADIUS request. If it
finds that the primary server has recovered, the device immediately restores the communication with
the primary server instead of communicating with the secondary server, and at the same time restores
the status of the primary server to active while keeping the status of the secondary server unchanged.
To control the interval at which users are charged in real time, you can set the real-time accounting
interval. After the setting, the device periodically sends online users' accounting information to RADIUS
server at the set interval.
Follow these steps to set timers for RADIUS servers:
To do… Use the command… Remarks
Enter system view system-view —
Create a RADIUS scheme and
enter its view radius scheme
radius-scheme-name
Required
By default, a RADIUS scheme
named "system" has already
been created in the system.