Operation Manual – AAA-RADIUS-HWTACACS
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 AAA/RADIUS/HWTACACS Configuration
Note:
• In practice, you can specify two RADIUS servers as the primary and secondary
  accounting servers respectively, or specify one server to function as both. In
  addition, because RADIUS uses different UDP ports to receive
  authentication/authorization and accounting packets, the port for
  authentication/authorization must be different from that for accounting.
• You can set the maximum number of transmission attempts for buffered
  stop-accounting requests, allowing the device to buffer and resend a
  stop-accounting request until it receives a response or the number of
  transmission retries reaches the configured limit. In the latter case, the device
  discards the packet.
• You can set the maximum number of accounting request transmission attempts on
  the device, allowing the device to disconnect a user when the number of accounting
  request transmission attempts for the user reaches the limit and the device has
  still received no response to the accounting request.
• The IP addresses of the primary and secondary accounting servers cannot be the
  same. Otherwise, the configuration fails.
• Currently, RADIUS does not support accounting for FTP users.
1.4.4 Setting the Shared Key for RADIUS Packets
The RADIUS client and RADIUS server use the MD5 algorithm to encrypt packets
exchanged between them and a shared key to verify the packets. Only when the same
key is used can they properly receive the packets and make responses.
Follow these steps to set the shared key for RADIUS packets:
To do…                           Use the command…                            Remarks
Enter system view                system-view                                 —
Create a RADIUS scheme and       radius scheme radius-scheme-name            Required
enter RADIUS scheme view                                                     Not defined by default
Set the shared key for RADIUS    key { accounting | authentication } string  Required
authentication/authorization                                                 No key by default
or accounting packets
Note:
The shared key configured on the device must be the same as that configured on the
RADIUS server.
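
The following Python example is added here and is not part of the H3C manual. It shows how the shared key enters the MD5 computations defined in RFC 2865 (User-Password hiding and the Response Authenticator), and why a key mismatch between the device and the RADIUS server breaks the exchange. The function names and all key, password and authenticator values are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _blocks(data):
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def hide_password(password, key, request_auth):
    """RFC 2865 5.2: XOR the zero-padded password with MD5(key + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    hidden, prev = b"", request_auth
    for block in _blocks(password.ljust(size, b"\x00")):
        pad = hashlib.md5(key + prev).digest()
        prev = bytes(a ^ b for a, b in zip(block, pad))
        hidden += prev
    return hidden

def reveal_password(hidden, key, request_auth):
    """Server side: reverse hide_password using the server's copy of the key."""
    clear, prev = b"", request_auth
    for block in _blocks(hidden):
        pad = hashlib.md5(key + prev).digest()
        clear += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return clear.rstrip(b"\x00")

def build_reply(code, ident, attrs, request_auth, key):
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+key)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + key).digest()
    return header + auth + attrs

def client_accepts(reply, request_auth, key):
    """Device side: recompute the authenticator; drop the reply on mismatch."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + key).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    # Constructed sample values, not taken from the manual.
    ra = bytes(range(16))  # Request Authenticator (random in a real request)
    device_key, good, bad = b"example-key", b"example-key", b"other-key"
    hidden = hide_password(b"constructed-password", device_key, ra)
    for server_key in (good, bad):
        reply = build_reply(2, 1, b"", ra, server_key)  # 2 = Access-Accept
        print(server_key, reveal_password(hidden, server_key, ra),
              client_accepts(reply, ra, device_key))
```

With the mismatched key the server recovers a garbled password and the device rejects the server's reply, which on a live network looks like authentication timeouts rather than an explicit key error.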