29
The NAS checks the validity of received control packets and accepts only control packets from known
servers. To use a security policy server that is independent of the AAA servers, you must configure the IP
address of the security policy server on the NAS. To implement all EAD functions, configure both the IP
address of the iMC security policy server and that of the iMC configuration platform on the NAS.
Follow these steps to specify a security policy server:
To do…
Use the command…
Remarks
Enter system view
system-view
—
Enter RADIUS scheme view
radius scheme
radius-scheme-name
—
Specify a security policy server
security-policy-server
ip-address
Required
No security policy server is
specified by default
NOTE:
You can specify up to eight security policy servers for a RADIUS scheme.
Configuring interpretation of RADIUS class attribute as CAR parameters
According to RFC 2865, a RADIUS server assigns the RADIUS class attribute (attribute 25) to a RADIUS
client. However, the RFC only requires the RADIUS client to send the attribute to the accounting server on
an ―as is‖ basis; it does not require the RADIUS client to interpret the attribute. Some RADIUS servers use
the class attribute to deliver the assigned committed access rate (CAR) parameters. In this case, the
access devices need to interpret the attribute to implement user-based traffic monitoring and controlling.
To support such applications, configure the access devices to interpret the class attribute as the CAR
parameters.
Follow these steps to configure the RADIUS client to interpret the class attribute as the CAR parameters:
To do…
Use the command…
Remarks
Enter system view
system-view
—
Enter RADIUS scheme view
radius scheme
radius-
scheme-name
—
Specify to interpret the class
attribute as the CAR parameters
attribute 25 car
Required
Be default, RADIUS attribute 25 is not
interpreted as CAR parameters.
NOTE:
Whether to configure this feature depends on the implementation of the device and the RADIUS server.
Enabling the RADIUS trap function
With the RADIUS trap function, a NAS sends a trap message in either of these situations:
The status of a RADIUS server changes. If a NAS sends and retransmits an accounting or
authentication request to a RADIUS server but gets no response before the maximum number of
transmission attempts is reached, it considers the server unavailable and sends a trap message. If
the NAS receives a response from a RADIUS server in the blocked state, the NAS considers that the
RADIUS server is reachable again and also sends a trap message.
The ratio of the number of failed transmission attempts to the total number of authentication request
transmission attempts reaches the threshold. This threshold ranges from 1% to 100% and defaults to
30%. This threshold can only be configured through the MIB.