Configuring RADIUS schemes

A RADIUS scheme specifies RADIUS servers that the device can cooperate with and defines a set of parameters that the device uses to exchange information with the RADIUS servers. There can be authentication/authorization servers and accounting servers, or primary servers and secondary servers. The parameters include the server IP addresses, shared keys, and RADIUS server type.

RADIUS scheme configuration task list

Creating a RADIUS scheme

A RADIUS scheme can be referenced by multiple ISP domains at the same time.

Before performing other RADIUS configurations, you must first create a RADIUS scheme and enter RADIUS scheme view.

To create a RADIUS scheme and enter RADIUS scheme view:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a RADIUS scheme and enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: By default, no RADIUS scheme is created.

Specifying the RADIUS authentication/authorization servers

In RADIUS, user authorization information is piggybacked in authentication responses sent to RADIUS clients. It is neither allowed nor needed to specify a separate RADIUS authorization server.

You can specify one primary authentication/authorization server and up to 16 secondary authentication/authorization servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. In a scenario where redundancy is not required, specify only the primary server.

A RADIUS authentication/authorization server can function as the primary authentication/authorization server for one scheme and a secondary authentication/authorization server for another scheme at the same time.

You can enable the server status detection feature. With the feature, the device periodically sends an authentication request to check whether the target RADIUS authentication/authorization server is reachable. If the server can be reached, the device sets the status of the server to active; if it cannot, the device sets the status to block. This feature promptly notifies authentication modules of the latest server status. For example, server status detection can work with the 802.1X critical VLAN feature, so that the device triggers 802.1X authentication for users in the critical VLAN immediately after it detects a reachable RADIUS authentication/authorization server.

Follow these guidelines when you specify RADIUS authentication/authorization servers:

To specify RADIUS authentication/authorization servers for a RADIUS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify RADIUS authentication/authorization servers.
   Command (primary server): primary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *
   Command (secondary server): secondary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *
   Remarks: Configure at least one command. No authentication/authorization server is specified by default.

Specifying the RADIUS accounting servers and the relevant parameters

You can specify one primary accounting server and up to 16 secondary accounting servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. When redundancy is not required, specify only the primary server. A RADIUS accounting server can function as the primary accounting server for one scheme and a secondary accounting server for another scheme at the same time.

When the device receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. The maximum number of real-time accounting attempts set for a scheme determines when the device gives up on an unresponsive accounting server: if no accounting response has been received by the time the number of attempts reaches the limit, the device disconnects the affected users. You can enable buffering of stop-accounting requests that receive no response, so that the device buffers and resends such a request until it receives a response. If the number of stop-accounting attempts reaches the upper limit, the device discards the buffered request.

Follow these guidelines when you specify RADIUS accounting servers:

To specify RADIUS accounting servers and set relevant parameters for a scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify RADIUS accounting servers.
   Command (primary server): primary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   Command (secondary server): secondary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   Remarks: Configure at least one command. No accounting server is specified by default.
4. Set the maximum number of real-time accounting attempts.
   Command: retry realtime-accounting retry-times
   Remarks: Optional. The default setting is 5.
5. Enable buffering of stop-accounting requests to which no responses are received.
   Command: stop-accounting-buffer enable
   Remarks: Optional. Enabled by default.
6. Set the maximum number of stop-accounting attempts.
   Command: retry stop-accounting retry-times
   Remarks: Optional. The default setting is 500.

Specifying the shared keys for secure RADIUS communication

The RADIUS client and RADIUS server use shared keys with the MD5 algorithm to authenticate packets and to encrypt user passwords. Both sides must use the same key for the same type of communication.

A shared key configured for a RADIUS scheme applies to all servers of the same type (accounting or authentication) in the scheme, and has a lower priority than a key configured individually for a RADIUS server.

A shared key configured on the device must be the same as that configured on the RADIUS server.
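As an added illustration of how the shared key enters packet authentication and password hiding (this is example code written for this page, not HPE or Comware code, and the addresses, key, user name and password in it are constructed sample values), the following Python implements the RFC 2865/2866 computations that a NAS and a RADIUS server perform: the Accounting-Request authenticator that the server recomputes with the key it holds for the NAS, the Response Authenticator that the NAS verifies before trusting an Access-Accept, and the User-Password hiding. The server-side function also applies the source-address check described under "Specifying the source IP address for outgoing RADIUS packets": a packet whose source address is not a managed NAS is dropped before any key check runs.

```python
"""RFC 2865/2866 shared-key computations as a NAS (client) and a RADIUS server perform them.
Added example, not Comware code. Addresses, keys and passwords are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
HEADER_LEN = 20                   # code(1) + identifier(1) + length(2) + authenticator(16)
USER_NAME, ACCT_STATUS_TYPE = 1, 40


def build_packet(code, ident, authenticator, attrs):
    """Header plus attributes encoded as RADIUS TLVs: type(1) length(1) value."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body

def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): pad to a multiple of 16 (minimum 16), then XOR each
    chunk with MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the server does it. A wrong key yields garbage rather than an
    error, which is why a key mismatch surfaces as an authentication failure, not a clear message."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\0")

def accounting_request(ident, attrs, secret):
    """Accounting-Request authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret) (RFC 2866 3)."""
    auth = hashlib.md5(build_packet(ACCOUNTING_REQUEST, ident, bytes(16), attrs) + secret).digest()
    return build_packet(ACCOUNTING_REQUEST, ident, auth, attrs)

def verify_accounting_request(packet, secret):
    """Server-side check: recompute the authenticator with the key configured for this NAS."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])

def access_accept(ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret) (RFC 2865 3)."""
    auth = hashlib.md5(build_packet(ACCESS_ACCEPT, ident, request_auth, attrs) + secret).digest()
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)

def verify_response(packet, request_auth, secret):
    """NAS-side check before honouring an Access-Accept/Reject: the response must be bound to the
    Request Authenticator the NAS sent and to the shared key."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])

def server_receive_accounting(src_ip, packet, known_nas):
    """Order of checks on the server: the source IP must be a managed NAS, then the key check.
    known_nas maps NAS IP -> shared key (constructed table)."""
    secret = known_nas.get(src_ip)
    if secret is None:
        return "dropped: source IP is not a managed NAS"
    if not verify_accounting_request(packet, secret):
        return "dropped: Request Authenticator mismatch (shared keys differ?)"
    return "accepted"

def demo():
    """Run each check once with constructed data and return the outcomes."""
    secret = b"constructed-shared-key"
    known_nas = {"192.0.2.10": secret}
    request_auth = os.urandom(16)             # the NAS picks a fresh random Request Authenticator
    hidden = hide_password(b"example-pass", secret, request_auth)
    acct = accounting_request(7, [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, b"\0\0\0\1")], secret)
    return {
        "password_roundtrip": reveal_password(hidden, secret, request_auth) == b"example-pass",
        "acct_known_nas": server_receive_accounting("192.0.2.10", acct, known_nas),
        "acct_unknown_nas": server_receive_accounting("198.51.100.9", acct, known_nas),
        "acct_key_mismatch": server_receive_accounting("192.0.2.10", acct, {"192.0.2.10": b"other"}),
        "accept_ok": verify_response(access_accept(7, request_auth, [], secret), request_auth, secret),
        "accept_wrong_key": verify_response(access_accept(7, request_auth, [], b"other"), request_auth, secret),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two points the code makes that the prose above only implies: a per-server key that differs from the scheme key, or a key that differs between device and server, does not produce a readable error on the wire, it simply makes every authenticator check fail, which is why "display radius statistics" and the server's own log are the places to look; and the MD5-based constructions are keyed hashes of the whole packet, so the shared key should be long and random rather than a word, since anyone who captures packets can test key guesses offline against the authenticator.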

To specify a shared key for secure RADIUS communication:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify a shared key for secure RADIUS authentication/authorization or accounting communication.
   Command: key { accounting | authentication } [ cipher | simple ] key
   Remarks: By default, no shared key is specified.

Specifying a VPN for the scheme

After you specify a VPN for a RADIUS scheme, all AAA servers specified for the scheme belong to that VPN. However, if you also specify a VPN when you specify an individual server for the scheme, that server belongs to the VPN specified for it.

To specify a VPN for a RADIUS scheme:

1. Enter system view.
   Command: system-view
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
3. Specify a VPN for the RADIUS scheme.
   Command: vpn-instance vpn-instance-name

Setting the username format and traffic statistics units

A username is usually in the format userid@isp-name, where isp-name represents the ISP domain name of the user and is used by the device to determine which users belong to which ISP domains. However, some earlier RADIUS servers do not recognize usernames that contain the user ISP domain name. In this case, you can configure the device to remove the domain name from each username before sending the username.

The device periodically sends accounting updates to RADIUS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure that the data flow and packet unit settings on the device are consistent with those on the RADIUS server.

Follow these guidelines when you set the username format and the traffic statistics units:

To set the username format and the traffic statistics units for a RADIUS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Set the format for usernames sent to the RADIUS servers.
   Command: user-name-format { keep-original | with-domain | without-domain }
   Remarks: Optional. By default, the ISP domain name is included in a username.
4. Specify the unit for data flows or packets sent to the RADIUS servers.
   Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
   Remarks: Optional. The default unit is byte for data flows and one-packet for data packets.

Setting the supported RADIUS server type

The supported RADIUS server type determines the type of the RADIUS protocol that the device uses to communicate with the RADIUS server. It can be standard or extended:

When the RADIUS server runs on IMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies. For the device to function as a RADIUS server to authenticate login users, set the RADIUS server type to standard.

Changing the RADIUS server type restores the unit for data flows and that for the packets sent to the RADIUS server to the defaults.

To set the RADIUS server type:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Set the RADIUS server type.
   Command: server-type { extended | standard }
   Remarks: Optional. The default RADIUS server type is standard.

Setting the maximum number of RADIUS request transmission attempts

RADIUS uses UDP packets to transfer data. UDP communication is not reliable. To improve reliability, RADIUS uses a retransmission mechanism. If a NAS sends a RADIUS request to a RADIUS server but receives no response before the response timeout timer (defined by the timer response-timeout command) expires, it retransmits the request. If the number of transmission attempts exceeds the specified limit but it still receives no response, it tries to communicate with other RADIUS servers in active state. If no other servers are in active state at the time, it considers the authentication or accounting attempt a failure. For more information about RADIUS server states, see "Setting the status of RADIUS servers."

The maximum number of transmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75 seconds. For more information about the RADIUS server response timeout timer, see "Setting RADIUS timers."

To set the maximum number of RADIUS request transmission attempts for a scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Set the maximum number of RADIUS request transmission attempts.
   Command: retry retry-times
   Remarks: Optional. The default setting is 3.

Setting the status of RADIUS servers

By setting the status of RADIUS servers to blocked or active, you can control which servers the device communicates with for AAA or uses when the current servers are no longer available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers. Generally, the device chooses servers based on these rules:

If the quiet timer of the servers is set to 0, the device does not change the status of an unreachable authentication or accounting server. Instead, it keeps the server status as active and sends the current authentication or accounting packets to another server in active state, so that subsequent authentication or accounting packets can still be sent to the server. For more information about the quiet timer, see "Setting RADIUS timers."

By default, the device sets the status of all RADIUS servers to active. In some cases, however, you may have to change the status of a server. For example, if a server fails, you can change the status of the server to blocked to avoid communication attempts to the server.

The server status set by the state command cannot be saved to the configuration file. After the device restarts, the status of each server is restored to active. To display the states of the servers, use the display radius scheme command.

To set the status of RADIUS servers in a RADIUS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Set the RADIUS server status.
   Command (primary authentication/authorization server): state primary authentication { active | block }
   Command (primary accounting server): state primary accounting { active | block }
   Command (secondary authentication/authorization server): state secondary authentication [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
   Command (secondary accounting server): state secondary accounting [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
   Remarks: Optional. By default, all servers in the RADIUS scheme are in active state.

Specifying the source IP address for outgoing RADIUS packets

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.

Usually, the source address of outgoing RADIUS packets can be the IP address of any NAS interface that can communicate with the RADIUS server. In some special cases, however, you must change the source IP address. For example, if a NAT device is present between the NAS and the RADIUS server, the source IP address of outgoing RADIUS packets must be a public IP address of the NAS. If the NAS is configured with VRRP for stateful failover, the source IP address of outgoing RADIUS packets can be the virtual IP address of the uplink VRRP group.

You can specify a source IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme, or in system view for all RADIUS schemes whose servers are in the same VPN. Before sending a RADIUS packet, the NAS selects a source IP address in the following order:

To specify a source IP address for all RADIUS schemes:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify a source IP address for outgoing RADIUS packets.
   Command: radius nas-ip { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
   Remarks: By default, the IP address of the outbound interface is used as the source IP address.

To specify a source IP address for a specific RADIUS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify a source IP address for outgoing RADIUS packets.
   Command: nas-ip { ip-address | ipv6 ipv6-address }
   Remarks: By default, the IP address of the outbound interface is used as the source IP address.

Specifying a backup source IP address for outgoing RADIUS packets

In a stateful failover scenario, the active device authenticates portal users by interacting with the RADIUS server, and synchronizes its online portal user information to the standby device through the backup link established between them. The standby device only receives and processes synchronization messages from the active device. However, when the active device fails, the RADIUS server cannot send RADIUS packets to the standby device because it does not have the IP address of the standby device.

To solve this problem, configure the source IP address for outgoing RADIUS packets on each device as the backup source IP address for outgoing RADIUS packets on the other device. With such configuration, the active device sends the source IP address for outgoing RADIUS packets that is configured on the standby device to the RADIUS server, so that the RADIUS server can send unsolicited RADIUS packets to the standby device.

You can specify a backup IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme, or in system view for all RADIUS schemes whose servers are in the same VPN. Before sending a RADIUS packet, the NAS uses the following order to select a backup source IP address:

If no backup source IP address is specified in either view, the NAS sends no backup source IP address to the server.

To specify a backup source IP address for all RADIUS schemes:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify a backup source IP address for outgoing RADIUS packets.
   Command: radius nas-backup-ip ip-address [ vpn-instance vpn-instance-name ]
   Remarks: Not specified by default.

To specify a backup source IP address for a RADIUS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify a backup source IP address for outgoing RADIUS packets.
   Command: nas-backup-ip ip-address
   Remarks: Not specified by default.

The backup source IP address specified for outgoing RADIUS packets takes effect only when stateful failover is configured, and it must be the source IP address for outgoing RADIUS packets that is configured on the standby device.

Setting RADIUS timers

The device uses the following types of timers to control the communication with a RADIUS server:

Follow these guidelines when you set RADIUS timers:

For more information about the maximum number of RADIUS packet transmission attempts, see "Setting the maximum number of RADIUS request transmission attempts."

To set RADIUS timers:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Set the RADIUS server response timeout timer.
   Command: timer response-timeout seconds
   Remarks: Optional. The default RADIUS server response timeout timer is 3 seconds.
4. Set the quiet timer for the servers.
   Command: timer quiet minutes
   Remarks: Optional. The default quiet timer is 5 minutes.
5. Set the real-time accounting timer.
   Command: timer realtime-accounting minutes
   Remarks: Optional. The default real-time accounting timer is 12 minutes.
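To make the interaction between retry-times, the response timeout, the quiet timer and server states concrete, here is an added Python model of the NAS behaviour described under "Setting the maximum number of RADIUS request transmission attempts", "Setting the status of RADIUS servers" and the timer table above. It is example code written for this page, not Comware's implementation: the server addresses are constructed, reachability is a flag rather than real traffic, and time is simulated in seconds. The defaults in the model are the defaults of the commands (retry 3, response-timeout 3 seconds, quiet 5 minutes), and validate() checks the 75-second constraint on retry-times multiplied by the response timeout.

```python
"""Model of the NAS-side retransmission, server-selection and quiet-timer rules in this chapter.
Added example, not Comware code. Server reachability is a constructed flag and time is simulated."""
from dataclasses import dataclass


@dataclass
class Server:
    addr: str
    reachable: bool            # constructed stand-in for "the server answers"
    state: str = "active"      # active | block, what display radius scheme would show
    blocked_at: float = 0.0    # simulated time at which the quiet timer started


@dataclass
class Scheme:
    servers: list              # primary first, then secondaries in configured order
    retry: int = 3             # retry retry-times
    response_timeout: int = 3  # timer response-timeout seconds
    quiet_minutes: int = 5     # timer quiet minutes (0 = never mark a server blocked)

    def validate(self):
        """Constraint stated in the guide: attempts x response timeout must not exceed 75 seconds."""
        return self.retry * self.response_timeout <= 75


def send_request(scheme, now):
    """Try the servers in order, honouring server states; return (outcome, seconds spent, log).
    Each attempt to an unreachable server costs one response timeout. After retry attempts the
    NAS moves on and marks the server blocked for the quiet period (unless quiet is 0)."""
    elapsed, log = 0, []
    for srv in scheme.servers:
        if srv.state == "block":
            if now + elapsed - srv.blocked_at < scheme.quiet_minutes * 60:
                log.append(f"{srv.addr}: blocked, skipped")
                continue
            srv.state = "active"          # quiet timer expired: the server is tried again
            log.append(f"{srv.addr}: quiet timer expired, back to active")
        for attempt in range(1, scheme.retry + 1):
            if srv.reachable:
                log.append(f"{srv.addr}: response on attempt {attempt}")
                return "success", elapsed, log
            elapsed += scheme.response_timeout
            log.append(f"{srv.addr}: attempt {attempt} timed out")
        if scheme.quiet_minutes > 0:
            srv.state, srv.blocked_at = "block", now + elapsed
            log.append(f"{srv.addr}: marked block")
        # with quiet 0 the server stays active and later requests try it again at full cost
    return "failure", elapsed, log


def worst_case_seconds(scheme):
    """Time one request can consume before the NAS reports failure with every server down."""
    return len(scheme.servers) * scheme.retry * scheme.response_timeout


def demo():
    """Primary down, one reachable secondary, three requests spread over the quiet period."""
    scheme = Scheme([Server("192.0.2.1", reachable=False), Server("192.0.2.2", reachable=True)])
    first = send_request(scheme, now=0)     # pays retry x response-timeout on the primary
    second = send_request(scheme, now=30)   # primary still blocked, goes straight to the secondary
    third = send_request(scheme, now=400)   # quiet timer expired, primary is probed again
    return first, second, third, scheme


if __name__ == "__main__":
    for outcome, elapsed, log in demo()[:3]:
        print(outcome, f"after {elapsed}s:", "; ".join(log))
```

Run it and the log shows the primary absorbing retry times response-timeout seconds (9 s with the defaults) before the NAS falls back to the secondary, the primary being skipped while its quiet timer runs, and the primary being retried once the timer expires. With quiet set to 0 the primary stays active and every request pays the timeout cost again, which is the trade-off behind the quiet-timer rule stated earlier; worst_case_seconds() gives the delay a user-facing authentication can suffer when all servers are down, which is the figure to weigh when raising retry-times or the response timeout.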

Configuring RADIUS accounting-on

The accounting-on feature enables a device to send an accounting-on packet to the RADIUS server after it reboots so the server can log out users who logged in through the device before the reboot. Without this feature, users who were online before the reboot could not log in again after the reboot, because the RADIUS server would consider them still online.

If a device sends an accounting-on packet to the RADIUS server but receives no response, it resends the packet to the server at a particular interval for a specified number of times.

The accounting-on feature requires the cooperation of the HPE IMC network management system.

To configure the accounting-on feature for a RADIUS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Enable accounting-on and configure parameters.
   Command: accounting-on enable [ interval seconds | send send-times ] *
   Remarks: Disabled by default. The default interval is 3 seconds, and the default number of send-times is 5.

Configuring the IP address of the security policy server

The core of the HPE EAD solution is integration and cooperation. The security policy server is the management and control center for EAD. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.

The NAS checks the validity of received control packets and accepts only control packets from known servers. To use a security policy server that is independent of the AAA servers, you must configure the IP address of the security policy server on the NAS. To implement all EAD functions, configure both the IP address of the IMC security policy server and that of the IMC Platform on the NAS.

To configure the IP address of the security policy server for a scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify a security policy server.
   Command: security-policy-server ip-address
   Remarks: No security policy server is specified by default.

Configuring interpretation of the RADIUS class attribute as CAR parameters

This task is required when the RADIUS server supports assigning CAR parameters through the class attribute and the device supports CAR parameters assignment.

According to RFC 2865, a RADIUS server can assign the RADIUS class attribute (attribute 25) to a RADIUS client. However, the RFC only requires the RADIUS client to forward the attribute unmodified to the accounting server; it does not require the client to interpret the attribute. When RADIUS servers use the class attribute to deliver assigned CAR parameters, the device must interpret the attribute as CAR parameters to implement user-based traffic monitoring and control.

To configure the device to interpret the RADIUS class attribute as CAR parameters:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Interpret the class attribute as CAR parameters.
   Command: attribute 25 car
   Remarks: By default, RADIUS attribute 25 is not interpreted as CAR parameters.

Enabling the trap function for RADIUS

With the trap function, the NAS sends a trap message when either of the following events occurs:

The failure ratio is generally small. If a trap message is triggered because the failure ratio exceeds the threshold, troubleshoot the configuration of the NAS and the RADIUS server and the communication between them.

To enable the trap function for RADIUS:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the trap function for RADIUS.
   Command: radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
   Remarks: Disabled by default.

Enabling the RADIUS client service

To receive and send RADIUS packets, enable the RADIUS client on the device. If RADIUS is not required, disable the RADIUS client service to avoid attacks that exploit RADIUS packets.

To enable the RADIUS client service:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the RADIUS client service.
   Command: radius client enable
   Remarks: Optional. Enabled by default.

Setting the DSCP value for RADIUS packets

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the DSCP value for IPv4 RADIUS packets.
   Command: radius dscp dscp-value
   Remarks: Optional. The default DSCP value is 0.
3. Set the DSCP value for IPv6 RADIUS packets.
   Command: radius ipv6 dscp dscp-value
   Remarks: Optional. The default DSCP value is 0.

Displaying and maintaining RADIUS

Display the configuration information of RADIUS schemes.
   Command: display radius scheme [ radius-scheme-name ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Display RADIUS packet statistics.
   Command: display radius statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Display information about buffered stop-accounting requests for which no responses have been received.
   Command: display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Clear RADIUS statistics.
   Command: reset radius statistics [ slot slot-number ]
   Remarks: Available in user view.
Clear the buffered stop-accounting requests for which no responses have been received.
   Command: reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]
   Remarks: Available in user view.