Setting the status of RADIUS servers
About RADIUS server status
To control which RADIUS servers the device communicates with when the current servers are no longer available, set the status of each RADIUS server to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers. The secondary servers act as backups for the primary server. When the RADIUS server load sharing feature is disabled, the device chooses servers based on the following rules:
When the primary server is in active state, the device first tries to communicate with the primary server. If the primary server is unreachable, the device searches for an active secondary server in the order the servers are configured.
When one or more servers are in active state, the device tries to communicate with these active servers only, even if the servers are unavailable.
When all servers are in blocked state, the device only tries to communicate with the primary server.
If a server is unreachable, the device performs the following operations:
Changes the server status to blocked.
Starts a quiet timer for the server.
Tries to communicate with the next secondary server in active state that has the highest priority.
When the quiet timer of a server expires or you manually set the server to the active state, the status of the server changes back to active. The device does not check the server again during the authentication or accounting process.
The search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If no server is reachable, the device considers the authentication or accounting attempt a failure.
When you remove a server in use, communication with the server times out. The device looks for a server in active state by first checking the primary server, and then checking secondary servers in the order they are configured.
When a RADIUS server's status changes automatically, the device changes this server's status accordingly in all RADIUS schemes in which this server is specified.
When a RADIUS server is manually set to blocked, server detection is disabled for the server, regardless of whether a test profile has been specified for the server. When the RADIUS server is set to active state, server detection is enabled for the server if an existing test profile is specified for it.
By default, the device sets the status of all RADIUS servers to active. However, in some situations, you must change the status of a server. For example, if a server fails, you can change the status of the server to blocked to avoid communication attempts to the server.
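The selection rules above (load sharing disabled) can be traced with a small simulation. This is an added example, not vendor code: the Server and Scheme classes, the 300-second quiet timer, and the rule that a manual block starts no quiet timer are assumptions made for illustration.

```python
from dataclasses import dataclass

QUIET_SECONDS = 300  # assumed quiet-timer length; the page gives no value

@dataclass
class Server:
    name: str
    reachable: bool = True    # simulated network condition
    state: str = "active"     # "active" or "block", as in the state command
    quiet_until: float = 0.0  # 0 means no quiet timer is running

class Scheme:
    """One RADIUS scheme (load sharing disabled): primary plus ordered secondaries."""

    def __init__(self, primary, secondaries):
        self.primary = primary
        self.secondaries = list(secondaries)

    def set_state(self, server, state):
        # Manual "state ... { active | block }". Assumption: a manual block
        # starts no quiet timer, so it lasts until set back to active.
        server.state, server.quiet_until = state, 0.0

    def candidates(self, now):
        servers = [self.primary, *self.secondaries]
        for s in servers:  # quiet timer expiry returns a server to active
            if s.state == "block" and s.quiet_until and now >= s.quiet_until:
                s.state, s.quiet_until = "active", 0.0
        active = [s for s in servers if s.state == "active"]
        # Active servers only, primary first; if all are blocked, primary only.
        return active or [self.primary]

    def request(self, now):
        """Return (name of answering server or None, names tried in order)."""
        tried = []
        for s in self.candidates(now):
            tried.append(s.name)
            if s.reachable:
                return s.name, tried
            if s.state == "active":  # unreachable: block it, start quiet timer
                s.state, s.quiet_until = "block", now + QUIET_SECONDS
        return None, tried

def demo():
    # Constructed scenario: primary and sec1 are down, sec2 is up.
    p, s1, s2 = Server("primary", reachable=False), Server("sec1", reachable=False), Server("sec2")
    scheme = Scheme(p, [s1, s2])
    first = scheme.request(now=0)          # fails over to sec2, blocks primary and sec1
    p.reachable = True                     # primary recovers but is still blocked
    during_quiet = scheme.request(now=10)
    after_quiet = scheme.request(now=QUIET_SECONDS)
    return first, during_quiet, after_quiet
```

In demo(), requests stay on sec2 while the recovered primary's quiet timer is still running, and return to the primary once it expires. If every server is blocked, only the primary is tried, so a request fails even when a secondary is reachable.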
Restrictions and guidelines
The configured server status cannot be saved to any configuration file, and can only be viewed by using the display radius scheme command.
After the device restarts, all servers are restored to the active state.
Procedure
Enter system view.
system-view
Enter RADIUS scheme view.
radius scheme radius-scheme-name
Set the RADIUS server status. Choose the following tasks as needed:
Set the status of the primary RADIUS authentication server.
state primary authentication { active | block }
Set the status of the primary RADIUS accounting server.
state primary accounting { active | block }
Set the status of a secondary RADIUS authentication server.
state secondary authentication [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }
Set the status of a secondary RADIUS accounting server.
state secondary accounting [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }
By default, a RADIUS server is in active state.