Part 8 - Security

02-RADIUS Commands

RADIUS Configuration Commands

attribute 25 car

Syntax

attribute 25 car

undo attribute 25 car

View

RADIUS scheme view

Default Level

2: System level

Parameters

None

Description

Use the attribute 25 car command to have the device interpret the RADIUS Class attribute (attribute 25) as CAR (committed access rate) parameters.

Use the undo attribute 25 car command to restore the default.

By default, RADIUS attribute 25 is not interpreted as CAR parameters.

Note that currently the S5820X series and S5800 series Ethernet switches do not support assigning CAR parameters through the Class attribute.

Related commands: display radius scheme, display connection in AAA Commands of the Command Reference - Part 8 Security.

Examples

# Specify to interpret RADIUS attribute 25 as CAR parameters.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 25 car

data-flow-format (RADIUS scheme view)

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

View

RADIUS scheme view

Default Level

2: System level

Parameters

data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Description

Use the data-flow-format command to specify the unit for data flows or packets to be sent to a RADIUS server.

Use the undo data-flow-format command to restore the default.

By default, the unit for data flows is byte and that for data packets is one-packet.

Note that:

• The unit for data flows (and for packets) configured on the device must match the unit the RADIUS server uses for its traffic statistics. Otherwise accounting is off by the ratio between the two units, for example when the device reports kilobytes and the server bills them as bytes.

• You can use these commands to change the settings only when no user is using the RADIUS scheme.

Related commands: display radius scheme.

Examples

# Define RADIUS scheme radius1 to send data flows and packets destined for the RADIUS server in kilobytes and kilo-packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

display radius scheme

Syntax

display radius scheme [ radius-scheme-name ] [ slot slot-number ]

View

Any view

Default Level

2: System level

Parameters

radius-scheme-name: RADIUS scheme name.

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the display radius scheme command to display the configuration information of a specified RADIUS scheme or all RADIUS schemes.

Note that:

• If no RADIUS scheme is specified, the command displays the configuration information of all RADIUS schemes.

• If no IRF member ID is specified, the command displays the configuration information of the RADIUS schemes on all IRF member devices.

• The output shows the configured shared keys in clear text (the Auth Server Encryption Key and Acct Server Encryption Key fields in the example below), so treat saved or shared copies of this output (logs, support bundles) as sensitive.

Related commands: radius scheme.

Examples

# Display the configurations of all RADIUS schemes.

<Sysname> display radius scheme

------------------------------------------------------------------

SchemeName  : radius1

  Index : 0                           Type : extended

  Primary Auth Server:

    IP: 1.1.1.1                                  Port: 1812   State: active

    VPN instance   : 1

  Primary Acct Server:

    VPN instance   : 1

    IP: 1.1.1.1                                  Port: 1813   State: active

  Second Auth Server:

    VPN instance   : 1

    IP: N/A                                      Port: 1812   State: block

  Second Acct Server:

    VPN instance   : 1

    IP: N/A                                      Port: 1813   State: block

  Auth Server Encryption Key : 123

  Acct Server Encryption Key : N/A

  VPN instance               : 1

  Interval for timeout(second)                            : 3

  Retransmission times for timeout                        : 3

  Interval for realtime accounting(minute)                : 12

  Retransmission times of realtime-accounting packet      : 5

  Retransmission times of stop-accounting packet          : 500

  Quiet-interval(min)                                     : 5

  Username format                                         : without-domain

  Data flow unit                                          : Byte

  Packet unit                                             : one

  NAS-IP address                                          : 1.1.1.1

  Attribute 25                                            : car

  ------------------------------------------------------------------

Total 1 RADIUS scheme(s).

Table 1-1 display radius scheme command output description

Field: Description

SchemeName: Name of the RADIUS scheme

Index: Index number of the RADIUS scheme

Type: Type of the RADIUS server, as set with the server-type command (extended in the example above)

Primary Auth Server: Primary authentication server

Primary Acct Server: Primary accounting server

Second Auth Server: Secondary authentication server

Second Acct Server: Secondary accounting server

IP: IP address of the server. N/A means not configured.

Port: Service port of the server. If no port is configured, the default port number is displayed (1812 for authentication, 1813 for accounting).

State: Status of the server, active or block

VPN instance: VPN of the server

Auth Server Encryption Key: Shared key of the authentication server, shown in clear text

Acct Server Encryption Key: Shared key of the accounting server, shown in clear text. N/A means not configured.

Interval for timeout(second): RADIUS server response timeout, in seconds

Retransmission times for timeout: Maximum number of transmission attempts when a request times out (see the retry command)

Interval for realtime accounting(minute): Real-time accounting interval, in minutes

Retransmission times of realtime-accounting packet: Maximum number of real-time accounting request transmission attempts

Retransmission times of stop-accounting packet: Maximum number of stop-accounting request transmission attempts

Quiet-interval(min): Quiet interval for the primary server, in minutes

Username format: Format of the usernames sent to the server, as set with the user-name-format command (without-domain in the example above)

Data flow unit: Unit of data flows

Packet unit: Unit of packets

NAS-IP address: Source IP address used for RADIUS packets sent to the server

Attribute 25: How RADIUS attribute 25 is interpreted; car means it is interpreted as CAR parameters

 

display radius statistics

Syntax

display radius statistics [ slot slot-number ]

View

Any view

Default Level

2: System level

Parameters

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the display radius statistics command to display statistics about RADIUS packets.

Related commands: radius scheme.

Examples

# Display statistics about RADIUS packets.

<Sysname> display radius statistics

Slot  1:state statistic(total=4096):

     DEAD = 4096     AuthProc = 0        AuthSucc = 0

AcctStart = 0         RLTSend = 0         RLTWait = 0

 AcctStop = 0          OnLine = 0            Stop = 0

 StateErr = 0

Received and Sent packets statistic:

Sent PKT total   = 6

Received PKT total = 0

Resend Times     Resend total

1                2

2                2

Total            4

RADIUS received packets statistic:

Code =  2   Num = 0        Err = 0

Code =  3   Num = 0        Err = 0

Code =  5   Num = 0        Err = 0

Code = 11   Num = 0        Err = 0

Running statistic:

RADIUS received messages statistic:

Normal auth request      Num = 2        Err = 0        Succ = 2

EAP auth request         Num = 0        Err = 0        Succ = 0

Account request          Num = 0        Err = 0        Succ = 0

Account off request      Num = 0        Err = 0        Succ = 0

PKT auth timeout         Num = 5        Err = 1        Succ = 4

PKT acct_timeout         Num = 0        Err = 0        Succ = 0

Realtime Account timer   Num = 0        Err = 0        Succ = 0

PKT response             Num = 0        Err = 0        Succ = 0

Session ctrl pkt         Num = 0        Err = 0        Succ = 0

Normal author request    Num = 0        Err = 0        Succ = 0

Set policy result        Num = 0        Err = 0        Succ = 0

RADIUS sent messages statistic:

Auth accept              Num = 0

Auth reject              Num = 1

EAP auth replying        Num = 0

Account success          Num = 0

Account failure          Num = 0

Server ctrl req          Num = 0

RecError_MSG_sum     = 0

SndMSG_Fail_sum      = 0

Timer_Err            = 0

Alloc_Mem_Err        = 0

State Mismatch       = 0

Other_Error          = 0

No-response-acct-stop packet = 0

Discarded No-response-acct-stop packet for buffer overflow = 0    

Table 1-2 display radius statistics command output description

Field: Description

state statistic: User state statistics (total is the number of user entries on the slot)

DEAD: Number of idle users

AuthProc: Number of users waiting for authentication

AuthSucc: Number of users who have passed authentication

AcctStart: Number of users for whom accounting has been started

RLTSend: Number of users for whom the system is sending real-time accounting packets

RLTWait: Number of users waiting for real-time accounting

AcctStop: Number of users in the stop-accounting state

OnLine: Number of online users

Stop: Number of users in the stop state

StateErr: Number of users in an unknown error state

Received and Sent packets statistic: Statistics of packets received and sent

Sent PKT total: Number of packets sent

Received PKT total: Number of packets received

Resend Times: Number of retransmission attempts

Resend total: Number of packets retransmitted that many times

Total: Total number of packets retransmitted

RADIUS received packets statistic: Statistics of packets received by RADIUS, by packet code

Code: RADIUS packet code of the received packets: 2 = Access-Accept, 3 = Access-Reject, 5 = Accounting-Response, 11 = Access-Challenge (RFC 2865/2866)

Num: Total number of packets

Err: Number of error packets

Succ: Number of acknowledgement messages

Running statistic: RADIUS operation message statistics

RADIUS received messages statistic: Number of messages received by RADIUS

Normal auth request: Number of normal authentication requests

EAP auth request: Number of EAP authentication requests

Account request: Number of accounting requests

Account off request: Number of stop-accounting requests

PKT auth timeout: Number of authentication timeout messages

PKT acct_timeout: Number of accounting timeout messages

Realtime Account timer: Number of real-time accounting requests

PKT response: Number of responses

Session ctrl pkt: Number of session control messages

Normal author request: Number of normal authorization requests

Set policy result: Number of responses to Set policy packets

RADIUS sent messages statistic: Number of messages sent by RADIUS

Auth accept: Number of authentication accept packets

Auth reject: Number of authentication reject packets

EAP auth replying: Number of EAP authentication reply packets

Account success: Number of accounting success packets

Account failure: Number of accounting failure packets

Server ctrl req: Number of server control requests

RecError_MSG_sum: Number of received packets in error

SndMSG_Fail_sum: Number of packets that failed to be sent

Timer_Err: Number of timer errors

Alloc_Mem_Err: Number of memory allocation errors

State Mismatch: Number of state mismatch errors

Other_Error: Number of errors of other types

No-response-acct-stop packet: Number of stop-accounting packets for which no response was received

Discarded No-response-acct-stop packet for buffer overflow: Number of buffered stop-accounting packets discarded because the buffer was full
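Added example (not part of the original command reference): a small Python parser for the display radius statistics output shown above, followed by the health checks an operator runs on it when RADIUS "does not work". The sample text is the page's own example output, trimmed to the lines the checks use; the finding messages and the set of counters treated as alarms are this example's own choices.

```python
"""Parser and health checks for the output of 'display radius statistics'.
SAMPLE is this page's example output, trimmed to the lines the checks use."""
import re

SAMPLE = """\
Slot  1:state statistic(total=4096):
     DEAD = 4096     AuthProc = 0        AuthSucc = 0
AcctStart = 0         RLTSend = 0         RLTWait = 0
 AcctStop = 0          OnLine = 0            Stop = 0
 StateErr = 0
Received and Sent packets statistic:
Sent PKT total   = 6
Received PKT total = 0
Resend Times     Resend total
1                2
2                2
Total            4
RADIUS received packets statistic:
Code =  2   Num = 0        Err = 0
Code = 11   Num = 0        Err = 0
RADIUS received messages statistic:
Normal auth request      Num = 2        Err = 0        Succ = 2
PKT auth timeout         Num = 5        Err = 1        Succ = 4
RADIUS sent messages statistic:
Auth reject              Num = 1
RecError_MSG_sum     = 0
State Mismatch       = 0
Discarded No-response-acct-stop packet for buffer overflow = 0
"""

# RADIUS packet codes (RFC 2865/2866) as they appear in the 'Code =' lines.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

SLOT_RE = re.compile(r"^Slot\s+(\d+):state statistic\(total=(\d+)\):$")
CODE_RE = re.compile(r"^Code\s*=\s*(\d+)\s+Num\s*=\s*(\d+)\s+Err\s*=\s*(\d+)$")
MSG_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_ ]*?)\s+Num\s*=\s*(\d+)"
                    r"(?:\s+Err\s*=\s*(\d+))?(?:\s+Succ\s*=\s*(\d+))?$")
RESEND_RE = re.compile(r"^(\d+|Total)\s+(\d+)$")
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9_\- ]*?)\s*=\s*(\d+)")  # 'Name = value', several per line


def parse_radius_statistics(text):
    """Return slot, user-state total, plain counters, resend table, per-code and per-message stats."""
    stats = {"slot": None, "state_total": None, "counters": {}, "resend": {},
             "received_codes": {}, "messages": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SLOT_RE.match(line):
            stats["slot"], stats["state_total"] = int(m[1]), int(m[2])
        elif m := CODE_RE.match(line):
            stats["received_codes"][int(m[1])] = (int(m[2]), int(m[3]))
        elif m := MSG_RE.match(line):
            entry = {"Num": int(m[2])}
            if m[3] is not None:
                entry["Err"] = int(m[3])
            if m[4] is not None:
                entry["Succ"] = int(m[4])
            stats["messages"][m[1].strip()] = entry
        elif m := RESEND_RE.match(line):
            stats["resend"]["Total" if m[1] == "Total" else int(m[1])] = int(m[2])
        else:  # section headers yield no pairs and are skipped
            for name, value in PAIR_RE.findall(line):
                stats["counters"][name.strip()] = int(value)
    return stats


def health_findings(stats):
    """The questions an operator asks first when RADIUS authentication fails."""
    c, msgs, findings = stats["counters"], stats["messages"], []
    sent, received = c.get("Sent PKT total", 0), c.get("Received PKT total", 0)
    if sent and not received:
        findings.append(f"sent {sent} packets, received none: server unreachable, wrong "
                        "nas-ip or UDP port, or the server silently dropping the requests")
    if stats["resend"].get("Total", 0):
        findings.append(f"{stats['resend']['Total']} retransmissions: retry/timeout budget in use")
    for name, entry in msgs.items():
        if entry.get("Err", 0):
            findings.append(f"{name}: {entry['Err']} errors")
    if msgs.get("Auth reject", {}).get("Num", 0):
        findings.append(f"{msgs['Auth reject']['Num']} authentication rejects")
    for code, (_num, err) in stats["received_codes"].items():
        if err:
            findings.append(f"{err} bad {RADIUS_CODES.get(code, f'code {code}')} packets")
    for name in ("RecError_MSG_sum", "SndMSG_Fail_sum", "State Mismatch",
                 "Discarded No-response-acct-stop packet for buffer overflow"):
        if c.get(name, 0):
            findings.append(f"{name} = {c[name]}")
    return findings
```

On the sample, the parser yields Sent PKT total = 6 against Received PKT total = 0 with four retransmissions, which is the signature of a server that never answers (reachability, nas-ip, port or key problem) rather than one that rejects; the single Auth reject is the device giving up after the retry budget, as the retry command describes.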

 

display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]

View

Any view

Default Level

2: System level

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID. The ID is a string of 1 to 50 characters.

time-range start-time stop-time: Specifies a time range by its start time and end time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user by the username, which is a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting by the user-name-format command for the RADIUS scheme.

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device by scheme, session ID, time range, username, or slot.

Note that if the device receives no response after sending a stop-accounting request to a RADIUS server, it buffers the request and retransmits it. Use the retry stop-accounting command to set the maximum number of transmission attempts.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, user-name-format, retry stop-accounting.

Examples

# Display information about the buffered stop-accounting requests from 0:0:0 to 23:59:59 on August 31, 2006.

<Sysname> display stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006

 Slot 1:

Total 0 record(s) Matched

key (RADIUS scheme view)

Syntax

key { accounting | authentication } string

undo key { accounting | authentication }

View

RADIUS scheme view

Default Level

2: System level

Parameters

accounting: Sets the shared key for RADIUS accounting packets.

authentication: Sets the shared key for RADIUS authentication/authorization packets.

string: Shared key, a case-sensitive string of 1 to 64 characters.

Description

Use the key command to set the shared key for RADIUS authentication/authorization or accounting packets.

Use the undo key command to restore the default.

By default, no shared key is configured.

Note that:

• You must ensure that the same shared key is set on the device and the RADIUS server. With mismatched keys the server cannot recover the hidden User-Password and the device cannot validate the Response Authenticator of the server's replies.

• RADIUS derives both password hiding and response authentication from MD5 over the shared key, so a short or guessable key can be recovered offline from a single captured exchange. Use a long random key, and prefer different keys for authentication and accounting and for different schemes.

• The key is displayed in clear text by the display radius scheme command.

• You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: display radius scheme.

Examples

# Set the shared key for authentication/authorization packets to hello for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key authentication hello

# Set the shared key for accounting packets to ok for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting ok
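The following is an added example, not code from this command reference or from the switch: a minimal Python model of the RADIUS shared-key mechanics (RFC 2865 and RFC 2866) that the key command configures. It shows why the authentication key must match on both sides (the server cannot recover the hidden User-Password and the NAS cannot verify the Response Authenticator otherwise) and why the accounting key is checked separately on Accounting-Request packets. The keys hello and ok are the ones from the examples above; the username, password, packet identifiers and the mistyped keys are constructed for the demo.

```python
"""RADIUS shared-key mechanics (RFC 2865 / RFC 2866): User-Password hiding,
Response Authenticator verification and the Accounting-Request authenticator.
Username, password, identifiers and the mistyped keys are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_STATUS_STOP = 1, 2, 40, 2


def encode_attrs(attrs):
    """(type, value) pairs -> Type/Length/Value octets; Length covers the 2-byte header."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(body):
    """Parse TLVs, rejecting zero-length or truncated attributes instead of looping on them."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; NUL padding is stripped, so passwords ending in NUL are not representable."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(code, ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body


def sign_response(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(packet, request_auth, secret):
    """NAS-side check of a server reply; a wrong authentication key fails here."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(auth, hashlib.md5(header + request_auth + body + secret).digest())


def sign_accounting_request(ident, attrs, secret):
    """RFC 2866: authenticator = MD5 over the packet with 16 zero octets in the
    authenticator field, followed by the accounting key (distinct from the authentication key)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


def verify_accounting_request(packet, secret):
    """Server-side check; with the wrong accounting key the request is silently discarded."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(auth, hashlib.md5(header + b"\x00" * 16 + body + secret).digest())


def demo(auth_key=b"hello", acct_key=b"ok"):
    """One authentication and one stop-accounting exchange; returns the checks each side performs."""
    request_auth = os.urandom(16)
    user = (USER_NAME, b"user0001@test")
    request = build_request(ACCESS_REQUEST, 7, request_auth,
                            [user, (USER_PASSWORD, hide_password(b"s3cret-pw", auth_key, request_auth))])
    # Server: recover the password with its copy of the key, then answer with a signed Access-Accept.
    hidden = dict(decode_attrs(request[20:]))[USER_PASSWORD]
    accept = sign_response(ACCESS_ACCEPT, 7, [user], request[4:20], auth_key)
    # NAS: send a stop-accounting record signed with the separate accounting key.
    stop = sign_accounting_request(8, [user, (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_STOP))], acct_key)
    return {
        "password_recovered": reveal_password(hidden, auth_key, request[4:20]) == b"s3cret-pw",
        "accept_verified": verify_response(accept, request_auth, auth_key),
        "accept_wrong_key": verify_response(accept, request_auth, b"hell0"),
        "acct_verified": verify_accounting_request(stop, acct_key),
        "acct_wrong_key": verify_accounting_request(stop, b"0k"),
    }
```

Everything that protects the exchange is an MD5 computation over the shared key plus data visible on the wire, which is why the key length and randomness, not the algorithm, decide how hard an offline guess is; the constant-time comparison is there only so the verifier does not leak how many authenticator bytes matched.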

nas-ip (RADIUS scheme view)

Syntax

nas-ip { ip-address | ipv6 ipv6-address }

undo nas-ip

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D (multicast) address, a class E address, or an address in the 127.0.0.0/8 loopback range. An address configured on a LoopBack interface is allowed and is the recommended choice (see the notes below).

ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the device, and neither the loopback address (::1) nor a link-local address.

Description

Use the nas-ip command to specify the IP address for the device to use as the source address of the RADIUS packets to be sent to the server.

Use the undo nas-ip command to restore the default.

By default, the source IP address of a packet sent to the server is that configured by the radius nas-ip command in system view.

Note that:

• Specifying a source address for the RADIUS packets sent to the server avoids the situation where the packets sent back by the RADIUS server cannot reach the device because a physical interface has failed. The address of a LoopBack interface is recommended, since it stays reachable regardless of the state of any one physical link. RADIUS servers identify the NAS by this source address and select the shared key from it, so it must be the address registered for this device on the server.

• The nas-ip command in RADIUS scheme view applies only to the current RADIUS scheme, while the radius nas-ip command in system view applies to all RADIUS schemes. The nas-ip command in RADIUS scheme view overrides the configuration of the radius nas-ip command for that scheme.

• The source IP address specified for RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS scheme. Otherwise, the source IP address configuration does not take effect.

• You can use the commands to change the setting only when no user is using the RADIUS scheme.

Related commands: radius nas-ip.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] radius scheme test1

[Sysname-radius-test1] nas-ip 10.1.1.1

primary accounting (RADIUS scheme view)

Syntax

primary accounting { ip-address [ port-number | vpn-instance vpn-instance-name ] * | ipv6 ipv6-address [ port-number ] }

undo primary accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the primary accounting server.

ipv6 ipv6-address: IPv6 address of the primary accounting server.

port-number: UDP port number of the primary accounting server, which ranges from 1 to 65535 and defaults to 1813.

vpn-instance vpn-instance-name: Name of the VPN instance of the primary RADIUS accounting server, a string of 1 to 31 case-sensitive characters.

Description

Use the primary accounting command to specify the primary RADIUS accounting server.

Use the undo primary accounting command to remove the configuration.

By default, no primary RADIUS accounting server is specified.

Note that:

• The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

• The RADIUS service port configured on the device must match the port used by the RADIUS server.

• The IP addresses of the primary and secondary accounting servers must be of the same IP version.

• If the server resides in an MPLS VPN, you must also specify that VPN with the primary accounting command to ensure communication with the server.

• The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.

• The VPN specified here takes precedence over the VPN specified for the RADIUS scheme.

• You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: key, radius scheme, state, vpn-instance (RADIUS scheme view).

Examples

# Specify the IP address of the primary accounting server for RADIUS scheme radius1 as 10.110.1.2 and the UDP port of the server as 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813

primary authentication (RADIUS scheme view)

Syntax

primary authentication { ip-address [ port-number | vpn-instance vpn-instance-name ] * | ipv6 ipv6-address  [ port-number ] }

undo primary authentication

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the primary authentication/authorization server.

ipv6 ipv6-address: IPv6 address of the primary authentication/authorization server.

port-number: UDP port number of the primary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.

vpn-instance vpn-instance-name: Name of the VPN instance of the primary RADIUS authentication/authorization server, a string of 1 to 31 case-sensitive characters.

Description

Use the primary authentication command to specify the primary RADIUS authentication/authorization server.

Use the undo primary authentication command to remove the configuration.

By default, no primary RADIUS authentication/authorization server is specified.

Note that:

• After creating a RADIUS scheme, configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization and accounting servers). Ensure that at least one authentication/authorization server and one accounting server are configured, and that the RADIUS service port settings on the device match the port settings on the RADIUS servers.

• If the server resides in an MPLS VPN, you must also specify that VPN with the primary authentication command to ensure communication with the server.

• The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.

• The IP addresses of the primary and secondary authentication/authorization servers must be of the same IP version.

• The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.

• The VPN specified here takes precedence over the VPN specified for the RADIUS scheme.

• You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: key, radius scheme, state, vpn-instance (RADIUS scheme view).

Examples

# Specify the primary authentication/authorization server for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812

radius client

Syntax

radius client enable

undo radius client

View

System view

Default Level

2: System level

Parameters

None

Description

Use the radius client enable command to enable the listening port of the RADIUS client.

Use the undo radius client command to disable the listening port of the RADIUS client.

By default, the listening port is enabled.

Note that when the listening port of the RADIUS client is disabled:

• The RADIUS client still accepts authentication, authorization, and accounting requests and processes timer messages, but it can neither send packets to nor receive packets from the RADIUS server.

• Stop-accounting packets for online users can be neither sent nor buffered, so the RADIUS server may keep a user's record for some time after the user has gone offline.

• If both a RADIUS scheme and the local scheme are configured for authentication, authorization, and accounting, the device falls back to the local scheme after the RADIUS request fails. In that configuration, disabling the listening port silently turns RADIUS-backed access control into local-account access control.

• Buffered accounting packets cannot be sent and are deleted from the buffer when the configured maximum number of attempts is reached.

Examples

# Enable the listening port of the RADIUS client.

<Sysname> system-view

[Sysname] radius client enable

radius nas-ip

Syntax

radius nas-ip { ip-address  [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address }

undo radius nas-ip { ip-address [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address }

View

System view

Default Level

2: System level

Parameters

ip-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D (multicast) address, a class E address, or an address in the 127.0.0.0/8 loopback range.

ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the device, and neither the loopback address (::1) nor a link-local address.

vpn-instance vpn-instance-name: Name of the VPN instance of the backup source IP address, a string of 1 to 31 case-sensitive characters. With a VPN specified, the command specifies a private-network backup source IP address. With no VPN specified, the command specifies a public-network backup source IP address.

Description

Use the radius nas-ip command to specify the IP address for the device to use as the source address of the RADIUS packets to be sent to the server.

Use the undo radius nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

• Specifying a source address for the RADIUS packets sent to the server avoids the situation where the packets sent back by the RADIUS server cannot reach the device because a physical interface has failed.

• You can specify up to 16 backup source IP addresses, of which at most one is a public-network address. A newly specified public-network backup source IP address overwrites the previous one. Each VPN can have at most one private-network backup source IP address; a private-network backup source IP address newly specified for a VPN overwrites the previous one for that VPN.

• If you configure the command more than once, the last configuration takes effect.

• The nas-ip command in RADIUS scheme view applies only to the current RADIUS scheme, while the radius nas-ip command in system view applies to all RADIUS schemes. The nas-ip command in RADIUS scheme view overrides the configuration of the radius nas-ip command for that scheme.

• The source IP address specified for RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS schemes that use it. Otherwise, the source IP address configuration does not take effect.

Related commands: nas-ip.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

radius scheme

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

View

System view

Default Level

3: Manage level

Parameters

radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Description

Use the radius scheme command to create a RADIUS scheme and enter RADIUS scheme view.

Use the undo radius scheme command to delete a RADIUS scheme.

By default, no RADIUS scheme is defined.

Note that:

• RADIUS is configured scheme by scheme. Every RADIUS scheme must at least specify the IP addresses and UDP ports of the RADIUS authentication/authorization/accounting servers and the parameters necessary for a RADIUS client to interact with the servers.

• A RADIUS scheme can be referenced by more than one ISP domain at the same time.

• You cannot remove a RADIUS scheme that is being used by online users with the undo radius scheme command.

Related commands: key, retry realtime-accounting, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius scheme, display radius statistics.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

radius trap

Syntax

radius trap { accounting-server-down | authentication-server-down }

undo radius trap { accounting-server-down | authentication-server-down }

View

System view

Default Level

2: System level

Parameters

accounting-server-down: RADIUS trap for accounting servers.

authentication-server-down: RADIUS trap for authentication servers.

Description

Use the radius trap command to enable the RADIUS trap function.

Use the undo radius trap command to disable the function.

By default, the RADIUS trap function is disabled.

Note that:

• If a NAS sends an accounting or authentication request to the RADIUS server and gets no response, it retransmits the request. With the RADIUS trap function enabled, the NAS sends a trap when it has transmitted the request half of the specified maximum number of times (see the retry command) without a response.

• If the specified maximum number of transmission attempts is odd, half of it is rounded up to the next integer; for example, with a maximum of 3 attempts the trap is sent after the second unanswered transmission.

Examples

# Enable the RADIUS trap function for accounting servers.

<Sysname> system-view

[Sysname] radius trap accounting-server-down

reset radius statistics

Syntax

reset radius statistics [ slot slot-number ]

View

User view

Default Level

2: System level

Parameters

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the reset radius statistics command to clear RADIUS statistics.

Related commands: display radius scheme.

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]

View

User view

Default Level

2: System level

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID, a string of 1 to 50 characters.

time-range start-time stop-time: Specifies a time range by its start time and end time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a username based on which to reset the stop-accounting buffer. The username is a case-sensitive string of 1 to 80 characters. The format of the user-name argument (for example, whether the domain name should be included) must comply with that specified for usernames to be sent to the RADIUS server in the RADIUS scheme.

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests that have received no response.

Related commands: stop-accounting-buffer enable, retry stop-accounting, user-name-format, display stop-accounting-buffer.

Examples

# Clear the buffered stop-accounting requests for user user0001@test.

<Sysname> reset stop-accounting-buffer user-name user0001@test

# Clear the buffered stop-accounting requests in the time range from 0:0:0 to 23:59:59 on August 31, 2006.

<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006

retry

Syntax

retry retry-times

undo retry

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of transmission attempts, in the range 1 to 20.

Description

Use the retry command to set the maximum number of RADIUS transmission attempts.

Use the undo retry command to restore the default.

The default value for the retry-times argument is 3.

Note that:

• Because RADIUS runs over UDP, delivery is not reliable. If the device receives no response from the RADIUS server within the response timeout, it retransmits the request. If the maximum number of transmission attempts is reached and there is still no response, the device considers the authentication to have failed.

• The maximum number of transmission attempts is the sum of all attempts made to the primary and the secondary server. If the maximum is N and both servers are configured, the device turns to the other server when the current server has not responded after N/2 attempts (N even) or (N+1)/2 attempts (N odd).

• The maximum number of transmission attempts multiplied by the RADIUS server response timeout (in seconds) cannot exceed 75.

Related commands: radius scheme, timer response-timeout.

Examples

# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

retry realtime-accounting

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of accounting request transmission attempts. It ranges from 1 to 255 and defaults to 5.

Description

Use the retry realtime-accounting command to set the maximum number of accounting request transmission attempts.

Use the undo retry realtime-accounting command to restore the default.

Note that:

•   A RADIUS server usually uses a timeout timer to check whether a user is online. If it receives no real-time accounting packet for the user from the NAS within the timeout period, it assumes a line or device failure and stops accounting for the user. This can happen after an unexpected failure, and in that case the NAS must disconnect the user as well. The maximum number of accounting request transmission attempts controls this: once the limit is reached and the NAS still receives no response, the NAS disconnects the user.

•   Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the number of timeout retransmission attempts is 3 (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting request transmission attempts is 5 (set with the retry realtime-accounting command). The device then generates an accounting request every 12 minutes and retransmits it when no response arrives within 3 seconds. The accounting request is deemed unsuccessful if no response is received after 3 transmissions. The device keeps sending a request every 12 minutes, and if 5 consecutive requests receive no response, it cuts the user connection.

Related commands: radius scheme, timer realtime-accounting.

Examples

# Set the maximum number of accounting request transmission attempts to 10 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

retry stop-accounting (RADIUS scheme view)

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 10 to 65,535 and defaults to 500.

Description

Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.

Use the undo retry stop-accounting command to restore the default.

Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the number of timeout retransmission attempts is 5 (set with the retry command), and the maximum number of stop-accounting request transmission attempts is 20 (set with the retry stop-accounting command). For each stop-accounting request, if the device receives no response within 3 seconds, it sends the request again. If no response arrives after 5 such transmissions, the stop-accounting request is deemed unsuccessful. The device then buffers the request, resends it, and repeats the whole process. Only after 20 consecutive attempts fail does the device discard the request.
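The retry, retry realtime-accounting and retry stop-accounting rules above combine into a small timing model. The following Python is an added illustration written for this page, not H3C code or device behaviour beyond what the text states; where the page gives only counts (for example, when exactly the real-time accounting cut-off occurs), the assumption is stated in the function docstring. It computes which server each attempt is sent to, checks the 75-second retry budget, and works through the page's own figures (3-second timeout, 12-minute interval, 5 real-time attempts, 20 stop-accounting attempts).

```python
"""Model of the RADIUS retransmission behaviour described for the retry,
retry realtime-accounting and retry stop-accounting commands. This is an
added illustration, not H3C code; where the page leaves timing unspecified
the assumption is stated in the function's docstring."""
import math

MAX_RETRY_BUDGET_SECONDS = 75   # page: retry-times x response-timeout must not exceed 75


def check_retry_budget(retry_times, response_timeout):
    """True when retry-times x timer response-timeout stays within 75 s."""
    return retry_times * response_timeout <= MAX_RETRY_BUDGET_SECONDS


def attempt_schedule(retry_times, response_timeout, has_secondary):
    """(start_time_s, server) for every transmission attempt when no server
    answers. With a secondary server the first N/2 (N even) or (N+1)/2
    (N odd) attempts go to the primary and the rest to the secondary."""
    switch_after = math.ceil(retry_times / 2) if has_secondary else retry_times
    return [(i * response_timeout, "primary" if i < switch_after else "secondary")
            for i in range(retry_times)]


def auth_failure_delay(retry_times, response_timeout):
    """Seconds until the device gives up on an authentication request when
    every attempt times out (one timeout per attempt)."""
    return retry_times * response_timeout


def realtime_accounting_cutoff(interval_minutes, retry_realtime,
                               retry_times, response_timeout):
    """Seconds from the first unanswered real-time accounting request until
    the NAS disconnects the user. Assumption (the page gives only counts):
    requests start at 0, interval, 2*interval, ...; each is given up after
    retry_times * response_timeout seconds; the user is cut when the
    retry_realtime-th consecutive request has been given up."""
    last_request_start = (retry_realtime - 1) * interval_minutes * 60
    return last_request_start + retry_times * response_timeout


def stop_accounting_transmissions(retry_times, retry_stop):
    """Packets sent for one stop-accounting request before it is discarded:
    retry_times transmissions per attempt, retry_stop buffered attempts."""
    return retry_times * retry_stop


if __name__ == "__main__":
    # Figures from the page: timeout 3 s, retry 3/5, interval 12 min,
    # retry realtime-accounting 5, retry stop-accounting 20.
    print(attempt_schedule(5, 3, True))
    print(realtime_accounting_cutoff(12, 5, 3, 3), "s until disconnect")
    print(stop_accounting_transmissions(5, 20), "stop-accounting packets")
```

With the page's figures, a user whose accounting server has gone silent is kept online for roughly four accounting intervals before the cut-off, so the real-time interval and the retry count together bound how long a dead accounting path goes unnoticed.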

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# Set the maximum number of stop-accounting request transmission attempts to 1,000 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry stop-accounting 1000

secondary accounting (RADIUS scheme view)

Syntax

secondary accounting { ip-address [ port-number | vpn-instance vpn-instance-name ] * | ipv6 ipv6-address  [ port-number ] }

undo secondary accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the secondary accounting server, in dotted decimal notation. The default is 0.0.0.0.

ipv6 ipv6-address: IPv6 address of the secondary accounting server.

port-number: UDP port number of the secondary accounting server, which ranges from 1 to 65535 and defaults to 1813.

vpn-instance vpn-instance-name: Name of the VPN instance of the secondary RADIUS accounting server, a string of 1 to 31 case-sensitive characters.

Description

Use the secondary accounting command to specify the secondary RADIUS accounting server.

Use the undo secondary accounting command to remove the configuration.

By default, no secondary RADIUS accounting server is specified.

Note that:

•   The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

•   The RADIUS service port configured on the device and that of the RADIUS server must be consistent.

•   If the server to be specified resides on an MPLS VPN, you also need to specify that VPN with the secondary accounting command to ensure normal communication with the server.

•   The IP addresses of the primary and secondary accounting servers must be of the same IP version.

•   The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.

•   The VPN specified here takes precedence over the VPN specified for the RADIUS scheme.

•   You can use this command to change the settings only when no user is using the RADIUS scheme.

Related commands: key, radius scheme, state, vpn-instance (RADIUS scheme view).

Examples

# Specify the secondary accounting server for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

secondary authentication (RADIUS scheme view)

Syntax

secondary authentication { ip-address [ port-number | vpn-instance vpn-instance-name ] * | ipv6 ipv6-address  [ port-number ] }

undo secondary authentication

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the secondary authentication/authorization server, in dotted decimal notation. The default is 0.0.0.0.

ipv6 ipv6-address: IPv6 address of the secondary authentication/authorization server.

port-number: UDP port number of the secondary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.

vpn-instance vpn-instance-name: Name of the VPN instance of the secondary RADIUS authentication/authorization server, a string of 1 to 31 case-sensitive characters.

Description

Use the secondary authentication command to specify the secondary RADIUS authentication/authorization server.

Use the undo secondary authentication command to remove the configuration.

By default, no secondary RADIUS authentication/authorization server is specified.

Note that:

•   The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.

•   The RADIUS service port configured on the device and that of the RADIUS server must be consistent.

•   If the server to be specified resides on an MPLS VPN, you also need to specify that VPN with the secondary authentication command to ensure normal communication with the server.

•   The IP addresses of the primary and secondary authentication/authorization servers must be of the same IP version.

•   The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.

•   The VPN specified here takes precedence over the VPN specified for the RADIUS scheme.

•   You can use this command to change the settings only when no user is using the RADIUS scheme.
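The address, port and VPN rules listed for secondary accounting and secondary authentication can be checked before the configuration is applied. The following Python lint is an added example, not H3C code: the nested-dict layout of the scheme, the function names and the sample addresses are this example's own (the 10.110.1.x addresses come from the page's examples, the IPv6 address is a documentation-prefix placeholder). It applies the same-address, same-IP-version and port-range rules, and resolves which VPN instance a server is reached through under the precedence rule (server-level vpn-instance over scheme-level, with the scheme-level one not applying to IPv6 servers).

```python
"""Lint for the primary/secondary server settings of a RADIUS scheme,
applying the rules listed for secondary accounting and secondary
authentication plus the VPN precedence rule. Added example, not H3C code;
the nested-dict layout of the scheme is this example's own."""
import ipaddress

DEFAULT_PORT = {"authentication": 1812, "accounting": 1813}  # page defaults

# Constructed sample scheme (addresses 10.110.1.x taken from the page's
# examples, the rest made up for illustration).
EXAMPLE_SCHEME = {
    "vpn": "vpnA",
    "authentication": {"primary": {"ip": "10.110.1.1"},
                       "secondary": {"ip": "10.110.1.2", "port": 1812}},
    "accounting": {"primary": {"ip": "10.110.1.1", "port": 1813},
                   "secondary": {"ip": "10.110.1.3", "vpn": "vpnB"}},
}


def ip_version(addr):
    """4 or 6; raises ValueError for an unparsable address."""
    return ipaddress.ip_address(addr).version


def effective_vpn(server, scheme_vpn):
    """VPN instance actually used to reach a server: the server-level
    vpn-instance wins over the scheme-level one, and the scheme-level one
    does not apply to IPv6 servers (page: vpn-instance notes)."""
    if server.get("vpn"):
        return server["vpn"]
    return None if ip_version(server["ip"]) == 6 else scheme_vpn


def lint_scheme(scheme):
    """Return the list of rule violations; [] means the scheme passes.
    Whether the port matches what the RADIUS server listens on cannot be
    checked from the device side, so that rule is not modelled."""
    problems = []
    versions_by_kind = {}
    for kind in ("authentication", "accounting"):
        servers = scheme.get(kind, {})
        for role in ("primary", "secondary"):
            srv = servers.get(role)
            if srv is None:
                continue
            try:
                versions_by_kind.setdefault(kind, set()).add(ip_version(srv["ip"]))
            except ValueError:
                problems.append(f"{kind} {role}: invalid address {srv['ip']!r}")
                continue
            port = srv.get("port", DEFAULT_PORT[kind])
            if not 1 <= port <= 65535:
                problems.append(f"{kind} {role}: port {port} out of range 1-65535")
        primary, secondary = servers.get("primary"), servers.get("secondary")
        if primary and secondary:
            if primary["ip"] == secondary["ip"]:
                problems.append(f"{kind}: primary and secondary servers share address {primary['ip']}")
            elif len(versions_by_kind.get(kind, set())) > 1:
                problems.append(f"{kind}: primary and secondary servers must use the same IP version")
    # Cross-check authentication against accounting only when each side is
    # internally consistent, so one mismatch is reported once.
    all_versions = set().union(*versions_by_kind.values())
    if len(all_versions) > 1 and all(len(v) == 1 for v in versions_by_kind.values()):
        problems.append("authentication and accounting servers must use the same IP version")
    return problems


if __name__ == "__main__":
    print("problems:", lint_scheme(EXAMPLE_SCHEME))
    for kind in ("authentication", "accounting"):
        for role, srv in EXAMPLE_SCHEME[kind].items():
            print(kind, role, srv["ip"], "via VPN", effective_vpn(srv, EXAMPLE_SCHEME["vpn"]))
```

Running the lint before each change to a live scheme matters because, as the notes say, these settings can only be changed while no user is using the scheme; catching a rejected configuration in advance avoids a second maintenance window.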

Related commands: key, radius scheme, state, vpn-instance (RADIUS scheme view).

Examples

# Specify the secondary authentication/authorization server for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

security-policy-server

Syntax

security-policy-server ip-address

undo security-policy-server { ip-address | all }

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the security policy server.

all: Specifies all security policy servers.

Description

Use the security-policy-server command to specify a security policy server.

Use the undo security-policy-server command to remove one or all security policy servers.

By default, no security policy server is specified.

Note that:

•   You can specify up to eight security policy servers for a RADIUS scheme.

•   You can use this command to change the setting only when no user is using the RADIUS scheme.

Related commands: radius nas-ip.

Examples

# For RADIUS scheme radius1, set the IP address of a security policy server to 10.110.1.2.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] security-policy-server 10.110.1.2

server-type

Syntax

server-type { extended | standard }

undo server-type

View

RADIUS scheme view

Default Level

2: System level

Parameters

extended: Specifies the extended RADIUS server (generally iMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats defined by the private RADIUS protocol.

standard: Specifies the standard RADIUS server, which requires the RADIUS client and RADIUS server to interact according to the rules and packet formats of the standard RADIUS protocol (RFC 2865/2866 or newer).

Description

Use the server-type command to specify the RADIUS server type supported by the device.

Use the undo server-type command to restore the default.

By default, the supported RADIUS server type is standard.

Note that you can use the commands to change the setting only when no user is using the RADIUS scheme.

Related commands: radius scheme.

Examples

# Set the RADIUS server type of RADIUS scheme radius1 to standard.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] server-type standard

state

Syntax

state { primary | secondary } { accounting | authentication } { active | block }

View

RADIUS scheme view

Default Level

2: System level

Parameters

primary: Sets the status of the primary RADIUS server.

secondary: Sets the status of the secondary RADIUS server.

accounting: Sets the status of the RADIUS accounting server.

authentication: Sets the status of the RADIUS authentication/authorization server.

active: Sets the status of the RADIUS server to active, namely the normal operation state.

block: Sets the status of the RADIUS server to block.

Description

Use the state command to set the status of a RADIUS server.

By default, every RADIUS server configured with an IP address in the RADIUS scheme is in active state.

Note that:

•   When both the primary server and the secondary server are in active state, the device communicates with the primary server. If the primary server fails, the device changes the status of the primary server to block and switches to the secondary server. When the quiet timer expires, the device restores the primary server to active state and leaves the status of the secondary server unchanged. For authentication/authorization, the device then resumes communication with the primary server; for accounting, however, the device keeps communicating with the secondary server whether or not the primary server has recovered.

•   When both the primary server and the secondary server are in block state, the device communicates with the primary server. If the primary server is available, its status changes to active. If both servers are in block state and you want the device to use the secondary server for AAA services, change the status of the secondary server to active; otherwise, no primary/secondary switchover takes place.

•   If one server is in active state and the other is in block state, the device tries to communicate only with the server in active state, even if that server is unavailable.

•   You can use this command to change the settings only when no user is using the RADIUS scheme.
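The four rules above define a small server-selection state machine. The following Python is an added illustration, not H3C code: class and method names are this example's own, and because the page does not say what happens when the secondary server itself stops responding, that case is deliberately left unmodelled. It shows the one asymmetry worth remembering operationally: after a failover, authentication returns to the primary when the quiet timer expires, but accounting stays on the secondary.

```python
"""Primary/secondary server selection for one RADIUS scheme, following the
rules listed for the state command. Added illustration, not H3C code; the
page does not describe a failing secondary server, so that is not modelled."""

ACTIVE, BLOCK = "active", "block"


class ServerPair:
    """Status of the primary and secondary server of one type
    ("authentication" or "accounting") within a RADIUS scheme."""

    def __init__(self, kind):
        self.kind = kind
        self.status = {"primary": ACTIVE, "secondary": ACTIVE}  # page default
        # After a failover, accounting stays on the secondary server even
        # once the primary is active again (page: state notes).
        self.accounting_on_secondary = False

    def set_state(self, role, status):
        """Operator action: state {primary|secondary} <kind> {active|block}."""
        self.status[role] = status

    def select(self):
        """Server the device sends the next request to."""
        p, s = self.status["primary"], self.status["secondary"]
        if p == ACTIVE and s == ACTIVE:
            if self.kind == "accounting" and self.accounting_on_secondary:
                return "secondary"
            return "primary"
        if p == BLOCK and s == BLOCK:
            return "primary"          # both blocked: the device still tries the primary
        return "primary" if p == ACTIVE else "secondary"  # the only active one, even if down

    def on_no_response(self, role):
        """The server the device was using did not answer."""
        if role == "primary" and self.status["secondary"] == ACTIVE:
            self.status["primary"] = BLOCK   # fail over to the secondary
            if self.kind == "accounting":
                self.accounting_on_secondary = True
        # Primary active with secondary blocked: the device keeps trying the
        # primary even though it is unavailable, so nothing changes.

    def on_response(self, role):
        """A server answered. In the both-block case a responding primary
        becomes active again."""
        if role == "primary" and self.status["primary"] == BLOCK:
            self.status["primary"] = ACTIVE

    def on_quiet_timer_expired(self):
        """timer quiet expired: primary back to active, secondary untouched."""
        if self.status["primary"] == BLOCK:
            self.status["primary"] = ACTIVE


def failover_trace(kind):
    """Walk one server pair through a primary failure and quiet-timer expiry
    and return the server chosen at each step."""
    pair = ServerPair(kind)
    trace = [pair.select()]                  # both active -> primary
    pair.on_no_response("primary")
    trace.append(pair.select())              # primary blocked -> secondary
    pair.on_quiet_timer_expired()
    trace.append(pair.select())              # auth returns to primary; accounting stays
    return trace


def both_blocked_trace():
    """Both servers blocked by the operator, then the primary answers."""
    pair = ServerPair("authentication")
    pair.set_state("primary", BLOCK)
    pair.set_state("secondary", BLOCK)
    chosen = pair.select()                   # both block -> primary is tried
    pair.on_response("primary")
    return chosen, pair.status["primary"]    # ("primary", "active")


if __name__ == "__main__":
    for kind in ("authentication", "accounting"):
        print(kind, failover_trace(kind))
    print("both blocked:", both_blocked_trace())
```

The accounting stickiness means a secondary accounting server can quietly carry all accounting traffic long after the primary has recovered; the display radius scheme output is the place to confirm which server is actually in use.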

Related commands: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.

Examples

# Set the status of the secondary server in RADIUS scheme radius1 to active.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication active

stop-accounting-buffer enable (RADIUS scheme view)

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

RADIUS scheme view

Default Level

2: System level

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses.

Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.

By default, the device is enabled to buffer stop-accounting requests getting no responses.

Because stop-accounting requests affect the charges to users, a NAS must make its best effort to deliver every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request that gets no response within the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission retries reaches the configured limit, at which point the NAS discards the packet.

Note that you can use the commands to change the setting only when no user is using the RADIUS scheme.

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# In RADIUS scheme radius1, enable the device to buffer the stop-accounting requests getting no responses.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] stop-accounting-buffer enable

timer quiet (RADIUS scheme view)

Syntax

timer quiet minutes

undo timer quiet

View

RADIUS scheme view

Default Level

2: System level

Parameters

minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.

Description

Use the timer quiet command to set the quiet timer for the primary server, that is, the duration for which the primary server stays in block state before it is restored to active state.

Use the undo timer quiet command to restore the default.

Related commands: display radius scheme.

Examples

# Set the quiet timer for the primary server to 10 minutes.

<Sysname> system-view

[Sysname] radius scheme test1

[Sysname-radius-test1] timer quiet 10

timer realtime-accounting (RADIUS scheme view)

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range 3 to 60. The default is 12.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default.

Note that:

•   For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command sets that interval.

•   When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server (if any); otherwise it does not send online user accounting information.

•   The choice of real-time accounting interval depends to some extent on the performance of the NAS and the RADIUS server: a shorter interval gives higher accounting precision but requires higher performance. It is therefore recommended to use a longer interval when there are a large number of users (1000 or more). The following table lists the recommended ratios of the interval to the number of users.

Table 1-3 Recommended ratios of the accounting interval to the number of users

Number of users    Real-time accounting interval (minutes)
1 to 99            3
100 to 499         6
500 to 999         12
1000 or more       15 or more

Related commands: retry realtime-accounting, radius scheme.

Examples

# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

timer response-timeout (RADIUS scheme view)

Syntax

timer response-timeout seconds

undo timer response-timeout

View

RADIUS scheme view

Default Level

2: System level

Parameters

seconds: RADIUS server response timeout period in seconds. It ranges from 1 to 10 and defaults to 3.

Description

Use the timer response-timeout command to set the RADIUS server response timeout timer.

Use the undo timer response-timeout command to restore the default.

Note that:

•   If a NAS receives no response from the RADIUS server within a period of time after sending a RADIUS request (an authentication/authorization or accounting request), it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the retransmission interval.

•   A proper value for the RADIUS server response timeout timer helps improve system performance. Set the timer according to the network conditions.

•   The maximum total number of retransmission attempts of all types multiplied by the RADIUS server response timeout period cannot be greater than 75.

Related commands: radius scheme, retry.

Examples

# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

user-name-format (RADIUS scheme view)

Syntax

user-name-format { keep-original | with-domain | without-domain }

View

RADIUS scheme view

Default Level

2: System level

Parameters

keep-original: Sends the username to the RADIUS server exactly as it was entered.

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Description

Use the user-name-format command to specify the format of the username to be sent to a RADIUS server.

By default, the ISP domain name is included in the username.

Note that:

•   A username is generally in the format userid@isp-name, where isp-name is used by the device to determine the ISP domain to which the user belongs. Some earlier RADIUS servers, however, cannot recognize a username that includes an ISP domain name. Before sending such a username to such a server, the device must remove the domain name. This command lets you decide whether the username sent to the RADIUS server includes the domain name.

•   If a RADIUS scheme sends usernames without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the RADIUS server may regard two users with the same user ID in different ISP domains as the same user.

•   For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect; the device forwards the usernames from the clients to the RADIUS server unchanged.

•   You can use this command to change the setting only when no user is using the RADIUS scheme.
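The three formats and the two caveats above (EAP usernames pass through unchanged; without-domain can merge users from different ISP domains) are easy to check with a few lines. The following Python is an added example, not H3C code: the function names, the default-domain assumption for logins that carry no @isp-name, and the sample logins are this example's own. find_collisions reports exactly the ambiguity the second note warns about, so it can be run over the user list of every domain a scheme is applied to before choosing without-domain.

```python
"""Username handling as described for the user-name-format command.
Added example, not H3C code. Only the three formats and the EAP exception
come from the page; the default-domain and collision helpers are this
example's own."""
from collections import defaultdict

# Assumption: domain attributed to a login entered without "@isp-name".
DEFAULT_DOMAIN = "system"


def split_username(login):
    """'userid@isp-name' -> (userid, isp-name). A login without '@' is
    attributed to DEFAULT_DOMAIN (assumption, not stated on the page)."""
    userid, sep, domain = login.partition("@")
    return (userid, domain) if sep else (login, DEFAULT_DOMAIN)


def radius_username(login, fmt, eap=False):
    """User-Name the NAS sends to the RADIUS server for the given format."""
    if eap:                       # page: not applied to 802.1X EAP users
        return login
    if fmt == "keep-original":
        return login
    userid, domain = split_username(login)
    if fmt == "with-domain":
        return f"{userid}@{domain}"
    if fmt == "without-domain":
        return userid
    raise ValueError(f"unknown user-name-format: {fmt}")


def find_collisions(logins, fmt):
    """Map each User-Name the server would see to the distinct
    (userid, domain) logins that produce it, keeping only names produced
    by more than one login: the 'same user ID in different ISP domains'
    ambiguity the page warns about for without-domain."""
    seen = defaultdict(set)
    for login in logins:
        seen[radius_username(login, fmt)].add(split_username(login))
    return {name: sorted(src) for name, src in seen.items() if len(src) > 1}


if __name__ == "__main__":
    # Constructed sample logins from two ISP domains sharing one scheme.
    sample = ["bob@corp", "bob@guest", "carol@corp", "dave"]
    for fmt in ("keep-original", "with-domain", "without-domain"):
        print(fmt, [radius_username(u, fmt) for u in sample],
              "collisions:", find_collisions(sample, fmt))
```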

Related commands: radius scheme.

Examples

# Specify the device to remove the domain name in the username sent to the RADIUS servers for the RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

vpn-instance (RADIUS scheme view)

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

View

RADIUS scheme view

Default Level

2: System level

Parameters

vpn-instance-name: Name of a VPN instance, a string of 1 to 31 case-sensitive characters.

Description

Use the vpn-instance command to specify a VPN instance for the RADIUS scheme.

Use the undo vpn-instance command to remove the configuration.

Note that:

•   The VPN instance specified here applies to all servers in the RADIUS scheme, but a VPN instance specified for an individual server takes precedence over it.

•   The VPN instance specified here does not take effect for IPv6 RADIUS servers.

Related commands: radius scheme, display radius scheme.

Examples

# Specify VPN instance test for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] vpn-instance test

H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.