How to configure the weight of a RADIUS server on an S series switch


Generally, two or more RADIUS servers are deployed on the live network to improve network reliability. When two or more RADIUS servers are available, you can control traffic sent to different RADIUS servers. For S series switches (except the S1700):
- In V200R003C00 and later versions, you can set the algorithm for selecting primary and secondary RADIUS servers or load balancing based on actual requirements, and specify the weights of the RADIUS authentication or accounting servers when configuring them.
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server algorithm loading-share
[HUAWEI-radius-template1] radius-server accounting 10.163.155.12 1813 weight 80
[HUAWEI-radius-template1] radius-server accounting 10.163.155.13 1813 weight 40
- In versions earlier than V200R003C00, two or more RADIUS servers can only work in primary or secondary mode. The secondary parameter is used to determine whether a RADIUS server is primary or secondary. If this parameter is specified, the server is the primary server with the weight 100. If the parameter is not specified, the server is the secondary server with the weight 0.
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server accounting 10.163.155.12 1813
[HUAWEI-radius-template1] radius-server accounting 10.163.155.13 1813 secondary
Note:
- If the algorithm for selecting primary and secondary RADIUS servers is used, the primary and secondary RADIUS authentication or accounting servers are determined based on the weights of the servers specified when the servers are configured. The server with a larger weight is the primary server. If servers have the same weight, the server configured first is the primary server.
- If the load balancing algorithm is used, the switch sends packets to RADIUS servers according to the configured weights of the servers. In the preceding configuration example, the probability that the switch sends packets to the RADIUS server at 10.163.155.12:1813 is 66.7% (80/[80 + 40]), and the probability that the switch sends packets to the RADIUS server at 10.163.155.13:1813 is 33.3% (40/[80 + 40]).
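
The two selection rules in the note can be checked offline before a template is pushed to a switch. The following Python sketch is an added example, not Huawei code: it parses the `weight` syntax of V200R003C00 and later from a constructed copy of the configuration above, and the function names are illustrative.

```python
import re
from fractions import Fraction

# Constructed sample: the load-balancing template shown in the configuration above.
SAMPLE_CONFIG = """\
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] radius-server algorithm loading-share
[HUAWEI-radius-template1] radius-server accounting 10.163.155.12 1813 weight 80
[HUAWEI-radius-template1] radius-server accounting 10.163.155.13 1813 weight 40
"""

# Matches only server lines that carry an explicit weight.
SERVER_RE = re.compile(
    r"radius-server\s+(authentication|accounting)\s+(\S+)\s+(\d+)\s+weight\s+(\d+)\s*$"
)


def parse_servers(config, role):
    """Return [(ip, port, weight)] for one role, in configuration order."""
    servers = []
    for line in config.splitlines():
        m = SERVER_RE.search(line)
        if m and m.group(1) == role:
            servers.append((m.group(2), int(m.group(3)), int(m.group(4))))
    return servers


def primary_server(servers):
    """Primary/secondary selection: the largest weight wins, and a tie goes to
    the server configured first (max() keeps the first maximal element)."""
    if not servers:
        raise ValueError("no servers configured")
    return max(servers, key=lambda s: s[2])


def load_shares(servers):
    """Load balancing: share of packets = weight / sum of all weights."""
    total = sum(w for _, _, w in servers)
    if total == 0:
        raise ValueError("all weights are 0; shares are undefined")
    return {f"{ip}:{port}": Fraction(w, total) for ip, port, w in servers}


if __name__ == "__main__":
    acct = parse_servers(SAMPLE_CONFIG, "accounting")
    print("primary under primary/secondary selection:", primary_server(acct))
    for server, share in load_shares(acct).items():
        print(f"{server}: {float(share):.1%}")
```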

Other related questions:
Do S series switches support RADIUS server functions
S series switches can only function as RADIUS clients but not RADIUS servers.

Configure NAT server on S series switches
S7700, S9700, and S9300 series modular switches use SPUs to support the NAT server function.

Configure S series switches to send user names without a domain name to the RADIUS server for authentication
For S series switches (except S1700 switches), the format of a user name is user name@domain name. In the user name, @ is the domain name delimiter, which can also be any of the following symbols: \ / : < > | ' %. By default, a switch does not modify the user name entered by the user in the packets sent to the RADIUS server. If the RADIUS server does not accept user names with domain names, users who enter user names with domain names fail the RADIUS authentication. To solve the problem, perform the following configuration on the switch to make the switch send user names without domain names to the RADIUS server.
[HUAWEI] radius-server template template1
[HUAWEI-radius-template1] undo radius-server user-name domain-included
Note:
You can modify this configuration only when the RADIUS server template is not in use.

Why does RADIUS authentication fail when the RADIUS server template and RADIUS server are properly configured
This problem has the following possible causes:
- The IP address of the router (a RADIUS client) is not configured on the RADIUS server, so the RADIUS server cannot send an authentication response packet to the router.
- Different shared keys are configured on the router and the RADIUS server.
