Table of Contents
Advertisement
ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS authentication server.
port-number: Specifies the service port number of the secondary RADIUS authentication server. The
value range for the UDP port number is 1 to 65535. The default setting is 1812.
key: Specifies the shared key for secure communication with the secondary RADIUS authentication
server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form
will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive.
•
In non-FIPS mode, the encrypted form of the key is a string of 1 to 117 characters. The plaintext
form of the key is a string of 1 to 64 characters.
•
In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext
form of the key is a string of 15 to 64 characters. The plaintext string must contain digits,
uppercase letters, lowercase letters, and special characters.
test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The
profile-name argument is a case-sensitive string of 1 to 31 characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary
RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string
of 1 to 31 characters. If the server is on the public network, do not specify this option.
weight weight-value: Specifies a weight value for the RADIUS server. The value range for the
weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS
server will not be used for load sharing. This option takes effect only when the RADIUS server load
sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher
capacity to process authentication requests.
Usage guidelines
Make sure the port number and shared key settings of each secondary RADIUS authentication
server are the same as those configured on the corresponding server.
A RADIUS scheme supports a maximum of 16 secondary RADIUS authentication servers. If the
primary server fails, the device tries to communicate with a secondary server in active state. The
device connects to the secondary servers in the order they are configured.
The server status detection is triggered for a server if the specified test profile exists on the device.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN
instance, host name, IP address, and port number settings.
The shared key configured by this command takes precedence over the shared key configured with
the key authentication command.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the
vpn-instance vpn-instance-name option. The VPN instance specified by this command takes
precedence over the VPN instance specified for the RADIUS scheme.
If you use the secondary authentication command to modify or delete a secondary authentication
server during an authentication process, communication with the secondary server times out.
•
When the RADIUS server load sharing feature is disabled, the device tries to communicate with
an active server that has the highest priority for authentication.
•
When the RADIUS server load sharing feature is enabled, the device performs the following
operations:
a. Checks the weight value and number of currently served users for each active server.
b. Determines the most appropriate server in performance to receive an AAA request.
105
Advertisement
Table of Contents
