HPE FlexNetwork HSR6800 Security Command Reference page 77

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication/authorization
server, which must be a valid global unicast address.
port-number: Specifies the service port number of the primary RADIUS authentication/authorization
server, which is a UDP port number ranging from 1 to 65535 and defaults to 1812.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary
RADIUS authentication/authorization server. In FIPS mode, the shared key must be a string of at
least 8 characters that contain numbers, uppercase letters, lowercase letters, and special characters,
and is encrypted and decrypted by using 3DES.
cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to
117 characters.
simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64
characters.
If neither cipher nor simple is specified, you set a plaintext shared key string.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS
authentication/authorization server belongs. The vpn-instance-name argument is a case-sensitive
string of 1 to 31 characters. If the server is on the public network, do not specify this option.
probe: Enables the device to detect the status of the primary RADIUS authentication/authorization
server.
username name: Specifies the username in the authentication request that is used to detect the
status of the primary RADIUS authentication/authorization server.
interval interval: Specifies the interval between two server status detections. The value ranges from
1 to 3600 and defaults to 60, in minutes.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS
authentication/authorization server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key
authentication [ cipher | simple ] key command. For secrecy, all shared keys, including keys
configured in plain text, are saved in cipher text.
The IP addresses of the authentication/authorization servers and those of the accounting servers
must be of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be
different from each other. Otherwise, the configuration fails.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance
vpn-instance-name option. The VPN specified by this command takes precedence over the VPN
specified for the RADIUS scheme.
If you remove the primary authentication server when an authentication process is in progress, the
communication with the primary server times out, and the device looks for a server in active state
from the new primary server on.
With the server status detection feature enabled, the device sends an authentication request that
carries the specified username to the primary server at the specified interval. If the device receives
no response from the server within the time interval specified by the timer response-timeout
command, the device sends the authentication request again.
If the maximum number of retries (specified by the retry command) is reached and the device still
receives no response from the server, the device considers the server as unreachable. If the device
receives a response from the server before the maximum number of retries is reached, the device
considers the server as reachable. The device sets the status of the server to block or active
according to the status detection result, regardless of the current status of the server.
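A pre-deployment check for these parameters, as an added example that is not part of the HPE manual: it validates intended server settings against the ranges and usage guidelines above. The dictionary field names, the treatment of 2000::/3 as "global unicast", and applying the FIPS rule only to plaintext keys are assumptions of this example.

```python
import ipaddress
import string

GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")  # assumption: global unicast = 2000::/3

def check_key(key, kind="simple", fips=False):
    """Return a list of problems with a shared key (kind is 'simple' or 'cipher')."""
    problems = []
    limit = 117 if kind == "cipher" else 64
    if not 1 <= len(key) <= limit:
        problems.append(f"{kind} key must be 1 to {limit} characters")
    if fips and kind == "simple":  # assumption: complexity is checked on plaintext only
        classes = (string.digits, string.ascii_uppercase,
                   string.ascii_lowercase, string.punctuation)
        if len(key) < 8 or not all(any(c in cls for c in key) for cls in classes):
            problems.append("FIPS mode: key needs 8+ characters with digits, "
                            "uppercase, lowercase and special characters")
    return problems

def check_server(cfg, secondary=None, accounting=None, fips=False):
    """Validate one primary authentication/authorization server definition (a dict)."""
    problems = []
    addr = ipaddress.ip_address(cfg["address"])  # normalizes equivalent spellings
    if addr.version == 6 and addr not in GLOBAL_UNICAST_V6:
        problems.append("IPv6 server address must be global unicast")
    if not 1 <= cfg.get("port", 1812) <= 65535:
        problems.append("port must be 1 to 65535")
    if "key" in cfg:
        problems += check_key(cfg["key"], cfg.get("key_type", "simple"), fips)
    vpn = cfg.get("vpn_instance")
    if vpn is not None and not 1 <= len(vpn) <= 31:
        problems.append("vpn-instance name must be 1 to 31 characters")
    if "probe_interval" in cfg and not 1 <= cfg["probe_interval"] <= 3600:
        problems.append("probe interval must be 1 to 3600 minutes")
    if secondary and ipaddress.ip_address(secondary) == addr:
        problems.append("primary and secondary server addresses must differ")
    if accounting and ipaddress.ip_address(accounting).version != addr.version:
        problems.append("authentication and accounting servers must use the same IP version")
    return problems

# Constructed sample values (documentation address ranges, made-up key and VPN name).
SAMPLE = {"address": "2001:db8::10", "port": 1812, "key": "Radius#Key2024",
          "vpn_instance": "mgmt", "probe_interval": 60}

if __name__ == "__main__":
    for line in check_server(SAMPLE, secondary="2001:db8::11",
                             accounting="192.0.2.5", fips=True) or ["ok"]:
        print(line)
```

Because addresses are parsed before comparison, a secondary written as `2001:DB8:0::10` is still caught as a duplicate of `2001:db8::10`.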
