HPE FlexNetwork HSR6800 Security Command Reference page 88

port-number:
authentication/authorization server, which is a UDP port number ranging from 1 to 65535 and
defaults to 1812.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary
RADIUS authentication/authorization server. In FIPS mode, the shared key must be a string of at
least 8 characters that contain numbers, uppercase letters, lowercase letters, and special characters,
and is encrypted and decrypted by using 3DES.
•
cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to
117 characters.
•
simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64
characters.
•
If neither cipher nor simple is specified, you set a plaintext shared key string.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS
authentication/authorization server belongs. The vpn-instance-name argument is a case-sensitive
string of 1 to 31 characters. If the server is on the public network, do not specify this option.
probe: Enables
authentication/authorization server.
username name: Specifies the username in the authentication request that is used to detect the
status of the secondary RADIUS authentication/authorization server.
interval interval: Specifies the interval between two server status detections. The value ranges from
1 to 3600 and defaults to 60, in minutes.
Usage guidelines
Make sure the port number and shared key settings of the secondary RADIUS
authentication/authorization server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key
accounting [ cipher | simple ] key command. For secrecy, all shared keys, including keys
configured in plain text, are saved in cipher text.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance
vpn-instance-name option. The VPN specified by this command takes precedence over the VPN
specified for the RADIUS scheme.
You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS
scheme. After the configuration, if the primary server fails, the device looks for a secondary server in
active state (a secondary RADIUS authentication/authorization server configured earlier has a
higher priority) and tries to communicate with it.
The IP addresses of the authentication/authorization servers and those of the accounting servers
must be of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be
different from each other. Otherwise, the configuration fails.
If you remove a secondary authentication server in use in the authentication process, the
communication with the secondary server times out, and the device looks for a server in active state
from the primary server on.
With the server status detection feature enabled, the device sends an authentication request that
carries the specified username to the secondary server at the specified interval. If the device
receives no response from the server within the time interval specified by the timer
response-timeout command, the device sends the authentication request again.
If the maximum number of retries (specified by the retry command) is reached and the device still
receives no response from the server, the device considers the server as unreachable. If the device
receives a response from the server before the maximum number of retries is reached, the device
considers the server as reachable. The device sets the status of the server to block or active
according to the status detection result, regardless of the current status of the server.
Specifies the service
the device to
port number
detect the status
75
of the secondary
of the secondary
RADIUS
RADIUS