Secondary Authorization - HP FlexNetwork 7500 Series Command Reference Manual

keyword, the device establishes a new TCP connection each time it exchanges authentication
packets with the secondary authentication server for a user.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary
HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive
string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of each secondary HWTACACS authentication
server are the same as those configured on the corresponding server.
An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authentication servers.
If the primary server fails, the device tries to communicate with a secondary server in active state.
The device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary authentication command, the
command removes all secondary authentication servers.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical VPN
instance, host name, IP address, and port number settings.
As a best practice, specify the single-connection keyword to reduce TCP connections for improving
system performance if the HWTACACS server supports the single-connection method.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the
vpn-instance vpn-instance-name option. The VPN instance specified by this command takes
precedence over the VPN instance specified for the HWTACACS scheme.
You can remove an authentication server only when it is not used for user authentication. Removing
an authentication server affects only authentication processes that occur after the remove operation.
Examples
# In HWTACACS scheme hwt1, specify a secondary authentication server with IP address
10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple
123456TESTauth&!
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
vpn-instance (HWTACACS scheme view)

secondary authorization

Use secondary authorization to specify a secondary HWTACACS authorization server.
Use undo secondary authorization to remove a secondary HWTACACS authorization server.
Syntax
secondary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key
{ cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo secondary authorization [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number |
vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS authorization servers are specified.
135