H3C MSR Series Command Reference Manual page 135
Comware 7 security
Hide thumbs
Also See for MSR Series:
- Command reference manual (174 pages) ,
- Configuration manual (80 pages) ,
- Manual (33 pages)
Table of Contents
Advertisement
port-number: Sets the service port number of the secondary RADIUS authentication server. The
value range for the UDP port number is 1 to 65535. The default setting is 1812.
key: Specifies the shared key for secure communication with the secondary RADIUS authentication
server.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form
will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive.
•
In non-FIPS mode, the encrypted form of the key is a string of 1 to 117 characters. The plaintext
form of the key is a string of 1 to 64 characters.
•
In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext
form of the key is a string of 15 to 64 characters. The plaintext string must contain digits,
uppercase letters, lowercase letters, and special characters.
test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The
profile-name argument represents the test profile name, which is a case-sensitive string of 1 to 31
characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary
RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string
of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure that the port number and shared key settings of each secondary RADIUS authentication
server are the same as those configured on the corresponding server.
A RADIUS scheme supports a maximum of 16 secondary RADIUS authentication servers. If the
primary server fails, the device tries to communicate with a secondary server in active state. The
device connects to the secondary servers in the order they are configured.
When you specify a test profile for secondary authentication servers, make sure the test profile
already exists on the device. Otherwise, the device cannot detect the server status.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP
address, port number, and VPN instance settings.
The shared key configured by this command takes precedence over the shared key configured with
the key authentication command.
If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the
vpn-instance vpn-instance-name option. The VPN instance specified by this command takes
precedence over the VPN instance specified for the RADIUS scheme.
If you use the secondary authentication command to modify or delete a secondary authentication
server during an authentication process, communication with the secondary server times out. The
device tries to communicate with an active server that has the highest priority for authentication.
Examples
# In RADIUS scheme radius1, specify a secondary authentication server with IP address 10.110.1.2
and UDP port 1812.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
# In RADIUS scheme radius2, specify two secondary authentication servers with the IP addresses
of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1812.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
112
Advertisement
Table of Contents
