H3C S6812 Series Command Reference Manual page 1725


In non-FIPS mode, the encrypted form of the key is a string of 1 to 117 characters. The plaintext
form of the key is a string of 1 to 64 characters.
In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext
form of the key is a string of 15 to 64 characters. The plaintext string must contain digits,
uppercase letters, lowercase letters, and special characters.
test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The
profile-name argument is a case-sensitive string of 1 to 31 characters.
weight weight-value: Specifies a weight value for the RADIUS server. The value range for the
weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS
server will not be used for load sharing. This option takes effect only when the RADIUS server load
sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher
capacity to process authentication requests.
Usage guidelines
Make sure the port number and shared key settings of each secondary RADIUS authentication
server are the same as those configured on the corresponding server.
A RADIUS scheme supports a maximum of 16 secondary RADIUS authentication servers. If the
primary server fails, the device tries to communicate with a secondary server in active state. The
device connects to the secondary servers in the order they are configured.
The server status detection is triggered for a server if the specified test profile exists on the device.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP
address and port number settings.
The shared key configured by this command takes precedence over the shared key configured with
the key authentication command.
If you use the secondary authentication command to modify or delete a secondary authentication
server during an authentication process, communication with the secondary server times out.
When the RADIUS server load sharing feature is disabled, the device tries to communicate with
an active server that has the highest priority for authentication.
When the RADIUS server load sharing feature is enabled, the device performs the following
operations:
a. Checks the weight value and number of currently served users for each active server.
b. Determines which server is the most appropriate, in terms of performance, to receive an AAA request.
Examples
# In RADIUS scheme radius1, specify a secondary authentication server with IP address 10.110.1.2
and UDP port 1812.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
# In RADIUS scheme radius2, specify two secondary authentication servers with IP addresses
10.110.1.1 and 10.110.1.2 and UDP port 1812.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812
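# The constraints in the usage guidelines can also be checked offline against a saved configuration. The following Python script is an added example, not part of the H3C manual. It assumes the `key simple <string>` keyword form for plaintext keys, port 1812 when no port is given, and ASCII punctuation as the set of special characters.

```python
import re
import string

MAX_SECONDARY = 16    # limit stated in the usage guidelines
DEFAULT_PORT = 1812   # assumption: port used when none is configured
SERVER_RE = re.compile(r"^\s*(primary|secondary) authentication (\S+)(.*)$")

def plaintext_key_ok(key, fips):
    """Apply the plaintext key length and complexity rules from the manual."""
    if not fips:
        return 1 <= len(key) <= 64
    classes = (string.digits, string.ascii_uppercase,
               string.ascii_lowercase, string.punctuation)  # assumed "special" set
    return 15 <= len(key) <= 64 and all(any(c in cls for c in key) for cls in classes)

def audit_scheme(lines, fips=False):
    """Return findings for the server lines of one RADIUS scheme."""
    findings, seen, secondaries = [], set(), 0
    for line in lines:
        m = SERVER_RE.match(line)
        if not m:
            continue
        role, host, rest = m.groups()
        opts = rest.split()
        port = int(opts[0]) if opts and opts[0].isdigit() else DEFAULT_PORT
        if role == "secondary":
            secondaries += 1
        if (host, port) in seen:  # identical IP address and port within a scheme
            findings.append(f"duplicate server {host}:{port}")
        seen.add((host, port))
        if "weight" in opts:
            w = int(opts[opts.index("weight") + 1])
            if not 0 <= w <= 100:
                findings.append(f"{host}: weight {w} outside 0-100")
        if "simple" in opts:      # assumed keyword for a plaintext key
            key = opts[opts.index("simple") + 1]
            if not plaintext_key_ok(key, fips):  # the key itself is never echoed
                findings.append(f"{host}: plaintext key violates length/complexity rule")
    if secondaries > MAX_SECONDARY:
        findings.append(f"{secondaries} secondary servers (maximum is {MAX_SECONDARY})")
    return findings

# Constructed sample lines, not taken from a real device.
SAMPLE = [
    " primary authentication 10.110.1.1 1812",
    " secondary authentication 10.110.1.1 1812 weight 40",
    " secondary authentication 10.110.1.2 1812 key simple Short1! weight 150",
]
if __name__ == "__main__":
    print("\n".join(audit_scheme(SAMPLE, fips=True)))
```
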
Related commands
display radius scheme
key (RADIUS scheme view)
primary authentication (RADIUS scheme view)

This manual is also suitable for:

S6813 series, S5150-ei