HP 6125G Command Reference Manual page 70

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS
authentication/authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to
31 characters. If the server is on the public network, do not specify this option.
Description
Use secondary authentication to specify secondary RADIUS authentication/authorization servers for a
RADIUS scheme.
Use undo secondary authentication to remove a secondary RADIUS authentication/authorization server.
By default, no secondary RADIUS authentication/authorization server is specified.
Make sure
authentication/authorization server are the same as those configured on the server.
You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS
scheme by executing this command repeatedly. After the configuration, if the primary server fails, the
switch looks for a secondary server in active state (a secondary RADIUS authentication/authorization
server configured earlier has a higher priority) and tries to communicate with it.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be
of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different
from each other and use the same IP version. Otherwise, the configuration fails.
The shared key configured by this command takes precedence over that configured by using the key
authentication [ cipher | simple ] key command.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance
vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified
for the RADIUS scheme.
If you remove a secondary authentication server in use in the authentication process, the communication
with the secondary server times out, and the switch looks for a server in active state from the primary
server on.
For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.
With the server status detection feature enabled, the switch sends an authentication request that carries
the specified username to the secondary server at the specified interval. If the switch receives no response
from the server within the time interval specified by the timer response-timeout command, the switch
sends the authentication request again.
If the maximum number of retries (specified by the retry command) is reached and the switch still receives
no response from the server, the switch considers the server as unreachable. If the switch receives a
response from the server before the maximum number of retries is reached, the switch considers the
server as reachable. The switch sets the status of the server to block or active according to the status
detection result, regardless of the current status of the server.
For 802.1X authentication, if the status of every server is block, the switch assigns the port connected to
an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X
critical VLAN, see Security Configuration Guide.
To ensure that the switch can set the server to its actual status, set a longer quiet timer for the secondary
server with the timer quiet command. If you set a short quiet timer and configure 802.1X critical VLAN on
a port, the switch might frequently change the server status, and the port might frequently join and leave
the critical VLAN.
Related commands: key, state, and vpn-instance (RADIUS scheme view).
the port number and shared key
61
settings of the secondary RADIUS