Manualshelf

R3303-HP HSR6800 Routers Security Command Reference

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution
81828384858687888990
68
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS authentication/authorization
server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key
authentication [ cipher | simple ] key command. For secrecy, all shared keys, including keys configured
in plain text, are saved in cipher text.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be
of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different
from each other. Otherwise, the configuration fails.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance
vpn-instance-name option. The VPN specified by this command takes precedence over the VPN
specified for the RADIUS scheme.
If you remove the primary authentication server when an authentication process is in progress, the
communication with the primary server times out, and the device looks for a server in active state from the
new primary server on.
With the server status detection feature enabled, the device sends an authentication request that carries
the specified username to the primary server at the specified interval. If the device receives no response
from the server within the time interval specified by the timer response-timeout command, the device
sends the authentication request again.
If the maximum number of retries (specified by the retry command) is reached and the device still receives
no response from the server, the device considers the server as unreachable. If the device receives a
response from the server before the maximum number of retries is reached, the device considers the
server as reachable. The device sets the status of the server to block or active according to the status
detection result, regardless of the current status of the server.
For 802.1X authentication, if the status of every server is block, the device assigns the port connected to
an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X
critical VLAN, see Security Configuration Guide.
To ensure that the device can set the server to its actual status, set a longer quiet timer for the primary
server with the timer quiet command. If you set a short quiet timer and configure 802.1X critical VLAN on
a port, the device might frequently change the server status, and the port might frequently join and leave
the critical VLAN.
Examples
# For RADIUS scheme radius1, set the IP address of the primary authentication/authorization server to
10.110.1.1, the UDP port to 1812, and the shared key to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key hello
# In RADIUS scheme radius1, set the username used for status detection of the primary
authentication/authorization server to test, and set the server status detection interval to 120 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 probe username test interval
120