R3303-HP HSR6800 Routers Security Command Reference
79
port-number: Specifies the service port number of the secondary RADIUS authentication/authorization
server, which is a UDP port number ranging from 1 to 65535 and defaults to 1812.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary
RADIUS authentication/authorization server. In FIPS mode, the shared key must be a string of at least 8
characters that contain numbers, uppercase letters, lowercase letters, and special characters, and is
encrypted and decrypted by using 3DES.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 117
characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS
authentication/authorization server belongs. The vpn-instance-name argument is a case-sensitive string
of 1 to 31 characters. If the server is on the public network, do not specify this option.
probe: Enables the device to detect the status of the secondary RADIUS authentication/authorization
server.
username name: Specifies the username in the authentication request that is used to detect the status of
the secondary RADIUS authentication/authorization server.
interval interval: Specifies the interval between two server status detections. The value ranges from 1 to
3600 and defaults to 60, in minutes.
Usage guidelines
Make sure the port number and shared key settings of the secondary RADIUS
authentication/authorization server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key
accounting [ cipher | simple ] key command. For secrecy, all shared keys, including keys configured in
plain text, are saved in cipher text.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance
vpn-instance-name option. The VPN specified by this command takes precedence over the VPN
specified for the RADIUS scheme.
You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS
scheme. After the configuration, if the primary server fails, the device looks for a secondary server in
active state (a secondary RADIUS authentication/authorization server configured earlier has a higher
priority) and tries to communicate with it.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be
of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different
from each other. Otherwise, the configuration fails.
If you remove a secondary authentication server in use in the authentication process, the communication
with the secondary server times out, and the device looks for a server in active state from the primary
server on.
With the server status detection feature enabled, the device sends an authentication request that carries
the specified username to the secondary server at the specified interval. If the device receives no
response from the server within the time interval specified by the timer response-timeout command, the
device sends the authentication request again.