Manualshelf

R3303-HP HSR6800 Routers Security Command Reference

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution
919293949596979899100
80
If the maximum number of retries (specified by the retry command) is reached and the device still receives
no response from the server, the device considers the server as unreachable. If the device receives a
response from the server before the maximum number of retries is reached, the device considers the
server as reachable. The device sets the status of the server to block or active according to the status
detection result, regardless of the current status of the server.
For 802.1X authentication, if the status of every server is block, the device assigns the port connected to
an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X
critical VLAN, see Security Configuration Guide.
To make sure the device can set the server to its actual status, set a longer quiet timer for the secondary
server with the timer quiet command. If you set a short quiet timer and configure 802.1X critical VLAN on
a port, the device might frequently change the server status, and the port might frequently join and leave
the critical VLAN.
Examples
# Specify two secondary authentication/authorization servers for RADIUS scheme radius1, with the
server IP addresses of 10.110 .1.1 a n d 10 .110.1.2 and the UDP port number of 1813. Set the shared keys to
hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.1 1812 key simple hello
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 key simple hello
# For RADIUS scheme radius2, set the IP address of the secondary authentication/authorization server
to 10.110.1.2, the UDP port to 1812, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
in cipher text.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 key cipher
$c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
# In RADIUS scheme radius1, set the username used for status detection of the secondary
authentication/authorization server to test, and set the server status detection interval to 120 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.1 probe username test interval
120
Related commands
key (RADIUS scheme view)
vpn-instance (RADIUS scheme view)
security-policy-server
Use security-policy-server to specify a security policy server for a RADIUS scheme.
Use undo security-policy-server to remove one or all security policy servers for a RADIUS scheme.
Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }