F3215-HP Load Balancing Module Security Command Reference-6PW101
93
The IP addresses of the authentication/authorization servers and those of the accounting servers must be
of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different
from each other. Otherwise, the configuration fails.
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name
option.
If you remove a secondary authentication server in use in the authentication process, the communication
with the secondary server times out, and the device looks for a server in active state from the primary
server on.
For secrecy, all shared keys, including keys configured in plain text, are saved in cipher text.
With the server status detection feature enabled, the device sends an authentication request that carries
the specified username to the secondary server at the specified interval. If the device receives no
response from the server within the time interval specified by the timer response-timeout command, the
device sends the authentication request again.
If the maximum number of retries (specified by the retry command) is reached and the device still receives
no response from the server, the device considers the server as unreachable. If the device receives a
response from the server before the maximum number of retries is reached, the device considers the
server as reachable. The device sets the status of the server to block or active according to the status
detection result, regardless of the current status of the server.
To ensure that the device can set the server to its actual status, set a longer quiet timer for the secondary
server with the timer quiet command.
Examples
# Specify two secondary authentication/authorization servers for RADIUS scheme radius1, with the
server IP addresses of 10.110 .1.1 a n d 10 .110.1.2 and the UDP port number of 1813. Set the shared keys to
hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.1 1812 key simple hello
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 key simple hello
# For RADIUS scheme radius2, set the IP address of the secondary authentication/authorization server
to 10.110.1.2, the UDP port to 1812, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
in cipher text.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 key cipher
$c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
# In RADIUS scheme radius1, set the username used for status detection of the secondary
authentication/authorization server to test, and set the server status detection interval to 120 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.1 probe username test interval
120
Related commands
• key
• state