Manualshelf

F3215-HP Load Balancing Module Security Command Reference-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
919293949596979899100
82
vpn-instance vpn-instance-name: Specifies the VPN to which the primary RADIUS
authentication/authorization server belongs. The vpn-instance-name argument is a case-sensitive string
of 1 to 31 characters. If the server is on the public network, do not specify this option.
probe: Enables the device to detect the status of the primary RADIUS authentication/authorization server.
username name: Specifies the username in the authentication request for server status detection.
interval interval: Specifies the detection interval. The value ranges from 1 to 3600, in minutes. The
default setting is 60 minutes.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS authentication/authorization
server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key
authentication [ cipher | simple ] key command.
The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be
of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different
from each other. Otherwise, the configuration fails.
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name
option.
If you remove the primary authentication server when an authentication process is in progress, the
communication with the primary server times out, and the device looks for a server in active state from the
new primary server on.
For secrecy, all shared keys, including keys configured in plain text, are saved in cipher text.
With the server status detection feature enabled, the device sends an authentication request that carries
the specified username to the primary server at the specified interval. If the device receives no response
from the server within the time interval specified by the timer response-timeout command, the device
sends the authentication request again.
If the maximum number of retries (specified by the retry command) is reached and the device still receives
no response from the server, the device considers the server as unreachable. If the device receives a
response from the server before the maximum number of retries is reached, the device considers the
server as reachable. The device sets the status of the server to block or active according to the status
detection result, regardless of the current status of the server.
To ensure that the device can set the server to its actual status, set a longer quiet timer for the primary
server with the timer quiet command.
Examples
# For RADIUS scheme radius1, set the IP address of the primary authentication/authorization server to
10.110.1.1, the UDP port to 1812, and the shared key to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key hello
# In RADIUS scheme radius1, set the username used for status detection of the primary
authentication/authorization server to test, and set the server status detection interval to 120 minutes.
<Sysname> system-view