F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Command Reference-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

201

202

203

204

205

206

207

208

209

210

202

Hardware O

tion com

atible

F1000-A-EI/F1000-S-EI Yes

F1000-E Yes

F5000 Yes

Firewall module Yes

U200-A Yes

U200-S No

port-number: Specifies the service port number of the primary RADIUS authentication/authorization

server, a UDP port number ranging from 1 to 65535. The default setting is 1812.

key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary RADIUS

authentication/authorization server. In FIPS mode, you cannot set a plaintext key, and the key must

contain at least 8 characters comprising uppercase and lowercase letters, digits, and special characters.

In FIPS mode, a key is encrypted and decrypted by using the 3DES algorithm.

• cipher key: Specifies a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117

characters.

• simple key: Specifies a plaintext shared key, a case-sensitive string of 1 to 64 characters.

• If neither cipher nor simple is specified, you set a plaintext shared key string.

vpn-instance vpn-instance-name: Specifies the VPN to which the primary RADIUS

authentication/authorization server belongs. The vpn-instance-name argument is a case-sensitive string

of 1 to 31 characters. If the server is on the public network, do not specify this option.

probe: Enables the device to detect the status of the primary RADIUS authentication/authorization server.

username name: Specifies the username in the authentication request for server status detection.

interval interval: Specifies the detection interval. The value ranges from 1 to 3600, in minutes. The

default setting is 60 minutes.

Usage guidelines

Make sure the port number and shared key settings of the primary RADIUS authentication/authorization

server are the same as those configured on the server.

The shared key configured by this command takes precedence over that configured by using the key

authentication [ cipher | simple ] key command.

The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

The IP addresses of the authentication/authorization servers and those of the accounting servers must be

of the same IP version.

The IP addresses of the primary and secondary authentication/authorization servers must be different

from each other. Otherwise, the configuration fails.

If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name

option.

If you remove the primary authentication server when an authentication process is in progress, the

communication with the primary server times out, and the device looks for a server in active state from the

new primary server on.

For secrecy, all shared keys, including keys configured in plain text, are saved in cipher text.