F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Command Reference-6PW100
interval interval: Specifies the detection interval. The value ranges from 1 to 3600, in minutes. The
default setting is 60 minutes.
Usage guidelines
Make sure the port number and shared key settings of the secondary RADIUS
authentication/authorization server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key
accounting [ cipher | simple ] key command.
The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS
scheme. With the configuration, if the primary server fails, the device looks for a secondary server in
active state (a secondary RADIUS authentication/authorization server configured earlier has a higher
priority) and tries to communicate with it.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be
of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different
from each other. Otherwise, the configuration fails.
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name
option.
If you remove a secondary authentication server that is in use during authentication, the communication
with that secondary server times out, and the device searches for a server in active state, starting from the
primary server.
For secrecy, all shared keys, including keys configured in plain text, are saved in cipher text.
With the server status detection feature enabled, the device sends an authentication request that carries
the specified username to the secondary server at the specified interval. If the device receives no
response from the server within the time interval specified by the timer response-timeout command, the
device sends the authentication request again.
If the maximum number of retries (specified by the retry command) is reached and the device still receives
no response from the server, the device considers the server as unreachable. If the device receives a
response from the server before the maximum number of retries is reached, the device considers the
server as reachable. The device sets the status of the server to block or active according to the status
detection result, regardless of the current status of the server.
To ensure that the device can set the server to its actual status, set a longer quiet timer for the secondary
server with the timer quiet command. If you set a short quiet timer, the device might frequently change the
server status.
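The status detection and server selection behavior described above, modeled as an added Python example; this is not code from the HP command reference, and the class, function and scenario values (IP addresses, which servers answer) are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class RadiusServer:
    ip: str
    port: int = 1812
    status: str = "active"   # "active" or "block"; replaced by each detection result
    sends: int = 0           # authentication requests sent, to check the retry count

def probe_server(server, has_response, retry=3):
    """One detection round for one server.

    has_response(server) stands in for sending the authentication request with
    the detection username and waiting for the response-timeout; it returns True
    on a reply. The request is resent until `retry` retransmissions are used up,
    and the outcome overrides the current status regardless of what it was.
    """
    failures = 0
    while True:
        server.sends += 1
        if has_response(server):
            server.status = "active"
            return True
        failures += 1
        if failures > retry:          # initial request plus `retry` resends
            server.status = "block"
            return False

def select_server(primary, secondaries):
    """Primary if active; otherwise the earliest-configured secondary in active state."""
    if primary.status == "active":
        return primary
    for server in secondaries:        # list order = configuration order = priority
        if server.status == "active":
            return server
    return None

def run_detection(servers, reachable, retry=3):
    """Run one detection interval over all servers. `reachable` is the constructed
    set of IPs that answer the probe. Returns {ip: status} after detection."""
    for server in servers:
        probe_server(server, lambda s: s.ip in reachable, retry)
    return {s.ip: s.status for s in servers}
```

A server marked block that answers the probe is returned to active in the same round, which is why the text recommends a long quiet timer for secondary servers.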
Examples
# Specify two secondary authentication/authorization servers for RADIUS scheme radius1, with the
server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813. Set the shared keys
to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.1 1812 key simple hello
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 key simple hello