R3721-F3210-F3171-HP High-End Firewalls Access Control Command Reference-6PW101
• In FIPS mode, the key must be a ciphertext string of at least 8 characters that must contain uppercase
letters, lowercase letters, digits, and special characters, and is encrypted with the 3DES algorithm.
vpn-instance vpn-instance-name: Specifies the VPN to which the secondary RADIUS
authentication/authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to
31 characters. If the server is on the public network, do not specify this option.
Description
Use secondary authentication to specify secondary RADIUS authentication/authorization servers for a
RADIUS scheme.
Use undo secondary authentication to remove a secondary RADIUS authentication/authorization server.
By default, no secondary RADIUS authentication/authorization server is specified.
You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS
scheme by executing this command repeatedly. After the configuration, if the primary server fails, the
firewall looks for a secondary server in active state (a secondary RADIUS authentication/authorization
server configured earlier has a higher priority) and tries to communicate with it.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be
of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different
from each other. Otherwise, the configuration fails.
If the specified server resides on a VPN, specify the VPN by using the vpn-instance vpn-instance-name
option.
If you remove a secondary authentication server that is in use in the authentication process, the communication
with that secondary server times out, and the firewall searches for a server in active state again, starting
from the primary server.
NOTE:
• The shared key configured by this command takes precedence over that configured by using the key accounting [ cipher | simple ] key command.
• The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
Related commands: key, state, and vpn-instance (RADIUS scheme view).
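The server-selection and configuration rules described above (the 16-server limit, distinct primary/secondary addresses, matching IP versions for authentication and accounting servers, the FIPS key rule, and "primary first, then secondaries in the order configured, skipping servers that are not active") can be checked offline before a scheme is pushed to the firewall. The following Python model is an added example, not code from the HP/H3C command reference: the class names, the `"active"`/`"block"` state strings (modeled on the state command) and the primary address 10.110.1.10 are constructed for illustration.

```python
"""Offline model of the RADIUS scheme rules documented for 'secondary authentication'.

Added example, not part of the command reference. It validates a scheme the way the
firewall is documented to, and shows which server would be tried next on failover.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

MAX_SECONDARY = 16  # documented limit: up to 16 secondary servers per scheme


@dataclass
class RadiusServer:
    ip: str
    port: int = 1812
    key: str = ""
    state: str = "active"          # "active" or "block" (assumed names, after the state command)
    vpn_instance: Optional[str] = None


@dataclass
class RadiusScheme:
    name: str
    primary: Optional[RadiusServer] = None
    secondaries: List[RadiusServer] = field(default_factory=list)
    accounting: List[RadiusServer] = field(default_factory=list)


def fips_key_ok(key: str) -> bool:
    """FIPS-mode rule: at least 8 characters containing uppercase letters,
    lowercase letters, digits and special characters."""
    return (len(key) >= 8
            and re.search(r"[A-Z]", key) is not None
            and re.search(r"[a-z]", key) is not None
            and re.search(r"[0-9]", key) is not None
            and re.search(r"[^A-Za-z0-9]", key) is not None)


def add_secondary(scheme: RadiusScheme, server: RadiusServer,
                  fips_mode: bool = False) -> List[str]:
    """Apply the documented checks; return the reasons the command would fail
    (an empty list means the server was accepted and appended)."""
    errors = []
    if len(scheme.secondaries) >= MAX_SECONDARY:
        errors.append("at most 16 secondary authentication/authorization servers per scheme")
    configured = [s.ip for s in ([scheme.primary] if scheme.primary else []) + scheme.secondaries]
    if server.ip in configured:
        errors.append("primary and secondary authentication server addresses must differ")
    if scheme.accounting:
        acct_version = ipaddress.ip_address(scheme.accounting[0].ip).version
        if ipaddress.ip_address(server.ip).version != acct_version:
            errors.append("authentication and accounting servers must use the same IP version")
    if fips_mode and not fips_key_ok(server.key):
        errors.append("FIPS mode: key needs >= 8 chars with upper, lower, digit and special characters")
    if not errors:
        scheme.secondaries.append(server)
    return errors


def next_server(scheme: RadiusScheme, failed: List[str] = ()) -> Optional[RadiusServer]:
    """Server the firewall tries: the primary first, then the secondaries in the
    order they were configured (earlier = higher priority), skipping servers that
    are not in active state or that already failed in this attempt."""
    candidates = ([scheme.primary] if scheme.primary else []) + scheme.secondaries
    for s in candidates:
        if s.state == "active" and s.ip not in failed:
            return s
    return None


def demo() -> List[str]:
    """Walk the radius2 example from the page (plus a constructed primary)."""
    scheme = RadiusScheme("radius2", primary=RadiusServer("10.110.1.10", key="hello"))
    add_secondary(scheme, RadiusServer("10.110.1.1", key="hello"))
    add_secondary(scheme, RadiusServer("10.110.1.2", key="hello"))
    order = []
    tried: List[str] = []
    while (s := next_server(scheme, tried)) is not None:   # simulate every server failing
        order.append(s.ip)
        tried.append(s.ip)
    return order


if __name__ == "__main__":
    print("failover order:", demo())
```

The `demo()` walk reproduces the documented priority: the primary, then 10.110.1.1 (configured first), then 10.110.1.2. Setting a secondary's `state` to `"block"` removes it from the walk without deleting it, which is the distinction the state command makes on the firewall.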
Examples
# For RADIUS scheme radius1, set the IP address of the secondary authentication/authorization server
to 10.110.1.2, the UDP port to 1812, and the shared key to the ciphertext string IT8Q4sHnitM=, and
specify that the key be displayed in cipher text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 key cipher IT8Q4sHnitM=
# Specify two secondary authentication/authorization servers for RADIUS scheme radius2, with the
server IP addresses 10.110.1.1 and 10.110.1.2 and the UDP port number 1813. Set the shared key to the
plaintext string hello and specify that the key be displayed in plain text.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812 key simple hello
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 key simple hello