R2511-HP MSR Router Series Security Command Reference(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router

121

122

123

124

125

126

127

128

129

130

107

Syntax

secondary authentication ip-address [ port-number | key [ cipher | simple ] key | vpn-instance

vpn-instance-name ] *

undo secondary authentication

Default

No secondary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Default command level

2: System level

Parameters

ip-address: Specifies the IP address of the secondary HWTACACS authentication server in dotted

decimal notation. The default is 0.0.0.0.

port-number: Specifies the service port number of the secondary HWTACACS authentication server. The

value range for the port number is 1 to 65535, and the default is 49.

key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary

HWTACACS authentication server.

• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 373

characters.

• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 255 characters.

• If neither cipher nor simple is specified, you set a plaintext shared key string.

• In FIPS mode, the shared key must contain at least eight characters and the plaintext shared key

string must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS

authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31

characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the secondary HWTACACS authentication server

are the same as those configured on the server.

The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the

configuration fails.

If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance

vpn-instance-name option.

The shared key configured by this command takes precedence over that configured by using the key

authentication [ cipher | simple ] key command.

If you execute the command multiple times, the most recent configuration takes effect.

You can remove an authentication server only when it is not used by any active TCP connection to send

authentication packets is using it. Removing an authentication server only affects authentication

processes that occur after the remove operation.

The VPN specified by this command takes precedence over the VPN specified for the HWTACACS

scheme.