HP MSR2000/3000/4000 Router Series Security Command Reference
77
Parameters
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server.
port-number: Specifies the service port number of the secondary HWTACACS authentication server, a
TCP port number in the range of 1 to 65535. The default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary
HWTACACS authentication server.
• cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
{ In non-FIPS mode, the shared key is a string of 1 to 373 characters.
{ In FIPS mode, the shared key is a string of 15 to 373 characters.
• simple string: Sets a plaintext shared key. The string argument is case sensitive.
{ In non-FIPS mode, the shared key is a string of 1 to 255 characters.
{ In FIPS mode, the shared key is a string of 15 to 255 characters that must contain digits,
uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS
authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
If the server is on the public network, do not specify this option.
Usage guidelines
Make sure that the port number and shared key settings of each secondary HWTACACS authentication
server are the same as those configured on the corresponding server.
You can configure up to 16 secondary HWTACACS authentication servers for an HWTACACS scheme.
With the configuration, if the primary server fails, the device looks for a secondary server in active state
(a secondary HWTACACS authentication server configured earlier has a higher priority) and tries to
communicate with it.
If you use the undo secondary authentication command without specifying any parameter, the command
removes all secondary authentication servers.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP
address, port number, and VPN settings.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance
vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified
for the HWTACACS scheme.
You can remove an authentication server only when it is not used for user authentication. Removing an
authentication server affects only authentication processes that occur after the remove operation.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in
ciphertext.
Examples
# Specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and
plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple
123456TESTauth&!