HP 6125G HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 59


The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you remove the primary authentication server while an authentication process is in progress, the communication with the primary server times out, and the switch looks for a server in active state, starting from the new primary server.

With the server status detection feature enabled, the switch sends an authentication request that carries the specified username to the primary server at the specified interval. If the switch receives no response from the server within the time interval specified by the timer response-timeout command, the switch sends the authentication request again.

If the maximum number of retries (specified by the retry command) is reached and the switch still receives no response from the server, the switch considers the server unreachable. If the switch receives a response from the server before the maximum number of retries is reached, the switch considers the server reachable. The switch sets the status of the server to block or active according to the status detection result, regardless of the current status of the server.

For 802.1X authentication, if the status of every server is block, the switch assigns the port connected to an authenticating user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide.

To ensure that the switch can set the server to its actual status, set a longer quiet timer for the primary server with the timer quiet command. If you set a short quiet timer and configure an 802.1X critical VLAN on a port, the switch might frequently change the server status, and the port might frequently join and leave the critical VLAN.

Related commands: key and vpn-instance (RADIUS scheme view).

Examples

# For RADIUS scheme radius1, set the IP address of the primary authentication/authorization server to 10.110.1.1, the UDP port to 1812, and the shared key to hello in plain text.

<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key hello

# In RADIUS scheme radius1, set the username used for status detection of the primary authentication/authorization server to test in plain text, and set the server status detection interval to 120 minutes.

<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 probe username test interval 120
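As an added illustration (this is not HP's code and not part of the manual), the following Python sketch does on the wire what the server status detection described above does from the switch's side: it builds a RADIUS Access-Request (RFC 2865) carrying the probe username, waits the response-timeout for a reply, resends until the attempt budget is exhausted, and then reports active or block from that result alone, ignoring any previous state. It also checks the Response Authenticator, so that only a reply produced with the configured shared key counts as proof that the server is up. The host 10.110.1.1, port 1812, shared key hello and probe username test mirror the example above; the probe password, the reading of retry as a total attempt count, and the use of the User-Password attribute for the probe are assumptions, since the manual does not state them.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server applies it. Trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request: Code, Identifier, Length, 16-byte Request Authenticator, TLV attributes."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """What a genuine server reply looks like (constructed here for illustration):
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Reject anything malformed or not produced with our shared key, so a stray
    datagram cannot be mistaken for a live RADIUS server."""
    if len(response) < 20:
        return False
    header, attrs = response[:4], response[20:]
    if struct.unpack("!BBH", header)[2] != len(response):
        return False
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe_server(host: str, port: int, username: bytes, password: bytes, secret: bytes,
                 response_timeout: float, max_attempts: int) -> str:
    """Send the detection request, wait response_timeout seconds, and resend until
    max_attempts (assumed to correspond to the retry command) is exhausted. Any authentic
    reply, Accept or Reject alike, proves the server is up; the decision ignores the
    state the server held before, exactly as the manual describes."""
    identifier = os.urandom(1)[0]
    authenticator = os.urandom(16)
    packet = build_access_request(identifier, username, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(response_timeout)
        for _ in range(max_attempts):
            sock.sendto(packet, (host, port))
            try:
                data, _peer = sock.recvfrom(4096)
            except OSError:  # timeout or ICMP port-unreachable: send again
                continue
            if response_is_authentic(data, authenticator, secret) and data[1] == identifier:
                return "active"
    return "block"


if __name__ == "__main__":
    # Values mirror the manual's example; the probe password "test" is an assumption.
    print(probe_server("10.110.1.1", 1812, b"test", b"test", b"hello",
                       response_timeout=3.0, max_attempts=3))
```

The worst-case time to declare a server unreachable is max_attempts multiplied by response_timeout; a quiet timer set shorter than that, combined with an 802.1X critical VLAN, is what produces the server-status and VLAN flapping the text warns about, so size timer quiet generously relative to that product.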
radius client

Syntax

radius client enable

undo radius client