Home » HP Manuals » Servers » HP 6125G » Manual Viewer

HP 6125G HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 70

Description, vpn-instance-name, Security Configuration Guide

Add to My Manuals
Save this manual to your list of manuals

Page 70 highlights

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication/authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Description Use secondary authentication to specify secondary RADIUS authentication/authorization servers for a RADIUS scheme. Use undo secondary authentication to remove a secondary RADIUS authentication/authorization server. By default, no secondary RADIUS authentication/authorization server is specified. Make sure the port number and shared key settings of the secondary RADIUS authentication/authorization server are the same as those configured on the server. You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS scheme by executing this command repeatedly. After the configuration, if the primary server fails, the switch looks for a secondary server in active state (a secondary RADIUS authentication/authorization server configured earlier has a higher priority) and tries to communicate with it. The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version. The IP addresses of the primary and secondary authentication/authorization servers must be different from each other and use the same IP version. Otherwise, the configuration fails. The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command. If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. If you remove a secondary authentication server in use in the authentication process, the communication with the secondary server times out, and the switch looks for a server in active state from the primary server on. For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text. With the server status detection feature enabled, the switch sends an authentication request that carries the specified username to the secondary server at the specified interval. If the switch receives no response from the server within the time interval specified by the timer response-timeout command, the switch sends the authentication request again. If the maximum number of retries (specified by the retry command) is reached and the switch still receives no response from the server, the switch considers the server as unreachable. If the switch receives a response from the server before the maximum number of retries is reached, the switch considers the server as reachable. The switch sets the status of the server to block or active according to the status detection result, regardless of the current status of the server. For 802.1X authentication, if the status of every server is block, the switch assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide. To ensure that the switch can set the server to its actual status, set a longer quiet timer for the secondary server with the timer quiet command. If you set a short quiet timer and configure 802.1X critical VLAN on a port, the switch might frequently change the server status, and the port might frequently join and leave the critical VLAN. Related commands: key, state, and vpn-instance (RADIUS scheme view). 61

Section	Page
Title Page	1
Security Command Reference	3
AAA configuration commands	10
General AAA configuration commands	10
aaa nas-id profile	10
access-limit enable	10
accounting command	11
accounting default	12
accounting lan-access	12
accounting login	13
accounting optional	14
authentication default	15
authentication lan-access	16
authentication login	16
authentication super	17
authorization command	18
authorization default	19
authorization lan-access	20
authorization login	21
authorization-attribute user-profile	22
cut connection	22
display connection	23
display domain	26
domain	28
domain default enable	29
idle-cut enable	29
nas-id bind vlan	30
self-service-url enable	31
state (ISP domain view)	31
Local user configuration commands	32
access-limit	32
authorization-attribute (local user view/user group view)	33
bind-attribute	34
display local-user	35
display user-group	37
expiration-date (local user view)	39
group	39
group-attribute allow-guest	40
local-user	40
password (local user view)	41
service-type	42
state (local user view)	43
user-group	44
validity-date	44
RADIUS configuration commands	45
accounting-on enable	45
attribute 25 car	46
data-flow-format (RADIUS scheme view)	46
display radius scheme	47
display radius statistics	50
display stop-accounting-buffer (for RADIUS)	53
key (RADIUS scheme view)	54
nas-ip (RADIUS scheme view)	55
primary accounting (RADIUS scheme view)	56
primary authentication (RADIUS scheme view)	58
radius client	59
radius dscp	60
radius ipv6 dscp	61
radius nas-ip	61
radius scheme	62
radius trap	63
reset radius statistics	64
reset stop-accounting-buffer (for RADIUS)	64
retry	65
retry realtime-accounting	66
retry stop-accounting (RADIUS scheme view)	67
secondary accounting (RADIUS scheme view)	67
secondary authentication (RADIUS scheme view)	69
security-policy-server	71
server-type	72
state primary	72
state secondary	73
stop-accounting-buffer enable (RADIUS scheme view)	74
timer quiet (RADIUS scheme view)	75
timer realtime-accounting (RADIUS scheme view)	75
timer response-timeout (RADIUS scheme view)	76
user-name-format (RADIUS scheme view)	77
vpn-instance (RADIUS scheme view)	78
HWTACACS configuration commands	79
data-flow-format (HWTACACS scheme view)	79
display hwtacacs	79
display stop-accounting-buffer (for HWTACACS)	83
hwtacacs nas-ip	83
hwtacacs scheme	84
key (HWTACACS scheme view)	85
nas-ip (HWTACACS scheme view)	86
primary accounting (HWTACACS scheme view)	87
primary authentication (HWTACACS scheme view)	88
primary authorization	89
reset hwtacacs statistics	90
reset stop-accounting-buffer (for HWTACACS)	90
retry stop-accounting (HWTACACS scheme view)	91
secondary accounting (HWTACACS scheme view)	91
secondary authentication (HWTACACS scheme view)	92
secondary authorization	93
stop-accounting-buffer enable (HWTACACS scheme view)	94
timer quiet (HWTACACS scheme view)	95
timer realtime-accounting (HWTACACS scheme view)	95
timer response-timeout (HWTACACS scheme view)	96
user-name-format (HWTACACS scheme view)	97
vpn-instance (HWTACACS scheme view)	98
802.1X configuration commands	99
display dot1x	99
dot1x	102
dot1x authentication-method	103
dot1x auth-fail vlan	105
dot1x critical vlan	105
dot1x critical recovery-action	107
dot1x domain-delimiter	107
dot1x guest-vlan	108
dot1x handshake	110
dot1x handshake secure	110
dot1x mandatory-domain	111
dot1x max-user	112
dot1x multicast-trigger	113
dot1x port-control	114
dot1x port-method	115
dot1x quiet-period	116
dot1x re-authenticate	116
dot1x retry	117
dot1x timer	118
dot1x unicast-trigger	119
reset dot1x statistics	120
EAD fast deployment configuration commands	121
dot1x free-ip	121
dot1x timer ead-timeout	121
dot1x url	122
MAC authentication configuration commands	124
display mac-authentication	124
mac-authentication	126
mac-authentication domain	127
mac-authentication max-user	128
mac-authentication timer	129
mac-authentication user-name-format	129
reset mac-authentication statistics	131
Port security configuration commands	132
display port-security	132
display port-security mac-address block	135
display port-security mac-address security	136
port-security authorization ignore	138
port-security enable	139
port-security intrusion-mode	139
port-security mac-address aging-type inactivity	140
port-security mac-address dynamic	141
port-security mac-address security	142
port-security max-mac-count	143
port-security ntk-mode	144
port-security oui	145
port-security port-mode	146
port-security timer autolearn aging	148
port-security timer disableport	148
port-security trap	149
User profile configuration commands	151
display user-profile	151
user-profile enable	152
user-profile	152
Password control configuration commands	154
display password-control	154
display password-control blacklist	155
password	156
password-control { aging \| composition \| history \| length } enable	157
password-control aging	158
password-control alert-before-expire	159
password-control authentication-timeout	160
password-control complexity	160
password-control composition	161
password-control enable	162
password-control expired-user-login	162
password-control history	163
password-control length	164
password-control login idle-time	165
password-control login-attempt	165
password-control password update interval	167
password-control super aging	167
password-control super composition	168
password-control super length	168
reset password-control blacklist	169
reset password-control history-record	169
Public key configuration commands	171
display public-key local public	171
display public-key peer	172
peer-public-key end	174
public-key-code begin	174
public-key-code end	175
public-key local create	176
public-key local destroy	177
public-key local export dsa	178
public-key local export rsa	179
public-key peer	180
public-key peer import sshkey	180
PKI configuration commands	182
attribute	182
ca identifier	183
certificate request entity	183
certificate request from	184
certificate request mode	184
certificate request polling	185
certificate request url	186
common-name	187
country	187
crl check	188
crl update-period	188
crl url	189
display pki certificate	189
display pki certificate access-control-policy	191
display pki certificate attribute-group	192
display pki crl domain	193
fqdn	194
ip (PKI entity view)	195
ldap-server	196
locality	196
organization	197
organization-unit	197
pki certificate access-control-policy	198
pki certificate attribute-group	198
pki delete-certificate	199
pki domain	200
pki entity	200
pki import-certificate	201
pki request-certificate domain	201
pki retrieval-certificate	202
pki retrieval-crl domain	203
pki validate-certificate	203
root-certificate fingerprint	204
rule (PKI CERT ACP view)	205
state	205
SSH2.0 configuration commands	207
SSH2.0 server configuration commands	207
display ssh server	207
display ssh user-information	208
ssh server authentication-retries	209
ssh server authentication-timeout	210
ssh server compatible-ssh1x	211
ssh server dscp	211
ssh server enable	212
ssh server ipv6 dscp	212
ssh server rekey-interval	213
ssh user	214
SSH2.0 client configuration commands	215
display ssh client source	215
display ssh server-info	216
ssh client authentication server	217
ssh client dscp	217
ssh client first-time	218
ssh client ipv6 dscp	219
ssh client ipv6 source	219
ssh client source	220
ssh2	221
ssh2 ipv6	222
SFTP configuration commands	224
SFTP server configuration commands	224
sftp server enable	224
sftp server idle-timeout	224
SFTP client configuration commands	225
bye	225
cd	225
cdup	226
delete	226
dir	227
display sftp client source	228
exit	228
get	229
help	229
ls	230
mkdir	231
put	231
pwd	232
quit	232
remove	233
rename	233
rmdir	234
sftp	234
sftp client dscp	235
sftp client ipv6 dscp	236
sftp client ipv6 source	236
sftp client source	237
sftp ipv6	238
SCP configuration commands	240
SCP client configuration commands	240
scp	240
SSL configuration commands	242
ciphersuite	242
client-verify enable	243
client-verify weaken	243
close-mode wait	244
display ssl client-policy	245
display ssl server-policy	246
handshake timeout	247
pki-domain	248
prefer-cipher	248
server-verify enable	249
session	250
ssl client-policy	251
ssl server-policy	251
version	252
TCP attack protection configuration commands	253
display tcp status	253
tcp syn-cookie enable	254
IP source guard configuration commands	255
display ip source binding	255
ip source binding	256
ip verify source	257
ip verify source max-entries	258
ARP attack protection configuration commands	260
ARP defense against IP packet attacks configuration commands	260
arp resolving-route enable	260
arp source-suppression enable	260
arp source-suppression limit	261
display arp source-suppression	261
ARP packet rate limit configuration commands	262
arp rate-limit	262
Source MAC address based ARP attack detection configuration commands	263
arp anti-attack source-mac	263
arp anti-attack source-mac aging-time	264
arp anti-attack source-mac exclude-mac	264
arp anti-attack source-mac threshold	265
display arp anti-attack source-mac	266
ARP packet source mac address consistency check configuration commands	267
arp anti-attack valid-check enable	267
ARP active acknowledgement configuration commands	267
arp anti-attack active-ack enable	267
ARP detection configuration commands	268
arp detection	268
arp detection enable	269
arp detection trust	270
arp detection validate	270
arp restricted-forwarding enable	271
display arp detection	271
display arp detection statistics	272
reset arp detection statistics	273
ARP automatic scanning and fixed ARP configuration commands	274
arp fixup	274
arp scan	274
ARP gateway protection configuration commands	275
arp filter source	275
ARP filtering configuration commands	276
arp filter binding	276
ND attack defense configuration commands	278
ipv6 nd mac-check enable	278
URPF configuration commands	279
ip urpf strict	279
MFF configuration commands	280
display mac-forced-forwarding interface	280
display mac-forced-forwarding vlan	280
mac-forced-forwarding	282
mac-forced-forwarding gateway probe	282
mac-forced-forwarding network-port	283
mac-forced-forwarding server	284
Support and other resources	285
Contacting HP	285
Subscription service	285
Related information	285
Documents	285
Websites	285
Conventions	286
Command conventions	286
GUI conventions	286
Symbols	286
Network topology icons	287
Port numbering in examples	287

Match case Limit results 1 per page

vpn-instance

vpn-instance-name

: Specifies the MPLS L3VPN to which the secondary RADIUS

authentication/authorization server belongs, where

vpn-instance-name

is a case-sensitive string of 1 to

31 characters. If the server is on the public network, do not specify this option.

Description

Use

secondary authentication

to specify secondary RADIUS authentication/authorization servers for a

RADIUS scheme.

Use

undo secondary authentication

to remove a secondary RADIUS authentication/authorization server.

By default, no secondary RADIUS authentication/authorization server is specified.

Make

sure

the

port

number

and

shared

key

settings

the

secondary

RADIUS

authentication/authorization server are the same as those configured on the server.

You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS

scheme by executing this command repeatedly. After the configuration, if the primary server fails, the

switch looks for a secondary server in active state (a secondary RADIUS authentication/authorization

server configured earlier has a higher priority) and tries to communicate with it.

The IP addresses of the authentication/authorization servers and those of the accounting servers must be

of the same IP version.

The IP addresses of the primary and secondary authentication/authorization servers must be different

from each other and use the same IP version. Otherwise, the configuration fails.

The shared key configured by this command takes precedence over that configured by using the

key

authentication

[

cipher

simple

]

key

command.

If the specified server resides on an MPLS VPN, specify the VPN by using the

vpn-instance

vpn-instance-name

option. The VPN specified by this command takes precedence over the VPN specified

for the RADIUS scheme.

If you remove a secondary authentication server in use in the authentication process, the communication

with the secondary server times out, and the switch looks for a server in active state from the primary

server on.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

With the server status detection feature enabled, the switch sends an authentication request that carries

the specified username to the secondary server at the specified interval. If the switch receives no response

from the server within the time interval specified by the

timer response-timeout

command, the switch

sends the authentication request again.

If the maximum number of retries (specified by the

retry

command) is reached and the switch still receives

no response from the server, the switch considers the server as unreachable. If the switch receives a

response from the server before the maximum number of retries is reached, the switch considers the

server as reachable. The switch sets the status of the server to

block

active

according to the status

detection result, regardless of the current status of the server.

For 802.1X authentication, if the status of every server is

block

, the switch assigns the port connected to

an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X

critical VLAN, see

Security Configuration Guide

To ensure that the switch can set the server to its actual status, set a longer quiet timer for the secondary

server with the

timer quiet

command. If you set a short quiet timer and configure 802.1X critical VLAN on

a port, the switch might frequently change the server status, and the port might frequently join and leave

the critical VLAN.

Related commands:

key

state

, and

vpn-instance

(RADIUS scheme view).

HP 6125G HP 6125G &amp; 6125G/XG Blade Switches Security Command Reference - Page 70

Description, vpn-instance-name, Security Configuration Guide

Page 70 highlights

HP 6125G HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 70