HP 6125G HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 70
Description, vpn-instance-name, Security Configuration Guide
View all HP 6125G manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 70 highlights
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication/authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Description Use secondary authentication to specify secondary RADIUS authentication/authorization servers for a RADIUS scheme. Use undo secondary authentication to remove a secondary RADIUS authentication/authorization server. By default, no secondary RADIUS authentication/authorization server is specified. Make sure the port number and shared key settings of the secondary RADIUS authentication/authorization server are the same as those configured on the server. You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS scheme by executing this command repeatedly. After the configuration, if the primary server fails, the switch looks for a secondary server in active state (a secondary RADIUS authentication/authorization server configured earlier has a higher priority) and tries to communicate with it. The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version. The IP addresses of the primary and secondary authentication/authorization servers must be different from each other and use the same IP version. Otherwise, the configuration fails. The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command. If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. If you remove a secondary authentication server in use in the authentication process, the communication with the secondary server times out, and the switch looks for a server in active state from the primary server on. For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text. With the server status detection feature enabled, the switch sends an authentication request that carries the specified username to the secondary server at the specified interval. If the switch receives no response from the server within the time interval specified by the timer response-timeout command, the switch sends the authentication request again. If the maximum number of retries (specified by the retry command) is reached and the switch still receives no response from the server, the switch considers the server as unreachable. If the switch receives a response from the server before the maximum number of retries is reached, the switch considers the server as reachable. The switch sets the status of the server to block or active according to the status detection result, regardless of the current status of the server. For 802.1X authentication, if the status of every server is block, the switch assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide. To ensure that the switch can set the server to its actual status, set a longer quiet timer for the secondary server with the timer quiet command. If you set a short quiet timer and configure 802.1X critical VLAN on a port, the switch might frequently change the server status, and the port might frequently join and leave the critical VLAN. Related commands: key, state, and vpn-instance (RADIUS scheme view). 61