secondary authentication (RADIUS scheme view)
Syntax
secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] ] *
undo secondary authentication [ ipv4-address | ipv6 ipv6-address ]
View
RADIUS scheme view
Default level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the secondary authentication/authorization server, in dotted decimal notation.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary authentication/authorization server.
port-number: Specifies the service port number of the secondary RADIUS authentication/authorization server, which is a UDP port number in the range of 1 to 65535 and defaults to 1812.
key [ cipher | simple ] key: Sets the shared key for secure communication with the secondary RADIUS authentication/authorization server.
cipher key: Sets a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 117 characters in non-FIPS mode and 8 to 117 characters in FIPS mode.
simple key: Sets a plaintext shared key, which is a case-sensitive string of 1 to 64 characters in non-FIPS mode and 8 to 64 characters that must include numbers, uppercase letters, lowercase letters, and special characters in FIPS mode.
If neither cipher nor simple is specified, you set a plaintext shared key string.
probe username: Enables the switch to detect the status of the secondary RADIUS authentication/authorization server.
username name: Specifies the username in the authentication request that is used to detect the status of the secondary RADIUS authentication/authorization server.
interval interval: Specifies the interval between two server status detections, in minutes. The value ranges from 1 to 3600 and defaults to 60.
Description
Use secondary authentication to specify a secondary RADIUS authentication/authorization server for a RADIUS scheme.
Use undo secondary authentication to remove a secondary RADIUS authentication/authorization server.
By default, no secondary RADIUS authentication/authorization server is specified.
Make sure the port number and shared key settings of a secondary RADIUS authentication/authorization server are the same as those configured on the server.
You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS scheme. If the primary server fails, the switch tries to communicate with a secondary server in active state. The switch connects to the secondary servers in the order they are configured.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different from each other and use the same IP version. Otherwise, the configuration fails.
The shared key configured by using this command takes precedence over the shared key configured by using the key authentication [ cipher | simple ] key command. For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.
If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary RADIUS authentication/authorization servers from the scheme.
If you remove a secondary authentication server that is in use in the authentication process, the communication with that secondary server times out, and the switch looks for a server in active state again, starting from the primary server.
With the server status detection feature enabled, the switch sends an authentication request that carries the specified username to the secondary server at the specified interval. If the switch receives no response from the server within the time interval specified by the timer response-timeout command, the switch sends the authentication request again.
If the maximum number of retries (specified by the retry command) is reached and the switch still receives no response from the server, the switch considers the server as unreachable. If the switch receives a response from the server before the maximum number of retries is reached, the switch considers the server as reachable. The switch sets the status of the server to block or active according to the status detection result, regardless of the current status of the server.
For 802.1X authentication, if the status of every server is block, the switch assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide.
To ensure that the switch can set the server to its actual status, set a longer quiet timer for the secondary server with the timer quiet command. If you set a short quiet timer and configure 802.1X critical VLAN on a port, the switch might frequently change the server status, and the port might frequently join and leave the critical VLAN.
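The server selection order (primary first, then the secondary servers in configured order, skipping those in block state) and the probe-based status detection (one authentication request, retransmitted on timeout up to the retry limit, after which the status is set to block or active regardless of its current value) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not Comware code and does not speak RADIUS. The probe transport is replaced by a caller-supplied callback that returns True when the server answered within the response timeout, the `retry` default of 3 is an assumption standing in for whatever the `retry` command sets, and the addresses in the demo scenario are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Callable, List, Optional

MAX_SECONDARY = 16  # per the page: up to 16 secondary servers per RADIUS scheme


@dataclass
class RadiusServer:
    address: str
    port: int = 1812          # default authentication UDP port per the page
    status: str = "active"    # "active" or "block", as set by status detection


@dataclass
class RadiusScheme:
    name: str
    primary: Optional[RadiusServer] = None
    secondaries: List[RadiusServer] = field(default_factory=list)
    # Assumed retransmission limit, standing in for the value set by the `retry` command.
    retry: int = 3

    def _addresses(self) -> List[str]:
        servers = ([self.primary] if self.primary else []) + self.secondaries
        return [s.address for s in servers]

    def check_secondary(self, address: str) -> Optional[str]:
        """Return the reason a `secondary authentication` line would be rejected, or None."""
        if len(self.secondaries) >= MAX_SECONDARY:
            return f"scheme {self.name}: at most {MAX_SECONDARY} secondary servers"
        existing = self._addresses()
        if address in existing:
            return "primary and secondary server addresses must differ"
        if existing and ip_address(address).version != ip_address(existing[0]).version:
            return "all authentication servers must use the same IP version"
        return None

    def add_secondary(self, address: str, port: int = 1812) -> RadiusServer:
        reason = self.check_secondary(address)
        if reason:
            raise ValueError(reason)
        server = RadiusServer(address, port)
        self.secondaries.append(server)
        return server

    def probe(self, server: RadiusServer, answered: Callable[[RadiusServer], bool]) -> str:
        """One status-detection round: send the probe authentication request,
        retransmit on timeout up to `retry` times, then set the status from the
        result regardless of the server's current status."""
        for _ in range(1 + self.retry):
            if answered(server):
                server.status = "active"
                return server.status
        server.status = "block"
        return server.status

    def select_server(self, primary_reachable: bool) -> Optional[RadiusServer]:
        """Primary first; if it fails, the first secondary in configured order whose
        status is active. None means every server is blocked, the case in which
        802.1X falls back to the critical VLAN."""
        if self.primary and self.primary.status == "active" and primary_reachable:
            return self.primary
        for s in self.secondaries:
            if s.status == "active":
                return s
        return None


def demo():
    """Constructed scenario: primary down, first secondary silent,
    second secondary answers only on its last retransmission."""
    scheme = RadiusScheme("radius2", primary=RadiusServer("10.110.1.10"))
    s1 = scheme.add_secondary("10.110.1.1")
    s2 = scheme.add_secondary("10.110.1.2")
    scheme.probe(s1, lambda _srv: False)              # never answers -> block
    answers = iter([False, False, False, True])
    scheme.probe(s2, lambda _srv: next(answers))      # answers on the 4th send -> active
    chosen = scheme.select_server(primary_reachable=False)
    return s1.status, s2.status, chosen.address if chosen else None


if __name__ == "__main__":
    print(demo())  # ('block', 'active', '10.110.1.2')
```

The point worth noticing in `probe` is the last line of each branch: the result overwrites whatever status the server had, which is exactly why the page recommends a longer quiet timer when a critical VLAN is configured, since each detection round can flip a server between block and active.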
Related commands: key.
Examples
# Specify two secondary authentication/authorization servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1813. Set the shared keys to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812 key simple hello
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 key simple hello
# In RADIUS scheme radius1, set the username used for status detection of the secondary authentication/authorization server to test in plain text, and set the server status detection interval to 120 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.1 probe username test interval 120