secondary authorization

Syntax

secondary authorization ip-address [ port-number | key [ cipher | simple ] key ] *

undo secondary authorization [ ip-address ]

View

HWTACACS scheme view

Default level

2: System level

Parameters

ip-address: Specifies the IP address of the secondary HWTACACS authorization server, in dotted decimal notation. The default setting is 0.0.0.0.

port-number: Specifies the service port number of the secondary HWTACACS authorization server. It ranges from 1 to 65535 and defaults to 49.

key [ cipher | simple ] key: Sets the shared key for secure communication with the secondary HWTACACS authorization server.

cipher key: Sets a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 373 characters in non-FIPS mode and 8 to 373 characters in FIPS mode.
simple key: Sets a plaintext shared key, which is a case-sensitive string of 1 to 255 characters in non-FIPS mode and 8 to 255 characters that must include numbers, uppercase letters, lowercase letters, and special characters in FIPS mode.
If neither cipher nor simple is specified, you set a plaintext shared key string.

Description

Use secondary authorization to specify a secondary HWTACACS authorization server.

Use undo secondary authorization to remove a secondary HWTACACS authorization server.

By default, no secondary HWTACACS authorization server is specified.

You can configure up to 16 secondary HWTACACS authorization servers for an HWTACACS scheme. If the primary server fails, the switch tries to communicate with a secondary server in active state. The switch connects to the secondary servers in the order they are configured.

The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.

Make sure the port number and shared key settings of a secondary HWTACACS authorization server are the same as those configured on the server.

The shared key configured by using this command takes precedence over the shared key configured by using the key authorization [ cipher | simple ] key command. For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text.

You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server affects only authorization processes that occur after the remove operation.

If you do not specify the ip-address argument for the undo secondary authorization command, the command removes all secondary HWTACACS authorization servers from the scheme.

Related commands: display hwtacacs.

Examples

# Configure the secondary authorization server 10.163.155.13 with TCP port number 49.

<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49

prev	up	next
secondary authentication (HWTACACS scheme view)	home	stop-accounting-buffer enable (HWTACACS scheme view)