primary authentication (RADIUS scheme view)

Syntax

primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] ] *

undo primary authentication

View

RADIUS scheme view

Default level

2: System level

Parameters

ipv4-address: Specifies the IPv4 address of the primary authentication/authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary authentication/authorization server.

port-number: Specifies the service port number of the primary RADIUS authentication/authorization server, which is a UDP port number in the range of 1 to 65535 and defaults to 1812.

key [ cipher | simple ] key: Sets the shared key for secure communication with the primary RADIUS authentication/authorization server.

probe username: Enables the switch to detect the status of the primary RADIUS authentication/authorization server.

username name: Specifies the username in the authentication request that is used to detect the status of the primary RADIUS authentication/authorization server.

interval interval: Specifies the interval, in minutes, between two server status detections. The value ranges from 1 to 3600 and defaults to 60.

Description

Use primary authentication to specify the primary RADIUS authentication/authorization server.

Use undo primary authentication to remove the configuration.

By default, no primary RADIUS authentication/authorization server is specified.

Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.

The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.

The IP addresses of the primary and secondary authentication/authorization servers must be different from each other and use the same IP version. Otherwise, the configuration fails.

The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command.

If you remove the primary authentication server while an authentication process is in progress, the communication with the primary server times out, and the switch looks for a server in active state, starting from the new primary server.

With the server status detection feature enabled, the switch sends an authentication request that carries the specified username to the primary server at the specified interval. If the switch receives no response from the server within the time interval specified by the timer response-timeout command, the switch sends the authentication request again.

If the maximum number of retries (specified by the retry command) is reached and the switch still receives no response from the server, the switch considers the server unreachable. If the switch receives a response from the server before the maximum number of retries is reached, the switch considers the server reachable. The switch sets the status of the server to block or active according to the status detection result, regardless of the current status of the server.
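The status probe described above, as an added example that is not Comware code: a Python model that builds the Access-Request the probe carries (User-Name plus the RFC 2865 User-Password hiding that depends on the shared key, which is why the key must match on both sides) and applies the retry/response-timeout rule that decides between active and block. The transport is injected so it runs offline; the probe password, identifier and authenticator are constructed values, and reading retry as the number of retransmissions after the first send is an assumption.

```python
import hashlib
import struct

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    # RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    # MD5(secret + previous block), seeded with the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_probe_request(secret: bytes, username: bytes, password: bytes,
                        ident: int, authenticator: bytes) -> bytes:
    # Access-Request (code 1) with User-Name (type 1) and User-Password (type 2).
    # A real client draws `authenticator` from os.urandom(16); it is a parameter
    # here so the output is reproducible.
    attrs = struct.pack("BB", 1, 2 + len(username)) + username
    hidden = hide_password(secret, authenticator, password)
    attrs += struct.pack("BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def probe_status(send, retries: int) -> str:
    # send(attempt) transmits the probe, waits one response-timeout and returns
    # True if a reply arrived. Attempt 0 is the first transmission; `retries`
    # retransmissions may follow (assumed reading of the retry command).
    # A reply within the limit -> "active", none -> "block"; the switch applies
    # the result regardless of the server's previous status.
    for attempt in range(retries + 1):
        if send(attempt):
            return "active"
    return "block"

if __name__ == "__main__":
    # Constructed values: key "hello" and username "test" from the page's
    # examples; probe password, identifier and authenticator are placeholders.
    pkt = build_probe_request(b"hello", b"test", b"probe-pw", 7, bytes(range(16)))
    print(len(pkt), pkt[:4].hex())  # 44 0107002c
    answers_on = {2}  # simulated server that replies only to the third transmission
    print(probe_status(lambda a: a in answers_on, retries=3))  # active
    print(probe_status(lambda a: a in answers_on, retries=1))  # block
```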

For 802.1X authentication, if the status of every server is block, the switch assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide.

To ensure that the switch can set the server to its actual status, set a longer quiet timer for the primary server with the timer quiet command. If you set a short quiet timer and configure an 802.1X critical VLAN on a port, the switch might frequently change the server status, and the port might frequently join and leave the critical VLAN.

Related commands: key.

Examples

# For RADIUS scheme radius1, set the IP address of the primary authentication/authorization server to 10.110.1.1, the UDP port to 1812, and the shared key to hello in plain text.

<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key hello

# In RADIUS scheme radius1, set the username used for status detection of the primary authentication/authorization server to test in plain text, and set the server status detection interval to 120 minutes.

<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 probe username test interval 120