secondary authentication (RADIUS scheme view)

Syntax

secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] ] *

undo secondary authentication [ ipv4-address | ipv6 ipv6-address ]

View

RADIUS scheme view

Default level

2: System level

Parameters

ipv4-address: Specifies the IPv4 address of the secondary authentication/authorization server, in dotted decimal notation.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary authentication/authorization server.

port-number: Specifies the service port number of the secondary RADIUS authentication/authorization server, which is a UDP port number in the range of 1 to 65535 and defaults to 1812.

key [ cipher | simple ] key: Sets the shared key for secure communication with the secondary RADIUS authentication/authorization server.

probe username: Enables the switch to detect the status of the secondary RADIUS authentication/authorization server.

username name: Specifies the username in the authentication request that is used to detect the status of the secondary RADIUS authentication/authorization server.

interval interval: Specifies the interval between two server status detections. The value is in minutes, ranges from 1 to 3600, and defaults to 60.

Description

Use secondary authentication to specify secondary RADIUS authentication/authorization servers for a RADIUS scheme.

Use undo secondary authentication to remove a secondary RADIUS authentication/authorization server.

By default, no secondary RADIUS authentication/authorization server is specified.

Make sure the port number and shared key settings of the secondary RADIUS authentication/authorization server are the same as those configured on the server.

You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS scheme by executing this command repeatedly. After the configuration, if the primary server fails, the switch looks for a secondary server in active state (a secondary RADIUS authentication/authorization server configured earlier has a higher priority) and tries to communicate with it.

The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.

The IP addresses of the primary and secondary authentication/authorization servers must be different from each other and use the same IP version. Otherwise, the configuration fails.
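The limits stated above can be checked before a configuration is pushed to the switch. The following Python sketch is an added example, not part of the command reference or of the switch software: it parses secondary authentication lines according to the Syntax section and reports violations of the documented limits. The function names, the sample lines, and passing the primary server address as an argument are assumptions made for illustration.

```python
import ipaddress

def parse_secondary(line):
    """Parse one 'secondary authentication' command per the Syntax section."""
    tok = line.split()
    if tok[:2] != ["secondary", "authentication"]:
        raise ValueError("not a secondary authentication command")
    i = 3 if tok[2] == "ipv6" else 2
    srv = {"addr": ipaddress.ip_address(tok[i]), "port": 1812, "interval": None}
    i += 1
    while i < len(tok):
        if tok[i] == "key":                       # key [ cipher | simple ] key
            i += 3 if tok[i + 1:i + 2] in (["cipher"], ["simple"]) else 2
        elif tok[i:i + 2] == ["probe", "username"]:
            has_iv = tok[i + 3:i + 4] == ["interval"]
            srv["interval"] = int(tok[i + 4]) if has_iv else 60  # default 60 min
            i += 5 if has_iv else 3
        elif tok[i].isdigit():
            srv["port"] = int(tok[i])
            i += 1
        else:
            raise ValueError(f"unexpected token {tok[i]!r}")
    return srv

def audit(primary, lines):
    """Return findings; `primary` is supplied by the caller (assumption)."""
    primary = ipaddress.ip_address(primary)
    findings, seen = [], {primary}
    if len(lines) > 16:
        findings.append("more than 16 secondary servers")
    for s in map(parse_secondary, lines):
        a = s["addr"]
        if a.version != primary.version:
            findings.append(f"{a}: IP version differs from primary")
        if a in seen:
            findings.append(f"{a}: address already used by another server")
        seen.add(a)
        if not 1 <= s["port"] <= 65535:
            findings.append(f"{a}: port {s['port']} out of range 1-65535")
        if s["interval"] is not None and not 1 <= s["interval"] <= 3600:
            findings.append(f"{a}: probe interval {s['interval']} out of range 1-3600")
    return findings

SAMPLE = [  # constructed sample input, not taken from a real device
    "secondary authentication 10.110.1.2 1812 key simple hello",
    "secondary authentication ipv6 2001:db8::1 key cipher abc",
    "secondary authentication 10.110.1.1 probe username test interval 7200",
]
```

Calling audit("10.110.1.1", SAMPLE) reports the IPv6 server, the secondary that reuses the primary address, and the out-of-range probe interval.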

The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command.

If you remove a secondary authentication server that is in use in the authentication process, the communication with that secondary server times out, and the switch looks for a server in active state, starting from the primary server.

For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text to the configuration file.

With the server status detection feature enabled, the switch sends an authentication request that carries the specified username to the secondary server at the specified interval. If the switch receives no response from the server within the time interval specified by the timer response-timeout command, the switch sends the authentication request again.

If the maximum number of retries (specified by the retry command) is reached and the switch still receives no response from the server, the switch considers the server unreachable. If the switch receives a response from the server before the maximum number of retries is reached, the switch considers the server reachable. The switch sets the status of the server to block or active according to the status detection result, regardless of the current status of the server.

For 802.1X authentication, if the status of every server is block, the switch assigns the port connected to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide.

To ensure that the switch can set the server to its actual status, set a longer quiet timer for the secondary server with the timer quiet command. If you set a short quiet timer and configure 802.1X critical VLAN on a port, the switch might frequently change the server status, and the port might frequently join and leave the critical VLAN.
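The interaction between status detection and the quiet timer can be seen in a small simulation. This Python model is an added example, not the switch's implementation: it tracks one secondary server minute by minute and lists every status change, which for a single configured server corresponds to the port joining or leaving the 802.1X critical VLAN. It assumes that a blocked server returns to active when the quiet timer expires, that the retry value is the total number of requests per detection round, and that both timers are in minutes; all names are hypothetical.

```python
def probe_round(replies, max_attempts):
    """One detection round: reachable if any allowed request got a reply."""
    return any(replies[:max_attempts])

def status_changes(interval, quiet, horizon, replies_at, max_attempts=3):
    """Walk `horizon` minutes and return [(minute, new_status), ...]."""
    status, blocked_at, changes = "active", None, []
    for t in range(1, horizon + 1):
        new = status
        # Assumption: a blocked server returns to active when the quiet
        # timer expires.
        if status == "block" and t - blocked_at >= quiet:
            new = "active"
        # A probe result overrides whatever the status currently is.
        if t % interval == 0:
            reachable = probe_round(replies_at(t), max_attempts)
            new = "active" if reachable else "block"
            if not reachable:
                blocked_at = t  # quiet timer restarts from this probe
        if new != status:
            changes.append((t, new))
            status = new
    return changes

# Constructed inputs: a dead server, and one that answers the third request.
def dead(t):
    return [False, False, False]

def slow(t):
    return [False, False, True]
```

With a 60-minute probe interval and a dead server, a 5-minute quiet timer produces seven status changes in four hours, while a 60-minute quiet timer produces one.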

Related commands: key and state.

Examples

# Specify two secondary authentication/authorization servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812. Set the shared keys to hello in plain text.

<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812 key simple hello
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 key simple hello

# In RADIUS scheme radius1, set the username used for status detection of the secondary authentication/authorization server to test in plain text, and set the server status detection interval to 120 minutes.

<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.1 probe username test interval 120