52
new primary server is evaluated at first and then the secondary servers according to the order in which
they are configured.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in
ciphertext.
With the server status detection feature enabled, the device sends an authentication request that carries
the specified username to the primary server at the specified interval. If the device receives no response
from the server within the time interval specified by the timer response-timeout command, the device
sends the authentication request again.
If the maximum number of retries (specified by the retry command) is reached and the device still receives
no response from the server, the device considers the server as unreachable. If the device receives a
response from the server before the maximum number of retries is reached, the device considers the
server as reachable. The device sets the status of the server to block or active according to the status
detection result, regardless of the current status of the server.
For 802.1X authentication, if the status of every server is block, the device will assign the port connected
to an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X
critical VLAN, see Security Configuration Guide.
To ensure that the device can set the server to its actual status, set a longer quiet timer for the primary
server with the timer quiet command. If you set a short quiet timer and configure 802.1X critical VLAN on
a port, the device might frequently change the server status, and the port might frequently join and leave
the critical VLAN.
Related commands: key, radius scheme, and state.
Examples
# Specify the primary authentication/authorization server for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812
# In RADIUS scheme radius1, set the username used for status detection of the primary
authentication/authorization server to test, and set the server status detection interval to 120 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 probe username test interval
120
radius client
Syntax
radius client enable
undo radius client
View
System view
Default level
2: System level
To Next Page
Loading...
