63
Use the undo secondary authentication command to remove the configuration.
By default, no secondary RADIUS authentication/authorization server is specified.
To configure multiple secondary RADIUS authentication/authorization servers, execute this command
repeatedly. After the configuration, if the primary server fails, the device looks for a secondary server in
active state (a secondary RADIUS authentication/authorization server configured earlier has a higher
priority) and tries to communicate with it.
A RADIUS scheme supports up to 16 secondary RADIUS authentication/authorization servers.
All authentication/authorization servers, primary or secondary, must use IP addresses of the same IP
version.
The IP addresses of the primary and secondary authentication/authorization servers must be different
from each other. Otherwise, the configuration fails.
The RADIUS service port configured on the device and that of the RADIUS server must be consistent.
The shared keys configured on the device for authentication/authorization packets and that configured on
the RADIUS server must be consistent.
If the specified server resides on an MPLS VPN, you also need to specify that VPN by using the vpn-
instance vpn-instance-name keyword and argument combination to ensure normal communication with
the server.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be
of the same IP version.
The VPN specified here takes precedence over the VPN specified for the RADIUS scheme.
If you remove a secondary authentication server in use in the authentication process, the communication
with the secondary server will time out, and the device will look for a server in active state from scratch:
the new primary server is evaluated at first and then the secondary servers according to the order in
which they are configured.
If the specified server resides on an MPLS VPN, you also need to specify that VPN by using the vpn-
instance vpn-instance-name keyword and argument combination to ensure normal communication with
the server.
NOTE:
The shared key configured by this command takes precedence over that configured by the key
accounting
string
command.
Related commands: key, radius scheme, state, and vpn-instance (RADIUS scheme view).
Examples
# Specify the secondary authentication/authorization server for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
# Specify two secondary authentication/authorization servers for RADIUS scheme radius2, with the server
IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1813.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812
To Next Page
Loading...
Need help?
General
