Configuring Server Groups

You can create groups of servers for specific types of authentication – for example, you can specify one or more RADIUS servers to be used for 802.1X authentication. You can configure servers of different types in one group. For example, you can include the internal database as a backup to a RADIUS server.

Configuring Server Groups

Server names are unique. You can configure the same server in more than one server group. You must configure the server before you can include it in a server group.

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Enter the name of the new server group and click Add.
4. Select the name to configure the server group.
5. Under Servers, click New to add a server to the group.
a. Select a server from the drop-down list and click Add Server.
b. Repeat the above step to add other servers to the group.
6. Click Apply.

Using the CLI

(host)(config) #aaa server-group <name>

auth-server <name>

Configuring Server List Order and Fail-Through

The servers in a server group are part of an ordered list. The first server in the list is always used by default, unless it is unavailable, in which case the next server in the list is used. You can configure the order of servers in the server group through the WebUI using the up or down arrows (the top server is the first server in the list). In the CLI, the position parameter specifies the relative order of servers in the list (the lowest value denotes the first server in the list).

As mentioned previously, the first available server in the list is used for authentication. Note the distinction between a server that does not respond and one that responds with a deny: an unavailable server is always skipped in favor of the next one, but if the server responds with an authentication failure, there is no further processing for the user or client for which the authentication request failed. You can also enable fail-through authentication for the server group so that if the first server in the list returns an authentication deny, the controller attempts authentication with the next server in the ordered list. The controller attempts to authenticate with each server in the list until there is a successful authentication or the list of servers in the group is exhausted. This feature is useful in environments where there are multiple, independent authentication servers; users may fail authentication on one server but can be authenticated on another server.

Before enabling fail-through authentication, note the following:

This feature is not supported for 802.1X authentication with a server group that consists of external EAP-compliant RADIUS servers, because the EAP exchange is a stateful conversation between the supplicant and the specific server that issued the deny and cannot be replayed against another server. You can, however, use fail-through authentication when the 802.1X authentication is terminated on the controller (AAA FastConnect), since the controller then holds the EAP session and only forwards the credential check.
Enabling this feature for a large server group list may cause excess processing load on the controller, because every failed request is retried against each remaining server. It is recommended that you use server selection based on domain matching whenever possible (see Configuring Dynamic Server Selection).
Certain servers, such as the RSA RADIUS server, lock out the controller (as a RADIUS client) after multiple authentication failures. With fail-through enabled, a single wrong password is tried against every server in the list and records a failure on each one, so you should not enable fail-through authentication with these servers.

In the following example, you create a server group "corp-serv" with two LDAP servers (ldap-1 and ldap-2), each containing a subset of the usernames and passwords used in the network. When you enable fail-through authentication, users that fail authentication with the first server on the list will be authenticated with the second server.

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select LDAP Server to display the LDAP Server List.
3. Enter ldap-1 for the server name and click Add.
4. Enter ldap-2 for the server name and click Add.
5. Under the Servers tab, select ldap-1 to configure server parameters. Enter the IP address for the server. Select the Mode checkbox to activate the authentication server. Click Apply.
6. Repeat step 5 to configure ldap-2.
7. Display the Server Group list: Under the Servers tab, select Server Group.
8. Enter corp-serv as the new server group and click Add.
9. Select corp-serv, under the Server tab, to configure the server group.
10. Select Fail Through.
11. Under Servers, click New to add a server to the group. Select ldap-1 from the drop-down list and click Add Server.
12. Repeat step 11 to add ldap-2 to the group.
13. Click Apply.

Using the CLI

(host)(config) #aaa authentication-server ldap ldap-1

host 10.1.1.234

(host)(config) #aaa authentication-server ldap ldap-2

host 10.2.2.234


(host)(config) #aaa server-group corp-serv

auth-server ldap-1 position 1

auth-server ldap-2 position 2

allow-fail-through
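The following is an added example, not part of the ArubaOS documentation: a small Python model of how an ordered server group treats a server that does not respond versus one that returns an authentication deny, with and without allow-fail-through. The server names follow the corp-serv example above; the user entries, the "down" server and the per-server failure counter (which illustrates the lockout caveat) are constructed for illustration.

```python
# Added example: model of an ordered server group with and without fail-through.
# Credential stores and the failure counter are constructed; this is not ArubaOS code.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNAVAILABLE = "unavailable"   # no response (timeout): always fall to the next server
ACCEPT = "accept"
DENY = "deny"                 # the server answered and rejected the credentials


@dataclass
class AuthServer:
    name: str
    position: int
    # Constructed credential store: username -> password. None models a server
    # that is down and never answers.
    users: Optional[Dict[str, str]]
    failures: int = 0         # denies this server has issued (lockout exposure)

    def authenticate(self, user: str, password: str) -> str:
        if self.users is None:
            return UNAVAILABLE
        if self.users.get(user) == password:
            return ACCEPT
        self.failures += 1
        return DENY


@dataclass
class ServerGroup:
    name: str
    servers: List[AuthServer]
    allow_fail_through: bool = False

    def authenticate(self, user: str, password: str):
        """Walk the list in position order.

        Returns (final result, server that produced it or None, trail of
        (server, result) pairs showing which servers were contacted).
        """
        trail: List[Tuple[str, str]] = []
        for srv in sorted(self.servers, key=lambda s: s.position):
            result = srv.authenticate(user, password)
            trail.append((srv.name, result))
            if result == UNAVAILABLE:
                continue                      # next server, fail-through or not
            if result == ACCEPT:
                return ACCEPT, srv.name, trail
            if not self.allow_fail_through:   # an explicit deny ends processing
                return DENY, srv.name, trail
        # fail-through enabled and every server denied, or every server was down
        return DENY, None, trail


def build_corp_serv(fail_through: bool, ldap1_up: bool = True) -> ServerGroup:
    """corp-serv from the text: ldap-1 and ldap-2 each hold a subset of the users."""
    ldap1 = AuthServer("ldap-1", 1, {"alice": "pw-a"} if ldap1_up else None)
    ldap2 = AuthServer("ldap-2", 2, {"bob": "pw-b"})
    return ServerGroup("corp-serv", [ldap1, ldap2], allow_fail_through=fail_through)


def scenario_no_fail_through() -> Tuple[str, Optional[str]]:
    # bob only exists on ldap-2; ldap-1 answers DENY, so the request stops there
    result, server, _ = build_corp_serv(False).authenticate("bob", "pw-b")
    return result, server          # ('deny', 'ldap-1')


def scenario_fail_through() -> Tuple[str, Optional[str]]:
    # same request with allow-fail-through: the deny from ldap-1 is not final
    result, server, _ = build_corp_serv(True).authenticate("bob", "pw-b")
    return result, server          # ('accept', 'ldap-2')


def scenario_first_server_down() -> Tuple[str, Optional[str]]:
    # an unavailable server is skipped even without fail-through
    result, server, _ = build_corp_serv(False, ldap1_up=False).authenticate("bob", "pw-b")
    return result, server          # ('accept', 'ldap-2')


def scenario_bad_password_failures(fail_through: bool) -> Dict[str, int]:
    # denies each server records for one wrong password: with fail-through every
    # server in the list sees the failure, which is what triggers lockouts
    group = build_corp_serv(fail_through)
    group.authenticate("alice", "wrong")
    return {s.name: s.failures for s in group.servers}
```

The last scenario is the one to keep in mind before enabling fail-through in front of a server that locks out clients after repeated failures: one mistyped password becomes a failure on every server in the group.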

Configuring Dynamic Server Selection

The controller can dynamically select an authentication server from a server group based on the user information sent by the client in an authentication request. For example, an authentication request can include client or user information in one of the following formats:

<domain>\<user> : for example, corpnet.com\darwin
<user>@<domain> : for example, darwin@corpnet.com
host/<pc-name>.<domain> : for example, host/darwin-g.finance.corpnet.com (this format is used with 802.1X machine authentication in Windows environments)

When you configure a server in a server group, you have the option to associate the server with one or more match rules. A match rule for a server can be one of the following:

The server is selected if the client/user information contains a specified string.
The server is selected if the client/user information begins with a specified string.
The server is selected if the client/user information exactly matches a specified string.

You can configure multiple match rules for the same server. The controller compares the client/user information with the match rules configured for each server, starting with the first server in the server group. If a match is found, the controller sends the authentication request to the server with the matching rule. If no match is found before the end of the server list is reached, an error is returned, and no authentication request for the client/user is sent.

Figure 1 depicts a network consisting of several subdomains in corpnet.com. The server radius-1 provides 802.1X machine authentication to PC clients in xyz.corpnet.com, sales.corpnet.com, and hq.corpnet.com. The server radius-2 provides authentication for users in abc.corpnet.com.

Figure 1  Domain-Based Server Selection Example

You configure the following rules for servers in the corp-serv server group:

radius-1 is selected if the client information starts with "host/".
radius-2 is selected if the client information contains "abc.corpnet.com".

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Under the Servers tab, select Server Group to display the Server Group list.
3. Enter corp-serv for the new server group and click Add.
4. Under the Servers tab, select corp-serv to configure the server group.
5. Under Servers, click New to add the radius-1 server to the group. Select radius-1 from the drop-down list.
a. For Match Type, select Authstring.
b. For Operator, select starts-with.
c. For Match String, enter host/.
d. Click Add Rule >>.
e. Scroll to the right and click Add Server.
6. Under Servers, click New to add the radius-2 server to the group. Select radius-2 from the drop-down list.
a. For Match Type, select Authstring.
b. For Operator, select contains.
c. For Match String, enter abc.corpnet.com.
d. Click Add Rule >>.
e. Scroll to the right and click Add Server.

The last server you added to the server group (radius-2) automatically appears as the first server in the list. In this example the order only matters for a request that matches both rules; for example, host/pc1.abc.corpnet.com starts with host/ and also contains abc.corpnet.com, and the controller sends it to whichever matching server is first in the list. If you need to reorder the server list, scroll to the right and click the up or down arrow for the appropriate server.

7. Click Apply.

Using the CLI

(host)(config) #aaa server-group corp-serv

auth-server radius-1 match-authstring starts-with host/ position 1

auth-server radius-2 match-authstring contains abc.corpnet.com position 2

Configuring Match FQDN Option

You can also use the “match FQDN” option for a server match rule. With a match FQDN rule, the server is selected if the <domain> portion of the user information in the formats <domain>\<user> or <user>@<domain> matches a specified string exactly. Note the following caveats when using a match FQDN rule:

This rule does not support client information in the host/<pc-name>.<domain> format, so it is not useful for 802.1X machine authentication.
The match FQDN option performs matches on only the <domain> portion of the user information sent in an authentication request. The match-authstring option (described previously) allows you to match all or a portion of the user information sent in an authentication request.

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Under the Servers tab, select Server Group to display the Server Group list.
3. Enter corp-serv for the new server group and click Add.
4. Under the Servers tab, select corp-serv to configure the server group.
5. Under Servers, click New to add the radius-1 server to the group. Select radius-1 from the drop-down list.
a. For Match Type, select FQDN.
b. For Match String, enter corpnet.com.
c. Click Add Rule >>.
d. Scroll to the right and click Add Server.
6. Click Apply.

Using the CLI

(host)(config) #aaa server-group corp-serv

auth-server radius-1 match-fqdn corpnet.com

Trimming Domain Information from Requests

Before the controller forwards an authentication request to a specified server, it can truncate the domain-specific portion of the user information. This is useful when user entries on the authenticating server do not include domain information. You can specify this option with any server match rule. This option is only applicable when the user information is sent to the controller in the following formats:

<domain>\<user> : the <domain>\ portion is truncated
<user>@<domain> : the @<domain> portion is truncated


This option does not support client information sent in the format host/<pc-name>.<domain>

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Enter the name of the new server group and click Add.
4. Select the name to configure the server group.
5. Under Servers, click Edit for a configured server or click New to add a server to the group.
If editing a configured server, select Trim FQDN, scroll right, and click Update Server.
If adding a new server, select a server from the drop-down list, then select Trim FQDN, scroll right, and click Add Server.
6. Click Apply.

Using the CLI

(host)(config) #aaa server-group corp-serv

auth-server radius-2 match-authstring contains abc.corpnet.com trim-fqdn
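The following is an added example, not part of the ArubaOS documentation, covering the three preceding sections together (match-authstring selection, the match FQDN option, and trimming domain information). It is a Python model of the match rules a server group evaluates before forwarding a request, run over the three identity formats listed in the text. The corp-serv rules are the ones configured above; the sample identities are constructed. Two behaviours are assumptions of this model rather than statements from the page: a server with no match rule is treated as matching any request, and "no match" is reported as a ValueError.

```python
# Added example: model of server selection by match rule (not ArubaOS code).
# Assumptions: a server with no rules matches everything; no match raises ValueError.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MatchRule:
    kind: str              # "authstring" or "fqdn"
    value: str
    op: str = "equals"     # contains | starts-with | equals (authstring only)


@dataclass
class GroupServer:
    name: str
    position: int
    rules: Tuple[MatchRule, ...] = ()
    trim_fqdn: bool = False


def split_identity(identity: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (format, user, domain) for the formats listed in the text.

    host/<pc>.<domain> has no user/domain split that match-fqdn or trim-fqdn
    can use, so both come back as None for it.
    """
    if identity.startswith("host/"):
        return "host", None, None
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
        return "domain\\user", user, domain
    if "@" in identity:
        user, domain = identity.rsplit("@", 1)
        return "user@domain", user, domain
    return "bare", identity, None


def rule_matches(rule: MatchRule, identity: str) -> bool:
    if rule.kind == "fqdn":
        _, _, domain = split_identity(identity)
        return domain is not None and domain == rule.value   # exact, domain part only
    if rule.op == "contains":
        return rule.value in identity
    if rule.op == "starts-with":
        return identity.startswith(rule.value)
    if rule.op == "equals":
        return identity == rule.value
    raise ValueError(f"unknown operator {rule.op!r}")


def trim_fqdn(identity: str) -> str:
    """Strip <domain>\\ or @<domain>; host/... and bare names are unchanged."""
    fmt, user, _ = split_identity(identity)
    return user if fmt in ("domain\\user", "user@domain") else identity


def select_server(servers: List[GroupServer], identity: str) -> Tuple[str, str]:
    """First server, in position order, with a matching rule.

    Returns (server name, identity as forwarded to it). Raises ValueError when
    the list is exhausted without a match, mirroring the controller's error.
    """
    for srv in sorted(servers, key=lambda s: s.position):
        if not srv.rules or any(rule_matches(r, identity) for r in srv.rules):
            return srv.name, (trim_fqdn(identity) if srv.trim_fqdn else identity)
    raise ValueError(f"no server in group matches {identity!r}")


# corp-serv as configured in the text; trim-fqdn on radius-2 from the last CLI example
CORP_SERV = [
    GroupServer("radius-1", 1, (MatchRule("authstring", "host/", "starts-with"),)),
    GroupServer("radius-2", 2, (MatchRule("authstring", "abc.corpnet.com", "contains"),),
                trim_fqdn=True),
]

# the match FQDN variant from the text: one server keyed on the domain corpnet.com
FQDN_GROUP = [GroupServer("radius-1", 1, (MatchRule("fqdn", "corpnet.com"),))]


def route(identity: str, group: List[GroupServer] = CORP_SERV) -> Optional[Tuple[str, str]]:
    """Convenience wrapper: None instead of an exception when nothing matches."""
    try:
        return select_server(group, identity)
    except ValueError:
        return None
```

Running route() over constructed identities shows the points the text makes: host/pc1.abc.corpnet.com matches both corp-serv rules and goes to whichever server is first, darwin@corpnet.com matches nothing in corp-serv and is rejected, the FQDN rule for corpnet.com does not match abc.corpnet.com or any host/ identity, and trim-fqdn leaves host/ identities untouched.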

Configuring Server-Derivation Rules

When you configure a server group, you can set the VLAN or role for clients based on attributes returned for the client by the server during authentication. The server derivation rules apply to all servers in the group. The user role or VLAN assigned through server derivation rules takes precedence over the default role and VLAN configured for the authentication method.


The authentication servers must be configured to return the attributes for the clients during authentication. For instructions on configuring the authentication attributes in a Windows environment using IAS, refer to the documentation at http://technet2.microsoft.com/windowsserver/en/technologies/ias.mspx

Server rules are applied on a first-match basis: the first rule whose condition matches an attribute returned by the server is applied to the client, and it is the only rule applied from the server rules. The rules apply uniformly to all servers in the server group.

Table 1 describes the server rule parameters you can configure.


Table 1: Server Rule Configuration Parameters

Parameter

Description

Role or VLAN

The server derivation rules apply to either user role or VLAN assignment. With Role assignment, a client can be assigned a specific role based on the attributes returned. In VLAN assignment, the client can be placed in a specific VLAN based on the attributes returned.

Attribute

This is the attribute returned by the authentication server that is examined for Operation and Operand match.

Operation

This is the match method by which the string in Operand is matched with the attribute value returned by the authentication server.

contains : The rule is applied if and only if the attribute value contains the string in parameter Operand.
starts-with : The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.
ends-with : The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.
equals : The rule is applied if and only if the attribute value returned equals the string in parameter Operand.
not-equals : The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand.
value-of : A special condition: the role or VLAN is set to the value of the returned attribute itself, so no Operand or Value is needed. For this to succeed, the role or VLAN ID returned as the value of the selected attribute must already be configured on the controller when the rule is applied.

Operand

This is the string to which the value of the returned attribute is matched.

Value

The user role or the VLAN name applied to the client when the rule is matched.

position

Position of the rule in the list. Rules are applied on a first-match basis; position 1 is the top of the list.

Default: bottom (a new rule is appended after the existing rules)

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Enter the name of the new server group and click Add.
4. Select the name to configure the server group.
5. Under Servers, click New to add a server to the group.
a. Select a server from the drop-down list and click Add.
b. Repeat the above step to add other servers to the group.
6. Under Server Rules, click New to add server derivation rules for assigning a user role or VLAN.
a. Enter the attribute.
b. Select the operation from the drop-down list.
c. Enter the operand.
d. To set the role, select set role from the Set drop-down list and enter the value to be assigned from the Value drop-down list.
e. Or, to set the vlan, select set vlan from the Set drop-down list and select the VLAN name or ID from the Value drop-down list and click the left-arrow.
f. Click Add.
g. Repeat the above steps to add other rules for the server group.
7. Click Apply.

Using the CLI

(host) (config) #aaa server-group <name>

(host) (Server Group name) #set {role|vlan} condition <attribute> {contains|ends-with|equals|not-equals|starts-with} <operand> set-value <set-value-str> [position <number>]

(host) (Server Group name) #set {role|vlan} condition <attribute> value-of

Configuring a Role Derivation Rule for the Internal Database

When you add a user entry in the controller's internal database, you can optionally specify a user role (see Managing the Internal Database). For the role specified in the internal database entry to be assigned to the authenticated client, you must configure a server derivation rule as shown in the following sections:

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Select the internal server group.
4. Under Server Rules, click New to add a server derivation rule.
a. For Condition, enter Role.
b. Select value-of from the drop-down list.
c. Select Set Role from the drop-down list.
d. Click Add.
5. Click Apply.

Using the CLI

(host)(config) #aaa server-group internal

set role condition Role value-of
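The following is an added example, not part of the ArubaOS documentation, and it serves both the Configuring Server-Derivation Rules section and the internal-database role rule just above. It is a Python model of server derivation rules: the Table 1 operations, the first-match principle as the page states it (only one rule is applied), value-of against roles and VLANs that must already exist, and precedence of the derived role over the authentication method's default. The attribute names in the sample server responses (Filter-Id, Tunnel-Private-Group-Id, Role), the configured role and VLAN sets, and the rule lists are constructed. Treating a value-of rule whose value is not configured as "not applied, continue to the next rule" is an assumption of this model; the page only says the value must already exist.

```python
# Added example: model of server derivation rules (not ArubaOS code).
# Controller state, attribute names and rule lists below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed controller state: roles and VLANs that already exist.
CONFIGURED_ROLES = {"employee", "contractor", "guest", "logon"}
CONFIGURED_VLANS = {"10", "20", "guest-vlan"}


@dataclass
class ServerRule:
    target: str        # "role" or "vlan"
    attribute: str     # attribute returned by the server that is examined
    op: str            # contains | starts-with | ends-with | equals | not-equals | value-of
    operand: str = ""  # string compared with the attribute value (unused by value-of)
    value: str = ""    # role/VLAN assigned on match (unused by value-of)


def _op_matches(op: str, attr_value: str, operand: str) -> bool:
    return {
        "contains": operand in attr_value,
        "starts-with": attr_value.startswith(operand),
        "ends-with": attr_value.endswith(operand),
        "equals": attr_value == operand,
        "not-equals": attr_value != operand,
    }[op]


def _exists(target: str, value: str) -> bool:
    return value in (CONFIGURED_ROLES if target == "role" else CONFIGURED_VLANS)


def derive(rules: List[ServerRule], attributes: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Apply the first rule that matches; return (target, value) or None.

    `rules` is in position order (position 1 first); `attributes` holds the
    attribute/value pairs the authentication server returned for the client.
    """
    for rule in rules:
        if rule.attribute not in attributes:
            continue                       # rule needs an attribute that was not returned
        attr_value = attributes[rule.attribute]
        if rule.op == "value-of":
            if _exists(rule.target, attr_value):
                return rule.target, attr_value
            continue                       # assumption: unknown role/VLAN, rule not applied
        if _op_matches(rule.op, attr_value, rule.operand):
            return rule.target, rule.value
    return None


def effective_role(rules: List[ServerRule], attributes: Dict[str, str],
                   default_role: str) -> str:
    """A role set by a derivation rule takes precedence over the method's default role."""
    derived = derive(rules, attributes)
    return derived[1] if derived and derived[0] == "role" else default_role


# Rules for a RADIUS-backed group, in position order (constructed)
RADIUS_RULES = [
    ServerRule("role", "Filter-Id", "starts-with", "staff-", "employee"),
    ServerRule("vlan", "Tunnel-Private-Group-Id", "equals", "20", "20"),
    ServerRule("role", "Filter-Id", "contains", "guest", "guest"),
]

# The internal-database rule from the text: set role condition Role value-of
INTERNAL_RULES = [ServerRule("role", "Role", "value-of")]
```

Because only the first matching rule is applied, a response that carries both a staff Filter-Id and a VLAN attribute yields the role from rule 1 and never reaches the VLAN rule; reorder the rules if the VLAN assignment is the one that must win. The internal-database case shows the value-of caveat: a Role value that is not a configured role leaves the client on the authentication method's default role.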