
aaa server-group

aaa server-group <group>
    allow-fail-through
    auth-server <name> [match-authstring contains|equals|starts-with <string>] [match-fqdn <string>] [position <number>] [trim-fqdn]
    clone <source>
    load-balance
    no ...
    set role|vlan condition <attribute> contains|ends-with|equals|not-equals|starts-with <string> set-value <set-value-str> [position <number>]

Description

This command allows you to add a configured authentication server to an ordered list in a server group, and configure server rules to derive a user role, VLAN ID or VLAN name from attributes returned by the server during authentication.

Syntax

<group>
    Name that identifies the server group. The name must be 32 characters or less.

allow-fail-through
    When this option is configured, an authentication failure with the first server in the group causes the Mobility Master to attempt authentication with the next server in the list. The Mobility Master attempts authentication with each server in the ordered list until either there is a successful authentication or the list of servers in the group is exhausted.
    Default: disabled

auth-server <name>
    Name of a configured authentication server.

    match-authstring contains|equals|starts-with <string>
        This option associates the authentication server with a match rule that the Mobility Master can compare with the user or client information in the authentication request. With this option, the user or client information in the authentication request can be in any of the following formats:
            <domain>\<user>
            <user>@<domain>
            host/<pc-name>.<domain>
        An authentication request is sent to the server only if there is a match between the specified match rule and the user or client information. You can configure multiple match rules for an authentication server.
        contains: The rule matches if the user or client information contains the specified string.
        equals: The rule matches if the user or client information exactly matches the specified string.
        starts-with: The rule matches if the user or client information starts with the specified string.

    match-fqdn <string>
        This option associates the authentication server with a specified domain. An authentication request is sent to the server only if there is an exact match between the specified domain and the <domain> portion of the user information sent in the authentication request. With this option, the user information must be in one of the following formats:
            <domain>\<user>
            <user>@<domain>

    position <number>
        Position of the server in the server list. 1 is the top.
        Default: (last)

    trim-fqdn
        This option causes the user information in an authentication request to be edited before the request is sent to the server. Specifically, this option:
            removes the <domain>\ portion for user information in the <domain>\<user> format
            removes the @<domain> portion for user information in the <user>@<domain> format.

clone <source>
    Name of an existing server group from which parameter values are copied.

load-balance
    Enables load-balancing of authentication requests among different servers in a server group.

no
    Negates any configured parameter.

set role|vlan
    Assigns the client a user role, VLAN ID or VLAN name based on attributes returned for the client by the authentication server. Rules are ordered: the first rule that matches the configured condition is applied.
    VLAN IDs and VLAN names cannot be listed together.

    condition <attribute>
        Attribute returned by the authentication server.
        contains: The rule is applied if and only if the attribute value contains the specified string.
        ends-with: The rule is applied if and only if the attribute value ends with the specified string.
        equals: The rule is applied if and only if the attribute value equals the specified string.
        not-equals: The rule is applied if and only if the attribute value is not equal to the specified string.
        starts-with: The rule is applied if and only if the attribute value begins with the specified string.

    set-value <set-value-str>
        User role or VLAN applied to the client when the rule is matched.

    value-of
        Sets the user role or VLAN to the value of the attribute returned. The user role or VLAN ID returned as the value of the attribute must already be configured on the Mobility Master when the rule is applied.
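The following Python model is added here as an illustration of how the auth-server options above interact; it is not part of the ArubaOS documentation or product code. It walks an ordered server list, applies match-authstring and match-fqdn before a request is sent, strips the domain when trim-fqdn is set, and shows the difference between an unavailable server (always falls through) and a rejection (falls through only with allow-fail-through). The server names, user strings and the accept/reject/unavailable answers of each `backend` callable are constructed sample values standing in for real RADIUS or internal-database lookups.

```python
"""Model of ArubaOS server-group server selection (added illustration, not Aruba code).

Covers the ordered server list, match-authstring and match-fqdn rules,
trim-fqdn and allow-fail-through as the command reference describes them.
Server names, user strings and backend answers are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


def domain_part(info: str) -> Optional[str]:
    """Domain portion used by match-fqdn; only <domain>\\<user> and <user>@<domain> qualify."""
    if "\\" in info:
        return info.split("\\", 1)[0]
    if "@" in info:
        return info.rsplit("@", 1)[1]
    return None  # host/<pc-name>.<domain> and bare names have no matchable domain


def trim_fqdn(info: str) -> str:
    """trim-fqdn: drop <domain>\\ or @<domain>; any other format passes through unchanged."""
    if "\\" in info:
        return info.split("\\", 1)[1]
    if "@" in info:
        return info.rsplit("@", 1)[0]
    return info


# match-authstring operators, applied to the untrimmed user or client information
MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda info, s: s in info,
    "equals": lambda info, s: info == s,
    "starts-with": lambda info, s: info.startswith(s),
}


@dataclass
class AuthServer:
    name: str
    # Stand-in for the real server: True = accept, False = reject, None = unavailable
    backend: Callable[[str], Optional[bool]]
    match_authstring: List[Tuple[str, str]] = field(default_factory=list)  # (operator, string)
    match_fqdn: Optional[str] = None
    trim: bool = False

    def eligible(self, info: str) -> bool:
        """A request is sent to this server only if every configured match option is satisfied."""
        if self.match_authstring and not any(MATCHERS[op](info, s) for op, s in self.match_authstring):
            return False
        if self.match_fqdn is not None and domain_part(info) != self.match_fqdn:
            return False
        return True


def authenticate(group: List[AuthServer], info: str, allow_fail_through: bool) -> Tuple[Optional[str], List[str]]:
    """Walk the ordered list; return (accepting server name or None, trace of decisions).

    An unavailable server always falls through to the next one. A rejection only
    does so when allow-fail-through is configured on the group."""
    trace: List[str] = []
    for server in group:
        if not server.eligible(info):
            trace.append(f"{server.name}: skipped, match rules not satisfied")
            continue
        sent = trim_fqdn(info) if server.trim else info
        answer = server.backend(sent)
        if answer is None:
            trace.append(f"{server.name}: unavailable, trying next server")
            continue
        if answer:
            trace.append(f"{server.name}: accepted {sent!r}")
            return server.name, trace
        trace.append(f"{server.name}: rejected {sent!r}")
        if not allow_fail_through:
            return None, trace
    return None, trace


def make_sample_group() -> List[AuthServer]:
    """Constructed group: a corp RADIUS server with match-fqdn and trim-fqdn, an unreachable
    contractor server selected by match-authstring, and the internal database last."""
    corp_users = {"alice", "bob"}
    internal_users = {"contractor1@vendor.example", "corp.example\\carol"}
    return [
        AuthServer("radius-corp", lambda u: u in corp_users, match_fqdn="corp.example", trim=True),
        AuthServer("radius-contractors", lambda u: None, match_authstring=[("contains", "contractor")]),
        AuthServer("internal", lambda u: u in internal_users),
    ]


if __name__ == "__main__":
    group = make_sample_group()
    for user, fail_through in [("alice@corp.example", False), ("contractor1@vendor.example", False),
                               ("corp.example\\carol", False), ("corp.example\\carol", True)]:
        result, trace = authenticate(group, user, fail_through)
        print(f"{user!r} allow-fail-through={fail_through}: {result}")
        for line in trace:
            print("   ", line)
```

Running the block prints a decision trace per user: carol is rejected by radius-corp and stops there without allow-fail-through, but reaches the internal database with it, while the contractor request skips radius-corp (domain mismatch) and passes over the unreachable contractor server regardless of that setting.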

Usage Guidelines

You create a server group for a specific type of authentication or for accounting. The list of servers in a server group is an ordered list, which means that the first server in the group is always used unless it is unavailable (in which case, the next server in the list is used). You can configure servers of different types in a server group; for example, you can include the internal database as a backup to a RADIUS server. You can add the same server to multiple server groups. There is a predefined server group, internal, that contains the internal database.

Example

The following command configures a server group corp-servers with a RADIUS server as the main authentication server and the internal database as the backup. The command also sets the client’s user role to the value of the returned Class attribute.

(host) ^[md] (config) aaa server-group corp-servers
    auth-server radius1 position 1
    auth-server internal position 2
    set role condition Class value-of
    load-balance
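The following Python model is added here to show how the ordered derivation rules behave; it is not part of the ArubaOS documentation or product code. It takes the set role condition Class value-of rule from the example above and surrounds it with constructed set-value rules for both role and VLAN, so that first-match ordering, the position option and the requirement that a value-of result already be configured can all be seen. The configured role and VLAN sets, the attribute names other than Class, and the returned attribute values are constructed sample data.

```python
"""Model of ArubaOS server-group derivation rules (added illustration, not Aruba code).

Implements 'set role|vlan condition <attribute> <op> <string> set-value <value>'
and 'set role|vlan condition <attribute> value-of' as the reference describes them:
rules are ordered, the first matching rule wins, and a value-of rule can only
apply a role or VLAN that is already configured. Role names, VLAN IDs and
returned attributes below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# condition operators compared against the returned attribute value
CONDITIONS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda value, s: s in value,
    "ends-with": lambda value, s: value.endswith(s),
    "equals": lambda value, s: value == s,
    "not-equals": lambda value, s: value != s,
    "starts-with": lambda value, s: value.startswith(s),
}


@dataclass
class Rule:
    target: str          # "role" or "vlan"
    attribute: str       # attribute returned by the server, e.g. Class
    op: Optional[str]    # condition operator, or None for the value-of form
    string: str = ""     # <string> compared against the attribute value
    set_value: str = ""  # role or VLAN applied when a set-value rule matches


def add_rule(rules: List[Rule], rule: Rule, position: Optional[int] = None) -> List[Rule]:
    """Insert like the CLI's [position <number>]: 1 is the top; without it the rule goes last."""
    if position is None:
        rules.append(rule)
    else:
        rules.insert(position - 1, rule)
    return rules


def derive(rules: List[Rule], attrs: Dict[str, str], configured: Dict[str, Set[str]], target: str) -> Optional[str]:
    """Return the role or VLAN from the first matching rule for `target`, or None.

    A value-of rule whose returned value is not configured is skipped here so that
    later rules still get a chance; the reference only states that the value must be
    configured, so that fall-through behaviour is an assumption of this model."""
    for rule in rules:
        if rule.target != target or rule.attribute not in attrs:
            continue  # other target, or the server did not return this attribute
        value = attrs[rule.attribute]
        if rule.op is None:  # value-of form
            if value in configured[target]:
                return value
            continue
        if CONDITIONS[rule.op](value, rule.string):
            return rule.set_value
    return None


# Constructed: what is already configured on the controller in this scenario
CONFIGURED: Dict[str, Set[str]] = {"role": {"employee", "guest", "contractor"}, "vlan": {"10", "20"}}


def sample_rules() -> List[Rule]:
    """The page's 'set role condition Class value-of' plus constructed rules around it."""
    rules: List[Rule] = []
    add_rule(rules, Rule("role", "Class", None))
    # placed above the value-of rule with position 1, so it is evaluated first
    add_rule(rules, Rule("role", "Class", "contains", "guest", "guest"), position=1)
    add_rule(rules, Rule("vlan", "Filter-Id", "ends-with", "-lab", "20"))
    add_rule(rules, Rule("vlan", "Filter-Id", "starts-with", "sales", "10"))
    return rules


if __name__ == "__main__":
    rules = sample_rules()
    for attrs in [{"Class": "employee"}, {"Class": "guest-wifi"}, {"Class": "unknown-role"},
                  {"Filter-Id": "eng-lab"}, {"Filter-Id": "sales-floor"}]:
        print(attrs, "-> role:", derive(rules, attrs, CONFIGURED, "role"),
              "vlan:", derive(rules, attrs, CONFIGURED, "vlan"))
```

Because the contains rule was inserted at position 1, a Class of guest-wifi yields the guest role even though the value-of rule would not have applied it (guest-wifi is not a configured role), and a Class of unknown-role yields no role at all.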

Command History

Release            Modification
ArubaOS 8.0.0.0    Command introduced.

Command Information

Platforms        License                   Command Mode
All platforms    Base operating system.    Config mode on Mobility Master.
