show aaa server-group

show aaa server-group [<group-name>|summary]

Description

Show configuration details for your AAA server groups.

Syntax

Parameter

Description

<group-name>

The name of an existing AAA server group.

Usage Guidelines

Issue this command without the <group-name> or summary options to display the entire server group list, including profile status and the number of references to each profile. The References column lists the number of other profiles that reference a server group, and the Profile Status column indicates whether the server group is predefined. User-defined server groups will not have an entry in the Profile Status column.

Examples

This first example shows that there are five configured server groups.

(host) #show aaa server-group summary

Server Group List
-----------------
Name                   References  Profile Status
----                   ----------  --------------
auth-profile-2         1
coltrane-server-group  1
default                25
group1                 0
internal               0           Predefined

Total:5

To view additional statistics for all server groups, include the statistics parameter.

 

(host) #show aaa server-group summary

Server Groups
-------------
Name                   Servers  Rules  hits  Out-of-service
----                   -------  -----  ----  --------------
auth-profile-2         1        0      0
coltrane-server-group  1        0      0
default                1        0      0
group1                 1        1      0
internal               1        1      0

The output of the show aaa server-group summary command includes the following parameters:

Parameter

Description

name

Name of an existing AAA server group.

Servers

Number of servers in the group.

Rules

Number of rules configured for the server group.

hits

Number of hits for the server’s rules.

Out-of-Service

Indicates whether the server is active, or out of service. Active servers may not have an entry in the Out-of-Service column.

To display detailed authorization, role and VLAN statistics for an individual server group, include the name of the group for which you want more information.

 

(host) #show aaa server-group summary group1

Fail Through:No

Auth Servers
------------
Name  Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
----  -----------  ---------  ----------  --------  ---------
rad1  Radius       No         authstring  equals    company_eng
rad3  Radius       No         authstring  equals    company_qa

Role/VLAN derivation rules
---------------------------
Priority  Attribute  Operation  Operand  Action    Value
--------  ---------  ---------  -------  ------    -----
1         class      contains   admin    set role  root

The output of the show aaa server-group <group-name> command includes the following parameters:

Parameter

Description

Name

Specifies if the server is in service or out-of-service.

Server-Type

If enabled, user information in an authentication request is edited before the request is sent to the server.

trim-FQDN

If enabled, user information in an authentication request is edited before the request is sent to the server.

Match-Type

If the match type is authstring, the authentication server is associated with a match rule that the controller can compare with the user/client information in the authentication request.

An fqdn match type associates the authentication server with a specified domain. An authentication request is sent to the server only if there is an exact match between the specified domain and the <domain> portion of the user information sent in the authentication request.

Match-Op

This is the match method by which the string in Match-Str is matched with the attribute value returned by the authentication server.

contains – The rule is applied if and only if the attribute value contains the string in parameter Operand.

starts-with – The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.

ends-with – The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.

equals – The rule is applied if and only if the attribute value returned equals the string in parameter Operand.

not-equals – The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand.

value-of – This is a special condition. What this implies is that the role or VLAN is set to the value of the attribute returned. For this to be successful, the role and the VLAN ID returned as the value of the attribute selected must be already configured on the controller when the rule is applied.

Match-Str

This is the string to which the value of the returned attribute is matched.

Priority

The priority in which role or VLAN derivation rules are applied. Rules at the top of the list are applied before rules at the bottom.

Attribute

For role or VLAN derivation rules, this is the attribute returned by the authentication server that is examined for Operation and Operand match.

Operation

For role or VLAN derivation rules, this is the match method by which the string in Operand is matched with the attribute value returned by the authentication server.

contains – The rule is applied if and only if the attribute value contains the string in parameter Operand.

starts-with – The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.

ends-with – The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.

equals – The rule is applied if and only if the attribute value returned equals the string in parameter Operand.

not-equals – The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand.

value-of – This is a special condition. What this implies is that the role or VLAN is set to the value of the attribute returned. For this to be successful, the role and the VLAN ID returned as the value of the attribute selected must be already configured on the controller when the rule is applied.

Operand

For role or VLAN derivation rules, this is the string to which the value of the returned attribute is matched.

Action

This parameter identifies whether the derivation rule sets a server group role (set role) or a VLAN (set vlan).

Value

Sets the user role or VLAN ID to be assigned to the client if the rule condition is met.
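
The following is an added example, not ArubaOS code and not part of the original page. It evaluates derivation rules with the operations listed above, using the group1 rule shown on this page next to the same rule written with equals. It assumes that evaluation stops at the first matching rule and that a value-of rule is skipped when the returned value is not configured; the sample class values are constructed.

```python
# Added example: role/VLAN derivation rule evaluation as the table above describes it.
# Assumption (not stated on the page): evaluation stops at the first matching rule.

OPS = {
    "contains":    lambda value, operand: operand in value,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with":   lambda value, operand: value.endswith(operand),
    "equals":      lambda value, operand: value == operand,
    "not-equals":  lambda value, operand: value != operand,
}

def derive(rules, attrs, configured):
    """Return (action, value) for the first matching rule, else None.

    rules: dicts with priority, attribute, operation, operand, action, value
    attrs: attribute name -> value returned by the authentication server
    configured: role names / VLAN IDs that already exist on the controller
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        returned = attrs.get(rule["attribute"])
        if returned is None:
            continue  # the server did not return this attribute
        if rule["operation"] == "value-of":
            # value-of: the returned value itself becomes the role or VLAN and
            # must already be configured; otherwise the rule is skipped (assumed).
            if returned in configured:
                return rule["action"], returned
            continue
        if OPS[rule["operation"]](returned, rule["operand"]):
            return rule["action"], rule["value"]
    return None

# Rule from the group1 output on this page.
RULES = [{"priority": 1, "attribute": "class", "operation": "contains",
          "operand": "admin", "action": "set role", "value": "root"}]
# The same rule with an exact match, for comparison.
STRICT = [dict(RULES[0], operation="equals")]
CONFIGURED = {"root", "guest"}  # constructed set of configured roles

# Constructed sample attribute values (not from the page).
SAMPLES = ["admin", "netadmin-readonly", "non-admin-staff", "engineering"]

def compare():
    """Map each sample class value to (contains result, equals result)."""
    return {v: (derive(RULES, {"class": v}, CONFIGURED),
                derive(STRICT, {"class": v}, CONFIGURED)) for v in SAMPLES}

if __name__ == "__main__":
    for value, (loose, strict) in compare().items():
        print(f"class={value!r:22} contains -> {loose}  equals -> {strict}")
```

With contains, every class value that includes the substring admin is assigned the root role; with equals, only the exact value admin is.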

Related Commands

Command

Description

aaa server-group

This command allows you to add a configured authentication server to an ordered list in a server group, and configure server rules to derive a user role, VLAN ID or VLAN name from attributes returned by the server during authentication.

show references aaa server-group

This command shows references to a server group.

Command History

Command

Description

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

All platforms

Licensing

Base operating system.

Command Mode

Enable or Config mode on Mobility Master.
