ArubaOS 8.6.0.0 Help Center

Assigning Server Groups

You can create server groups for the following purposes:

User authentication

Management authentication

Accounting

You can configure all types of servers for user and management authentication (see Table 1). Accounting is supported only with RADIUS and TACACS+ servers, and only when RADIUS or TACACS+ is also used for authentication.

Table 1: Server Types and Purposes

                            RADIUS   TACACS+   LDAP   Internal Database
User authentication         Yes      Yes       Yes    Yes
Management authentication   Yes      Yes       Yes    Yes
Accounting                  Yes      Yes       No     No

The following section describes user authentication, management authentication, and accounting:

User Authentication

For information about assigning a server group for user authentication, see Roles and Policies.

Management Authentication

Users who need to access Mobility Master to monitor, manage, or configure the Aruba user-centric network can be authenticated with RADIUS, TACACS+, or LDAP servers, or with the internal database.

Only the attributes of the user record are returned on successful authentication. To assign a management role other than the default management authentication role, configure a server derivation rule that matches on those user attributes.

The following CLI commands enable management authentication:

(host) [mynode] (config) #aaa authentication mgmt
    server-group <group>
    enable

Accounting

You can configure accounting for RADIUS and TACACS+ server groups.

RADIUS or TACACS+ accounting is supported only when RADIUS or TACACS+ is used for authentication.

The following sections describe RADIUS accounting, the roaming RADIUS accounting service, RADIUS accounting on multiple servers, and TACACS+ accounting:

RADIUS Accounting

RADIUS accounting allows user activity and statistics to be reported from managed devices to RADIUS servers:

1. The managed device generates an Accounting Start packet when a user logs in. The Code field of the transmitted RADIUS packet is set to 4 (Accounting-Request). Sensitive information, such as user passwords, is not sent to the accounting server. The RADIUS server sends an acknowledgment of the packet.

2. The managed device sends an Accounting Stop packet when a user logs off; the packet includes statistics such as elapsed time and input and output bytes and packets. The RADIUS server sends an acknowledgment of the packet.

The following attributes can be sent to a RADIUS accounting server:

Acct-Status-Type: Marks the beginning or end of an accounting record for a user. Current values are Start, Stop, and Interim-Update.

User-Name: Name of the user.

Acct-Session-Id: A unique identifier that allows the accounting records for a user to be matched. It is derived from the user name, IP address, and MAC address, and is set in all accounting packets.

Acct-Authentic: Indicates how the user was authenticated. Current values are 1 (RADIUS), 2 (Local), and 3 (LDAP). (RFC 2866 names value 3 "Remote".)

Acct-Session-Time: The elapsed time, in seconds, that the client was logged in to the managed device. This is sent only in Accounting-Request records where Acct-Status-Type is Stop or Interim-Update.

Acct-Terminate-Cause: Indicates how the session was terminated. It is sent in Accounting-Request records where Acct-Status-Type is Stop. Possible values are:

1: User logged off

4: Idle Timeout

5: Session Timeout. Maximum session length timer expired.

7: Admin Reboot: Administrator is ending service, for example prior to rebooting the Mobility Master.

NAS-Identifier: Set in the RADIUS server configuration.

NAS-IP-Address: IP address of the managed device. You can configure a "global" NAS IP address:

In the Mobility Master node hierarchy of the WebUI, navigate to the Configuration > Authentication > Advanced page. Under RADIUS Client, enter the IPv4 or IPv6 address.

In the CLI, use the ip radius nas-ip command.

NAS-Port: Physical or virtual port (tunnel) number through which the user traffic enters the managed device.

NAS-Port-Type: Type of port used in the connection. Set to one of the following (RFC 2865 names in parentheses):

5: admin login (Virtual)

15: wired user (Ethernet)

19: wireless user (Wireless-802.11)

Framed-IP-Address: IP address of the user.

Calling-Station-ID: MAC address of the user.

Called-Station-ID: MAC address of the managed device.

The following attributes are sent in Accounting-Request packets when the Acct-Status-Type value is Start:

Acct-Status-Type

User-Name

NAS-IP-Address

NAS-Port

NAS-Port-Type

NAS-Identifier

Framed-IP-Address

Calling-Station-ID

Called-Station-ID

Acct-Session-ID

Acct-Authentic

The following attributes are sent in Accounting-Request packets when the Acct-Status-Type value is Stop:

Acct-Status-Type

User-Name

NAS-IP-Address

NAS-Port

NAS-Port-Type

NAS-Identifier

Framed-IP-Address

Calling-Station-ID

Called-Station-ID

Acct-Session-ID

Acct-Authentic

Acct-Terminate-Cause

Acct-Session-Time

The following statistical attributes are sent only in Interim-Update and Accounting Stop packets (they are not sent in Accounting Start packets):

Acct-Input-Octets

Acct-Output-Octets

Acct-Input-Packets

Acct-Output-Packets

Acct-Input-Gigawords

Acct-Output-Gigawords
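The Accounting-Request exchange and the Start/Stop attribute sets above, worked through in code. This is an added example and not ArubaOS code: it builds RFC 2866 Accounting-Request packets carrying the attributes the page lists, computes and verifies the Request and Response Authenticators, parses the records back, checks that a Start record carries no statistics and that a Stop record carries Acct-Terminate-Cause and Acct-Session-Time, and combines the Gigawords and Octets counters. The shared secret, addresses, user name, session ID and counters are constructed test data.

```python
"""RFC 2866 RADIUS accounting: build, authenticate and check Start/Stop records.
Added example, not ArubaOS code. SECRET, addresses, user and counters are constructed."""
import hashlib
import hmac
import struct

# Standard attribute type codes (RFC 2865/2866).
ATTR = {
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Framed-IP-Address": 8,
    "Called-Station-Id": 30, "Calling-Station-Id": 31, "NAS-Identifier": 32,
    "Acct-Status-Type": 40, "Acct-Input-Octets": 42, "Acct-Output-Octets": 43,
    "Acct-Session-Id": 44, "Acct-Authentic": 45, "Acct-Session-Time": 46,
    "Acct-Input-Packets": 47, "Acct-Output-Packets": 48, "Acct-Terminate-Cause": 49,
    "Acct-Input-Gigawords": 52, "Acct-Output-Gigawords": 53, "NAS-Port-Type": 61,
}
NAME = {v: k for k, v in ATTR.items()}
INTEGER_ATTRS = {5, 40, 42, 43, 45, 46, 47, 48, 49, 52, 53, 61}
IPADDR_ATTRS = {4, 8}
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
START, STOP, INTERIM = 1, 2, 3

# Attribute sets the page lists for Start and Stop records.
START_REQUIRED = {"Acct-Status-Type", "User-Name", "NAS-IP-Address", "NAS-Port",
                  "NAS-Port-Type", "NAS-Identifier", "Framed-IP-Address",
                  "Calling-Station-Id", "Called-Station-Id", "Acct-Session-Id",
                  "Acct-Authentic"}
STOP_REQUIRED = START_REQUIRED | {"Acct-Terminate-Cause", "Acct-Session-Time"}
STATS = {"Acct-Input-Octets", "Acct-Output-Octets", "Acct-Input-Packets",
         "Acct-Output-Packets", "Acct-Input-Gigawords", "Acct-Output-Gigawords"}

SECRET = b"constructed-shared-secret"  # constructed test data, as are the records below
START_ATTRS = [("Acct-Status-Type", START), ("User-Name", "alice"),
               ("NAS-IP-Address", "10.0.0.1"), ("NAS-Port", 4096), ("NAS-Port-Type", 19),
               ("NAS-Identifier", "md-branch-1"), ("Framed-IP-Address", "10.1.2.3"),
               ("Calling-Station-Id", "00:11:22:33:44:55"),
               ("Called-Station-Id", "AA:BB:CC:DD:EE:FF"),
               ("Acct-Session-Id", "alice-10.1.2.3-001122334455"), ("Acct-Authentic", 1)]
STOP_ATTRS = [("Acct-Status-Type", STOP)] + START_ATTRS[1:] + [
    ("Acct-Terminate-Cause", 1), ("Acct-Session-Time", 3600),
    ("Acct-Input-Octets", 100), ("Acct-Output-Octets", 5000),
    ("Acct-Input-Packets", 10), ("Acct-Output-Packets", 20),
    ("Acct-Input-Gigawords", 1), ("Acct-Output-Gigawords", 0)]

def encode_attr(name, value):
    t = ATTR[name]
    if t in INTEGER_ATTRS:
        data = struct.pack("!I", value)
    elif t in IPADDR_ATTRS:
        data = bytes(int(o) for o in value.split("."))
    else:
        data = value.encode()
    return struct.pack("!BB", t, len(data) + 2) + data

def build_accounting_request(ident, secret, attrs):
    payload = b"".join(encode_attr(n, v) for n, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(payload))
    # RFC 2866 s3: Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret)
    auth = hashlib.md5(header + bytes(16) + payload + secret).digest()
    return header + auth + payload

def request_is_valid(request, secret):
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])

def build_accounting_response(request, secret):
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def response_is_valid(request, response, secret):
    # A NAS that skips this check accepts forged acknowledgements from anyone on the path.
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        data = packet[pos + 2:pos + length]
        if t in INTEGER_ATTRS:
            value = struct.unpack("!I", data)[0]
        elif t in IPADDR_ATTRS:
            value = ".".join(str(b) for b in data)
        else:
            value = data.decode()
        attrs[NAME.get(t, t)] = value
        pos += length
    return attrs

def check_record(attrs):
    """Problems relative to the Start/Stop/Interim attribute sets described above."""
    status = attrs.get("Acct-Status-Type")
    if status == START:
        problems = sorted(START_REQUIRED - attrs.keys())
        if STATS & attrs.keys():
            problems.append("statistics in Start")
        return problems
    if status == STOP:
        return sorted(STOP_REQUIRED - attrs.keys())
    if status == INTERIM:
        return sorted((START_REQUIRED | {"Acct-Session-Time"}) - attrs.keys())
    return ["unknown Acct-Status-Type"]

def total_octets(attrs, direction):
    """Octets wrap at 2^32; Gigawords carries the high-order count."""
    return (attrs.get(f"Acct-{direction}-Gigawords", 0) << 32) + attrs.get(f"Acct-{direction}-Octets", 0)
```

The authenticators are plain MD5 over the shared secret, so the secret's strength and the trust placed in the path between managed device and RADIUS server are what protect accounting records from forgery; check_record is the kind of test a collector can run to catch records that arrive without the attributes the page promises (for example a Stop without Acct-Terminate-Cause).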

Remote APs in split-tunnel mode support RADIUS accounting. If you enable RADIUS accounting in a split-tunnel Remote AP AAA profile, the managed device sends a RADIUS accounting Start record to the RADIUS server when a user associates with the remote AP, and sends a Stop record when the user logs out or is deleted from the user database. If interim accounting is enabled, the managed device sends updates at regular intervals. Each interim record includes cumulative user statistics, including received bytes and packets counters.

The following procedure describes how to assign a server group for RADIUS accounting:

1. In the Managed Network node hierarchy, navigate to the Configuration > Authentication > AAA Profiles tab.

2. Expand the AAA Profiles pane and select the default profile instance.

3. (Optional) In the AAA Profile: default pane, select RADIUS Interim Accounting to allow the managed device to send Interim-Update messages with current user statistics to the server at regular intervals. This option is disabled by default, in which case the managed device sends only Start and Stop messages to the RADIUS accounting server.

4. Scroll down to RADIUS Accounting Server Group and select the server group from the drop-down list.

You can add additional servers to the group or configure server rules.

5. Click Submit.

6. Click Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands configure a server group for RADIUS accounting:

(host) [mynode] (config) #aaa profile <profile>
    radius-accounting <group>
    radius-interim-accounting

Roaming RADIUS Accounting Service

Starting from ArubaOS 8.1, the Roaming RADIUS Accounting Service creates an accounting session for each wireless client. The records in the session contain the same set of RADIUS attributes as the timer-based RADIUS Interim-Update accounting record, except the statistics attributes. Whenever a wireless client roams to a different AP, a roaming-triggered RADIUS Interim-Update accounting record is sent to the configured RADIUS accounting server. This record is used to track the current location of the wireless client. This feature is supported for wireless clients in both cluster and non-cluster environments, but is not supported for wired, VPN/VIA, and L3-Mobility clients.

The following procedure describes how to enable the roaming RADIUS accounting service:

1. In the Managed Network node hierarchy, navigate to the Configuration > Authentication > AAA Profiles tab.

2. Expand AAA Profiles and select an AAA profile instance.

3. In the AAA Profile: <name of the profile> pane, select the RADIUS Roaming Accounting check box.

4. Click Submit.

5. Click Pending Changes.

6. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands enable the roaming RADIUS accounting service:

(host) [mynode] (config) #aaa profile <profile_name>
    radius-accounting <group>
    radius-roam-accounting

The following CLI command checks whether roaming-triggered RADIUS accounting is enabled:

(host) #show aaa profile <profile_name>

Configuring RADIUS Accounting on Multiple Servers

ArubaOS can send RADIUS accounting to multiple RADIUS servers. Mobility Master notifies all the RADIUS servers so that each can track the status of authenticated users. Accounting messages are sent to all the servers configured in the server group, in sequential order.

The following procedure describes how to enable multiple-server accounting:

1. In the Managed Network node hierarchy, navigate to the Configuration > Authentication > AAA Profiles tab.

2. Expand AAA Profiles and select an AAA profile instance.

3. In the AAA Profile: <name of the profile> pane, select the Multiple Server Accounting check box.

4. Click Submit.

5. Click Pending Changes.

6. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands enable RADIUS accounting on multiple servers:

(host) [mynode] (config) #aaa profile <profile_name>
    multiple-server-accounting

TACACS+ Accounting

TACACS+ accounting allows commands issued on a Mobility Master or managed device to be reported to TACACS+ servers. You can specify which types of commands are reported (action, configuration, or show commands), or report all commands.

You can configure TACACS+ accounting only from the CLI.

The following CLI commands configure TACACS+ accounting:

(host) [mm] (config) #aaa tacacs-accounting
(host) ^[mm] (config-submode) #command {action|all|configuration|show}
(host) ^[mm] (config-submode) #server-group <name of the TACACS server>
(host) ^[mm] (config-submode) #write memory
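A worked TACACS+ command-accounting record, as an added example that is not ArubaOS code. It encodes and decodes an RFC 8907 accounting REQUEST for a show command, including the MD5 pseudo-pad the protocol XORs over the body. The key, session ID, user name, port and argument values are constructed; the argument names (service, cmd, cmd-arg, task_id) are the RFC 8907 conventions and are an assumption here, since this page does not state the exact attribute set ArubaOS sends.

```python
"""RFC 8907 TACACS+ accounting REQUEST encoder/decoder. Added example, not ArubaOS code:
KEY, the session ID, user, port and the argument values are constructed test data."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0          # major 0xC, minor 0
TAC_PLUS_ACCT = 0x03             # packet type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
FLAG_START, FLAG_STOP = 0x02, 0x04
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
KEY = b"constructed-tacacs-key"  # constructed test data

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 keystream: chained MD5 over session_id|key|version|seq_no|previous."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR with the pseudo-pad; the same call decodes. No integrity protection is applied."""
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_acct_request(session_id, seq_no, key, user, port, rem_addr, args, flags=FLAG_STOP):
    """Accounting REQUEST (RFC 8907 s6.1): fixed fields, argument lengths, then strings."""
    args_b = [a.encode() for a in args]
    body = struct.pack("!BBBBBBBBB", flags, AUTHEN_METH_TACACSPLUS, 15,
                       AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(args_b))
    body += bytes(len(a) for a in args_b)
    body += user.encode() + port.encode() + rem_addr.encode() + b"".join(args_b)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)

def parse_acct_request(packet, key):
    version, ptype, seq_no, hflags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_ACCT or len(packet) != 12 + length:
        raise ValueError("not a well-formed accounting packet")
    body = packet[12:]
    if not hflags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no)
    (acct_flags, _meth, priv, _atype, _svc, ulen, plen, rlen, argc) = struct.unpack("!BBBBBBBBB", body[:9])
    arg_lens = list(body[9:9 + argc])
    pos = 9 + argc
    user = body[pos:pos + ulen].decode(); pos += ulen
    port = body[pos:pos + plen].decode(); pos += plen
    rem_addr = body[pos:pos + rlen].decode(); pos += rlen
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode()); pos += n
    if pos != len(body):
        raise ValueError("trailing bytes: wrong key or corrupt body")
    return {"flags": acct_flags, "priv_lvl": priv, "user": user, "port": port,
            "rem_addr": rem_addr, "args": args}

# A constructed STOP record for one "show running-config" issued over SSH.
SAMPLE = build_acct_request(0x1234ABCD, 1, KEY, "admin", "ssh", "192.0.2.10",
                            ["service=shell", "cmd=show", "cmd-arg=running-config", "task_id=42"])
```

Two practical points fall out of the decoder. The body is only XORed with an MD5 keystream (RFC 8907 itself calls this obfuscation, not encryption), and there is no integrity check, so a wrong key does not produce an authentication failure but a body that fails to parse; a server that logs whatever it receives will record garbage rather than reject it. Command accounting records therefore belong on a management network you trust or inside an encrypted tunnel, and the server group's key must be as well protected as an admin password.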
