ArubaOS 8.6.0.0 Help Center

Configuring Server Groups

You can create groups of servers for specific types of authentication. For example, you can specify one or more RADIUS servers to be used for 802.1X authentication. You can configure servers of different types in one group. For example, you can include the internal database as a backup to a RADIUS server. You can also configure the same server in more than one server group. However, you must configure the server before you can include it in a server group using the WebUI or the CLI.

The following procedure describes how to configure a server group:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Authentication > Auth Servers tab.

2. The Server Groups table displays the server group list.

3. Click + in the Server Groups table. Enter the name of the new server group and click Submit.

4. Select the new server group created.

5. In Server Group <server group name>, click the Servers tab and click + to add a server to the group.

a. To add an existing server, select Add existing server and choose a server from the list. Click Submit.

b. To add a new server, select Add new server. Specify a server type from the Type drop-down list, and enter a Name and IP address/hostname for the server. Click Submit.

c. Repeat the above step(s) to add other servers to the group.

6. Click Submit.

7. Click Pending Changes.

8. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command configures a server group:

(host) [mynode] (config) #aaa server-group <name>

auth-server <name>

Configuring Server List Order and Fail-Through

The servers in a server group are part of an ordered list. The first server in the list is always used by default, unless it is unavailable, in which case the next server in the list is used. You can configure the order of servers in the server group through the WebUI using the up or down arrows (the top server is the first server in the list). In the CLI, the position parameter specifies the relative order of servers in the list (the lowest value denotes the first server in the list).

As mentioned previously, the first available server in the list is used for authentication. If the server responds with an authentication failure, there is no further processing for the user or client for which the authentication request failed. You can also enable fail-through authentication for the server group so that if the first server in the list returns an authentication deny, the managed device attempts authentication with the next server in the ordered list. The managed device attempts to authenticate with each server in the list until there is a successful authentication or the list of servers in the group is exhausted. This feature is useful in environments where there are multiple, independent authentication servers; users may fail authentication on one server but can be authenticated on another server.

Before enabling fail-through authentication, note the following:

This feature is not supported for 802.1X authentication with a server group that consists of external EAP-compliant RADIUS servers. You can, however, use fail-through authentication when the 802.1X authentication is terminated on a managed device (AAA FastConnect).

Enabling this feature for a large server group list may cause excess processing load on the managed device. It is recommended that you use server selection based on domain matching whenever possible (see Configuring Dynamic Server Selection).

Certain servers, such as the RSA RADIUS server, lock out the managed device if there are multiple authentication failures. Therefore, you should not enable fail-through authentication with these servers.

In the following example, you create a server group "corp-serv" with two LDAP servers (ldap-1 and ldap-2), each containing a subset of the usernames and passwords used in the network. When you enable fail-through authentication, users that fail authentication with the first server on the list will be authenticated with the second server.

The following procedure describes how to configure the server list order and fail-through:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Authentication > Auth Servers tab.

2. The All Servers table displays the LDAP server list.

3. Click +. Enter ldap-1 for the Name of the server, enter the IP address / hostname for the server, and set the Type to LDAP and click Submit.

4. Click +. Enter ldap-2 for the Name of the server, enter the IP address / hostname for the server, and set the Type to LDAP and click Submit.

5. Under All Servers, select ldap-1 to configure server parameters. Select the Mode check box to activate the authentication server.

6. Click Submit.

7. Repeat step 5 to configure ldap-2.

8. Click + under the Server Groups table to add a new server group. Set the server group name to corp-serv, and then click Submit.

9. Select corp-serv from the Server Groups table to configure the server group settings.

10. In Server group <corp-serv>, select the Options tab.

11. Select the Fail through check box.

12. Click Submit.

13. Navigate to the Servers tab.

14. Click + to add a server to the group.

a. Select ldap-1, and then click Submit.

b. Repeat the step above to add ldap-2 to the server group.

15. Click Submit.

16. Click Pending Changes.

17. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the server list order and fail-through:

(host) [mynode] (config) #aaa authentication-server ldap ldap-1

host 10.1.1.234

(host) [mynode] (config) #aaa authentication-server ldap ldap-2

host 10.2.2.234

(host) [mynode] (config) #aaa server-group corp-serv

auth-server ldap-1 position 1

auth-server ldap-2 position 2

allow-fail-through

Configuring Dynamic Server Selection

Managed devices can dynamically select an authentication server from a server group based on the user information sent by the client in an authentication request. For example, an authentication request can include client or user information in one of the following formats:

<domain>\<user> : for example, corpnet.com\darwin

<user>@<domain> : for example, darwin@corpnet.com

host/<pc-name>.<domain> : for example, host/darwin-g.finance.corpnet.com (this format is used with 802.1X machine authentication in Windows environments)

When you configure a server in a server group, you have the option to associate the server with one or more match rules. A match rule for a server can be one of the following:

The server is selected if the client/user information contains a specified string.

The server is selected if the client/user information begins with a specified string.

The server is selected if the client/user information exactly matches a specified string.

You can configure multiple match rules for the same server. Managed devices compare the client/user information with the match rules configured for each server, starting with the first server in the server group. If a match is found, the managed device sends the authentication request to the server with the matching rule. If no match is found before the end of the server list is reached, an error is returned, and no authentication request for the client/user is sent.

Figure 1 depicts a network consisting of several subdomains in corpnet.com. The server radius-1 provides 802.1X machine authentication to PC clients in xyz.corpnet.com, sales.corpnet.com, and hq.corpnet.com. The server radius-2 provides authentication for users in abc.corpnet.com.

Figure 1  Domain-Based Server Selection Example

The following procedure describes how to configure dynamic server selection:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Authentication > Auth Servers tab.

2. Select a server group from the Server Groups table.

3. In the Server Group <server group name>, select the Server Rules tab and click +.

a. Select an attribute from the Attribute drop-down list.

b. Select an Operation to apply a condition to the attribute.

c. Set the Operand value to the client or user information.

d. Select the Action to apply when the rule matches the attribute.

e. Select the Role to assign when the rule matches.

4. Click Submit.

5. Click Pending Changes.

6. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands configure dynamic server selection:

(host) [mynode] (config) #aaa server-group <group>

auth-server <name> [match-authstring contains|equals|starts-with <string>] [match-fqdn <string>] [position <number>] [trim-fqdn]

Configuring Match FQDN Option

You can also use the “match FQDN (domain name)” option for a server rule. With this rule, the server is selected if the <domain> portion of the user information in the formats <domain>\<user> or <user>@<domain> matches a specified string exactly. Note the following caveats when using a match FQDN rule:

This rule does not support client information in the host/<pc-name>.<domain> format, so it is not useful for 802.1X machine authentication.

The match FQDN option performs matches on only the <domain> portion of the user information sent in an authentication request. The match-authstring option (described previously) allows you to match all or a portion of the user information sent in an authentication request.

The following procedure describes how to configure a match FQDN option:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Authentication > Auth Servers page.

2. Select a server group from the Server Groups table.

3. In the Server Group <server group name>, select the Server Rules tab and click +.

a. Select Domain-Name from the Attribute drop-down list.

b. Set the Operation to equals.

c. Set the Operand value to the client or user information.

4. Click Submit.

5. Click Pending Changes.

6. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI command configures a match FQDN option:

(host) [mynode] (config) #aaa server-group <group>

auth-server <name> match-fqdn <string>

Trimming Domain Information from Requests

Before a managed device forwards an authentication request to a specified server, it can truncate the domain-specific portion of the user information. This is useful when user entries on the authenticating server do not include domain information. You can specify this option with any server match rule. This option is only applicable when the user information is sent to the managed device in the following formats:

<domain>\<user> : the <domain>\ portion is truncated

<user>@<domain> : the @<domain> portion is truncated

This option does not support client information sent in the format host/<pc-name>.<domain>.

The following procedure describes how to configure trimming of domain information from requests:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Authentication > Auth Servers tab.

2. Select a server group from the Server Groups table.

3. Under Server Group <server group name>, click the Servers tab and select a server or click + to add a new server to the group.

a. To add an existing server, select Add existing server and choose a server from the list. Click Submit.

b. To add a new server, select Add new server. Specify a server type from the Type drop-down list, and enter a Name and IP address / hostname for the server. Click Submit.

4. Select the new server.

5. In Server group <server group name> <server name>, click the Server Group Trim FQDN tab.

6. Select the Trim FQDN check box.

7. Click Submit.

8. Click Pending Changes.

9. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI command configures trimming of domain information from requests:

(host) [mynode] (config) #aaa server-group <group>

auth-server <name> trim-fqdn
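The selection logic described in the dynamic server selection, match FQDN and trim FQDN sections above, written out as an added Python simulation (not ArubaOS code): the server group, domain names and identities are constructed, modelled on Figure 1, and the model follows only the behaviour this page states.

```python
"""Simulation of the dynamic server selection, match-fqdn and trim-fqdn
behaviour described on this page. Added example, not ArubaOS code; the
server group, domain names and identities below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


def split_user_info(info: str) -> tuple[Optional[str], Optional[str]]:
    """Return (user, domain) for <domain>\\<user> or <user>@<domain>.

    host/<pc-name>.<domain> (802.1X machine authentication) has no separable
    domain for match-fqdn or trim-fqdn, so (None, None) is returned for it.
    """
    if info.startswith("host/"):
        return None, None
    if "\\" in info:
        domain, user = info.split("\\", 1)
        return user, domain
    if "@" in info:
        user, domain = info.rsplit("@", 1)
        return user, domain
    return info, None


@dataclass
class AuthServer:
    name: str
    # match-authstring rules as (operator, string); several per server allowed
    authstring_rules: list[tuple[str, str]] = field(default_factory=list)
    match_fqdn: Optional[str] = None   # exact match on the <domain> portion only
    trim_fqdn: bool = False

    def matches(self, info: str) -> bool:
        for op, s in self.authstring_rules:
            if op == "contains" and s in info:
                return True
            if op == "starts-with" and info.startswith(s):
                return True
            if op == "equals" and info == s:
                return True
        if self.match_fqdn is not None:
            _, domain = split_user_info(info)
            # host/ format yields no domain, so match-fqdn never selects it
            if domain is not None and domain == self.match_fqdn:
                return True
        return False

    def forwarded_identity(self, info: str) -> str:
        """Identity forwarded to the server; domain removed when trim-fqdn is set."""
        if not self.trim_fqdn:
            return info
        user, domain = split_user_info(info)
        return info if domain is None else user   # host/ or bare user: untouched


def select_server(group: list[AuthServer], info: str) -> tuple[str, str]:
    """Walk the list in position order; the first server with a matching rule wins.

    Returns (server name, identity to forward). Raises LookupError when the list
    is exhausted, mirroring the page: an error is returned and no request is sent.
    """
    for server in group:
        if server.matches(info):
            return server.name, server.forwarded_identity(info)
    raise LookupError(f"no server in group matches {info!r}; request not sent")


# Constructed group modelled on Figure 1: radius-1 handles machine
# authentication for three subdomains, radius-2 handles users in
# abc.corpnet.com and strips the domain before forwarding.
CORP_GROUP = [
    AuthServer("radius-1", authstring_rules=[
        ("contains", "xyz.corpnet.com"),
        ("contains", "sales.corpnet.com"),
        ("contains", "hq.corpnet.com"),
    ]),
    AuthServer("radius-2", match_fqdn="abc.corpnet.com", trim_fqdn=True),
]
```

A machine identity in abc.corpnet.com (host/ format) reaches neither server, which is the match FQDN caveat from the page made visible.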

Configuring Server-Derivation Rules

When you configure a server group, you can set the VLAN or role for clients based on attributes returned for the client by the server during authentication. The server derivation rules apply to all servers in the group. The user role or VLAN assigned through server derivation rules takes precedence over the default role and VLAN configured for the authentication method.

The authentication servers must be configured to return the attributes for the clients during authentication. For instructions on configuring the authentication attributes in a Windows environment using IAS, refer to the documentation at http://technet2.microsoft.com/windowsserver/en/technologies/ias.mspx

The server rules are applied on a first-match basis: the first rule that is applicable for the server and the attribute returned is applied to the client, and it is the only rule applied from the server rules. These rules are applied uniformly across all servers in the server group.

Table 1 describes the server rule parameters you can configure.

Table 1: Server Rule Configuration Parameters

Attribute
The attribute returned by the authentication server that is examined for the Operation and Operand match.

Operation
The match method by which the string in Operand is compared with the attribute value returned by the authentication server:

contains : The rule is applied if and only if the attribute value contains the string in parameter Operand.

starts-with : The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.

ends-with : The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.

equals : The rule is applied if and only if the attribute value returned equals the string in parameter Operand.

not-equals : The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand.

value-of : This is a special condition: the role or VLAN is set to the value of the attribute returned. For this to be successful, the role or VLAN ID returned as the value of the selected attribute must already be configured on the managed device when the rule is applied.

Operand
The string to which the value of the returned attribute is matched.

Action
Defines whether to assign a role or a VLAN to the user when the rule is matched.

Role or VLAN
The server derivation rules apply to either user role or VLAN assignment. With Role assignment, a client can be assigned a specific role based on the attributes returned. With VLAN assignment, the client can be placed in a specific VLAN based on the attributes returned.

The following procedure describes how to configure Server-Derivation Rules:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Authentication > Auth Servers tab.

2. Select a server group from the Server Groups table.

3. In Server Group <server group name>, select the Servers tab and select a server or click + to add a new server to the group.

a. To add an existing server, select Add existing server and choose a server from the list. Click Submit.

b. To add a new server, select Add new server. Specify a server type from the Type drop-down list, and enter a Name and IP address / hostname for the server. Click Submit.

4. In the Server Rules tab, click + to add server derivation rules for assigning a user role or VLAN.

a. Select the Attribute from the drop-down list.

b. Select the Operation from the drop-down list.

c. Enter the Operand.

d. To set a role, select set role from the Action drop-down list. Select the role to be assigned from the Role drop-down list.

e. To set a VLAN, select set vlan from the Action drop-down list. Select the VLAN name or ID from the Vlan drop-down list.

f. Click Submit.

g. Repeat the above steps to add other rules for the server group.

5. Click Submit.

6. Click Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands configure Server-Derivation Rules:

(host) [mynode] (config) #aaa server-group <name>

(host) [mynode] (Server Group name) #set {role|vlan} condition <attribute> contains|ends-with|equals|not-equals|starts-with <operand> set-value <set-value-str> position <number>

Configuring a Role Derivation Rule for the Internal Database

When you add a user entry to the internal database, you can specify a user role (see Managing the Internal Database). For the role specified in the internal database entry to be assigned to the authenticated client, you must configure a server derivation rule as shown in the following example.

The following CLI command configures a server derivation rule for the internal database:

(host) [mynode] (config) #aaa server-group internal

set role condition Role value-of
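The first-match evaluation of the Table 1 operations, together with the internal-database value-of rule just shown, as an added Python simulation (not ArubaOS code). The attribute names Class, Aruba-User-Vlan and Role, the rule set and the configured roles and VLANs are sample data; how a value-of rule behaves when the returned value is not yet configured on the device is an assumption noted in the code.

```python
"""Simulation of server-derivation rule evaluation (Table 1 operations).

Added example, not ArubaOS code: applies ordered rules with first-match
semantics, including value-of and its precondition that the role or VLAN
returned by the server already exists on the managed device. Attribute
names, rule sets and configured roles/VLANs below are sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DerivationRule:
    action: str                       # "role" or "vlan"
    attribute: str                    # attribute name returned by the server
    operation: str                    # one of the Table 1 operations
    operand: Optional[str] = None     # unused for value-of
    set_value: Optional[str] = None   # unused for value-of


def operation_matches(operation: str, value: str, operand: str) -> bool:
    """String comparisons for the non-value-of operations in Table 1."""
    if operation == "contains":
        return operand in value
    if operation == "starts-with":
        return value.startswith(operand)
    if operation == "ends-with":
        return value.endswith(operand)
    if operation == "equals":
        return value == operand
    if operation == "not-equals":
        return value != operand
    raise ValueError(f"unknown operation {operation!r}")


def derive(rules, attributes, configured_roles, configured_vlans):
    """Return (action, value) from the first applicable rule, else None.

    rules: DerivationRule list in position order (the same list applies to
    every server in the group). attributes: {name: value} as returned by the
    authentication server. Only the first applicable rule is applied.
    """
    for rule in rules:
        if rule.attribute not in attributes:
            continue
        value = attributes[rule.attribute]
        if rule.operation == "value-of":
            configured = configured_roles if rule.action == "role" else configured_vlans
            # Assumption: a value-of rule whose returned value is not yet
            # configured on the device produces no assignment, and since it was
            # the first applicable rule no later rule is consulted.
            return (rule.action, value) if value in configured else None
        if operation_matches(rule.operation, value, rule.operand):
            return rule.action, rule.set_value
    return None


# Constructed rule set for a RADIUS server group: position 1 maps Class=staff
# to the employee role, position 2 takes the VLAN straight from the returned
# attribute, position 3 catches guest accounts.
CORP_RULES = [
    DerivationRule("role", "Class", "equals", "staff", "employee"),
    DerivationRule("vlan", "Aruba-User-Vlan", "value-of"),
    DerivationRule("role", "Class", "starts-with", "guest", "guest-role"),
]
# Equivalent of the page's internal-database rule: set role condition Role value-of
INTERNAL_RULES = [DerivationRule("role", "Role", "value-of")]

# Sample roles and VLAN IDs assumed to exist on the managed device
ROLES = {"employee", "guest-role", "contractor"}
VLANS = {"10", "20"}
```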
