Assigning Server Groups
You can create server groups for the following purposes:
- User authentication
- Management authentication
- Accounting
You can configure all types of servers for user and management authentication (see Table 1). Accounting is only supported with RADIUS and TACACS+ servers, and only when RADIUS or TACACS+ is used for authentication.
Table 1: Server types supported for each server group purpose

| | RADIUS | TACACS+ | LDAP | Internal Database |
|---|---|---|---|---|
| User authentication | Yes | Yes | Yes | Yes |
| Management authentication | Yes | Yes | Yes | Yes |
| Accounting | Yes | Yes | No | No |
The following sections describe user authentication, management authentication, and accounting:
User Authentication
For information about assigning a server group for user authentication,
Management Authentication
Users who need to access Mobility Master to monitor, manage, or configure the Aruba user-centric network can be authenticated with RADIUS, TACACS+, or LDAP servers or the internal database.
Only user record attributes are returned upon successful authentication. Therefore, to derive a management role other than the default mgmt auth role, set the server derivation rule based on the user attributes.
The following CLI command enables management authentication:
(host)[mynode] (config) #aaa authentication mgmt
server-group <group>
enable
Accounting
You can configure accounting for RADIUS and TACACS+ server groups.
RADIUS or TACACS+ accounting is only supported when RADIUS or TACACS+ is used for authentication.
The following sections describe RADIUS accounting, the roaming RADIUS accounting service, RADIUS accounting on multiple servers, and TACACS+ accounting:
RADIUS Accounting
RADIUS accounting allows user activity and statistics to be reported from managed devices to RADIUS servers:
- The managed device generates an Accounting Start packet when a user logs in. The code field of the transmitted RADIUS packet is set to 4 (Accounting-Request). Note that sensitive information, such as user passwords, is not sent to the accounting server. The RADIUS server sends an acknowledgment of the packet.
- The managed device sends an Accounting Stop packet when a user logs off; the packet information includes various statistics such as elapsed time, input and output bytes, and packets. The RADIUS server sends an acknowledgment of the packet.
The following attributes can be sent to a RADIUS accounting server:
- Acct-Status-Type: This attribute marks the beginning or end of the accounting record for a user. Current values are Start, Stop, and Interim Update.
- User-Name: Name of the user.
- Acct-Session-ID: A unique identifier to facilitate matching of accounting records for a user. It is derived from the user name, IP address, and MAC address. This is set in all accounting packets.
- Acct-Authentic: This indicates how the user was authenticated. Current values are 1 (RADIUS), 2 (Local), and 3 (LDAP).
- Acct-Session-Time: The elapsed time, in seconds, that the client was logged in to the managed device. This is only sent in Accounting-Request records where the Acct-Status-Type is Stop or Interim Update.
- Terminate-Cause: Indicates how the session was terminated and is sent in Accounting-Request records where the Acct-Status-Type is Stop. Possible values are:
1: User logged off
4: Idle Timeout
5: Session Timeout. Maximum session length timer expired.
7: Admin Reboot: Administrator is ending service, for example prior to rebooting the Mobility Master.
- NAS-Identifier: This is set in the RADIUS server configuration.
- NAS-IP-Address: IP address of the managed device. You can configure a "global" NAS IP address: in the node hierarchy of the WebUI, navigate to the page. Under , enter the IPv4 or IPv6 address.
- NAS-Port: Physical or virtual port (tunnel) number through which the user traffic is entering the managed device.
- NAS-Port-Type: Type of port used in the connection. This is set to one of the following:
5: admin login
15: wired user type
19: wireless user
- Framed-IP-Address: IP address of the user.
- Calling-Station-ID: MAC address of the user.
- Called-Station-ID: MAC address of the managed device.
The following attributes are sent in Accounting-Request packets when the Acct-Status-Type value is Start:
- Acct-Status-Type
- User-Name
- NAS-IP-Address
- NAS-Port
- NAS-Port-Type
- NAS-Identifier
- Framed-IP-Address
- Calling-Station-ID
- Called-Station-ID
- Acct-Session-ID
- Acct-Authentic
The following attributes are sent in Accounting-Request packets when the Acct-Status-Type value is Stop:
- Acct-Status-Type
- User-Name
- NAS-IP-Address
- NAS-Port
- NAS-Port-Type
- NAS-Identifier
- Framed-IP-Address
- Calling-Station-ID
- Called-Station-ID
- Acct-Session-ID
- Acct-Authentic
- Terminate-Cause
- Acct-Session-Time
The following statistical attributes are sent only in Interim-Update and Accounting Stop packets (they are not sent in Accounting Start packets):
- Acct-Input-Octets
- Acct-Output-Octets
- Acct-Input-Packets
- Acct-Output-Packets
- Acct-Input-Gigawords
- Acct-Output-Gigawords
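As an added example (not part of the ArubaOS documentation), the following Python decodes a RADIUS Accounting-Request on the receiving side, verifies its Request Authenticator against the shared secret, and checks the attribute set against the Start and Stop lists above. Attribute type numbers are the standard RFC 2865/2866 values; the shared secret, addresses and session values are constructed for the example.

```python
import hashlib
import ipaddress
import struct

ACCT_REQUEST = 4
ATTR = {  # RFC 2865/2866 type numbers for the attributes the page lists
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Framed-IP-Address": 8, "Called-Station-ID": 30,
    "Calling-Station-ID": 31, "NAS-Identifier": 32, "Acct-Status-Type": 40, "Acct-Input-Octets": 42,
    "Acct-Output-Octets": 43, "Acct-Session-ID": 44, "Acct-Authentic": 45, "Acct-Session-Time": 46,
    "Acct-Input-Packets": 47, "Acct-Output-Packets": 48, "Acct-Terminate-Cause": 49,
    "Acct-Input-Gigawords": 52, "Acct-Output-Gigawords": 53, "NAS-Port-Type": 61}
NAME = {v: k for k, v in ATTR.items()}
IPV4 = {"NAS-IP-Address", "Framed-IP-Address"}
INTS = {n for n in ATTR if n.startswith("Acct-") and n != "Acct-Session-ID"} | {"NAS-Port", "NAS-Port-Type"}
START, STOP, INTERIM = 1, 2, 3  # Acct-Status-Type values
START_SET = {"Acct-Status-Type", "User-Name", "NAS-IP-Address", "NAS-Port", "NAS-Port-Type",  # every Start record
             "NAS-Identifier", "Framed-IP-Address", "Calling-Station-ID", "Called-Station-ID",
             "Acct-Session-ID", "Acct-Authentic"}
STOP_SET = START_SET | {"Acct-Terminate-Cause", "Acct-Session-Time"}  # a Stop record adds these two
STATS = {"Acct-Input-Octets", "Acct-Output-Octets", "Acct-Input-Packets",
         "Acct-Output-Packets", "Acct-Input-Gigawords", "Acct-Output-Gigawords"}
TERMINATE_CAUSES = {1: "User logged off", 4: "Idle Timeout", 5: "Session Timeout", 7: "Admin Reboot"}
SECRET = b"constructed-shared-secret"  # constructed for this example

def build_acct_request(secret, ident, attrs):
    """Build an Accounting-Request. RFC 2866: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b""
    for name, value in attrs:  # int (IPv4 given as int) -> 4-byte big-endian, str -> UTF-8
        data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
        body += struct.pack("!BB", ATTR[name], len(data) + 2) + data
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def sample_record(status, extra=()):  # constructed record carrying the page's Start attribute set
    attrs = [("Acct-Status-Type", status), ("User-Name", "alice"),
             ("NAS-IP-Address", int(ipaddress.IPv4Address("10.0.0.1"))), ("NAS-Port", 4096),
             ("NAS-Port-Type", 19), ("NAS-Identifier", "md-01"),  # 19 = wireless user
             ("Framed-IP-Address", int(ipaddress.IPv4Address("10.1.2.3"))),
             ("Calling-Station-ID", "00-11-22-33-44-55"), ("Called-Station-ID", "AA-BB-CC-DD-EE-FF"),
             ("Acct-Session-ID", "alice-10.1.2.3-001122334455"), ("Acct-Authentic", 1)]
    return build_acct_request(SECRET, 7, attrs + list(extra))

def check_acct_request(packet, secret):
    """Return (ok, problems, attrs): verify code, length and authenticator, then
    compare the decoded attribute set with the Start/Stop lists above."""
    problems, attrs = [], {}
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet) or length < 20:
        return False, ["not a well-formed Accounting-Request"], attrs
    if hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest() != packet[4:20]:
        problems.append("authenticator mismatch: wrong shared secret or altered record")
    pos = 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 3 or pos + l > length:
            return False, problems + [f"malformed attribute at offset {pos}"], attrs
        name, val = NAME.get(t, f"Attr-{t}"), packet[pos + 2:pos + l]
        if name in IPV4 and len(val) == 4:
            attrs[name] = str(ipaddress.IPv4Address(val))
        elif name in INTS and len(val) == 4:
            attrs[name] = struct.unpack("!I", val)[0]
        else:
            attrs[name] = val.decode(errors="replace")
        pos += l
    status = attrs.get("Acct-Status-Type")
    required = {START: START_SET, STOP: STOP_SET, INTERIM: START_SET}.get(status, set())
    problems += [f"missing {a}" for a in sorted(required - attrs.keys())]
    if status == START and STATS & attrs.keys():
        problems.append("statistics attributes belong only in Interim-Update and Stop records")
    if status == STOP and attrs.get("Acct-Terminate-Cause", 1) not in TERMINATE_CAUSES:
        problems.append("unexpected Acct-Terminate-Cause value")
    return not problems, problems, attrs
```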
Remote APs in split-tunnel mode now support RADIUS accounting. If you enable RADIUS accounting in a split-tunnel Remote AP AAA profile, the managed device sends a RADIUS accounting start record to the RADIUS server when a user associates with the remote AP, and sends a stop record when the user logs out or is deleted from the user database. If interim accounting is enabled, the managed device sends updates at regular intervals. Each interim record includes cumulative user statistics, including received bytes and packets counters.
The following procedure describes how to assign a server group for RADIUS accounting:
- In the node hierarchy, navigate to the tab.
- Expand the pane and select the profile instance.
- (Optional) In the pane, select to allow the managed device to send Interim-Update messages with current user statistics to the RADIUS accounting server at regular intervals. This option is disabled by default, so the managed device sends only start and stop messages.
- Select an AAA profile, and then scroll down to select the for the AAA profile. Select the from the drop-down list.
You can add additional servers to the group or configure server rules.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI commands configure a server group for RADIUS accounting:
(host) [mynode] (config) #aaa profile <profile>
radius-accounting <group>
radius-interim-accounting
Roaming RADIUS Accounting Service
Starting from ArubaOS 8.1, the Roaming RADIUS Accounting Service creates an accounting session for each wireless client. The records in the session contain the same set of RADIUS attributes as the timer-based RADIUS Interim-Update accounting record, except the statistics attributes. Whenever a wireless client roams to a different AP, the roaming-triggered RADIUS Interim-Update accounting record is sent to the configured RADIUS accounting server. This record is used to track the current location of the wireless client. Currently this feature is supported for wireless clients in both cluster and non-cluster environments, but is not supported for wired, VPN/VIA, and L3-Mobility clients.
The following procedure describes how to enable roaming RADIUS accounting services:
- In the node hierarchy, navigate to the tab.
- Expand and select an AAA profile instance.
- In the pane, select the check box.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI command enables roaming RADIUS accounting services:
(host) [mynode] (config) # aaa profile <profile_name>
radius-accounting <group>
radius-roam-accounting
The following CLI command checks whether roaming-triggered RADIUS accounting is enabled:
(host) #show aaa profile <profile_name>
Configuring RADIUS Accounting on Multiple Servers
ArubaOS provides support to send RADIUS accounting to multiple RADIUS servers. Mobility Master notifies all the RADIUS servers to track the status of authenticated users. Accounting messages are sent to all the servers configured in the server group in sequential order.
The following procedure describes how to enable multiple-server accounting:
- In the node hierarchy, navigate to the tab.
- Expand and select an AAA profile instance.
- In the pane, select the check box.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI command enables RADIUS accounting on multiple servers:
(host) [mynode] (config) # aaa profile <profile_name>
multiple-server-accounting
TACACS+ Accounting
TACACS+ accounting allows commands issued on a Mobility Master or managed device to be reported to TACACS+ servers. You can specify which types of commands are reported (action, configuration, or show commands), or report all commands.
You can only configure TACACS+ accounting using the CLI.
The following CLI commands configure TACACS+ accounting:
(host) [mm] (config) #aaa tacacs-accounting
(host) ^[mm] (config-submode) #command {action|all|configuration|show}
(host) ^[mm] (config-submode) #server-group <name of the TACACS server>
(host) ^[mm] (config-submode) #write memory