Configuring Server Groups
You can create groups of servers for specific types of authentication. For example, you can specify one or more RADIUS servers to be used for 802.1X authentication. You can configure servers of different types in one group. For example, you can include the internal database as a backup to a RADIUS server. You can also configure the same server in more than one server group. However, you must configure the server before you can include it in a server group using the WebUI or the CLI.
The following procedure describes how to configure a server group:
- In the node hierarchy, navigate to the tab.
- The table displays the server group list.
- Click in the . Enter the name of the new server group and click .
- Select the new server group created.
- In , click the tab and click to add a server to the group.
  - To add an existing server, select and choose a server from the list. Click .
  - To add a new server, select . Specify a server type from the drop-down list, and enter a and for the server. Click .
  - Repeat the above step(s) to add other servers to the group.
- Click .
- In the window, select the check box and click .
- Click .
The following CLI command configures a server group:
(host) [mynode] (config) #aaa server-group <name>
auth-server <name>
Configuring Server List Order and Fail-Through
The servers in a server group are part of an ordered list. The first server in the list is always used by default, unless it is unavailable, in which case the next server in the list is used. You can configure the order of servers in the server group through the WebUI using the or arrows (the top server is the first server in the list). In the CLI, the parameter specifies the relative order of servers in the list (the lowest value denotes the first server in the list).
As mentioned previously, the first available server in the list is used for authentication. If the server responds with an authentication failure, there is no further processing for the user or client for which the authentication request failed. You can also enable fail-through authentication for the server group so that if the first server in the list returns an authentication deny, the managed device attempts authentication with the next server in the ordered list. The managed device attempts to authenticate with each server in the list until there is a successful authentication or the list of servers in the group is exhausted. This feature is useful in environments where there are multiple, independent authentication servers; users may fail authentication on one server but can be authenticated on another server.
Before enabling fail-through authentication, note the following:
- This feature is not supported for 802.1X authentication with a server group that consists of external EAP-compliant RADIUS servers. You can, however, use fail-through authentication when the 802.1X authentication is terminated on a managed device (AAA FastConnect).
- Enabling this feature for a large server group list may cause excess processing load on the managed device. It is recommended that you use server selection based on domain matching whenever possible (see Configuring Dynamic Server Selection).
- Certain servers, such as the RSA RADIUS server, lock out the managed device if there are multiple authentication failures. Therefore, you should not enable fail-through authentication with these servers.
In the following example, you create a server group "corp-serv" with two LDAP servers (ldap-1 and ldap-2), each containing a subset of the usernames and passwords used in the network. When you enable fail-through authentication, users that fail authentication with the first server on the list will be authenticated with the second server.
The following procedure describes how to configure the server list order and fail-through:
- In the node hierarchy, navigate to the tab.
- Click . Enter for the of the server, enter the for the server, and set the to and click .
- Click . Enter for the of the server, enter the for the server, and set the to and click .
- Under , select to configure server parameters. Select the check box to activate the authentication server.
- Click .
- Repeat step to configure .
- Click under the table to add a new server group. Set the server group name to , and then click .
- Select from the table to configure the server group settings.
- In , select the tab.
- Select the check box.
- Click .
- Navigate to the tab.
- Click to add a server to the group.
  - Select , and then click .
  - Repeat the step above to add to the server group.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI commands configure the server list order and fail-through:
(host) [mynode] (config) #aaa authentication-server ldap ldap-1
host 10.1.1.234
(host) [mynode] (config) #aaa authentication-server ldap ldap-2
host 10.2.2.234
(host) [mynode] (config) #aaa server-group corp-serv
auth-server ldap-1 position 1
auth-server ldap-2 position 2
allow-fail-through
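As an added example (not ArubaOS code), the following Python models the ordered corp-serv list with and without allow-fail-through, using constructed user sets that stand in for what ldap-1 and ldap-2 would accept; the list of servers that received a request is returned so the lockout caveat above can be seen directly.

```python
# Added example, not ArubaOS code: models how an ordered server group answers an
# authentication request with and without allow-fail-through. A server that
# never responds (mapped to None below) is "unavailable", which is treated
# differently from a server that responds with a deny.

def authenticate(group, user, directory, allow_fail_through=False):
    """group: [(server_name, position)], lowest position is tried first.
    directory: server_name -> set of usernames that server authenticates, or None
    when the server is unavailable (constructed stand-in for the LDAP exchange).
    Returns (result, list of servers that received a request)."""
    attempts = []
    for name, _position in sorted(group, key=lambda s: s[1]):
        attempts.append(name)
        users = directory.get(name)
        if users is None:
            continue                    # no response: next server, fail-through or not
        if user in users:
            return "ACCEPT", attempts
        if not allow_fail_through:
            return "DENY", attempts     # a deny ends processing for this client
        # allow-fail-through: the deny is not final, try the next server
    return "DENY", attempts             # list exhausted without an accept

# Constructed data modelled on the corp-serv example: each LDAP server knows a
# subset of the users, so a user may be denied by one and accepted by the other.
CORP_SERV = [("ldap-1", 1), ("ldap-2", 2)]
USERS = {"ldap-1": {"alice"}, "ldap-2": {"bob"}}
LDAP1_DOWN = {"ldap-1": None, "ldap-2": {"bob"}}

if __name__ == "__main__":
    print(authenticate(CORP_SERV, "bob", USERS))                           # ('DENY', ['ldap-1'])
    print(authenticate(CORP_SERV, "bob", USERS, allow_fail_through=True))  # ('ACCEPT', ['ldap-1', 'ldap-2'])
    print(authenticate(CORP_SERV, "bob", LDAP1_DOWN))                      # ('ACCEPT', ['ldap-1', 'ldap-2'])
```

Every extra entry in the returned list is one more failed attempt recorded by a server that was not the right one for that user, which is why a server that locks out after repeated failures should not sit in a fail-through group.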
Configuring Dynamic Server Selection
Managed devices can dynamically select an authentication server from a server group based on the user information sent by the client in an authentication request. For example, an authentication request can include client or user information in one of the following formats:
- : for example, corpnet.com\darwin
- : for example, darwin@corpnet.com
- : for example, host/darwin-g.finance.corpnet.com (this format is used with 802.1X machine authentication in Windows environments)
When you configure a server in a server group, you have the option to associate the server with one or more match rules. A match rule for a server can be one of the following:
- The server is selected if the client/user information contains a specified string.
- The server is selected if the client/user information begins with a specified string.
- The server is selected if the client/user information exactly matches a specified string.
You can configure multiple match rules for the same server. Managed devices compare the client/user information with the match rules configured for each server, starting with the first server in the server group. If a match is found, the managed device sends the authentication request to the server with the matching rule. If no match is found before the end of the server list is reached, an error is returned, and no authentication request for the client/user is sent.
Figure 1 depicts a network consisting of several subdomains in corpnet.com. The server radius-1 provides 802.1X machine authentication to PC clients in xyz.corpnet.com, sales.corpnet.com, and hq.corpnet.com. The server radius-2 provides authentication for users in abc.corpnet.com.
Figure 1 Domain-Based Server Selection Example
The following procedure describes how to configure dynamic server selection:
- In the node hierarchy, navigate to the tab.
- Select a server group from the table.
- In the , select the tab, click .
  - Select an attribute from the drop-down list.
  - Select an to apply a condition to the attribute.
  - Set the value to the client or user information.
  - Set the to apply an action to the attribute.
  - Set the to set a role to the attribute.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI commands configure dynamic server selection:
(host) [mynode] (config) #aaa server-group <group>
auth-server <name> [match-authstring contains|equals|starts-with <string>] [match-fqdn <string>] [position <number>] [trim-fqdn]
Configuring Match FQDN Option
You can also use the “match FQDN (domain name)” option for a server rule. With this rule, the server is selected if the <domain> portion of the user information in the formats or matches a specified string exactly. Note the following caveats when using a match FQDN rule:
- This rule does not support client information in the host/<pc-name>.<domain> format, so it is not useful for 802.1X machine authentication.
- The match FQDN option performs matches on only the <domain> portion of the user information sent in an authentication request. The match-authstring option (described previously) allows you to match all or a portion of the user information sent in an authentication request.
The following procedure describes how to configure a match FQDN option:
- In the node hierarchy, navigate to the page.
- Select a server group from the table.
- In the , select the tab and click .
  - Select from the drop-down list.
  - Set the to .
  - Set the value to the client or user information.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI command configures a match FQDN option:
(host) [mynode] (config) #aaa server-group <group>
auth-server <name> match-fqdn <string>
Trimming Domain Information from Requests
Before a managed device forwards an authentication request to a specified server, it can truncate the domain-specific portion of the user information. This is useful when user entries on the authenticating server do not include domain information. You can specify this option with any server match rule. This option is only applicable when the user information is sent to the managed device in the following formats:
- : the <domain>\ portion is truncated
- : the @<domain> portion is truncated
This option does not support client information sent in the format host/<pc-name>.<domain>.
The following procedure describes how to trim domain information from requests:
- In the node hierarchy, navigate to the tab.
- Select a server group from the table.
- Under , click the tab and select a server or click to add a new server to the group.
  - To add an existing server, select and choose a server from the list. Click .
  - To add a new server, select . Specify a server type from the drop-down list, and enter a for the server. Click .
- Select the new server.
- In , click the tab.
- Select the check box.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI command trims domain information from requests:
(host) [mynode] (config) #aaa server-group <group>
auth-server <name> trim-fqdn
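The selection logic described under Configuring Dynamic Server Selection, Configuring Match FQDN Option and this section, as one added Python example that is not ArubaOS code: it walks the ordered group, applies match-authstring and match-fqdn rules, and applies trim-fqdn to the forwarded user information. It assumes, as labelled in the code, that a server with no match rule at all is selected for any request; the radius-1 and radius-2 group is constructed to mirror Figure 1.

```python
# Added example, not ArubaOS code: models dynamic server selection with
# match-authstring (contains|equals|starts-with), match-fqdn and trim-fqdn.
# Assumption: a server configured with no match rule is selected for any request.
from dataclasses import dataclass, field

@dataclass
class AuthServer:
    name: str
    position: int
    authstrings: list = field(default_factory=list)  # (mode, string) match-authstring rules
    match_fqdn: str = None                            # exact match on the <domain> part only
    trim_fqdn: bool = False

def split_domain(user_info):
    """(domain, user) for <domain>\\<user> or <user>@<domain>; host/<pc-name>.<domain>
    has no separable domain, so it comes back as (None, unchanged)."""
    if not user_info.startswith("host/"):
        if "\\" in user_info:
            domain, user = user_info.split("\\", 1)
            return domain, user
        if "@" in user_info:
            user, domain = user_info.rsplit("@", 1)
            return domain, user
    return None, user_info

def authstring_matches(mode, pattern, user_info):
    """match-authstring compares against the whole client/user string."""
    if mode == "contains":
        return pattern in user_info
    if mode == "starts-with":
        return user_info.startswith(pattern)
    if mode == "equals":
        return user_info == pattern
    raise ValueError(f"unknown match-authstring mode: {mode}")

def server_matches(server, user_info):
    if server.match_fqdn is None and not server.authstrings:
        return True                                   # no rule at all: matches anything
    if server.match_fqdn is not None and split_domain(user_info)[0] == server.match_fqdn:
        return True
    return any(authstring_matches(m, p, user_info) for m, p in server.authstrings)

def select_server(group, user_info):
    """First server in position order with a matching rule wins; returns
    (server name, user info as forwarded) or None when no rule matches, in which
    case an error is returned and no authentication request is sent."""
    for server in sorted(group, key=lambda s: s.position):
        if server_matches(server, user_info):
            forwarded = split_domain(user_info)[1] if server.trim_fqdn else user_info
            return server.name, forwarded
    return None

# Constructed group modelled on Figure 1: radius-1 takes machine authentication for
# three subdomains; radius-2 takes abc.corpnet.com users and strips the domain.
CORPNET = [
    AuthServer("radius-1", 1, authstrings=[("contains", ".xyz.corpnet.com"),
                                           ("contains", ".sales.corpnet.com"),
                                           ("contains", ".hq.corpnet.com")]),
    AuthServer("radius-2", 2, match_fqdn="abc.corpnet.com", trim_fqdn=True),
]
```

Note that a host/<pc-name>.abc.corpnet.com request reaches no server here, because match-fqdn never sees a domain in that format and radius-1 has no rule for that subdomain.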
Configuring Server-Derivation Rules
When you configure a server group, you can set the VLAN or role for clients based on attributes returned for the client by the server during authentication. The server derivation rules apply to all servers in the group. The user role or VLAN assigned through server derivation rules takes precedence over the default role and VLAN configured for the authentication method.
The authentication servers must be configured to return the attributes for the clients during authentication. For instructions on configuring the authentication attributes in a Windows environment using IAS, refer to the documentation at
The server rules are applied based on the first match principle. The first rule that is applicable for the server and the attribute returned is applied to the client, and would be the only rule applied from the server rules. These rules are applied uniformly across all servers in the server group.
Table 1 describes the server rule parameters you can configure.
The following procedure describes how to configure Server-Derivation Rules:
- In the node hierarchy, navigate to the tab.
- Select a server group from the table.
- In , select the tab and select a server or click to add a new server to the group.
  - To add an existing server, select and choose a server from the list. Click .
  - To add a new server, select . Specify a server type from the drop-down list, and enter a for the server. Click .
- In the tab, click to add server derivation rules for assigning a user role or VLAN.
  - Select the from the drop-down list.
  - Select the from the drop-down list.
  - Enter the .
  - To set a role, select from the drop-down list. Select the role to be assigned from the drop-down list.
  - To set a VLAN, select from the drop-down list. Select the VLAN name or ID from the drop-down list.
  - Click .
  - Repeat the above steps to add other rules for the server group.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI commands configure Server-Derivation Rules:
(host) [mynode] (config) #aaa server-group <name>
(host) [mynode] (Server Group name) #set {role|vlan} condition <attribute> contains|ends-with|equals|not-equals|starts-with <operand> set-value <set-value-str> position <number>
Configuring a Role Derivation Rule for the Internal Database
When you add a user entry to the internal database, you can specify a user role (see Managing the Internal Database). For the role specified in the internal database entry to be assigned to the authenticated client, you must configure a server derivation rule as shown in the following:
The following CLI command configures a server derivation rule for the internal database:
(host) [mynode] (config) #aaa server-group internal
set role condition Role value-of
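The first-match rule evaluation described under Configuring Server-Derivation Rules, together with the value-of form used for the internal database above, as one added Python example that is not ArubaOS code. The rule list and the returned attributes are constructed for illustration; Filter-Id is used as an ordinary attribute name, and the operator semantics follow the condition keywords in the CLI syntax shown earlier.

```python
# Added example, not ArubaOS code: first-match evaluation of server-derivation
# rules over the attributes an authentication server returns for a client.
# "value-of" (used for the internal database's Role attribute) takes the returned
# attribute value itself as the role or VLAN; the other operators use set-value.
from dataclasses import dataclass

@dataclass
class DerivationRule:
    position: int
    target: str          # "role" or "vlan"
    attribute: str       # attribute name the server returns
    operator: str        # contains|ends-with|equals|not-equals|starts-with|value-of
    operand: str = ""    # ignored for value-of
    set_value: str = ""  # ignored for value-of

CONDITIONS = {
    "contains":    lambda value, operand: operand in value,
    "ends-with":   lambda value, operand: value.endswith(operand),
    "equals":      lambda value, operand: value == operand,
    "not-equals":  lambda value, operand: value != operand,
    "starts-with": lambda value, operand: value.startswith(operand),
}

def derive(rules, attributes, default_role, default_vlan):
    """Return (role, vlan) for the client. Rules are tried in position order; the
    first rule whose attribute was returned and whose condition holds is the only
    one applied, and it overrides the authentication method's default. A rule whose
    attribute the server did not return is skipped, including not-equals."""
    assigned = {"role": default_role, "vlan": default_vlan}
    for rule in sorted(rules, key=lambda r: r.position):
        value = attributes.get(rule.attribute)
        if value is None:
            continue
        if rule.operator == "value-of":
            assigned[rule.target] = value
            break
        if CONDITIONS[rule.operator](value, rule.operand):
            assigned[rule.target] = rule.set_value
            break
    return assigned["role"], assigned["vlan"]

# Constructed rule list: two rules keyed on a Filter-Id attribute, plus the
# internal database's "set role condition Role value-of" rule at the end.
CORP_RULES = [
    DerivationRule(1, "role", "Filter-Id", "equals", "employee", "corp-employee"),
    DerivationRule(2, "vlan", "Filter-Id", "starts-with", "guest", "200"),
    DerivationRule(3, "role", "Role", "value-of"),
]
```

Because only the first applicable rule fires, a client whose server returns both Filter-Id "employee" and Role "contractor" gets the role from rule 1 and the Role attribute is never consulted.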