User's Manual

ManualsBrandsDell ManualsComputer equipmentPowerConnect W-6000

231

232

233

234

235

236

237

238

239

240

238 | Authentication Servers Dell Networking W-Series ArubaOS 6.4.x| User Guide

Configuring Server Groups

You can create groups of servers for specific types of authentication – for example, you can specify one or

more RADIUS servers to be used for 802.1x authentication. You can configure servers of different types in one

group. For example, you can include the internal database as a backup to a RADIUS server.

Configuring Server Groups

Server names are unique. You can configure the same server in more than one server group. You must

configure the server before you can include it in a server group.

Using the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Server Group to display the Server Group list.

3. Enter the name of the new server group and click Add.

4. Select the name to configure the server group.

5. Under Servers, click New to add a server to the group.

a. Select a server from the drop-down list and click Add Server.

b. Repeat the above step to add other servers to the group.

6. Click Apply.

Using the CLI

(host)(config) #aaa server-group <name>

auth-server <name>

Configuring Server List Order and Fail-Through

The list of servers in a server group is an ordered list. The first server in the list is always used by default, unless

it is unavailable in which case the next server in the list is used. You can configure the order of servers in the

server group. In the WebUI, use the up or down arrows to order the servers (the top server is the first server in

the list). In the CLI, use the position parameter to specify the relative order of servers in the list (the lowest

value denotes the first server in the list).

As mentioned previously, the first available server in the list is used for authentication. If the server responds

with an authentication failure, there is no further processing for the user or client for which the authentication

request failed. You can optionally enable fail-through authentication for the server group so that if the first

server in the list returns an authentication deny, the controller attempts authentication with the next server in

the ordered list. The controller attempts authentication with each server in the list until either there is a

successful authentication or the list of servers in the group is exhausted. This feature is useful in environments

where there are multiple, independent authentication servers; users may fail authentication on one server but

can be authenticated on another server.

Before enabling fail-through authentication, note the following:

l This feature is not supported for 802.1x authentication with a server group that consists of external EAP-

compliant RADIUS servers. You can, however, use fail-through authentication when the 802.1x

authentication is terminated on the controller (AAA FastConnect).

l Enabling this feature for a large server group list may cause excess processing load on the controller. It is

recommended that you use server selection based on domain matching whenever possible (see Configuring

Dynamic Server Selection on page 239).

l Certain servers, such as the RSA RADIUS server, lock out the controller if there are multiple authentication

failures. Therefore you should not enable fail-through authentication with these servers.