Users Guide

l Certain servers, such as the RSA RADIUS server, lock out the controller if there are multiple authentication
failures. Therefore, you should not enable fail-through authentication with these servers.
In the following example, you create a server group "corp-serv" with two LDAP servers (ldap-1 and ldap-2), each
containing a subset of the usernames and passwords used in the network. When you enable fail-through
authentication, users that fail authentication with the first server on the list will be authenticated with the
second server.
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select LDAP Server to display the LDAP Server List.
3. Enter ldap-1 for the server name and click Add.
4. Enter ldap-2 for the server name and click Add.
5. Under the Servers tab, select ldap-1 to configure server parameters. Enter the IP address for the server.
Select the Mode checkbox to activate the authentication server. Click Apply.
6. Repeat step 5 on page 267 to configure ldap-2.
7. Display the Server Group list: Under the Servers tab, select Server Group.
8. Enter corp-serv as the new server group and click Add.
9. Select corp-serv, under the Server tab, to configure the server group.
10.Select Fail Through.
11.Under Servers, click New to add a server to the group. Select ldap-1 from the drop-down list and click Add
Server.
12.Repeat step 11 on page 267 to add ldap-2 to the group.
13.Click Apply.
Using the CLI
(host)(config) #aaa authentication-server ldap ldap-1
host 10.1.1.234
(host)(config) #aaa authentication-server ldap ldap-2
host 10.2.2.234
(host)(config) #aaa server-group corp-serv
auth-server ldap-1 position 1
auth-server ldap-2 position 2
allow-fail-through
Configuring Dynamic Server Selection
The controller can dynamically select an authentication server from a server group based on the user
information sent by the client in an authentication request. For example, an authentication request can include
client or user information in one of the following formats:
l <domain>\<user> : for example, corpnet.com\darwin
l <user>@<domain> : for example, darwin@corpnet.com
l host/<pc-name>.<domain> : for example, host/darwin-g.finance.corpnet.com (this format is used with
802.1x machine authentication in Windows environments)
When you configure a server in a server group, you have the option to associate the server with one or more
match rules. A match rule for a server can be one of the following:
l The server is selected if the client/user information contains a specified string.
l The server is selected if the client/user information begins with a specified string.
Dell Networking W-Series ArubaOS 6.4.x | User Guide Authentication Servers | 267