Users Guide
52 | Controller Configuration Reference Dell Networking W-AirWave 8.0 | Controller Configuration Guide
Refer to the "ip access-list session" command in the Dell Networking W-Series AOS CLI Guide for information
about the options that are available on this form.
Security > Server Groups
Server Groups Page Overview
The Server > Server Groups page displays all server groups currently configured along with the profiles and controllers
that are used by each server group:
l AAA
l Captive Portal Auth
l Stateful Kerberos Auth
l Management Auth
l Stateful NTLMAuth
l Stateful 802.1X Auth
l TACACS Accounting
l VIA Auth
l VPN Auth
l WISPr Auth
l Controller
The list of servers in a server group is an ordered list. By default, the first server in the list is always used unless it is
unavailable, in which case the next server in the list is used. You can configure the order of servers in the server group.
In the Web UI, use the up or down arrows to order the servers (the top server is the first server in the list). In the CLI, use
the position parameter to specify the relative order of servers in the list (the lowest value denotes the first server in the
list).
The first available server in the list is used for authentication. If the server responds with an authentication failure, there
is no further processing for the user or client for which the authentication request failed. You can optionally enable fail-
through authentication for the server group so that if the first server in the list returns an authentication deny, the
controller attempts authentication with the next server in the ordered list. The controller attempts authentication with
each server in the list until either there is a successful authentication or the list of servers in the group is exhausted. This
feature is useful in environments where there are multiple, independent authentication servers; users may fail
authentication on one server but can be authenticated on another server.
Before enabling fail-through authentication, note the following:
l This feature is not supported for 802.1x authentication with a server group that consists of external EAP compliant
RADIUS servers. You can, however, use fail-through authentication when the 802.1x authentication is terminated on
the controller (AAA FastConnect).
l Enabling this feature for a large server group list may cause excess processing load on the controller. Best practices
are to use server selection based on domain matching whenever possible.
l Certain servers, such as the RSA RADIUS server, lock out the controller if there are multiple authentication failures.
Therefore you should not enable fail-through authentication with these servers.
When fail-through authentication is enabled, users that fail authentication on the first server in the server list should be
authenticated with the second server.
Supported Servers
Dell Networking W-Series AOS supports the following external authentication servers:
l LDAP (Lightweight Directory Access Protocol)
l RADIUS (Remote Authentication Dial-In User Service)