Authentication Server Groups

To use an authentication server on TNSR it must be a member of an authentication server group. Authentication server groups allow TNSR to use one or more servers of the same type to perform an authentication task while giving the user control over the order in which TNSR uses them.

Configuring Authentication Server Groups

To create an authentication server group, first create the authentication server(s) as described in the RADIUS and LDAP documentation.

Once the authentication servers are defined, use the auth server-group <group-name> command to enter config-auth-server-group mode:

tnsr(config)# auth server-group <group-name>
tnsr(config-auth-server-group)#

Within config-auth-server-group mode, the following commands are available:

type (ldap|radius)

Mandatory option which sets the type of authentication servers contained within this group, either ldap or radius.

all-servers

Instructs TNSR to use all defined authentication servers which match the specified type.

This behavior is mutually exclusive with specifying servers via the priority command.

priority <value> (ldap|radius) <server-name>

Adds an authentication server to this group at a given priority. Repeat the command with a different priority value to add additional servers to the group.

Adding servers using this command is mutually exclusive with using the all-servers directive.

The available options for these entries are:

<value>

Priority value for this server from 1-255. TNSR prefers servers with lower priority values and will only try servers with higher priority values if those with lower values are not usable.

(ldap|radius)

The type of authentication server being added to the group. Must match the type value of this server group.

<server-name>

The name of the authentication server.

After creating the server group it can then be used for other purposes, such as system (System User Authentication Method) or IPsec user authentication.

Example

tnsr(config)# radius
tnsr(config-radius)# server name primary host 198.51.100.3 secret abcd1234 timeout 30 source-address 198.51.100.30
tnsr(config-radius)# server name secondary host 198.51.100.7 secret efgh5678
tnsr(config-radius)# exit
tnsr(config)# auth server-group radauth
tnsr(config-auth-server-group)# type radius
tnsr(config-auth-server-group)# priority 20 radius primary
tnsr(config-auth-server-group)# priority 40 radius secondary
tnsr(config-auth-server-group)# exit
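The rules this page states (mandatory type, priority values 1-255, member type matching the group type, and all-servers being exclusive with priority entries) are easy to get wrong when server groups are templated rather than typed by hand. The following is an added example, not TNSR code or part of its documentation: it models a server group, enforces those rules before anything reaches the CLI, and renders the config-auth-server-group commands for the radauth group above. The group and server names are taken from the page's example; the ServerGroup class and its methods are this example's own.

```python
"""Model a TNSR auth server-group and emit its CLI, enforcing the documented rules."""
from dataclasses import dataclass, field
VALID_TYPES = ("ldap", "radius")


@dataclass
class ServerGroup:
    name: str
    group_type: str                  # mandatory: "ldap" or "radius"
    all_servers: bool = False        # use every defined server of group_type
    members: dict = field(default_factory=dict)  # priority value -> server name

    def add(self, priority: int, server_type: str, server_name: str) -> None:
        """Apply 'priority <value> (ldap|radius) <server-name>' with its stated checks."""
        if self.all_servers:
            raise ValueError("priority entries are mutually exclusive with all-servers")
        if not 1 <= priority <= 255:
            raise ValueError(f"priority {priority} is outside 1-255")
        if server_type != self.group_type:
            raise ValueError(f"{server_type} server in a {self.group_type} group")
        if priority in self.members:   # the page says to repeat with a different value
            raise ValueError(f"priority {priority} already used by {self.members[priority]}")
        self.members[priority] = server_name

    def ordered_servers(self) -> list:
        """Order in which TNSR tries members: lowest priority value first."""
        return [self.members[p] for p in sorted(self.members)]

    def cli(self) -> list:
        """Render the config-auth-server-group commands for pasting into tnsr(config)."""
        if self.group_type not in VALID_TYPES:
            raise ValueError(f"type must be one of {VALID_TYPES}")
        if not self.all_servers and not self.members:
            raise ValueError("give either all-servers or at least one priority entry")
        lines = [f"auth server-group {self.name}", f"type {self.group_type}"]
        if self.all_servers:
            lines.append("all-servers")
        else:
            lines += [f"priority {p} {self.group_type} {n}" for p, n in sorted(self.members.items())]
        lines.append("exit")
        return lines


def radauth_example() -> ServerGroup:
    """Rebuild the page's example: RADIUS 'primary' (20) is tried before 'secondary' (40)."""
    group = ServerGroup("radauth", "radius")
    group.add(20, "radius", "primary")
    group.add(40, "radius", "secondary")
    return group
```

Calling `radauth_example().cli()` yields the five config-auth-server-group lines from the example above, and `ordered_servers()` shows the failover order TNSR will follow.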