Authentication Server Groups
To use an authentication server on TNSR it must be a member of an authentication server group. Authentication server groups allow TNSR to use one or more servers of the same type to perform an authentication task while giving the user control over the order in which TNSR uses them.
Configuring Authentication Server Groups
To create an authentication server group, first create the authentication server(s) as described in the RADIUS and LDAP documentation.
Once the authentication servers are defined, use the auth server-group <group-name> command to enter config-auth-server-group mode:
tnsr(config)# auth server-group <group-name>
tnsr(config-auth-server-group)#
Within config-auth-server-group mode, the following commands are available:
type (ldap|radius)
    Mandatory option which sets the type of authentication servers contained within this group, either ldap or radius.
all-servers
    Instructs TNSR to use all defined authentication servers which match the specified type.
    This behavior is mutually exclusive with specifying servers via the priority command.
priority <value> (ldap|radius) <server-name>
    Adds an authentication server to this group at a given priority. Repeat the command with a different priority value to add additional servers to the group.
    Adding servers using this command is mutually exclusive with using the all-servers directive.
    The available options for these entries are:
    <value>
        Priority value for this server from 1-255. TNSR prefers servers with lower priority values and will try servers with higher priority values if the servers with lower values are not usable.
    (ldap|radius)
        The type of authentication server being added to the group. Must match the type value of this server group.
    <server-name>
        The name of the authentication server.
After creating the server group it can then be used for other purposes, such as system (System User Authentication Method) or IPsec user authentication.
Example
tnsr(config)# radius
tnsr(config-radius)# server name primary host 198.51.100.3 secret abcd1234 timeout 30 source-address 198.51.100.30
tnsr(config-radius)# server name secondary host 198.51.100.7 secret efgh5678
tnsr(config-radius)# exit
tnsr(config)# auth server-group radauth
tnsr(config-auth-server-group)# type radius
tnsr(config-auth-server-group)# priority 20 radius primary
tnsr(config-auth-server-group)# priority 40 radius secondary
tnsr(config-auth-server-group)# exit
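The group rules described above (mandatory type, matching server type, all-servers versus priority, the 1-255 range, lowest value tried first) can be checked before a configuration is applied. The following is an added example, not part of the TNSR documentation or tooling: the function name lint_server_groups and the "broken" sample group are constructed for illustration, and it parses only the CLI lines shown on this page.

```python
import re

PRIORITY_RE = re.compile(r"priority\s+(\d+)\s+(ldap|radius)\s+(\S+)$")
PROMPT_RE = re.compile(r"^tnsr\([^)]*\)#\s*")  # strip the CLI prompt if present

def lint_server_groups(text):
    """Check each auth server-group block; return {group: {"order", "errors"}}."""
    groups, cur = {}, None
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if line.startswith("auth server-group "):
            cur = groups.setdefault(line.split()[2], {"type": None, "all": False, "prio": []})
        elif cur is None or line == "exit":
            cur = None  # outside a group block: ignore the line
        elif line.startswith("type "):
            cur["type"] = line.split()[1]
        elif line == "all-servers":
            cur["all"] = True
        elif (m := PRIORITY_RE.match(line)):
            cur["prio"].append((int(m.group(1)), m.group(2), m.group(3)))
    report = {}
    for name, g in groups.items():
        errors = []
        if g["type"] not in ("ldap", "radius"):
            errors.append("type is mandatory and must be ldap or radius")
        if g["all"] and g["prio"]:
            errors.append("all-servers and priority are mutually exclusive")
        for value, stype, server in g["prio"]:
            if not 1 <= value <= 255:
                errors.append(f"{server}: priority {value} outside 1-255")
            if g["type"] and stype != g["type"]:
                errors.append(f"{server}: type {stype} does not match group type {g['type']}")
        # Servers are listed in the order TNSR prefers them: lowest value first.
        report[name] = {"order": [s for _, _, s in sorted(g["prio"])], "errors": errors}
    return report

# Constructed sample input: the page's radauth group plus a deliberately broken group.
SAMPLE = """\
tnsr(config)# auth server-group radauth
tnsr(config-auth-server-group)# type radius
tnsr(config-auth-server-group)# priority 40 radius secondary
tnsr(config-auth-server-group)# priority 20 radius primary
tnsr(config)# auth server-group broken
tnsr(config-auth-server-group)# type ldap
tnsr(config-auth-server-group)# all-servers
tnsr(config-auth-server-group)# priority 300 radius primary
"""

if __name__ == "__main__":
    print(lint_server_groups(SAMPLE))
```

For the radauth group the reported order is primary, then secondary, regardless of the order in which the priority lines were entered.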