Server groups and method lists, Server groups, Method lists – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual
Page 1213
AAA Introduction and Configuration
Software Reference for x310 Series Switches, C613-50046-01 REV A
AlliedWare Plus(TM) Operating System - Version 5.4.4C
44.3 Server Groups and Method Lists
There are two constructs that underlie the structure of the AAA commands:
■ Server groups are lists of RADIUS servers
■ Method Lists are lists of server types
Server Groups
A server group is defined by the command . This command puts you into Server Group configuration mode. Once in that mode you can add servers to the group by using the command .
Any number of servers can be added to a group. Typically, you will add servers which have already been configured by the command . If you add a server that has not yet been configured by the command , you will receive a warning that the server has not yet been configured, but the command will be accepted.
There is one server group that is always present on the switch by default and cannot be removed. It is the group simply named radius, which comprises all servers that have been configured using the command . As soon as a server is configured by , it is automatically a member of the server group radius and cannot be removed from it.
Method Lists
A method list defines the set of server types that you want to be used for authenticating a user/device, and the order in which you want the server types to be used.
■ You may want the usernames proffered for logging in at the console to be checked for in the local user database. You can create a server list that specifies local.
■ You may want to check the TACACS+ servers first, and resort to the local user database if none of the TACACS+ servers respond. You can create a server list that specifies group tacacs+ first, followed by local.
■ You may want to check the RADIUS servers first, and resort to the local user database if none of the RADIUS servers respond. You can create a server list that specifies group radius first, followed by local.
A method list defines the servers where authentication requests are sent. The first server
listed is used to authenticate users; if that server fails then the next authentication server
type in the method list is selected. This process continues until there is a successful
authentication or until all server types fail.
When a user attempts to log in, the switch sends an authentication request to the first
authentication server in the method list. If the first server in the list is reachable and it
contains a username and password matching the authentication request, the user is
authenticated and the login succeeds. If the authentication server denies the
authentication request because of an incorrect username or password, the user login fails.
If the first server in the method list is unreachable, the switch sends the request to the next
server in the list, and so on.
For example, if the method list specifies group tacacs+ local and a user attempts to log in with a password that does not match the user entry on the first TACACS+ server, that TACACS+ server denies the authentication request. The switch then does not try any other TACACS+ server, nor the local user database; the user login fails.