Configuring Server Groups

You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must belong to the same protocol, either RADIUS or TACACS+. The servers are tried in the same order in which you configure them.

The AAA server monitoring feature can mark an AAA server as dead. You can configure a period of time in minutes to elapse before the switch sends requests to a dead AAA server. (See the "AAA Server Monitoring" topic).
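The ordered-attempt and dead-server behaviour described above can be modelled in a few lines. The following is an added example written for this page, not Cisco code and not how DCNM-SAN or the switch implements it; the class names, the `probe` callback and the server names are all assumptions. It shows the three rules the text states: members must share the group's protocol, servers are tried in configured order, and a server that does not respond is marked dead and bypassed until `deadtime` minutes have elapsed.

```python
"""Model of AAA server-group failover (added example; hypothetical names)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A probe returns True (accept), False (reject) or None (no response).
Probe = Callable[["AaaServer", str, str], Optional[bool]]


@dataclass
class AaaServer:
    name: str
    protocol: str                       # "radius" or "tacacs+"
    dead_since: Optional[float] = None  # minute timestamp when marked dead


@dataclass
class ServerGroup:
    name: str
    protocol: str
    deadtime: float                     # minutes a dead server is bypassed; 0 = never bypass
    servers: List[AaaServer] = field(default_factory=list)

    def add_server(self, server: AaaServer) -> None:
        # Restriction from the text: all members must belong to the same protocol.
        if server.protocol != self.protocol:
            raise ValueError(f"{server.name} is {server.protocol}; "
                             f"group {self.name} is {self.protocol}")
        self.servers.append(server)

    def is_bypassed(self, server: AaaServer, now: float) -> bool:
        """True while a dead server is still inside its dead time."""
        if server.dead_since is None or self.deadtime == 0:
            return False
        if now - server.dead_since >= self.deadtime:
            server.dead_since = None    # dead time elapsed: try it again
            return False
        return True

    def authenticate(self, user: str, pw: str, now: float,
                     probe: Probe) -> Tuple[Optional[str], Optional[bool], List[str]]:
        """Try servers in configured order; the first one that answers decides.

        Returns (server name or None, accepted or None, trace of what happened).
        A reject is an answer and stops the walk; only silence marks a server dead.
        """
        trace: List[str] = []
        for s in self.servers:
            if self.is_bypassed(s, now):
                trace.append(f"{s.name}: bypassed (dead)")
                continue
            verdict = probe(s, user, pw)
            if verdict is None:
                s.dead_since = now
                trace.append(f"{s.name}: no response, marked dead")
                continue
            trace.append(f"{s.name}: {'accept' if verdict else 'reject'}")
            return s.name, verdict, trace
        return None, None, trace        # every server dead or silent: fail closed


def demo() -> List[Tuple[Optional[str], Optional[bool], List[str]]]:
    """Constructed scenario: rad1 is unreachable, rad2 answers; deadtime is 5 minutes."""
    group = ServerGroup(name="radius-grp", protocol="radius", deadtime=5)
    group.add_server(AaaServer("rad1", "radius"))
    group.add_server(AaaServer("rad2", "radius"))

    def probe(server: AaaServer, user: str, pw: str) -> Optional[bool]:
        if server.name == "rad1":
            return None                 # constructed: rad1 never replies
        return user == "admin" and pw == "correct-horse"

    # t=0: rad1 times out and is marked dead; rad2 accepts.
    # t=2: rad1 is inside its dead time and is skipped.
    # t=6: dead time has elapsed, rad1 is tried again.
    return [group.authenticate("admin", "correct-horse", t, probe) for t in (0, 2, 6)]


if __name__ == "__main__":
    for server, accepted, trace in demo():
        print(server, accepted, trace)
```

The distinction the model draws between a reject and no response is the one that matters operationally: a reject is a valid answer from the first server and must not cause a fall-through to the next server, while only silence should mark a server dead and move the request on. Setting `deadtime` to 0 means a dead server is retried on every request, which keeps the timeout cost on every login until the server recovers.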

Restrictions

You can configure these server groups at any time but they only take effect when you apply them to an AAA service. You configure AAA policies for CLI users or DCNM-SAN or Device Manager users.

Note     Configuration of a TACACS+ group fails if MSCHAPv2 authentication is not disabled.

Detailed Steps

To configure a RADIUS, TACACS+, or LDAP server group using DCNM-SAN, follow these steps:

  1. Expand Switches > Security, and then select AAA.
  2. You see the AAA configuration in the Information pane. If you do not see the screen, click the Server Groups tab.

    You see the RADIUS, TACACS+, or LDAP server groups configured.

  3. Click Create Row to create a server group.
  4. You see the Create Server dialog box.

  5. Click the radius radio button to add a RADIUS server group, the tacacs+ radio button to add a TACACS+ server group, or the ldap radio button to add an LDAP server group.
  6. Supply server names for the ServerIdList field.
  7. If you chose LDAP, enter the LDAP search map name in the LDAPSearchMapName field.
    • LDAPSSLMODE—Specifies whether a TLS tunnel should be set up before binding with the LDAP server.
    • LDAPBindFirst—Specifies whether the user bind should be completed before the search.
  8. Click the plain radio button to select the plain authentication method, the kerberos radio button to select the Kerberos authentication method, or the md5digest radio button to select the md5digest authentication method.
  9. Enter the password in the LDAPComparePasswd field:
    • LDAPCertDNBind—Specifies whether the User Certification Bind needs to be checked while doing PKI SSH certificate authorization.
    • LDAPUserServerBind—Specifies whether the User Server Bind should be checked as part of SSH PKI authorization.
  10. Set the DeadTime field for the number of minutes that a server can be nonresponsive before it is marked as bypassed. See the "About Bypassing a Nonresponsive Server" topic.
  11. Click Create to create this server group.
  12. The LDAP Server Group displays LDAP-specific parameters.

  13. Click the Applications tab to assign this server group to an application.
  14. You can associate a server group with all applications or only with the applications you select.

  15. Click the General tab to assign the type of authentication to this server group.
  16. Check either the MSCHAP or MSCHAPv2 check box based on the type of server group.

  17. Click the Apply Changes icon to save the changes.
  18. Once the LDAP Server group is created, the configuration information is displayed in two tabs:

    • Server Groups—Displays common data shared by all AAA protocols (RADIUS, TACACS+, and LDAP).
    • LDAP Server Group—Displays only LDAP-specific parameters.


Copyright 2010-2013, Cisco Systems, Inc. All rights reserved.