Define AAA Group Server (Optional)
The global configuration mode command aaa group server provides a way to group server hosts that have already been defined. By grouping a set of servers, you can use the group name with other commands to select just that subset of server hosts for a particular service. A server group is comprised of server hosts of a single type; currently, IOS supports RADIUS and TACACS+ server hosts.
The aaa group server command lists the IP addresses of the
selected server hosts from the global protocol-server host list. To remove a
server group from the configuration list, enter the no form of this command. The
syntax is
Rtr1(config)#aaa group server {tacacs+ | radius} group-name
Rtr1(config)#no aaa group server {tacacs+ | radius} group-name
The command was introduced in IOS version 12.0(5)T. There are no
default values.
The command can only be entered after the aaa new-model command turns on the AAA features. The entry is followed by one or more server statements, each identifying a server to be included in the group by host name or IP address. The next two sample outputs demonstrate this; be sure to note that the prompt changes for the server entries.
The following example uses the three TACACS+ servers created in the earlier example and selects only two of them to be included in the server group.
Rtr1(config)#aaa new-model
Rtr1(config)#tacacs-server timeout 7
Rtr1(config)#tacacs-server key cisco-key
Rtr1(config)#tacacs-server host tac-serv1
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server host 192.168.6.4 port 1500 timeout 3 key cisco9
Rtr1(config)#aaa group server tacacs+ tac-1
Rtr1(config-sg-tacacs+)#server tac-serv1
Rtr1(config-sg-tacacs+)#server 192.168.6.4
The following RADIUS example shows the configuration of an AAA
group server named rad-1, which includes two of the three defined servers:
Rtr1(config)#aaa new-model
Rtr1(config)#radius-server timeout 7
Rtr1(config)#radius-server key cisco-key
Rtr1(config)#radius-server host rad-serv1
Rtr1(config)#radius-server host 192.168.1.4
Rtr1(config)#radius-server host 192.168.6.4 timeout 3 key cisco9
Rtr1(config)#aaa group server radius rad-1
Rtr1(config-sg-radius)#server rad-serv1 auth-port 1800 acct-port 1801
Rtr1(config-sg-radius)#server 192.168.6.4 auth-port 1802 acct-port 1803
The server statement allows the auth-port and acct-port to be defined. If not specified, the default value of auth-port is 1645 and the default value of acct-port is 1646. These are the legacy RADIUS ports; RFC 2865 assigns 1812 for authentication and 1813 for accounting, and many RADIUS servers listen there by default, so a port mismatch between the router and the server shows up as request timeouts rather than as an explicit error. Make sure the ports on the server statement match what the RADIUS server actually listens on. The output in the next paragraph demonstrates the defaults being filled in.
With either protocol, if you attempt to create the server group without first defining the servers with protocol-server host commands, you'll get the following error messages because IOS attempts to verify that each server has been defined. Notice the entry with
Rtr1(config)#aaa new-model
Rtr1(config)#aaa group server radius rad-1
Rtr1(config-sg-radius)#server rad-serv1
Translating "rad-serv1"...domain server (255.255.255.255)
^
% Invalid input detected at '^' marker.
Rtr1(config-sg-radius)#server 192.168.6.4
Rtr1(config-sg-radius)#
00:02:11: %RADIUS-4-NOSERV: Warning: Server 192.168.6.4:1645,1646 is not defined.
Rtr1(config-sg-radius)#^z
Rtr1#show run
Building configuration...
!
hostname Rtr1
!
aaa new-model
aaa group server radius rad-1
server 192.168.6.4 auth-port 1645 acct-port 1646
!
Notice that the entry with a named server, rad-serv1, returned an invalid input error and the command was rejected: IOS tried to resolve the name (the Translating line shows the lookup going to the broadcast address because no name server is configured), failed, and could not match it to a defined server. The entry that used the server IP address, 192.168.6.4, returned a system warning indicating that no radius-server host entry exists for that address, but the entry was accepted. The show run command in the same output confirms this, with the default ports filled in. The result is identical for TACACS+. So, if you're going to define servers by name, it's critical that your ip host table be created or your ip name-server command(s) be issued, and the protocol-server host entries be defined, before you create your server groups. Also keep in mind that the accepted-but-undefined entry does not fail loudly later: the group exists in the configuration, but until a matching radius-server host (or tacacs-server host) entry is added there is no usable server behind that line. Check show run after building a group rather than relying on the absence of an error message.
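The ordering problem just described is easy to catch before a configuration is pushed. The following script is an added example, not part of the original text and not a Cisco tool: it reads a running-config as text and flags every server-group member that has no matching radius-server host or tacacs-server host definition (the case that produced the NOSERV warning above), plus any member given by name that has neither an ip host entry nor an ip name-server to resolve it. The sample configuration is constructed for this example; it assumes the show run convention that group members are indented one space under their aaa group server line.

```python
"""Static audit of an IOS running-config for AAA server-group members
that IOS would accept but that point at nothing usable.
Added example; assumes show run indentation (members indented one space)."""
import re
from dataclasses import dataclass

# Constructed sample config: tac-1 is built correctly (hosts defined first,
# name resolvable via ip host); rad-1 repeats the mistakes shown above.
SAMPLE_CONFIG = """\
hostname Rtr1
!
ip host tac-serv1 192.168.1.3
!
aaa new-model
tacacs-server host tac-serv1
tacacs-server host 192.168.1.4
tacacs-server host 192.168.6.4 port 1500 timeout 3 key cisco9
radius-server host rad-serv2
aaa group server tacacs+ tac-1
 server tac-serv1
 server 192.168.6.4
aaa group server radius rad-1
 server 192.168.6.4 auth-port 1645 acct-port 1646
 server rad-serv2
!
"""


@dataclass(frozen=True)
class Finding:
    group: str
    protocol: str
    server: str
    problem: str


def is_ipv4(token):
    """True if the token looks like a dotted-quad address rather than a name."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", token) is not None


def parse_config(text):
    """Collect host definitions, ip host entries, name-server presence and
    group membership from the config text. Returns a 4-tuple."""
    hosts = {"tacacs+": set(), "radius": set()}   # protocol -> defined host tokens
    ip_hosts = set()                               # names resolvable via ip host
    name_server = False                            # any ip name-server line seen
    groups = {}                                    # (protocol, name) -> [members]
    current = None                                 # group whose members we are in
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line[0] == " " and current is not None:
            m = re.match(r"\s+server\s+(\S+)", line)   # ports after the token are ignored
            if m:
                groups[current].append(m.group(1))
            continue
        current = None                                 # any top-level line ends a group block
        m = re.match(r"(tacacs|radius)-server host (\S+)", line)
        if m:
            proto = "tacacs+" if m.group(1) == "tacacs" else "radius"
            hosts[proto].add(m.group(2))
            continue
        m = re.match(r"ip host (\S+)\s+\S+", line)
        if m:
            ip_hosts.add(m.group(1))
            continue
        if line.startswith("ip name-server "):
            name_server = True
            continue
        m = re.match(r"aaa group server (tacacs\+|radius) (\S+)", line)
        if m:
            current = (m.group(1), m.group(2))
            groups.setdefault(current, [])
    return hosts, ip_hosts, name_server, groups


def audit(text):
    """Return a list of Findings; an empty list means every group member is
    backed by a host definition and every name is resolvable from the config."""
    hosts, ip_hosts, name_server, groups = parse_config(text)
    findings = []
    for (proto, name), members in groups.items():
        for member in members:
            if member not in hosts[proto]:
                findings.append(Finding(name, proto, member,
                                        f"no {proto} server host definition"))
            if not is_ipv4(member) and member not in ip_hosts and not name_server:
                findings.append(Finding(name, proto, member,
                                        "name has no ip host entry and no ip name-server"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"group {f.group} ({f.protocol}): server {f.server}: {f.problem}")
```

On the sample the script reports two problems, both in rad-1: 192.168.6.4 has no radius-server host line (the same situation as the NOSERV warning), and rad-serv2 is a name with nothing in the config to resolve it. Adding the missing radius-server host entry and an ip name-server (or ip host) line clears both. The check is deliberately conservative: it does not compare ports, because the page shows group entries with ports that differ from the host line being accepted.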