How to configure dynamic server selection?

MVP
MVP
Requirement:

How to configure dynamic server selection?



Solution:

Managed devices can dynamically select an authentication server from a server group based on the user information sent by the client in an authentication request. For example, an authentication request can include client or user information in one of the following formats:

  • <domain>\<user>: for example, corpnet.com\darwin
  • <user>@<domain> : for example, darwin@corpnet.com
  • host/<pc name>.<domain> : for example, host/darwin-g.finance.corpnet.com (this format is used with 802.1X machine authentication in Windows environments)

When you configure a server in a server group, you have the option to associate the server with one or more match rules. A match rule for a server can be one of the following:

  • The server is selected if the client/user information contains a specified string.
  • The server is selected if the client/user information begins with a specified string.
  • The server is selected if the client/user information exactly matches a specified string.

We can configure multiple match rules for the same server. Managed devices compare the client/user information with the match rules configured for each server, starting with the first server in the server group. If a match is found, the managed device sends the authentication request to the server with the matching rule. If no match is found before the end of the server list is reached, an error is returned, and no authentication request for the client/user is sent.

Image below depicts a network consisting of several subdomains in corpnet.com. The server radius-1 provides 802.1X machine authentication to PC clients in xyz.corpnet.com, sales.corpnet.com, and hq.corpnet.com. The server radius-2 provides authentication for users in abc.corpnet.com.

 



Configuration:

(host) [mynode] (config) #aaa server-group auth-server [match-authstring contains|equals|starts-with ] [match-fqdn ] [position ] [trim-fqdn]



Verification

#show auth-tracebuf mac 54:13:79:11:21:eb


May  3 13:37:47  station-up             *  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           -    -    wpa2 aes
May  3 13:37:47  eap-id-req            <-  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           1    5    
May  3 13:37:47  eap-id-resp           ->  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           1    17   host/NCHAM0982.corpnet.com
May  3 13:37:47  rad-req               ->  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           173  182  
May  3 13:37:47  rad-resp              <-  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11/Radius1  173  90   
May  3 13:37:47  eap-req               <-  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           2    6    
May  3 13:37:47  eap-resp              ->  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           2    216  
May  3 13:37:47  rad-req               ->  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11/Radius1  174  419  
May  3 13:37:47  rad-resp              <-  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11/Radius1  174  243  
May  3 13:37:47  eap-req               <-  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           3    159  
May  3 13:37:47  eap-resp              ->  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           3    69   
May  3 13:37:47  rad-req               ->  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11/Radius1  175  272  
May  3 13:37:47  rad-resp              <-  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11/Radius1  175  191  
May  3 13:37:47  eap-req               <-  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           6    107  
May  3 13:37:47  eap-resp              ->  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           6    107  
May  3 13:37:47  rad-req               ->  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11/Radius1  176  310  
May  3 13:37:48  rad-accept            <-  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11/Radius1  176  292  
May  3 13:37:48  eap-success           <-  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           6    4    
May  3 13:37:48  wpa2-key1             <-  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           -    117  
May  3 13:37:48  wpa2-key2             ->  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           -    117  
May  3 13:37:48  wpa2-key3             <-  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           -    151  
May  3 13:37:48  wpa2-key4             ->  54:13:79:11:0f:5f  24:f2:7f:e1:e8:11           -    95   

 

User 2:

#show auth-tracebuf mac 54:13:79:07:3c:7d

May  3 13:40:02  station-up             *  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           -    -    wpa2 aes
May  3 13:40:02  eap-id-req            <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           1    5    
May  3 13:40:02  eap-start             ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           -    -    
May  3 13:40:02  eap-id-req            <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           1    5    
May  3 13:40:02  eap-id-resp           ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           1    17   Corpnet\Test
May  3 13:40:02  rad-req               ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           185  182  
May  3 13:40:02  eap-id-resp           ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           1    17   Corpnet\Test
May  3 13:40:02  rad-resp              <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11/Radius2  185  90   
May  3 13:40:02  eap-req               <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           2    6    
May  3 13:40:02  eap-resp              ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           2    216  
May  3 13:40:02  rad-req               ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11/Radius2  186  419  
May  3 13:40:02  rad-resp              <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11/Radius2  186  243  
May  3 13:40:02  eap-req               <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           3    159  
May  3 13:40:02  eap-resp              ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           3    69   
May  3 13:40:02  rad-req               ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11/Radius2  187  272  
May  3 13:40:02  rad-resp              <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11/Radius2  187  191  
May  3 13:40:02  eap-req               <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           6    107  
May  3 13:40:02  eap-resp              ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           6    107  
May  3 13:40:02  rad-req               ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11/Radius2  188  310  
May  3 13:40:02  rad-accept            <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11/Radius2  188  292  
May  3 13:40:02  eap-success           <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           6    4    
May  3 13:40:02  wpa2-key1             <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           -    117  
May  3 13:40:02  wpa2-key2             ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           -    117  
May  3 13:40:02  wpa2-key3             <-  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           -    151  
May  3 13:40:02  wpa2-key4             ->  54:13:79:07:3c:7d  24:f2:7f:e1:e8:11           -    95   
 

Version history
Revision #:
2 of 2
Last update:
‎05-16-2018 04:38 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: