Chapter 17: Server Groups - Tavve zoneranger User Manual


Chapter 17: Server Groups

ZoneRanger TACACS+ proxy and RADIUS proxy services can be used to proxy TACACS+ and/or
RADIUS traffic from managed devices to configured authentication, authorization, and accounting
(a.k.a. AAA) servers. Configuration of these proxy services is organized around the concept of server
groups, where each server group contains the following information:
• The name of the server group
• A set of entries of the following form:
    (Ranger Gateway, TACACS+/RADIUS Server)
• Protocol options related to TACACS+
• Protocol options related to RADIUS
The underlying assumption behind server groups is that there may be multiple TACACS+/RADIUS
servers in a group, primarily for reasons of high availability, and that any of the TACACS+/RADIUS
servers in a group are equally able to handle authentication and authorization requests from a given set
of devices.
ZoneRanger also supports the ability to define multiple server groups, and to associate different server
groups with different device addresses, so that TACACS+/RADIUS traffic for different devices can be
handled by different groups of servers. Each server group has its own set of (Ranger Gateway,
TACACS+/RADIUS Server) entries and protocol-specific options. Once a set of server groups has
been defined, proxy rules must be configured for each protocol, associating managed devices, or groups
of managed devices, with the server group that should be used for those devices. Each proxy rule
associates an IP address, or range of IP addresses, with a server group name. Separate proxy rule tables
are provided for TACACS+ and RADIUS.
For example, consider the network shown in the following figure:
Figure 17-1. Server Groups Example
In this example, there are two redundant pairs of TACACS+/RADIUS servers:
ZoneRanger 5.5 User's Guide
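The server group and proxy rule model described in this chapter can be checked offline before it is entered into the product. The following Python example is added here for illustration and is not ZoneRanger code or its configuration format: the data layout, the group, gateway and device names, and the addresses are constructed, and because this page does not say how overlapping rules are resolved, a device covered by rules for different groups is reported for review rather than resolved.

```python
import ipaddress

# Constructed sample data; all names and addresses are hypothetical.
# Each server group holds (Ranger Gateway, TACACS+/RADIUS Server) entries.
SERVER_GROUPS = {
    "core-aaa": [("rg-east", "192.0.2.10"), ("rg-west", "192.0.2.11")],
    "branch-aaa": [("rg-east", "192.0.2.20")],
}
# One rule table per protocol: (first address, last address, server group name).
PROXY_RULES = {
    "tacacs+": [("198.51.100.1", "198.51.100.127", "core-aaa"),
                ("198.51.100.100", "198.51.100.200", "branch-aaa")],
    "radius": [("198.51.100.1", "198.51.100.254", "core-aaa"),
               ("203.0.113.5", "203.0.113.5", "lab-aaa")],
}
DEVICES = ["198.51.100.50", "198.51.100.110", "203.0.113.9"]


def matching_groups(rules, device):
    """Return the set of server group names whose rule range covers device."""
    ip = ipaddress.ip_address(device)
    return {g for lo, hi, g in rules
            if ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)}


def audit(groups, rules_by_proto, devices):
    """Return sorted (protocol, subject, finding) tuples for review."""
    findings = set()
    for name, entries in groups.items():
        # Fewer than two distinct servers means the group gives no redundancy.
        if len({server for _, server in entries}) < 2:
            findings.add(("any", name, "single server, no redundancy"))
    for proto, rules in rules_by_proto.items():
        for _, _, g in rules:
            if g not in groups:
                findings.add((proto, g, "rule names undefined group"))
        for dev in devices:
            hit = matching_groups(rules, dev)
            if not hit:
                findings.add((proto, dev, "no proxy rule"))
            elif len(hit) > 1:
                findings.add((proto, dev, "ambiguous: " + ", ".join(sorted(hit))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SERVER_GROUPS, PROXY_RULES, DEVICES):
        print(*finding, sep=" | ")
```

A device with no matching rule in one protocol's table but a match in the other is the case most easily missed, since the TACACS+ and RADIUS tables are maintained separately.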
