Opengear IM4200 User Manual

Chapter 9: Authentication
196 Console Server & RIM Gateway User Manual
If a local user logs in, they may be authenticated/authorized from the remote AAA server, depending on the chosen
priority of the remote AAA. A local user's authorization is the union of local and remote privileges.
Example 1:
User Tim is locally added, and has access to ports 1 and 2. He is also defined on a remote TACACS server,
which says he has access to ports 3 and 4. Tim may log in with either his local or TACACS password, and will
have access to ports 1 through 4. If TACACS is down, he will need to use his local password, and will only be
able to access ports 1 and 2.
Example 2:
User Ben is only defined on the TACACS server, which says he has access to ports 5 and 6. When he attempts
to log in, a new user will be created for him, and he will be able to access ports 5 and 6. If the TACACS server is
down, he will have no access.
Example 3:
User Paul is defined on a RADIUS server only. He has access to all serial ports and network hosts.
Example 4:
User Don is locally defined on an appliance using RADIUS for AAA. Even if Don is also defined on the RADIUS
server he will only have access to those serial ports and network hosts he has been authorized to use on the
appliance.
If a “no local AAA” option is selected, then root will still be authenticated locally.
Remote users may be added to the admin group via either RADIUS or TACACS. Users may have a set of authorizations
set on the remote TACACS server. Users automatically added by RADIUS will have authorization for all resources,
whereas those added locally will still need their authorizations specified.
LDAP has not been modified, and will still need locally defined users.
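
The rules in Examples 1 to 4 can be written as a small decision function that shows how a user's access changes with the AAA method and when the remote server is unreachable. This is an added illustration, not Opengear code; the function name, the `ALL` sentinel, Don's port numbers and the assumption that local authentication stays enabled as a fallback are constructed for the example.

```python
# Added model of the rules in Examples 1-4; not Opengear firmware code.
ALL = "ALL"  # sentinel: every serial port and network host

def effective_access(user, method, local, remote, server_up=True):
    """Return the resources `user` can reach, or None if login fails.

    method: "tacacs", "radius" or "ldap" (the remote AAA in use).
    local / remote: dict of username -> set of authorized resources.
    Assumption: local authentication stays enabled as a fallback.
    """
    on_box = local.get(user)
    on_server = remote.get(user) if server_up else None
    if on_box is None and on_server is None:
        return None                      # unknown everywhere that is reachable
    if method == "tacacs":
        # Union of local and remote privileges (Examples 1 and 2).
        return set(on_box or ()) | set(on_server or ())
    if method == "radius":
        # Auto-created RADIUS users get everything (Example 3); a locally
        # defined user keeps only the local authorizations (Example 4).
        return {ALL} if on_box is None else set(on_box)
    if method == "ldap":
        # LDAP still needs a locally defined user.
        return None if on_box is None else set(on_box)
    raise ValueError(f"unknown AAA method: {method}")

# Constructed sample data. Don's ports are not given on the page; 7 and 8
# are placeholders.
LOCAL = {"tim": {1, 2}, "don": {7, 8}}
TACACS = {"tim": {3, 4}, "ben": {5, 6}}
RADIUS = {"paul": set(), "don": set()}

if __name__ == "__main__":
    cases = [("tim", "tacacs", TACACS, True), ("tim", "tacacs", TACACS, False),
             ("ben", "tacacs", TACACS, True), ("ben", "tacacs", TACACS, False),
             ("paul", "radius", RADIUS, True), ("don", "radius", RADIUS, True)]
    for user, method, remote, up in cases:
        print(user, method, "up" if up else "down",
              effective_access(user, method, LOCAL, remote, up))
```

Running the same check against an export of real local and remote user lists is a quick way to spot accounts, such as RADIUS-only users, whose access is wider than intended.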
Note: To interact with RADIUS, TACACS+ and LDAP with console server firmware pre-2.4.2, you must also set up the
user accounts on the local console server. All resource authorizations must be added to the local appliance. With
this release, if remote AAA is selected, it is used for password checking only. Root is always authenticated locally.
Any changes to PAM configurations will be destroyed the next time the authentication configurator is run.
9.1.6 Group support with remote authentication
All console servers allow remote authentication via RADIUS, LDAP and TACACS+. With Firmware V3.2 and later,
RADIUS and LDAP can provide additional restrictions on user access based on group information or membership. For
example, with remote group support, RADIUS and LDAP users can belong to a local group that has been set up to have
restricted access to serial ports, network hosts and managed devices.
Remote authentication with group support works by matching a local group name with a remote group name provided by
the authentication service. If the list of remote group names returned by the authentication service matches any local
group names, the user is given permissions as configured in the local groups.
To enable group support to be used by remote authentication services:
Select Serial & Network: Authentication
Select the relevant Authentication Method
Check the Use Remote Groups button
