Using an authorization method in addition to authentication provides an extra level of system security. Selecting Security > Authentication > TACACS+ in Expert mode brings up the TACACS+ form, where an administrator can configure a TACACS+ authentication server and can also enable user authorization checking.

By checking the “Enable Raccess Authorization” check box, an additional level of security checking is implemented. After each user is successfully authenticated through the standard login procedure, the ACS uses TACACS+ to authorize whether or not each user/group is allowed to access specific serial ports.

By default, “Enable Raccess Authorization” is disabled, allowing all users full authorization. When this feature is enabled by placing a check mark in the box, users/groups are denied access unless they have the proper authorization, which must be set on the TACACS+ authentication server itself. To see the configuration procedures for a TACACS+ authentication server, refer to the ACS Command Reference Guide, Chapter 3, Section 3.4 “Group Authorization”.

Perform the following procedure to configure an LDAP authentication server when the ACS or any of its ports are configured to use the LDAP authentication method or any of its variations (LDAP, LDAP/Local, or LDAPDownLocal).

Before starting this procedure, find out the following information from the LDAP server administrator:

Work with the LDAP server administrator to ensure that the following types of accounts are set up on the LDAP server and that the administrators of the ACS and the connected devices know the passwords assigned to the accounts:
• If LDAP authentication is specified for the ACS, accounts for all users who need to log into the ACS to administer connected devices.
• If LDAP authentication is specified for serial ports, accounts for users who need administrative access to the connected devices.

The “LDAP” form displays with the “LDAP Server” and “LDAP Base” fields filled in with the current values from the /etc/ldap.conf file.
3. If the LDAP authentication server uses a different distinguished name for the search base than the one displayed in the “LDAP Base” field, change the definition.

The default distinguished name is “dc,” as in dc=value,dc=value. If the distinguished name on the LDAP server is “o,” then replace dc in the base field with o, as in o=value,o=value.

For example, for the LDAP domain name cyclades.com, the correct entry is: dc=cyclades,dc=com.
6. Enter optional information in the “LDAP User Name”, “LDAP Password”, and “LDAP Login Attribute” fields.

The changes are stored in /etc/ldap.conf on the ACS.

Group information retrieval from an LDAP authentication server adds another layer of security by adding a network-based authorization. It retrieves the “group” information from the authentication server and performs an authorization through the ACS. To see the configuration procedures for an LDAP authentication server, refer to the ACS Command Reference Guide, Chapter 3, Section 3.4 “Group Authorization”.

Perform the following procedure to configure a Kerberos authentication server when the ACS or any of its ports is configured to use the Kerberos authentication method or any of its variations (Kerberos, Kerberos/Local, or KerberosDownLocal).

Before starting this procedure, find out the following information from the Kerberos server’s administrator:

Also, work with the Kerberos server’s administrator to ensure that the following types of accounts are set up on the Kerberos server and that the administrators of the ACS and connected devices know the passwords assigned to the accounts:
• If Kerberos authentication is specified for ACS, accounts for all users who need to log into the ACS to administer connected devices.
• If Kerberos authentication is specified for the serial ports, accounts for users who need administrative access to connected devices.
1. Make sure an entry for the ACS and the Kerberos server exist in the ACS’s /etc/hosts file.
2. Make sure that time, date, and timezone settings are synchronized on the ACS and on the Kerberos server.

Note: Kerberos authentication depends on time synchronization. Time and date synchronization can be achieved by setting both the ACS and the Kerberos server to use the same NTP server.
c. Work with the Kerberos authentication server administrator to synchronize the time and date between ACS and the Kerberos server.
3. Set the timezone on the ACS by going to Administration > Time/Date in Expert mode as per the following figure. The default is GMT.

Perform the following procedure to configure a NIS authentication server when the ACS or any of its ports is configured to use the NIS authentication method or any of its variations (Local/NIS, NIS/Local, or NISDownLocal).
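The LDAP procedure above gives one rule worth checking mechanically: the search base is the LDAP domain rewritten as dc=value,dc=value (or o=value,o=value), and the optional bind account and password end up in /etc/ldap.conf on the ACS. The following Python check is an added example, not part of this guide or the ACS firmware; the ldap.conf text is constructed, and the host name, bind account (cn=acsreader) and password in it are placeholders.

```python
import re

# Constructed sample of an ldap.conf as the ACS stores it (not a real capture;
# host, bind account and password are placeholders, not values from the guide).
SAMPLE_LDAP_CONF = """\
# LDAP settings written by the ACS web manager
host ldap.cyclades.com
base dc=cyclades,dc=com
binddn cn=acsreader,dc=cyclades,dc=com
bindpw placeholder-password
pam_login_attribute uid
"""

# One RDN of the search base: attribute=value, e.g. dc=cyclades or o=cyclades
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")

def base_dn_from_domain(domain, attr="dc"):
    """Build the search base the guide describes: cyclades.com -> dc=cyclades,dc=com.
    Use attr="o" for servers whose base is written o=value,o=value."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"{attr}={label}" for label in labels)

def parse_ldap_conf(text):
    """Return the directives of an ldap.conf-style file as {key: value}."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

def check_base(conf, domain):
    """Report problems with the 'base' directive: malformed RDNs, or a base that
    does not match the LDAP domain under the dc=/o= naming rule above."""
    base = conf.get("base", "")
    rdns = [r.strip() for r in base.split(",")] if base else []
    if not rdns or not all(RDN_RE.match(r) for r in rdns):
        return [f"base is not a well-formed DN: {base!r}"]
    attr = rdns[0].split("=", 1)[0].lower()
    expected = base_dn_from_domain(domain, attr)
    if ",".join(rdns).lower() != expected:
        return [f"base {base!r} does not match domain {domain!r}; expected {expected!r}"]
    return []

def credential_warnings(conf):
    """Flag a bind password: ldap.conf keeps bindpw in the clear, so the file
    must stay root-readable only and the bind account should be read-only."""
    return ["bindpw is stored in cleartext in /etc/ldap.conf"] if "bindpw" in conf else []
```

Run `check_base(parse_ldap_conf(open("/etc/ldap.conf").read()), "cyclades.com")` on the ACS to confirm the stored base matches the domain before enabling LDAP group authorization.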