
Configuring authentication for console server logins
The default authentication method for the console server is Local. You can either accept the default or select another authentication method from the Unit Authentication pull-down menu on the AuthType form.
Any authentication method selected for the console server is used for authentication of any user attempting to log into the console server through Telnet, SSH or the Web Manager.
To configure the console server login authentication method:
1. Go to Security - Authentication. The AuthType form is displayed.
2.
NOTE: Make sure an authentication server is specified for the selected authentication type.
3. Click apply changes.
Configuring authentication servers for logins to the console server and connected devices
If you are configuring any authentication method other than Local, make sure an authentication server is set up for that method.
The following is a summary of the things you need to know about setting up authentication servers.
The console server administrator should obtain the necessary information from each authentication server administrator in order to set up and identify those servers on the ACS console server.
For example, if LDAP authentication were to be used for logins to the console server and Kerberos for logins to serial ports, then the console server needs to have network access to an LDAP and a Kerberos authentication server. The administrator needs to perform setup on the console server for both types of authentication servers.
The administrator completes the appropriate form under Web Manager Expert - Security - Authentication to set up an authentication server for every authentication method used by the console server and its ports.
The following table lists the procedures that apply to each authentication method.
To configure a RADIUS authentication server:
Perform the following procedure to configure a RADIUS authentication server when the console server or any of its ports are configured to use the RADIUS authentication method or any of its variations (Local/RADIUS, RADIUS/Local or RADIUS/DownLocal).
1. Go to Security - Authentication - RADIUS in Expert mode.
2.
3. Click apply changes.
Group authorization on RADIUS
Group information retrieval from a RADIUS authentication server adds another layer of security by adding a network-based authorization. It retrieves the group information from the authentication server and performs an authorization through the console server.
To configure a TACACS+ authentication server:
Perform the following procedure to configure a TACACS+ authentication server when the console server or any of its ports are configured to use the TACACS+ authentication method or any of its variations (Local/TACACS+, TACACS+/Local or TACACS+/DownLocal).
1. Go to Security - Authentication - TACACS+ in Expert mode. The TACACS+ form displays.
2.
3.
By default, Raccess Authorization is disabled and no additional authorization is implemented. When Raccess Authorization is enabled, the authorization level of users trying to access the console server or its ports using TACACS+ authentication is checked. Users with administrator privileges have administrative access and users with regular user privileges have regular user access.
4.
If the authentication server does not respond to the client’s login attempt before the specified time period, the login attempt is cancelled. The user may retry depending on the number specified in the Retries field on this form.
5. To specify the number of times the user can request authentication verification from the server before an authentication failure message is sent to the user, enter a number in the Retries field.
6. Click apply changes.
Group authorization on TACACS+
Using an authorization method in addition to authentication provides an extra level of system security. Selecting Security - Authentication - TACACS+ in Expert mode displays the TACACS+ form, where an administrator can configure a TACACS+ authentication server and can also enable user authorization checking.
By checking the Enable Raccess Authorization checkbox, an additional level of security checking is implemented. After each user is successfully authenticated through the standard login procedure, the console server uses TACACS+ to determine whether or not each user/group is authorized to access specific serial ports.
By default, Enable Raccess Authorization is disabled, allowing all users full authorization. When this feature is enabled by placing a check mark in the box, users/groups are denied access unless they have the proper authorization, which must be set on the TACACS+ authentication server itself. For the configuration procedures for a TACACS+ authentication server, refer to the Cyclades ACS Advanced Console Server Command Reference Guide.
To configure an LDAP authentication server:
Perform the following procedure to configure an LDAP authentication server when the console server or any of its ports are configured to use the LDAP authentication method or any of its variations (LDAP, LDAP/Local or LDAPDownLocal).
Before starting this procedure, you will need the following information from the LDAP server administrator:
You can enter information in the LDAP User Name, LDAP Password and LDAP Login Attribute fields, but an entry is not required:
Work with the LDAP server administrator to ensure that the following types of accounts are set up on the LDAP server and that the administrators of the console server and the connected devices know the passwords assigned to the accounts:
1. Go to Security - Authentication - LDAP in Expert mode. The LDAP form displays with the LDAP Server and LDAP Base fields filled in with the current values from the /etc/ldap.conf file.
[Figure: Expert - Security - Authentication - LDAP]
2.
3. If the LDAP authentication server uses a different distinguished name for the search base than the one displayed in the LDAP Base field, change the definition.
The default distinguished name is dc, as in dc=value,dc=value. If the distinguished name on the LDAP server is o, then replace dc in the base field with o, as in o=value,o=value.
4.
For example, for the LDAP domain name avocent.com, the correct entry is: dc=avocent,dc=com.
5.
6.
7. Click apply changes. The changes are stored in /etc/ldap.conf on the console server.
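The LDAP Base derivation described above (dc=avocent,dc=com for avocent.com, or o=... when the directory uses o), together with the round trip to an /etc/ldap.conf fragment, as an added example that is not part of the manual or the product's own code. The key names host, base, binddn, bindpw and pam_login_attribute are those of pam_ldap/nss_ldap and are an assumption about what the console server writes; rdn_escape applies the RFC 4514 escaping rules.

```python
"""Derive an LDAP search base from a domain name and render/parse an
/etc/ldap.conf fragment. Added example: the ldap.conf key names are an
assumption (pam_ldap/nss_ldap conventions), not taken from the manual."""
import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_RDN_SPECIAL = re.compile(r'([,+"\\<>;])')


def rdn_escape(value: str) -> str:
    """Escape one attribute value so it cannot alter DN structure."""
    value = _RDN_SPECIAL.sub(r'\\\1', value)
    if value.startswith(('#', ' ')):   # leading '#' or space is special
        value = '\\' + value
    if value.endswith(' '):            # trailing space is special
        value = value[:-1] + '\\ '
    return value


def base_dn(domain: str, attr: str = 'dc') -> str:
    """'avocent.com' -> 'dc=avocent,dc=com'; attr='o' gives o=avocent,o=com."""
    labels = [l for l in domain.strip('.').split('.') if l]
    if not labels:
        raise ValueError('empty domain name')
    return ','.join(f'{attr}={rdn_escape(l)}' for l in labels)


def render_ldap_conf(server, base, user=None, password=None, login_attr=None):
    """Build file contents; the optional fields are omitted when empty,
    mirroring the form where User Name, Password and Login Attribute are optional."""
    lines = [f'host {server}', f'base {base}']
    if user:
        lines.append(f'binddn {user}')
    if password:
        lines.append(f'bindpw {password}')
    if login_attr:
        lines.append(f'pam_login_attribute {login_attr}')
    return '\n'.join(lines) + '\n'


def parse_ldap_conf(text):
    """Read back 'key value' lines, skipping blanks and '#' comments,
    as the form does when it pre-fills LDAP Server and LDAP Base."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition(' ')
        conf[key] = value.strip()
    return conf
```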
Group Authorization on LDAP
Group information retrieval from an LDAP authentication server adds another layer of security by adding a network-based authorization. It retrieves the group information from the authentication server and performs an authorization through the console server.
To configure a Kerberos authentication server:
Perform the following procedure to configure a Kerberos authentication server when the console server or any of its ports are configured to use the Kerberos authentication method or any of its variations (Kerberos, Kerberos/Local or KerberosDownLocal).
Before starting this procedure, find out the following information from the Kerberos server's administrator:
Also, work with the Kerberos server's administrator to ensure that the following types of accounts are set up on the Kerberos server and that the administrators of the console server and connected devices know the passwords assigned to the accounts:
If Kerberos authentication is specified for the console server, accounts will be needed for all users who need to log into the console server to administer connected devices.
Make sure entries for both the console server and the Kerberos server exist in the console server's /etc/hosts file.
1. Go to Network - Host Table in Expert mode. The Host Table form appears.
2.
a.
b.
c.
d.
3.
NOTE: Kerberos authentication depends on time synchronization. Time and date synchronization can be achieved by setting both the console server and the Kerberos server to use the same NTP server.
4.
5.
6.
7. Set the timezone on the console server by going to Administration - Time/Date in Expert mode, as shown in the following figure. The default is GMT.
[Figure: Expert - Administration - Time/Date]
8. Go to Security - Authentication - Kerberos in Expert mode. The Kerberos form displays as shown in the following figure.
[Figure: Expert - Security - Authentication - Kerberos]
9.
10. Click apply changes.
To configure a NIS authentication server:
Perform the following procedure to configure a NIS authentication server when the console server or any of its ports are configured to use the NIS authentication method or any of its variations (Local/NIS, NIS/Local or NISDownLocal).
1. Go to Security - Authentication - NIS in Expert mode. The NIS form displays as shown in the following figure.
[Figure: Expert - Security - Authentication - NIS]
2. Fill in the form according to your configuration of the NIS server.
3. Click apply changes.