KVM/net Remote Authentication FAQ
Background
This FAQ was started because there was no central document describing Remote Authentication support for the KVM based products. The difficulty lies in the differing implementations of the authentication protocols from one OS to another, and in the way each server accepts a user's credentials for authentication. A lot will be assumed here, since every scenario cannot be covered.
The assumptions are: the authentication server is fully functional; there is an administrator or other individual who can manage the authentication server; and the user/password being passed to the server for authentication exists and is configured. The discussion focuses on the KVM WMI, but may include CLI operations.
The authentication server administrator must add the user 'admin' to the authentication database. This is necessary to properly manage the KVM, and it allows admin to log in when local authentication is not in use. I recommend that the local (KVM) password and the remote (authentication server) password be different. If they are the same, a failure of the authentication server is never signalled and the administrator can be misled, because you will always authenticate.
In the KVM products the remotely authenticated user need not exist in the local KVM user database; the user is added automatically with R/W access to all ports on the KVM. This added user cannot authenticate locally, even after the entry appears in the local user database. If a password is set locally for that user, however, local access is granted.
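
The login behaviour described in the two paragraphs above (remote authentication first, "Authentication Down Local" fallback, auto-created users without a local password) is modelled below as an added Python example. It is not the firmware's code: the remote server's answer is passed in as an input, and it assumes that a rejection by a reachable server is final and that fallback only happens when the server is down. The outage_is_visible check makes the advice about using different passwords concrete.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# What the remote authentication server answered for one login attempt.
REMOTE_OK = "ok"                    # reachable, credentials accepted
REMOTE_DENIED = "denied"            # reachable, credentials rejected
REMOTE_UNREACHABLE = "unreachable"  # server down or not answering


@dataclass
class LocalUser:
    # None: record auto-created by a remote login, no local password set yet.
    password: Optional[str] = None
    ports: str = "R/W on all ports"


@dataclass
class Kvm:
    auth_down_local: bool                              # the "Authentication Down Local" setting
    users: Dict[str, LocalUser] = field(default_factory=dict)


def login(kvm: Kvm, user: str, password: str, remote_result: str) -> Tuple[bool, str]:
    """Return (granted, database that decided). remote_result is supplied by
    the caller because this model does not talk to a server."""
    if remote_result == REMOTE_OK:
        # A remotely authenticated user need not exist locally; it is added
        # with R/W access to all ports but without a local password.
        kvm.users.setdefault(user, LocalUser())
        return True, "remote"
    if remote_result == REMOTE_DENIED:
        # Assumption: a rejection by a reachable server is final; the local
        # database is only consulted when the server is down.
        return False, "remote"
    if not kvm.auth_down_local:
        return False, "remote"
    # Server down and fallback enabled: only a user with a locally set
    # password gets in; the auto-created record alone is not enough.
    local = kvm.users.get(user)
    granted = local is not None and local.password is not None and local.password == password
    return granted, "local"


def outage_is_visible(kvm: Kvm, user: str, remote_password: str) -> bool:
    """True when a login with the *remote* password fails while the server is
    down, i.e. the outage is noticed. With identical local and remote
    passwords the fallback silently succeeds and the outage goes unnoticed."""
    return not login(kvm, user, remote_password, REMOTE_UNREACHABLE)[0]
```

Run it with an admin whose local and remote passwords differ and the server "down": the remote password is refused (the signal the text relies on), the local one is accepted by the local database, and a user that only ever logged in remotely is refused until a local password is set.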

Regarding Ldap: the WMI assumes the distinguished name of the search base ("Ldap Base Domain Name") is of the form "dc=...". For Ldap configurations that use, for example, an Organisation ("o=...") as the base, /etc/ldap.conf has to be edited manually ("vi /etc/ldap.conf") and the line "base dc=..." changed to "base o=...". See the respective sections below for more information.
p.f.m.          10/6/2004

Q & A

Q.  What versions of firmware does this FAQ apply to?
A.  This FAQ is for versions 1.1.x. This firmware release has changes, most notably to Ldap, that allow for different basedn configurations, e.g. (dc=aaaaa, dc=bbb) or (o=aaa bbb). Additionally, the OSD now has (new) configuration options for setting remote authentication.

Q.  Has Kerberos authentication been tested using an Open Source Solution server?
A.  Yes; the details to configure the KVM are in the Kerberos section under "Open Source Authentication Server" below.

Q.  Has Ldap authentication been tested using an Open Source Solution server?
A.  Yes; the details to configure the KVM are in the Ldap section under "Open Source Authentication Server" below.

Q.  Has NTLM authentication been tested using an Open Source Solution server?
A.  Yes, NTLM is done using Samba; the details to configure the KVM are in the NTLM section under "Open Source Authentication Server" below.

Q.  Has Radius authentication been tested using an Open Source Solution server?
A.  Yes; the details to configure the KVM are in the Radius section under "Open Source Authentication Server" below.

Q.  Has Tacacs+ authentication been tested using an Open Source Solution server?
A.  Yes; the details to configure the KVM are in the Tacacs+ section under "Open Source Authentication Server" below.

Q.  Has Kerberos authentication been tested using a Microsoft Solution server?
A.  Yes; the details to configure the KVM are in the Kerberos section under "Windows 2000/2003 Server (AD)" below.

Q.  Has Ldap authentication been tested using a Microsoft Solution server?
A.  Yes; the details to configure the KVM are in the Ldap section under "Windows 2000/2003 Server (AD)" below.

Q.  Has NTLM authentication been tested using a Microsoft server?
A.  Yes; the details to configure the KVM are in the NTLM section under "Windows 2000/2003 Server (AD)" below.

Q.  Has Ldap authentication been tested using a Novell Solution server?
A.  Yes; the details to configure the KVM are in the Ldap section under "Novell Server (NDS)" below.

Q.  Are there plans to detail the server side configurations?
A.  There is that possibility; unfortunately the configurations are based on location needs and will be unique to each location.

Q.  Are the samples you give correct for every location?
A.  My samples are based on what I found I had to set to get the KVM to authenticate users; the environment is a test environment.

Q.  Will more authentication types be tested on different platforms in the future?
A.  I'm absolutely sure that this FAQ will grow, both in authentication type and platform.


Open Source Authentication Server:

Kerberos
° Required information:
    Realm name and KDC address
    Realm username (principal) and password
    User 'admin' and realm password
° Hostname sensitive ("hostname cannot be canonicalized" error)
    The KVM and the Authentication server should both have an entry in the hosts file of the KVM.
    To add the name and IP address to the KVM host file: WMI: Configuration >> Network >> Host Table
    The hostname of the KVM must be set
       - at the console type "hostname"; the default name KVM is returned if the unit is new.
° Time and Timezone sensitive (clock skew errors)
    KVM and KDC may need to use the NTP service with the same NTP server
    KVM can be set for NTP under WMI >> Configuration >> System >> Date/Time
    The time zone will need to be set if you are not in the PST zone
       - at the console type "set_timezone"
° The WMI fields are (Authentication Type: Kerberos)
    Authentication Down Local
    Kerberos Server (Realm)            < 192.168.47.125 >
    Kerberos Realm Domain Name   < cyclades.com >
° OSD Configure - General fields
    Authentication type    < Kerberos >
    Authent. down local   < Yes/No >
    1st Authent. server    < 192.168.47.125 >
    Authent. domain        < cyclades.com >

Ldap
° Required information:
    Domain name and LDAP server address
    Domain username and Domain user password
    User 'admin' and Domain password
° Allows anonymous binds, so the only WMI fields requiring entries (Authentication Type: Ldap) are:
    Ldap Server                     < 192.168.47.125 >
    Ldap Base Domain Name < dc=cyclades,dc=com >
    The other fields on the form (Authentication Down Local, Secure Ldap, Ldap User Name, Ldap Password, Ldap Login Attribute) need no entry.
° OSD Configure - General fields
    Authentication type    < LDAP >
    Authent. down local   < Yes/No >
    1st authent. server     < 192.168.47.125 >
    LDAP base                < dc=cyclades,dc=com >
    LDAP binddn
    LDAP attribute
    Authent. secret
    Secure Auth.         < Yes/No >

NTLM
° Required information:
    Domain name and Domain server address
    Domain username and Domain user password
    User 'admin' and Domain password
° This is also known as Samba and can be used as a login server.
° The WMI fields requiring an entry (Authentication Type: NTLM (Windows NT/2000/2003 Domain)) are:
    Domain:                                < cyclades >
    Primary Domain Controller   < 192.168.47.125 >
    The other fields on the form (Authentication Down Local, Secondary Domain Controller) need no entry.
° OSD Configure - General fields
    Authentication type    < Windows NT/2k/2k3 >
    Authent. down local   < Yes/No >
    1st authent. server     < 192.168.47.125 >
    2nd authent. server
    Authent. domain        < cyclades >


Radius
° Required information:
    Authentication and accounting server address
    Radius username and Radius user password
    User 'admin' and Radius password
    Radius Public key (the shared secret, entered in the Secret field)
° The WMI fields requiring an entry (Authentication Type: Radius) are:
    First Authentication Server   < 192.168.47.125 >
    First Accounting Server       < 192.168.47.125 >
    Secret                                 < abc123 >
    The other fields on the form (Authentication Down Local, Second Authentication Server, Second Accounting Server, Timeout, Retries) need no entry.
° OSD Configure - General fields
    Authentication type    < Radius >
    Authent. down local   < Yes/No >
    1st authent. server      < 192.168.47.125 >
    2nd authent. server
    1st account server      < 192.168.47.125 >
    2nd account server
    Authent. timeout       < 0 - 255 >
    Authent. retries         < 0 - 255 >
    Authent. secret         < abc123 >
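
The "Secret" entered above is the only thing protecting the user's password between the KVM and the Radius server. The added Python example below (not code from the KVM or from any Radius server) shows what it is used for: it builds a PAP Access-Request the way RFC 2865 describes, hiding the User-Password attribute with an MD5 keystream derived from the shared secret and the Request Authenticator, and then parses it back as the server would. The secret abc123 is the page's sample; the username, password and fixed authenticator in the test are constructed.

```python
import hashlib
import os
import struct
from typing import Dict, Optional

# RFC 2865 codes and attribute types used by a PAP Access-Request.
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 describes: pad to a multiple
    of 16, then XOR each block with MD5(secret + previous block), the first
    'previous block' being the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = _md5(secret + prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse pap_encode (what the server does). Trailing NUL padding is
    removed, so this assumes the password itself does not end in NUL bytes.
    With the wrong secret the keystream is different and garbage comes out."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = _md5(secret + prev)
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """One type-length-value attribute; the length byte covers type and length."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Client side: code, identifier, length, 16-byte authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)   # must be fresh per request
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, pap_encode(password, secret, authenticator))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> Dict[str, object]:
    """Server side: split the packet and recover the password with the shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    fields: Dict[str, object] = {"identifier": identifier}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            fields["username"] = value
        elif attr_type == ATTR_USER_PASSWORD:
            fields["password"] = pap_decode(value, secret, authenticator)
        pos += attr_len
    return fields
```

Because the hiding is a single MD5 keystream keyed by the secret, the strength of "abc123" is the strength of the password protection on the wire; a long random secret, and a different one per KVM, is the mitigation.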


Tacacs+
° Required information (the same as for Radius):
    Authentication and accounting server address
    Tacacs+ username and Tacacs+ user password
    User 'admin' and Tacacs+ password
    Tacacs+ shared secret (entered in the Secret field)
° The WMI fields requiring an entry (Authentication Type: TacacsPlus) are:
    First Authentication Server    < 192.168.47.125 >
    First Accounting Server        < 192.168.47.125 >
    Secret                                  < abc123 >
    The other fields on the form (Authentication Down Local, Second Authentication Server, Second Accounting Server, Timeout, Retries) need no entry.
° OSD Configure - General fields
    Authentication type    < TacacsPlus >
    Authent. down local   < Yes/No >
    1st authent. server      < 192.168.47.125 >
    2nd authent. server
    1st account server      < 192.168.47.125 >
    2nd account server
    Authent. timeout       < 0 - 255 >
    Authent. retries         < 0 - 255 >
    Authent. secret         < abc123 >



Windows 2000/2003 Server (AD)

Kerberos
° Required information:
    Realm name and KDC address
    Realm username (principal) and password
    User 'admin' and realm password
° Hostname sensitive ("hostname cannot be canonicalized" error)
    The KVM and the Authentication server should both have an entry in the hosts file of the KVM.
    To add the name and IP address to the KVM host file: WMI: Configuration >> Network >> Host Table
    The hostname of the KVM must be set
       - at the console type "hostname"; the default name KVM is returned if the unit is new.
° Time and Timezone sensitive (clock skew error)
    KVM and KDC may need to use the NTP service with the same NTP server
    KVM can be set for NTP under WMI >> Configuration >> System >> Date/Time
    The time zone will need to be set if you are not in the PST zone
       - at the console type "set_timezone"
° The WMI fields are (Authentication Type: Kerberos)
    Authentication Down Local
    Kerberos Server (Realm)            < 192.168.47.59 >
    Kerberos Realm Domain Name   < RDCYCLADES.COM >   (must be in CAPs)
° OSD Configure - General fields
    Authentication type    < Kerberos >
    Authent. down local   < Yes/No >
    1st Authent. server    < 192.168.47.59 >
    Authent. domain        < RDCYCLADES.COM >
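
Both Kerberos sections (Open Source above, and AD here) list the same prerequisites that produce the "hostname cannot be canonicalized" and clock skew errors. The added Python example below is a pre-flight check written for this FAQ, not a KVM tool: it parses a hosts-file style host table, verifies that the KVM name and the KDC both have entries, optionally enforces the upper-case realm the AD section requires, and compares the two clocks. The 5 minute skew limit is an assumption (the common Kerberos default); the host table and times in the test are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumption: the KDC uses the usual 5 minute maximum clock skew.
MAX_CLOCK_SKEW = timedelta(minutes=5)


def parse_host_table(hosts_text: str) -> Dict[str, str]:
    """Map every name in a hosts-file style text (address, then one or more
    names) to its address; comments and blank lines are skipped."""
    table: Dict[str, str] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table[name.lower()] = address
    return table


def kerberos_preflight(hosts_text: str, kvm_hostname: str, kdc_name: str, realm: str,
                       kvm_time: datetime, kdc_time: datetime,
                       ad_realm: bool = False) -> List[Tuple[str, str]]:
    """Return (code, message) pairs for every prerequisite that is not met;
    an empty list means the Kerberos fields can be entered."""
    problems: List[Tuple[str, str]] = []
    hosts = parse_host_table(hosts_text)

    # Hostname sensitive: the KVM's own name and the KDC must be in the host table.
    if not kvm_hostname.strip():
        problems.append(("kvm-hostname", "the KVM hostname is not set (console: hostname)"))
    elif kvm_hostname.lower() not in hosts:
        problems.append(("kvm-host-entry",
                         f"no host table entry for the KVM name {kvm_hostname!r}"))
    if kdc_name.lower() not in hosts:
        problems.append(("kdc-host-entry", f"no host table entry for the KDC {kdc_name!r}"))

    # The AD section requires the realm in capitals; an open source realm may be lower case.
    if ad_realm and realm != realm.upper():
        problems.append(("realm-case", f"realm {realm!r} must be in CAPs for an AD realm"))

    # Time sensitive: both clocks should come from the same NTP server.
    skew = abs(kvm_time - kdc_time)
    if skew > MAX_CLOCK_SKEW:
        problems.append(("clock-skew",
                         f"KVM and KDC clocks differ by {int(skew.total_seconds())} s; "
                         "use the same NTP server and check set_timezone"))
    return problems
```

The check is meant to run before the WMI or OSD fields are filled in, so that a later "hostname cannot be canonicalized" or clock skew error can be attributed to the prerequisite that was skipped.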

Ldap
° Required information:
    Domain name and Ldap server address
    AD username and AD user password
    User 'admin' and Domain password
° You may want to create an AD user just for authentication binds (Ldap User Name)
° All fields require entries in the WMI (Authentication Type: Ldap):
    Authentication Down Local
    Ldap Server                     < 192.168.47.59 >
    Ldap Base Domain Name < rdcyclades.com >
    Secure Ldap
    Ldap User Name              < joe@rdcyclades.com >
    Ldap Password                < abc123 >
    Ldap Login Attribute         < samaccountname >
° OSD Configure - General fields
    Authentication type    < LDAP >
    Authent. down local   < Yes/No >
    1st authent. server      < 192.168.47.125 >
    LDAP base               < dc=rdcyclades,dc=com >
    LDAP binddn            < joe@rdcyclades.com >
    LDAP attribute         < samaccountname >
    Authent. secret         < abc123 >
    Secure Auth.            < Yes/No >
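
Unlike the anonymous-bind servers, AD needs the bind user, its password and the "Ldap Login Attribute" (samaccountname) filled in; the server is then asked for the entry whose login attribute equals the name typed at the KVM prompt. The added Python example below is not KVM or AD code: it lists which WMI fields must be non-empty for each kind of server as this FAQ describes them, and builds the lookup filter with RFC 4515 escaping, so that a typed name containing filter metacharacters is matched literally rather than changing the query. The field values in the test are the page's samples; the odd user name is constructed.

```python
import re
from typing import Dict, List

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPE = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# WMI fields this FAQ says must be filled: two for servers that allow
# anonymous binds (Open Source, Novell), all of them for AD.
FIELDS_ANONYMOUS_BIND = ("Ldap Server", "Ldap Base Domain Name")
FIELDS_AUTHENTICATED_BIND = FIELDS_ANONYMOUS_BIND + (
    "Ldap User Name", "Ldap Password", "Ldap Login Attribute")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def login_filter(login_attribute: str, username: str) -> str:
    """Filter that finds the entry whose login attribute equals the name typed
    at the KVM login prompt, e.g. (samaccountname=joe)."""
    if not _ATTR_NAME.match(login_attribute):
        raise ValueError(f"not an attribute name: {login_attribute!r}")
    return f"({login_attribute}={escape_filter_value(username)})"


def missing_ldap_fields(fields: Dict[str, str], anonymous_bind: bool) -> List[str]:
    """Names of required WMI fields that are empty, in form order."""
    required = FIELDS_ANONYMOUS_BIND if anonymous_bind else FIELDS_AUTHENTICATED_BIND
    return [name for name in required if not fields.get(name, "").strip()]
```

missing_ldap_fields is the check to run before saving the form: an AD configuration with the bind user left blank falls back to an anonymous bind, which AD refuses, and the symptom is a login failure rather than a configuration error.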

NTLM
° Required information:
    Domain name and Domain server address
    AD username and AD user password
    User 'admin' and Domain password
° The Domain entry is without the .com
° Both Domain Controller fields must be filled and must be the short hostname.
° If the short name is not getting mapped properly, add the name and IP address to the KVM host file (WMI: Configuration >> Network >> Host Table), e.g.:
    192.169.47.59   QAHPBrio
° The WMI fields requiring an entry (Authentication Type: NTLM (Windows NT/2000/2003 Domain)) are:
    Domain:                                    < rdcyclades >
    Primary Domain Controller       < QAHPBrio >
    Secondary Domain Controller   < QAHPBrio >
    The remaining field on the form (Authentication Down Local) needs no entry.
° OSD Configure - General fields
    Authentication type    < Windows NT/2k/2k3 >
    Authent. down local   < Yes/No >
    1st authent. server     < QAHPBrio >
    2nd authent. server   < QAHPBrio >
    Authent. domain        < rdcyclades >



Novell Server (NDS)

Ldap
° Ideally the NDS administrator is not named "admin", to avoid exposing the server administrator password
° Required information:
    Domain name and Domain server address
    Domain username and Domain user password
    User 'admin' and Domain password
° Allows anonymous binds, so the only WMI fields requiring entries (Authentication Type: Ldap) are:
    Ldap Server                     < 192.168.47.116 >
    Ldap Base Domain Name < o=cyclades corporation >
    The other fields on the form (Authentication Down Local, Secure Ldap, Ldap User Name, Ldap Password, Ldap Login Attribute) need no entry.
° OSD Configure - General fields
    Authentication type    < LDAP >
    Authent. down local   < Yes/No >
    1st authent. server      < 192.168.47.116 >
    LDAP base               < o=cyclades corporation >
    LDAP binddn
    LDAP attribute
    Authent. secret
    Secure Auth.            < Yes/No >
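
The Novell case is the one the Background note about /etc/ldap.conf is for: the base is "o=cyclades corporation", not a dc= name, so the "base" line has to be changed by hand. The added Python example below (written for this FAQ, not the KVM's own configuration code) does that edit on the text of an ldap.conf-style file, converts a dotted domain such as rdcyclades.com into the dc= form the OSD shows, and reads the directive back so the change can be verified before a login is tried. The sample configuration text in the test is constructed.

```python
import re
from typing import Optional

# A base DN is a comma-separated list of attribute=value pairs; values may
# contain spaces ("o=cyclades corporation") but not unescaped commas.
_BASE_DN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")
# The 'base' directive: keyword, whitespace, value. Comment lines never match,
# and neither does a keyword such as 'basedn' because whitespace must follow.
_BASE_LINE = re.compile(r"^\s*base\s+(.*?)\s*$", re.IGNORECASE)


def domain_to_base_dn(domain: str) -> str:
    """Turn the dotted domain the WMI takes as 'Ldap Base Domain Name' into
    the dc= form the OSD shows: rdcyclades.com -> dc=rdcyclades,dc=com."""
    labels = [part for part in domain.strip().strip(".").split(".") if part]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def is_valid_base_dn(base_dn: str) -> bool:
    return bool(_BASE_DN.match(base_dn.strip()))


def get_ldap_base(conf_text: str) -> Optional[str]:
    """Value of the first uncommented 'base' directive, or None if absent."""
    for line in conf_text.splitlines():
        match = _BASE_LINE.match(line)
        if match:
            return match.group(1)
    return None


def set_ldap_base(conf_text: str, base_dn: str) -> str:
    """Rewrite the 'base' directive of an ldap.conf-style text to base_dn
    (any naming form, dc= or o=), appending it if the file has none."""
    if not is_valid_base_dn(base_dn):
        raise ValueError(f"not a base DN: {base_dn!r}")
    out, replaced = [], False
    for line in conf_text.splitlines():
        if not replaced and _BASE_LINE.match(line):
            out.append(f"base {base_dn.strip()}")
            replaced = True
        else:
            out.append(line)   # host, ldap_version, comments and so on pass through
    if not replaced:
        out.append(f"base {base_dn.strip()}")
    return "\n".join(out) + "\n"
```

Used on the real file, the sequence is: read /etc/ldap.conf, call set_ldap_base with the o= value, write the result back, then confirm with get_ldap_base; rejecting a value without "=" catches the common slip of pasting the dotted domain name into the base line.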