The OnBoard administrator can configure many common authentication methods for the following types of logins:
• These authentication methods use both local authentication and authentication servers in the order shown:
• Local/AuthType
• AuthType/Local
• AuthType/DownLocal
• The AuthType/Local and AuthType/DownLocal authentication methods are referred to as authentication methods with local fallback options.
• Administrators can specify separate authentication types for OnBoard logins and for connected devices.
• Local and OTP authentication methods and the authentication methods that have local fallback options require user accounts configured on the OnBoard.
• If an authentication server for a specified authentication method is down, and a local fallback option is not configured, then authentication fails for regular users, for administrative users and for root.

Note: If the authentication server is not available or the user account is not configured properly, then the OnBoard administrator needs to work with the authentication server's administrator to fix the problem. If logins to the OnBoard are not allowed, the root user can use the procedure in Recovering From Login Failure to fix the lock-out.

If configuring any authentication method other than Local, the administrator user must make sure an authentication server is set up for that method as itemized in the following list.
• The OnBoard must have network access to an authentication server set up for every authentication method specified.
• The administrator configuring the OnBoard needs to work with the administrator of each authentication server to get user accounts set up and to obtain the information needed for configuring access to the authentication server on the OnBoard.

For example, if LDAP authentication is to be used for logins to the OnBoard and Kerberos authentication is to be used for logins to devices, then the OnBoard needs network access to both an LDAP and a Kerberos authentication server, and the administrator needs to configure the OnBoard for each type of authentication server.

The following table lists the supported authentication methods and indicates which methods are available for the OnBoard and which are available for connected devices.
• Local: Uses local user/password for local authentication on the OnBoard.
• Kerberos: Uses user/password configured on the Kerberos authentication server. No logins allowed if the Kerberos server is down or Kerberos authentication fails.
• Kerberos/DownLocal: Uses local authentication if the Kerberos server is down.
• Kerberos/Local: Uses local authentication if Kerberos authentication fails.
• Local/Kerberos: Uses Kerberos authentication if local authentication fails.
• LDAP: Uses user/password configured on the LDAP (Lightweight Directory Access Protocol) authentication server. No logins allowed if the LDAP server is down or LDAP authentication fails.
• LDAP/Local: Uses local authentication if LDAP authentication fails.
• Local/LDAP: Uses LDAP authentication if local authentication fails.
• NIS: Uses user/password configured on the NIS authentication server. No logins allowed if the NIS server is down or NIS authentication fails.
• NIS/Local: Uses local authentication if NIS authentication fails.
• Local/NIS: Uses NIS authentication if local authentication fails.
• OTP: Uses the one-time password (OTP) authentication method.
• OTP/Local: Uses the local password if the OTP password fails.
• RADIUS: Uses user/password configured on the RADIUS authentication server. No logins allowed if the RADIUS server is down or RADIUS authentication fails.
• RADIUS/DownLocal: Uses local authentication if the RADIUS server is down.
• RADIUS/Local: Uses local authentication if RADIUS authentication fails.
• Local/RADIUS: Uses RADIUS authentication if local authentication fails.
• SMB: Uses user/password configured on the SMB authentication server (for Microsoft Windows NT/2000/2003 Domain). No logins allowed if the SMB server is down or SMB authentication fails.
• SMB/DownLocal: Uses local authentication if the SMB server is down.
• SMB/Local: Uses local authentication if SMB authentication fails.
• Local/SMB: Uses SMB authentication if local authentication fails.
• TACACS+: Uses user/password configured on the Terminal Access Controller Access Control System (TACACS+) authentication server. No logins allowed if the TACACS+ server is down or TACACS+ authentication fails.
• TACACS+/DownLocal: Uses local authentication if the TACACS+ server is down.
• TACACS+/Local: Uses local authentication if TACACS+ authentication fails.
• Local/TACACS+: Uses TACACS+ authentication if local authentication fails.

An administrative user can use the Web Manager, and any administrator can use the cycli utility, to configure an authentication method for the OnBoard and for connected devices and to configure authentication servers. The tasks for configuring authentication are summarized in the following list, with links to more information and to procedures using the Web Manager.
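The fallback orderings in the table differ in one detail that matters when an account has been disabled on the central server: an AuthType/Local method falls back to the local password whenever the server does not accept the login, while AuthType/DownLocal falls back only when the server cannot be reached. The following model is an added illustration, not OnBoard or cycli code; it assumes (the page does not say) that an unreachable server counts as a failed authentication for the /Local variants, and the server and local results are constructed inputs rather than live lookups.

```python
"""Model of the OnBoard authentication orderings: "<Type>", "<Type>/Local",
"<Type>/DownLocal", "Local/<Type>" and plain "Local".

Added illustration only (not OnBoard code). Assumption: for "<Type>/Local"
an unreachable server is treated like a rejected login, so local is tried.
"""
from enum import Enum
from typing import Optional, Tuple


class ServerResult(Enum):
    ACCEPT = "accept"  # server reached, credentials accepted
    REJECT = "reject"  # server reached, credentials rejected (or account disabled)
    DOWN = "down"      # server unreachable


def authenticate(method: str, server: ServerResult, local_ok: bool) -> Tuple[bool, str]:
    """Return (allowed, reason) for one login attempt under the given method.

    server   - constructed outcome of the authentication-server check
    local_ok - whether the local OnBoard password would have been accepted
    """
    parts = method.split("/")
    if parts == ["Local"]:
        return local_ok, "local"
    if parts[0] == "Local":                       # Local/<Type>: local first
        if local_ok:
            return True, "local"
        return server is ServerResult.ACCEPT, f"{parts[1]} after local failure"

    auth_type = parts[0]
    fallback: Optional[str] = parts[1] if len(parts) > 1 else None
    if server is ServerResult.ACCEPT:
        return True, auth_type
    if server is ServerResult.DOWN and fallback in ("Local", "DownLocal"):
        return local_ok, f"local fallback ({auth_type} server down)"
    if server is ServerResult.REJECT and fallback == "Local":
        return local_ok, f"local fallback ({auth_type} rejected credentials)"
    # Plain <Type>, or DownLocal with a reachable server that rejected the user
    return False, f"{auth_type} {server.value}, no applicable fallback"


def fallback_on_reject(method: str) -> bool:
    """True if a user rejected by the server can still log in with a local password."""
    return authenticate(method, ServerResult.REJECT, local_ok=True)[0]


if __name__ == "__main__":
    for m in ("Kerberos", "Kerberos/Local", "Kerberos/DownLocal", "Local/Kerberos"):
        for s in ServerResult:
            print(f"{m:20} server={s.value:7} local_ok=True -> {authenticate(m, s, True)}")
```

Running the script prints the full grid; the key rows are that Kerberos/DownLocal denies a user the server rejected even with a valid local password, while Kerberos/Local admits that user.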
1. Decide which authentication methods are going to be used for logins to the OnBoard and for logins to connected devices.
2. Make sure an authentication server for each method is accessible to the OnBoard, and work with the server(s)' administrators to obtain the information needed to configure the servers on the OnBoard and to make sure the required accounts are set up on the servers.
3. On the OnBoard, configure an authentication server for each authentication method.
4. Optional: create a custom security profile that specifies the authentication method to be assigned to all subsequently created devices. (The specified authentication method can be overridden during configuration of new devices.)
5. While creating new devices, assign the desired authentication method to each device.
6. Give users the username and password information they need to be authenticated on the devices.
7. Configure either an external modem connected to an AUX port, or a modem or GSM or CDMA phone PCMCIA card, for dial-in logins with OTP authentication, and give users the OTP information they need to be authenticated for dial-ins.

For examples of cycli scripts that you can adapt to configure device authentication, see /libexec/example_scripts.