Introduction for Administrative Users > OnBoard Authentication Options

OnBoard Authentication Options
The OnBoard administrator can configure many common authentication methods for the following types of logins:
By default, all logins to the OnBoard and connected devices use Local authentication.
See the authentication-related considerations in the following bulleted list:
These authentication methods use both local authentication and authentication servers in the order shown:
Local/AuthType
AuthType/Local
AuthType/DownLocal
The AuthType/Local and AuthType/DownLocal authentication methods are referred to as authentication methods with local fallback options.
Local and OTP authentication methods and the authentication methods that have local fallback options require user accounts configured on the OnBoard.
If an authentication server for a specified authentication method is down, and a local fallback option is not configured, then authentication fails for regular users, administrative users, and for root.
Note: If the authentication server is not available or the user account is not configured properly, then the OnBoard administrator needs to work with the authentication server’s administrator to fix the problem. If logins to the OnBoard are not allowed, the root user can use the procedure in Recovering From Login Failure to fix the lock-out.
If configuring any authentication method other than Local, the administrative user must make sure an authentication server is set up for that method as itemized in the following list.
The administrator configuring the OnBoard needs to work with the administrator of each authentication server to get user accounts set up and to obtain information needed for configuring access to the authentication server on the OnBoard.
For example, if LDAP authentication is to be used for logins to the OnBoard and if Kerberos authentication is to be used for logins to devices, then the OnBoard needs to have network access to both an LDAP and a Kerberos authentication server, and the administrator needs to perform configuration on the OnBoard for each type of authentication server.
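The fallback behavior described in the list above can be modeled to review a planned configuration before it is applied. The following Python sketch is an added example, not code from the OnBoard or its documentation. It assumes that AuthType/Local consults the local account whenever server authentication does not succeed, and that AuthType/DownLocal consults it only when the server is unreachable; the function names and finding labels are hypothetical.

```python
from enum import Enum

class Server(Enum):
    ACCEPT = "accept"   # server reachable, credentials accepted
    REJECT = "reject"   # server reachable, credentials rejected
    DOWN = "down"       # server unreachable

METHODS = ("Local", "AuthType", "Local/AuthType",
           "AuthType/Local", "AuthType/DownLocal")

def login_allowed(method, server, local_ok):
    """Return True if a login succeeds under the modeled method.

    server   -- outcome of asking the authentication server
    local_ok -- whether the local OnBoard account accepts the password
    """
    remote_ok = server is Server.ACCEPT
    if method == "Local":
        return local_ok
    if method == "AuthType":
        return remote_ok
    if method in ("Local/AuthType", "AuthType/Local"):
        # Assumption: the second source is tried whenever the first fails,
        # so the order changes which source is asked first, not the outcome.
        return local_ok or remote_ok
    if method == "AuthType/DownLocal":
        # Assumption: local accounts are consulted only if the server is down.
        return remote_ok or (server is Server.DOWN and local_ok)
    raise ValueError(f"unknown method: {method}")

def review(method):
    """List the operational and security findings for one method."""
    findings = []
    if method == "Local":
        return findings  # no server involved
    # Lock-out: nobody, including root, can log in while the server is down.
    if not login_allowed(method, Server.DOWN, local_ok=True):
        findings.append("lockout-if-server-down")
    # An account rejected by the server still gets in with a local password.
    if login_allowed(method, Server.REJECT, local_ok=True):
        findings.append("local-password-overrides-server-reject")
    return findings

if __name__ == "__main__":
    for m in METHODS:
        print(f"{m:20} {review(m) or 'no findings'}")
```

Under these assumptions, only the DownLocal form avoids both the lock-out and the case where a locally stored password outlives an account that was disabled on the server.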
The following table lists the supported authentication methods and indicates which methods are available for the OnBoard and which are available for connected devices.
When a table cell is blank, the authentication method is not supported.
 
Uses local user/password for local authentication on the OnBoard.
Uses user/password configured on the Kerberos authentication server. No logins allowed if Kerberos server is down or Kerberos authentication fails.
Uses user/password configured on the LDAP (Lightweight Directory Access Protocol) authentication server. No logins allowed if LDAP server is down or LDAP authentication fails.
Uses user/password configured on the NIS authentication server. No logins allowed if NIS server is down or NIS authentication fails.
Uses local authentication if NIS authentication fails.
Uses the one-time password (OTP) authentication method.
 
 
Uses user/password configured on the RADIUS authentication server. No logins allowed if NIS server is down or NIS authentication fails.
X
X
X
SMB
Uses user/password configured on the SMB authentication server (for Microsoft Windows NT/2000/2003 Domain). No logins allowed if SMB server is down or SMB authentication fails.
X
 
X
X
X
X
X
X
X
Uses user/password configured on the Terminal Access Controller Access Control System (TACACS+) authentication server. No logins allowed if NIS server is down or NIS authentication fails.
X
X
X
X
X
An administrative user can use the Web Manager, and any administrator can use the cycli utility, for configuring an authentication method for the OnBoard and for connected devices and for configuring authentication servers. The tasks for configuring authentication are summarized in the following list with links to more information and to procedures using the Web Manager:
Decide which authentication methods are going to be used for logins to the OnBoard and for logins to connected devices.
Make sure an authentication server for each method is accessible to the OnBoard, and work with each server's administrator to obtain the information needed to configure the servers on the OnBoard and to make sure the required accounts are set up on the servers.
On the OnBoard, configure an authentication server for each authentication method.
Specify the OnBoard login authentication method or accept the default Local authentication method.
Optional: Create a custom security profile that specifies the authentication method to be assigned to all subsequently created devices. (The specified authentication method can be overridden during configuration of new devices.)
While creating new devices, assign the desired authentication method to each device.
Give users the username and password information they need for being authenticated on the devices.
Configure either an external modem connected to an AUX port, or a modem or GSM or CDMA phone PCMCIA card for dial-in logins with OTP authentication, and give users the OTP information they need to be authenticated for dial-ins.
For examples of using cycli scripts that you can adapt to configure device authentication, see /libexec/example_scripts.
