The OnBoard appliance administrator can configure many common authentication methods for logins to the OnBoard appliance or to connected devices. By default, all logins to the OnBoard appliance and connected devices use Local authentication.
See the authentication-related considerations in the following bulleted list. These authentication methods use both local authentication and authentication servers in the order shown: Local/AuthType, AuthType/Local and then AuthType/DownLocal.
• The AuthType/Local and AuthType/DownLocal authorization methods are referred to as authentication methods with local fallback options.
• Local and OTP authentication methods and the authentication methods that have local fallback options require user accounts configured on the OnBoard appliance.
If configuring any authentication method other than Local, the administrator user must make sure an authentication server is set up for that method as itemized in the following list.
• The OnBoard appliance must have network access to an authentication server set up for every authentication method specified.
• The administrator configuring the OnBoard appliance needs to work with the administrator of each authentication server to get user accounts set up and to obtain information needed for configuring access to the authentication server on the OnBoard appliance.
NOTE: This section discusses only the types of authentication used for controlling who can access the OnBoard appliance and connected devices. Other authentication methods that are used by SNMP, PPTP, IPSec or PPP are described in the related sections.
The following table lists the supported authentication methods and indicates which methods are available for the OnBoard appliance and which are available for connected devices. When a table cell is blank, the authentication method is not supported.
OnBoard Appliance
• Uses local user/password for local authentication on the OnBoard appliance.
• Uses user/password configured on the Kerberos authentication server. No logins allowed if Kerberos server is down or Kerberos authentication fails.
• Uses local authentication if Kerberos authentication fails.
• Uses Kerberos authentication if local authentication fails.
• Uses user/password configured on the LDAP (Lightweight Directory Access Protocol) authentication server. No logins allowed if LDAP server is down or LDAP authentication fails.
• Uses local authentication if LDAP authentication fails.
• Uses LDAP authentication if local authentication fails.
• Uses user/password configured on the NIS authentication server. No logins allowed if NIS server is down or NIS authentication fails.
• Uses the one-time password (OTP) authentication method.
• Uses user/password configured on the RADIUS authentication server. No logins allowed if NIS server is down or NIS authentication fails.
• Uses local authentication if RADIUS authentication fails.
• Uses RADIUS authentication if local authentication fails.
• Uses user/password configured on the SMB authentication server (for Microsoft Windows NT/2000/2003 Domain). No logins allowed if SMB server is down or SMB authentication fails.
• Uses local authentication if SMB authentication fails.
• Uses SMB authentication if local authentication fails.
• Uses user/password configured on the Terminal Access Controller Access Control System (TACACS+) authentication server. No logins allowed if NIS server is down or NIS authentication fails.
• Uses local authentication if TACACS+ authentication fails.
• Uses TACACS+ authentication if local authentication fails.
An administrative user can use the Web Manager, and any administrator can use the cycli utility for configuring an authentication method for the OnBoard appliance and connected devices and for configuring authentication servers.
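The fallback behaviour described in the table can be modelled to see which methods let a local password succeed after the authentication server has refused the same user. This is an added example, not OnBoard or vendor code; the function names and `Result` values are hypothetical, and the AuthType/DownLocal rule (local is tried only when the server is down) is an assumption, since the page names that method without describing it.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"   # credentials verified by this source
    REJECT = "reject"   # source reachable, credentials refused
    DOWN = "down"       # server unreachable (applies to the server only)

# "AuthType" stands for any server-backed method (Kerberos, LDAP, RADIUS, ...).
SERVER_METHODS = ["AuthType", "AuthType/Local", "Local/AuthType",
                  "AuthType/DownLocal"]

def login_allowed(method, server, local):
    """Return (allowed, deciding_source) for one login attempt."""
    if method == "Local":
        return (local is Result.ACCEPT, "local")
    if method == "AuthType":
        # No logins if the server is down or authentication fails.
        return (server is Result.ACCEPT, "server")
    if method == "AuthType/Local":
        # Local is tried whenever server authentication fails.
        if server is Result.ACCEPT:
            return (True, "server")
        return (local is Result.ACCEPT, "local")
    if method == "Local/AuthType":
        # The server is tried whenever local authentication fails.
        if local is Result.ACCEPT:
            return (True, "local")
        return (server is Result.ACCEPT, "server")
    if method == "AuthType/DownLocal":
        # ASSUMPTION: local is tried only when the server is unreachable.
        if server is Result.DOWN:
            return (local is Result.ACCEPT, "local")
        return (server is Result.ACCEPT, "server")
    raise ValueError(f"unknown method: {method}")

def local_fallback_exposure():
    """For each server-backed method: does a valid local password still
    log in when the server is reachable and REJECTS the user (for
    example, an account disabled centrally)?"""
    return {m: login_allowed(m, Result.REJECT, Result.ACCEPT)[0]
            for m in SERVER_METHODS}

if __name__ == "__main__":
    for method, exposed in local_fallback_exposure().items():
        print(f"{method:20} local password overrides server reject: {exposed}")
```

Methods reported as `True` keep the local account as a second valid credential path, so disabling a user on the authentication server does not lock them out until the matching local account on the appliance is also removed or changed.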
The tasks for configuring authentication are summarized in the following list with links to more information and to procedures using the Web Manager.
• Decide which authentication methods are going to be used for logins to the OnBoard appliance and for logins to connected devices.
• Make sure an authentication server for each method is accessible to the OnBoard appliance and work with the server(s)’ administrators to obtain the information needed to configure the servers on the OnBoard appliance and to make sure the required accounts are set up on the servers.
• On the OnBoard appliance, configure an authentication server for each authentication method.
• Specify the OnBoard appliance login authentication method or accept the default Local authentication method.
• (Optional:) Create a custom security profile that specifies the authentication method to be assigned to all subsequently-created devices. (The specified authentication method can be overridden during configuration of new devices.)
• While creating new devices, assign the desired authentication method to each device.
• Give users the username and password information they need for being authenticated on the devices.
• Configure either an external modem connected to an AUX port, or a modem or GSM or CDMA phone PCMCIA card for dial-in logins with OTP authentication and give users the OTP information they need to be authenticated for dial-ins.