Web Manager for Administrators > Configuration>Security>Authentication > Configuring Authentication Servers

Configuring Authentication Servers
The administrator fills out the appropriate screen to set up an authentication server for every authentication method to be used by the OnSite and by any of its ports: Kerberos, LDAP, NIS, NTLM/SMB (ports only), RADIUS, TACACS+.
The following table lists the procedures that apply to each authentication method.
 
NTLM (Windows NT/2000/2003 Domain)
RADIUS, Local/RADIUS, RADIUS/Local, or RADIUS/DownLocal
TACACS+, Local/TACACS+, TACACS+/Local, or TACACS+/DownLocal
To Configure a Kerberos Authentication Server [Expert]
Perform this procedure to configure a Kerberos authentication server when the OnSite or any of its ports is configured to use the Kerberos authentication method or any of its variations (Kerberos, Local/Kerberos, Kerberos/Local, or Kerberos/DownLocal).
Before starting this procedure, find out the following information from the Kerberos server’s administrator:
Also, work with the Kerberos server’s administrator to ensure that the following types of accounts are set up on the Kerberos server and that the administrators of the OnSite and connected devices know the passwords assigned to the accounts:
If Kerberos authentication is specified for the OnSite, accounts for all users who need to log into the OnSite to administer connected devices.
If Kerberos authentication is specified for KVM or serial ports, accounts for users who need administrative access to connected devices.
1.
a.
The “Host Table” screen appears.
b.
i.
The “New/Modify Host” dialog appears.
ii.
iii.
iv.
2.
Note: Kerberos authentication depends on time synchronization. Time and date synchronization is most easily achieved by setting both the OnSite and the Kerberos server to use the same NTP server.
a.
b.
c.
Work with the authentication server’s administrator to synchronize the time and date between the OnSite and the server.
3.
a.
The root prompt appears.
b.
Enter set_timezone.
A list of timezones appears, followed by a prompt asking you to enter the number of a timezone.
c.
d.
4.
The Kerberos screen displays as shown in the following figure.
Web Manager Kerberos Authentication Server Screen
5.
6.
7.
To Configure an LDAP Authentication Server [Expert]
Perform this procedure to configure an LDAP authentication server when the OnSite or any of its ports is configured to use the LDAP authentication method or any of its variations (LDAP, Local/LDAP, LDAP/Local, or LDAP/DownLocal).
Before starting this procedure, find out the following information from the LDAP server’s administrator:
An administrative user can enter information in the following two fields, but an entry is not required:
Work with the LDAP server’s administrator to ensure that the following types of accounts are set up on the LDAP server and that the administrators of the OnSite and connected devices know the passwords assigned to the accounts:
If LDAP authentication is specified for the OnSite, accounts for all users who need to log into the OnSite to administer connected devices.
If LDAP authentication is specified for KVM ports, accounts for users who need administrative access to the connected devices.
Make sure to configure a group or groups on the OnSite with the same names and members as the group or groups on the LDAP authentication server. (See To Add a Group [Expert].)
1.
The “LDAP” screen displays with “LDAP Server” and “LDAP Search Base” fields filled in from the current values in the /etc/ldap.conf file.
Web Manager LDAP Authentication Server Screen
2.
3.
If the LDAP authentication server uses a different distinguished name for the search base than the one displayed in the “LDAP” Base field, change the definition.
The default distinguished name is “dc,” as in dc=value,dc=value. If the distinguished name on the LDAP server is “o,” then replace dc in the base field with o, as in o=value,o=value.
4.
For example, for the LDAP domain name cyclades.com, the correct entry is: dc=cyclades,dc=com.
5.
6.
The changes are stored in /etc/ldap.conf on the OnSite.
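The search-base rule in steps 3 and 4, as an added example that is not part of the OnSite documentation: the script derives the DN from a domain name and compares it with the `base` entry of an ldap.conf-style file. It assumes the file uses the `base` keyword of the nss_ldap/pam_ldap format; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the OnSite manual): check the search base in an
# ldap.conf-style file against the DN derived from the LDAP domain name.

# domain_to_base DOMAIN [ATTR]: cyclades.com -> dc=cyclades,dc=com.
# ATTR defaults to "dc"; pass "o" when the server uses o=value,o=value.
domain_to_base() {
    printf '%s\n' "$1" | awk -F. -v a="${2:-dc}" '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "") continue   # skip empty labels such as a trailing dot
            out = out (out == "" ? "" : ",") a "=" $i
        }
        print out
    }'
}

# normalize_dn DN: lower-case and strip blanks around "," and "=" so that
# "DC=Cyclades, DC=com" compares equal to "dc=cyclades,dc=com".
normalize_dn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        sed 's/[[:space:]]*\([,=]\)[[:space:]]*/\1/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# conf_base FILE: value of the last "base" line; comment lines are ignored.
# Assumption: the file uses the "base" keyword of the nss_ldap/pam_ldap format.
conf_base() {
    awk 'tolower($1) == "base" { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
         END { print v }' "$1"
}

# check_base FILE DOMAIN [ATTR]: 0 = match, 1 = mismatch, 2 = no base line.
check_base() {
    have=$(conf_base "$1")
    [ -n "$have" ] || return 2
    want=$(domain_to_base "$2" "${3:-dc}")
    [ "$(normalize_dn "$have")" = "$(normalize_dn "$want")" ]
}

# Constructed sample file contents, not copied from a real OnSite.
sample_conf() {
    printf '%s\n' '# constructed sample' 'host 192.0.2.10' 'base DC=Cyclades, DC=com'
}

tmp=$(mktemp) && sample_conf > "$tmp"
check_base "$tmp" cyclades.com && echo "search base matches cyclades.com"
rm -f "$tmp"
```

A return value of 2 from `check_base` means the file has no active `base` line at all, which is worth distinguishing from a mismatch when reviewing a saved configuration.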
To Configure an SMB(NTLM) Authentication Server [Expert]
Perform this procedure to configure an SMB(NTLM) authentication server if any of the ports is configured to use the NTLM (Windows NT/2000/2003 Domain) authentication method or the NTLM/DownLocal local fallback option.
Work with the NTLM server’s administrator to ensure that the following types of accounts are set up on the NTLM server and that the administrators of the OnSite and connected devices know the passwords assigned to the accounts:
If NTLM authentication is specified for KVM ports, accounts for users who need administrative access to the connected devices.
Make sure to configure a group or groups on the OnSite with the same names and members as the group or groups on the NTLM authentication server. (See To Add a Group [Expert].)
1.
The SMB(NTLM) screen displays as shown in the following figure.
Web Manager SMB(NTLM) Authentication Server Screen
2.
Fill in the screen according to your configuration of the SMB server.
3.
4.
To Configure a NIS Authentication Server [Expert]
Perform this procedure to identify the authentication server when the OnSite or any of its ports is configured to use the NIS authentication method or any of its variations (Local/NIS, NIS/Local, or NIS/DownLocal).
1.
The NIS screen displays as shown in the following figure.
Web Manager NIS Authentication Server Screen
2.
Fill in the screen according to your configuration of the NIS server.
3.
4.
To Configure a RADIUS Authentication Server [Expert]
Perform this procedure to identify the authentication server when the OnSite or any of its ports is configured to use the RADIUS authentication method or any of its variations (Local/RADIUS, RADIUS/Local, or RADIUS/DownLocal).
1.
The RADIUS screen displays as shown in the following figure.
Web Manager RADIUS Authentication Server Screen
2.
3.
4.
The changes are stored in /etc/raddb/server on the OnSite.
To Configure a TACACS+ Authentication Server [Expert]
Perform this procedure to configure a TACACS+ authentication server when the OnSite or any of its ports is configured to use the TACACS+ authentication method or any of its local fallback options (Local/TACACS+, TACACS+/Local, or TACACS+/DownLocal).
Work with the TACACS+ server’s administrator to ensure that the following types of accounts are set up on the TACACS+ server and that the administrators of the OnSite and connected devices know the passwords assigned to the accounts:
If TACACS+ authentication is specified for the OnSite, accounts for all users who need to perform administrative tasks, with those users assigned to a group called “admin.”
See Configuring Groups for TACACS+ for how the groups are configured on the TACACS+ server.
If TACACS+ authentication is specified for KVM ports, accounts for users who need administrative access to the connected devices.
Make sure to configure a group or groups on the OnSite with the same names and members as the group or groups on the TACACS+ authentication server. (See To Add a Group [Expert].)
1.
The TACACS+ screen appears.
Web Manager TACACS Authentication Server Screen
2.
Note: “Enable Raccess Authorization” must be checked if groups are configured as in To Add a Group [Expert].
3.
4.
The changes are stored in /etc/tacplus.conf on the OnSite.
