User Manual
NOTE
The certificate needs to be in CRT format and myCA.crt needs to be installed onto the console server at /etc/config/ldaps_ca.crt. The file name must be ldaps_ca.crt. You need to copy the file to this location and file name manually using 'scp' or the like, e.g.
scp /local/path/to/myCA.crt root@console_server:/etc/config/ldaps_ca.crt
5. Enter the Server Password
6. Click Apply.
LDAP remote authentication is used for all user access to the console server and to serially or network attached devices.
8.1.5 RADIUS/TACACS user configuration
Users may be added to the local console server appliance. If they are not added and they log in via remote AAA, a user will be added for them. This user will not show up in the Opengear configurators unless they are specifically added, at which point they are transformed into a local user. The newly added user must authenticate against the remote AAA server and will have no access if it is down.
If a local user logs in, they may be authenticated / authorized from the remote AAA server, depending on
the chosen priority of the remote AAA. A local user's authorization is the union of local and remote
privileges.
Example 1:
User Tim is locally added and has access to ports 1 and 2. He is also defined on a remote
TACACS server, which says he has access to ports 3 and 4. Tim may log in with either his local or
TACACS password and will have access to ports 1 through 4. If TACACS is down, he will need to
use his local password, and will only be able to access ports 1 and 2.
Example 2:
User Lynn is only defined on the TACACS server, which says she has access to ports 5 and 6. When she attempts to log in a new user will be created for her, and she will be able to access ports 5 and 6. If the TACACS server is down she will have no access.
Example 3:
User Paul is defined on a RADIUS server only. He has access to all serial ports and network hosts.
Example 4:
User Don is locally defined on an appliance using RADIUS for AAA. Even if Don is also defined on
the RADIUS server he will only have access to those serial ports and network hosts he has been
authorized to use on the appliance.
If a no local AAA option is selected, root will be authenticated locally.
Remote users may be added to the admin group via either RADIUS or TACACS. Users may have a set of
authorizations set on the remote TACACS server. Users automatically added by RADIUS will have
authorization for all resources, whereas those added locally will need their authorizations specified.
LDAP has not been modified and needs locally defined users.
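The authorization rules in Examples 1 to 4 above, as an added illustration (not Opengear firmware code): a small model of the effective port set a user ends up with, including the fallback when the remote AAA server is down. The Account type, the port numbering and the simplification that a user unknown to the remote server is checked against the local password are assumptions of this example.

```python
"""Model of the remote-AAA authorization rules (Examples 1-4).

Added illustration, not Opengear code. Port numbers and the Account
record are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Constructed: the appliance's serial ports, used for "all resources".
ALL_PORTS: FrozenSet[int] = frozenset(range(1, 9))


@dataclass(frozen=True)
class Account:
    """Ports a given account (local or remote) is authorized to use."""
    ports: FrozenSet[int]


def effective_ports(local: Optional[Account], remote: Optional[Account],
                    aaa_type: str, server_up: bool) -> Optional[Set[int]]:
    """Return the ports the user may access, or None if login is refused.

    local  - account defined on the appliance, or None
    remote - account defined on the RADIUS/TACACS server, or None
    """
    if aaa_type not in ("TACACS", "RADIUS"):
        raise ValueError(f"unsupported AAA type: {aaa_type}")
    if not server_up or remote is None:
        # Only a locally defined user can fall back to the local password
        # (Example 1, server down); a remote-only user gets nothing
        # (Example 2, server down).
        return set(local.ports) if local else None
    if aaa_type == "TACACS":
        # TACACS supplies a per-user port list (Examples 1 and 2).
        remote_ports: Set[int] = set(remote.ports)
    elif local is None:
        # RADIUS-only user: authorized for all resources (Example 3).
        remote_ports = set(ALL_PORTS)
    else:
        # Locally defined user on a RADIUS appliance: only the ports
        # authorized on the appliance itself (Example 4).
        remote_ports = set()
    # Authorization is the union of local and remote privileges.
    local_ports = set(local.ports) if local else set()
    return local_ports | remote_ports


if __name__ == "__main__":
    tim_local, tim_tacacs = Account(frozenset({1, 2})), Account(frozenset({3, 4}))
    print("Tim, TACACS up:  ", effective_ports(tim_local, tim_tacacs, "TACACS", True))
    print("Tim, TACACS down:", effective_ports(tim_local, tim_tacacs, "TACACS", False))
    print("Lynn, TACACS down:", effective_ports(None, Account(frozenset({5, 6})), "TACACS", False))
```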
8.1.6 Group support with remote authentication
All console servers allow remote authentication via RADIUS, LDAP and TACACS. RADIUS and LDAP can provide additional restrictions on user access based on group information or membership. For example, with remote group support, users can belong to a local group that has been set up to have restricted access to serial ports, network hosts and managed devices.
Remote authentication with group support works by matching a local group name with a remote group
name provided by the authentication service. If the list of remote group names returned by the