Chapter 8: Authentication
8.2 PAM (Pluggable Authentication Modules)
The console server supports RADIUS, TACACS+ and LDAP authentication via PAM (Pluggable Authentication Modules); two-factor authentication is supported where the remote RADIUS or TACACS+ server implements it. PAM is a flexible mechanism for authenticating users. A number of new ways of authenticating users have become popular, and the challenge is that each time a new authentication scheme is developed, every program that authenticates users (login, ftpd, etc.) would otherwise have to be rewritten to support it.
PAM provides a way to develop programs that are independent of the authentication scheme. These programs have authentication modules attached to them at run-time in order to work; which module is attached depends on the local system setup and is at the discretion of the local administrator.
The console server family supports PAM, to which we have added the following modules for remote authentication:
RADIUS - pam_radius_auth (http://www.freeradius.org/pam_radius_auth/)
TACACS+ - pam_tacplus (http://echelon.pl/pubs/pam_tacplus.html)
LDAP - pam_ldap (http://www.padl.com/OSS/pam_ldap.html)
Further modules can be added as required.
Changes may be made to the files in /etc/config/pam.d/, and these changes persist even if the authentication configurator is run again.
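The following Python model is an added illustration of how a PAM stack such as the ones kept under /etc/config/pam.d/ decides whether a login succeeds; it is not code or configuration shipped on the console server. The two sample stacks, the simulated module outcomes and the use of pam_unix.so as the local fallback are constructed for this example, and the evaluation logic is a simplification of Linux-PAM's handling of the control flags required, requisite, sufficient and optional. It shows why listing pam_radius_auth as sufficient ahead of a required local module gives a local fallback when the RADIUS server is unreachable, and why that fallback does nothing for an account that has no local password.

```python
"""Illustration of how a PAM stack decides an authentication result.

Added example; this is NOT code or configuration shipped with the Opengear
console server. It models a simplified version of Linux-PAM's control-flag
semantics (required / requisite / sufficient / optional) and runs it against
constructed pam.d-style stacks and simulated module outcomes.
"""

# Constructed sample stack, written in the style of a file under
# /etc/config/pam.d/ (assumption: the real file on a given unit may differ).
REMOTE_FIRST_STACK = """
# Ask the RADIUS server first; a success here is enough to log in.
auth    sufficient  pam_radius_auth.so
# Otherwise fall back to the local password database.
auth    required    pam_unix.so
"""

# Constructed stricter variant: both modules must succeed, so there is no
# local fallback when the RADIUS server is unreachable.
REMOTE_REQUIRED_STACK = """
auth    required    pam_radius_auth.so
auth    required    pam_unix.so
"""


def parse_stack(text):
    """Parse 'type control module [args]' lines; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM rule: {line!r}")
        module_type, control, module = fields[0], fields[1].lower(), fields[2]
        rules.append((module_type, control, module))
    return rules


def evaluate(rules, outcomes, module_type="auth"):
    """Return True if the stack grants access.

    outcomes maps a module name to True (PAM_SUCCESS) or False (any other
    return code). A remote server that cannot be reached makes a module
    return PAM_AUTHINFO_UNAVAIL, which the simple control keywords treat as
    a failure, so it is modelled as False here.
    """
    impression = None  # None = nothing decided yet, else "positive" / "negative"
    for rule_type, control, module in rules:
        if rule_type != module_type:
            continue
        ok = outcomes.get(module, False)
        if control == "required":
            # Failure is remembered but later modules still run (so the
            # caller cannot tell which module rejected the login).
            if ok:
                if impression is None:
                    impression = "positive"
            else:
                impression = "negative"
        elif control == "requisite":
            # Failure ends the stack immediately.
            if not ok:
                return False
            if impression is None:
                impression = "positive"
        elif control == "sufficient":
            # Success ends the stack with access granted, unless an earlier
            # required module has already failed; failure is simply ignored.
            if ok and impression != "negative":
                return True
        elif control == "optional":
            # Only matters when no other module has set the result.
            if ok and impression is None:
                impression = "positive"
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    # An undecided stack (e.g. every sufficient module failed) denies access.
    return impression == "positive"


def scenarios():
    """Run both constructed stacks against the cases the text describes."""
    remote_first = parse_stack(REMOTE_FIRST_STACK)
    remote_required = parse_stack(REMOTE_REQUIRED_STACK)
    radius_ok = {"pam_radius_auth.so": True, "pam_unix.so": False}
    radius_down_local_pw = {"pam_radius_auth.so": False, "pam_unix.so": True}
    # An account created on demand has no local password, so pam_unix fails.
    radius_down_auto_account = {"pam_radius_auth.so": False, "pam_unix.so": False}
    return {
        "remote_first/radius_ok": evaluate(remote_first, radius_ok),
        "remote_first/radius_down_local_pw": evaluate(remote_first, radius_down_local_pw),
        "remote_first/radius_down_auto_account": evaluate(remote_first, radius_down_auto_account),
        "remote_required/radius_down_local_pw": evaluate(remote_required, radius_down_local_pw),
    }


if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'access granted' if granted else 'access denied'}")
```

Run it directly to print the four outcomes. The same model applies with pam_tacplus or pam_ldap in place of pam_radius_auth; what decides the result is the control flag and the order of the lines, which is exactly what editing the files under /etc/config/pam.d/ changes.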
• Users added on demand: when a user attempts to log in but does not have an account on the console server, a new user account is created. This account has no rights and no password set, and it does not appear in the Opengear configuration tools. Automatically added accounts cannot log in if the remote AAA servers are unavailable (there is no local password to fall back on).
• Admin rights granted over AAA: users may be granted administrator rights via networked AAA. For TACACS+, a priv-lvl of 12 or above indicates an administrator. For RADIUS, administrators are indicated via the Framed-Filter-Id attribute (see the example configuration files below).
• Authorization via TACACS+, LDAP or RADIUS using remote groups.
• Authorization via TACACS+ for both serial ports and host access: