Table of Contents
Advertisement
in to the Web Interface or CLI via SSH using a username and password that are checked against
the credentials stored in a local NetDefendOS database.
An alternative to using a local database is to have NetDefendOS perform authentication of the
entered credentials against an external RADIUS server. This is done by changing the properties of
the Remote Management object mgmt_http for Web Interface access and/or the properties of the
mgmt_ssh object for CLI access via SSH. Configuring either of these objects for RADIUS
authentication consists of the following steps:
•
Select the Authentication Source property to be RADIUS.
•
Select the Authentication Order property to be one of the following:
i.
Local First - The login credentials are first looked up in the local user database. If not
found in the local database, the configured RADIUS servers are queried.
ii.
Local Last - The local database is only queried if none of the configured RADIUS servers
responds to an authentication request.
•
Select one or more RADIUS servers to use for authentication. If there is more than one, they
will be tried sequentially if one is unavailable. The servers selected must have already been
configured as Radius Server objects in NetDefendOS (see Section 8.2.3, "External RADIUS
Servers" for how to do this).
•
Specify the Admin Groups and/or Audit Groups to decide which kind of access will be given
once login credentials are authenticated by a RADIUS server. These group names are
matched by NetDefendOS against the group name returned for the user by the RADIUS
server. Setting either of these properties to the single wildcard character asterisk "*" means
any group will get that access. Leaving either property blank means no user can have that
type of access.
The administrator group names take precedence over the auditor groups. This means if a
user is first authenticated by being a member of the administrator groups, auditor group
membership is ignored. Therefore, specifying the asterisk "*" character for the Admin
Groups property means that auditor group membership will never be checked.
Note that the wildcard "*" character can be used instead of all or part of a group name. For
example, the string sys* means any group name that begins with the three letters sys.
Important: Group membership must be defined on the server
It is important to note that all management users authenticated by a RADIUS server
must have their group membership defined on the RADIUS server. They cannot be
authenticated without group membership which NetDefendOS matches against the
Admin Groups and Audit Groups properties.
Note: Set the RADIUS Vendor ID for group membership
If the RADIUS server is required to send the group membership, it is necessary to use the
user group vendor specific attribute vendor when configuring the server. The
NetDefendOS Vendor ID is 5089 and the user group is defined as vendor-type 1 with a
string value type.
The Login Message Changes for a Group Mismatch
Chapter 2: Management and Maintenance
68
- Quick Links:
- User Manual
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
