Group Support With Remote Authentication; Remote Groups With Radius Authentication - Tripp Lite B092-016 Owner's Manual

Chapter 9: Authentication
Example 3:
User C is defined on a RADIUS server only. He has access to all serial ports and network hosts.
Example 4:
User D is locally defined on an appliance that uses RADIUS for AAA. Even if the user is also defined on the RADIUS server, he will only have access to those serial ports and network hosts he has been authorized to use on the appliance.
If the "no local AAA" option is selected, root will still be authenticated locally.
Remote users may be added to the admin group via either RADIUS or TACACS+. Users may have a set of authorizations configured on the remote TACACS+ server. Users automatically added by RADIUS have authorization for all resources, whereas those added locally still need their authorizations specified.
LDAP has not been modified and still requires locally defined users.
9.1.6 Group support with remote authentication

All Console Servers allow remote authentication via RADIUS, LDAP and TACACS+. With firmware V3.2 and later, RADIUS and LDAP can additionally restrict user access based on group information or membership. For example, with remote group support, RADIUS and LDAP users can be placed in a local group that has been set up with restricted access to serial ports, network hosts and managed devices.
Remote authentication with group support works by matching a local group name with a remote group name supplied by the authentication service. If any of the remote group names returned by the authentication service matches a local group name, the user is given the permissions configured for that local group; remote names with no local counterpart grant nothing, so the authorization decision always stays with the Console Server's own group configuration.
To enable group support for remote authentication services:
• Select Serial & Network: Authentication
• Select the relevant Authentication Method
• Check the Use Remote Groups checkbox
9.1.7 Remote groups with RADIUS authentication

• Enter the RADIUS Authentication and Authorization Server Address and Server Password
• Click Apply
• Edit the RADIUS users file to include the group information and restart the RADIUS server
When using RADIUS authentication, group names are provided to the Console Server in the Framed-Filter-Id attribute. This is a standard RADIUS attribute (attribute 11 in RFC 2865), so it may already be in use by other devices that authenticate against the same RADIUS server.
To interoperate with such devices, the group names can be appended to any existing content of the attribute as a colon-delimited field in the following format:
:group_name=testgroup1,users:
The above example makes the remote user a member of testgroup1 and users, provided groups with those names exist on the Console Server. Any group that does not exist on the Console Server is ignored, so a RADIUS reply cannot grant rights the local configuration does not define.
When setting Framed-Filter-Id, the RADIUS server may strip the leading colon when the field in front of it is empty, which breaks the field parsing. To work around this, put some dummy text before the first colon. For example:
dummy:group_name=testgroup1,users:
The manual's sample RADIUS users file (FreeRADIUS users file syntax, check item on the username line and reply items indented beneath it) defines two users; only TomFraser carries a Framed-Filter-Id reply attribute and is therefore the only one mapped to a local group:
TomFraser    Cleartext-Password := "FraTom70"
             Framed-Filter-Id = ":group_name=admin:"

AmandaJones  Cleartext-Password := "JonAma83"
• If no group is specified for a user, as for AmandaJones above, the user has no web User Interface or serial port access, only limited console access
• Default groups available on the Console Server include 'admin' for administrator access and 'users' for general user access
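The group matching described in this section, written out as an added Python example (this is not code from the Tripp Lite manual or firmware; it models the behaviour the text describes). It parses the Framed-Filter-Id value, maps the remote group names onto a constructed set of local groups, and builds a reply value that appends the group field after any existing filter content, using the dummy prefix when there is none. Assumptions not stated on the page: fields are separated by colons and group names by commas, surrounding whitespace is ignored, and the parser also tolerates a value whose leading colon was already stripped by the RADIUS server.

```python
"""Framed-Filter-Id group mapping, modelled on the Tripp Lite B092-016 manual.

Added example, not vendor code. Assumes the ':group_name=a,b:' field format
from the manual; the local group set below is a constructed sample.
"""
import re

# Groups assumed to exist on the Console Server (constructed sample).
LOCAL_GROUPS = {"admin", "users", "testgroup1"}

# The group_name field sits between colons; '^' also accepts a value whose
# leading colon the RADIUS server stripped (an assumption, see lead-in).
_GROUP_FIELD = re.compile(r"(?:^|:)group_name=([^:]*)(?::|$)")


def remote_groups(framed_filter_id):
    """Return the group names asserted by the RADIUS reply, in order, deduplicated."""
    if not framed_filter_id:
        return []
    match = _GROUP_FIELD.search(framed_filter_id)
    if match is None:
        return []
    groups = []
    for name in match.group(1).split(","):
        name = name.strip()
        if name and name not in groups:
            groups.append(name)
    return groups


def effective_groups(framed_filter_id, local_groups=LOCAL_GROUPS):
    """Keep only remote names that exist locally; unknown names are ignored,
    so the reply can never grant a group the Console Server does not define."""
    return [g for g in remote_groups(framed_filter_id) if g in local_groups]


def ui_and_serial_access(framed_filter_id, local_groups=LOCAL_GROUPS):
    """A user mapped to no local group gets no web UI or serial port access."""
    return bool(effective_groups(framed_filter_id, local_groups))


def framed_filter_id_for(groups, existing=""):
    """Build the reply value. The group field is appended after any existing
    filter content; with no existing content a 'dummy' prefix keeps the
    leading colon from being stripped, as the manual recommends."""
    prefix = existing if existing else "dummy"
    return f"{prefix}:group_name={','.join(groups)}:"


if __name__ == "__main__":
    # Constructed sample replies, including one with a pre-existing filter name.
    for value in [":group_name=admin:", "acl_in:group_name=testgroup1,users:",
                  ":group_name=nosuchgroup:", None]:
        print(repr(value), "->", effective_groups(value),
              "ui/serial access:", ui_and_serial_access(value))
    print(framed_filter_id_for(["testgroup1", "users"]))
```

Run stand-alone, the script shows that a reply naming only a non-existent group yields no local groups and no access, the same outcome as a reply with no Framed-Filter-Id at all.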