Tripp Lite B092-016 Owner's Manual Page 131
9.2 PAM (Pluggable Authentication Modules)

The Console Server supports RADIUS, TACACS+ and LDAP for two-factor authentication via PAM (Pluggable Authentication Modules). PAM is a flexible mechanism for authenticating Users. Nowadays, a number of new ways of authenticating users have become popular. The challenge is that each time a new authentication scheme is developed, all the necessary programs (login, ftpd, etc.) have to be rewritten to support it.

PAM provides a way to develop programs that are independent of the authentication scheme. These programs need "authentication modules" to be attached to them at run-time in order to work. Which authentication module is attached depends upon the local system setup and is at the discretion of the local Administrator.

The Console Server family supports PAM, to which we have added the following modules for remote authentication:

RADIUS - pam_radius_auth (http://www.freeradius.org/pam_radius_auth/)
TACACS+ - pam_tacplus (http://echelon.pl/pubs/pam_tacplus.html)
LDAP - pam_ldap (http://www.padl.com/OSS/pam_ldap.html)

Further modules can be added as required.

Changes may be made to files in /etc/config/pam.d/ and will persist, even if the authentication configurator is run.

Users added on demand:
When a user attempts to log in but does not already have an account on the Console Server, a new user account will be created. This account will not have any rights and will have no password set. Such users will not appear in the configuration tools. Automatically added accounts will not be able to log in if the remote servers are unavailable. RADIUS users are currently assumed to have access to all resources, so they will only be authorized to log in to the Console Server. RADIUS users will be authorized each time they access a new resource.

Admin rights granted over AAA:
Users may be granted Administrator rights via networked AAA. For TACACS, a priv-lvl of 12 or above indicates an administrator. For RADIUS, administrators are indicated via the Framed Filter ID. (See the example configuration files below.)

Authorization via TACACS for both serial ports and host access:
Permission to access resources may be granted via TACACS by indicating an appliance and a port or networked host the user may access. (See the example configuration files below.)

TACACS Example:

    user = tim {
        service = raccess {
            priv-lvl = 11
            port1 = xxxxx/port02
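As an added illustration (not code from the manual or from the Tripp Lite firmware), the following Python parses a user block in the layout shown above and applies the two rules this section states: a priv-lvl of 12 or above marks an administrator, and each portN = appliance/port entry under service = raccess grants that user one port or host. The appliance name cs-lab1 and the user alice are constructed placeholders; that an administrator may reach any port is an assumption made for the can_access() check, and how pam_tacplus itself consumes these attributes is not described on this page.

```python
import re
ADMIN_PRIV_LVL = 12  # manual: a priv-lvl of 12 or above indicates an administrator
# Constructed sample in the manual's layout; appliance "cs-lab1" and user "alice"
# are placeholders, not values taken from the manual.
SAMPLE_CONFIG = """
user = tim {
    service = raccess {
        priv-lvl = 11
        port1 = cs-lab1/port02
    }
}
user = alice {
    service = raccess {
        priv-lvl = 15
    }
}
"""
_USER_RE = re.compile(r"^user\s*=\s*(\S+)\s*\{$")
_SERVICE_RE = re.compile(r"^service\s*=\s*(\S+)\s*\{$")
_ATTR_RE = re.compile(r"^([\w-]+)\s*=\s*(\S+)$")

def parse_tacacs_config(text):
    """Return {user: {"priv_lvl": int or None, "ports": [(appliance, port_or_host), ...]}}."""
    grants, user, service, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if m := _USER_RE.match(line):
            user, depth = grants.setdefault(m.group(1), {"priv_lvl": None, "ports": []}), depth + 1
        elif m := _SERVICE_RE.match(line):
            service, depth = m.group(1), depth + 1
        elif line == "}":
            depth -= 1
            service, user = (service if depth >= 2 else None), (user if depth >= 1 else None)
        elif user is not None and service == "raccess" and (m := _ATTR_RE.match(line)):
            key, value = m.groups()
            if key == "priv-lvl" and value.isdigit():
                user["priv_lvl"] = int(value)
            elif key.startswith("port"):  # portN = appliance/port-or-host
                user["ports"].append(tuple(value.partition("/")[::2]))
    return grants

def is_admin(grant):
    return grant["priv_lvl"] is not None and grant["priv_lvl"] >= ADMIN_PRIV_LVL

def can_access(grants, user, appliance, port):
    """Assumption: an administrator reaches any port; other users only the pairs listed."""
    grant = grants.get(user)
    return grant is not None and (is_admin(grant) or (appliance, port) in grant["ports"])
```

Attributes under any service other than raccess are ignored, and a user block with no priv-lvl is treated as a non-administrator with no port grants.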