
RADIUS Authentication

Server #1: IP address or hostname of the primary RADIUS server.

Server #1 Port: Number of the TCP port on the RADIUS server used for the RADIUS service. If you do not specify a port, the vSLM 2 secure management software uses the default RADIUS port (1812).

Note: Older RADIUS servers may use 1645 as the default port. Check your RADIUS server configuration.

Server #1 Secret: Text that serves as the shared secret between the RADIUS client (the vSLM 2 software) and the RADIUS server. The shared secret is used to encrypt the password sent between the client and the server. May have up to 128 characters.

Server #2: IP address or hostname of the secondary RADIUS server.

Server #2 Port: Number of the TCP port on the RADIUS server used for the RADIUS service. If you do not specify a port, the vSLM 2 software uses the default RADIUS port (1812).

Note: Older RADIUS servers may use 1645 as the default port. Check your RADIUS server configuration.

Server #2 Secret: Text that serves as the shared secret between the RADIUS client (the vSLM 2 software) and the RADIUS server. The shared secret is used to encrypt the password sent between the client and the server. May have up to 128 characters.

Timeout: The number of seconds after which the connection attempt times out. The default setting is 30.

Enabled: Selected if you previously enabled this method on the User Authentication page or on this page. To configure this authentication method without enabling it, clear the check box.

Note: You can enable this authentication method here or on the User Authentication page. If you enable it here, it is assigned the lowest priority on the User Authentication page.

8: User Management

vSLM™ 2 Secure Management Software User Guide 103

Kerberos

Kerberos is a network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography.

The administrator can configure the vSLM 2 secure management software to use Kerberos to authenticate users attempting to log in to the vSLM 2 software through the web interface, SSH, Telnet, or the console port.

Note: For a user to log in remotely using Kerberos, the user's account must have remote access (Remote Only or Local & Remote), or there must be an account defined whose login name is Kerberos. See Accounts on page 125 for information on setting up accounts.

To configure the vSLM 2 software to use Kerberos to authenticate users:

1. On the menu, select Configuration > Authentication > Kerberos. The following page opens.

Figure 8-9 Kerberos Authentication Page - Configure Tab

2. Enter the following:

Table 8-10 Kerberos Authentication Settings

Realm: Enter the name of the logical network served by a single Kerberos database and a set of Key Distribution Centers. Realm names are usually all uppercase letters to differentiate the realm from the Internet domain. A realm is similar in concept to an NT domain.

KDC: A key distribution center (KDC) is a server that issues Kerberos tickets. A ticket is a temporary set of electronic credentials that verifies the identity of a client for a particular service. Enter the KDC as a fully qualified domain name (FQDN), for example SLC.local.

IP Address: Enter the IP address of the Key Distribution Center (KDC).

Port: Port on which the KDC listens for requests. Enter an integer with a maximum value of 65535. The default setting is 88.

Use LDAP: Indicates whether Kerberos relies on LDAP to look up user IDs and group IDs. This setting is disabled by default.

Note: Make sure to configure LDAP if you select this option.

Enabled: Selected if you previously enabled this method on the User Authentication page or on this page. To configure this authentication method without enabling it, clear the check box.

Note: You can enable this authentication method here or on the User Authentication page. If you enable it here, it is assigned the lowest priority on the User Authentication page.

3. To save, click the Update button. A confirmation message displays.

TACACS+

Similar to RADIUS, the main function of TACACS+ is to perform authentication for remote access. The vSLM 2 software supports the TACACS+ protocol (not the older TACACS or XTACACS protocols).

The administrator can configure the vSLM 2 secure management software to use TACACS+ to authenticate users attempting to log in to the vSLM 2 software through the web interface, SSH, Telnet, or the console port.

Note: For a user to log in remotely using TACACS+, the user's account must have remote access (Remote Only or Local & Remote), or there must be an account defined whose login name is TACACS.

To configure the vSLM 2 software to use TACACS+ to authenticate users:

1. On the menu, select Configuration > Authentication > TACACS. The following page opens.

Figure 8-11 TACACS+ Authentication Page - Configure Tab

2. Enter the following:

Table 8-12 TACACS+ Authentication Settings

3. To save, click the Update button. A confirmation message displays.

SSH Keys

The vSLM 2 secure management software can import and export SSH keys to facilitate shared key authentication for all incoming and outgoing SSH connections. By using a public/private key pair, a user can access multiple hosts with a single passphrase, or, if a passphrase is not used, a user can access multiple hosts without entering a password.

For imported and exported SSH keys, the vSLM 2 software supports both RSA and DSA keys and can import and export keys in OpenSSH and SECSH formats. Both imported and exported keys must be associated with a local vSLM 2 software user.

Imported Keys

Imported SSH keys must be associated with a vSLM 2 software local user. The key can be generated on host "MyHost" for user "MyUser," and when the key is imported into the vSLM 2 software, it must be associated with either "MyUser" (if "MyUser" is an existing vSLM 2 software local user) or an alternate vSLM 2 software local user. The public key file can be imported through SCP or FTP; once the file is imported, you can view or delete the public key. Any SSH connection into the vSLM 2 secure management software from the designated host/user combination uses the SSH key for authentication.

Exported Keys

The vSLM 2 software can generate SSH keys for SSH connections out of the vSLM 2 software for any vSLM 2 software user. The vSLM 2 secure management software retains both the private and public key on the vSLM 2 software, and makes the public key available for export through SCP, FTP, or copy and paste. The name of the key is used to generate the name of the public key file that is exported (for example, <keyname>.pub), and the exported keys are organized by user and key name. Once a key is generated and exported, any SSH connection out of the vSLM 2 software for the designated host/user combination uses the SSH key for authentication.
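As an added example (not code from the guide or the vSLM 2 software), the following Python handles the two public key formats named above for both imported and exported keys: it converts between the OpenSSH one-line form and the SECSH (RFC 4716) form, accepts only the RSA and DSA key types the guide supports, and computes the SHA256 fingerprint so an administrator can compare it with ssh-keygen -l on the originating host before associating the key with a local user. TOY_BLOB is a constructed key blob with a toy-sized modulus, not a usable key.

```python
import base64
import hashlib
import struct

# Key types the guide says can be imported/exported (OpenSSH wire names).
SUPPORTED_TYPES = {"ssh-rsa", "ssh-dss"}
# Constructed toy RSA blob (type string, e=65537, 33-byte "modulus"); NOT a usable key.
TOY_BLOB = (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01"
            + b"\x00\x00\x00\x21\x00" + b"\xab" * 32)

def key_type(blob):
    """The RFC 4253 blob begins with its own type string; trust that, not the label."""
    (n,) = struct.unpack("!I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def parse_openssh(line):
    """'ssh-rsa AAAA... comment' -> (blob, comment); the label must match the blob."""
    parts = line.split(None, 2)
    blob = base64.b64decode(parts[1])
    if parts[0] != key_type(blob) or parts[0] not in SUPPORTED_TYPES:
        raise ValueError("unsupported or inconsistent key type: " + parts[0])
    return blob, (parts[2].strip() if len(parts) > 2 else "")

def parse_secsh(text):
    """RFC 4716 (SECSH): BEGIN line, 'Name: value' headers, wrapped base64, END line."""
    comment, body = "", []
    for ln in text.strip().splitlines()[1:-1]:
        if ":" in ln:  # header line (base64 never contains ':')
            name, _, value = ln.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(ln.strip())
    blob = base64.b64decode("".join(body))
    if key_type(blob) not in SUPPORTED_TYPES:
        raise ValueError("unsupported key type: " + key_type(blob))
    return blob, comment

def to_openssh(blob, comment):
    return f"{key_type(blob)} {base64.b64encode(blob).decode()} {comment}".rstrip()

def to_secsh(blob, comment):
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 72] for i in range(0, len(b64), 72))
    return (f'---- BEGIN SSH2 PUBLIC KEY ----\nComment: "{comment}"\n'
            f"{wrapped}\n---- END SSH2 PUBLIC KEY ----\n")

def fingerprint(blob):
    """Same SHA256 fingerprint 'ssh-keygen -l' shows; compare it before trusting an import."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
```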
