User Authentication Methods
TACACS+ (Terminal Access Controller Access Control System)
TACACS+ allows a remote access server to communicate with an authentication server to determine whether the user has access to the network. TACACS+ is a completely new protocol and is not compatible with TACACS or XTACACS. The vSLM 2 software supports TACACS+ only.
8: User Management
To configure the vSLM 2 software to use NIS to authenticate users:
1. On the menu, click Configuration > Authentication > NIS. The following page opens.
Figure 8-3 NIS Authentication Page - Configure Tab
2. Enter the following:
Table 8-4 NIS Authentication - Configure Tab
NIS Authentication Page Setting: Description
Domain: The NIS domain of the vSLM 2 secure management software must be the same as the NIS domain of the NIS server.
Master Server (required): The IP address or hostname of the master server.
Slave Server #1 - 5: The IP addresses or hostnames of up to five slave servers.
Broadcast for Server: Select the check box for the vSLM 2 software to send a broadcast datagram to find the NIS server on the local network.
Enabled: Displays selected if you previously enabled this method on the User Authentication page or on this page. To configure this authentication method but not enable it, clear the check box.
Note: You can enable this authentication method here or on the User Authentication page. If you enable it here, it is assigned the lowest priority on the User Authentication page.
3. To save, click the Update button. A confirmation message displays.
vSLM™ 2 Secure Management Software User Guide 99
LDAP
The administrator can configure the vSLM 2 secure management software to use LDAP to authenticate users attempting to log in to the vSLM 2 software through the web interface, SSH public key, Telnet, or the console port.
LDAP allows vSLM 2 software users to authenticate using a wide variety of LDAP servers, such as OpenLDAP and Microsoft Active Directory. The LDAP implementation supports LDAP servers that do not allow anonymous queries.
Note: For a user to log in remotely using LDAP, the user's account must have remote access (Remote Only or Local & Remote), or there must be an account defined whose login name is LDAP. See Accounts on page 125 for information on setting up accounts.
Users that are authenticated via an LDAP server may automatically be created and assigned to SLM account groups. There are two methods for this: one using any type of group name of the LDAP server, and one using groups prefixed with "SLM_" (for backward compatibility).
For the method using any type of group name, if an LDAP account is a member of a group AND an account group exists on the SLM with the same name, then a user logging into the SLM using LDAP authentication will have an account automatically created for them in the matching account group, and the user will inherit all permissions assigned to that group. If a user is a member of more than one group, the SLM will try each group (in the order they were received from the LDAP server) until it finds one that matches.
For the method using groups prefixed with "SLM_", if an LDAP account is a member of a group whose name has the format "SLM_xxxxx" AND an account group exists on the SLM named "xxxxx" (without the "SLM_" prefix), then a user logging into the SLM using LDAP authentication will have an account automatically created for them in the matching account group, and the user will inherit all permissions assigned to that group. Example: user "dsmith" has an account on the LDAP server and is a member of group "SLM_musers". The account group "musers" has been defined on the SLM. When user dsmith logs into the SLM, a "dsmith" account will be created in the "musers" account group and user dsmith will log into the SLM using that account. If the dsmith LDAP account is a member of more than one group starting with "SLM_", the first one received from the LDAP server will be used; any other "SLM_xxxxx" groups will be ignored.
If the LDAP account dsmith is later assigned to a different group, then at the next login the dsmith account on the SLM will be moved to the new account group.
If a user is a member of both groups prefixed with "SLM_xxxxx" and groups that are not, the groups that are prefixed with "SLM_xxxxx" will be used to assign group membership.
For some LDAP servers, such as Microsoft Active Directory LDAP servers, the User Login Attribute, Group Filter Objectclass and Group Member Attribute/Group Member Value may need to be specified for the group assignment features. See these fields below for their use and suggested values.
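As an added illustration (not code from the vSLM 2 product or this guide), the following Python simulates the group-assignment rules above and shows how the User Login Attribute, Group Filter Objectclass, Group Member Attribute and Group Member Value settings of Table 8-6 combine into LDAP search filters. The settings-key names, the constructed DNs and the treatment of an unmatched user as receiving no automatic account are assumptions.

```python
# Added example, not the vSLM 2 product's code; settings keys and DNs are made up here.
PREFIX = "SLM_"

def resolve_account_group(ldap_groups, slm_groups):
    """Pick the SLM account group for a user from the groups the LDAP server
    returned, in the order it returned them; None if nothing matches."""
    prefixed = [g for g in ldap_groups if g.startswith(PREFIX)]
    if prefixed:
        # SLM_ groups take precedence over plain names, and only the first one
        # received counts; any other SLM_ group is ignored.
        name = prefixed[0][len(PREFIX):]
        return name if name in slm_groups else None
    for g in ldap_groups:  # plain names: try each until one matches an SLM group
        if g in slm_groups:
            return g
    return None

def login(accounts, user, ldap_groups, slm_groups):
    """First LDAP login creates the local account; a later login whose group
    changed moves it. Assumption: no match means no automatic account."""
    group = resolve_account_group(ldap_groups, slm_groups)
    if group is not None:
        accounts[user] = group
    return group

def ldap_escape(value):
    """RFC 4515 escaping of a filter value, so a login name typed at the
    prompt cannot change the structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_filter(settings, login_name):
    """User-record search: uid by default, sAMAccountName on typical AD."""
    attr = settings.get("user_login_attribute") or "uid"
    return "(%s=%s)" % (attr, ldap_escape(login_name))

def membership_filter(settings, login_name, user_dn):
    """Group-record search (way 2 under Group Member Attribute), with the
    defaults the guide gives: posixGroup, memberUID for Name, uniqueMember for DN."""
    objectclass = settings.get("group_filter_objectclass") or "posixGroup"
    by_dn = settings.get("group_member_value", "Name") == "DN"
    attr = settings.get("group_member_attribute") or ("uniqueMember" if by_dn else "memberUID")
    return "(&(objectClass=%s)(%s=%s))" % (objectclass, attr, ldap_escape(user_dn if by_dn else login_name))
if __name__ == "__main__":
    accounts, slm_groups = {}, {"musers", "admins"}
    print(login(accounts, "dsmith", ["SLM_musers"], slm_groups))  # musers
    print(login(accounts, "dsmith", ["SLM_admins"], slm_groups))  # moved to admins
    ad = {"user_login_attribute": "sAMAccountName", "group_filter_objectclass": "Group",
          "group_member_attribute": "member", "group_member_value": "DN"}  # constructed AD settings
    print(user_filter(ad, "dsmith"), membership_filter(ad, "dsmith", "cn=dsmith,cn=Users,dc=domain,dc=com"))
```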
To configure the vSLM 2 secure management software to use LDAP to authenticate users:
1. On the menu, click Configuration > Authentication > LDAP. The following page opens.
Figure 8-5 LDAP Authentication Page - Configure Tab
2. Enter the following:
Table 8-6 LDAP Authentication Settings
LDAP Authentication Setting: Description
Server: The IP address or host name of the LDAP server.
Base: The name of the LDAP search base (e.g., dc=company,dc=com). May have up to 80 characters.
Bind Name: The name for a non-anonymous bind to an LDAP server. This item has the same format as the LDAP Base, for example cn=administrator,cn=Users,dc=domain,dc=com.
Bind Password and Retype Password: Password for a non-anonymous bind. This entry is optional. Acceptable characters are a-z, A-Z, and 0-9. The maximum length is 127 characters.
User Login Attribute: The attribute used by the LDAP server for user logins. If nothing is specified for the user filter, the SLM will use "uid". For AD LDAP servers, the attribute for user logins is typically "sAMAccountName".
Group Filter Objectclass: The objectclass used by the LDAP server for groups. If nothing is specified for the group filter, the SLM will use "posixGroup". For AD LDAP servers, the objectclass for groups is typically "Group".
Group Member Attribute: The attribute used by the LDAP server for group membership. This attribute may be used in two ways to search for a user's group membership:
1. When the user's login record is retrieved (see User Login Attribute), the SLM searches the user's record for an attribute that matches the Group Member Attribute. If nothing is specified for the group member attribute, the SLM will use "memberUID". For AD LDAP servers, the value used for this is typically "memberOf".
2. To search through group records for group membership by a name (e.g., "msmith") or a Distinguished Name (e.g., "uid=msmith,ou=People,dc=ltx,dc=com").
Group Member Value: Select either Name or DN as appropriate for the LDAP server. If nothing is specified for the group member attribute, the SLM will use "memberUID" for Name and "uniqueMember" for DN. For AD LDAP servers, the Group Member Value is typically DN, with a Group Member Attribute of "member".
Port: Number of the TCP port on the LDAP server to which the vSLM 2 secure management software talks. The default setting is 389.
Active Directory Support: Select to enable. Active Directory is a directory service from Microsoft that is part of Windows® 2000 and later versions of Windows. It stores information about network resources within a domain. It is LDAP- and Kerberos-compliant. Disabled by default.
Encrypt: Select Start TLS or SSL to encrypt messages between the SLM and the LDAP server. Disabled by default.
If Start TLS is selected, the port will automatically be set to 389 and the StartTLS extension will be used to initiate a secure connection.
If SSL is selected, the port will automatically be set to 636 and an SSL tunnel will be used for LDAP communication. The port number can be changed to a non-standard LDAP port; if the port number is set to anything other than 636, Start TLS will be used as the encryption method.
Enabled: Displays selected if you previously enabled this method on the User Authentication page or on this page. To configure this authentication method but not enable it, clear the check box.
Note: You can enable this authentication method here or on the User Authentication page. If you enable it here, it is assigned the lowest priority on the User Authentication page.
3. To save, click the Update button. A confirmation message displays.
RADIUS
The administrator can configure the vSLM 2 secure management software to use RADIUS to authenticate users attempting to log in to the vSLM 2 software through the web interface, SSH public key, Telnet, or the console port.
Note: For a user to log in remotely using RADIUS, the user's account must have remote access (Remote Only or Local & Remote), or there must be an account defined whose login name is RADIUS. See Accounts on page 125 for information on setting up accounts.
To configure the vSLM 2 software to use RADIUS to authenticate users:
1. On the menu, click Configuration > User Authentication > RADIUS. The following page opens.
Figure 8-7 RADIUS Authentication Page - Configure Tab
2. Enter the following:
Table 8-8 RADIUS Authentication Settings