
User Authentication Methods

TACACS+ (Terminal Access Controller Access Control System)

TACACS+ allows a remote access server to communicate with an authentication server to determine whether the user has access to the network. TACACS+ is a completely new protocol and is not compatible with TACACS or XTACACS. The SLM supports TACACS+ only.

SecurID

SecurID is a two-factor authentication method based on the user's SecurID token and PIN. The SecurID token displays a string of digits called a token code that changes once a minute (some tokens are set to change codes every 30 seconds).

Select RADIUS if a RADIUS server is used as a proxy for SecurID. Select SecurID if a native SecurID server is used.


To configure the SLM to use NIS to authenticate users:

1. On the menu, click Configuration > Authentication > NIS. The following page opens.

Figure 8-3 NIS Authentication Page - Configure Tab

2. Enter the following:

Table 8-4 NIS Authentication - Configure Tab

NIS Authentication Page Setting: Description

Domain: The NIS domain of the SLM must be the same as the NIS domain of the NIS server.

Master Server (required): The IP address or hostname of the master server.

Slave Server #1 - 5: The IP addresses or hostnames of up to five slave servers.

Broadcast for Server: Select the check box for the SLM to send a broadcast datagram to find the NIS server on the local network.

Enabled: Displays selected if you previously enabled this method on the User Authentication page or on this page. To configure this authentication method but not enable it, clear the check box.

Note: You can enable this authentication method here or on the User Authentication page. If you enable it here, it is assigned the lowest priority on the User

3. To save, click the Update button. A confirmation message displays.

LDAP

The administrator can configure the SLM to use LDAP to authenticate users attempting to log in to the SLM through the web interface, SSH public key, Telnet, or the console port.

LDAP allows SLM users to authenticate using a wide variety of LDAP servers, such as OpenLDAP and Microsoft Active Directory. The LDAP implementation supports LDAP servers that do not allow anonymous queries.

Note: For a user to log in remotely using LDAP, the user's account must have remote access (Remote Only or Local & Remote), or there must be an account defined whose login name is LDAP. See Accounts on page 125 for information on setting up accounts.

Note: Users that are authenticated via a Microsoft Active Directory LDAP server may automatically be created and assigned to SLM account groups. If an LDAP account is made a Member of a Group whose name has the format "SLM_xxxxx" AND an account group exists on the SLM named "xxxxx" (without the "SLM_" prefix), then a user logging into the SLM using LDAP authentication will have an account automatically created for them in the matching account group, and the user will inherit all permissions assigned to that group.

Example: user "dsmith" has an account on the LDAP server and is a member of group "SLM_musers". The account group "musers" has been defined on the SLM. When user dsmith logs into the SLM, a "dsmith" account will be created in the "musers" account group and user dsmith will log into the SLM using that account.

If the dsmith LDAP account is a member of more than one group starting with "SLM_", the first one found will be used. If later the LDAP account dsmith is assigned to a different "SLM_xxxxx" group, then at the next login the dsmith account on the SLM will be moved to the new account group.
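The following is an added example (not Lantronix code) that models the "SLM_xxxxx" group-to-account-group mapping rule described above, including the first-match behaviour and the account move on a later reassignment. The LDAP group DNs, the SLM account group names and the in-memory account store are constructed for illustration.

```python
# Added example: models the SLM_<group> LDAP mapping rule described in the manual.
# Group DNs and account data below are constructed, not taken from a real directory.
from typing import Optional

PREFIX = "SLM_"


def group_cn(dn: str) -> Optional[str]:
    """Return the CN of a group DN such as 'CN=SLM_musers,OU=Groups,DC=example,DC=com'.

    Splits on ',' which is adequate for simple DNs; escaped commas in a CN would
    need a real RFC 4514 parser.
    """
    for part in dn.split(","):
        if part.upper().startswith("CN="):
            return part[3:]
    return None


def resolve_account_group(member_of: list[str], slm_groups: set[str]) -> Optional[str]:
    """Return the SLM account group for a user, or None if no mapping applies.

    Walks the user's group memberships in order and returns the first group
    named SLM_<name> where <name> is an existing SLM account group; the manual
    states that the first one found is used when several match.
    """
    for dn in member_of:
        cn = group_cn(dn)
        if cn and cn.startswith(PREFIX) and cn[len(PREFIX):] in slm_groups:
            return cn[len(PREFIX):]
    return None


def apply_ldap_login(accounts: dict, login: str, member_of: list[str], slm_groups: set[str]) -> Optional[str]:
    """Create or move the local account at login time; return its account group.

    `accounts` maps login name -> account group. A resolved group that differs
    from the stored one moves the account, as the manual describes for a later
    reassignment. With no mapping, no account is auto-created and the existing
    local account (if any) is used unchanged.
    """
    group = resolve_account_group(member_of, slm_groups)
    if group is None:
        return accounts.get(login)
    accounts[login] = group
    return group
```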

To configure the SLM to use LDAP to authenticate users:

1. On the menu, click Configuration > Authentication > LDAP. The following page opens.

2. Enter the following:

Table 8-6 LDAP Authentication Settings

LDAP Authentication Setting: Description

Server: The IP address or host name of the LDAP server.

Base: The name of the LDAP search base (e.g., dc=company, dc=com). May have up to 80 characters.

Bind Name: The name for a non-anonymous bind to an LDAP server. This item has the same format as LDAP Base. One example is cn=administrator,cn=Users,dc=domain,dc=com

Bind Password and Retype Password: Password for a non-anonymous bind. This entry is optional. Acceptable characters are a-z, A-Z, and 0-9. The maximum length is 127 characters.

Port: Number of the TCP port on the LDAP server to which the SLM talks. The default setting is 389.

Active Directory Support: Select to enable. Active Directory is a directory service from Microsoft that is a part of Windows 2000 and later versions of Windows. It stores information about network resources within a domain. It is LDAP- and Kerberos-compliant. Disabled by default.

Encrypt: Select to encrypt messages between the SLM and the LDAP server. Disabled by default.

Enabled: Displays selected if you previously enabled this method on the User Authentication page or on this page. To configure this authentication method but not enable it, clear the check box.

Note: You can enable this authentication method here or on the User Authentication page. If you enable it here, it is assigned the lowest priority on the User

3. To save, click the Update button. A confirmation message displays.

RADIUS

The administrator can configure the SLM to use RADIUS to authenticate users attempting to log in to the SLM through the web interface, SSH public key, Telnet, or the console port.

Note: For a user to log in remotely using RADIUS, the user's account must have remote access (Remote Only or Local & Remote), or there must be an account defined whose login name is RADIUS. See Accounts on page 125 for information on setting up accounts.

To configure the SLM to use RADIUS to authenticate users:

1. On the menu, click Configuration > User Authentication > RADIUS. The following page opens.

2. Enter the following:

Table 8-8 RADIUS Authentication Settings

3. To save, click the Update button. When the update is complete, a confirmation message displays.

Kerberos

Kerberos is a network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography.

The administrator can configure the SLM to use Kerberos to authenticate users attempting to log in to the SLM through the web interface, SSH, Telnet, or the console port.

Note: For a user to log in remotely using Kerberos, the user's account must have remote access (Remote Only or Local & Remote), or there must be an account defined whose login name is Kerberos. See Accounts on page 125 for information on setting up accounts.

RADIUS