Lantronix SLC 8000 Advanced Console Manager User Guide - Page 307
TACACS+ Groups, Service, Protocol, priv_lvl, TACACS
View all Lantronix SLC 8000 Advanced Console Manager manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 307 highlights
12: User Authentication TACACS+ Groups This section describes how a priv_lvl assigned to a TACACS+ user can be mapped to a SLC custom Groups, which will set the permissions and port rights for a TACACS+ user when they login to the SLC. TACACS+ users are typically configured to have a privilege level 0-15, with each level representing a privilege level that is a superset of the next lower value. The privilege level can be assigned to individual users, or to groups that the user is a member of. When the SLC authenticates a TACACS+ user, it will first send an authentication request to the TACACS+ server, and wait for an authentication reply. If the user is successfully authenticated, the SLC will next send an authorization request to the TACACS+ server with the Service and optional Protocol. The SLC will wait for an authorization response that will indicate if the user was successfully authorized for the requested service and protocol, and also contains a set of attribute-value pairs which define the attributes associated with the TACACS+ user. The priv_lvl or priv-lvl is the only attribute sent from the TACACS+ server that the SLC will recognize and utilize. The privilege level number will be used to map to a SLC custom user group by finding a group with a name that ends in the same number as the priv_lvl. For example, a SLC group called "admin15" will map to any TACACS+ users with priv_lvl equal to 15; a SLC group called "manager8" will map to any TACACS+ users with priv_lvl equal to 8, and a SLC group called "readonly0" will map to any TACACS+ users with priv_lvl equal to 0. If two SLC groups ending with the same number exist, the SLC will select the first matching group it finds while searching the group list; for consistency it is recommended that only one SLC group exist for each priv_lvl. When a TACACS+ user authenticates to the SLC, the Authentication Log will record any priv_lvl attribute-value pair returned by the TACACS+ server: Sep 21 15:44:38 2017 slc431d SLC-SLB/x15login[2839]: pam_sm_authenticate: server returned attribute `PRIV_LVL=14' Any priv_lvl obtained for a TACACS+ user can also be viewed at the CLI with the show user command. To configure the SLC unit to use TACACS+ to authenticate users: 1. Click the TACACS+ tab and select TACACS+. The following page displays. SLC™ 8000 Advanced Console Manager User Guide 307