Home » Lantronix Manuals » Electronics Accessories » Lantronix SLC 8000 Advanced Console Manager » Manual Viewer

Lantronix SLC 8000 Advanced Console Manager User Guide - Page 307

TACACS+ Groups, Service, Protocol, priv_lvl, TACACS

View all Lantronix SLC 8000 Advanced Console Manager manuals

Add to My Manuals
Save this manual to your list of manuals

Page 307 highlights

12: User Authentication TACACS+ Groups This section describes how a priv_lvl assigned to a TACACS+ user can be mapped to a SLC custom Groups, which will set the permissions and port rights for a TACACS+ user when they login to the SLC. TACACS+ users are typically configured to have a privilege level 0-15, with each level representing a privilege level that is a superset of the next lower value. The privilege level can be assigned to individual users, or to groups that the user is a member of. When the SLC authenticates a TACACS+ user, it will first send an authentication request to the TACACS+ server, and wait for an authentication reply. If the user is successfully authenticated, the SLC will next send an authorization request to the TACACS+ server with the Service and optional Protocol. The SLC will wait for an authorization response that will indicate if the user was successfully authorized for the requested service and protocol, and also contains a set of attribute-value pairs which define the attributes associated with the TACACS+ user. The priv_lvl or priv-lvl is the only attribute sent from the TACACS+ server that the SLC will recognize and utilize. The privilege level number will be used to map to a SLC custom user group by finding a group with a name that ends in the same number as the priv_lvl. For example, a SLC group called "admin15" will map to any TACACS+ users with priv_lvl equal to 15; a SLC group called "manager8" will map to any TACACS+ users with priv_lvl equal to 8, and a SLC group called "readonly0" will map to any TACACS+ users with priv_lvl equal to 0. If two SLC groups ending with the same number exist, the SLC will select the first matching group it finds while searching the group list; for consistency it is recommended that only one SLC group exist for each priv_lvl. When a TACACS+ user authenticates to the SLC, the Authentication Log will record any priv_lvl attribute-value pair returned by the TACACS+ server: Sep 21 15:44:38 2017 slc431d SLC-SLB/x15login[2839]: pam_sm_authenticate: server returned attribute `PRIV_LVL=14' Any priv_lvl obtained for a TACACS+ user can also be viewed at the CLI with the show user command. To configure the SLC unit to use TACACS+ to authenticate users: 1. Click the TACACS+ tab and select TACACS+. The following page displays. SLC™ 8000 Advanced Console Manager User Guide 307

Section	Page
SLC™ 8000 Advanced Console Manager User Guide	1
Intellectual Property	2
Warranty	2
Contacts	2
GNU General Public License Notice	2
Disclaimer & Revisions	3
Revision History	4
Table of Contents	6
List of Figures	16
List of Tables	20
1: About this Guide	21
Purpose and Audience	21
Summary of Chapters	21
Additional Documentation	22
2: Introduction	23
Features	23
Console Management	23
Power	24
Integration with Other Secure Lantronix Products	24
Hardware	24
System Features	26
Protocols Supported	27
Access Control	27
Device Port Buffer	27
Configuration Options	28
Device Port and Console Port Interfaces	28
Network Connections	32
Front Panel USB Ports	33
Memory Card Port	33
Internal Modem	34
3: Installation	35
What's in the Box	35
Customize an SLC 8000	36
Product Label	37
Technical Specifications	37
Physical Installation	39
Connecting to a Device Port	39
Modular Expansion for I/O Module Bays	41
Connecting to Network Ports	42
Connecting Terminals	42
AC Input	43
Modem Installation	44
Battery Replacement	47
4: Quick Setup	51
Recommendations	51
Method #1 Using the Front Panel Display	52
Front Panel LCD Display and Keypads	52
Navigating	52
Entering the Settings	55
Restoring Factory Defaults	56
Limiting Sysadmin User Access	56
Method #2 Quick Setup on the Web Page	57
Network Settings	58
Date & Time Settings	59
Administrator Settings	59
Method #3 Quick Setup on the Command Line Interface	60
Next Step	63
5: Web and Command Line Interfaces	64
Web Manager	64
Logging in	66
Logging Out	66
Web Page Help	67
Command Line Interface	67
Logging In	67
Logging Out	68
Command Syntax	68
Command Line Help	68
Tips	68
6: Basic Parameters	71
Requirements	71
Network Port Settings	72
Ethernet Interfaces (Eth1 and Eth2)	75
Hostname & Name Servers	77
DNS Servers	77
DHCP-Acquired DNS Servers	77
TCP Keepalive Parameters	77
Gateway	78
Fail-Over Settings	79
Fail-Over Cellular Gateway Configuration	81
Advanced Cellular Gateway Configuration	83
Fail-Over Cellular Gateway Firmware	84
Load Cellular Gateway Firmware Options	84
Ethernet Counters	85
Network Commands	85
Ethernet Switch	85
Port Statistics	88
DHCP	90
DHCP Server Settings	91
DHCP Relay Settings	92
IP Filter	92
Viewing IP Filters	92
Mapping Rulesets	93
Enabling IP Filters	93
Configuring IP Filters	95
Rule Parameters	96
Updating an IP Filter	97
Deleting an IP Filter	97
IP Filter Commands	97
Routing	97
Dynamic Routing	98
Static Routing	98
Routing Commands	99
Forwarding	99
Forwarding Connections Commands	100
VPN Settings	100
Sample ipsec.conf Files	112
VPN Commands	117
Security	117
Performance Monitoring	120
Performance Monitoring - Add/Edit Probe	123
Performance Monitoring - Results	126
Performance Monitoring Commands	130
FQDN List	131
7: Services	132
System Logging and Other Services	132
SSH/Telnet/Logging	133
System Logging	134
Audit Log	134
SSH	135
SMTP	135
Telnet	136
Web SSH/Web Telnet Settings	136
Phone Home	137
SSH Commands	137
Logging Commands	137
SNMP	138
v1/v2c Communities	142
Version 3	142
V3 User Read-Only	142
V3 User Read-Write	143
V3 User Trap	143
Version 3 TLS (over TCP)	143
Services Commands	144
NFS and SMB/CIFS	145
SMB/CIFS Share	147
NFS and SMB/CIFS Commands	147
Secure Lantronix Network	148
Browser Issues	151
Troubleshooting Browser Issues	152
Web SSH/Telnet Copy and Paste	154
Secure Lantronix Network Commands	154
Date and Time	154
Date and Time Commands	156
Web Server	156
Admin Web Commands	158
Services - SSL Certificate	159
Services - Web Sessions	161
ConsoleFlow	162
ConsoleFlow Commands	168
8: USB/SD Card Port	169
USB/SD Card Storage	169
Manage Files on Storage Device	171
USB Modem Settings	172
Data Settings	174
Modem Settings	174
Text Mode	176
PPP Mode	176
IP Settings	177
USB Serial Settings	177
Data Settings	179
IP Settings	180
USB Commands	180
SD Card Commands	180
9: Device Ports	181
Connection Methods	181
Permissions	181
I/O Modules	182
Device Status	183
Device Ports	184
Telnet/SSH/TCP in Port Numbers	185
DevicePort Global Commands	185
Device Ports - Settings	186
Device Port Settings	188
IP Settings	190
Data Settings	191
Hardware Signal Triggers	192
Modem Settings (Device Ports)	193
Modem Settings: Text Mode	194
Modem Settings: PPP Mode	195
Port Status and Counters	196
Device Ports - Power Management	196
Device Ports - RPMs - Add Device	199
Device Port - Sensorsoft Device	201
Device Port Commands	202
Device Commands	202
Interacting with a Device Port	202
Device Ports - Logging and Events	203
Local Logging	203
NFS File Logging	203
USB and SD Card Logging	204
Token/Data Detection	204
Syslog Logging	204
Token & Data Detection	205
Local Logging	207
Log Viewing Attributes	207
NFS File Logging	207
USB / SD Card Logging	207
Syslog Logging	207
Logging Commands	208
Console Port	208
Console Port Commands	209
Internal Modem Settings	209
Setting Up Internal Modem Storage	209
Text Mode	212
PPP Mode	212
Internal Modem Commands	213
Xmodem	213
Host Lists	216
Host Parameters	217
Host Parameters	218
Host List Commands	219
Scripts	219
Scripts	222
Script Commands	226
Batch Script Syntax	226
Interface Script Syntax	226
Primary Commands	228
Secondary Commands	229
Control Flow Commands	231
Custom Script Syntax	232
Example Scripts	233
Sites	249
Site Commands	252
Access Lists	252
Access List Commands	254
Modem Dialing States	254
Dial In	254
Dial-back	255
Dial-on-demand	256
Dial-in & Dial-on-demand	256
Dial-back & Dial-on-demand	257
CBCP Server and CBCP Client	257
CBCP Server	257
CBCP Client	258
Key Sequences	258
10: Remote Power Managers	260
Devices - RPMs	260
RPMs - Add Device	263
RPMs - Manage Device	266
RPMs - Outlets	269
RPM Shutdown Procedure	270
Optimizing and Troubleshooting RPM Behavior	272
RPM Commands	273
11: Connections	274
Typical Setup Scenarios for the SLC Unit	274
Terminal Server	274
Remote Access Server	275
Reverse Terminal Server	275
Multiport Device Server	276
Console Server	276
Connection Configuration	277
Connection Commands	279
12: User Authentication	280
Authentication Commands	282
User Rights	282
Local and Remote User Settings	284
Sysadmin Account Default Login Values	285
Adding, Editing or Deleting a User	286
Shortcut	290
Local Users Commands	290
Remote User Rights Commands	290
NIS	291
NIS Commands	294
LDAP	294
LDAP Commands	298
RADIUS	299
RADIUS Commands	302
User Attributes & Permissions from LDAP Schema or RADIUS VSA	302
Kerberos	303
Kerberos Commands	306
TACACS+	306
TACACS+ Groups	307
TACACS+ Commands	310
Groups	311
Group Commands	314
SSH Keys	314
Imported Keys	314
Exported Keys	314
Imported Keys (SSH In)	316
Host & Login for Import	316
Exported Keys (SSH Out)	316
Host and Login for Export	317
SSH Commands	319
Custom Menus	319
Custom User Menu Commands	322
13: Maintenance	323
Firmware & Configurations	323
Zero Touch Provisioning Configuration Restore	323
Creating a Certificate	324
HTTPS Push Configuration Restore	326
Factory Reset with External Storage Device	327
Internal Temperature	329
Site Information	329
SLC Firmware	329
Boot Banks and Bootloader Settings	330
Load Firmware Via Options	331
Configuration Management	331
Manage Files	333
Administrative Commands	333
System Logs	334
System Log Commands	335
Audit Log	336
Audit Log Commands	337
Email Log	337
Logging Commands	337
Diagnostics	338
Diagnostic Commands	341
Status/Reports	341
View Report	341
Status Commands	343
Emailing Logs and Reports	343
Events	346
Events Commands	347
LCD/Keypad	348
Administrative LCD/Keypad Commands	349
Banners	349
Administrative Banner Commands	350
System Info	350
14: Application Examples	352
Telnet/SSH to a Remote Device	352
Dial-in (Text Mode) to a Remote Device	354
Local Serial Connection to Network Device via Telnet	355
15: Command Reference	357
Introduction to Commands	357
Command	357
Command Line Help	358
Tips	358
Access List Commands	359
set accesslist add\|edit	359
set accesslist add\|edit	359
set accesslist delete	359
showaccesslist	360
Administrative Commands	360
admin banner login	360
admin banner logout0	360
admin banner show	360
admin banner ssh	361
admin banner welcome	361
admin banner welcome	361
admin clear	361
admin config copy	362
admin config rename\|delete	362
admin config factorydefaults	362
admin config restore	363
admin config save	363
admin config checksum	363
admin config commands	364
admin config batch	364
admin config show	364
admin firmware bootbank	364
admin firmware bootcount	365
admin firmware bootlimit	365
admin firmware bootdelay	365
admin firmware highrestimers	365
admin firmware watchdog	366
admin firmware show	366
admin firmware update	366
admin firmware clearlog	366
admin ftp password	367
admin ftp server	367
admin ftp show	367
admin keypad	367
admin keypad password	367
admin keypad show	368
admin lcd reset	368
admin lcd default	368
admin lcd screens	368
admin lcd line1	369
admin lcd scrolling	369
admin memory show	369
admin memory swap add	369
admin memory swap delete	370
admin quicksetup	370
admin reboot	370
admin shutdown	370
admin site	370
admin sysinfo	371
admin sysinfo save <ZIP File Name> location <ftp\|sftp\|scp\|nfs\|usb\|sdcard>	371
[nfsdir <NFS Mounted Directory>] [usbport <U1\|U2>]	371
[host <IP Address or Name>] [login <User Login>]	371
[path <Path to Save File>]	371
admin version	371
admin web certificate import	371
admin web certificate reset	371
admin web certificate custom	372
admin web certificate custom	372
admin web certificate show	372
admin web group	372
admin web server	372
admin web sha2	372
admin web timeout	373
admin web terminate	373
admin web show	373
admin web banner	373
admin web iface	373
admin web cipher	374
admin web sha2	374
admin web tlsv10	374
admin web tlsv11	374
admin web tlsv12	374
admin web restart	375
admin chip resetmodem	375
admin eeprom	375
Audit Log Commands	376
show auditlog	376
show auditlog clear	376
Authentication Commands	377
set auth	377
show auth	377
show user	377
Kerberos Commands	378
set kerberos	378
show kerberos	378
LDAP Commands	379
set ldap	379
set ldap bindpassword	379
set ldap certificate import	380
set ldap certificate delete	380
show ldap	380
Local Users Commands	380
set localusers add\|edit	380
set localusers allowreuse	381
set local users complexpasswords	381
set localusers state	381
set localusers delete	381
set localusers lifetime	382
set localusers maxloginattempts	382
set localusers password	382
set localusers periodlockout	382
set localusers periodwarning	382
set localusers reusehistory	383
set localusers multipleadminlogins	383
set localusers consoleonlyadmin	383
show localusers	383
set localusers lock	383
set localusers unlock	384
set localusers permissions	384
NIS Commands	384
set nis	384
show nis	385
RADIUS Commands	385
set radius	385
set radius server	386
show radius	386
TACACS+ Commands	386
set tacacs+	386
show tacacs+	387
User Permissions Commands	387
set localusers group	387
set localusers lock	388
set localusers unlock	388
set localusers permissions	388
set <nis\|ldap\|radius\|kerberos\|tacacs+> permissions	388
show user	389
Remote User Commands	389
set remoteusers add\|edit	389
set remoteusers listonlyauth	389
set remoteusers denyaccessnocustomgroup	390
set remoteusers denyaccessnocustomgroup <enable\|disable>	390
set remoteusers lock\|unlock	390
set remoteusers delete	390
show remoteusers	390
set <nis\|ldap\|radius\|kerberos\|tacacs+> group	390
set cli	391
set cli menu	391
show cli	392
show user	392
set history	392
show history	392
Connection Commands	392
connect bidirection	392
connect direct	393
connect forward	394
connect global outgoingtimeout	394
connect listen deviceport	394
connect terminate	394
connect unidirection	394
show connections	395
show connections connid	395
ConsoleFlow Commands	396
set cflow client	396
set cflow statusinterval	396
set cflow fwupdate	396
set cflow rebootafterupdate	396
set cflow allowremoteconnection	396
set cflow auditlogmessages	397
set cflow connection	397
set cflow devicename	397
set cflow timeoutcli	397
set cflow digitalprobe	398
set cflow id	398
set cflow key	398
set cflow useproxy	398
set cflow proxypassword	398
show cflow	399
Console Port Commands	399
set consoleport	399
show consoleport	399
Custom User Menu Commands	400
set localusers	400

Match case Limit results 1 per page

12: User Authentication

SLC™ 8000 Advanced Console Manager User Guide

307

TACACS+ Groups

This section describes how a priv_lvl assigned to a TACACS+ user can be mapped to a SLC

custom

Groups

, which will set the permissions and port rights for a TACACS+ user when they

TACACS+ users are typically configured to have a privilege level 0-15, with each level

representing a privilege level that is a superset of the next lower value. The privilege level can be

assigned to individual users, or to groups that the user is a member of. When the SLC

authenticates a TACACS+ user, it will first send an authentication request to the TACACS+ server,

and wait for an authentication reply. If the user is successfully authenticated, the SLC will next

send an authorization request to the TACACS+ server with the

Service

and optional

Protocol

The SLC will wait for an authorization response that will indicate if the user was successfully

authorized for the requested service and protocol, and also contains a set of attribute-value pairs

which define the attributes associated with the TACACS+ user.

The

priv_lvl

priv-lvl

is the only attribute sent from the TACACS+ server that the SLC will

recognize and utilize. The privilege level number will be used to map to a SLC custom user group

by finding a group with a name that ends in the same number as the priv_lvl. For example, a SLC

group called "admin15" will map to any TACACS+ users with priv_lvl equal to 15; a SLC group

called "manager8" will map to any TACACS+ users with priv_lvl equal to 8, and a SLC group

called "readonly0" will map to any TACACS+ users with priv_lvl equal to 0. If two SLC groups

ending with the same number exist, the SLC will select the first matching group it finds while

searching the group list; for consistency it is recommended that only one SLC group exist for each

priv_lvl.

When a TACACS+ user authenticates to the SLC, the Authentication Log will record any priv_lvl

attribute-value pair returned by the TACACS+ server:

Sep 21 15:44:38 2017 slc431d SLC-SLB/x15login[2839]:

pam_sm_authenticate: server returned attribute `PRIV_LVL=14'

Any priv_lvl obtained for a TACACS+ user can also be viewed at the CLI with the

show user

command.

To configure the SLC unit to use TACACS+ to authenticate users:

Click the

TACACS+

tab and select

TACACS+

. The following page displays.