Tripp Lite B0930042E4U Owners Manual for B093- B097- and B098-Series Console S - Page 180

PAM Pluggable Authentication Modules


9. Authentication

9.1.12 Authentication Testing

The Authentication Testing tab (firmware version 3.5.2u3 and later) enables the connection to the remote authentication server to be tested.

9.2 PAM (Pluggable Authentication Modules)

The console server supports RADIUS, TACACS+ and LDAP for two-factor authentication via PAM (Pluggable Authentication Modules). PAM is a flexible mechanism for authenticating users. A number of new ways of authenticating users have become popular. The challenge is that each time a new authentication scheme is developed, it requires all the necessary programs (login, ftpd, etc.) to be rewritten to support it.

PAM provides a way to develop programs that are independent of the authentication scheme. These programs need "authentication modules" to be attached to them at run-time in order to work. Which authentication module is attached depends on the local system setup and is at the discretion of the local Administrator.

The console server family supports PAM with the following modules added for remote authentication:

RADIUS - pam_radius_auth (http://www.freeradius.org/pam_radius_auth/)
TACACS+ - pam_tacplus (http://echelon.pl/pubs/pam_tacplus.html)
LDAP - pam_ldap (http://www.padl.com/OSS/pam_ldap.html)

Further modules can be added, as required.

Changes may be made to files in /etc/config/pam.d/, and these changes will persist even if the authentication configurator is run.

• Users added on demand: When a user attempts to log in but does not already have an account on the console server, a new user account will be created. This account will have no rights and no password set. Such accounts will not appear in the Tripp Lite configuration tools. Automatically added accounts will not be able to log in if the remote servers are unavailable.

• Administrator rights granted over AAA: Users may be granted Administrator rights via networked AAA. For TACACS, a priv-lvl of 12 or above indicates an administrator. For RADIUS, administrators are indicated via Framed Filter ID. See the example configuration files below for more information.

• Authorization via TACACS, LDAP or RADIUS for using remote groups: Refer to 9.1.6 Group Support with Remote Authentication.

• Authorization via TACACS for both serial ports and host access: Permission to access resources may be granted via TACACS by indicating a Tripp Lite device and a port or networked host the user may access. See the example configuration files below for more information.
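The following is an added example, not Tripp Lite firmware code or a configuration file from this manual. It models the three behaviours the section states (TACACS+ priv-lvl 12 or above grants Administrator, RADIUS marks administrators via Framed-Filter-Id, and on-demand accounts have no local password, so they are locked out while the remote servers are down); the exact marker inside Framed-Filter-Id, the `ConsoleServer` and `Account` classes and the in-memory stand-in for the AAA server are assumptions, since the manual defers those details to example configuration files not reproduced on this page.

```python
"""Model of the AAA-to-rights mapping that section 9.2 describes.
Constructed example, not Tripp Lite firmware code: TACACS+ priv-lvl 12 or
above grants Administrator, RADIUS marks administrators via Framed-Filter-Id,
and unknown remote users are added on demand with no rights and no local
password, so they cannot log in while the remote AAA servers are down."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

ADMIN_PRIV_LVL = 12   # stated in the manual
# Assumed marker inside Framed-Filter-Id; the manual defers the exact value
# to example configuration files that are not reproduced on this page.
RADIUS_ADMIN_MARKER = ":group_name=admin:"

def is_admin(attrs: Dict[str, object]) -> bool:
    """Administrator rights granted over AAA, per the rule in 9.2."""
    if int(attrs.get("priv-lvl", 0)) >= ADMIN_PRIV_LVL:              # TACACS+
        return True
    return RADIUS_ADMIN_MARKER in str(attrs.get("Framed-Filter-Id", ""))  # RADIUS

@dataclass
class Account:
    name: str
    local_password: Optional[str] = None   # None means no password set
    admin: bool = False
    auto_created: bool = False

@dataclass
class ConsoleServer:
    remote_users: Dict[str, tuple]         # stand-in AAA server: user -> (pw, attrs)
    accounts: Dict[str, Account] = field(default_factory=dict)
    remote_up: bool = True

    def login(self, user: str, password: str) -> str:
        """Return 'admin', 'user' or 'denied' for one login attempt."""
        if self.remote_up and user in self.remote_users:
            remote_pw, attrs = self.remote_users[user]
            if not hmac.compare_digest(remote_pw, password):
                return "denied"
            acct = self.accounts.setdefault(user, Account(user, auto_created=True))
            acct.admin = is_admin(attrs)       # rights follow the AAA reply
            return "admin" if acct.admin else "user"
        # Remote servers unavailable (or user unknown there): local account only.
        acct = self.accounts.get(user)
        if acct is None or acct.local_password is None:
            return "denied"                    # on-demand accounts stop here
        ok = hmac.compare_digest(acct.local_password, password)
        return ("admin" if acct.admin else "user") if ok else "denied"
```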
