Tripp Lite B098016V Owners Manual for B093- B097- and B098-Series Console Serv - Page 178
Remote Groups with TACACS+ Authentication
Page 178 highlights
9. Authentication

Note: When using remote groups with LDAP remote authorization, you need to have corresponding local groups on the console server. However, while LDAP group names can contain upper case and space characters, the local group name on the console server must be all lower case, with the spaces replaced by underscores. For example, a remote group on the LDAP server named 'My Ldap Access Group' needs a corresponding local group on the console server called 'my_ldap_access_group' (both without the single quotes). The local group on the console server must specify what the group member is granted access to for any group membership to be effective.

9.1.9 Remote Groups with TACACS+ Authentication

When using TACACS+ authentication, there are two ways to grant a remotely authenticated user privileges. The first is to set the priv-lvl and port attributes of the raccess service to 12 (refer to 9.2 PAM for more information).

Group names can also be provided to the console server using the groupname custom attribute of the raccess service. An example Linux tac-plus config snippet might look like:

    user = myuser {
        service = raccess {
            groupname="users"
            groupname1="routers"
            groupname2="dracs"
        }
    }

You may also specify multiple groups in one comma-delimited attribute value (e.g., groupname="users,routers,dracs"), but be aware that the maximum length of the attribute value string is 255 characters.

To use an attribute name other than groupname, set Authentication -> TACACS+ -> TACACS Group Membership Attribute.
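The following Python helper is an added example, not part of the Tripp Lite manual. It derives the local group name required for an LDAP group and builds the raccess group attributes while enforcing the 255-character limit. The function names, and the choice to fall back to one group per numbered attribute when the comma-delimited string would be too long, are assumptions made for illustration.

```python
MAX_ATTR_VALUE_LEN = 255  # maximum attribute value length stated in the manual


def local_group_name(ldap_group):
    """Local group name the console server expects for an LDAP group."""
    return ldap_group.lower().replace(" ", "_")


def raccess_attributes(groups, attr="groupname"):
    """Return [(attribute, value)] pairs for the raccess service.

    One comma-delimited attribute when it fits in 255 characters, otherwise
    one group per numbered attribute (groupname, groupname1, groupname2, ...).
    """
    if not groups:
        raise ValueError("no groups given")
    for g in groups:
        # A comma would split one group into two; a quote would break the config.
        if not g or "," in g or '"' in g:
            raise ValueError(f"invalid group name (empty, comma or quote): {g!r}")
        if len(g) > MAX_ATTR_VALUE_LEN:
            raise ValueError(f"group name longer than {MAX_ATTR_VALUE_LEN}: {g!r}")
    joined = ",".join(groups)
    if len(joined) <= MAX_ATTR_VALUE_LEN:
        return [(attr, joined)]
    return [(attr if i == 0 else f"{attr}{i}", g) for i, g in enumerate(groups)]


def render_user(user, groups, attr="groupname"):
    """Render a tac-plus user stanza in the layout shown in the manual."""
    lines = [f"user = {user} {{", "    service = raccess {"]
    for name, value in raccess_attributes(groups, attr):
        lines.append(f'        {name}="{value}"')
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input: the LDAP group name from the manual's note.
    ldap_groups = ["My Ldap Access Group", "Routers", "DRACs"]
    print(render_user("myuser", [local_group_name(g) for g in ldap_groups]))
```

Pass a different attr value if TACACS Group Membership Attribute has been changed from groupname on the console server.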