Work with Users
You can create new users, edit existing users, delete users, and alter groups and permissions. Users can be either local users or remote users; in both cases you need to understand how those users are authenticated. Lighthouse allows users to be authenticated using the following modes:
- LDAP
- RADIUS
- TACACS+
The root user can be authenticated by AAA, but Lighthouse always tries local authentication for the root user first.
AAA mode comparison

Each mode below is listed with its name, its password and group source, and extra notes.

Mode: Local
Password and group source:
  Authentication: Local only.
  Groups: Local.
Extra notes:
  All users must exist locally before they can log in.

Mode: [AAA] (Radius, Tacacs+, Ldap)
Password and group source:
  Authentication: The username/password provided by the user is ONLY tested against the [AAA] server.
  Groups: Union of the user's local groups and their [AAA] groups. If the user did not exist locally and successfully authenticated via [AAA], the user is also added to the netgrp group.
Extra notes:
  If there is a local user with the same username as the [AAA] user and that user tries to log in with the local password, login will be denied UNLESS the local password is the SAME as the remote password; that is, the remote password is used to log in.
  If the [AAA] server is unreachable, the only user that can authenticate locally is root.

Mode: Local[AAA] (LocalRadius, LocalTacacs+, LocalLdap)
Password and group source:
  Authentication: The username/password provided by the user is first tested locally, and if local authentication fails then the [AAA] server is used.
  Groups: Union of the user's local groups and their [AAA] groups. If the user did not exist locally and successfully authenticated via [AAA], the user is also added to the netgrp group.
Extra notes:
  Basically, the user can log in with either their local password (if the user exists locally) or their [AAA] password (if the user exists in the [AAA] server). The main point is that the username/password is tested locally first, and if it fails, [AAA] authentication is attempted with the same username and password.

Mode: [AAA]Local (RadiusLocal, Tacacs+Local, LdapLocal)
Password and group source:
  Authentication: The username/password provided by the user is first tested by the [AAA] server, and if [AAA] authentication fails then the credentials are tested locally.
  Groups: Union of the user's local groups and their [AAA] groups. If the user did not exist locally and successfully authenticated via [AAA], the user is also added to the netgrp group.
Extra notes:
  Basically, the user can log in with either their local password (if the user exists locally) or their [AAA] password (if the user exists in the [AAA] server). The main point is that the username/password is tested by [AAA] first, and if it fails, local authentication is attempted with the same username and password.

Mode: [AAA]DownLocal (RadiusDownLocal, Tacacs+DownLocal, LdapDownLocal)
Password and group source:
  Authentication: Local authentication is ONLY used if the [AAA] server is unreachable. Otherwise [AAA] authentication is always used.
  Groups: Union of the user's local groups and their [AAA] groups. If the user did not exist locally and successfully authenticated via [AAA], the user is also added to the netgrp group.
Extra notes:
  This should behave exactly the same as the [AAA] mode until the [AAA] server is unreachable, at which point local authentication is attempted.
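The following is an added model of the mode precedence described above (it is not Lighthouse code): it walks the local and [AAA] credential stores in the order each mode prescribes, applies the root-first rule, and computes the resulting group set. The user records, passwords and group names are constructed sample data, and the model assumes the [AAA] server reports a user's groups whenever it is reachable.

```python
"""Added model of Lighthouse AAA mode precedence; sample data is constructed."""

NETGRP = "netgrp"

# Order in which credential sources are consulted for each fixed mode.
ORDER = {
    "Local": ["local"],
    "AAA": ["aaa"],
    "LocalAAA": ["local", "aaa"],
    "AAALocal": ["aaa", "local"],
}


def _local_ok(local, user, pw):
    return user in local and local[user]["password"] == pw


def _aaa_ok(aaa, user, pw):
    # aaa is None when the [AAA] server is unreachable
    return aaa is not None and user in aaa and aaa[user]["password"] == pw


def authenticate(mode, user, pw, local, aaa):
    """Return (granted, groups). `aaa` is None when the server is unreachable."""
    if mode == "AAADownLocal":
        order = ["local"] if aaa is None else ["aaa"]   # local only when down
    else:
        order = list(ORDER[mode])
    if user == "root":
        # root is always tried locally first; this is also the only local
        # fallback in [AAA] mode when the server is unreachable
        order = ["local"] + [s for s in order if s != "local"]
    via = None
    for source in order:
        if source == "local" and _local_ok(local, user, pw):
            via = "local"
            break
        if source == "aaa" and _aaa_ok(aaa, user, pw):
            via = "aaa"
            break
    if via is None:
        return False, set()
    groups = set(local.get(user, {}).get("groups", ()))
    if mode != "Local" and aaa is not None and user in aaa:
        groups |= set(aaa[user]["groups"])        # union of local and [AAA] groups
    if via == "aaa" and user not in local:
        groups.add(NETGRP)                        # remote-only users join netgrp
    return True, groups


# Constructed sample stores (hypothetical users, passwords and groups).
LOCAL = {"root": {"password": "r00t-local", "groups": {"admin"}},
         "alice": {"password": "alice-local", "groups": {"ops"}}}
AAA = {"alice": {"password": "alice-remote", "groups": {"netops"}},
       "bob": {"password": "bob-remote", "groups": {"netops"}}}
```

Passing `None` for the [AAA] store exercises the server-unreachable rows of the table, which is the case most worth checking before rolling a mode out.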