Remote Authentication
CONFIGURE > USER MANAGEMENT > Remote Authentication
The Operations Manager supports three AAA systems. Select the remote authentication mode to be applied (the DownLocal and Local policies described below apply to all three modes):
- RADIUS
- TACACS+
- LDAP
Navigate to CONFIGURE > USER MANAGEMENT > Remote Authentication; the Remote Authentication Home page is displayed.
Tip: All fields in the Remote Authentication form have tooltips that provide additional information to assist with completing the form fields.
Configure RADIUS Authentication
- Under CONFIGURE > User Management > Remote Authentication, select RADIUS from the Mode drop-down menu.
- Select the preferred RADIUS Remote Authentication policy to be applied: RADIUS DownLocal or RADIUS Local (see the tips below).
Tip: RADIUS DownLocal: Users are authenticated through their local account only if the remote AAA server is unreachable or down. If the credentials provided at login are incorrect or if the account does not exist on the remote server, the user is denied access.
Tip: RADIUS Local: If remote authentication fails because the user account does not exist on the remote AAA server, the OM attempts to authenticate the user using a local account as per a regular local login.
- Add the Address and optionally the Port of the RADIUS authentication server.
- Add the Address and optionally the Port of the RADIUS accounting server.
- Add and confirm the Server password, also known as the RADIUS Secret.
- Click Apply.
Note: Multiple servers can be added. The RADIUS subsystem queries them in a round-robin fashion.
To provide group membership, RADIUS needs to be configured to return a list of group names via the Framed-Filter-Id attribute. The following configuration snippet shows how this can be configured in the FreeRADIUS users file (the reply item is indented on its own line, as the users file format requires):
operator1 Auth-Type := System
        Framed-Filter-Id = ":group_name=west_coast_admin,east_coast_user:"
Note: The Framed-Filter-Id attribute value must be delimited by colon characters.
Configure TACACS+ Authentication
- Under CONFIGURE > USER MANAGEMENT > Remote Authentication, select TACACS+ from the Mode drop-down menu.
- Select the preferred TACACS+ Remote Authentication policy to be applied: TACACS+ DownLocal or TACACS+ Local (see the tips below).
Tip: TACACS+ DownLocal: Users are authenticated through their local account only if the remote AAA server is unreachable or down. If the credentials provided at login are incorrect or if the account does not exist on the remote server, the user is denied access.
Tip: TACACS+ Local: If remote authentication fails because the user account does not exist on the remote AAA server, the OM attempts to authenticate the user using a local account as per a regular local login.
- Add the Address and optionally the Port of the TACACS+ authentication server to query.
- Select the Login Method. PAP is the default method; however, if the server uses DES-encrypted passwords, select Login.
- Add and confirm the Server password, also known as the TACACS+ Secret.
- Add the Service. This determines the set of attributes sent back by the TACACS+ server.
Note: Multiple servers can be added. The TACACS+ subsystem queries them in a round-robin fashion.
The following TACACS+ server configuration snippet shows the raccess service returning a list of group names via the groupname attribute:
user = operator1 {
    service = raccess {
        groupname = west_coast_admin,east_coast_user
    }
}
- Enable or Disable Remote Accounting. TACACS+ Accounting is enabled by default, and the Remote Auth Server is used as the Accounting server; however, one or more Accounting Servers can be specified.
  - To disable Remote Accounting, select Disable.
  - To enable Remote Accounting, select Enable.
- Click Apply.
Note: For Cisco ACS, see Setting up permissions with Cisco ACS 5 and TACACS+ on the Opengear Help Desk.
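The following Python model is added here and is not part of the Opengear documentation or product. It captures the DownLocal and Local policies described in the tips above (the same two policies apply to all three modes) and parses the group lists carried by the RADIUS Framed-Filter-Id and TACACS+ groupname attributes shown in the snippets. The remote outcome enumeration, the local account table and the exact policy names are assumptions made for illustration.

```python
# Added example, not Opengear code: models the DownLocal/Local fallback
# policies and the RADIUS / TACACS+ group attributes; all data is constructed.
import secrets
from enum import Enum

class Remote(Enum):
    OK = "ok"                  # server reached, credentials accepted
    REJECTED = "rejected"      # server reached, credentials wrong
    NO_SUCH_USER = "no_user"   # server reached, account unknown there
    DOWN = "down"              # server unreachable or timed out

# Constructed local account table: (password, local groups). Illustration
# only; a real store keeps hashed passwords, never plaintext.
LOCAL_USERS = {"operator1": ("local-secret", ["local_admin"])}

def groups_from_framed_filter_id(value: str) -> list[str]:
    """RADIUS: ':group_name=a,b:' must be delimited by colons (fail closed)."""
    if len(value) < 2 or value[0] != ":" or value[-1] != ":":
        raise ValueError("Framed-Filter-Id value must be delimited by ':'")
    key, sep, names = value[1:-1].partition("=")
    if key != "group_name" or not sep:
        raise ValueError("expected group_name=<comma-separated list>")
    return [g.strip() for g in names.split(",") if g.strip()]

def groups_from_tacacs(attrs: dict) -> list[str]:
    """TACACS+: 'groupname' attribute returned for the configured Service."""
    return [g.strip() for g in attrs.get("groupname", "").split(",") if g.strip()]

def decide(policy: str, remote: Remote, user: str, password: str,
           remote_groups=()) -> tuple[bool, list[str], str]:
    """Return (allowed, groups, source) for one login attempt.

    DownLocal: local fallback only when the AAA server is unreachable.
    Local:     local fallback also when the account is unknown remotely.
    A remote rejection of the credentials is final under both policies.
    """
    if policy not in ("DownLocal", "Local"):
        raise ValueError("policy must be DownLocal or Local")
    if remote is Remote.OK:
        return True, list(remote_groups), "remote"
    if remote is Remote.REJECTED:
        return False, [], "remote"
    fallback = remote is Remote.DOWN or (
        policy == "Local" and remote is Remote.NO_SUCH_USER)
    local = LOCAL_USERS.get(user)
    if fallback and local and secrets.compare_digest(
            local[0].encode(), password.encode()):
        return True, list(local[1]), "local"
    return False, [], "denied"
```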
Configure LDAP Authentication
- Under CONFIGURE > User Management > Remote Authentication, select LDAP from the Mode drop-down menu.
- Select the preferred LDAP Remote Authentication policy to be applied: LDAP DownLocal or LDAP Local (see the tips below for an explanation).
Tip: LDAP DownLocal: Users are authenticated through their local account only if the remote AAA server is unreachable or down. If the credentials provided at login are incorrect or if the account does not exist on the remote server, the user is denied access.
Tip: LDAP Local: If remote authentication fails because the user account does not exist on the remote AAA server, the OM attempts to authenticate the user using a local account as per a regular local login.
- Add the Address and optionally the Port of the LDAP server to query.
- Add the LDAP Base DN that corresponds to the LDAP system being queried. For example:
  CN=example-user,CN=Users,DC=example-domain,DC=com
- Add the LDAP Bind DN. This is the distinguished name of a user with sufficient privileges on the LDAP system to perform the lookups required to retrieve the username of each user and the list of groups they are members of.
- Enter the password for the LDAP Bind DN user and confirm it.
- Add the LDAP Username Attribute. This depends on the underlying LDAP system: use sAMAccountName for Active Directory and uid for OpenLDAP-based systems.
- Add the LDAP Group Membership Attribute. This is only needed for Active Directory and is generally memberOf.
- If desired, check the Ignore referrals option. When checked, LDAP will not follow referrals to other remote authentication servers when logging users in. If multiple remote authentication servers exist on the network, checking this option may improve login times.
Note: Multiple servers can be added. The LDAP subsystem queries them in a round-robin fashion.
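An added example, not Opengear's code, of what the LDAP Username Attribute and Group Membership Attribute settings imply for the directory lookup: building the user search filter with RFC 4515 escaping so a typed username cannot change the filter, and reducing memberOf values to group names. The OM's actual query is not published; the filter shape and the sample DNs are assumptions.

```python
# Added example, not Opengear code: the lookup the LDAP settings above imply.
# Values are constructed; the OM's real query may differ.
import re

# RFC 4515 escapes for characters that are special inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(username: str, username_attr: str = "sAMAccountName") -> str:
    """Filter used to find the login under the Base DN.

    username_attr is sAMAccountName for Active Directory or uid for
    OpenLDAP, matching the LDAP Username Attribute field.
    """
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", username_attr):
        raise ValueError("invalid LDAP attribute name")
    return f"({username_attr}={escape_filter_value(username)})"

def group_names_from_member_of(member_of: list[str]) -> list[str]:
    """Reduce each memberOf DN to the value of its leading CN RDN."""
    # RFC 4514 allows special characters (, = + < > # ; " and space) to be
    # backslash-escaped inside an RDN value, e.g. "CN=Doe\, John,CN=Users,...";
    # the regex keeps such escaped characters inside the value, then unescapes.
    names = []
    for dn in member_of:
        m = re.match(r"\s*CN=((?:\\.|[^,])*)", dn, re.IGNORECASE)
        if m:
            names.append(re.sub(r'\\([,=+<>#;"\\ ])', r"\1", m.group(1)))
    return names
```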