Server User Manual

ManualsBrandsBlack Box ManualsServerLES1308A

171

172

173

174

175

176

177

178

179

180

9.1.5 RADIUS/TACACS User Configuration

Users may be added to the local console server appliance. If they are not added and they log in via

remote AAA, a user will be added for them. This user will not show up in the Black Box configurators

unless they are specifically added, at which point they are transformed into a completely local user. The

newly added user must authenticate from the remote AAA server, and will have no access if it is down.

If a local user logs in, they may be authenticated/authorized from the remote AAA server, depending on

the chosen priority of the remote AAA. A local user’s authorization is the union of local and remote

privileges.

Example 1:

User Tim is locally added, and has access to ports 1 and 2. He is also defined on a remote

TACACS server, which says he has access to ports 3 and 4. Tim may log in with either his local or

TACACS password, and will have access to ports 1 through 4. If TACACS is down, he will need to

use his local password, and will only be able to access ports 1 and 2.

Example 2:

User Ben is only defined on the TACACS server, which says he has access to ports 5 and 6. When

he attempts to log in, a new user will be created for him, and he will be able to access ports 5

and 6. If the TACACS server is down he will have no access.

Example 3:

User Paul is defined on a RADIUS server only. He has access to all serial ports and network hosts.

Example 4:

User Don is locally defined on an appliance using RADIUS for AAA. Even if Don is also defined on

the RADIUS server, he will only have access to those serial ports and network hosts he has been

authorized to use on the appliance.

If a “no local AAA” option is selected, then root will still be authenticated locally.

You can add remote users to the admin group via either RADIUS or TACACS. Users may have a set of

authorizations set on the remote TACACS server. Users automatically added by RADIUS will have

authorization for all resources, whereas those added locally will still need their authorizations specified.

LDAP has not been modified, and will still need locally defined users.

9.1.6 Group support with remote authentication

All console servers allow remote authentication via RADIUS, LDAP and TACACS+. With RADIUS and

LDAP additional restrictions can be provided on user access based on group information or membership.

For example, with remote group support, RADIUS and LDAP users can belong to a local group that has

been setup to have restricted access to serial ports, network hosts and managed devices.

Remote authentication with group support works by matching a local group name with a remote group

name provided by the authentication service. If the list of remote group names returned by the

authentication service matches any local group names, the user is given permissions as configured in the

local groups.

To enable group support to be used by remote authentication services:

_____________________________________________________________________

724-746-5500 | blackbox.com Page 171