Server User Manual

TACACS+ - pam_tacplus (http://echelon.pl/pubs/pam_tacplus.html)
LDAP - pam_ldap (http://www.padl.com/OSS/pam_ldap.html)
Further modules can be added as required.
Changes made to files in /etc/config/pam.d/ will persist, even if the authentication
configurator runs.
Users added on demand:
When a user attempts to log in, but does not already have an account on the console server, a
new user account will be created. This account will have no rights, and no password set. It will
not appear in the Black Box configuration tools.
Automatically added accounts will not be able to log in if the remote servers are unavailable.
RADIUS users are currently assumed to have access to all resources, so they will only be
authorized to log in to the console server. RADIUS users will be authorized each time they access
a new resource.
Admin rights granted over AAA:
Users may be granted Administrator rights via networked AAA. For TACACS, a priv-lvl of 12 or
above indicates an Administrator. For RADIUS, Administrators are indicated via the Framed Filter
ID. (See the example configuration files below.)
Authorization via TACACS for both serial ports and host access:
Permission to access resources may be granted via TACACS by indicating a Black Box Appliance
and a port or networked host the user may access. (See the example configuration files
below.)
TACACS Example:
    user = tim {
        service = raccess {
            priv-lvl = 11
            port1 = les1116/port02
            port2 = 192.168.254.145/port05
        }
        global = cleartext mit
    }
RADIUS Example:
    paul Cleartext-Password := "luap"
        Service-Type = Framed-User,
        Fall-Through = No,
        Framed-Filter-Id=":group_name=admin"
The list of groups may include any number of entries separated by a comma. If the admin group
is included, the user will be made an Administrator.
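Added example (not from the Black Box manual): a short Python audit that reads configuration in the two formats shown above and lists which remote accounts would be granted Administrator rights, using the priv-lvl threshold and admin group rule stated in this section. The users ann and kim, the function names, and the comma-separated form ":group_name=users,admin" are assumptions made for illustration.

```python
import re

ADMIN_PRIV_LVL, ADMIN_GROUP = 12, "admin"  # thresholds stated in the manual
# Constructed sample input modelled on the manual's two examples.
TACACS_CONF = """\
user = tim {
    service = raccess {
        priv-lvl = 11
        port1 = les1116/port02
        port2 = 192.168.254.145/port05
    }
}
user = ann {
    service = raccess {
        priv-lvl = 15
    }
}
"""
RADIUS_USERS = """\
paul Cleartext-Password := "luap"
    Framed-Filter-Id=":group_name=admin"
kim Cleartext-Password := "constructed"
    Framed-Filter-Id=":group_name=users,admin"
"""

def audit_tacacs(conf):
    """Map each user stanza to its Administrator status and granted ports."""
    parts = re.split(r"(?m)^\s*user\s*=\s*(\S+)", conf)
    out = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        levels = [int(n) for n in re.findall(r"priv-lvl\s*=\s*(\d+)", body)]
        ports = re.findall(r"\bport\d+\s*=\s*(\S+)", body)
        out[name] = {"admin": any(n >= ADMIN_PRIV_LVL for n in levels), "ports": ports}
    return out

def audit_radius(users):
    """Map each users-file entry to the groups in its Framed-Filter-Id."""
    out = {}
    for entry in re.split(r"(?m)^(?=\S)", users):  # entries start in column 0
        m = re.search(r'Framed-Filter-Id\s*=\s*":group_name=([^"]*)"', entry)
        if entry.strip() and not entry.startswith("#"):
            out[entry.split()[0]] = [g.strip() for g in m.group(1).split(",")] if m else []
    return out

def administrators(tacacs_conf, radius_users):
    """Sorted (source, user) pairs that would log in as Administrator."""
    tac = [("tacacs", u) for u, v in audit_tacacs(tacacs_conf).items() if v["admin"]]
    rad = [("radius", u) for u, g in audit_radius(radius_users).items() if ADMIN_GROUP in g]
    return sorted(tac + rad)
```

Running administrators() against the real tac_plus and RADIUS users files after each change gives a quick review list of every account that the AAA servers can promote to Administrator.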