IP-REACH USER MANUAL
Controlling IP-Reach User Permissions via RADIUS FILTER-ID
IP-Reach recognizes, and in some cases requires, optional “FILTER-ID” RADIUS attributes that are
returned by the RADIUS server. These returned attributes communicate permissions for each user, which
override default permissions set for all RADIUS users under the “Default RADIUS Permissions” settings
parameter (see Chapter 4: Administrative Functions, RADIUS Configuration).
The FILTER-ID attribute tells IP-Reach what permissions to grant or deny each specific RADIUS user
(or user group, since most RADIUS servers can be configured to return this optional attribute per user or
for groups of users).
The FILTER-ID attribute contains an ASCII text string of the form “IP-Reach:letter(s)”, where
letter(s) is one or more of the following case-sensitive parameters denoting access permissions:
A Add administrator permissions.
a Subtract administrator permissions.
K Add keyboard and mouse control permissions.
k Subtract keyboard and mouse control permissions.
M Add modem access permissions.
m Subtract modem access permissions.
N Add network access (using Raritan Remote Client software) permissions.
n Subtract network access (using Raritan Remote Client software) permissions.
S Add serial console access permissions.
s Subtract serial console access permissions.
P Add PC Share permissions.
p Subtract PC Share permissions.
Example # 1:
If the “Default RADIUS permissions” option is set to “User permissions (Net,Modem,PC Share)” and the
RADIUS server returned a FILTER-ID attribute with the string “IP-Reach:m”, the modem access
permission would be removed from the user. The user would be left with Network (Raritan Remote Client
Software) and PC Share permissions.
Example # 2:
If the “Default RADIUS permissions” option is set to “None, must use RADIUS attributes” and the
RADIUS server returned a FILTER-ID attribute with the string “IP-Reach:NAP”, then the user would
have network access, administrator, and PC Share permissions. The user would not have serial console
access privileges.
Note: When the “Default RADIUS permissions” option is set to “None, must use RADIUS attributes,”
RADIUS user access to IP-Reach will be denied unless the FILTER-ID is used to grant the user
permissions.
Note: To maintain backward compatibility with the existing Raritan installed base, IP-Reach also
supports the same FILTER-ID attributes prefaced by the string "TeleReach:". Therefore, if you have
upgraded your TeleReach firmware to IP-Reach, you need not reformat your RADIUS permissions.
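Added example (not part of the original manual and not Raritan code): a Python helper for reviewing
a RADIUS configuration, which computes the permissions a user ends up with from the default setting
and the returned FILTER-ID strings and reproduces Examples 1 and 2. It assumes letters are applied
left to right, that FILTER-ID values without either prefix are ignored, and that unknown letters are
rejected; the function and constant names are illustrative.

```python
# Added example: offline audit helper, not Raritan firmware code.
PERMISSIONS = {
    "A": "administrator",
    "K": "keyboard and mouse control",
    "M": "modem access",
    "N": "network access",
    "S": "serial console access",
    "P": "PC Share",
}
PREFIXES = ("IP-Reach:", "TeleReach:")  # the manual says both prefixes are supported

# Default settings named on this page, written with the same letters.
DEFAULT_USER = frozenset("NMP")  # "User permissions (Net,Modem,PC Share)"
DEFAULT_NONE = frozenset()       # "None, must use RADIUS attributes"


def effective_permissions(defaults, filter_ids):
    """Return the permission letters left after applying each FILTER-ID value.

    Assumptions (not stated in the manual): letters apply left to right,
    values for other products are skipped, unknown letters raise an error.
    """
    granted = set(defaults)
    for value in filter_ids:
        prefix = next((p for p in PREFIXES if value.startswith(p)), None)
        if prefix is None:
            continue  # FILTER-ID intended for some other device
        for letter in value[len(prefix):]:
            if letter.upper() not in PERMISSIONS:
                raise ValueError(f"unknown permission letter {letter!r} in {value!r}")
            if letter.isupper():
                granted.add(letter)              # upper case adds
            else:
                granted.discard(letter.upper())  # lower case subtracts
    return granted


def describe(granted):
    """Sorted human-readable permission names for a review report."""
    return sorted(PERMISSIONS[g] for g in granted)


if __name__ == "__main__":
    # Constructed sample: (user, default setting, FILTER-ID values returned).
    sample = [("alice", DEFAULT_USER, ["IP-Reach:m"]),
              ("bob", DEFAULT_NONE, ["TeleReach:NAP"]),
              ("carol", DEFAULT_NONE, [])]
    for user, defaults, fids in sample:
        perms = effective_permissions(defaults, fids)
        print(user, describe(perms) or "no permissions granted: access denied")
```

Running it against an export of the FILTER-ID values configured per user or group shows, before a change is deployed, which accounts would receive administrator or keyboard and mouse control.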