
12: User Authentication

RADIUS

The system administrator can configure the SLC console manager to use RADIUS to authenticate users attempting to log in using the Web, Telnet, SSH, or the console port.

Users who are authenticated through RADIUS are granted device port access through the port permissions on this page.

All RADIUS users are members of a group that has predefined user rights associated with it. You can add additional user rights that are not defined by the group.

To configure the SLC unit to use RADIUS to authenticate users:

1. Click the User Authentication tab and select RADIUS. The following page displays.

Figure 12-6 User Authentication > RADIUS

SLC™ Console Manager User Guide 185


2. Enter the following:

Enable RADIUS Displays selected if you enabled this method on the User Authentication page. If you want to set up this authentication method but not enable it immediately, clear the checkbox.

Note: You can enable RADIUS here or on the first User Authentication page. If you enable RADIUS here, it automatically displays at the end of the order of precedence on the User Authentication page.

RADIUS Server #1 IP address or hostname of the primary RADIUS server. This RADIUS server may be a proxy for SecurID.

SecurID is a two-factor authentication method based on the user's SecurID token and pin number. The SecurID token displays a string of digits called a token code that changes once a minute (some tokens are set to change codes every 30 seconds).

Server #1 Port Number of the TCP port on the RADIUS server used for the RADIUS service. If you do not specify an optional port, the SLC console manager uses the default RADIUS port (1812).

Server #1 Secret Text that serves as a shared secret between a RADIUS client and the server (SLC). The shared secret is used to encrypt a password sent between the client and the server. May have up to 128 characters.

RADIUS Server #2 IP address or host name of the secondary RADIUS server. This server can be used as a SecurID proxy.

Server #2 Port Number of the TCP port on the RADIUS server used for the RADIUS service. If you do not specify an optional port, the SLC console manager uses the default RADIUS port (1812).

Server #2 Secret Text that serves as a shared secret between a RADIUS client and the server (SLC). The shared secret is used to encrypt a password sent between the client and the server. May have up to 128 characters.

Timeout The number of seconds (1-30) after which the connection attempt times out. The default is 30 seconds.

Use VSA Select the check box to obtain remote user attributes (group/permissions and port access) from the RADIUS server via the Vendor-Specific Attribute (VSA). For details on the format of the VSA, see User Attributes & Permissions from LDAP Schema or RADIUS VSA on page 189.

Custom Menu If custom menus have been created, you can assign a default custom menu to RADIUS users.

Escape Sequence A single character or a two-character sequence that causes the SLC console manager to leave direct (interactive) mode. (To leave listen mode, press any key.)

A suggested value is Esc+A (escape key, then uppercase "A" performed quickly but not simultaneously). You would specify this value as \x1bA, which is hexadecimal (\x) character 27 (1B) followed by an A.

This setting allows the user to terminate the connect direct command on the command line interface when the endpoint of the command is deviceport, tcp, or udp.

Break Sequence A series of 1-10 characters users can enter on the command line interface to send a break signal to the external device. A suggested value is Esc+B (escape key, then uppercase "B" performed quickly but not simultaneously). You would specify this value as \x1bB, which is hexadecimal (\x) character 27 (1B) followed by a B.


Enable for Dial-back Select to grant a user dial-back access. Users with dial-back access can dial into the SLC unit and enter their login and password. Once the SLC unit authenticates them, the modem hangs up and dials them back. Disabled by default.

Dial-back Number The phone number the modem dials back on depends on this setting for the device port. The user is either dialed back on a fixed number, or on a number that is associated with the user’s login (specified here).

Data Ports The ports users are able to monitor and interact with using the connect direct command.

Listen Port The ports users are able to monitor using the connect listen command.

Clear Port Buffers The ports whose port buffer users may clear using the set locallog clear command.

Note: Older RADIUS servers may use 1645 as the default port. Check your RADIUS server configuration.

3. In the User Rights section, select the user group to which RADIUS users will belong.

Group Select the group to which the RADIUS users will belong:

Default Users: This group has only the most basic rights. You can specify additional rights for the individual user.

Power Users: This group has the same rights as Default Users plus Networking, Date/Time, Reboot & Shutdown, and Diagnostics & Reports.

Administrators: This group has all possible rights.

4. Select or clear the checkboxes for the following rights:

Full Administrative Right to add, update, and delete all editable fields.

Networking Right to enter Network settings.

Services Right to enable and disable system logging, SSH and Telnet logins, SNMP, and SMTP.

Secure Lantronix Network Right to view and manage Secure Lantronix units (e.g., SLP, Spider, SLC and SLB unit) on the local subnet.

Date/Time Right to set the date and time.

Local Users Right to add or delete local users on the system.

Remote Authentication Right to assign a remote user to a user group and assign a set of rights to the user.

SSH Keys Right to set SSH keys for authenticating users.

User Menus Right to create a custom user menu for the CLI for NIS users.

Web Access Right to access Web-Manager.

Diagnostics & Reports Right to obtain diagnostic information and reports about the unit.

Reboot & Shutdown Right to use the CLI or shut down the SLC and then reboot it.

Firmware & Configuration Right to upgrade the firmware on the unit and save or restore a configuration (all settings). Selecting this option automatically selects Reboot & Shutdown.

Device Port Operations Right to control device ports.

Device Port Configuration Right to access port settings.


USB Right to enter modem settings for USB. The USB checkbox is available for certain SLC and SLB models.

PC Card Right to enter modem settings for PC cards. Includes managing storage PC cards. The PC card checkbox is available for certain SLC and SLB models.

5. Click the Apply button.

Note: You must reboot the unit before your changes will take effect.

RADIUS Commands

These commands for the command line interface correspond to the web page entries described above.

To configure the SLC console manager to use RADIUS to authenticate users who log in via the Web, SSH, Telnet, or the console port:

set radius <one or more parameters>

Parameters:

accessoutlets <Outlet List>
breakseq <1-10 Chars>
clearports <Port List>
dataports <Port List>
escapeseq <1-10 Chars>
listenports <Port List>
state <enable|disable>

To identify the RADIUS server(s), the text secret, and the number of the TCP port on the RADIUS server:

set radius server <1|2> host <IP Address or Hostname> secret <Secret> [port <TCP Port>]

The default port is 1812.

To set the number of seconds after which the connection attempt times out:

set radius timeout <disable|1-30>

May be 1-30 seconds.

To set user group and permissions for RADIUS users:

set radius group <default|power|admin>

To set permissions for RADIUS users not already defined by the user rights group:

set radius permissions <Permission List>

where <Permission List> is one or more of nt, sv, dt, lu, ra, sk, um, dp, ub, rs, rc, dr, wb, sn, ad, po, pc


To remove a permission, type a minus sign before the two-letter abbreviation for a user right.

To set a default custom menu for RADIUS users:

set radius custommenu <Menu Name>

To view RADIUS settings:

show radius

User Attributes & Permissions from LDAP Schema or RADIUS VSA

Remote user attributes (group/permissions and port access) can be obtained from an Active Directory server's schema via the user attribute 'secureLinxSLCPerms', or from a RADIUS server's Vendor-Specific Attribute (see below). This attribute is a set of parameter-value pairs. Each parameter and value is separated by a space, and a space separates each parameter-value pair. Whitespace is not supported in the value strings. The parameters that are supported are:

rights - User rights. The value string is a comma-separated list of two letter user permissions. Example: "nt,wb,ra".

data - Data port access. The value string specifies the list of ports the user has 'direct' access to. Example: "2,4-18,U,L".

listen - Listen port access. The value string specifies the list of ports the user has 'listen' access to.

clear - Clear port access. The value string specifies the list of port buffers the user has the right to clear.

group - User group. Valid values for the value string are "default", "power", and "admin", and any SLC or SLB custom group name. If a custom group name is specified and it matches a current SLC custom group name, any rights attribute will be ignored, and the custom group's rights (permissions) will be used instead. A group name with spaces cannot be specified.

escseq - Escape sequence. The value string specifies the user's escape sequence. Use "\x" to specify non-printable characters. For example, "\x1bA" specifies the sequence "ESC-A".

brkseq - Break sequence. The value string specifies the user's break sequence.

menu - Custom user menu. The value string specifies the user's custom user menu.

display - Display custom user menu when a user logs into the CLI. Valid values for the value string are "yes" and "no".

dbnumber - Dial-back number. The value string specifies the user's dial-back number for modem dial-back connections.

allowdb - Allow a user to have dial-back access. Valid values for the value string are "yes" and "no".
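As an added example (not from the Lantronix guide or its firmware), the following Python validator parses a VSA value string in the format described above before it is pushed to a RADIUS server: it expands port lists such as "2,4-18,U,L", checks the rights list against the two-letter codes listed under set radius permissions, decodes the "\x" escape form, and applies the rule that a matching custom group name overrides any rights attribute. The function names and the custom_groups argument, which stands in for the SLC's configured custom groups, are this example's own assumptions.

```python
import re

# Two-letter user rights, built-in groups and VSA parameter names from the SLC guide.
PERMISSIONS = set("nt sv dt lu ra sk um dp ub rs rc dr wb sn ad po pc".split())
GROUPS = {"default", "power", "admin"}
PARAMS = set("rights data listen clear group escseq brkseq menu display dbnumber allowdb".split())

def parse_port_list(value):
    """Expand a port list such as "2,4-18,U,L" into a set of ints plus the U/L tokens."""
    ports = set()
    for item in value.split(","):
        if item in ("U", "L"):
            ports.add(item)
        elif m := re.fullmatch(r"(\d+)-(\d+)", item):
            ports.update(range(int(m[1]), int(m[2]) + 1))
        elif item.isdigit():
            ports.add(int(item))
        else:
            raise ValueError(f"bad port list item: {item!r}")
    return ports

def decode_seq(value):  # turn the guide's "\x1bA" form into raw ESC followed by "A"
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m[1], 16)), value)

def parse_vsa(attr, custom_groups=()):
    """Parse the space-separated parameter/value pairs of the VSA value string."""
    tokens = attr.split()  # value strings never contain whitespace
    if len(tokens) % 2:
        raise ValueError("unpaired parameter/value")
    out = {}
    for name, value in zip(tokens[::2], tokens[1::2]):
        if name not in PARAMS:
            raise ValueError(f"unknown parameter {name!r}")
        if name == "rights":
            out[name] = set(value.split(","))
            if out[name] - PERMISSIONS:
                raise ValueError(f"unknown rights: {sorted(out[name] - PERMISSIONS)}")
        elif name in ("data", "listen", "clear"):
            out[name] = parse_port_list(value)
        elif name in ("escseq", "brkseq"):
            out[name] = decode_seq(value)
        elif name in ("display", "allowdb"):
            out[name] = {"yes": True, "no": False}[value]  # KeyError on anything else
        elif name == "group" and value not in GROUPS and value not in custom_groups:
            raise ValueError(f"unknown group {value!r}")
        else:  # group, menu and dbnumber are kept as plain strings
            out[name] = value
    if out.get("group") in custom_groups:  # a matching custom group's own rights win
        out.pop("rights", None)
    return out
```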

RADIUS servers will need to be configured to support the Lantronix Vendor-Specific Attribute. For example, on a FreeRADIUS server, the dictionary will need to be updated with the Lantronix definition by including the contents below in a file named dictionary.lantronix, and including it in the RADIUS server dictionary definitions by adding the appropriate $INCLUDE directive to the main dictionary file.
