26 CPS Installer/User Guide

Authentication of serial CLI port sessions

Using the Server CLI command, you may enable or disable user authentication at the serial CLI port. You may also configure a preemption level that will be used by a serial CLI port user when user authentication is disabled on that port. By default, authentication is enabled on the serial CLI port.

When enabled, a serial CLI port user is authenticated against the local CPS user database, using the access rights/level and preemption level configured for that user with the User Add/User Set command.

When disabled, a serial CLI port user is not authenticated and will be assigned the appliance administrator access level. If that CLI port user attempts to connect to another CPS port (assuming connection ability is enabled), and that port is already in use, the preemption level configured with the Server CLI command is used. For more information, see Preemption on page 21.

PPP sessions are always authenticated using the method specified with the Server Security command. In other words, enabling/disabling user authentication at the serial CLI port does not apply to PPP dial-in connections.

Authentication summary

The CPS appliance allows concurrent use of multiple authentication methods. This allows Telnet, SSH and DSView software clients to all access a single CPS appliance as long as the appropriate authentication methods are enabled.

For example, if you enable local and DS authentication (which is the default), DSView software clients will always be authenticated using DSView software servers. Telnet and SSH clients will be authenticated using the CPS local user database first, and DSView software second.

Similarly, if you enable DS and RADIUS authentication, DSView software clients will always be authenticated using DSView software servers. Telnet and SSH clients will be authenticated using the RADIUS servers.

As indicated above, DSView software servers will always be used for DSView software clients. For Telnet and SSH clients, the order in which you specify the authentication methods determines the order in which each method is used.

For example, if you enable local and RADIUS authentication (in that order), authentication first uses the local CPS user database. If that fails, authentication goes to the defined RADIUS servers. If you enable RADIUS and local authentication (in that order), authentication goes first to the defined RADIUS servers. If that fails, the local CPS user database is used.

To specify the authentication method:

1. For RADIUS authentication, issue a Server RADIUS command.

SERVER RADIUS PRIMARY|SECONDARY IP=<radius_ip> SECRET=<secret> USER-RIGHTS=<attr> [AUTHPORT=<udp>] [TIMEOUT=<time-out>] [RETRIES=<retry>]