1101 and 1102 Secure Device Servers

Example 2: User Ben is only defined on the TACACS server, which says he has access to ports 5 and 6. When he attempts to log in, a new user will be created for him, and he will be able to access ports 5 and 6. If the TACACS server is down he will have no access.

Example 3: User Paul is defined on a RADIUS server only. He has access to all serial ports and network hosts.

Example 4: User Don is locally defined on an appliance using RADIUS for AAA. Even if Don is also defined on the RADIUS server, he will only have access to those serial ports and network hosts he has been authorized to use on the appliance.

If a “no local AAA” option is selected, then root will still be authenticated locally.

You can add remote users to the admin group via either RADIUS or TACACS. Users may have a set of authorizations set on the remote TACACS server. Users automatically added by RADIUS will have authorization for all resources, whereas those added locally will still need their authorizations specified.

LDAP has not been modified, and will still need locally defined users.

9.2 PAM (Pluggable Authentication Modules)

The console server supports RADIUS, TACACS+, and LDAP for two-factor authentication via PAM (Pluggable Authentication Modules). PAM is a flexible mechanism for authenticating users. A number of new ways of authenticating users have become popular. The challenge is that each time a new authentication scheme is developed, you need to rewrite all the necessary programs (login, ftpd, etc.) to support it.

PAM provides a way to develop programs that are independent of authentication scheme. These programs need “authentication modules” to be attached to them at run-time in order to work. Which authentication module is attached depends on the local system setup and is at the discretion of the local Administrator.

The console server family supports PAM with the following modules added for remote authentication:

RADIUS
- pam_radius_auth

TACACS+
- pam_tacplus

LDAP
- pam_ldap

Further modules can be added as required.

Changes may be made to files in /etc/config/pam.d/ that will persist, even if the authentication configurator runs.

Users added on demand: When a user attempts to log in, but does not already have an account on the console server, a new user account will be created. This account will have no rights, and no password set. It will not appear in the Black Box configuration tools. Automatically added accounts will not be able to log in if the remote servers are unavailable. RADIUS users are currently assumed to have access to all resources, so they will only be authorized to log in to the console server. RADIUS users will be authorized each time they access a new resource.

Admin rights granted over AAA: Users may be granted Administrator rights via networked AAA. For TACACS, a priv-lvl of 12 or above indicates an Administrator. For RADIUS, Administrators are indicated via the Framed-Filter-Id attribute. (See the example configuration files below.)

Authorization via TACACS for both serial ports and host access: Permission to access resources may be granted via TACACS by indicating a Black Box Appliance and a port or networked host the user may access. (See the example configuration files below.)

TACACS Example:

user = tim {
    service = raccess {
        priv-lvl = 11
        port1 = les1102/port02
        port2 = 192.168.254.145/port05
    }
    global = cleartext mit
}

RADIUS Example:

paul Cleartext-Password := "luap"
    Service-Type = Framed-User,
    Fall-Through = No,
    Framed-Filter-Id = ":group_name=admin"

The list of groups may include any number of entries separated by a comma. If the admin group is included, the user will be made an Administrator. If there is already a Framed-Filter-Id, simply add the list of group_names after the existing entries, including the separating colon “:”.
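As an added example (not the appliance's own code), the following Python models how the AAA reply attributes described above are turned into authorizations on the console server: a TACACS priv-lvl of 12 or above or an admin group in Framed-Filter-Id makes an Administrator, raccess portN entries grant individual resources, and RADIUS users are assumed to have access to everything. The attribute dictionaries, the Authz record and the can_access helper are assumptions standing in for what PAM would receive from the servers; the tim and paul inputs are constructed from the two example entries.

```python
import re
from dataclasses import dataclass, field

ADMIN_PRIV_LVL = 12    # manual: TACACS priv-lvl of 12 or above means Administrator
ADMIN_GROUP = "admin"  # manual: 'admin' in the Framed-Filter-Id group list means Administrator
_PORT_KEY = re.compile(r"^port\d+$")  # raccess attributes port1, port2, ...

@dataclass
class Authz:  # rights derived for one remote user, following the manual's rules
    username: str
    is_admin: bool = False
    groups: list = field(default_factory=list)
    ports: list = field(default_factory=list)  # (appliance, resource) pairs granted
    all_resources: bool = False                # RADIUS users are assumed to have everything

def parse_framed_filter_id(value: str) -> list:
    """Group names from a Framed-Filter-Id such as 'other:group_name=admin,users'."""
    groups = []
    for entry in value.split(":"):           # entries are colon-separated
        if entry.startswith("group_name="):
            names = entry[len("group_name="):].split(",")
            groups.extend(n.strip() for n in names if n.strip())
    return groups

def authz_from_radius(username: str, attrs: dict) -> Authz:
    """RADIUS reply attributes -> Authz; only group membership is read."""
    groups = parse_framed_filter_id(attrs.get("Framed-Filter-Id", ""))
    return Authz(username, ADMIN_GROUP in groups, groups, [], all_resources=True)

def authz_from_tacacs(username: str, raccess: dict) -> Authz:
    """Attributes of the TACACS 'raccess' service -> Authz.
    Each portN value is '<appliance>/<resource>', e.g. 'les1102/port02'."""
    ports = []
    for key, val in raccess.items():
        if _PORT_KEY.match(key):
            appliance, _, resource = val.partition("/")
            ports.append((appliance, resource))
    is_admin = int(raccess.get("priv-lvl", 0)) >= ADMIN_PRIV_LVL
    return Authz(username, is_admin, [], ports)

def can_access(a: Authz, appliance: str, resource: str) -> bool:
    """Assumed access check for one serial port or network host on one appliance."""
    return a.is_admin or a.all_resources or (appliance, resource) in a.ports

# Constructed inputs mirroring the manual's tim (TACACS) and paul (RADIUS) entries.
TIM = authz_from_tacacs("tim", {"priv-lvl": "11", "port1": "les1102/port02",
                                "port2": "192.168.254.145/port05"})
PAUL = authz_from_radius("paul", {"Service-Type": "Framed-User", "Fall-Through": "No",
                                  "Framed-Filter-Id": ":group_name=admin"})
```

Because tim's priv-lvl is 11, he is not an Administrator and is limited to the two listed ports, while paul's admin group grants him Administrator rights.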


724-746-5500 blackbox.com
