9.1.9 Remote groups with TACACS+ authentication
When using TACACS+ authentication, t here are two ways to grant a remotel y authenticated user
privileges. The f i rst is t o set the priv-lvl and port attributes of the raccess service to 12, this is discussed
further in section 9.2 of this document. Additi onall y or alternatively, group names can be provided to the
console server using t he groupname custom attribut e of the raccess service.
An example Linux tac-plus config snippet m i ght look like:
user = myuser {
service = raccess {
groupname="users"
groupname1="routers"
groupname2="dracs"
}
}
You may also specify multiple groups in one comma-delimited, e.g. groupname="users,routers,dracs" but
be aware that the maximum length of the attribute v al ue st ring is 255 characters.
To use an attribute nam e other than "groupname", set Authentication -> TACACS+ -> TACACS Group
Membership Attribut e.
9.1.10 Idle timeout
You can specify amount of tim e i n m i nutes the console server wai ts before it terminates an idl e ss h,
pmshell or web connection.
Select Serial and Net work: Au thentication
Web Management Session Timeout specifies the browser consol e session idle timeout in
minutes. The default set ting is 20 minutes
CLI Management Session Tim eout sp ecifies the ssh console session idle timeout in minute s.
The default setting i s t o never expire
Console Server Session Timeout specifies the pmshell se rial console server session idl e
timeout in minutes. The default setting is to never expire
9.1.11 Kerberos authentication
The Kerberos authent i cation can be used with U NI X and Windows (Active Directory) Kerberos servers.
This form of authentication does not provide group information, so a local u ser with the same username
must be created, and permissions set.
_____________________________________________________________________
724-746-5500 | blackbox.com Page 174