9.1.9 Remote groups with TACACS+ authentication

When using TACACS+ authentication, there are two ways to grant a remotely authenticated user privileges. The first is to set the priv-lvl and port attributes of the raccess service to 12; this is discussed further in section 9.2 of this document. Additionally or alternatively, group names can be provided to the console server using the groupname custom attribute of the raccess service.

An example Linux tac-plus config snippet might look like:

    user = myuser {
        service = raccess {
            groupname="users"
            groupname1="routers"
            groupname2="dracs"
        }
    }

You may also specify multiple groups in one comma-delimited value, e.g. groupname="users,routers,dracs", but be aware that the maximum length of the attribute value string is 255 characters.

To use an attribute name other than "groupname", set Authentication -> TACACS+ -> TACACS Group Membership Attribute.
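The following is an added illustration, not code from the LES1348A firmware or from tac-plus, of how the attribute handling described above can be interpreted on the receiving side: the configured attribute name (groupname by default) is matched together with its numbered variants (groupname1, groupname2, ...), each value may be a comma-delimited list, and a value longer than the 255-character limit is rejected rather than silently truncated, since a truncated list would grant a different set of groups than the administrator intended. The sample attribute-value pairs are constructed to mirror the tac-plus snippet above; the function name extract_groups is an assumption made for this example.

```python
import re
from typing import Iterable, List

# Constructed sample of the attribute-value pairs a TACACS+ server might return
# in an authorization reply for the "raccess" service (mirrors the tac-plus
# snippet in this section). Not a capture from a real server.
SAMPLE_AVPAIRS = [
    "priv-lvl=12",
    "groupname=users",
    "groupname1=routers",
    "groupname2=dracs",
]

# Maximum attribute value length stated in this section of the manual.
MAX_ATTR_VALUE_LEN = 255

# TACACS+ attribute-value pairs use "=" for mandatory and "*" for optional
# attributes; capture the key and the value around whichever separator appears.
_AVPAIR_RE = re.compile(r"^([^=*]+)[=*](.*)$")


def extract_groups(avpairs: Iterable[str], attr_name: str = "groupname",
                   max_len: int = MAX_ATTR_VALUE_LEN) -> List[str]:
    """Return the group names carried by attr_name, attr_name1, attr_name2, ...

    attr_name corresponds to the "TACACS Group Membership Attribute" setting
    described above. Each value may itself be a comma-delimited list. A value
    longer than max_len raises ValueError instead of being truncated. Order of
    first appearance is preserved and duplicate names are dropped.
    """
    # Match exactly attr_name, optionally followed by digits (groupname, groupname1, ...).
    key_re = re.compile(r"^" + re.escape(attr_name) + r"\d*$")
    groups: List[str] = []
    for pair in avpairs:
        m = _AVPAIR_RE.match(pair)
        if m is None:
            continue  # not a well-formed attribute-value pair; ignore it
        key, value = m.group(1), m.group(2)
        if not key_re.match(key):
            continue  # some other attribute, e.g. priv-lvl
        if len(value) > max_len:
            raise ValueError(f"{key} value exceeds {max_len} characters")
        for name in value.split(","):
            name = name.strip()
            if name and name not in groups:
                groups.append(name)
    return groups


if __name__ == "__main__":
    print(extract_groups(SAMPLE_AVPAIRS))                         # ['users', 'routers', 'dracs']
    print(extract_groups(["groupname=users,routers,dracs"]))      # same result from one comma-delimited value
    print(extract_groups(["group=users"], attr_name="group"))     # attribute name changed via the setting above
```

Note that when the membership attribute is changed to another name, pairs still sent as groupname are ignored entirely, so the server configuration and the console server setting must agree.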

9.1.10 Idle timeout

You can specify the amount of time in minutes that the console server waits before it terminates an idle ssh, pmshell or web connection.

Select Serial and Network: Authentication

Web Management Session Timeout specifies the browser console session idle timeout in minutes. The default setting is 20 minutes.

CLI Management Session Timeout specifies the ssh console session idle timeout in minutes. The default setting is to never expire.

Console Server Session Timeout specifies the pmshell serial console server session idle timeout in minutes. The default setting is to never expire.

9.1.11 Kerberos authentication

Kerberos authentication can be used with UNIX and Windows (Active Directory) Kerberos servers. This form of authentication does not provide group information, so a local user with the same username must be created and permissions set for it.

_____________________________________________________________________

724-746-5500 blackbox.com

Page 174
