Perle Systems SCS, STS Configuring Security

IOLAN SDS/SCS/STS User’s Guide, Version 3.6 203

Configuring Security Chapter 9

Introduction

The Security group includes the following configuration options:

zAuthentication—When a serial port is configured for the

Console Management or TCP Sockets profile, the user can be

authenticated either locally in the IOLAN user profile or

externally. This option configures the external authentication

server. See Authentication on page 203 for more information.

zSSH—This config uration window configures the SSH server in

the IOLAN. See SSH on page 213 for more information.

zSSL/TLS—This configuration window configures global

SSL/TLS settings, which can be overridden on the serial port

level. See SSL/TLS on page 216 for more information.

zVPN—This configuration window config ures the Virtual Personal Network (VPN) IPsec and

L2TP/IPsec tunn el p a ram e ters. See VPN on page 221 for more information.

zServices—This configuration window is used to enable/disabled client and daemon services that

run in the IOLAN. See Services on page 230 for more information.

Authentication can be handled by the IOLAN or through an external authentication server.

Authentication is different from authorization, which can restrict a user’s access to the network

(although this can be done through the concept of creating sessions for a user, see Sessions Tab on

page 199 for more information). Authenti cation ensures that the user is defined within the

authentication database—with the exception of using the Guest authentication option under Local

Authentication, which can accept any user ID as long as the user knows the configured password.

For external authentication, the IOLAN supports RADIUS, Kerberos, LDAP, TACACS+, SecurID,

and NIS. You can specify a primary authentication method and a secondary authentication method. If

the primary authentication method fails (cannot connect to the server or authentication fails), the

secondary authentication metho d is tri ed (unless you enable the Only Use as backup option, in

which case the secondary authentication method will be tried only when the IOLAN cannot

communicate with the primary authentication host). This allows you to specify tw o different

authentication methods. If you do specify two different authentication methods, the user will be

prompted for his/her username once, but will be prompted for a password for each authentication

method tried. For example, user Alfred’s user ID is maintained in the secondary authentication

database, therefore, he will be prompted for his password twice, because he is not in the primary

authentication database.

Unlike the other external authentication methods, RADIUS and TACACS+ can also send back Serial

Port and User parameters that are used for the duration of the connection. Therefore, any parameters

configured by RADIUS or TACACS+ will override the same parameters configured in the IOLAN.

See Appendix A, RADIUS and TACACS+ on page 335 for more infor mat ion.