Setting up Remote Authentication methods in NodeGrid

            Note: this configuration applies only to software version 3.2.x and later.

            With NodeGrid Software version 3.2.x, it is now possible to have multiple authentication methods.

            Use Case

            Some networks have more than one authentication server, such as LDAP servers for multiple domains, or two RADIUS servers and one AD server, each used by different users, groups, or teams.


            Example

            You have the following settings in NodeGrid:

            First authentication method: LDAP#1 with domain abc.com

            Second authentication method: LDAP#2 with domain xyz.com

            Third authentication method: Radius

            Last authentication method: Local

            Note: the fallback option is enabled in each authentication server's settings.

            John is in the LDAP#2 user database and wants to access NodeGrid. His credentials are sent to LDAP#1 first; because that user is not in its database and fallback is enabled, authentication falls through to LDAP#2. The credentials are correct, so John is granted access.

            Mike is in the RADIUS user database: authentication passes through LDAP#1 and LDAP#2 and then falls through to RADIUS.

            The NodeGrid administrator wants to access the unit via ssh as root. Authentication passes through LDAP#1, LDAP#2 and RADIUS, and then falls through to Local.

            Authentication methods configuration 

            Log in as admin to the NodeGrid's webui.

            Go to Security :: Authentication page, and click on Add.

            Select the Authentication method desired as follows:

            LDAP or AD

            1. Enter the Server IP address and the Base;
            2. From the Secure drop-down menu, select Start_TLS, On or Off;
            3. Enter the Database User Name and the Database Password, then re-type the password in the Password field to confirm it;
            4. Enter the Login and Group Attributes, if any;
            5. Optionally, enable Fallback if denied access, and then click on Save.

            RADIUS

            1. Enter the Remote and Accounting Servers' IP addresses;
            2. Enter the secret word in both the Secret and Confirm Secret fields;
            3. In the Timeout field, enter the number of seconds for server timeout, and in the Retries field, enter the desired number of retries;
            4. If the Enable ServiceType attribute association to local authorization group checkbox is checked, type the authorization group name for each of the following Service Types: Callback Framed, Login, Callback Login, Framed, Administrative and Outbound;
            5. Optionally, enable Fallback if denied access, and then click on Save.

            TACACS+

            1. Enter the Remote and Accounting Servers' IP addresses;
            2. From the Service drop-down menu, choose the requested service (PPP, raccess or Shell, depending on the TACACS+ Remote Server settings);
            3. Enter the passphrase or secret word in both the Secret and Confirm Secret fields;
            4. In the Timeout field, enter the number of seconds for server timeout, and in the Retry field, the number of allowed retries;
            5. If the Enable User-Level attribute of Shell and raccess services association to local authorization group checkbox is checked, enter the local authorization group name for each User-Level, up to 15 user levels;
            6. Optionally, enable Fallback if denied access, and then click on Save.

            Kerberos

            1. Enter the server's IP address (Realm), then the Realm Domain Name;
            2. Enter the Domain Name;
            3. Optionally, enable Fallback if denied access, and then click on Save.


            Repeat the steps above to add other Authentication methods.


            Note that Local authentication is always the last method.

            The authentication process stops at a server if that server denies the user. If the server is unresponsive, the process continues to the next method. If the Fallback if denied access option is enabled on a server, the process also continues to the next method when that server denies the user.

            If you want to delete a server, select that server and click on the Delete button.
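            The three rules above, applied to the LDAP#1 / LDAP#2 / Radius / Local order from the Example section, as an added Python model. This is not NodeGrid code: the user databases, the passwords and the unresponsive-server switch are constructed for illustration, and a real server's answer would come from an LDAP bind, a RADIUS Access-Request and so on.

```python
from dataclasses import dataclass, field

# Per-server outcomes the article distinguishes.
ACCEPT, DENY, UNREACHABLE = "accept", "deny", "unreachable"


@dataclass
class AuthServer:
    name: str                 # label used in the article, e.g. "LDAP#1"
    method: str               # ldap_or_ad, radius, tacacs+, kerberos or local
    fallback_if_denied: bool  # the "Fallback if denied access" option
    users: dict = field(default_factory=dict)  # constructed user database: user -> password
    reachable: bool = True    # False simulates a timed-out / unresponsive server

    def check(self, user, password):
        """Simulated answer from this server (constructed; not a real LDAP/RADIUS query)."""
        if not self.reachable:
            return UNREACHABLE
        return ACCEPT if self.users.get(user) == password else DENY


def authenticate(chain, user, password):
    """Walk the ordered chain and return (granted, deciding_server, trail).

    Rules from the article: a deny ends the process at that server unless its
    fallback option is enabled; an unresponsive server is skipped regardless;
    Local, always last, has no further method to fall through to."""
    trail = []
    for server in chain:
        result = server.check(user, password)
        trail.append((server.name, result))
        if result == ACCEPT:
            return True, server.name, trail
        if result == DENY and not server.fallback_if_denied:
            return False, server.name, trail
        # UNREACHABLE, or DENY with fallback enabled: try the next method
    return False, None, trail


def example_chain(fallback=True):
    """The article's example order with constructed accounts and passwords."""
    return [
        AuthServer("LDAP#1 (abc.com)", "ldap_or_ad", fallback, {"alice": "pw-a"}),
        AuthServer("LDAP#2 (xyz.com)", "ldap_or_ad", fallback, {"john": "pw-j"}),
        AuthServer("Radius", "radius", fallback, {"mike": "pw-m"}),
        AuthServer("Local", "local", False, {"root": "pw-r", "admin": "pw-adm"}),
    ]


if __name__ == "__main__":
    for user, pw in [("john", "pw-j"), ("mike", "pw-m"), ("root", "pw-r"), ("john", "wrong")]:
        print(user, authenticate(example_chain(), user, pw))
    # With fallback disabled, anyone not in LDAP#1 is denied there and never reaches LDAP#2.
    print("john, fallback off:", authenticate(example_chain(fallback=False), "john", "pw-j"))
```

            The fallback=False run is the contrast worth noticing: with the option off, a user that LDAP#1 does not know is denied there and never reaches the server that does know him, while an unresponsive LDAP#1 is skipped either way. Disabling fallback therefore pins a user to the first responsive server in the order, which is what keeps a wrong password from being tried against every database in turn.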


            Additional Information

            By default, admin and root users have local authentication via the console port of the NodeGrid.

            It can be disabled if network security policies do not allow it.

            To disable it, go to the Security :: Authentication page and click on the Console button.

            Uncheck the "Enable Admin and Root users Fallback to Local Authentication on Console" parameter and Save.

            Configuration via CLI

            Log in as admin to NodeGrid via console or ssh, then type the following:

            [admin@nodegrid /]# cd /settings/authentication/servers/

            [admin@nodegrid servers]# add

            LDAP or AD

            [admin@nodegrid {servers}]# set method=ldap_or_ad

            [admin@nodegrid {servers}]# set remote_server=<LDAP/AD IP>

            [admin@nodegrid {servers}]# set ldap_ad_base=<base>

            [admin@nodegrid {servers}]# set ldap_ad_database_username=<user>

            [admin@nodegrid {servers}]# set ldap_ad_database_password=<password>

            [admin@nodegrid {servers}]# set fallback_if_denied_access=yes

            [admin@nodegrid {servers}]# commit

            Radius

            [admin@nodegrid {servers}]# set method=radius

            [admin@nodegrid {servers}]# set remote_server=<radius IP>

            [admin@nodegrid {servers}]# set radius_accounting_server=<accounting IP>

            [admin@nodegrid {servers}]# set radius_secret=<radius secret>

            [admin@nodegrid {servers}]# set fallback_if_denied_access=yes

            [admin@nodegrid {servers}]# commit

            Optionally, the following parameters can be changed/set, depending on the Radius Remote Server's settings:

            [admin@nodegrid {servers}]# set radius_timeout=

            [admin@nodegrid {servers}]# set radius_retries=

            [admin@nodegrid {servers}]# set radius_enable_servicetype=yes

            [admin@nodegrid {servers}]# set radius_service_type_login=

            [admin@nodegrid {servers}]# set radius_service_type_framed=

            [admin@nodegrid {servers}]# set radius_service_type_callback_login=

            [admin@nodegrid {servers}]# set radius_service_type_callback_framed=

            [admin@nodegrid {servers}]# set radius_service_type_outbound=

            [admin@nodegrid {servers}]# set radius_service_type_administrative=

            [admin@nodegrid {servers}]# commit

            Tacacs+

            [admin@nodegrid {servers}]# set method=tacacs+

            [admin@nodegrid {servers}]# set remote_server=<TACACS+ IP>

            [admin@nodegrid {servers}]# set tacacs+_accounting_server=<accounting IP>

            [admin@nodegrid {servers}]# set tacacs+_service=<ppp/raccess/shell>

            [admin@nodegrid {servers}]# set tacacs+_secret=<tacacs+ secret>

            [admin@nodegrid {servers}]# set tacacs+_version=<v0/v1/v0_v1/v1_v0>

            [admin@nodegrid {servers}]# set fallback_if_denied_access=yes

            [admin@nodegrid {servers}]# commit

            Optionally, the following parameters can be changed/set, depending on the Tacacs+ Remote Server's settings:

            [admin@nodegrid {servers}]# set tacacs+_timeout=

            [admin@nodegrid {servers}]# set tacacs+_retries=

            [admin@nodegrid {servers}]# set tacacs+_enable_user-level=yes

            [admin@nodegrid {servers}]# set tacacs+_user_level_1=

            [admin@nodegrid {servers}]# set tacacs+_user_level_2=

            ...

            [admin@nodegrid {servers}]# set tacacs+_user_level_14=

            [admin@nodegrid {servers}]# set tacacs+_user_level_15=

            [admin@nodegrid {servers}]# commit

            Kerberos

            [admin@nodegrid {servers}]# set method=kerberos

            [admin@nodegrid {servers}]# set remote_server=<Kerberos IP>

            [admin@nodegrid {servers}]# set kerberos_domain_name=<kerberos domain>

            [admin@nodegrid {servers}]# set kerberos_realm_domain_name=<kerberos realm domain>

            [admin@nodegrid {servers}]# set fallback_if_denied_access=yes

            [admin@nodegrid {servers}]# commit


            Delete an Authentication method

            If you would like to delete servers, type:

            cd /settings/authentication/servers

            show

            delete <index number>

            commit


            Example:

            [admin@nodegrid /]# cd /settings/authentication/servers

            [admin@nodegrid servers]# show

              index  method      remote server  fallback
              =====  ==========  =============  ========
              1      ldap or ad  1.1.1.1        disabled
              2      radius      2.2.2.2        disabled
              3      local                      disabled

            Try ls command instead...

            [admin@nodegrid servers]# delete 2

            [+admin@nodegrid servers]# commit
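            The show output above can be parsed to look up the index to delete and to verify that local is the last entry. The following is an added Python example, not a NodeGrid tool; SHOW_OUTPUT is a constructed copy of the table in this article, and the parser assumes the columns are fixed-width as laid out by the "=====" separator line.

```python
import re

# Constructed copy of the `show` output in this article; not captured from a device.
# The trailing "Try ls command instead..." line is included because the CLI prints
# it after the table and a parser has to skip it.
SHOW_OUTPUT = """\
  index  method      remote server  fallback
  =====  ==========  =============  ========
  1      ldap or ad  1.1.1.1        disabled
  2      radius      2.2.2.2        disabled
  3      local                      disabled
Try ls command instead...
"""


def parse_show(text):
    """Return one dict per server row, keyed by the column headers.

    Column boundaries come from the '=====' separator line rather than from
    whitespace splitting, so an empty cell (local has no remote server) still
    lands in the right column."""
    lines = text.splitlines()
    try:
        sep_idx = next(i for i, ln in enumerate(lines)
                       if re.fullmatch(r"\s*=+(\s+=+)*\s*", ln))
    except StopIteration:
        raise ValueError("no column separator line found in show output")
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[sep_idx])]
    names = [lines[sep_idx - 1][s:e].strip() for s, e in spans]
    rows = []
    for ln in lines[sep_idx + 1:]:
        cells = [ln[s:e].strip() for s, e in spans]
        if not cells[0].isdigit():      # blank line or CLI chatter, not a table row
            continue
        rows.append(dict(zip(names, cells)))
    return rows


def find_index(rows, method, remote_server=None):
    """Index to pass to `delete`, or None when no row matches."""
    for row in rows:
        if row["method"] == method and remote_server in (None, row["remote server"]):
            return int(row["index"])
    return None


def local_is_last(rows):
    """Check the article's invariant that Local is the last method in the chain."""
    return bool(rows) and rows[-1]["method"] == "local"


if __name__ == "__main__":
    servers = parse_show(SHOW_OUTPUT)
    for row in servers:
        print(row)
    print("delete", find_index(servers, "radius", "2.2.2.2"))
    print("local is last:", local_is_last(servers))
```

            Deriving the column spans from the separator line is what makes the empty remote server cell of the local entry parse correctly; splitting on runs of spaces would shift "disabled" into the wrong column for that row.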

             

            Disable Fallback on Console

            To disable the Fallback on console option from the CLI:

            [admin@nodegrid /]# cd /settings/authentication/fallback_on_console/

            [admin@nodegrid fallback_on_console]# set admin_and_root_fallback_to_local_on_console=no

            [admin@nodegrid fallback_on_console]# commit


            Updated: 06 Jun 2017 03:02 AM