Raritan Computer DKSX440 User Manual
Page 78
66
D
OMINION
KSX U
SER
M
ANUAL
Controlling Dominion KSX User Permissions via RADIUS
FILTER-ID
Dominion KSX recognizes, and in some cases requires, optional “FILTER-ID” RADIUS attributes that are returned
by the RADIUS server. These returned attributes communicate permissions for each user, which override default
permissions set for all RADIUS users under the “Default RADIUS Permissions” settings parameter – (see Chapter
4: Administrative Functions, RADIUS Configuration).
The FILTER-ID attribute tells Dominion KSX what permissions to grant or deny each specific RADIUS user (or
user group, since most RADIUS servers can be configured to return this optional attribute per user or for groups of
users).
The FILTER-ID attribute contains an ASCII text string. The form of the string is the text
−
“IP-Reach:letter(s)”
−
where letter(s) represents one or more of the following case-sensitive parameters that denote
access permissions, as follows:
A Add
administrator
permissions.
a Subtract
administrator
permissions.
K
Add keyboard and mouse control permissions.
k
Subtract keyboard and mouse control permissions.
M
Add modem access permissions.
m Subtract
modem
access permissions.
N
Add network access (using Raritan Remote Client software) permissions.
n
Subtract network access (using Raritan Remote Client software) permissions.
V
Add KVM video access permissions
v
Subtract KVM video access permissions
S
Add serial console access permissions.
s
Subtract serial console access permissions.
P
Add PC Share permissions.
p
Subtract PC Share permissions.
Example # 1:
If the “Default RADIUS permissions” option is set to “User permissions (Net,Modem,PC Share)” and the RADIUS
server returned a FILTER-ID attribute with the string “IP-Reach:m”, the modem access permission would be
removed from the user. The user would be left with Network (Raritan Remote Client Software) and PC Share
permissions.
Example # 2:
If the “Default RADIUS permissions” option is set to “None, must use RADIUS attributes” and the RADIUS server
returned a FILTER-ID attribute with the string “IP-Reach:NAP”, then the user would have network access,
administrator, and PC Share permissions. The user would not have serial console access privileges.
Note: When the “Default RADIUS permissions” option is set to “None, must use RADIUS
attributes,” RADIUS user access to Dominion KSX will be denied unless the FILTER-ID is used to
grant the user permissions.
Note: To maintain backward compatibility with the existing Raritan installed base, Dominion KSX
supports FILTER-ID attributes prefaced by the string "TeleReach:" or “IP-Reach”. Therefore, if
you already use Raritan network devices such as TeleReach or IP-Reach, you need not reformat
your RADIUS permissions.