Chapter 9: configuring remote authentication, Authentication and authorization, Flow for authentication – Raritan Engineering Command Center CC-SG User Manual

C

HAPTER

9:

C

ONFIGURING

R

EMOTE

A

UTHENTICATION

113

Chapter 9: Configuring Remote Authentication

Authentication and Authorization

Users of CC-SG can be locally authenticated and authorized on the CC-SG or remotely
authenticated using the following supported directory servers:
• Microsoft Active Directory (AD)

• Netscape’s Lightweight Directory Access Protocol (LDAP)

• TACACS+
• RADIUS

Any number of remote RADIUS, TACACS+, and LDAP servers can be used for external
authentication. For example, you could have three Active Directory (AD) servers, two iPlanet
(LDAP) servers, and three RADIUS servers.

Flow for Authentication

When remote authentication is enabled, authentication and authorization follow these steps:
1. The user logs into CC-SG with the appropriate user name and password.
2. CC-SG connects to the external server and sends the user name and password.
3. User name and password are either accepted or rejected and sent back. If authentication is

rejected, this results in a failed login attempt.

4. If authentication is successful, local authorization is performed where CC-SG checks if user

name entered matches a group or “users not in group” and grants privileges per the assigned
policy. In the case of Active Directory authorization, the server returns a list of group names
that were assigned a policy. CC-SG will then match the groups and assign the appropriate
privileges as specified in the policy.

When remote authentication is disabled, both authentication and authorization are performed
locally on CC-SG.

User Accounts

User Accounts must be added to the authentication server for remote authentication. Except when
using Active Directory for both authentication and authorization, all remote authentication servers
require that users be created on CC-SG. The user’s user name on both the authentication server
and on CC-SG must be the same, although the passwords may be different. The local password is
used only when remote authentication is disabled. Please see Chapter 7: Adding Users and
User Groups for additional information on adding users who will be remotely authenticated.

Note: If remote authentication is used, users have to contact their Administrators to change their
passwords on the remote server. Passwords cannot be changed on the CC-SG server for remotely
authenticated users.

To use CC-SG for port level authorization, a local account with assigned ports must be added.