9.1.9 Remote groups with TACACS+ authentication
When using TACACS+ authentication, there are two ways to grant a remotely authenticated user
privileges. The first is to set the priv-lvl and port attributes of the raccess service to 12; this is discussed
further in section 9.2 of this document. Additionally or alternatively, group names can be provided to the
console server using the groupname custom attribute of the raccess service.
An example Linux tac-plus config snippet might look like:
user = myuser {
    service = raccess {
        groupname="users"
        groupname1="routers"
        groupname2="dracs"
    }
}
You may also specify multiple groups in one comma-delimited value, e.g. groupname="users,routers,dracs", but
be aware that the maximum length of the attribute value string is 255 characters.
To use an attribute name other than "groupname", set Authentication -> TACACS+ -> TACACS Group
Membership Attribute.
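The following Python script is an added example, not part of the original manual or the vendor's software: it audits a tac_plus configuration and reports, per user, the groups the raccess service would hand to the console server, the priv-lvl value, and any group attribute longer than 255 characters. It assumes that groupname and its numbered variants (groupname1, groupname2, ...) are merged into one list, that whitespace around comma-delimited entries is ignored, and that the config follows the simple layout shown above; the function name audit and the sample config are constructed for illustration.

```python
import re

MAX_VALUE_LEN = 255  # attribute value limit stated in this section

# Constructed sample tac_plus config (not taken from a real deployment).
SAMPLE = '''
user = myuser {
    service = raccess {
        groupname="users"
        groupname1="routers,dracs"
    }
}
user = ops {
    service = raccess {
        priv-lvl = 12
        groupname = "users, users"
    }
}
'''

# Simplified patterns for the layout shown above; not a full tac_plus parser.
USER_RE = re.compile(r'^\s*user\s*=\s*(\S+)\s*\{', re.M)
SERVICE_RE = re.compile(r'service\s*=\s*raccess\s*\{([^{}]*)\}')
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)

def audit(config, attr="groupname"):
    """Return {user: {"groups": [...], "priv_lvl": int or None, "too_long": [...]}}.

    attr is the group attribute name; change it if the TACACS Group
    Membership Attribute setting has been changed on the console server.
    """
    report = {}
    users = list(USER_RE.finditer(config))
    for i, m in enumerate(users):
        # A user's block runs until the next "user =" line (or end of file).
        end = users[i + 1].start() if i + 1 < len(users) else len(config)
        entry = {"groups": [], "priv_lvl": None, "too_long": []}
        for svc in SERVICE_RE.finditer(config[m.end():end]):
            for name, value in ATTR_RE.findall(svc.group(1)):
                if re.fullmatch(re.escape(attr) + r'\d*', name):
                    if len(value) > MAX_VALUE_LEN:
                        entry["too_long"].append(name)  # exceeds the 255 limit
                    for group in (g.strip() for g in value.split(",")):
                        if group and group not in entry["groups"]:
                            entry["groups"].append(group)
                elif name == "priv-lvl":
                    entry["priv_lvl"] = int(value)
        report[m.group(1)] = entry
    return report
```

Comparing the returned groups against the groups defined on the console server shows which remote users end up with more access than intended.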
9.1.10 Idle timeout
You can specify the amount of time, in minutes, that the console server waits before it terminates an idle ssh,
pmshell or web connection.
Select Serial and Network: Authentication.
Web Management Session Timeout specifies the browser console session idle timeout in minutes. The default setting is 20 minutes.
CLI Management Session Timeout specifies the ssh console session idle timeout in minutes. The default setting is to never expire.
Console Server Session Timeout specifies the pmshell serial console server session idle timeout in minutes. The default setting is to never expire.
9.1.11 Kerberos authentication
Kerberos authentication can be used with UNIX and Windows (Active Directory) Kerberos servers.
This form of authentication does not provide group information, so a local user with the same username
must be created and its permissions set.
724-746-5500 | blackbox.com