54 IP-REACH USER MANUAL
Remote Authentication Implementation
Introduction
Note to CommandCenter Users
If you plan to configure IP-Reach to be integrated with and controlled by Raritan’s CommandCenter
management appliance, this section of the User Manual does not apply to you. When an IP-Reach unit is
controlled by CommandCenter, CommandCenter determines the allowed users and groups. Please refer to
your CommandCenter User Guide.
Note to Raritan Customers Upgrading from Previous Firmware Versions
If you have previously implemented RADIUS authentication on Raritan products such as Dominion KSX
and IP-Reach running legacy firmware versions earlier than v3.2, read this entire section carefully
.
Beginning with firmware version v3.2 and above, the implementation of external authentication has
changed significantly to provide more flexible and powerful configurations.
Supported Protocols
To simplify management of usernames and passwords, IP-Reach is able to forward authentication requests
to an external authentication server. IP-Reach supports two external authentication protocols: LDAP and
RADIUS.
Note on Microsoft Active Directory
Microsoft Active Directory uses the LDAP protocol natively, and can function as an LDAP server and
authentication source for IP-Reach. If it has the IAS (Internet Authorization Server) component, a
Microsoft Active Directory server can also serve as a RADIUS authentication source.
Remote Authentication Implementation
Priority
When a user tries to authenticate to an IP-Reach unit that is configured for external authentication, IP-
Reach first checks its own internal user database for that username. If the username is not found in the IP-
Reach internal database, the request is forwarded to the external authentication server.
• If Username is not found in IP-Reach internal database: Request is forwarded to external
authentication server to determine whether the login is allowed or denied.
• If Username is found in IP-Reach internal database and Password is correct: Login is allowed.
• If Username is not found in IP-Reach internal database and Password is incorrect: Login is
denied; the request does NOT get forwarded to the external authentication server.