Raritan Computer TR361 Switch User Manual

Open as PDF

of 84

CHAPTER 4: ADMINISTRATIVE FUNCTIONS 55

Authentication vs. Authorization

When your IP-Reach unit is configured for remote authentication, the external authentication server is used

primarily for the purposes of authentication, not authorization.

Authorization is determined by IP-Reach on the basis of user groups. That is, once a given user is allowed

to access the IP-Reach system in general (authenticated), that user’s specific permission (authorization) is

determined by IP-Reach based upon the user’s group.

The external authentication server can assist in authorization by informing IP-Reach about the user group to

which a user belongs whenever the authentication server approves a given user’s login request. The

sections Implementing LDAP Remote Authentication and Implementing RADIUS Remote

Authentication that follow explain this in more detail.

The flow diagram below illustrates the steps taken:

User login with

username /

password

username in

internal

database?

password

correct?

denied

allowed

Permissions

determined by

internal user group

Internal

lookup of

user group

External

authentication server

configured?

denied

External

authentication

query

Valid

username /

password?

denied

External

authentication

allowed

User group

name provided

by authentication

server?

Permissions

determined by

internal user group,

“NONE”

User group

found in internal

database?

YESNO

YES

NO NO

YES

Permissions

determined by

internal user group,

“UNKNOWN”

Permissions

determined by

internal user group

YES

Note the importance of the group to which a given user belongs, as well as the need to configure the groups

named, “UNKNOWN” and “NONE.” If the external authentication server returns a group name that is not

recognized by IP-Reach, that user’s permissions are determined by the permanent group named

“UNKNOWN.” If the external authentication server does not return a group name, that user’s permissions

are determined by the permanent group named “NONE.”

Please see the sections involving LDAP or RADIUS in this chapter to determine how to configure your

authentication server to return user group information to IP-Reach as part of its reply to an authentication

query.

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

Raritan Computer TR361 Switch User Manual