Note: this configuration applies only to NodeGrid software version 3.2.x and later.
Starting with NodeGrid Software version 3.2.x, multiple authentication methods can be configured; they are tried in the order in which they are listed.
Use Case
In some networks there may be more than one authentication server, for example LDAP servers for several domains, or two Radius servers and one AD server, each used by different users, groups, or teams.
Example
You have the following settings in NodeGrid:
First authentication method: LDAP#1 with domain abc.com
Second authentication method: LDAP#2 with domain xyz.com
Third authentication method: Radius
Last authentication method: Local
Note: the Fallback if denied access option is enabled in each authentication server's settings.
John is in LDAP#2's user database and wants to access NodeGrid. His credentials are sent to LDAP#1 first; that server does not know him and denies the request, and because fallback is enabled the authentication falls through to LDAP#2. The credentials are correct, so John is granted access.
Mike is in the Radius user database: the authentication passes through LDAP#1 and LDAP#2 (both deny, both fall through) and then reaches Radius, which grants access.
The NodeGrid administrator wants to access the unit via ssh as root. The authentication passes through LDAP#1, LDAP#2, and Radius, and then falls to Local. Note that the root credentials are therefore presented to every remote server in the list before Local is consulted.
Authentication methods configuration
Log in as admin to the NodeGrid web UI.
Go to the Security :: Authentication page and click Add.
Select the desired authentication method:
LDAP or AD
RADIUS
TACACS+
Kerberos
Repeat the steps above to add other Authentication methods.
Note that Local authentication is always the last method.
By default, the authentication process stops at a server that denies the user: the login fails and the later methods are not consulted. If a server is unresponsive, the process continues to the next method. If the Fallback if denied access option is enabled for a server, a denial from that server also makes the process continue to the next method. Keep in mind that with fallback enabled, a user who has been disabled or removed from that server can still log in through any later method, including Local, where the account still exists.
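The decision rule above, as an added example that is not Nodegrid code: a small Python model of the chain. The servers, their user databases, the passwords and the reachability flag are all constructed for the simulation. It reproduces the three outcomes (accept, deny, unresponsive) and what each does to the chain, including the case the note above warns about, a user removed from a directory who still has a stale Local account.

```python
"""Model of the Nodegrid authentication chain (added example, not Nodegrid code).

Rules reproduced: methods are tried in order; an unresponsive server is
skipped; a denial stops the chain unless that server has "Fallback if
denied access" enabled; Local is the last method.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AuthServer:
    """One entry of the Security :: Authentication list.

    The users dictionary is a constructed stand-in for the real LDAP/AD,
    Radius or local backend so that the chain can be exercised offline.
    """
    name: str
    method: str                         # ldap_or_ad, radius, tacacs+, kerberos, local
    fallback_if_denied: bool = False    # the "Fallback if denied access" option
    users: Dict[str, str] = field(default_factory=dict)  # user -> password (constructed)
    reachable: bool = True              # False simulates an unresponsive server

    def check(self, user: str, password: str) -> str:
        """Return 'accept', 'deny' or 'unresponsive' for one credential check."""
        if not self.reachable:
            return "unresponsive"
        if self.users.get(user) == password:
            return "accept"
        return "deny"   # an unknown user and a wrong password are both a denial


def authenticate(chain: List[AuthServer], user: str, password: str) -> Tuple[bool, str, List[str]]:
    """Walk the methods in configured order; return (granted, deciding server, trace)."""
    trace: List[str] = []
    for server in chain:
        outcome = server.check(user, password)
        trace.append(f"{server.name}: {outcome}")
        if outcome == "accept":
            return True, server.name, trace
        if outcome == "unresponsive" or server.fallback_if_denied:
            continue                      # try the next method
        return False, server.name, trace  # denied, and no fallback on this server
    return False, "end of chain", trace   # not reached when Local is last


def example_chain(fallback: bool = True, ldap1_up: bool = True) -> List[AuthServer]:
    """The four-method chain from the article, with constructed user databases."""
    return [
        AuthServer("LDAP#1 abc.com", "ldap_or_ad", fallback, {"alice": "a-pw"}, ldap1_up),
        AuthServer("LDAP#2 xyz.com", "ldap_or_ad", fallback, {"john": "j-pw"}),
        AuthServer("Radius", "radius", fallback, {"mike": "m-pw"}),
        AuthServer("Local", "local", False, {"root": "r-pw", "admin": "adm-pw"}),
    ]


def stale_account_demo() -> str:
    """alice is removed from LDAP#1 but a stale Local account remains.

    With fallback enabled on every remote server, her old Local password
    still grants access. Returns the server that granted it.
    """
    chain = example_chain(fallback=True)
    del chain[0].users["alice"]
    chain[3].users["alice"] = "old-pw"
    _, decided_by, _ = authenticate(chain, "alice", "old-pw")
    return decided_by


if __name__ == "__main__":
    for label, chain in [("fallback on", example_chain(True)),
                         ("fallback off", example_chain(False)),
                         ("fallback off, LDAP#1 down", example_chain(False, ldap1_up=False))]:
        for user, pw in [("john", "j-pw"), ("mike", "m-pw"), ("root", "r-pw")]:
            granted, by, trace = authenticate(chain, user, pw)
            print(f"[{label}] {user}: granted={granted} by={by} :: {' -> '.join(trace)}")
    print("stale alice account accepted by:", stale_account_demo())
```

With fallback disabled on the remote servers, Mike is denied by LDAP#1 and Radius is never asked; only an unresponsive LDAP#1 lets the chain move on. With fallback enabled, a denial anywhere (including a wrong password) is retried against every later method, which is why stale accounts on later servers, Local included, must be cleaned up.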
To delete a server, select it and click the Delete button.
Additional Information
By default, the admin and root users can fall back to local authentication on the console port of the NodeGrid.
This can be disabled if network security policies do not allow it.
To disable it, go to Security :: Authentication page and click on Console button.
Uncheck the "Enable Admin and Root users Fallback to Local Authentication on Console" parameter and Save.
Configuration via CLI
Log in as admin to NodeGrid via console or ssh, then type the following. Type add before each new server entry, then set its parameters and commit:
[admin@nodegrid /]# cd /settings/authentication/servers/
[admin@nodegrid servers]# add
LDAP or AD
[admin@nodegrid {servers}]# set method=ldap_or_ad
[admin@nodegrid {servers}]# set remote_server=<LDAP/AD IP>
[admin@nodegrid {servers}]# set ldap_ad_base=<base>
[admin@nodegrid {servers}]# set ldap_ad_database_username=<user>
[admin@nodegrid {servers}]# set ldap_ad_database_password=<password>
[admin@nodegrid {servers}]# set fallback_if_denied_access=yes
[admin@nodegrid {servers}]# commit
Radius
[admin@nodegrid {servers}]# set method=radius
[admin@nodegrid {servers}]# set remote_server=<radius IP>
[admin@nodegrid {servers}]# set radius_accounting_server=<accounting IP>
[admin@nodegrid {servers}]# set radius_secret=<radius secret>
[admin@nodegrid {servers}]# set fallback_if_denied_access=yes
[admin@nodegrid {servers}]# commit
Optionally, the following parameters can be set, depending on the Radius remote server's settings:
[admin@nodegrid {servers}]# set radius_timeout=
[admin@nodegrid {servers}]# set radius_retries=
[admin@nodegrid {servers}]# set radius_enable_servicetype=yes
[admin@nodegrid {servers}]# set radius_service_type_login=
[admin@nodegrid {servers}]# set radius_service_type_framed=
[admin@nodegrid {servers}]# set radius_service_type_callback_login=
[admin@nodegrid {servers}]# set radius_service_type_callback_framed=
[admin@nodegrid {servers}]# set radius_service_type_outbound=
[admin@nodegrid {servers}]# set radius_service_type_administrative=
[admin@nodegrid {servers}]# commit
Tacacs+
[admin@nodegrid {servers}]# set method=tacacs+
[admin@nodegrid {servers}]# set remote_server=<TACACS+ IP>
[admin@nodegrid {servers}]# set tacacs+_accounting_server=<accounting IP>
[admin@nodegrid {servers}]# set tacacs+_service=<ppp/racces/shell>
[admin@nodegrid {servers}]# set tacacs+_secret=<tacacs+ secret>
[admin@nodegrid {servers}]# set tacacs+_version=<v0/v1/v0_v1/v1_v0>
[admin@nodegrid {servers}]# set fallback_if_denied_access=yes
[admin@nodegrid {servers}]# commit
Optionally, the following parameters can be set, depending on the Tacacs+ remote server's settings:
[admin@nodegrid {servers}]# set tacacs+_timeout=
[admin@nodegrid {servers}]# set tacacs+_retries=
[admin@nodegrid {servers}]# set tacacs+_enable_user-level=yes
[admin@nodegrid {servers}]# set tacacs+_user_level_1=
[admin@nodegrid {servers}]# set tacacs+_user_level_2=
...
[admin@nodegrid {servers}]# set tacacs+_user_level_14=
[admin@nodegrid {servers}]# set tacacs+_user_level_15=
[admin@nodegrid {servers}]# commit
Kerberos
[admin@nodegrid {servers}]# set method=kerberos
[admin@nodegrid {servers}]# set remote_server=<Kerberos IP>
[admin@nodegrid {servers}]# set kerberos_domain_name=<kerberos domain>
[admin@nodegrid {servers}]# set kerberos_realm_domain_name=<kerberos realm domain>
[admin@nodegrid {servers}]# set fallback_if_denied_access=yes
[admin@nodegrid {servers}]# commit
Delete an Authentication method
To delete a server, type:
cd /settings/authentication/servers
show
delete <index number>
commit
Example:
[admin@nodegrid /]# cd /settings/authentication/servers
[admin@nodegrid servers]# show
 index  method      remote server  fallback
 =====  ==========  =============  ========
 1      ldap or ad  1.1.1.1        disabled
 2      radius      2.2.2.2        disabled
 3      local                      disabled
Try ls command instead...
[admin@nodegrid servers]# delete 2
[+admin@nodegrid servers]# commit
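To check a configured chain against the fallback rules without reading the table by eye, here is an added Python example (not Nodegrid code) that parses the output of show in /settings/authentication/servers and reports what each entry's fallback setting means for the methods after it. The sample output is constructed to match the table in this article; the column layout is derived from the ===== ruler line, the trailing "Try ls command instead..." hint is skipped, and the wording of the findings is my own.

```python
"""Audit of the 'show' listing in /settings/authentication/servers.

Added example, not Nodegrid code. The table below is constructed to match
the CLI output shown in the article; column boundaries are taken from the
ruler line so that an empty cell (local has no remote server) is preserved.
"""
from typing import Dict, List

# Constructed sample of the 'show' output, same shape as in the article.
SHOW_OUTPUT = """\
 index  method      remote server  fallback
 =====  ==========  =============  ========
 1      ldap or ad  1.1.1.1        disabled
 2      radius      2.2.2.2        disabled
 3      local                      disabled
Try ls command instead...
"""


def _column_starts(ruler: str) -> List[int]:
    """Start offset of every run of '=' in the ruler line."""
    return [i for i, ch in enumerate(ruler)
            if ch == "=" and (i == 0 or ruler[i - 1] != "=")]


def parse_show(text: str) -> List[Dict[str, str]]:
    """Parse the fixed-width table into one dict per server entry."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, ruler, *rows = lines
    starts = _column_starts(ruler)
    bounds = list(zip(starts, starts[1:] + [None]))   # last column runs to end of line
    names = [header[a:b].strip() for a, b in bounds]
    entries = []
    for row in rows:
        if not row.lstrip()[:1].isdigit():
            continue   # CLI hint lines such as "Try ls command instead..." are not rows
        cells = [row[a:b].strip() for a, b in bounds]
        entries.append(dict(zip(names, cells)))
    return entries


def audit(entries: List[Dict[str, str]]) -> List[str]:
    """Explain, per entry, what its fallback setting does to the rest of the chain."""
    findings = []
    if not entries or entries[-1]["method"] != "local":
        findings.append("Local is not the last method; the chain has no terminal method.")
    for e in entries[:-1]:              # every entry that has a method after it
        where = f"index {e['index']} ({e['method']} {e['remote server']})".rstrip(") ") + ")"
        if e["method"] == "local":
            findings.append(f"{where}: local is not last; methods after it are unreachable")
        elif e["fallback"] == "disabled":
            findings.append(f"{where}: fallback disabled; a user unknown to this server is "
                            "denied and later methods are never consulted while it is reachable")
        else:
            findings.append(f"{where}: fallback enabled; a denial here (including a wrong "
                            "password) is retried against every later method down to Local, "
                            "so stale accounts on later servers stay usable")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show(SHOW_OUTPUT)):
        print(finding)
```

For the table in this article both remote servers have fallback disabled, so a user who exists only in the Radius database is denied by LDAP/AD at index 1 and never reaches index 2 unless that server is down; enabling fallback on index 1 is what makes the multi-server use case above work, at the cost of the pass-through behaviour the second finding describes.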
Disable Fallback on Console
To disable the fallback on console option via the CLI:
[admin@nodegrid /]# cd /settings/authentication/fallback_on_console/
[admin@nodegrid fallback_on_console]# set admin_and_root_fallback_to_local_on_console=no
[admin@nodegrid fallback_on_console]# commit