CHAPTER 13

RADIUS

ILOM supports Remote Authentication Dial-In User Service (RADIUS) authentication for users, based on RFC 2058 and RFC 2059. RADIUS is an authentication protocol that facilitates centralized user administration. RADIUS allows many servers shared access to user data in a central database, providing better security and easier administration.

This chapter contains the following sections:

Section 13.1, RADIUS Overview
Section 13.2, Configuring RADIUS Settings
Section 13.3, RADIUS Commands

13.1 RADIUS Overview

RADIUS is based on a client/server model. The RADIUS server provides the user authentication data and can grant or deny access, and the clients send user data to the server and receive an accept or deny response. A RADIUS server can work in conjunction with multiple RADIUS servers and other types of authentication servers.

In the RADIUS client-server model, the client sends an Access-Request query to the RADIUS server. When the server receives an Access-Request message from a client, it searches the database for that user's authentication information. If the user's information is not found, the server sends an Access-Reject message and the user is denied access to the requested service. If the user's information is found, the server responds with an Access-Accept message. The Access-Accept message confirms the user's authentication data and grants the user access to the requested service.

All transactions between the RADIUS client and server are authenticated by the use of a shared secret. The client and server must each be configured with the secret, because it is never passed over the network. You must know the shared secret to configure RADIUS authentication for ILOM.
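The exchange described above, as an added example in Python (not code from this guide or from ILOM itself). It follows RFC 2865, the successor of the RFC 2058 cited in this chapter: the client sends an Access-Request whose User-Password is hidden under an MD5 keystream keyed by the shared secret and a random Request Authenticator, and the server answers with an Access-Accept or Access-Reject whose Response Authenticator is an MD5 over the reply and the secret, which the client verifies before trusting the answer. The secret, user name, password and user database are constructed values.

```python
# Added example (not ILOM code): RFC 2865 Access-Request/Accept/Reject exchange
# reduced to the shared-secret mechanics. Standard library only.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute = Type(1) Length(1, covers type+length+value) Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def _password_xor(data: bytes, secret: bytes, request_auth: bytes, encrypt: bool) -> bytes:
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the chain is seeded with the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += block
        prev = block if encrypt else chunk  # always chain on the ciphertext block
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: null-pad to a multiple of 16 bytes (minimum 16) and hide."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _password_xor(padded, secret, request_auth, True)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding and strip the null padding."""
    return _password_xor(hidden, secret, request_auth, False).rstrip(b"\x00")

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    # Header = Code(1) Identifier(1) Length(2) Authenticator(16), then attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, raw attribute bytes, {type: value})."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, data[4:20], data[20:length], attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(username, password, secret, ident=1):
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def server_handle(request, secret, user_db):
    """Toy server: answer Accept or Reject, signed with the Response Authenticator."""
    code, ident, request_auth, _, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected code")
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", secret)
    return build_packet(reply_code, ident, auth, b"")

def client_verify_reply(reply, request, secret):
    """Client side: accept a reply only if it matches our Identifier and its
    Response Authenticator proves the sender knows the shared secret."""
    _, req_ident, request_auth, _, _ = parse_packet(request)
    code, ident, resp_auth, raw_attrs, _ = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, raw_attrs, secret)
    if ident != req_ident or not hmac.compare_digest(resp_auth, expected):
        raise ValueError("reply failed Response Authenticator check")
    return code

def demo():
    """Constructed data: a valid login, a wrong password, and a reply produced
    with a mismatched secret, which the client must discard."""
    secret, user_db = b"constructed-shared-secret", {b"ilomadmin": b"correct horse"}
    req = build_access_request(b"ilomadmin", b"correct horse", secret)
    good = client_verify_reply(server_handle(req, secret, user_db), req, secret)
    bad_req = build_access_request(b"ilomadmin", b"wrong", secret, ident=2)
    bad = client_verify_reply(server_handle(bad_req, secret, user_db), bad_req, secret)
    try:
        client_verify_reply(server_handle(req, b"other-secret", user_db), req, secret)
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return good, bad, forged_accepted  # (2, 3, False)
```

demo() returns (2, 3, False): an Access-Accept, an Access-Reject, and a reply built with the wrong secret that the client refuses. The third case is the point of the shared secret: it never crosses the wire, yet a responder that does not hold it cannot produce a valid Response Authenticator. Because both the password hiding and the reply signature are MD5 constructions keyed only by the secret, the secret configured on ILOM and on the server should be long and random.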

To use RADIUS configuration with ILOM, you must configure ILOM as a RADIUS client. For more information, see Section 13.2, Configuring RADIUS Settings.


13.2 Configuring RADIUS Settings

If you need to provide ILOM access beyond the 10 local user accounts, you can configure ILOM to use RADIUS authentication. You must have a properly configured RADIUS server before you can use RADIUS authentication with ILOM.

Before completing this procedure, collect the appropriate information about your RADIUS environment, as described in Section 13.1, RADIUS Overview.

13.2.1 Configuring RADIUS Using the WebGUI

1. Log in to the WebGUI as administrator.

2. Select User Management => RADIUS.

The RADIUS Settings page appears.

FIGURE 13-1 RADIUS Page [graphic: a sample of the ILOM WebGUI RADIUS Settings page]

3. Complete the settings. For details, see TABLE 13-1.

4. Click Save for your changes to take effect.

13.2.2 Configuring RADIUS Using the CLI

1. Log in to the CLI as administrator.

2. Navigate to /SP/clients/radius.

3. Set the parameters shown in TABLE 13-1.

13.2.3 RADIUS Parameters

TABLE 13-1 describes the RADIUS parameters for the WebGUI and the CLI.


TABLE 13-1 RADIUS WebGUI and CLI Settings

WebGUI          CLI                       Description
--------------  ------------------------  ------------------------------------------------------------
Default Role    defaultrole               Sets the default role for all RADIUS users: administrator
                administrator|operator    or operator
IP Address      ipaddress ipaddress       The IP address of the RADIUS server
Port            port portnum              The port number used to communicate with the RADIUS
                                          server. The default port is 1812.
State           state enabled|disabled    Enable to authenticate RADIUS users
Encryption Key  secret text               WebGUI: Type the encryption key used by your RADIUS server.
                                          CLI: The shared secret used to gain access to RADIUS



13.3 RADIUS Commands

This section describes the RADIUS commands.

13.3.1 show /SP/clients/radius

This command is available to administrators and operators.

Purpose

Use this command to view the properties associated with RADIUS authentication.

Syntax

show /SP/clients/radius

Properties

defaultrole - This is the role assigned to all RADIUS users. It is either administrator or operator.

ipaddress - The IP address of your RADIUS server.

port - The port number used to communicate with your RADIUS server. The default port is 1812.

secret - The shared secret used to gain access to your RADIUS server.

state - Choose enabled or disabled to allow or deny access to your RADIUS users.

Example

-> show /SP/clients/radius

   /SP/clients/radius
    Targets:

    Properties:
        defaultrole = Operator
        ipaddress = 129.144.36.142
        port = 1812
        secret = (none)
        state = enabled

    Commands:
        cd
        set
        show

->
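A small configuration check over the listing above, as an added example in Python (not ILOM code). It parses the Properties block of a captured show /SP/clients/radius listing into a dictionary and reports the settings a reviewer would question: RADIUS enabled with no shared secret, a default role of Administrator (which, per TABLE 13-1, applies to every RADIUS user), and a port other than 1812. The listing embedded below is constructed from the example in this section, and the example assumes that a value of (none) for secret means no secret has been set.

```python
# Added example (not ILOM code): audit the text of `show /SP/clients/radius`.
import re

# Constructed listing, modelled on the example output in this section.
SAMPLE_LISTING = """\
 -> show /SP/clients/radius

   /SP/clients/radius
    Targets:

    Properties:
        defaultrole = Operator
        ipaddress = 129.144.36.142
        port = 1812
        secret = (none)
        state = enabled

    Commands:
        cd
        set
        show
"""

PROP_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_properties(listing: str) -> dict:
    """Return the key = value pairs listed under 'Properties:' as a dict."""
    props, in_props = {}, False
    for line in listing.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):  # Targets:, Properties:, Commands: section headers
            in_props = stripped == "Properties:"
            continue
        match = PROP_RE.match(line)
        if in_props and match:
            props[match.group(1)] = match.group(2)
    return props


def audit_radius(props: dict) -> list:
    """Findings a reviewer would raise against the RADIUS client settings.
    Assumption: a secret shown as '(none)' means no shared secret is set."""
    findings = []
    if props.get("state", "").lower() == "enabled":
        if props.get("secret", "(none)") == "(none)":
            findings.append("RADIUS enabled but no shared secret is set")
        if props.get("defaultrole", "").lower() == "administrator":
            findings.append("defaultrole=Administrator grants every RADIUS user full rights")
    if props.get("port") not in (None, "1812"):
        findings.append(f"non-default RADIUS port {props['port']}; confirm the server listens there")
    return findings


def audit_listing(listing: str) -> list:
    """Convenience wrapper: parse a captured listing and audit it."""
    return audit_radius(parse_properties(listing))


if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING):
        print(finding)
```

Run against the constructed listing, the only finding is that RADIUS is enabled without a shared secret. The same parser can be pointed at listings collected from several service processors to compare their RADIUS settings against a baseline.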

13.3.2 set /SP/clients/radius

This command is available to administrators.

Purpose

Use this command to configure the properties associated with RADIUS authentication on a service processor.

Syntax

set /SP/clients/radius [defaultrole=[Administrator|Operator] ipaddress=radiusserverIP port=port# secret=radiussecret state=[enabled|disabled]]

Properties

The properties are the same as those listed for show /SP/clients/radius in Section 13.3.1.

Example

-> set /SP/clients/radius state=enabled ipaddress=10.8.145.77
Set 'state' to 'enabled'
Set 'ipaddress' to '10.8.145.77'

13.3.3 show /SP/clients

This command is available to administrators and operators.

Purpose

Use this command to view clients that can receive data from a service processor, including LDAP, NTP, RADIUS, and SYSLOG clients.

Syntax

show /SP/clients

Example

-> show /SP/clients

  /SP/clients
    Targets:
        ldap
        ntp
        radius
        syslog

    Properties:

    Commands:
        cd
        show

Note - Users with operator privileges can only view the ntp and syslog targets. The radius and ldap targets remain hidden.