CHAPTER 13
RADIUS
ILOM supports Remote Authentication Dial-In User Service (RADIUS) authentication for users, based on RFC 2058 and RFC 2059. RADIUS is an authentication protocol that facilitates centralized user administration. RADIUS allows many servers shared access to user data in a central database, providing better security and easier administration.
This chapter contains the following sections:
RADIUS is based on a client/server model. The RADIUS server provides the user authentication data and can grant or deny access, and the clients send user data to the server and receive an accept or deny response. A RADIUS server can work in conjunction with multiple RADIUS servers and other types of authentication servers.
In the RADIUS client-server model, the client sends an Access-Request query to the RADIUS server. When the server receives an Access-Request message from a client, it searches the database for that user's authentication information. If the user's information is not found, the server sends an Access-Reject message and the user is denied access to the requested service. If the user's information is found, the server responds with an Access-Accept message. The Access-Accept message confirms the user's authentication data and grants the user access to the requested service.
All transactions between the RADIUS client and server are authenticated with a shared secret. Both the client and the server must be configured with the secret, because it is never sent over the network. You must know the shared secret to configure RADIUS authentication for ILOM.
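The exchange described above, written out as an added example that is not part of the Sun ILOM documentation or of ILOM itself. It follows the packet layout of RFC 2865 (the successor to RFC 2058 cited in this chapter): the client hides the User-Password under the shared secret and a random Request Authenticator, the server reveals it, looks the user up and answers with Access-Accept or Access-Reject, and the client checks the Response Authenticator, which is how it learns that the reply came from a server that knows the secret. The shared secret, the user database, the NAS address and the usernames are constructed sample values. Because the hiding scheme is MD5-based, the secret should be long and random and the RADIUS traffic confined to a trusted management network.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE = 1, 2, 4, 18

# Constructed sample data: a shared secret and the server's user database.
SECRET = b"constructed-shared-secret-not-for-production"
USERS = {"alice": b"s3cret-pw", "bob": b""}
NAS_IP = bytes([192, 0, 2, 10])  # constructed RADIUS client (NAS) address


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16 if password else 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def pack(code: int, ident: int, auth: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def unpack(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


class RadiusServer:
    """Toy in-process RADIUS server: decides accept/reject and signs the reply."""

    def __init__(self, secret: bytes, users: dict):
        self.secret, self.users = secret, users

    def handle(self, pkt: bytes) -> bytes:
        code, ident, request_auth, attrs = unpack(pkt)
        if code != ACCESS_REQUEST:
            raise ValueError("unexpected packet code")
        a = dict(attrs)
        username = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
        password = reveal_password(a.get(ATTR_USER_PASSWORD, b""), self.secret, request_auth)
        expected = self.users.get(username)
        # A client using the wrong secret reveals garbage here and is rejected like an unknown user.
        ok = expected is not None and hmac.compare_digest(expected, password)
        reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        reply_attrs = [(ATTR_REPLY_MESSAGE, b"Welcome")] if ok else []
        auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, self.secret)
        return pack(reply_code, ident, auth, reply_attrs)


def authenticate(server: RadiusServer, username: str, password: str, secret: bytes, ident: int = 1) -> str:
    """Client side: send Access-Request, verify the reply's authenticator, return 'accept' or 'reject'."""
    request_auth = secrets.token_bytes(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (ATTR_NAS_IP_ADDRESS, NAS_IP)]
    reply = server.handle(pack(ACCESS_REQUEST, ident, request_auth, attrs))
    code, reply_ident, auth, reply_attrs = unpack(reply)
    if reply_ident != ident:
        raise ValueError("reply identifier does not match the request")
    if not hmac.compare_digest(auth, response_authenticator(code, reply_ident, request_auth, reply_attrs, secret)):
        raise ValueError("invalid Response Authenticator: wrong shared secret or tampered reply")
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


if __name__ == "__main__":
    srv = RadiusServer(SECRET, USERS)
    print(authenticate(srv, "alice", "s3cret-pw", SECRET))  # accept
    print(authenticate(srv, "alice", "wrong", SECRET))      # reject
```

The client never sends the secret; it only uses it to hide the password and to check the reply. A client configured with a different secret is rejected by the server and, because the Response Authenticator does not verify, also refuses to trust the reply, which is the symptom to look for when ILOM and the RADIUS server disagree on the secret.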
To use RADIUS configuration with ILOM, you must configure ILOM as a RADIUS client. For more information, see Section 13.2, Configuring RADIUS Settings.
If you need to provide ILOM access beyond the 10 local user accounts, you can configure ILOM to use RADIUS authentication. You must have a properly configured RADIUS server before you can use RADIUS authentication with ILOM.
Before completing this procedure, collect the appropriate information about your RADIUS environment, as described in Section 13.1, RADIUS Overview.
1. Log in to the WebGUI as administrator.
2. Select User Management => RADIUS.
The RADIUS Settings page appears.
3. Complete the settings. For details, see TABLE 13-1.
4. Click Save for your changes to take effect.
1. Log in to the CLI as administrator.
2. Navigate to /SP/clients/radius.
3. Set the parameters shown in TABLE 13-1.
TABLE 13-1 describes the RADIUS parameters for the WebGUI and the CLI.
Default Role: Sets the default role for all RADIUS users: administrator or operator.
Port: The port number used to communicate with the RADIUS server. The default port is 1812.
This section describes the RADIUS commands.
This command is available to administrators and operators.
Use this command to view the properties associated with RADIUS authentication.
defaultrole - This is the role assigned to all RADIUS users. It is either administrator or operator.
ipaddress - The IP address of your RADIUS server.
port - The port number used to communicate with your RADIUS server. The default port is 1812.
secret - Enter the shared secret used to gain access to your RADIUS server.
state - Choose enabled or disabled to allow or deny access to your RADIUS users.
-> show /SP/clients/radius
/SP/clients/radius
    Targets:

    Properties:
        defaultrole = Operator
        ipaddress = 129.144.36.142
        port = 1812
        secret = (none)
        state = enabled

    Commands:
        cd
        set
        show
->
This command is available to administrators.
Use this command to configure the properties associated with RADIUS authentication on a service processor.
set /SP/clients/radius [defaultrole=[Administrator|Operator] ipaddress=radiusserverIP port=port# secret=radiussecret state=[enabled|disabled]]
-> set /SP/clients/radius state=enabled ipaddress=10.8.145.77
Set 'state' to 'enabled'
Set 'ipaddress' to '10.8.145.77'
This command is available to administrators and operators.
Use this command to view clients that can receive data from a service processor, including LDAP, NTP, RADIUS, and SYSLOG clients.
Note - Users with operator privileges can only view the ntp and syslog targets. The radius and ldap targets remain hidden.
Copyright © 2007, Sun Microsystems, Inc. All Rights Reserved.