User Manual
Security Database Configuration
11-15
For security reasons, choose a secret string of at least 16 characters that contains nothing obvious or easily guessed (such as names, phone numbers, or words that can be found in a dictionary). The secret is mixed into the MD5 authenticator on every RADIUS reply, so anyone who captures a single request/response pair can test candidate secrets offline; a short or dictionary-derived secret will not survive that.
11.4.3.2 RADIUS and Character Logins
When a user attempts to log into the SCS via a character-mode session (i.e. not through PPP or SLIP), the
SCS reports a Service-Type of Login to the RADIUS server. Once the server authenticates the user, it returns
one of three possible Service-Types to the SCS in its Access-Accept packet:
Login: The SCS allows the user to log into the SCS, but immediately connects the user (via Telnet or Rlogin) to a remote host. To specify the remote host, see Login-IP-Host on page D-3. If no host is found, the user receives an error message and is logged out.
Callback-Login: The SCS disconnects the user, then attempts to dial back to the user. If the dialback succeeds, the user is connected to a remote host as in the normal "Login" described above.
Prompt: The SCS treats the user as an administrative user and presents the Local> prompt. The user is not forced to a remote host.
Different RADIUS software packages may have different names for these Login types. In particular, the
“Prompt” type may be referred to as “Administrative User” or “Admin.” It will be distinct from the basic
“Login” type. Consult your RADIUS server’s documentation for specifics.
11.4.3.3 RADIUS and Sites
When a user logs in via PPP or SLIP, the SCS looks for a site whose name matches the user name. If it finds
a matching site, it starts that site and modifies it with whatever additional setup information the RADIUS
server sends in its Access-Accept packet (see Step A under). If it does not find a matching site, it starts
and modifies a copy of the default site.
Note: Unless RADIUS specifically overrules a setting, the site’s settings apply.
If a user logs in using local mode but the RADIUS server indicates that the user should be using PPP or
SLIP, the Set Site sitename Logout command is executed, where sitename is the name of the RADIUS site
created for this user.
Note: Setting up sites for specific users should be done sparingly, and only when a user
has special connection requirements that can’t be met otherwise.
If, on the other hand, the RADIUS server detects that a user logging in via PPP should actually be a local
mode user, the connection will be denied. The reason for this is two-fold: the user would not be able to return
to the local prompt once in PPP mode, and allowing the connection may create a security hole.
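The following is an added example, not code from this manual or from the SCS firmware. It models the exchange described in 11.4.3.2 and 11.4.3.3 from the console server's side: the server builds an Access-Accept bound to the client's request, the client checks the Response Authenticator against the shared secret before trusting any attribute in it, and then dispatches on Service-Type exactly as the two sections above lay out (Login with Login-IP-Host, Callback-Login, Prompt, and the PPP/SLIP site rules). Packet layout, attribute numbers and the authenticator computation are taken from RFC 2865; the function names, the assumption that the manual's "Prompt" type corresponds to the RFC's Administrative-User value (with NAS-Prompt treated the same way), and the sample packets in demo() are constructed for illustration.

```python
"""Added example (not code from the SCS manual or from Lantronix): a model of the
RADIUS exchange in 11.4.3.2 and 11.4.3.3, seen from the console server's side.
Packet layout and the Response Authenticator follow RFC 2865; the function names,
the "Prompt" = Administrative-User mapping and the packets in demo() are assumed."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3                     # RFC 2865 packet codes
USER_NAME, SERVICE_TYPE, LOGIN_IP_HOST = 1, 6, 14       # RFC 2865 attribute types
# Service-Type values; the manual's "Prompt" is assumed to be Administrative-User (6),
# and NAS-Prompt (7) is treated the same way.
SVC_LOGIN, SVC_FRAMED, SVC_CALLBACK_LOGIN, SVC_ADMIN, SVC_NAS_PROMPT = 1, 2, 3, 6, 7

def u32(n):
    """Encode an integer-valued attribute such as Service-Type."""
    return struct.pack("!I", n)

def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()

def server_reply(code, ident, request_auth, attrs, secret):
    """Server side: build an Access-Accept/Reject bound to the client's request."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def decode_packet(pkt):
    """Parse header and attributes, checking every length so a malformed reply
    cannot push the parser past the buffer. Returns (code, ident, auth, attrs, length)."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):        # bytes past Length are padding (RFC 2865)
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        alen = pkt[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs, length

def verify_reply(reply, request_auth, secret):
    """Client side: refuse a reply whose authenticator was not computed with the
    shared secret over the Request Authenticator we sent (forged or replayed)."""
    code, ident, auth, attrs, length = decode_packet(reply)
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return code, attrs

def decide_session(login_mode, reply, request_auth, secret, sites, default_site="default"):
    """Apply 11.4.3.2/11.4.3.3 to a verified reply. login_mode is "character"
    (serial or Telnet) or "framed" (PPP or SLIP). Returns (action, detail)."""
    code, attrs = verify_reply(reply, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return ("reject", "Access-Reject")
    a = dict(attrs)                                      # one instance of each attribute assumed
    svc = struct.unpack("!I", a[SERVICE_TYPE])[0] if SERVICE_TYPE in a else None
    user = a.get(USER_NAME, b"").decode("ascii", "replace")
    if login_mode == "character":
        if svc == SVC_LOGIN:
            host = a.get(LOGIN_IP_HOST)
            if host is None or len(host) != 4:
                return ("logout", "no Login-IP-Host in Access-Accept")
            return ("connect", str(ipaddress.IPv4Address(host)))
        if svc == SVC_CALLBACK_LOGIN:
            return ("dialback", user)                    # then connect as for Login
        if svc in (SVC_ADMIN, SVC_NAS_PROMPT):
            return ("local_prompt", user)                # Local> prompt, no forced host
        if svc == SVC_FRAMED:
            return ("set_site_logout", user)             # Set Site <user> Logout
        return ("logout", "unsupported Service-Type %r" % (svc,))
    # PPP/SLIP login: only a Framed user may proceed; a local-mode user arriving
    # over PPP is denied (cannot return to the prompt, and it opens a security hole).
    if svc != SVC_FRAMED:
        return ("reject", "framed login but server did not return Service-Type Framed")
    return ("start_site", user if user in sites else default_site)

def demo():
    """Constructed exchange: one Request Authenticator, one shared secret, three
    Access-Accepts, and the decision the SCS would take for each login mode."""
    request_auth = bytes(range(16))                      # random per request in practice
    secret = b"Xk7#pQ2vL9mR4tW8z"                        # 17 characters, no dictionary word
    sites = {"alice"}                                    # sites defined on the SCS
    def accept(ident, *attrs):
        return server_reply(ACCESS_ACCEPT, ident, request_auth, list(attrs), secret)
    login = accept(1, (USER_NAME, b"alice"), (SERVICE_TYPE, u32(SVC_LOGIN)),
                   (LOGIN_IP_HOST, bytes([192, 0, 2, 10])))
    admin = accept(2, (USER_NAME, b"root"), (SERVICE_TYPE, u32(SVC_ADMIN)))
    framed = accept(3, (USER_NAME, b"bob"), (SERVICE_TYPE, u32(SVC_FRAMED)))
    return {
        "character, Login": decide_session("character", login, request_auth, secret, sites),
        "character, Prompt": decide_session("character", admin, request_auth, secret, sites),
        "character, Framed": decide_session("character", framed, request_auth, secret, sites),
        "ppp, Framed": decide_session("framed", framed, request_auth, secret, sites),
        "ppp, Login": decide_session("framed", login, request_auth, secret, sites),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-18s -> %s" % (case, outcome))
```

Two points worth noting when reading this. First, verify_reply runs before any attribute is looked at: an Access-Accept that arrives from the server's address but fails the authenticator is discarded, which is the only thing standing between a spoofed UDP reply and a Local> prompt, and it is only as strong as the shared secret (hence the 16-character advice above). Second, RFC 2865 gives Login-IP-Host two special values (0 and 0xFFFFFFFF) that leave host selection to the NAS or the user; the model treats only a concrete address as "host found" and logs the user out otherwise, matching the manual's description rather than the full RFC.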
11.4.3.4 RADIUS Accounting
A RADIUS accounting server creates an accounting log from the information it receives from its clients,
such as an SCS. The server also acknowledges each packet so that the client knows it reached the
accounting server intact.
The SCS sends four types of packets to the accounting server: