Manualshelf

User guide

ManualsBrandsRaritan ManualsComputer equipmentDOMINION DKX432
61626364656667686970
CHAPTER 4: ADMINISTRATIVE FUNCTIONS 55
Authentication vs. Authorization
When your device is configured for remote authentication, the external authentication server is used
primarily for the purposes of authentication, not authorization.
Authorization is determined by the KX unit on the basis of user groups. That is, once a given user is
allowed to access the device in general (authenticated), that user’s specific permission (authorization) is
determined by the device, based upon the user’s group.
The external authentication server can assist in authorization by informing the device about the user group
to which a user belongs whenever the authentication server approves a given user’s login request. The
sections Implementing LDAP Remote Authentication and Implementing RADIUS Remote
Authentication that follow explain this in more detail.
This is most easily described via a simple flow diagram:
User login with
username /
password
username in
internal
database?
password
correct?
Login
denied
Login
allowed
Permissions
determined by
internal user group
Internal
lookup of
user group
External
authentication server
configured?
Login
denied
External
authentication
query
Valid
username /
password?
Login
denied
External
authentication
reply
Login
allowed
User group
name provided
by authentication
server?
Permissions
determined by
internal user group,
“NONE”
User group
found in internal
database?
YESNO
YES
NO NO
YES
NO
YES
YES
NO
Permissions
determined by
internal user group,
“UNKNOWN”
Permissions
determined by
internal user group
YES
NO
Figure 54 Authorization Flow Diagram
Note the importance of the group to which a given user belongs, as well as the need to configure the groups
named, “UNKNOWN” and “NONE.” If the external authentication server returns a group name that is not
recognized by the KX101, that user’s permissions are determined by the permanent group named
“UNKNOWN.” If the external authentication server does not return a group name, that user’s permissions
are determined by the permanent group named “NONE.”
Please see the sections LDAP or RADIUS in this chapter to determine how to configure your
authentication server to return user group information to KX101 as part of its reply to an authentication
query.