Once you have created user Groups to set permissions, you must assign permissions to users by adding them to these Groups. Users may either be Local (configured on Lighthouse) or Remote (configured on an external AAA server).
Local Users
- Log in to Lighthouse as a Lighthouse Administrator User
- Click Settings -> User Management -> Local Users
- Click + to Add User
Username: Enter a POSIX-style name (must only contain lower case alphanumeric, dash and underscore characters) for the User, for example myadmin
Description: Enter an optional description
Password / Confirm Password: Enter a secure password in accordance with your organization's security policies
Group Memberships: Select the User Groups to add this User to
User Enabled: Check
- Click Save User
Remote Users
When your AAA server responds to a successful authentication with a list of groups, the remote user is added to these groups. Each server type varies slightly in how the list of groups is configured.
- Log in to Lighthouse as a Lighthouse Administrator User
- Click Settings -> User Management -> Remote Authentication
- Select your AAA server type
TACACS+
On Lighthouse, enter the Remote Authentication Server Address and Port; click + to add further servers. Enter the Server Password (the TACACS+ shared secret) and Confirm it.
On your TACACS+ server, add the group name, or a comma-separated list of group names, in a custom attribute called "groupname" under the "raccess" service. The same attribute can be configured in Cisco ACS; for tac-plus the user stanza looks like this:
    user = myadmin {
        service = raccess {
            groupname = cbgadmin
        }
    }
RADIUS
On Lighthouse, enter the Remote Authentication Server Address and Port; click + to add further servers. Optionally define one or more Remote Accounting Servers. Enter the Server Password (the RADIUS shared secret) and Confirm it.
On your RADIUS server, return the group name, or a comma-separated list of group names, as "group_name" inside the "Framed-Filter-Id" reply attribute. The value must be surrounded by colon characters. A FreeRADIUS users-file entry looks like this:
    myadmin Auth-Type := System
            Framed-Filter-Id = ":group_name=cbgadmin:"
Note: Auth-Type := System is no longer supported in FreeRADIUS 3.x; use a check item that is valid for your server version instead (for example Cleartext-Password := "<password>"). The Framed-Filter-Id reply item is the same in either case.
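Before pointing Lighthouse at a new TACACS+ or RADIUS server it is worth checking, from the server's own reply, that the group list comes back in the shape the two sections above describe. The script below is an added example, not Lighthouse code: it extracts the group list from the "groupname" attribute of the raccess service and from a Framed-Filter-Id value, rejects a Framed-Filter-Id that lacks the surrounding colons (the mistake the RADIUS section warns about), and reports which expected groups a reply failed to grant. The sample replies are constructed, and the exact way Lighthouse itself parses these values is an assumption of the example.

```python
import re
from typing import Dict, List

# Constructed sample server replies for the user "myadmin" (not captured from
# a real TACACS+ or RADIUS server).
TACACS_RACCESS_ATTRS: Dict[str, str] = {"groupname": "cbgadmin, cbgops"}
RADIUS_FRAMED_FILTER_ID = ":group_name=cbgadmin,cbgops:"


def split_group_list(value: str) -> List[str]:
    """Split a comma-separated group list, dropping whitespace and empty items."""
    return [g.strip() for g in value.split(",") if g.strip()]


def groups_from_tacacs_raccess(attrs: Dict[str, str]) -> List[str]:
    """Groups from the attribute-value pairs returned for the 'raccess' service.

    Only the custom 'groupname' attribute is documented; treating a missing
    attribute as 'no groups' is an assumption of this example.
    """
    return split_group_list(attrs.get("groupname", ""))


# Assumed shape of the RADIUS value: a colon, 'group_name=', the list, a colon.
_FILTER_ID_RE = re.compile(r"^:group_name=([^:]*):$")


def groups_from_framed_filter_id(value: str) -> List[str]:
    """Groups from a Framed-Filter-Id value such as ':group_name=cbgadmin:'.

    A value without the surrounding colons is rejected rather than silently
    yielding an empty group list (which would leave the user with no access).
    """
    match = _FILTER_ID_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError(
            f"Framed-Filter-Id {value!r} must look like ':group_name=<groups>:' "
            "(check the surrounding colon characters)"
        )
    return split_group_list(match.group(1))


def missing_groups(expected: List[str], returned: List[str]) -> List[str]:
    """Groups the user should be in that the server reply did not grant."""
    granted = set(returned)
    return [g for g in expected if g not in granted]


if __name__ == "__main__":
    wanted = ["cbgadmin", "cbgops"]
    tac = groups_from_tacacs_raccess(TACACS_RACCESS_ATTRS)
    rad = groups_from_framed_filter_id(RADIUS_FRAMED_FILTER_ID)
    print("TACACS+ groups:", tac, "missing:", missing_groups(wanted, tac))
    print("RADIUS groups: ", rad, "missing:", missing_groups(wanted, rad))
    try:
        groups_from_framed_filter_id("group_name=cbgadmin")  # colons missing
    except ValueError as err:
        print("rejected:", err)
```

The group names the server returns must match Groups that already exist on Lighthouse; a name that is spelled differently on the server is simply not granted, which is what the missing_groups check is there to catch.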
LDAP
On Lighthouse, enter the Remote Authentication Server Address and Port; click + to add further servers. Enter the Base DN to search under (for example dc=my-company,dc=com) and the Bind DN that Lighthouse authenticates the server connection as (for example cn=server-admin,dc=my-company,dc=com). Enter and Confirm the Password of the Bind DN. Use a dedicated, read-only directory account for the Bind DN rather than an administrative one.
On your LDAP server:
- Active Directory: Add the user to each group. The group's distinguished name then appears in the user's "memberOf" attribute, which is what Lighthouse reads.
- OpenLDAP: Lighthouse uses the POSIX schema. It resolves the group whose gidNumber matches the user's "gidNumber" (the primary group) plus any additional posixGroup entries whose "memberUid" contains the user's "uid".
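The two directory types above yield the group list by different rules, and it helps to work out from the raw entries which Lighthouse Groups a user will land in before testing a login. The script below is an added example, not Lighthouse code, and the directory entries in it are constructed. For OpenLDAP it applies the POSIX rule exactly as stated above (primary group by gidNumber, supplementary groups by memberUid). For Active Directory it assumes that the leading RDN value of each memberOf DN (the group's CN) is the name matched against Lighthouse Groups; that mapping is an assumption of the example, not something the page states.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed directory entries (not read from a real directory).
AD_USER: Dict[str, object] = {
    "sAMAccountName": "myadmin",
    "memberOf": [
        "CN=cbgadmin,OU=Groups,DC=my-company,DC=com",
        "CN=Domain Users,CN=Users,DC=my-company,DC=com",
    ],
}
POSIX_USER: Dict[str, str] = {"uid": "myadmin", "gidNumber": "5000"}
POSIX_GROUPS: List[Dict[str, object]] = [
    {"cn": "cbgadmin", "gidNumber": "5000", "memberUid": []},            # primary group
    {"cn": "cbgops", "gidNumber": "5001", "memberUid": ["myadmin", "bob"]},  # supplementary
    {"cn": "netops", "gidNumber": "5002", "memberUid": ["bob"]},          # not a member
]

_RDN_RE = re.compile(r"^\s*([^=]+)=(.*)$")


def first_rdn_value(dn: str) -> str:
    """Value of the leading RDN, e.g. 'cbgadmin' from 'CN=cbgadmin,OU=Groups,...'.

    Splits on the first comma that is not escaped with a backslash, so a CN
    containing a comma (written 'a\\,b' in LDAP) is kept intact.
    """
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    match = _RDN_RE.match(first)
    if match is None:
        raise ValueError(f"not a distinguished name: {dn!r}")
    return match.group(2).strip()


def ad_group_names(user: Dict[str, object]) -> Set[str]:
    """Assumed AD mapping: each memberOf DN contributes its leading RDN value."""
    member_of: Iterable[str] = user.get("memberOf", [])  # type: ignore[assignment]
    return {first_rdn_value(dn) for dn in member_of}


def posix_group_names(user: Dict[str, str], groups: Iterable[Dict[str, object]]) -> Set[str]:
    """POSIX rule: the group matching the user's gidNumber plus every posixGroup
    whose memberUid lists the user's uid."""
    names: Set[str] = set()
    for group in groups:
        primary = group["gidNumber"] == user["gidNumber"]
        supplementary = user["uid"] in group.get("memberUid", [])  # type: ignore[operator]
        if primary or supplementary:
            names.add(str(group["cn"]))
    return names


if __name__ == "__main__":
    print("AD groups for", AD_USER["sAMAccountName"], "->", sorted(ad_group_names(AD_USER)))
    print("POSIX groups for", POSIX_USER["uid"], "->", sorted(posix_group_names(POSIX_USER, POSIX_GROUPS)))
```

Whichever rule applies, the resulting names are only useful if Groups of the same name exist on Lighthouse; a directory group that has no Lighthouse counterpart grants nothing.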