Using Serial & Network -> Authentication -> Authentication Method -> *Remote*, user credentials can be stored on a remote TACACS, RADIUS, LDAP or Kerberos AAA server. "Remote AAA users" are users that exist primarily on the AAA server and have not had local accounts manually created on each Opengear device.
After a remote AAA user successfully authenticates, a "hidden" user account is automatically created on the Opengear device. By default, this account has no privileges so the user may see errors such as:
    Fatal User 'operator1' is not authorized to access this area.
    User 'operator1' does not have shell access on this device
    ERROR: No configured console server mode ports accessible by this user.
There are four methods to grant privileges to remote AAA users:
Use Remote Groups
When Serial & Network -> Authentication -> Use Remote Groups is checked, and the TACACS, RADIUS or LDAP AAA server responds to a successful authentication with a list of groups, the remote AAA user is added to these groups.
TACACS: Add the group name, or a comma-separated list of groups, in a custom attribute called "groupname" under the "raccess" service. Cisco ACS has its own procedure for this; for tac-plus, the config snippet looks like:
    user = operator1 {
        service = raccess {
            groupname = users,pmshell
        }
    }
RADIUS: Add the group name, or a comma-separated list of groups, as "group_name" inside the "Filter-Id" reply attribute. FreeRADIUS users-file snippet:
    operator1    Auth-Type := System
                 Filter-Id = ":group_name=users,pmshell:"
Ensure the group_name value is surrounded by colon characters; without them the groups are not recognised.
Note: Auth-Type := System is no longer supported in FreeRADIUS 3.x
LDAP – Active Directory: Add each group's distinguished name as a "memberOf" attribute.
LDAP – OpenLDAP: We use the POSIX schema, i.e. we query the group whose "gidNumber" matches the remote user's gidNumber, plus any additional "posixGroup" entries with a "memberUid" matching the user's remote "uid".
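The following is an added example, not Opengear code, showing how the three group sources above can be parsed into a plain group list: the TACACS "groupname" attribute, the RADIUS "Filter-Id" value (including the failure mode where the surrounding colons are missing), and OpenLDAP POSIX group resolution by gidNumber and memberUid. The sample attribute values and posixGroup entries are constructed for the example; the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample attribute values, modelled on the snippets in the
# article; they are not captured from a real AAA server.
TACACS_GROUPNAME = "users,pmshell"
RADIUS_FILTER_ID_OK = ":group_name=users,pmshell:"
RADIUS_FILTER_ID_BAD = "group_name=users,pmshell"   # missing surrounding colons

# The colon-delimited form the article requires: ":group_name=<g1>,<g2>:"
_FILTER_ID_RE = re.compile(r"^:group_name=([^:]*):$")


def _split_groups(csv: str) -> list[str]:
    """Split a comma-separated group list, dropping blanks and whitespace."""
    return [g.strip() for g in csv.split(",") if g.strip()]


def parse_tacacs_groupname(value: str) -> list[str]:
    """Split the 'groupname' custom attribute of the 'raccess' service."""
    return _split_groups(value)


def parse_radius_filter_id(value: str) -> list[str]:
    """Extract groups from a Filter-Id reply attribute.

    Returns an empty list (no groups, hence no privileges) when the value is
    not wrapped in colons, which is the misconfiguration the article warns about.
    """
    m = _FILTER_ID_RE.match(value)
    if not m:
        return []
    return _split_groups(m.group(1))


@dataclass
class PosixGroup:
    """Minimal view of an OpenLDAP posixGroup entry (constructed for the example)."""
    cn: str
    gid_number: int
    member_uid: tuple[str, ...] = ()


# Constructed OpenLDAP posixGroup entries for the example.
LDAP_GROUPS = [
    PosixGroup("users", 100),
    PosixGroup("pmshell", 1001, ("operator1", "operator2")),
    PosixGroup("admin", 1000, ("alice",)),
]


def posix_groups_for_user(uid: str, gid_number: int,
                          groups: list[PosixGroup]) -> list[str]:
    """Resolve groups the way the article describes for OpenLDAP: the group
    whose gidNumber matches the user's primary gidNumber, plus every posixGroup
    listing the uid in memberUid. Primary group first, then directory order."""
    primary = [g.cn for g in groups if g.gid_number == gid_number]
    secondary = [g.cn for g in groups
                 if uid in g.member_uid and g.cn not in primary]
    return primary + secondary


if __name__ == "__main__":
    print("TACACS:", parse_tacacs_groupname(TACACS_GROUPNAME))
    print("RADIUS ok:", parse_radius_filter_id(RADIUS_FILTER_ID_OK))
    print("RADIUS bad:", parse_radius_filter_id(RADIUS_FILTER_ID_BAD))
    print("LDAP operator1:", posix_groups_for_user("operator1", 100, LDAP_GROUPS))
```

The RADIUS parser deliberately returns no groups rather than guessing when the colons are absent, which mirrors the observable symptom (a remote user who authenticates but ends up with no privileges) and makes the misconfiguration easy to spot in a test.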
Authentication Method Specific
In addition to remote groups, TACACS and LDAP servers support implementation-specific mechanisms for granting privileges.
TACACS: Users with a priv-lvl of 12 or over are granted admin-level privileges. This behavior can be disabled by checking Serial & Network -> Authentication -> TACACS -> Ignore Privilege Level.
LDAP: There are two "magic" distinguished names you can configure the Opengear device to look for, Serial & Network -> Authentication -> LDAP -> Basic Management Group DN and Administration Group DN. If the user is a member of one of these groups, they are granted users- or admin-level privileges respectively.
Note that you may set a third magic Console Server Group DN that, if set, must exist for a user to be granted any access whatsoever – i.e. to allow you to explicitly whitelist LDAP users.
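As an added illustration (not Opengear's implementation), the following models the two authentication-method-specific rules above as a small authorization decision: the TACACS priv-lvl threshold with the "Ignore Privilege Level" switch, and the LDAP magic DNs with the Console Server Group DN acting as a gate that must be satisfied before either of the other two is considered. The group DNs and the member lists are constructed for the example; how the device treats a priv-lvl below 12 beyond "no admin from this rule" is an assumption here and group-based grants are not modelled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Privilege(Enum):
    NONE = "none"     # the default for a freshly created hidden account
    USERS = "users"   # basic management privileges
    ADMIN = "admin"   # full administration


@dataclass
class LdapPolicy:
    """The three 'magic' DNs under Serial & Network -> Authentication -> LDAP.
    Any of them may be left unset (None)."""
    basic_management_group_dn: Optional[str] = None
    administration_group_dn: Optional[str] = None
    console_server_group_dn: Optional[str] = None


def _norm(dn: Optional[str]) -> Optional[str]:
    """Normalise a DN for comparison: DNs are case-insensitive and may carry
    whitespace around the RDN separators."""
    if dn is None:
        return None
    return ",".join(part.strip() for part in dn.lower().split(","))


def tacacs_privilege(priv_lvl: int, ignore_privilege_level: bool = False) -> Privilege:
    """priv-lvl 12 or over grants admin unless 'Ignore Privilege Level' is set.
    Assumption for this example: below 12 this rule grants nothing on its own."""
    if not ignore_privilege_level and priv_lvl >= 12:
        return Privilege.ADMIN
    return Privilege.NONE


def ldap_privilege(member_of: set, policy: LdapPolicy) -> Privilege:
    """Evaluate the magic DNs against the user's memberOf set.

    The Console Server Group DN, when configured, is an explicit allow-list:
    a user outside it receives nothing, whatever else they are a member of.
    """
    groups = {_norm(dn) for dn in member_of}
    gate = _norm(policy.console_server_group_dn)
    if gate is not None and gate not in groups:
        return Privilege.NONE
    if _norm(policy.administration_group_dn) in groups:
        return Privilege.ADMIN
    if _norm(policy.basic_management_group_dn) in groups:
        return Privilege.USERS
    return Privilege.NONE


# Constructed DNs for the example; they are not from any real directory.
DN_USERS = "CN=og-users,OU=Groups,DC=example,DC=com"
DN_ADMINS = "CN=og-admins,OU=Groups,DC=example,DC=com"
DN_CONSOLE = "CN=og-console,OU=Groups,DC=example,DC=com"

GATED_POLICY = LdapPolicy(DN_USERS, DN_ADMINS, DN_CONSOLE)
OPEN_POLICY = LdapPolicy(DN_USERS, DN_ADMINS)        # no Console Server Group DN


if __name__ == "__main__":
    print("priv-lvl 15:", tacacs_privilege(15))
    print("priv-lvl 15, ignored:", tacacs_privilege(15, True))
    print("admin but not in console group:",
          ldap_privilege({DN_ADMINS}, GATED_POLICY))
    print("admin and in console group:",
          ldap_privilege({DN_ADMINS, DN_CONSOLE}, GATED_POLICY))
```

The gate check runs before the privilege lookups on purpose: an administrator who is not in the Console Server Group DN is denied outright, which is the allow-listing behaviour the article describes, and a policy with no gate configured behaves as if the gate were always satisfied.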
Grant privileges to the netgrp group
"Hidden" accounts created for remote AAA users automatically become members of the netgrp group.
Membership of this group grants no privileges by default; however, you may edit it under Serial & Network -> Users & Groups -> netgrp -> Edit and assign it the "Full administration & access" and "Basic management privileges via shell and WebUI" Roles (equivalent to admin and users group-level privileges respectively), as well as Accessible Port(s), Outlet(s) and Host(s).
This is intended as a convenient way to grant remote AAA users privileges, with no modification to the AAA server configuration.
Create local users
Finally, you may decide to use "password only" remote AAA and create users locally on the Opengear device with a blank or secondary password. While Serial & Network -> Authentication -> Authentication Method remains set to a *Remote* method, the user is authenticated against the remote server.