Currently there are three ways to login to the LANCOM administration interface:
- internal: The LANCOM handles the user management itself by means of user login name, password, and the assignment of access and function rights.
- TACACS+: User management is handled by a TACACS+ server in the network.
- RADIUS: User management is handled by a RADIUS server in the network.
The user can login with RADIUS over the following connections:
- Telnet
- SSH
- WEBconfig
- TFTP
- Outband
Note: A RADIUS authentication over SNMP is currently not supported.
Note: A RADIUS authentication via LL2M (LANCOM Layer 2 Management protocol) is not supported as LL2M requires plain-text access to the password stored in the LANCOM.
The RADIUS server handles user management with regard to authentication, authorization and accounting (triple-A protocol), which greatly simplifies the management of admin accounts in large network installations with multiple routers.
Authentication via a RADIUS server is conducted as follows:
- On login, the LANCOM sends the user credentials to the RADIUS server in the network. The necessary server data are in stored in the LANCOM.
- The server checks the credentials for their validity.
- If the credentials are invalid, it sends the LANCOM a corresponding message and the LANCOM aborts the login process with an error message.
- If the credentials are valid, the server informs the LANCOM that the user has permission of access, and also sends information on the access rights and function rights, so that the user has access only to the corresponding functions and directories.
- If the user's sessions are budgeted by the RADIUS server (accounting section), the LANCOM stores the session data such as start, end, user name, authentication mode and, if available, the port used.