If a system is configured for a supported remote authentication service, you must create a provider for that service to ensure
that Prime Network Services Controller and the system configured with the service can communicate.
User Accounts in Remote Authentication Services
You can create user accounts in Prime Network Services Controller or in the remote authentication server.
The temporary sessions for users who log in through remote authentication services can be viewed through the Prime Network
Services Controller GUI.
User Roles and Locales in Remote Authentication Services
If you create user accounts in the remote authentication server, you must ensure that the accounts include the roles and locales
those users require for working in Prime Network Services Controller and that the names of those roles and locales match the
names used in Prime Network Services Controller. If an account does not have the required roles and locales, the user is granted
only read-only privileges.
LDAP Attribute for User
In Prime Network Services Controller, the LDAP attribute that holds the LDAP user roles and locales is preset. This attribute
is always a name-value pair. For example, by default CiscoAvPair specifies the role and locale information for the user, and
if a filter is specified, the LDAP search is restricted to the entries that match the defined filter. By default, the filter
is sAMAccountName=$userid. You can change these values to match the settings on the LDAP server. When a user logs in,
Prime Network Services Controller queries the remote authentication service, checks the value of the attribute, and
validates the user. The value should be identical to the username.
An example of LDAP property settings is as follows:
- Timeout—30
- Retries—1
- Attribute—CiscoAvPair
- Filter—sAMAccountName=$userid
- Base DN—DC=cisco, DC=com (the specific location in the LDAP hierarchy where Prime Network Services Controller starts the query for the LDAP user)
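The following is an added example, not code from the Cisco documentation or from Prime Network Services Controller itself. It shows how the settings above fit together on the PNSC side: the login name is substituted into the sAMAccountName=$userid filter with RFC 4515 escaping (so a login name cannot change the search), the returned entry is checked against the username, and the CiscoAvPair value is mapped to a role, falling back to read-only when no known role is present. The shell:roles="..." shell:locales="..." layout of the attribute value, the KNOWN_ROLES set and the directory entries are assumptions constructed for the example.

```python
import re

# Constructed sample of the LDAP property settings listed above (not a live configuration).
LDAP_PROPERTIES = {
    "timeout": 30,
    "retries": 1,
    "attribute": "CiscoAvPair",
    "filter": "sAMAccountName=$userid",
    "base_dn": "DC=cisco, DC=com",
}
# Roles PNSC recognises (assumed); an account whose attribute carries none of them is read-only.
KNOWN_ROLES = {"admin", "read-only"}

# RFC 4515 escaping, so a login name cannot rewrite the configured search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, userid: str) -> str:
    """Substitute $userid into the configured filter with the login name escaped."""
    return "(" + template.replace("$userid", escape_filter_value(userid)) + ")"


# Assumed (hypothetical) layout of the name-value attribute: shell:roles="a,b" shell:locales="x".
_PAIR_RE = re.compile(r'(?P<name>[\w:]+)="?(?P<value>[^"\s]*)"?')


def parse_avpair(avpair: str) -> tuple[set[str], set[str]]:
    """Split the attribute value into the role names and locale names it carries."""
    roles: set[str] = set()
    locales: set[str] = set()
    for match in _PAIR_RE.finditer(avpair):
        values = {v.strip() for v in match["value"].split(",") if v.strip()}
        if match["name"].endswith("roles"):
            roles |= values
        elif match["name"].endswith("locales"):
            locales |= values
    return roles, locales


def resolve_access(userid: str, entry: dict[str, str]):
    """Map a returned directory entry to (granted roles, locales), or None when the
    entry does not belong to the login name (the filter attribute must equal the username)."""
    if entry.get("sAMAccountName") != userid:
        return None
    roles, locales = parse_avpair(entry.get(LDAP_PROPERTIES["attribute"], ""))
    granted = roles & KNOWN_ROLES
    return (granted or {"read-only"}, locales)
```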
TACACS+ Attribute for User
When you define a user on the TACACS+ server, specify the authorization level by defining the following attribute-value pair
for the group the user belongs to:
Role—An attribute named "role" whose value is one of the roles defined in Prime Network Services Controller (PNSC).
Note: For the 3.4.2c release, the supported roles are "admin" and "read-only".
For example:
Note: TACACS+ support is available from PNSC 3.4.2c onwards.