[Solved] User authentication

General discussion of anything Unimus
kingtrw
Posts: 48
Joined: Sun Dec 26, 2021 8:56 pm

Thu Mar 10, 2022 12:21 pm

Hi,

I see from https://wiki.unimus.net/display/UNPUB/System+login that there is the potential to use RADIUS authentication for logons, but I'm wondering if it's possible to restrict the logons in some way?

We'd really like to use individual centrally authenticated logons to make our security compliance reports happy, but we need to have logon access to the system restricted to just IT staff (so effectively a group defined in Active Directory, or we could specify usernames in the server config).

Many thanks!
Vik@Unimus
Posts: 198
Joined: Thu Aug 05, 2021 6:35 pm

Thu Mar 10, 2022 3:21 pm

Hello,

This is already possible, as it is required that an externally authenticated user has a locally created account in Unimus (you create one by adding a user and choosing Authentication method > RADIUS). Hence any user in the user group used as a condition to grant access in RADIUS who doesn't have a Unimus user account will not be authenticated and allowed to log in.
kingtrw
Posts: 48
Joined: Sun Dec 26, 2021 8:56 pm

Fri Mar 11, 2022 1:55 pm

Amazing, thanks - that sounds like it'd satisfy our requirements perfectly.
kingtrw
Posts: 48
Joined: Sun Dec 26, 2021 8:56 pm

Mon Mar 14, 2022 12:42 pm

Update -- unfortunately this turns out not to be a viable option, as per viewtopic.php?t=181 it would require our AD accounts to store passwords using reversible encryption which is not permitted.

For the moment we'll stick to using a shared login - it's only a few people who should be on this system anyway!

For the wishlist, it would be ideal to have support for either local login permission (e.g. SSSD, Windows groups) or say SAML (we can use Shibboleth without *too* much hassle).
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Mon Mar 14, 2022 4:39 pm

kingtrw wrote:
Mon Mar 14, 2022 12:42 pm
Update -- unfortunately this turns out not to be a viable option, as per viewtopic.php?t=181 it would require our AD accounts to store passwords using reversible encryption which is not permitted.

For the moment we'll stick to using a shared login - it's only a few people who should be on this system anyway!

For the wishlist, it would be ideal to have support for either local login permission (e.g. SSSD, Windows groups) or say SAML (we can use Shibboleth without *too* much hassle).
Hi. You only need to use Reversible Encryption storage if you choose to use CHAP. If you use PAP, you do not need this. However, PAP has its own cons, as described in the linked forum topic.

As for the future, one of the main new features in 2.3 will be a rework of the AAA system in Unimus. This will include support for LDAP, so you should be able to use LDAP to auth against your current AD fairly easily after 2.3 is out.
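To illustrate why the CHAP/PAP distinction above decides whether the directory needs a recoverable password, here is an added example (not code from this thread or from Unimus) that implements the RFC 2865 User-Password hiding used by PAP and the RFC 1994 CHAP response, then verifies each server-side. All secrets, authenticators and the stored hash are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not real credentials).
SHARED_SECRET = b"radius-shared-secret"      # NAS <-> RADIUS server secret
REQ_AUTH = bytes(range(16))                  # 16-byte Request Authenticator
CHALLENGE = b"\xa5" * 16                     # CHAP challenge sent to the client
PASSWORD = b"correct horse battery"
SALT = b"constructed-salt"
# What a PAP-capable server can store: a one-way, salted hash of the password.
STORED_HASH = hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, 100_000)

def pap_encode(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def pap_decode(hidden, secret, req_auth):
    """Server side: undo the hiding to recover the cleartext the client sent."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def pap_server_verify(hidden, secret, req_auth, salt, stored_hash):
    """PAP delivers the password itself, so a one-way hash in the directory is enough."""
    candidate = hashlib.pbkdf2_hmac("sha256", pap_decode(hidden, secret, req_auth), salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)

def chap_response(ident, password, challenge):
    """RFC 1994 / RFC 2865 5.3: CHAP-Password = Ident || MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_server_verify(response, challenge, cleartext_password):
    """CHAP never transmits the password, so the server must recompute the MD5 from the
    cleartext itself. A one-way hash cannot do that, which is why AD must keep the
    password recoverable (reversible encryption) for plain CHAP to work."""
    ident = response[0]
    expected = hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()
    return hmac.compare_digest(response[1:], expected)
```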