Hi,
I see from https://wiki.unimus.net/display/UNPUB/System+login that there is the potential to use RADIUS authentication for logons, but I'm wondering if it's possible to restrict the logons in some way?
We'd really like to use individual centrally authenticated logons to make our security compliance reports happy, but we need to have logon access to the system restricted to just IT Staff (so effectively a group defined in active directory - or we could specify usernames in the server config)
Many thanks!
[Solved] User authentication
Hello,
This is already possible, as an externally authenticated user is required to have a locally created account in Unimus (you create one by adding a user and choosing Authentication method > RADIUS); hence any user in the user group used as a condition to grant access in RADIUS who doesn't have a Unimus user account will not be authenticated and allowed to log in.
Update -- unfortunately this turns out not to be a viable option, as per viewtopic.php?t=181 it would require our AD accounts to store passwords using reversible encryption which is not permitted.
For the moment we'll stick to using a shared login - it's only a few people who should be on this system anyway!
For the wishlist, it would be ideal to have support for either local login permission (e.g. SSSD, windows groups) or say SAML (we can use shibboleth without *too* much hassle).
kingtrw wrote: Mon Mar 14, 2022 12:42 pm
Update -- unfortunately this turns out not to be a viable option, as per viewtopic.php?t=181 it would require our AD accounts to store passwords using reversible encryption which is not permitted.
For the moment we'll stick to using a shared login - it's only a few people who should be on this system anyway!
For the wishlist, it would be ideal to have support for either local login permission (e.g. SSSD, windows groups) or say SAML (we can use shibboleth without *too* much hassle).
Hi. You only need to use Reversible Encryption storage if you choose to use CHAP. If you use PAP, you do not need this. However, PAP has its own cons, as described in the linked forum topic.
As for the future, one of the main new features in 2.3 will be a rework of the AAA system in Unimus. This will include support for LDAP, so you should be able to use LDAP to auth against your current AD fairly easily after 2.3 is out.
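To illustrate the PAP-versus-CHAP point made above (why CHAP forces the directory to hold a reversibly encrypted password while PAP can be checked against a one-way hash), here is an added Python example; it is not Unimus or forum code, and the password, identifier and challenge values are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not a real account).
PASSWORD = "correct horse battery staple"


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5 response: MD5(Identifier || secret || Challenge).

    Over RADIUS this digest (prefixed by the identifier) is carried in the
    CHAP-Password attribute alongside a CHAP-Challenge attribute.
    """
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_verify(ident: int, challenge: bytes, response: bytes, stored_password: str) -> bool:
    """Server side of CHAP: recomputing the digest needs the cleartext secret.

    This is why an AD-backed RADIUS server can only answer CHAP if the
    account stores its password with reversible encryption.
    """
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def pap_store(password: str):
    """Server-side one-way record for PAP: (salt, PBKDF2-SHA256 digest)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def pap_verify(password: str, record) -> bool:
    """Server side of PAP: the password itself arrives, so a hash suffices."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Run one CHAP and one PAP round trip and return the verification results."""
    ident, challenge = 0x2A, os.urandom(16)
    response = chap_response(ident, PASSWORD, challenge)  # computed by the client
    record = pap_store(PASSWORD)                          # all a hash-only store keeps
    return {
        "chap_with_cleartext": chap_verify(ident, challenge, response, PASSWORD),
        "chap_with_wrong_secret": chap_verify(ident, challenge, response, "other"),
        "pap_with_hash_only": pap_verify(PASSWORD, record),
        "pap_wrong_password": pap_verify("other", record),
    }


if __name__ == "__main__":
    print(demo())
```

Note that with PAP the password crosses the wire protected only by RADIUS's shared-secret obfuscation, which is the trade-off the reply refers to.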