conf/auth

The conf/auth directory contains configuration files for remote authentication services used to control access to the software. The name of a file is the name of the authenticator it defines. Authenticators can be configured under the System > Users section of the Admin Server UI.

Key

Description

auth!description

A description of the authenticator.

Value type: string

Default value: <none>

auth!enabled

Whether or not this authenticator is enabled.

Value type: Yes / No

Default value: "No"

auth!type

The type of the authenticator.

Value type: enumeration

Default value: <none>

Permitted values:

LDAP: LDAP

RADIUS: RADIUS

TACACSPlus: TACACS+

Additional keys used when type is "LDAP"

ldap!basedn

The base DN (Distinguished Name) under which directory searches will be applied. The entries for your users should all appear under this DN. An example of a typical base DN is: OU=users, DC=mycompany, DC=local

Requires: auth!type is set to "LDAP"

Value type: string

Default value: <none>

ldap!binddn

Template to construct the bind DN (Distinguished Name) from the username. The string %u will be replaced by the username. Examples: %u@<your domain> for Active Directory, or cn=%u, dc=mycompany, dc=local for both LDAP and Active Directory.

Requires: auth!type is set to "LDAP"

Value type: string

Default value: <none>

ldap!dnmethod

The bind DN (Distinguished Name) for a user can either be searched for in the directory using the ldap!basedn and ldap!filter values, or it can be constructed from the username.

Requires: auth!type is set to "LDAP"

Value type: enumeration

Default value: <none>

Permitted values:

construct: Construct

search: Search

ldap!fallbackgroup

If ldap!groupattr is not defined, or returns no results for the user logging in, the group named here will be used. If not specified, users will be denied access to the traffic manager if no groups matching a Permission Group can be found for them in the directory.

Requires: auth!type is set to "LDAP"

Value type: string

Default value: <none>

ldap!filter

A filter that can be used to extract a unique user record located under the base DN (Distinguished Name). The string %u will be replaced by the username. This filter is used to find a user's bind DN when ldap!dnmethod is set to "Search", and to extract group information if ldap!groupfilter is not specified. Examples: sAMAccountName=%u for Active Directory, or uid=%u for some Unix LDAP schemas.

Requires: auth!type is set to "LDAP"

Value type: string

Default value: <none>

ldap!groupattr

The LDAP attribute that gives a user's group. If the attribute has multiple values, all of them are extracted and sorted lexicographically, and the first one that matches a Permission Group name is used.

Requires: auth!type is set to "LDAP"

Value type: string

Default value: <none>

ldap!groupfield

The sub-field of the group attribute that gives a user's group. For example, if ldap!groupattr is memberOf and this retrieves values of the form CN=mygroup, OU=groups, OU=users, DC=mycompany, DC=local you would set groupfield to CN. If there are multiple matching fields, only the first matching field will be used.

Requires: auth!type is set to "LDAP"

Value type: string

Default value: <none>

ldap!groupfilter

If the user record returned by ldap!filter does not contain the required group information you may specify an alternative group search filter here. This will usually be required if you have Unix/POSIX-style user records. If multiple records are returned the list of group names will be extracted from all of them. The string %u will be replaced by the username. Example: (&(memberUid=%u)(objectClass=posixGroup))

Requires: auth!type is set to "LDAP"

Value type: string

Default value: <none>
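As an added example (not the product's own code), the Python model below shows how the %u substitution in ldap!filter and the ldap!groupattr, ldap!groupfield and ldap!fallbackgroup keys combine to pick a Permission Group. The RFC 4515 escaping of the substituted username is a defensive choice made here, since the page does not say how the product treats %u, and the memberOf values are constructed.

```python
# Added example, not the product's own code: a model of the LDAP group-resolution
# rules described above (ldap!filter %u, ldap!groupattr, ldap!groupfield,
# ldap!fallbackgroup).  Sample values are constructed.

def escape_filter_value(value):
    """RFC 4515 escaping for a username substituted into a search filter.  This is a
    defensive choice of the example; the page does not say how the product treats %u."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(template, username):
    """Substitute %u in an ldap!filter or ldap!groupfilter template."""
    return template.replace("%u", escape_filter_value(username))

def group_field(dn_value, field):
    """Return the first RDN of type `field` (ldap!groupfield) from a DN value such as
    'CN=mygroup, OU=groups, DC=mycompany, DC=local'; only the first match is used."""
    for rdn in dn_value.split(","):
        attr, sep, val = rdn.strip().partition("=")
        if sep and attr.strip().lower() == field.lower():
            return val.strip()
    return None

def resolve_group(attr_values, groupfield, permission_groups, fallbackgroup=None):
    """Sort the ldap!groupattr values lexicographically and return the first whose
    group field names a Permission Group; otherwise ldap!fallbackgroup (None = deny)."""
    for value in sorted(attr_values):
        name = group_field(value, groupfield) if groupfield else value
        if name is not None and name in permission_groups:
            return name
    return fallbackgroup

# Constructed memberOf values, as ldap!groupattr=memberOf with ldap!groupfield=CN would see them.
MEMBER_OF = [
    "CN=zebra-team, OU=groups, DC=mycompany, DC=local",
    "CN=admin, OU=groups, DC=mycompany, DC=local",
    "CN=monitor, OU=groups, DC=mycompany, DC=local",
]

if __name__ == "__main__":
    print(build_filter("sAMAccountName=%u", "a*lice"))  # sAMAccountName=a\2alice
    print(resolve_group(MEMBER_OF, "CN", {"admin", "monitor"}))  # admin
    print(resolve_group(["CN=nobody, DC=x"], "CN", {"admin"}, fallbackgroup="monitor"))  # monitor
```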

ldap!port

The port to connect to the LDAP server on.

Requires: auth!type is set to "LDAP"

Value type: unsigned integer

Default value: "389"

ldap!searchdn

The bind DN (Distinguished Name) to use when searching the directory for a user's bind DN. You can leave this blank if it is possible to perform the bind DN search using an anonymous bind.

Requires: auth!type is set to "LDAP"

Value type: string

Default value: <none>

ldap!searchpass

If binding to the LDAP server using ldap!searchdn requires a password, enter it here.

Requires: auth!type is set to "LDAP"

Value type: password

Default value: <none>

ldap!server

The IP or hostname of the LDAP server.

Requires: auth!type is set to "LDAP"

Value type: string

Default value: <none>

ldap!ssl

The type of TLS encryption, if any, to use. Usually STARTTLS will be used with port 389, and LDAPS with port 636. A Certificate Authority that the LDAP server's certificate chains back to must be present in the "Admin Certificate Authorities and Certificate Revocation Lists Catalog" under "SSL catalogs", otherwise the connection will fail.

Requires: auth!type is set to "LDAP"

Value type: enumeration

Default value: "none"

Permitted values:

none: None

starttls: STARTTLS

ldaps: LDAPS

ldap!timeout

Connection timeout in seconds.

Requires: auth!type is set to "LDAP"

Value type: unsigned integer

Default value: "30"

Additional keys used when type is "RADIUS"

radius!fallbackgroup

If no group is found using the vendor and group identifiers, or the group found is not valid, the group specified here will be used.

Requires: auth!type is set to "RADIUS"

Value type: string

Default value: <none>

radius!groupattr

The RADIUS identifier for the attribute that specifies an account's group. May be left blank if radius!fallbackgroup is specified.

Requires: auth!type is set to "RADIUS"

Value type: unsigned integer

Default value: "1"

radius!groupvendor

The RADIUS identifier for the vendor of the RADIUS attribute that specifies an account's group. Leave blank if using a standard attribute (for example, for Filter-Id set radius!groupattr to 11).

Requires: auth!type is set to "RADIUS"

Value type: unsigned integer

Default value: "7146"
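As an added example (not the product's own code), this Python model shows how radius!groupattr, radius!groupvendor and radius!fallbackgroup select a Permission Group from the attribute list of an Access-Accept, covering both a vendor-specific attribute (vendor 7146, attribute 1) and the standard Filter-Id (attribute 11) case. The attribute bytes are constructed here; the parser follows the standard RADIUS attribute and Vendor-Specific layouts.

```python
import struct

# Added example, not the product's own code: models how radius!groupattr,
# radius!groupvendor and radius!fallbackgroup pick a Permission Group from the
# attributes of an Access-Accept.  Sample data below is constructed.

VENDOR_SPECIFIC = 26  # RADIUS attribute type that carries vendor-specific attributes

def parse_attributes(data):
    """Yield (vendor_id, attr_type, value); vendor_id is None for standard attributes."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j + 2 <= len(value):  # walk the vendor sub-attributes
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                yield vendor_id, vtype, value[j + 2:j + vlen]
                j += vlen
        else:
            yield None, atype, value
        i += alen

def resolve_group(attrs, groupattr, groupvendor, permission_groups, fallbackgroup=None):
    """groupvendor None = standard attribute (Filter-Id is groupattr 11).  Returns the
    first configured-attribute value naming a valid Permission Group, else fallbackgroup."""
    for vendor_id, atype, value in parse_attributes(attrs):
        if vendor_id == groupvendor and atype == groupattr:
            name = value.decode("utf-8", errors="replace")
            if name in permission_groups:
                return name
    return fallbackgroup  # None means access is denied

def vsa(vendor_id, vtype, value):  # encode a Vendor-Specific attribute (for samples)
    sub = bytes([vtype, 2 + len(value)]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

def std(atype, value):  # encode a standard attribute (for samples)
    return bytes([atype, 2 + len(value)]) + value

# Constructed Access-Accept attributes: vendor 7146 attribute 1 = "admin", Filter-Id = "monitor".
SAMPLE_REPLY = vsa(7146, 1, b"admin") + std(11, b"monitor")
```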

radius!nas-identifier

This value is sent to the RADIUS server.

Requires: auth!type is set to "RADIUS"

Value type: string

Default value: <none>

radius!nas-ip-address

This value is sent to the RADIUS server. If left blank, the address of the interface used to connect to the server will be used.

Requires: auth!type is set to "RADIUS"

Value type: string

Default value: <none>

radius!port

The port to connect to the RADIUS server on.

Requires: auth!type is set to "RADIUS"

Value type: unsigned integer

Default value: "1812"

radius!secret

Secret key shared with the RADIUS server.

Requires: auth!type is set to "RADIUS"

Value type: password

Default value: <none>

radius!server

The IP or hostname of the RADIUS server.

Requires: auth!type is set to "RADIUS"

Value type: string

Default value: <none>

radius!timeout

Connection timeout in seconds.

Requires: auth!type is set to "RADIUS"

Value type: unsigned integer

Default value: "30"

Additional keys used when type is "TACACSPlus"

tacacsplus!authtype

Authentication type to use.

Requires: auth!type is set to "TACACSPlus"

Value type: enumeration

Default value: "PAP"

Permitted values:

PAP: PAP

ASCII: ASCII

tacacsplus!fallbackgroup

If tacacsplus!groupsvc is not defined above, or no group value is provided for the user by the TACACS+ server, the group specified here will be used. If this is not specified, users with no TACACS+ defined group will be denied access.

Requires: auth!type is set to "TACACSPlus"

Value type: string

Default value: <none>

tacacsplus!groupfield

The TACACS+ "service" field that provides each user's group.

Requires: auth!type is set to "TACACSPlus"

Value type: string

Default value: "permission-group"

tacacsplus!groupsvc

The TACACS+ "service" that provides each user's group field.

Requires: auth!type is set to "TACACSPlus"

Value type: string

Default value: "zeus"

tacacsplus!port

The port to connect to the TACACS+ server on.

Requires: auth!type is set to "TACACSPlus"

Value type: unsigned integer

Default value: "49"

tacacsplus!secret

Secret key shared with the TACACS+ server.

Requires: auth!type is set to "TACACSPlus"

Value type: password

Default value: <none>

tacacsplus!server

The IP or hostname of the TACACS+ server.

Requires: auth!type is set to "TACACSPlus"

Value type: string

Default value: <none>

tacacsplus!timeout

Connection timeout in seconds.

Requires: auth!type is set to "TACACSPlus"

Value type: unsigned integer

Default value: "30"