System login

When a user attempts to login into the system, the local user database is consulted. If a corresponding account is found, the authentication method of that account is used to check the password.

Depending on the authentication method used:

• For locally authenticated accounts, the password is simply checked against the hash in the local user database. If the password is correct, user is logged in.

Radius:

• For users with Radius authentication, if the Radius client in Unimus is not enabled, authentication for this user immediately fails.
• If Radius is enabled, a Radius Access Request is performed. If Radius responds with an Access Accept message, the user is logged in to the system.

LDAP

• For users with LDAP authentication, if the LDAP client in Unimus is not enabled, authentication for this user immediately fails.
• If LDAP is enabled, an LDAP search is performed using a service account. If the user is found, an auth is attempted with the user's DN. If the auth succeeds, the user is logged in to the system.

Access accounting

After a successful login, an accounting record is always created in the local database. Even Radius or LDAP based logins are accounted in the local DB. 

If Radius is enabled, an Radius Accounting Request is performed (even for local or LDAP authenticated users). The failure of Radius accounting is not considered as an error. This means a user will be allowed to log-in, even if Radius accounting fails. This is done because even logins using the local database are accounted against Radius (if Radius is enabled). If Unimus didn't allow login after Radius accounting failed, system access would not be possible in case of Radius failure.

An accounting record in the local DB is always created, so this mechanism does not compromise the auditability of the system access.

Related articles

For more information on how user management works in Unimus, please check these articles:

• User management
• Account security roles
• Device access restrictions