...

When a user attempts to log in to the system, the local user database is always consulted first.
If a corresponding account is found, the user is logged in to the system. If the account is not found in the local DB and if Radius is enabled, the authentication method of that account is used to check the password.

Depending on the authentication method used:

  • For locally authenticated accounts, the password is simply checked against the hash in the local user database. If the password is correct, the user is logged in.

Radius:

  • For users with Radius authentication, if the Radius client in Unimus is not enabled, authentication for this user immediately fails.
  • If Radius is enabled, a Radius Access Request is performed.

...

  • If Radius responds with an Access Accept message, the user is logged in to the system.

LDAP

  • For users with LDAP authentication, if the LDAP client in Unimus is not enabled, authentication for this user immediately fails.
  • If LDAP is enabled, an LDAP search is performed using a service account. If the user is found, an auth is attempted with the user's DN. If the auth succeeds, the user is logged in to the system.

Access accounting

After a successful login, an accounting record is always created in the local database.
Even Radius- or LDAP-based logins are accounted in the local DB.

If Radius is enabled, a Radius Accounting Request is performed (even for local or LDAP authenticated users). The failure of Radius accounting is not considered an error.
This means a user will be allowed to log in, even if Radius accounting fails. This is done because even logins using the local database are accounted against Radius (if Radius is enabled).
If Unimus didn't allow login after Radius accounting failed, system access would not be possible in case of Radius failure.

An accounting record in the local DB is always created, so this mechanism does not compromise the auditability of the system access.
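The sketch below is an added illustration of the flow described above, not Unimus code: it models the per-method credential check and the accounting step for an account already found in the local database. The `Backends` stand-ins, all function names, and the PBKDF2 hash are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class Backends:
    """Constructed stand-ins for the Radius and LDAP clients (hypothetical)."""
    radius_enabled: bool = False
    ldap_enabled: bool = False
    radius_accepts: bool = False   # server answered with Access Accept
    ldap_bind_ok: bool = False     # search found the user and the bind with their DN worked
    radius_acct_up: bool = True    # Radius accounting server reachable
    local_acct: list = field(default_factory=list)
    radius_acct: list = field(default_factory=list)

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumption for this sketch; the page does not name the hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_credentials(account: dict, password: str, b: Backends) -> bool:
    method = account["method"]
    if method == "local":
        return hmac.compare_digest(hash_password(password, account["salt"]), account["hash"])
    if method == "radius":
        return b.radius_enabled and b.radius_accepts   # client disabled: fail at once
    if method == "ldap":
        return b.ldap_enabled and b.ldap_bind_ok       # client disabled: fail at once
    return False                                       # unknown method: deny

def radius_accounting_request(user: str, b: Backends) -> None:
    if not b.radius_acct_up:
        raise ConnectionError("Radius accounting unreachable")
    b.radius_acct.append(user)

def login(account: dict, password: str, b: Backends) -> bool:
    if not check_credentials(account, password, b):
        return False
    b.local_acct.append(account["name"])    # local record: always written
    if b.radius_enabled:                    # sent for local and LDAP users too
        try:
            radius_accounting_request(account["name"], b)
        except ConnectionError:
            pass                            # not an error: login still succeeds
    return True
```

When reviewing such a deployment, the local accounting record is the one to rely on for audit, since the Radius accounting record can be missing for a login that succeeded.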

Login diagram

Related articles

For more information on how user management works in Unimus, please check these articles: