Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • For locally authenticated accounts, the password is simply checked against the hash in the local user database. If the password is correct, user is logged in.

Radius:

  • For users with Radius authentication, if the Radius client in Unimus is not enabled, authentication for this user immediately fails.
  • If Radius is enabled, a Radius Access Request is performed. If Radius responds with an Access Accept message, the user is logged in to the system.

LDAP

  • For users with LDAP authentication, if the LDAP client in Unimus is not enabled, authentication for this user immediately fails.
  • If LDAP is enabled, an LDAP search is performed using a service account. If the user is found, an auth is attempted with the user's DN. If the auth succeeds, the user is logged in to the system.

Access accounting

After a successful login, an accounting record is always created in the local database. Even Radius -or LDAP based logins are accounted in the local DB. 

If Radius is enabled, an Radius Accounting Request is performed (even for local or LDAP authenticated users). The failure of Radius accounting is not considered as an error. This means a user will be allowed to log-in, even if Radius accounting fails. This is done because even logins using the local database are accounted against Radius (if Radius is enabled). If Unimus didn't allow login after Radius accounting failed, system access would not be possible in case of Radius failure.

...