Cisco Transport Manager 9.2 Technical References

Cisco Transport Manager Release 9.2 Basic External Authentication
OL-21046-01
• Access-Challenge—Additional information is requested from the user.

The RADIUS access server:
• Verifies user identity.
• Determines whether the user is allowed to perform a task or access a network device.
• Applies rules to user accounts.

CTM Implementation of RADIUS
The CTM server acts as a RADIUS client and sends authentication requests to a RADIUS server implementing a Single-Sign-On application.

The CTM server uses the Pluggable Authentication Module (PAM) Solaris library for authentication. Specifically, it uses the pam_radius_auth module to authenticate users against the RADIUS access server. The PAM framework consists of the following parts:
• PAM consumers—Solaris access applications such as login and rlogin, and the CTM server.
• PAM library.
• PAM configuration file (pam.conf).
• PAM service modules—Also referred to as providers.

Understanding the Custom CTM SiteMinder Agent
The CTM server application uses the SiteMinder agent API and is insulated from specific implementation details about users who are created and managed remotely. The agent API works with the policy server to simplify CTM secure application development while increasing application scalability in terms of the number of applications and resource-privilege pairs.

The agent API insulates the CTM application from underlying technology details, including:
• Username spaces such as Lightweight Directory Access Protocol (LDAP) directories
• Authentication methods, including simple username/password validation and complex public-key infrastructure (PKI) systems

The actual CTM agent API implementation tracks the authentication process with the policy server. The user credentials are stored in the policy store (the Solaris LDAP directory server), while the authorization process behaves as it did previously. The CTM database grants CTM authorization.

Configuring the SiteMinder Installation Library
To use the external authentication feature, the server system administrator must first configure the SiteMinder library.

Verify that the SuperUser has the correct file permissions for the following libraries; then, copy the libraries to the /opt/CiscoTransportManagerServer/lib path:
• libsmagentapi.so
• libsmcommonutil.so
• libsmerrlog.so
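
One way to script the permission check in the step above, as an added example that is not part of the Cisco guide. The guide does not state what the correct permissions are, so the policy used here (regular file, readable by the invoking user, not writable by group or others) and the function name check_sm_libs are assumptions; run it under bash or ksh.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Assumed policy: each SiteMinder
# library must be a regular file (not a symlink), readable by the invoking
# user, and not writable by group or others.

SM_LIBS="libsmagentapi.so libsmcommonutil.so libsmerrlog.so"   # names from the guide

# check_sm_libs DIR
# Prints one line per library and returns the number of libraries that failed.
check_sm_libs() {
    dir=$1
    failures=0
    for lib in $SM_LIBS; do
        lib_path="$dir/$lib"
        if [ -h "$lib_path" ] || [ ! -f "$lib_path" ]; then
            echo "FAIL $lib_path: missing, a symlink, or not a regular file"
            failures=$((failures + 1))
            continue
        fi
        if [ ! -r "$lib_path" ]; then
            echo "FAIL $lib_path: not readable by the invoking user"
            failures=$((failures + 1))
            continue
        fi
        # ls -ldn exists on both Solaris and Linux; field 1 is the mode string,
        # whose 6th and 9th characters are the group and other write bits.
        mode=$(ls -ldn "$lib_path" | awk '{print $1}')
        grp_w=$(printf '%s' "$mode" | cut -c6)
        oth_w=$(printf '%s' "$mode" | cut -c9)
        if [ "$grp_w" = "w" ] || [ "$oth_w" = "w" ]; then
            echo "FAIL $lib_path: mode $mode is writable by group or others"
            failures=$((failures + 1))
            continue
        fi
        echo "OK   $lib_path ($mode)"
    done
    return "$failures"
}

# When given a directory argument, check it (for example the source directory
# before the copy, then /opt/CiscoTransportManagerServer/lib after it).
if [ "$#" -gt 0 ]; then
    check_sm_libs "$1"
fi
```

A nonzero exit status is the count of libraries that failed the check, so the copy can be gated on a zero status.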