User Authentication
Internal Authentication and External Authentication are available as login authentication methods. RADIUS authentication can be used for External Authentication.
Internal Authentication
Internal Authentication is performed using the authentication function of the ETERNUS DX.
The following authentication functions are available when the ETERNUS DX is connected via a LAN using operation management software.
User account authentication
User account authentication uses the user account information that is registered in the ETERNUS DX to verify user logins. Up to 60 user accounts can be set to access the ETERNUS DX. Specifying a user policy (Password Policy and Lockout Policy) for user accounts can strengthen the security of user account authentications.
SSL authentication
ETERNUS Web GUI, SMI-S, and RESTful API support HTTPS connections using SSL/TLS, so data on the network is encrypted. The server certificates that are required for connection are automatically created in the ETERNUS DX.
SSH authentication
Since ETERNUS CLI supports SSH connections, data that is sent or received on the network can be encrypted. The server key for SSH varies depending on the ETERNUS DX. When the server certificate is updated, the server key is updated as well.
Password authentication and client public key authentication are available as authentication methods for SSH connections.
The supported client public keys are shown below.
Table: Client Public Key (SSH Authentication)
| Type of public key | Complexity (bits) |
| --- | --- |
| IETF style RSA for SSH v2 | 1024, 2048, and 4096 |
External Authentication
External Authentication uses the user account information (username, password, and role name) that is registered on an external authentication server. RADIUS authentication is used to authenticate logins to ETERNUS Web GUI or ETERNUS CLI and to authenticate connections to the ETERNUS DX via a LAN using operation management software.
RADIUS authentication
RADIUS authentication uses the Remote Authentication Dial-In User Service (RADIUS) protocol to consolidate authentication information for remote access.
An authentication request is sent to the RADIUS authentication server that is outside the ETERNUS system network. The authentication method can be selected from CHAP and PAP. Two RADIUS authentication servers (the primary server and the secondary server) can be connected to distribute user account information and to create a redundant configuration. If the primary RADIUS server fails to authenticate, the secondary RADIUS server attempts to authenticate.
User roles are specified in the Vendor Specific Attribute (VSA) of the Access-Accept response from the server. The following table shows the syntax of the VSA-based account role on the RADIUS server.
| Item | Size (octets) | Value | Description |
| --- | --- | --- | --- |
| Type | 1 | 26 | Attribute number for the Vendor Specific Attribute |
| Length | 1 | 7 or more | Attribute size (calculated by server) |
| Vendor-Id | 4 | 211 | Fujitsu Limited (SMI Private Enterprise Code) |
| Vendor type | 1 | 1 | Eternus-Auth-Role |
| Vendor length | 1 | 2 or more | Attribute size described after the "Vendor type" item (calculated by server) |
| Attribute-Specific | 1 or more | ASCII characters | One or more assignable role names for successfully authenticated users (*1) |
*1 : The server-side role names must be identical to the role names of the ETERNUS DX. Match the letter case when entering the role names.
[Example] RoleName0
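The VSA layout in the table above, as an added example that is not part of the original manual: a Python encoder and strict parser for the Eternus-Auth-Role attribute, useful for checking what a RADIUS server actually returns. The function names are hypothetical, the value is treated as a single role name (the page does not say how several names are delimited), and Vendor length is assumed to count the Vendor type and Vendor length octets themselves, following the RFC 2865 convention.

```python
import struct

RADIUS_TYPE_VSA = 26       # Type: Vendor Specific Attribute
FUJITSU_VENDOR_ID = 211    # Vendor-Id: Fujitsu Limited (SMI Private Enterprise Code)
ETERNUS_AUTH_ROLE = 1      # Vendor type: Eternus-Auth-Role


def build_role_vsa(role: str) -> bytes:
    """Encode one role name as the VSA carried in an Access-Accept (hypothetical helper)."""
    value = role.encode("ascii")       # Attribute-Specific: ASCII characters
    if not value:
        raise ValueError("Attribute-Specific must be 1 octet or more")
    vendor_len = 2 + len(value)        # assumption: counts Vendor type + Vendor length + value
    total_len = 6 + vendor_len         # Type + Length + Vendor-Id, then the vendor part
    if total_len > 255:
        raise ValueError("role name too long for the one-octet Length field")
    return struct.pack("!BBIBB", RADIUS_TYPE_VSA, total_len,
                       FUJITSU_VENDOR_ID, ETERNUS_AUTH_ROLE, vendor_len) + value


def parse_role_vsa(attr: bytes) -> str:
    """Return the role name, or raise ValueError if a field breaks the table's layout."""
    if len(attr) < 8:
        raise ValueError("truncated: the fixed fields alone need 8 octets")
    a_type, length, vendor_id, v_type, v_len = struct.unpack("!BBIBB", attr[:8])
    if a_type != RADIUS_TYPE_VSA:
        raise ValueError(f"Type is {a_type}, expected 26")
    if length != len(attr):
        raise ValueError("Length does not match the attribute size")
    if vendor_id != FUJITSU_VENDOR_ID:
        raise ValueError(f"Vendor-Id is {vendor_id}, expected 211")
    if v_type != ETERNUS_AUTH_ROLE:
        raise ValueError(f"Vendor type is {v_type}, expected 1")
    if v_len != length - 6:
        raise ValueError("Vendor length does not cover the rest of the attribute")
    if len(attr) == 8:
        raise ValueError("Attribute-Specific must be 1 octet or more")
    return attr[8:].decode("ascii")    # non-ASCII raises UnicodeDecodeError (a ValueError)


def role_is_known(role: str, device_roles: set) -> bool:
    """Exact, case-sensitive comparison against the role names set on the ETERNUS DX."""
    return role in device_roles


if __name__ == "__main__":
    vsa = build_role_vsa("RoleName0")  # role name taken from the manual's example
    print(vsa.hex(), parse_role_vsa(vsa))
```
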
If RADIUS authentication fails when "Do not use Internal Authentication" has been selected for "Authentication Error Recovery" on ETERNUS Web GUI or ETERNUS CLI, logging in to ETERNUS Web GUI, ETERNUS CLI, SMI-S, or RESTful API will not be available.
When the setting to use Internal Authentication for errors caused by network problems is configured, Internal Authentication is performed if RADIUS authentication fails on both primary and secondary RADIUS servers, or at least one of these failures is due to a communication error.
As long as there is no RADIUS authentication response, the ETERNUS DX keeps retrying to authenticate the user for the entire "Retry Time Out" period set in the "Modify RADIUS" function. If authentication does not succeed before the "Retry Time Out" period expires, RADIUS authentication is considered to have failed.
When using RADIUS authentication, if the role that is received from the server is unknown to (not set on) the ETERNUS DX, RADIUS authentication fails.