Tripp Lite 0 Idades Manual

							141
Chapter 8: Power and Environment
8.2.3 Configuring powered computers to monitor a Managed UPS 
Once you have added a Managed UPS, each server that is drawing power thr\
ough the UPS should be setup to monitor the 
UPS status as a Slave. This is done by installing the NUT package on eac\
h server, and setting up upsmon to connect to the 
Console Server.
Refer to the NUT documentation for details on how this is done, specifi\
cally sections 13.5 to 13.10. 
http://eu1.networkupstools.org/doc/2.2.0/INSTALL.html
An example upsmon.conf entry might look like:
•  MONITOR [email protected] 1 username password Slave
• managedups is the UPS Name of the Managed UPS
• 192.168.0.1 is the IP address of the Console Server
• 1 indicates the server has a single power supply attached to this UPS
• username is the Username of the Managed UPS
• password is the Password of the Manager UPS  
						

							142
Chapter 8: Power and Environment
8.2.4 UPS alerts 
You can now set UPS alerts using Alerts & Logging: Alerts (refer to Chapter 7)
8.2.5 UPS status 
You can monitor the current status of all your Managed or Monitored UPS’\
s, whether they are on the network or connected 
serially or via USB:
• Select the Status: UPS Status menu and a table with the summary status of all connected UPS hardware \
will be 
displayed
• Click on any particular UPS System name in the table and you will be presented with a more detailed graphi\
cal 
information on the select UPS System 
• Click on any particular All Data for any UPS System in the table for more status and configuration inf\
ormation on the 
select UPS System 
• Select UPS Logs and you will be presented with the log table of the load, battery charge\
 level, temperature and other 
status information from all the Managed and Monitored UPS systems. This \
information will be logged for all UPS’s which 
were configured with Log Status checked. The information is also prese\
nted graphically  
						

							143
Chapter 8: Power and Environment
8.2.6 Overview of Network UPS Tools (NUT) 
Network UPS Tools (NUT) is a group of open source programs that provide a common in\
terface for monitoring and 
administering UPS hardware; and ensuring safe shutdowns of the systems w\
hich are connected.
NUT can be configured using the Management Console as described above,\
 or you can configure the tools and manage the 
UPS’s directly from the command line. This section provides an overvi\
ew of NUT. You can find full documentation at http://www.
networkupstools.org/doc. 
NUT is built on a networked model with a layered scheme of drivers, serv\
er and clients. 
1. The driver programs talk directly to the UPS equipment and run on the same host as\
 the NUT network server upsd. Drivers 
are provided for a wide assortment of equipment from most of the popular\
 UPS vendors and they understand the specific 
language of each UPS and map it back to a compatibility layer. This means both an expensive "smart" protocol UPS and a 
simple "power strip" model can be handled transparently.
2. The NUT network server program upsd is responsible for passing status data from the drivers to the client p\
rograms via 
the network. upsd can cache the status from multiple UPS’s and can then serve this sta\
tus data to many clients. upsd 
also contains access control features to limit the abilities of the clie\
nts (so only authorized hosts may monitor or control 
the UPS hardware).
3. There are a number of NUT clients that connect to upsd to check on the status of the UPS hardware and do things based 
on the status. These clients can run on the same host as the NUT server \
or they can communicate with the NUT server 
over the network (enabling them to monitor any UPS anywhere). 
 The upsmon client enables servers that draw power through the UPS (i.e. Slaves of\
 the UPS) to shutdown gracefully when 
the battery power reaches critical. Additionally, one server is designated the Master of the UPS, and is responsible for\
 
shutting down the UPS itself when all Slaves have shut down. Typically, the Master of the UPS is the one connected to the 
UPS via serial or USB cable.
 upsmon can monitor multiple UPS’s, so high-end servers which receive power \
from multiple UPS’s simultaneously won't 
initiate a shutdown until the total power situation across all source UP\
S’s becomes critical.
 There also the two status/logging clients, upsc and upslog. The upsc client provides a quick way to poll the status of a 
UPS. It can be used inside shell scripts and other programs that need UP\
S status information. upslog is a background 
service that periodically polls the status of a UPS, writing it to a fi\
le.
 All these clients run on the Console Server (for Management Console pre\
sentations) but they also are run remotely (on 
locally powered servers and remote monitoring systems).
This layered NUT architecture enables: 
• Multiple architecture support: NUT can manage serial and USB-connected models with the same common interface. 
SNMP equipment can also be monitored (although at this stage this is st\
ill pre-release with experimental drivers and this 
feature will be added to the embedded UPS tools in future release). 
• Multiple clients monitoring one UPS: Multiple systems may monitor a sing\
le UPS using only their network connections. 
There’s a wide selection of client programs which support monitoring \
UPS hardware via NUT (Big Sister, Cacti, Nagios, 
Windows and more). Refer to www.networkupstools.org/client-projects.)
So NUT supports the more complex power architectures found in data cente\
rs, computer rooms and NOCs where many UPS’s 
from many vendors power many systems with many clients and each of the l\
arger UPS’s power multiple devices and many of 
these devices are themselves dual powered.   
						

							144
Chapter 8: Power and Environment
8.3 Environmental Monitoring
The Environmental Monitoring Device (EMD), model B090-EMD, can be conn\
ected to any Console Server serial port and 
each Console Server can support multiple EMD’s. Each EMD has one temp\
erature and one humidity sensor and one general 
purpose status sensor which can be connected to a smoke detector, water detector, vibration or open-door sensor. 
The B095-004/003 Console Server models also each has an internal tempera\
ture sensor.
Using the Management Console, Administrators can view the ambient temper\
ature and humidity and set the EMD to 
automatically send alarms progressively from warning levels to critical \
alerts.   
						

							145
Chapter 8: Power and Environment
8.3.1 Connecting the EMD 
The Environmental Monitoring Sensor (EMD) connects to any serial port \
on the Console Server via a special EMD Adapter and 
standard CAT5 cable. The EMD is powered over this serial connection and communicate\
s using a custom handshake protocol. 
It is not an RS232 device and should not be connected without the adapte\
r: 
• Plug the RJ plug on the EMD Adapter (model B090-EMD-ADP) into RJ45 Port on the EMD  
 (model B090-EMD). Then connect the Console Server serial port to the R\
J45 port of the  
 EMD Adapter using the provided UTP cable. If the 6 foot (2 meter) UTP \
cable provided with  
 the EMD is not long enough it can be replaced with a standard Cat5 UTP c\
able up to 33 feet  
 (10meters) in length (Tripp Lite N002 series cables)
  
• Screw the bare wires on any smoke detector, water detector, vibration sensor, open-door  
 sensor or general purpose open/close status sensors into the terminals o\
n the EMD:
  o B090-WLS  Console Server Water Leak Sensor
 o B090-DCS  Console Server Door Contact Sensor
 o B090-VS  Console Server Vibration Sensor
 o B090-SD-110  Console Server Smoke Detector - 110V
 o B090-SD-220  Console Server Smoke Detector - 220V
The EMD can be used only with a Console Server and cannot be connected t\
o standard RS232 serial ports on other 
appliances. 
• Select Environmental as the Device Type in the Serial & Network: Serial Port menu for the port to which the EMD is 
to be attached. No particular Common Settings are required. 
• Click Apply
• Select the Serial & Network: Environmental menu. This will display all the EMD connections that have already been \
configured
• Click Add   
						

							146
Chapter 8: Power and Environment
• Enter a Name and Description for the EMD and select pre-configured serial port that the EMD will b\
e Connected Via
• Provide L abels for each of the two alarms
• Check Log Status and specify the Log Rate (minutes between samples) if you wish the status from this EMD to be \
logged. These logs can be views from the Status: Environmental Status screen
• Click Apply
8.3.2 Environmental alerts 
You can now set temperature, humidity and probe status alerts using Alerts & Logging: Alerts (refer to Chapter 7)
8.3.3 Environmental status 
You can monitor the current status of all of EMDs and their probes
• Select the Status: Environmental Status menu and a table with the summary status of all connected EMD hardware \
will 
be displayed
• Click on View Log or select the Environmental Logs menu and you will be presented with a table and graphical plot of 
the log history of the select EMD    
						

							147
Chapter 9: Authentication
The Tripp Lite Console Server is a dedicated Linux computer, and it embodies popular and proven Linux software modules for 
secure network access (OpenSSH) and communications (OpenSSL) and sophisticated user authentication (PAM, RADIUS, 
TACACS+,  Kerberos and LDAP). 
• This chapter details how the Administrator can use the Management Consol\
e to establish remote AAA authentication for 
all connections to the Console Server and attached serial and network ho\
st devices
• This chapter also covers establishing a secure link to the Management Co\
nsole using HTTPS and using OpenSSL and 
OpenSSH to establish a secure Administration connection to the Console Server\
9.1  Authentication Configuration
Authentication can be performed locally, or remotely using an LDAP, Radius or TACACS+ authentication server. The default 
authentication method for the Console Server is Local. 
Any authentication method that is configured will be used for authenti\
cation of any user attempting to log in through Telnet, 
SSH or the Web Manager to the Console Server and any connected serial port or networ\
k host devices. 
The Console Server can be configured to the default (Local) or an alternate authentication method (TACACS, RADIUS 
Kerberos or LDAP) with the option of a selected order in which local and remote authent\
ication is to be used:
Local TACACS /RADIUS/LDAP/Kerberos: Tries local authentication first, falling back to remote if local fails\
TACACS /RADIUS/LDAP/Kerberos Local: Tries remote authentication first, falling back to local if remote fail\
s
TACACS /RADIUS/LDAP/Kerberos Down Local: Tries remote authentication first, falling back to local if the remote \
authentication returns an error condition (e.g. the remote authenticati\
on server is down or inaccessible)
9.1.1  Local authentication 
• Select Serial and Network: Authentication and check Local   
• Click Apply   
						

							148
Chapter 9: Authentication
9.1.2 TACACS authentication 
Perform the following procedure to configure the TACACS+ authentication method to be used whenever the Console Server or 
any of its serial ports or hosts is accessed:
• Select Serial and Network: Authentication and check TACAS or LocalTACACS or TACACSLocal or TACACSDownLocal  
• Enter the Server Address (IP or host name) of the remote Authentication/Authorization server. Multiple remote servers 
may be specified in a comma-separated list. Each server is tried in su\
ccession. 
• In addition to multiple remote servers, you can also enter for separate \
lists of Authentication/Authorization servers and 
Accounting servers. If no Accounting servers are specified, the Authen\
tication/Authorization servers are used instead.
• Enter the Server Password 
 When Ignore Privilege Level is enabled, the priv-lvl setting for all of the users defined on the TACACS AAA server will be 
ignored 
Note: The console server normally interprets a user with a TACACS priv-lvl of 12 or above as an admin user. There is also a 
special privilege level where a user with a priv-lvl of 15 is also given access to all configured serial ports. When the Ignore 
Privilege Level option is enabled (i.e., checked in the user interface), there are no \
escalations of privileges based on the  
priv-lvl value from the TACACS server. 
Also note that if the only privilege level configured for one or more \
TACACS users is the priv-lvl (e.g., no specific port access 
or group memberships set) level, you will revoke access to the console \
server for those users with whom this level is enabled. 
Users will not be a member of any group, even if the Retrieve Remote gro\
ups option in the Authentication menu is enabled.
• Click Apply. TACAS+ remote authentication will now be used for all user access to Cons\
ole Server and serially or network 
attached devices
TACACS+ The Terminal Access Controller Access Control System (TACACS+) security protocol is a recent protocol developed 
by Cisco. It provides detailed accounting information and flexible adm\
inistrative control over the authentication 
and authorization processes. TACACS+ allows for a single access control server (the TACACS+ daemon) to 
provide authentication, authorization, and accounting services independe\
ntly. Each service can be tied into its 
own database to take advantage of other services available on that serve\
r or on the network, depending on the 
capabilities of the daemon. There is a draft RFC detailing this protocol\
. Further information on configuring remote 
TACACS+ servers can be found at the following sites:
 http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
 http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter0\
9186a00800eb6d6.html
 http://cio.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_\
cr/secur_c/scprt2/sctplus.htm  
						

							149
Chapter 9: Authentication
9.1.3 RADIUS authentication 
Perform the following procedure to configure the RADIUS authentication \
method to be used whenever the Console Server or 
any of its serial ports or hosts is accessed:
• Select Serial and Network: Authentication and check RADIUS or LocalRADIUS or RADIUSLocal or 
RADIUSDownLocal  
• Enter the Server Address (IP or host name) of the remote Authentication/ Authorization server. Multiple remote servers 
may be specified in a comma-separated list. Each server is tried in su\
ccession
• In addition to multiple remote servers, you can also enter for separate \
lists of Authentication/Authorization servers and 
Accounting servers. If no Accounting servers are specified, the Authen\
tication/Authorization servers are used instead
• Enter the Server Password 
• Click Apply. RADIUS remote authentication will now be used for all user access to C\
onsole Server and serially or network 
attached devices
RADIUS   The Remote Authentication Dial-In User Service (RADIUS) protocol was d\
eveloped by Livingston Enterprises as 
an access server authentication and accounting protocol. The RADIUS serv\
er can support a variety of methods to 
authenticate a user. When it is provided with the username and original password given by t\
he user, it can support 
PPP, PAP or CHAP, UNIX login, and other authentication mechanisms. Further information on configuring remote 
RADIUS servers can be found at the following sites:
 http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/d4fe\
8248-eecd-49e4-88f6-
9e304f97fefc.mspx
 http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800945cc.shtml
 http://www.freeradius.org/  
						

							150
Chapter 9: Authentication
9.1.4 LDAP authentication 
With firmware version 3.11 and later, LDAP authentication now supports OpenLDAP servers using the Posix-style schema for 
user and group definitions.
Performing simple authentication against any LDAP server (AD or OpenLDAP\
) follow the common LDAP standards and 
protocols. Extra steps are required in configuring extra user data (e\
.g., groups, etc).
The console server may be configured for authentication and authorizat\
ion of group information from an LDAP server. This 
group information can be stored in a number of different ways. Active Di\
rectory has one method of storage, and OpenLDAP 
has two methods:
• Active Directory: Each entry for a user has multiple ‘memberOf’ attributes. Each ‘memberOf’ value is the full DN of the 
group they belong to (the user entry will be of objectClass “user”\
).
• OpenLDAP / Posix: Each entry for a user must have a ‘gidNumber’ attribute. Thi\
s will be an integer value that functions 
as the user’s primary group (e.g., mapping to the /etc/passwd file\
 within the group ID field). To determine the group, first 
search for an entry in the directory that contains that group ID. Doing \
this will also provide the group name (the users are 
of objectClass “posixAccount” and the groups are of objectClass “\
posixGroup”).
• OpenLDAP / Posix: Each group entry in the group tree (of objectClass ‘posixGroup\
’) may have multiple ‘memberUid’ 
attributes. These represent secondary groups (e.g., mapping to the /etc\
/groups file). Each attribute contains a username.
To accommodate these possibilities, the pam_ldap module has been modified to perform group queries for each of the thr\
ee 
styles. This allows for a ‘generic’ configuration and does not a\
ffect how the LDAP directory is set up.
There are only two parameters that need to be configured based upon a \
user’s search: LDAP username and group 
membership attributes.
To clarify which parameters to use, the descriptions for these fields h\
ave been updated to prompt the user for common or 
likely attributes. For example, the two configuration fields below use the following des\
criptions:
LDAP Username Attribute: The LDAP attribute that corresponds to the login name of the user (comm\
only ‘sAMAccountName’ 
for Active Directory, and ‘uid’ for OpenLDAP). 
LDAP Group Membership Attribute: The LDAP attribute that indicates group membership in a user record (co\
mmonly 
‘memberOf’ for Active Directory, and unused for OpenLDAP). 
Note: The libldap library is particular about ensuring SSL connections using certificates signed by a trusted CA. Setting up a 
connection to an LDAP server using SSL requires extra attention.