Cisco Email Security Appliance C390 User Guide
Cisco IronPort AsyncOS 7.3 for Email Daily Management Guide
OL-23080-01
Chapter 8 Common Administrative Tasks
Adding Users
For LDAP servers, if the user fails authentication on any external server, the
appliance tries to authenticate the user as a local user defined on the Email
Security appliance. If the user does not exist on any external server or on the
appliance, or if the user enters the wrong password, access to the appliance is
denied.
If an external RADIUS server cannot be contacted, the next server in the list is
tried. If none of the servers can be contacted, the appliance tries to authenticate
the user as a local user defined on the Email Security appliance. However, if an
external RADIUS server rejects a user for any reason, such as an incorrect password
or the user being absent, access to the appliance is denied.
Figure 8-12 Enabling External Authentication
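The fallback rules described above, modeled as an added example; this is not Cisco's code and not part of the original guide. The `authenticate` function, the `Result` values, the server callables and the sample account are hypothetical, and the model assumes LDAP servers are tried in order before the local fallback.

```python
import hmac
from enum import Enum

class Result(Enum):
    ACCEPT = 1
    REJECT = 2        # server answered: wrong password or unknown user
    UNREACHABLE = 3   # server could not be contacted

def local_auth(local_users, user, password):
    # Constructed stand-in for the appliance's local user database.
    stored = local_users.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def authenticate(kind, servers, local_users, user, password):
    """Model of the fallback rules in the text. Returns (granted, decided_by).

    kind is "ldap" or "radius"; servers is an ordered list of callables
    (hypothetical stand-ins for real server queries) that return a Result.
    """
    for i, query in enumerate(servers):
        result = query(user, password)
        if result is Result.ACCEPT:
            return True, f"{kind}[{i}]"
        if kind == "radius" and result is Result.REJECT:
            return False, f"{kind}[{i}]"   # explicit RADIUS reject is final
        # LDAP failure or unreachable RADIUS server: try the next server
    # LDAP: no server accepted. RADIUS: no server answered. Fall back to local.
    return local_auth(local_users, user, password), "local"

# Constructed sample data: one local account and three server behaviours.
LOCAL = {"admin": "local-pass"}
accept = lambda user, password: Result.ACCEPT
reject = lambda user, password: Result.REJECT
down = lambda user, password: Result.UNREACHABLE

if __name__ == "__main__":
    cases = [
        ("LDAP rejects, local account matches", "ldap", [reject]),
        ("RADIUS rejects, local account matches", "radius", [reject]),
        ("first RADIUS down, second accepts", "radius", [down, accept]),
        ("all RADIUS servers down", "radius", [down, down]),
    ]
    for label, kind, servers in cases:
        print(label, authenticate(kind, servers, LOCAL, "admin", "local-pass"))
```

The first and last cases are the ones to review when auditing local accounts: a local user with a matching name is still checked after an LDAP failure or a full RADIUS outage.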
Enabling LDAP Authentication
In addition to using an LDAP directory to authenticate users, you can assign
LDAP groups to IronPort user roles. For example, you can assign users in the IT
group to the Administrator user role, and you can assign users in the Support
group to the Help Desk User role. If a user belongs to multiple LDAP groups with
different user roles, AsyncOS grants the user the permissions for the most
restrictive role. For example, if a user belongs to a group with Operator
permissions and a group with Help Desk User permissions, AsyncOS grants the
user the permissions for the Help Desk User role.
Note
If an external user changes the user role for their LDAP group, the user should log
out of the appliance and then log back in. The user will have the permissions of
their new role.
Before enabling external authentication using LDAP, define an LDAP server
profile and an external authentication query for the LDAP server. For more
information, see the “LDAP Queries” chapter in the Cisco IronPort AsyncOS for
Email Advanced Configuration Guide.
To enable external authentication using LDAP: