Cisco Cisco Web Security Appliance S390 Betriebsanweisung
U S I N G E X T E R N A L A U T H E N T I C A T I O N
C H A P T E R 2 2 : S Y S T E M A D M I N I S T R A T I O N
501
You can configure the appliance to contact multiple external servers for authentication. You
might want to define multiple external servers to allow for failover in case one server is
temporarily unavailable. When you define multiple external servers, the appliance connects
to the servers in the order defined on the appliance.
might want to define multiple external servers to allow for failover in case one server is
temporarily unavailable. When you define multiple external servers, the appliance connects
to the servers in the order defined on the appliance.
When external authentication is enabled and a user logs into the Web Security appliance, the
appliance first determines if the user is the system defined “admin” account. If not, then the
appliance checks the first configured external server to determine if the user is defined there.
If the appliance cannot connect to the first external server, the appliance checks the next
external server in the list. If the user fails authentication on any external server, the appliance
tries to authenticate the user as a local user defined on the Web Security appliance. If the user
does not exist on any external server or on the appliance, or if the user enters the wrong
password, access to the appliance is denied.
appliance first determines if the user is the system defined “admin” account. If not, then the
appliance checks the first configured external server to determine if the user is defined there.
If the appliance cannot connect to the first external server, the appliance checks the next
external server in the list. If the user fails authentication on any external server, the appliance
tries to authenticate the user as a local user defined on the Web Security appliance. If the user
does not exist on any external server or on the appliance, or if the user enters the wrong
password, access to the appliance is denied.
Note — AsyncOS for Web connects to the external server over the M1 interface only.
The Web Security appliance assigns all users in the RADIUS directory to the administrator
user group. You cannot assign users to other user groups. When external authentication is
enabled and a user successfully authenticates as a local user, the local user has Administrator
user group privileges regardless of the configured user type.
user group. You cannot assign users to other user groups. When external authentication is
enabled and a user successfully authenticates as a local user, the local user has Administrator
user group privileges regardless of the configured user type.
To enable external authentication using RADIUS:
1. On the System Administration > Users page, click Enable.
The Edit External Authentication page is displayed.
2. Enable the Enable External Authentication option if it is not enabled already.
Figure 22-10 Enabling External Authentication Using RADIUS
3. Enter the host name for the RADIUS server.
4. Enter the port number for the RADIUS server. The default port number is 1812.
5. Enter the Shared Secret password for the RADIUS server.
6. Enter the number of seconds for the appliance to wait for a response from the server
before timing out.