Cisco Email Security Appliance C690 User Guide
Cisco IronPort AsyncOS 7.5 for Email Daily Management Guide
OL-25138-01
Chapter 8 Common Administrative Tasks
Working with User Accounts
External Authentication
If you store user information in an LDAP or RADIUS directory on your network, you can configure your Cisco IronPort appliance to use the external directory to authenticate users who log in to the appliance. To set up the appliance to use an external directory for authentication, use the System Administration > Users page in the GUI or the userconfig command and the external subcommand in the CLI.
When external authentication is enabled and a user logs into the Email Security appliance, the appliance first determines if the user is the system defined “admin” account. If not, then the appliance checks the first configured external server to determine if the user is defined there. If the appliance cannot connect to the first external server, the appliance checks the next external server in the list.
For LDAP servers, if the user fails authentication on any external server, the appliance tries to authenticate the user as a local user defined on the Email Security appliance. If the user does not exist on any external server or on the appliance, or if the user enters the wrong password, access to the appliance is denied.
If an external RADIUS server cannot be contacted, the next server in the list is tried. If none of the servers can be contacted, the appliance tries to authenticate the user as a local user defined on the Email Security appliance. However, if an external RADIUS server rejects a user for any reason, such as an incorrect password or the user being absent, access to the appliance is denied.
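The two paragraphs above describe different fallback rules for LDAP and RADIUS, and the difference matters operationally: with LDAP, a directory rejection still lets a local account of the same name log in, while with RADIUS a rejection is final. The following model is an added illustration, not Cisco code or part of this guide; the ExternalServer class, the authenticate_login function and all user and server data are constructed here to exercise the ordering the text describes (admin first, then external servers in list order, then the documented local fallback). It assumes all configured servers are of one type, as the text discusses LDAP and RADIUS separately.

```python
"""Model of the documented external-authentication order (added example, not Cisco code)."""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"            # server verified the credentials
    REJECT = "reject"            # server reachable, but user absent or wrong password
    UNREACHABLE = "unreachable"  # could not connect; the next server is tried


@dataclass
class ExternalServer:
    """Hypothetical stand-in for one configured LDAP or RADIUS server."""
    kind: str                      # "ldap" or "radius"
    reachable: bool = True
    users: dict = field(default_factory=dict)  # username -> password (constructed data)

    def check(self, user, password):
        if not self.reachable:
            return Result.UNREACHABLE
        if self.users.get(user) == password:
            return Result.ACCEPT
        return Result.REJECT


def check_local(local_users, user, password):
    """Local account database on the appliance (constructed data)."""
    return local_users.get(user) == password


def authenticate_login(servers, local_users, user, password):
    """Return (granted, reason) following the order described in the guide.

    - "admin" is the system-defined account and is always checked locally.
    - External servers are consulted in list order; an unreachable one is skipped.
    - LDAP: a rejection falls back to the local account database.
    - RADIUS: a rejection from a reachable server denies access outright;
      local fallback applies only when every RADIUS server is unreachable.
    """
    if user == "admin":
        return check_local(local_users, user, password), "admin-local"

    if not servers:
        return check_local(local_users, user, password), "local-only"

    kind = servers[0].kind
    for server in servers:
        result = server.check(user, password)
        if result is Result.UNREACHABLE:
            continue  # try the next server in the list
        if result is Result.ACCEPT:
            return True, f"{kind}-accept"
        # A reachable server rejected the user.
        if kind == "radius":
            return False, "radius-reject"
        return check_local(local_users, user, password), "ldap-reject-local-fallback"

    # Every external server was unreachable.
    return check_local(local_users, user, password), "all-unreachable-local-fallback"


# Constructed sample configuration used by the scenarios below.
LOCAL_USERS = {"admin": "adminpw", "bob": "localpw"}
LDAP_SERVERS = [
    ExternalServer("ldap", reachable=False),               # first server is down
    ExternalServer("ldap", users={"alice": "pw"}),         # second answers
]
RADIUS_SERVERS = [ExternalServer("radius", users={"alice": "pw"})]
RADIUS_ALL_DOWN = [ExternalServer("radius", reachable=False),
                   ExternalServer("radius", reachable=False)]

if __name__ == "__main__":
    for label, servers, user, pw in [
        ("LDAP, directory user", LDAP_SERVERS, "alice", "pw"),
        ("LDAP, local-only user", LDAP_SERVERS, "bob", "localpw"),
        ("RADIUS, local-only user", RADIUS_SERVERS, "bob", "localpw"),
        ("RADIUS all down, local user", RADIUS_ALL_DOWN, "bob", "localpw"),
    ]:
        print(label, "->", authenticate_login(servers, LOCAL_USERS, user, pw))
```

The scenario worth noticing is the second and third lines of output: the same local account "bob" is accepted under LDAP (rejection falls back to local accounts) but denied under RADIUS (rejection is final). When auditing who can reach the appliance, local accounts that share a name with directory users therefore need review whenever LDAP is the external method.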
Figure 8-15 Enabling External Authentication
Enabling LDAP Authentication
In addition to using an LDAP directory to authenticate users, you can assign LDAP groups to Cisco IronPort user roles. For example, you can assign users in the IT group to the Administrator user role, and you can assign users in the Support group to the Help Desk User role. If a user belongs to multiple LDAP groups with different user roles, AsyncOS grants the user the permissions for the