Cisco Prime Optical 9.3 Technical References
Cisco Prime Optical 9.3 Basic External Authentication
OL-23465-01
Step 5
To enable external authentication, you must restart the Prime Optical server. Enter the following command:
ctms-stop ; ctms-start
Caveats for Local Authentication When External Authentication Is Enabled
When external authentication is enabled, the local authentication system is subject to the following caveats:
• Because user credentials (passwords) are not checked against passwords in the local database, the following Prime Optical authentication features might not work in all cases:
  – User lockout
  – Autologin
  The preceding features do not work when a user is logged in and the access server or the access server administrator changes that user’s credentials. For example, the RADIUS RSA authentication manager can authenticate users by means of hardware devices (tokens) that generate a pseudorandom number that is used as a password. This number changes every minute, so a locked out user does not know which password was used to log in successfully in the past. To prevent this problem, open the Prime Optical client and in the Domain Explorer, choose Administration > Control Panel > Security Properties and uncheck the Lockout Enable check box.
• If the Prime Optical client disconnects from the Prime Optical server, the client automatically tries to log in again using the cached username and password, which are no longer valid. The automatic login attempts fail. To resolve this problem, close the automatic login wizard and launch the Prime Optical client again.
• Password aging rules and login preferences do not work, because they are the responsibility of the external access server. For this reason, these rules must remain disabled on the Prime Optical client. When external authentication is enabled, the following fields in the Control Panel > Security Properties > Security tab are automatically set to 0 (disabled):
  – Password Aging
  – Password Expiration Early Notification
  – Max Retries
  – Login Disable Period
• The password change feature changes the local password. For this reason, do not use the password change feature when external authentication is enabled. Furthermore, password changing policies are access server dependent. In the Domain Explorer, choose Administration > Users. In the Cisco Prime Optical Users table, choose Edit > Create. In the Create New User wizard, uncheck the Require Password Change on Next Login check box.
• Although authentication is external, authorization is local. For example, user privileges are managed locally.
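The autologin caveat above (a client replaying a cached token password after a disconnect) can be reproduced with a short simulation. This is an added example, not Cisco code: it uses RFC 6238 TOTP with a 60-second step as a stand-in for the token algorithm, and `AccessServer`, `simulate_reconnect`, the demo secret and the one-use-per-step rule are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds; the page states the token number changes every minute

def token_code(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits); stand-in for the real token algorithm."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class AccessServer:
    """Hypothetical external access server: accepts the current code once per step."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1

    def authenticate(self, code: str, now: int) -> bool:
        step_no = now // STEP
        matches = hmac.compare_digest(code, token_code(self.secret, now))
        if not matches or step_no <= self.last_used_step:
            return False  # stale code, or replay of a code already consumed
        self.last_used_step = step_no
        return True

def simulate_reconnect(secret: bytes, login_time: int, outage: int, retries: int = 3):
    """Log in, cache the password, then autologin with the cached value after an outage."""
    server = AccessServer(secret)
    cached = token_code(secret, login_time)  # what the client keeps for autologin
    first_login = server.authenticate(cached, login_time)
    reconnect_at = login_time + outage
    autologin = [server.authenticate(cached, reconnect_at + i) for i in range(retries)]
    # Relaunching the client makes the user type the token's current code instead.
    later = reconnect_at + retries
    manual_login = server.authenticate(token_code(secret, later), later)
    return first_login, autologin, manual_login

if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # constructed secret (RFC 4226 test key)
    print(simulate_reconnect(demo_secret, login_time=0, outage=120))
```

Every automatic retry fails because the cached value belongs to an earlier time step, while a fresh code entered after relaunching the client succeeds.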