Cisco Cisco Web Security Appliance S670 User Guide
Chapter 26 System Administration
Administering User Accounts
26-18
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Figure 26-9 shows where you enable external authentication on the System
Administration > Users page.
Figure 26-9 Enabling External Authentication
You can configure the appliance to contact multiple external servers for
authentication. You might want to define multiple external servers to allow for
failover in case one server is temporarily unavailable. When you define multiple
external servers, the appliance connects to the servers in the order defined on the
appliance.
When external authentication is enabled and a user logs into the Web Security
appliance, the appliance first determines if the user is the system-defined “admin”
account. If not, then the appliance checks the first configured external server to
determine if the user is defined there. If the appliance cannot connect to the first
external server, the appliance checks the next external server in the list. If the user
fails authentication on any external server, the appliance tries to authenticate the
user as a local user defined on the Web Security appliance. If the user does not
exist on any external server or on the appliance, or if the user enters the wrong
password, access to the appliance is denied.
Consider the following rules and guidelines when using external authentication:
• AsyncOS for Web connects to the external server over the M1 interface only.
• The Web Security appliance assigns all users in the RADIUS directory to the
  administrator user group. You cannot assign users to other user groups. When
  external authentication is enabled and a user successfully authenticates as a
  local user, the local user has Administrator user group privileges regardless
  of the configured user type.
• Any user with a valid username and password in the RADIUS directory is
  granted full access as an administrator on the Web Security appliance. No
  authorization is performed on RADIUS users.
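The login order and privilege rules above can be modeled to audit who ends up with administrator access. This is an added example, not Cisco code and not part of the guide; server names, accounts, passwords and the "Guest" user type are constructed sample data. It assumes the "admin" account is checked against the local store and that a rejection from a reachable server leads straight to the local fallback.

```python
# Added example: a model of the login flow described above, not Cisco code.
# Server names, accounts, passwords and user types are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class RadiusServer:
    name: str
    reachable: bool
    users: dict = field(default_factory=dict)  # username -> password

def resolve_login(user, password, servers, local_users):
    """Return (granted, source, effective_group) for one login attempt.

    local_users maps username -> (password, configured_user_type).
    """
    if user != "admin":  # assumption: the system-defined account stays local
        for srv in servers:  # tried in the order defined on the appliance
            if not srv.reachable:
                continue  # cannot connect: fail over to the next server
            if srv.users.get(user) == password:
                # No authorization step: every RADIUS user is an administrator.
                return True, srv.name, "Administrator"
            break  # assumption: a reachable server's rejection ends this phase
    entry = local_users.get(user)
    if entry and entry[0] == password:
        # With external authentication on, the configured type is ignored.
        return True, "local", "Administrator"
    return False, None, None

def unintended_admins(servers, local_users, intended):
    """Accounts that could log in as Administrator but are not on the intended list."""
    found = set(u for u in local_users if u not in intended)
    for srv in servers:
        found.update(u for u in srv.users if u not in intended)
    return sorted(found)

SERVERS = [
    RadiusServer("radius1", reachable=False, users={"netops": "pw1"}),
    RadiusServer("radius2", reachable=True,
                 users={"netops": "pw1", "helpdesk": "pw2"}),
]
LOCAL = {"admin": ("pw0", "Administrator"), "auditor": ("pw3", "Guest")}

if __name__ == "__main__":
    for who, pw in [("helpdesk", "pw2"), ("auditor", "pw3"), ("netops", "bad")]:
        print(who, resolve_login(who, pw, SERVERS, LOCAL))
    print(unintended_admins(SERVERS, LOCAL, intended={"admin", "netops"}))
```

Running the audit function against an export of the RADIUS directory and the local user list before enabling external authentication shows which accounts would gain administrator access.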
To enable external authentication using RADIUS:
Step 1 On the System Administration > Users page, click Enable.
The Edit External Authentication page is displayed.