Cisco Web Security Appliance S190 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 26 System Administration
Administering User Accounts
• The last command displays information about users who have recently logged into the appliance.
RADIUS User Authentication
You can configure the Web Security appliance to use a RADIUS directory service to authenticate users
logging in to the appliance. You can use external authentication when logging into the appliance using
HTTP, HTTPS, SSH, and FTP. To set up the appliance to use an external directory for authentication,
use the System Administration > Users page in the web interface or the userconfig > external CLI
command.
You can configure the appliance to contact multiple external servers for authentication. You might want
to define multiple external servers to allow for failover in case one server is temporarily unavailable.
When you define multiple external servers, the appliance connects to the servers in the order defined on
the appliance.
When external authentication is enabled and a user logs into the Web Security appliance, the appliance
first determines if the user is the system defined “admin” account. If not, then the appliance checks the
first configured external server to determine if the user is defined there. If the appliance cannot connect
to the first external server, the appliance checks the next external server in the list. If the appliance cannot
connect to any external server, it tries to authenticate the user as a local user defined on the Web Security
appliance. If the user does not exist on any external server or on the appliance, or if the user enters the
wrong password, access to the appliance is denied.
Consider the following rules and guidelines when using external authentication:
• You can configure up to ten RADIUS servers.
• The appliance can communicate with RADIUS directories using either the Password Authentication
Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP).
• You can map all RADIUS users to the Administrator user role type or you can map RADIUS users
to different Web Security appliance user role types.
• If you will also add local users, be sure that local user names do not duplicate
externally-authenticated user names.
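The login decision order described above can be modeled as follows. This is an added example, not code from Cisco or the appliance; the class and function names, the sample accounts, and the two points marked "Assumption" in the comments are constructed for illustration. In this model, a local account that shares a name with an external one becomes the deciding credential once no RADIUS server is reachable.

```python
# Added illustration: a model of the login decision order described above.
# All names and sample data are constructed; this is not appliance code.
from dataclasses import dataclass, field

class Unreachable(Exception):
    """Raised when a RADIUS server cannot be contacted."""

@dataclass
class RadiusServer:
    name: str
    users: dict = field(default_factory=dict)  # username -> password
    up: bool = True

    def check(self, user, password):
        if not self.up:
            raise Unreachable(self.name)
        return self.users.get(user) == password

def authenticate(user, password, servers, local_users):
    """Return (granted, source) following the order given in the text."""
    if len(servers) > 10:
        raise ValueError("at most ten RADIUS servers can be configured")
    # 1. The system-defined admin account is identified first.
    #    Assumption: it is then verified against the local store.
    if user == "admin":
        return local_users.get("admin") == password, "local-admin"
    # 2. Servers are tried in configured order; only a connection failure
    #    moves on to the next one. Assumption: the first reachable
    #    server's answer is final.
    for srv in servers:
        try:
            return srv.check(user, password), srv.name
        except Unreachable:
            continue
    # 3. No server reachable: fall back to locally defined users.
    ok = user in local_users and local_users[user] == password
    return ok, "local-fallback"

def demo():
    primary = RadiusServer("radius1", {"jdoe": "radius-pw"})
    backup = RadiusServer("radius2", {"jdoe": "radius-pw"})
    local = {"admin": "admin-pw", "jdoe": "old-local-pw"}  # duplicate name
    results = [authenticate("jdoe", "old-local-pw", [primary, backup], local)]
    primary.up = False  # first server down: failover to the second
    results.append(authenticate("jdoe", "radius-pw", [primary, backup], local))
    backup.up = False   # no server reachable: local users decide
    results.append(authenticate("jdoe", "old-local-pw", [primary, backup], local))
    return results
```
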
Enabling External Authentication Using RADIUS
Step 1 On the System Administration > Users page, click Enable.
example.com> last
Username Remote Host Login Time Logout Time Total Time
======== =========== ================ ================ ==========
admin 10.xx.xx.xx Sat May 15 23:42 still logged in 15m
admin 10.xx.xx.xx Sat May 15 22:52 Sat May 15 23:42 50m
admin 10.xx.xx.xx Sat May 15 11:02 Sat May 15 14:14 3h 12m
admin 10.xx.xx.xx Fri May 14 16:29 Fri May 14 17:43 1h 13m
shutdown Fri May 14 16:22