Cisco Cisco Email Security Appliance X1050 Guía Del Usuario
30-22
Cisco AsyncOS 8.5 for Email User Guide
Chapter 30 Distributing Administrative Tasks
Passwords
Step 9
Enter the name of a group from the LDAP directory that you want the appliance to authenticate, and
select the role for the users in the group.
select the role for the users in the group.
Step 10
Optionally, click Add Row to add another directory group. Repeat steps
and
for each directory
group that the appliance authenticates.
Step 11
Submit and commit your changes.
Enabling RADIUS Authentication
You can also use a RADIUS directory to authenticate users and assign groups of users to Cisco roles.
The RADIUS server should support the CLASS attribute, which AsyncOS uses to assign users in the
RADIUS directory to Cisco user roles. AsyncOS supports two authentication protocols for
communicating with the RADIUS server: Password Authentication Protocol (PAP) and Challenge
Handshake Authentication Protocol (CHAP).
The RADIUS server should support the CLASS attribute, which AsyncOS uses to assign users in the
RADIUS directory to Cisco user roles. AsyncOS supports two authentication protocols for
communicating with the RADIUS server: Password Authentication Protocol (PAP) and Challenge
Handshake Authentication Protocol (CHAP).
To assign RADIUS users to Cisco user roles, first set the CLASS attribute on the RADIUS server with
a string value of
a string value of
<radius-group>
, which will be mapped to Cisco user roles. The CLASS attribute may
contain letters, numbers, and a dash, but cannot start with a dash. AsyncOS does not support multiple
values in the CLASS attribute. RADIUS users belonging to a group without a CLASS attribute or an
unmapped CLASS attribute cannot log into the appliance.
values in the CLASS attribute. RADIUS users belonging to a group without a CLASS attribute or an
unmapped CLASS attribute cannot log into the appliance.
If the appliance cannot communicate with the RADIUS server, the user can log in with a local user
account on the appliance.
account on the appliance.
Note
If an external user changes the user role for their RADIUS group, the user should log out of the appliance
and then log back in. The user will have the permissions of their new role.
and then log back in. The user will have the permissions of their new role.
Procedure
Step 1
On the System Administration > Users page, click Enable.
Step 2
Check the Enable External Authentication option if it is not enabled already.
Step 3
Enter the hostname for the RADIUS server.
Step 4
Enter the port number for the RADIUS server. The default port number is 1812.
Step 5
Enter the Shared Secret password for the RADIUS server.
Step 6
Enter the number of seconds for the appliance to wait for a response from the server before timing out.
Step 7
(Optional) Click Add Row to add another RADIUS server. Repeat steps
–
for each RADIUS server.
Note
You can add up to ten RADIUS servers.
Step 8
Enter the number of seconds AsyncOS stores the external authentication credentials before contacting
the RADIUS server again to re-authenticate in the “External Authentication Cache Timeout” field.
Default is zero (0).
the RADIUS server again to re-authenticate in the “External Authentication Cache Timeout” field.
Default is zero (0).
Note
If the RADIUS server uses one-time passwords, for example passwords created from a token,
enter zero (0). When the value is set to zero, AsyncOS does not contact the RADIUS server again
to authenticate during the current session.
enter zero (0). When the value is set to zero, AsyncOS does not contact the RADIUS server again
to authenticate during the current session.