Cisco Email Security Appliance C160 User Guide

Cisco AsyncOS 8.5 for Email User Guide
 
Chapter 30      Distributing Administrative Tasks
  Passwords
External Authentication
If you store user information in an LDAP or RADIUS directory on your network, you can configure your 
Cisco appliance to use the external directory to authenticate users who log in to the appliance. To set up 
the appliance to use an external directory for authentication, use the System Administration > Users page 
in the GUI, or the userconfig command and its external subcommand in the CLI. 
When external authentication is enabled and a user logs in to the Email Security appliance, the appliance 
first determines whether the user is the system-defined “admin” account. If not, the appliance checks the 
first configured external server to determine whether the user is defined there. If the appliance cannot connect 
to the first external server, it checks the next external server in the list. Only an unreachable server 
causes the appliance to move on to the next one; a server that answers decides the login. 
For LDAP servers, if the user fails authentication on any external server, the appliance then tries to 
authenticate the user as a local user defined on the Email Security appliance. If the user does not exist 
on any external server or on the appliance, or if the user enters the wrong password, access to the 
appliance is denied. Because of this fallback, a local account whose name matches a directory account 
remains usable with its local password even after the directory has rejected the login, so local accounts 
should be kept to the minimum needed and protected with strong passwords.
If an external RADIUS server cannot be contacted, the next server in the list is tried. If no server can 
be contacted, the appliance tries to authenticate the user as a local user defined on the Email Security 
appliance. However, if an external RADIUS server rejects a user for any reason, such as an incorrect 
password or the user being absent, access to the appliance is denied; there is no fallback to local 
accounts after a RADIUS rejection.
Enabling LDAP Authentication
In addition to using an LDAP directory to authenticate users, you can assign LDAP groups to Cisco user 
roles. For example, you can assign users in the IT group to the Administrator user role, and you can 
assign users in the Support group to the Help Desk User role. If a user belongs to multiple LDAP groups 
with different user roles, AsyncOS grants the user the permissions for the most restrictive role. For 
example, if a user belongs to a group with Operator permissions and a group with Help Desk User 
permissions, AsyncOS grants the user the permissions for the Help Desk User role.
Note
If the user role assigned to an external user’s LDAP group is changed, the user should log out of the appliance 
and then log back in. The permissions of the new role take effect at the next login.
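The login decision chain above (admin first, then the external servers in order, with LDAP rejections falling through to local accounts and RADIUS rejections ending the attempt) and the most-restrictive-role rule for LDAP groups, modelled as an added example. This is not Cisco code and not the appliance's implementation; the server objects, user names, passwords, group names and the full role ordering beyond "Help Desk User is more restrictive than Operator" are constructed assumptions for illustration.

```python
"""Model of AsyncOS external-authentication fallback and LDAP role resolution.

Added example, not Cisco code: it encodes the decision rules stated in the
External Authentication section so the fallback behaviour can be exercised
with constructed scenarios.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Roles named on the page, least to most restrictive. The page only states that
# Help Desk User is more restrictive than Operator; the rest is an assumed order.
ROLE_ORDER = ["Administrator", "Operator", "Help Desk User"]


class Outcome(Enum):
    ACCEPT = "accept"            # server answered and the credentials were valid
    REJECT = "reject"            # server answered; wrong password or unknown user
    UNREACHABLE = "unreachable"  # could not connect; try the next server


@dataclass
class ExternalServer:
    """Constructed stand-in for one LDAP or RADIUS server in the configured list."""
    name: str
    reachable: bool
    users: Dict[str, str]                                       # username -> password
    groups: Dict[str, List[str]] = field(default_factory=dict)  # username -> LDAP groups

    def check(self, user: str, password: str) -> Outcome:
        if not self.reachable:
            return Outcome.UNREACHABLE
        return Outcome.ACCEPT if self.users.get(user) == password else Outcome.REJECT


@dataclass
class Decision:
    allowed: bool
    source: Optional[str]   # "admin", "local", or the name of the external server
    role: Optional[str]


def most_restrictive_role(groups: List[str], group_roles: Dict[str, str]) -> Optional[str]:
    """A user in several mapped groups gets the most restrictive of their roles."""
    roles = [group_roles[g] for g in groups if g in group_roles]
    return max(roles, key=ROLE_ORDER.index) if roles else None


def authenticate(user: str, password: str, auth_type: str, servers: List[ExternalServer],
                 local_users: Dict[str, str], local_roles: Optional[Dict[str, str]] = None,
                 group_roles: Optional[Dict[str, str]] = None) -> Decision:
    """auth_type is "ldap" or "radius"; servers are tried in configured order."""
    local_roles = local_roles or {}
    group_roles = group_roles or {}

    def local() -> Decision:
        ok = user in local_users and local_users[user] == password
        return Decision(ok, "local" if ok else None, local_roles.get(user) if ok else None)

    # 1. The system-defined "admin" account is checked first and never goes external.
    if user == "admin":
        ok = local().allowed
        return Decision(ok, "admin" if ok else None, "Administrator" if ok else None)

    # 2. Walk the external servers; an unreachable server is skipped, an answering one decides.
    for srv in servers:
        outcome = srv.check(user, password)
        if outcome is Outcome.UNREACHABLE:
            continue
        if outcome is Outcome.ACCEPT:
            # Role mapping from LDAP groups; RADIUS role assignment is outside this section.
            role = most_restrictive_role(srv.groups.get(user, []), group_roles) if auth_type == "ldap" else None
            return Decision(True, srv.name, role)
        if auth_type == "radius":
            return Decision(False, None, None)   # a RADIUS rejection is final
        break                                     # an LDAP rejection falls through to local accounts

    # 3. Reached when every server was unreachable, or when an LDAP server rejected the user.
    return local()


# Constructed sample configuration: the first LDAP server is down, the second is up.
LDAP_GROUP_ROLES = {"IT": "Administrator", "Ops": "Operator", "Support": "Help Desk User"}
PRIMARY = ExternalServer("ldap1", reachable=False, users={"jdoe": "DirPw!1"}, groups={"jdoe": ["Ops", "Support"]})
SECONDARY = ExternalServer("ldap2", reachable=True, users={"jdoe": "DirPw!1"}, groups={"jdoe": ["Ops", "Support"]})
LOCAL_USERS = {"admin": "AdminPw!1", "jdoe": "LocalPw!1"}   # jdoe also exists locally
LOCAL_ROLES = {"jdoe": "Operator"}


if __name__ == "__main__":
    for auth_type in ("ldap", "radius"):
        for pw in ("DirPw!1", "LocalPw!1"):
            d = authenticate("jdoe", pw, auth_type, [PRIMARY, SECONDARY], LOCAL_USERS, LOCAL_ROLES, LDAP_GROUP_ROLES)
            print(f"{auth_type:6} password={pw:9} -> {d}")
```

The run shows the asymmetry the text describes: with LDAP, the directory password logs jdoe in via ldap2 with the Help Desk User role (the more restrictive of Ops and Support), and the local password also succeeds because the LDAP rejection falls through to the local account; with RADIUS the local password is refused outright, and only a fully unreachable server list reaches the local database.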
Before You Begin 
Define an LDAP server profile and an external authentication query for the LDAP server. For more 
information, see 
Procedure
Step 1   Choose System Administration > Users.
Step 2   Scroll down to the External Authentication section.
Step 3   Click Enable.
Step 4   Select the Enable External Authentication check box.
Step 5   Select LDAP for the authentication type.
Step 6   Enter the amount of time to store external authentication credentials in the web user interface.
Step 7   Select the LDAP external authentication query that authenticates users.
Step 8   Enter the number of seconds that the appliance waits for a response from the server before timing out.