Cisco Email Security Appliance C390 User Guide
Cisco AsyncOS 8.0.1 for Email User Guide
Chapter 28 Distributing Administrative Tasks
Passwords
If an external RADIUS server cannot be contacted, the next server in the list is tried. Only if none of the servers can be contacted does the appliance fall back to authenticating the user against the local user accounts defined on the Email Security appliance. If any external RADIUS server actually answers and rejects the user, for whatever reason (an incorrect password, an unknown user), access to the appliance is denied and no local fallback is attempted.
Enabling LDAP Authentication
In addition to using an LDAP directory to authenticate users, you can map LDAP groups to Cisco user roles. For example, you can assign users in the IT group to the Administrator user role and users in the Support group to the Help Desk User role. If a user belongs to several mapped LDAP groups with different user roles, AsyncOS grants the permissions of the most restrictive role, not the union of all roles. For example, a user who belongs to a group mapped to Operator and to a group mapped to Help Desk User receives only the Help Desk User permissions. Keep this in mind when an administrator is also a member of a low-privilege group: that membership will demote them.
Note
If the user role mapped to an external user's LDAP group is changed, the user should log out of the appliance and then log back in. After the new login the user has the permissions of the new role.
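The two rules stated above, RADIUS server fallback (local accounts are consulted only when every server is unreachable, never after a reject) and most-restrictive-role resolution for a user in several mapped LDAP groups, can be modelled in a few lines. The following Python is an added illustration, not Cisco or AsyncOS code: the role ranking beyond "Help Desk User is more restrictive than Operator", the fake servers and the local user store are all constructed for the example.

```python
"""Model of the AsyncOS external-authentication decision described on this page.

Added illustration, not Cisco code. The role ranking, the fake servers and the
local user store below are constructed assumptions for the example.
"""
import hashlib
import hmac
import os
from enum import Enum
from typing import Callable, Dict, Iterable, List, Optional, Tuple


class Outcome(Enum):
    ACCEPT = "accept"              # server authenticated the user
    REJECT = "reject"              # server answered but refused (bad password, unknown user)
    UNREACHABLE = "unreachable"    # no answer before the timeout


# Roles ranked from most to least privileged. The page only states that
# Help Desk User is more restrictive than Operator; the rest is assumed.
ROLE_RANK: Dict[str, int] = {
    "Administrator": 0,
    "Operator": 1,
    "Help Desk User": 2,
}


def effective_role(user_groups: Iterable[str], group_to_role: Dict[str, str]) -> Optional[str]:
    """Return the most restrictive role among the user's mapped groups.

    Groups that are not mapped to any role are ignored; if no group is mapped
    the result is None and the caller should deny access (assumption).
    """
    roles = [group_to_role[g] for g in user_groups if g in group_to_role]
    if not roles:
        return None
    return max(roles, key=lambda r: ROLE_RANK[r])   # highest rank = most restrictive


# A server is modelled as a callable (username, password) -> Outcome.
Server = Callable[[str, str], Outcome]


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Constructed local-account record: (salt, PBKDF2-SHA256 digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_local(local_users: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    rec = local_users.get(username)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)


def authenticate(servers: List[Server], local_users: Dict[str, Tuple[bytes, bytes]],
                 username: str, password: str) -> Tuple[bool, str]:
    """Try external servers in order; use local accounts only if all are unreachable."""
    for i, server in enumerate(servers):
        outcome = server(username, password)
        if outcome is Outcome.ACCEPT:
            return True, f"accepted by server {i}"
        if outcome is Outcome.REJECT:
            # A definitive answer from any server ends the attempt: no local fallback.
            return False, f"rejected by server {i}"
        # UNREACHABLE: try the next server in the list
    if check_local(local_users, username, password):
        return True, "all servers unreachable; accepted by local user database"
    return False, "all servers unreachable; local authentication failed"


# Constructed fake servers for demonstration.
def unreachable_server(username: str, password: str) -> Outcome:
    return Outcome.UNREACHABLE


def make_server(users: Dict[str, str]) -> Server:
    """Fake RADIUS/LDAP server with a constructed plaintext user table."""
    def server(username: str, password: str) -> Outcome:
        return Outcome.ACCEPT if users.get(username) == password else Outcome.REJECT
    return server


# Constructed local account on the appliance.
LOCAL_USERS = {"admin": pbkdf2_record("local-pass")}
```

Note the operational consequence the model makes visible: an attacker who can only make the RADIUS servers time out (not answer) forces the appliance onto its local accounts, so those accounts need passwords as strong as the external ones.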
Before You Begin
Define an LDAP server profile and an external authentication query for the LDAP server. For more
information, see
Procedure
Step 1
Choose System Administration > Users.
Step 2
Scroll down to the External Authentication section.
Step 3
Click Enable.
Step 4
Select the Enable External Authentication check box.
Step 5
Select LDAP for the authentication type.
Step 6
Enter how long the web user interface caches external authentication credentials before re-authenticating the user.
Step 7
Select the LDAP external authentication query that authenticates users.
Step 8
Enter the number of seconds that the appliance waits for a response from the server before timing out.
Step 9
Enter the name of a group from the LDAP directory that you want the appliance to authenticate, and
select the role for the users in the group.
Step 10
Optionally, click Add Row to add another directory group. Repeat steps 9 and 10 for each directory group that the appliance authenticates.
Step 11
Submit and commit your changes.
Enabling RADIUS Authentication
You can also use a RADIUS server to authenticate users and assign groups of users to Cisco roles. The RADIUS server should support the CLASS attribute, which AsyncOS uses to assign users in the RADIUS directory to Cisco user roles. AsyncOS supports two authentication protocols for communicating with the RADIUS server: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). With PAP the user's password is carried in the RADIUS request protected only by the shared-secret obfuscation of the RADIUS protocol, so use a long, random shared secret and keep the path to the RADIUS server on a trusted management network.