User Guide for Cisco Email Security Appliance C160
Cisco AsyncOS 8.5.6 for Email User Guide
Chapter 31 Distributing Administrative Tasks
Passwords
Step 6
Enter the amount of time to store external authentication credentials in the web user interface.
Step 7
Select the LDAP external authentication query that authenticates users.
Step 8
Enter the number of seconds that the appliance waits for a response from the server before timing out.
Step 9
Enter the name of a group from the LDAP directory that you want the appliance to authenticate, and
select the role for the users in the group.
Step 10
Optionally, click Add Row to add another directory group. Repeat steps
and
for each directory
group that the appliance authenticates.
Step 11
Submit and commit your changes.
Enabling RADIUS Authentication
You can also use a RADIUS directory to authenticate users and assign groups of users to Cisco roles.
The RADIUS server should support the CLASS attribute, which AsyncOS uses to assign users in the
RADIUS directory to Cisco user roles. AsyncOS supports two authentication protocols for
communicating with the RADIUS server: Password Authentication Protocol (PAP) and Challenge
Handshake Authentication Protocol (CHAP).
To assign RADIUS users to Cisco user roles, first set the CLASS attribute on the RADIUS server with
a string value of <radius-group>, which will be mapped to Cisco user roles. The CLASS attribute may
contain letters, numbers, and a dash, but cannot start with a dash. AsyncOS does not support multiple
values in the CLASS attribute. RADIUS users belonging to a group without a CLASS attribute or an
unmapped CLASS attribute cannot log into the appliance.
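The CLASS rules above can be checked against a RADIUS directory export before external authentication is enabled, so that accounts that would be refused are found in advance. The following is an added example, not part of the Cisco guide: the group names, role names, record layout and function names are constructed, and it assumes ASCII letters, exact case-sensitive matching, and that a record with several CLASS values should be flagged.

```python
import re

# Rule from the guide: letters, numbers and dashes; must not start with a dash.
# Assumption: "letters" means ASCII letters.
CLASS_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*\Z")

# Constructed mapping (assumption): <radius-group> -> appliance role name.
GROUP_TO_ROLE = {"esa-admins": "Administrator", "esa-helpdesk": "Help Desk User"}

def audit_class(class_values, mapping=GROUP_TO_ROLE):
    """Return (role, reason); role is None when the login would be refused."""
    if not class_values:
        return None, "no CLASS attribute"
    if len(class_values) > 1:
        # The guide says multiple values are unsupported; this audit
        # flags them instead of guessing which value would be used.
        return None, "multiple CLASS values"
    value = class_values[0]
    if not CLASS_RE.match(value):
        return None, "invalid CLASS value"
    role = mapping.get(value)  # assumption: exact, case-sensitive match
    if role is None:
        return None, "unmapped CLASS value"
    return role, "ok"

def audit_directory(records, mapping=GROUP_TO_ROLE):
    """records: iterable of (user, [CLASS values]) -> {user: (role, reason)}."""
    return {user: audit_class(values, mapping) for user, values in records}

# Constructed sample export, one record per failure mode.
SAMPLE = [
    ("alice", ["esa-admins"]),
    ("bob", []),
    ("carol", ["esa-admins", "esa-helpdesk"]),
    ("dave", ["-ops"]),
    ("erin", ["esa_ops"]),
    ("frank", ["mail-ops"]),
]

if __name__ == "__main__":
    for user, (role, reason) in audit_directory(SAMPLE).items():
        print(f"{user:6} {role or 'DENIED':15} {reason}")
```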
If the appliance cannot communicate with the RADIUS server, the user can log in with a local user
account on the appliance.
Note
If an external user changes the user role for their RADIUS group, the user should log out of the appliance
and then log back in. The user will have the permissions of their new role.
Procedure
Step 1
On the System Administration > Users page, click Enable.
Step 2
Check the Enable External Authentication option if it is not enabled already.
Step 3
Enter the hostname for the RADIUS server.
Step 4
Enter the port number for the RADIUS server. The default port number is 1812.
Step 5
Enter the Shared Secret password for the RADIUS server.
Step 6
Enter the number of seconds for the appliance to wait for a response from the server before timing out.
Step 7
(Optional) Click Add Row to add another RADIUS server. Repeat steps
–
for each RADIUS server.
Note
You can add up to ten RADIUS servers.
Step 8
In the “External Authentication Cache Timeout” field, enter the number of seconds AsyncOS stores the
external authentication credentials before contacting the RADIUS server again to re-authenticate.
The default is zero (0).