Setting the Authentication Configuration

About this task

Use the Authentication tab to define how user credentials are validated on behalf of a Management Access policy. Setting up an authentication scheme by policy validates the credentials of policy members collectively, as opposed to authenticating users individually.

To configure an external authentication resource:

Procedure

  1. Select the Authentication tab.
  2. Define the following settings to authenticate management access requests:
    Local - Use this option to enable/disable local authentication mode. Local authentication uses the local username/password database to authenticate a user. When disabled, an external authentication resource is used to validate user access requests. The external authentication resource could be a dedicated RADIUS or TACACS server.
    Note: By default, the local authentication mode is enabled. Disabling local authentication enables the other parameters on the screen.
    RADIUS - If authentication is to be handled by an external RADIUS server, select one of the following options:
    • External - Select this option to forward client authentication requests to an external RADIUS server. This makes the external RADIUS server the preferred authentication mode. However, this option does not provide fallback to local database authentication in case the server is unreachable or if the server rejects the request.
    • Fallback - Select this option to revert to local database authentication in case the external RADIUS server is unreachable.

      When this option is enabled, RADIUS authentication is attempted first. However, if the external RADIUS server is unreachable, the local database is used to authenticate the user.

    • Fallthrough - Select this option to revert to local database authentication in the following scenarios:
      • If the external RADIUS server is unreachable.
      • If the external RADIUS server rejects the user authentication request.

      When this option is enabled, RADIUS authentication is attempted first. However, if the external RADIUS server is unreachable or rejects the authentication request, the local database is used to authenticate the user.

    AAA Policy - If enabling external RADIUS server authentication, select the AAA policy to use with the external RADIUS resource. Controllers, service platforms and access points not using their local RADIUS resource will need to interoperate with a RADIUS and LDAP Server (AAA Servers) to provide user database information and user authentication data. The AAA policy points to this external RADIUS server resource.

    Select the Create icon as needed to define a new AAA policy or select the Edit icon to modify the configuration of an existing policy.

    TACACS - If local authentication is disabled, and authentication is to be handled by an external TACACS server, select one of the following options:
    • Authentication - Select to enable TACACS authentication on login.
    • Fallback - Select this option to revert to local database authentication in case the TACACS server is unreachable.

      When this option is enabled, TACACS authentication is attempted first. However, if the external TACACS server is unreachable, the local database is used to authenticate the user.

    • Fallthrough - Select this option to revert to local database authentication in the following scenarios:
      • If the external TACACS server is unreachable.
      • If the external TACACS server rejects the user authentication request.

      When this option is enabled, TACACS authentication is attempted first. However, if the TACACS server is unreachable or rejects the authentication request, the local database is used to authenticate the user.

    • Accounting - Select to enable TACACS accounting on login.
    • Authorization - Select to enable TACACS authorization on login.
      • Authorization Fallback - Select to enable fallback on TACACS authorization failure. This option is only available when Authorization is selected.
    AAA TACACS Policy - If enabling external TACACS server authentication, select the TACACS policy to use. The AAA TACACS policy points to this external TACACS server resource.

    Select an existing AAA TACACS policy (if available), or select Create to define a new policy or Edit to modify an existing one.

  3. Click OK to update the authentication configuration, or click Reset to revert to the last saved configuration.
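
The External, Fallback and Fallthrough options described in step 2 differ in when the local database decides a login. The following is an added example, not vendor code: a small Python model of those three modes that lists which local accounts still log in while the external server is up and rejects them, and what happens during a server outage. The function names, the `Mode` enum and the two credential dictionaries are assumptions made for illustration.

```python
from enum import Enum

class Mode(Enum):
    EXTERNAL = "external"
    FALLBACK = "fallback"
    FALLTHROUGH = "fallthrough"

def authenticate(mode, user, password, server_db, local_db, server_up=True):
    """Return the source that granted the login ("server" or "local"), or None.

    server_db / local_db are constructed {user: password} stand-ins for the
    external RADIUS/TACACS server and the device's local database (a model
    only; real stores hold hashes and compare in constant time).
    """
    if server_up and server_db.get(user) == password:
        return "server"
    rejected = server_up  # a reachable server that did not accept has rejected
    try_local = (
        (not server_up and mode in (Mode.FALLBACK, Mode.FALLTHROUGH))
        or (rejected and mode is Mode.FALLTHROUGH)
    )
    if try_local and local_db.get(user) == password:
        return "local"
    return None

def local_logins_despite_reject(mode, server_db, local_db):
    """Local accounts that still log in while the server is up and rejects them."""
    return sorted(
        user for user, pw in local_db.items()
        if authenticate(mode, user, pw, server_db, local_db) == "local"
    )

# Constructed sample data: jsmith was removed from the external server, but a
# stale local account remains on the device.
SERVER_DB = {"admin": "S3rver-pass", "ops": "Ops-pass"}
LOCAL_DB = {"admin": "L0cal-pass", "jsmith": "Old-pass"}

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value,
              "local-after-reject:",
              local_logins_despite_reject(mode, SERVER_DB, LOCAL_DB),
              "outage login:",
              authenticate(mode, "admin", "L0cal-pass",
                           SERVER_DB, LOCAL_DB, server_up=False))
```

With Fallthrough selected, every local account stays usable even after it is disabled on the external server, so the local database needs the same review and offboarding as the server's; with External selected, an unreachable server leaves no working management login.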