This document describes the behavior of AsyncOS when external authentication is enabled on the Email Security Appliance (ESA).
The ESA can be configured to use external authentication via Lightweight Directory Access Protocol (LDAP). Users who also have a local account configured on the ESA cannot log in to the GUI and the CLI.
If external user authentication is enabled, the ESA uses both authentication methods in order to find the user who tries to connect to the ESA. The appliance first tries to authenticate the user via the external LDAP server.
Note: The administrator account is only available locally.
The two possible scenarios are:
If the user exists in the LDAP database and is also assigned to a group that is allowed to manage the ESA, access is granted.
If the user exists in the LDAP database and is not in any of the ESA managing groups, access is not granted for the user. This also applies when a local profile exists for that user.
If the user does not exist in the LDAP server, the local user list is used for authentication.
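The lookup order above can be used to audit which local accounts stop working once external authentication is enabled. The following is an added example, not Cisco code: it models only the decision order described in this document, does not model credential checks, and all function names, the sample directory data and the `admin` account name are assumptions made for illustration.

```python
# Added example: models the lookup order described in this document only.
# Password verification is not modeled; all data below is constructed.
LOCAL_ONLY = {"admin"}  # assumption: name of the local-only administrator account


def auth_source(user, ldap_groups, managing_groups, local_users):
    """Return (decision, reason) for a login attempt by `user`.

    ldap_groups:     dict of username -> set of LDAP groups (absent = not in LDAP)
    managing_groups: set of LDAP groups allowed to manage the ESA
    local_users:     set of usernames with a local ESA account
    """
    if user in LOCAL_ONLY:
        return ("local", "administrator account is only available locally")
    if user in ldap_groups:
        # LDAP is consulted first; a hit here decides the outcome.
        if ldap_groups[user] & managing_groups:
            return ("ldap", "in LDAP and in an ESA managing group")
        # A local profile for the same name does not help in this case.
        return ("denied", "in LDAP but not in any ESA managing group")
    if user in local_users:
        return ("local", "not in LDAP, local user list is used")
    return ("denied", "not in LDAP and no local account")


def shadowed_local_accounts(ldap_groups, managing_groups, local_users):
    """Local accounts that are denied because an LDAP entry takes precedence."""
    return sorted(
        u for u in local_users
        if auth_source(u, ldap_groups, managing_groups, local_users)[0] == "denied"
    )


# Constructed sample data
SAMPLE_LDAP = {
    "alice": {"esa-admins", "staff"},
    "bob": {"staff"},
    "admin": {"staff"},
}
SAMPLE_MANAGING = {"esa-admins", "esa-operators"}
SAMPLE_LOCAL = {"admin", "bob", "carol"}

if __name__ == "__main__":
    for name in ("admin", "alice", "bob", "carol", "dave"):
        print(name, auth_source(name, SAMPLE_LDAP, SAMPLE_MANAGING, SAMPLE_LOCAL))
    print("locked out:", shadowed_local_accounts(SAMPLE_LDAP, SAMPLE_MANAGING, SAMPLE_LOCAL))
```

Running the audit before enabling external authentication shows which local users need either an ESA managing group in LDAP or a username that does not collide with a directory entry.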