If you create an authentication object referencing an external
authentication server, you can enable external authentication to let users
logging into the managed device authenticate to that server, rather than using
the local database.
When you enable external authentication, the system verifies the
user credentials against the users defined on an LDAP or RADIUS server. In
addition, if a user has local, internal authentication enabled and the
credentials do not match the internal database, the system then checks the
external servers for a set of matching credentials. If the same username
exists on more than one server, the password from any of those servers is
accepted, because the servers are tried in their configured order until one
matches. Note, however, that if authentication fails on the available external
authentication servers, the system does not fall back to checking the local
database.
When you enable external authentication, you can set the default
user role for any user whose account is externally authenticated. You can
select multiple roles, as long as those roles can be combined. For example, if
you enable external authentication that retrieves only users in the Network
Security group in your company, you may set the default user role to include
the Security Analyst role so users can access collected event data without any
additional user configuration on your part. However, if your external
authentication retrieves records for other personnel in addition to the
security group, you would probably want to leave the default role unselected.
If no access role is selected, users can log in but cannot
access any functionality. After a user attempts to log in, the account is
listed on the user management page, where you can edit the account settings
to grant additional permissions.
If you configure the system to use one default user role, apply the
policy, and later change the configuration to use different default user
roles, any user accounts created before the change keep the original role
until you modify the accounts, or delete and recreate them.
If you want to specify the set of users who can authenticate
against the LDAP server for shell access or for CAC authentication and
authorization, you must create separate authentication objects for each and
enable the objects separately.
If a user with internal authentication attempts to log in, the
system first checks whether that user exists in the local user database. If
the user exists, the system checks the username and password against the local
database; if they match, the login succeeds. If the local check fails and
external authentication is enabled, the system checks the credentials against
each external authentication server, in the authentication order shown in the
configuration. If an external server matches the username and password, the
system converts the user to an external user with the default privileges for
that authentication object.
If an external user attempts to log in, the system checks the
username and password against the external authentication server. If a match is
found, the user logs in successfully. If the login fails, the user login
attempt is rejected. External users cannot authenticate against the user list
in the local database. If the user is a new external user, an external user
account is created in the local database with the default privileges from the
external authentication object.
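The login decision described in the two preceding paragraphs, modeled as an
added Python example. This is illustrative code written for this page, not
Cisco software or its API: the server names, usernames, passwords and role
names are constructed, and the credential dictionaries stand in for real LDAP
or RADIUS lookups. It also models the default-role behavior described
earlier: a new external account receives the matching object's default roles
when it is created, an account with no role can log in but reaches nothing,
later changes to the defaults do not touch accounts that already exist, and a
failure on every available external server does not fall back to the local
database.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class AuthServer:
    """One external authentication object (LDAP or RADIUS).
    `credentials` is a constructed username->password dict standing in for a
    real directory lookup; `reachable=False` simulates an unavailable server."""
    name: str
    credentials: Dict[str, str]
    default_roles: FrozenSet[str] = frozenset()
    reachable: bool = True

    def check(self, username: str, password: str) -> bool:
        return self.reachable and self.credentials.get(username) == password


@dataclass
class User:
    """A record in the local user database. Only internally authenticated
    users carry a local password; external users never do."""
    username: str
    roles: FrozenSet[str]
    auth: str                      # "internal" or "external"
    password: Optional[str] = None


class ManagementCenter:
    def __init__(self, servers):
        self.servers = list(servers)   # external objects, in authentication order
        self.users: Dict[str, User] = {}

    def add_internal_user(self, username, password, roles):
        self.users[username] = User(username, frozenset(roles), "internal", password)

    def login(self, username: str, password: str) -> Tuple[bool, Optional[User]]:
        """Apply the documented order of checks; return (success, account)."""
        user = self.users.get(username)
        if user is not None and user.auth == "internal":
            # Internal user: the local database is checked first...
            if user.password == password:
                return True, user
            # ...then the external servers. There is no return to the local
            # database after the external servers have been tried.
            return self._external_login(username, password, user)
        # Unknown or external user: external servers only, never the local list
        return self._external_login(username, password, user)

    def _external_login(self, username, password, existing):
        for server in self.servers:            # configured authentication order
            if server.check(username, password):
                if existing is None or existing.auth == "internal":
                    # Create the external account (or convert the internal one)
                    # with the matching object's *current* default roles.
                    user = User(username, server.default_roles, "external")
                    self.users[username] = user
                    return True, user
                # An existing external account keeps the roles it already has,
                # even if the object's defaults changed after it was created.
                return True, existing
        return False, existing

    def can_access(self, username: str) -> bool:
        """An account with no role can log in but reaches no functionality."""
        user = self.users.get(username)
        return user is not None and bool(user.roles)


def build_demo():
    """Constructed scenario: an LDAP object that grants Security Analyst by
    default, a RADIUS object with no default role, and one local admin."""
    ldap = AuthServer("corp-ldap",
                      {"alice": "alice-ldap", "carol": "carol-ldap", "dave": "dave-ldap"},
                      frozenset({"Security Analyst"}))
    radius = AuthServer("corp-radius", {"bob": "bob-radius"})
    mc = ManagementCenter([ldap, radius])
    mc.add_internal_user("alice", "alice-local", {"Administrator"})
    return mc, ldap, radius


if __name__ == "__main__":
    mc, ldap, radius = build_demo()
    print(mc.login("alice", "alice-local"))   # local password: internal login
    print(mc.login("alice", "alice-ldap"))    # LDAP password: converted to external
    print(mc.login("alice", "alice-local"))   # local password no longer accepted
    print(mc.login("bob", "bob-radius"), mc.can_access("bob"))  # no role: no access
```

The conversion step is the one to watch in practice: once an internal account
has authenticated against an external server it becomes external, its local
password is no longer usable, and its roles are whatever the authentication
object's defaults were at that moment.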