You can also use a RADIUS directory to authenticate users and assign groups of users to Cisco IronPort roles. The RADIUS server must support the CLASS attribute, which AsyncOS uses to assign users in the RADIUS directory to Cisco IronPort user roles. AsyncOS supports two authentication protocols for communicating with the RADIUS server: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
To assign RADIUS users to Cisco IronPort user roles, first set the CLASS attribute on the RADIUS server to a string value; that string is then mapped to a Cisco IronPort user role on the appliance. The CLASS attribute value may contain letters, numbers, and dashes, but cannot start with a dash. AsyncOS does not support multiple values in the CLASS attribute. RADIUS users belonging to a group without a CLASS attribute, or with a CLASS attribute that is not mapped to a role, cannot log into the appliance.
If the appliance cannot communicate with the RADIUS server, users can still log in with a local user account on the appliance. Keep at least one local administrator account with a strong password so this fallback remains usable.
Note: If the user role mapped to an external user's RADIUS group is changed, the user should log out of the appliance and then log back in. The new session has the permissions of the new role.
To enable external authentication using RADIUS:
Step 1 On the System Administration > Users page, click Enable. The Edit External Authentication page is displayed.
Step 2 Select the Enable External Authentication check box.
Step 3 Select RADIUS for the authentication type.
Figure 8-18 Enabling External Authentication Using RADIUS
Step 4 Enter the host name for the RADIUS server.
Step 5 Enter the port number for the RADIUS server. The default port number is 1812.
Step 6 Enter the Shared Secret password for the RADIUS server. The shared secret is the only thing protecting the RADIUS exchange, so use a long random value and keep RADIUS traffic on a management network.
Note: When enabling external authentication for a cluster of Cisco IronPort appliances, enter the same Shared Secret password on all appliances in the cluster.
Step 7 Enter the number of seconds that the appliance waits for a response from the server before timing out.
Step 8 Select whether to use PAP or CHAP for RADIUS authentication. With PAP the appliance sends the user's password in the User-Password attribute, hidden only by the MD5-based obfuscation that RADIUS derives from the shared secret; with CHAP it sends an MD5 challenge response, so the password itself never crosses the network, but the RADIUS server must then hold the password in a form it can recover in cleartext.
Step 9 Optionally, click Add Row to add another RADIUS server. Repeat steps 4 through 8 for each RADIUS server that your appliance uses for authentication.
Step 10 Enter the amount of time that the web user interface caches external authentication credentials. Until this timeout expires, an already-authenticated user is not re-validated against the RADIUS server, so a shorter value makes changed or revoked RADIUS credentials take effect sooner.
Step 11 Select whether to map a group of RADIUS users to a Cisco IronPort role, or grant all RADIUS users the Administrator role. It is recommended that you map RADIUS groups to Cisco IronPort roles, so that only the groups you intend receive administrative access.
Step 12 If you chose to map a RADIUS group to a Cisco IronPort role, enter the RADIUS CLASS attribute for the group and select the role for users with that CLASS attribute.
Step 13 Optionally, click Add Row to add another group. Repeat step 12 for each group of users that the appliance authenticates.
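The exchange that steps 4 through 12 configure, shown end to end as an added example in Python (this is not AsyncOS or Cisco code): a client builds an Access-Request with PAP password hiding or a CHAP response per RFC 2865, a minimal RADIUS server validates it and returns an Access-Accept carrying the Class attribute, and the client checks the Response Authenticator against the shared secret before mapping Class to a role under the rules stated above (exactly one value; letters, digits and dashes; no leading dash; unmapped values rejected). The user database, the shared secret, and the ironport-admin/ironport-ops class names and role map are constructed for the example.

```python
import hashlib
import re
import secrets

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CLASS, CHAP_CHALLENGE = 1, 2, 3, 25, 60

# Hypothetical CLASS-to-role mapping, as configured in Step 12.
ROLE_MAP = {"ironport-admin": "Administrator", "ironport-ops": "Operator"}

# Constructed server-side user database: name -> (password, CLASS value or None).
USERS = {
    "alice": ("s3cret-pw", "ironport-admin"),
    "bob": ("other-pw", "ironport-ops"),
    "eve": ("eve-pw", "ironport-guest"),   # CLASS not mapped on the appliance
    "mallory": ("pw", None),               # group without a CLASS attribute
}

# Letters, numbers and dashes, not starting with a dash.
CLASS_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")


def pack_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length covers the header.
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    # MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident, password, challenge):
    # RFC 2865 5.3: CHAP ident followed by MD5(ident || password || challenge).
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def client_request(user, password, secret, ident, method):
    request_auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, user.encode())]
    if method == "PAP":
        attrs.append((USER_PASSWORD, hide_password(password, secret, request_auth)))
    else:
        challenge = secrets.token_bytes(16)
        attrs.append((CHAP_PASSWORD, chap_response(ident, password, challenge)))
        attrs.append((CHAP_CHALLENGE, challenge))
    body = pack_attrs(attrs)
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + request_auth + body, request_auth


def server_respond(request, secret):
    ident, request_auth = request[1], request[4:20]
    attrs = dict(parse_attrs(request[20:]))
    user = attrs[USER_NAME].decode()
    ok = False
    if user in USERS:
        pw, _ = USERS[user]
        if USER_PASSWORD in attrs:
            ok = unhide_password(attrs[USER_PASSWORD], secret, request_auth) == pw.encode()
        elif CHAP_PASSWORD in attrs:
            challenge = attrs.get(CHAP_CHALLENGE, request_auth)  # RFC: fall back to Request Authenticator
            ok = attrs[CHAP_PASSWORD] == chap_response(attrs[CHAP_PASSWORD][0], pw, challenge)
    reply_attrs = [(CLASS, USERS[user][1].encode())] if ok and USERS[user][1] else []
    body = pack_attrs(reply_attrs)
    header = bytes([ACCESS_ACCEPT if ok else ACCESS_REJECT, ident]) + (20 + len(body)).to_bytes(2, "big")
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def client_verify(response, request_auth, secret):
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    if hashlib.md5(header + request_auth + body + secret).digest() != resp_auth:
        return "reject: bad response authenticator"   # spoofed or wrong-secret reply
    if response[0] != ACCESS_ACCEPT:
        return "reject: access denied"
    classes = [v.decode(errors="replace") for t, v in parse_attrs(body) if t == CLASS]
    if len(classes) != 1 or not CLASS_RE.match(classes[0]):
        return "reject: missing or invalid CLASS"
    role = ROLE_MAP.get(classes[0])
    return f"accept: {role}" if role else "reject: unmapped CLASS"


def authenticate(user, password, secret=b"shared-secret", method="PAP", ident=1):
    request, request_auth = client_request(user, password, secret, ident, method)
    return client_verify(server_respond(request, secret), request_auth, secret)


if __name__ == "__main__":
    for user, pw, method in [("alice", "s3cret-pw", "PAP"), ("bob", "other-pw", "CHAP"),
                             ("alice", "wrong", "PAP"), ("eve", "eve-pw", "PAP"), ("mallory", "pw", "CHAP")]:
        print(user, method, "->", authenticate(user, pw, method=method))
```

Note that PAP hiding is keyed only by the shared secret and the Request Authenticator, which is why the secret's strength and the network path between appliance and server matter; the `client_verify` step is what stops a forged Access-Accept from granting a role.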