Authentication

Authentication Settings enable you to specify the settings and policies for user login sessions, password rules and lockouts, and external authentication options.

Sessions

The Session tab enables you to specify the maximum number of simultaneous sessions for a single user account, and the length of time after which a user session is automatically logged out or a user account disabled. By default, a single user account can have up to 15 simultaneous active sessions, and a user account is logged out after 15 minutes of inactivity.

To change session settings:

  1. Click Administration > Setup > System Admin.

  2. Click Authentication in the Users/Groups section.

  3. On the Sessions tab, update the parameters described in the following table. 

    Parameters

    Description

    Max Simultaneous Logins/User

    The maximum number of simultaneous sessions allowed for a single user account. The default is 15 sessions.

    If Max Simultaneous Logins/User is set to 1, at least one other admin user must exist; otherwise the admin user will not be able to log in.

    Logout Inactive Session After

    The length of time, in minutes, after which an inactive session is automatically ended. The default is 15 minutes.

    This value does not apply to the user interface pages accessed through the Monitor menu. If a user is on any of the Monitor menu pages and the session has been inactive for the specified number of minutes, the user’s session remains active.

    Disable Inactive Account After

    The number of days after which an inactive user account is disabled. The default is 0, meaning the account is never disabled.

  4. Click Save to make the changes, or click another tab to cancel.

Local Password

The Local Password tab enables you to set password policies, such as the minimum and maximum number of characters and other password requirements.

To change the password settings:

  1. Click Administration > System Admin.

  2. Click Authentication in the Users/Groups section.

  3. Choose the Local Password tab.

    Use the parameters described in the following table to customize your password settings.

    Authentication Settings, Local Password tab

    Parameter

    Description

    Lockout Account (policy)

    Enable Account Lockout

    Select the checkbox to enable user accounts to be locked out as defined by the following settings. By default, the policy is disabled.

    Lockout Account After

    Number of failed login attempts after which a user account is locked out. The default is 3.

    Remember Failed Attempts For

    The length of time, in minutes, for which a failed login attempt is remembered. The default is 1.

    Lockout Account For

    The length of time, in minutes, for which a locked out account cannot be unlocked. The default is 15.

    Password Expiration (policy)

    Enable Password Expiration

    Select the checkbox to enable user passwords to expire as defined by the following settings. By default, the policy is disabled.

    Password Expires in

    Number of days after which the password expires. The default is 90.

    Notify User

    Number of days before expiration to notify the user. Select this option to allow users to update their password before expiration. The default is 5.

    Users Exempted From Password Expiration Policy

    Click the link to choose the users whose password should never expire.

    For information on how to use this feature, see Users Exempted From Password Expiration.

    Password Strength Rules (policy)

    Enforce Password Strength

    Select the checkbox to enforce password policy as defined by the following settings. By default, the policy is disabled.

    Minimum Length

    Minimum number of characters that a password must contain. The default is 10.

    Maximum Length

    Maximum number of characters that a password can contain. The default is 20.

    Password Character Rules

    Password character rules define additional character requirements to ensure password strength.

    Numeric

    Minimum number of numeric characters (0-9) in a password. The default is 2.

    Uppercase

    Minimum number of uppercase characters (A-Z) in a password. The default is 0.

    Special

    Minimum number of special characters (characters that are neither letters nor digits) in a password. The default is 2.

    Lowercase

    Minimum number of lowercase characters (a-z) in a password. The default is 0.

    Password Must be At Least N Characters Different From Old Password

    Minimum number of characters by which the new password must differ from the previous one. The default is 2.

    Include “Forgot Password” link on Login Screen

    Select the checkbox to enable users to reset their local password using a “Forgot Password” link on the login page. By default, the option is disabled.

    An SMTP server must be configured on the system, and the user account must have a correct email address, for this feature to work.

    If an SMTP server is not set, you cannot reset the password because the email containing the temporary password cannot be sent.

    You must specify an email address in the user settings for the user account. The temporary password is sent to that email address. If no email address is specified, or if the email address is incorrect, the user will not receive the email.

    For information on how to use this feature, see Forgot Password.

  4. Click Save to save the changes, or click another tab to cancel.
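The three Lockout Account settings interact: a failed attempt counts toward the threshold only while it is still remembered, so with the table's values an account locks only when 3 failures fall within the same minute, and then stays locked for 15 minutes. The following Python is an added example written for this page, not the product's own code; it models that sliding window with the policy switched on and the table's default numbers converted to seconds. The `LockoutPolicy` and `LockoutTracker` names, the user names and the timestamps in `simulate` are all constructed for the example.

```python
# Added example for this page, not the product's code: the Lockout Account policy
# modelled as a sliding-window counter. Numbers are the table's defaults (3 attempts,
# remembered for 1 minute, locked out for 15 minutes), converted to seconds.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class LockoutPolicy:
    enabled: bool = True           # "Enable Account Lockout" (the page's default is disabled)
    lockout_after: int = 3         # "Lockout Account After": failed attempts
    remember_failed_for: int = 60  # "Remember Failed Attempts For": seconds
    lockout_for: int = 15 * 60     # "Lockout Account For": seconds


class LockoutTracker:
    def __init__(self, policy: Optional[LockoutPolicy] = None) -> None:
        self.policy = policy or LockoutPolicy()
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failed login at time `now` (seconds); return True if the account is locked afterwards."""
        if not self.policy.enabled:
            return False
        if self.is_locked(user, now):
            return True  # attempts during a lockout are rejected without being counted
        window = self._failures[user]
        window.append(now)
        # Drop attempts that are no longer remembered.
        while window and now - window[0] >= self.policy.remember_failed_for:
            window.popleft()
        if len(window) >= self.policy.lockout_after:
            self._locked_until[user] = now + self.policy.lockout_for
            window.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the remembered failures."""
        self._failures.pop(user, None)


def simulate(policy: Optional[LockoutPolicy] = None) -> dict:
    """Constructed scenario: three failures within 20 s lock 'alice'; one failure
    every 61 s against 'bob' never accumulates because each is forgotten after 60 s."""
    tracker = LockoutTracker(policy)
    fast: List[bool] = [tracker.record_failure("alice", t) for t in (0.0, 10.0, 20.0)]
    slow: List[bool] = [tracker.record_failure("bob", t) for t in (0.0, 61.0, 122.0)]
    return {
        "fast": fast,                                                  # [False, False, True]
        "slow": slow,                                                  # [False, False, False]
        "alice_locked_at_600s": tracker.is_locked("alice", 600.0),     # True: 15-minute lockout
        "alice_locked_at_1000s": tracker.is_locked("alice", 1000.0),   # False: lockout ended at 920 s
    }


if __name__ == "__main__":
    print(simulate())
```

When tuning the policy, size Remember Failed Attempts For against Lockout Account After: if the remember window is shorter than the interval between failures, the counter resets before it reaches the threshold and the lockout never engages, as the `bob` case in `simulate` shows.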
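The Password Strength Rules in the table above, written out as a checker so the individual requirements and their defaults can be exercised. This is an added example for this page, not the product's code. The page does not say how "N Characters Different From Old Password" is measured, so the example assumes Levenshtein (edit) distance; the `PasswordStrengthRules` and `check_password` names and the sample passwords are this example's own.

```python
# Added example for this page, not the product's code: the Password Strength Rules
# from the Local Password tab as a checker, with the table's default values.
# The page does not say how "characters different from old password" is measured;
# this example assumes Levenshtein (edit) distance.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordStrengthRules:
    enforce: bool = True             # "Enforce Password Strength" (the page's default is disabled)
    minimum_length: int = 10
    maximum_length: int = 20
    numeric: int = 2                 # minimum digits 0-9
    uppercase: int = 0               # minimum A-Z
    special: int = 2                 # minimum characters that are neither letters nor digits
    lowercase: int = 0               # minimum a-z
    min_chars_different: int = 2     # "Password Must be At Least N Characters Different From Old Password"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (assumed meaning of 'N characters different')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate: str, old_password: str,
                   rules: Optional[PasswordStrengthRules] = None) -> List[str]:
    """Return every rule the candidate violates; an empty list means it is accepted."""
    rules = rules or PasswordStrengthRules()
    violations: List[str] = []
    if not rules.enforce:
        return violations
    if len(candidate) < rules.minimum_length:
        violations.append(f"shorter than the minimum length of {rules.minimum_length}")
    if len(candidate) > rules.maximum_length:
        violations.append(f"longer than the maximum length of {rules.maximum_length}")
    counts = {
        "numeric": sum(c.isdigit() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "special": sum(not c.isalnum() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
    }
    for name, have in counts.items():
        need = getattr(rules, name)
        if have < need:
            violations.append(f"needs at least {need} {name} character(s), has {have}")
    if edit_distance(candidate, old_password) < rules.min_chars_different:
        violations.append(f"differs from the old password by fewer than {rules.min_chars_different} characters")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords; the first satisfies every default rule.
    for pw in ("Tr0ub4dor&3!", "password1"):
        print(pw, check_password(pw, "old-password") or "accepted")
```

Returning the full list of violations rather than the first one lets a login page tell the user everything that must change in one round trip, which the single checkbox per rule on the tab does not otherwise make visible.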

Users Exempted From Password Expiration

Even though you have set a password expiration policy for most users, you may want to have a user whose password does not expire automatically.

To exempt a user from the password expiration policy:

  1. Click Administration > System Admin.

  2. Click Authentication in the Users/Groups section.

  3. Choose the Local Password tab, and then click Users Exempted From Password Expiration Policy. The Exempt Users From Password Expiration page displays.

  4. Select users from the Non-exempted Users list and click the right arrow icon to move the selected users to the Exempted Users list. Do the reverse to remove users from the list of exempted users.

    You can select multiple users at the same time and move them over. Or you can move all users by clicking the icon.

  5. Click Save to save the policy or Cancel to exit.

Forgot Password

This feature is available only if the Include “Forgot Password” link on Login Screen setting on the Authentication Settings page (Setup > System Admin > Authentication > Local Password) is set to Yes. By default, this setting is set to No. An SMTP server must be configured in order to use this feature. For more details on how to enable it, see Local Password.

If you forget your system password, use this feature to receive an email that provides a temporary password.

The temporary password is valid until the time specified in the email. If you do not log in within the specified time, only an administrator can reset the password to generate another temporary password.

To reset your password:

  1. Click the Forgot Password link on the Login screen.

  2. Enter a user name on the Reset Password dialog box.

  3. Click Reset Password.

    An automated email with a temporary password is sent to the email address specified for that user.

External Authentication

Besides providing a local password authentication method, your system supports Client Certificate/CAC, LDAP, and RADIUS authentication. Only one authentication method can be enabled at a time.

Note: CAC is a form of client certificate authentication. Information on client certificate authentication applies to CAC.

From the External Authentication tab, use the drop-down menu to choose one of the following authentication methods:

Local Password

This option is the default method and implements the local password policies set in the Local Password tab. Leave this as the default, or click Save if changing from another option.

Client Certificate Authentication

This authentication method requires that users authenticate using a client certificate. For each client certificate, a user account with a Distinguished Name (DN) matching the one in the client certificate must exist on your system. 

Caution: All SSL client certificates used for authentication must be FIPS compliant (hashed with FIPS-compliant algorithms) even if FIPS is not enabled on your system.

To configure client certificate authentication:

  1. Click Administration > System Admin.

  2. Click Authentication in the Users/Groups section.

  3. Choose the External Authentication tab.

  4. From the drop-down menu, choose Client Certificate.

  5. Allow Local Password Fallback provides two options:

    • Allow Local Password Fallback for Default Admin Only

      Select this option to allow the default admin user to log in using only a username and password if the client certificate is not available or invalid. This privilege is restricted to the default admin user only. Other users must have a valid client certificate to gain access to the system. This option is enabled by default.

    • Allow Local Password Fallback for All Users

      Select this option to allow all users to log in using their local user name and password if their client certificate is invalid or unavailable.

      For more information, see Local Password Fallback.

  6. Click Save.

Client Certificate and Local Password Authentication

This authentication method requires that users authenticate using an SSL client certificate and a valid local password. Local Password refers to the password associated with the user credentials created in User Management in the Users/Groups section. See User Management for details.

A user account on your system must be defined with a Distinguished Name (DN) that matches the one in the client certificate.

For instructions on how to create a user DN, see Users and refer to the section called “Use Client DN” in the parameters table. 

Caution: All SSL client certificates used for authentication must be FIPS compliant (hashed with FIPS-compliant algorithms) even if FIPS is not enabled on your system.

To configure client certificate and password authentication:

  1. Click Administration > System Admin.

  2. Click Authentication in the Users/Groups section.

  3. Choose the External Authentication tab.

  4. From the drop-down menu, choose Client Certificate AND Local Password.

  5. Allow Local Password Fallback provides two options:

    • Allow Local Password Fallback for Default Admin Only

      This option, always enabled, allows the default admin user to log in using only a username and password.

    • Allow Local Password Fallback for All Users

      This option is always disabled. You cannot enable it when using the Client Certificate AND Local Password authentication method.

      For more information, see Local Password Fallback.

  6. Click Save.

LDAP/AD and LDAPS Authentication

This authentication method authenticates users against an LDAP server. Even when LDAP is enabled, each user account must exist locally on your system. Although the user name specified locally can be different from the one specified on the LDAP server, the Distinguished Name (DN) specified for each user account must match the one in the LDAP server.

Tip: For steps on how to create a user DN, see Users, and the parameter Use Client DN.

To set up LDAP authentication:

  1. Click Administration > System Admin.

  2. Click Authentication in the Users/Groups section.

  3. Choose the External Authentication tab.

  4. From the drop-down menu, choose LDAP.

  5. Allow Local Password Fallback provides two options:

    • Allow Local Password Fallback for Default Admin Only

      Select this option to allow the default admin user to log in using only a username and password if LDAP authentication fails. This privilege is restricted to the default admin user only. All others must be authenticated by LDAP. This option is enabled by default.

    • Allow Local Password Fallback for All Users

      Select this option to allow all users to log in using their local user name and password if LDAP authentication fails.

      For more information, see Local Password Fallback.

      LDAP Server has the following parameters:

      Parameter

      Description

      Server Hostname[:port] (optional)

      (Optional) Enter the host name or IP address and port of the LDAP server in one of the following formats:

      ldap://<hostname or IP address>:<port>

      ldaps://<hostname or IP address>:<port>

      Additional steps are required for the use of LDAPS. See Using the LDAP over SSL (LDAPS) Protocol.

      Backup Server Hostname[:Port] (optional)

      (Optional) Enter the backup LDAP server to use if the primary server does not respond. If the primary server returns an authentication failure (bad password, unknown username, etc.), the backup server is not tried. The backup server is tried only when the primary server has a communication failure.

      Use the same format as the primary server to specify the host name and port.

      Request Timeout

      The length of time, in seconds, to wait for a response from the LDAP server. The default is 10.

  6. When finished, click Save.
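The Server Hostname[:port] field takes a URL in the two forms shown in the table, and the Backup Server description draws a distinction worth preserving in any client: the backup is consulted only when the primary cannot be reached, never when the primary has answered and rejected the credentials (the Backup Server parameter in the RADIUS section below follows the same rule). The Python below is an added example written for this page, not the product's implementation: `parse_ldap_server` validates the URL form, `authenticate` applies the failover rule, and the bind callbacks, host names and DN in `demo` are constructed stand-ins for a real LDAP client library. Treating 389 and 636 as the defaults when the port is omitted is an assumption based on the standard LDAP and LDAPS ports; the page does not state a default.

```python
# Added example for this page, not the product's implementation: validation of the
# "Server Hostname[:port]" URL form and the primary/backup rule from the table
# (backup is tried only on a communication failure, never on an authentication
# failure). The bind callbacks are constructed stand-ins for an LDAP client.
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Standard LDAP/LDAPS ports, used when the optional port is omitted (an assumption;
# the page does not state a default).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_server(value: str) -> Tuple[str, str, int]:
    """Parse 'ldap://<host>:<port>' or 'ldaps://<host>:<port>' into (scheme, host, port)."""
    parts = urlsplit(value.strip())
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}: expected ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("missing host name or IP address")
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        raise ValueError("only <scheme>://<host>[:<port>] is accepted")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]  # a non-numeric port raises ValueError
    return parts.scheme, parts.hostname, port


class CommunicationFailure(Exception):
    """No usable answer from the server (unreachable, timed out): the backup may be tried."""


class AuthenticationFailure(Exception):
    """The server answered and rejected the credentials: the backup is not tried."""


# (scheme, host, port, dn, password) -> None on success; raises one of the two failures otherwise.
Bind = Callable[[str, str, int, str, str], None]


def authenticate(primary: str, backup: Optional[str], dn: str, password: str, bind: Bind) -> str:
    """Bind against the primary; fall back to the backup only on a communication failure.
    Returns the server string that accepted the bind."""
    try:
        bind(*parse_ldap_server(primary), dn, password)
        return primary
    except CommunicationFailure:
        if backup is None:
            raise
    # Only reached when the primary could not be contacted; an AuthenticationFailure
    # from the primary propagates to the caller without touching the backup.
    bind(*parse_ldap_server(backup), dn, password)
    return backup


def demo() -> dict:
    """Constructed scenario: an unreachable primary fails over to the backup; a
    primary that rejects the credentials ends the attempt without contacting the backup."""
    primary = "ldaps://ldap-primary.example.test:636"
    backup = "ldaps://ldap-backup.example.test"      # port omitted: defaults to 636
    dn = "uid=alice,ou=people,dc=example,dc=test"    # constructed DN
    contacted: List[str] = []

    def primary_down(scheme, host, port, dn, password):
        contacted.append(host)
        if host.startswith("ldap-primary"):
            raise CommunicationFailure("connection timed out")

    def primary_rejects(scheme, host, port, dn, password):
        contacted.append(host)
        if host.startswith("ldap-primary"):
            raise AuthenticationFailure("invalid credentials")

    used = authenticate(primary, backup, dn, "correct-password", primary_down)
    try:
        authenticate(primary, backup, dn, "wrong-password", primary_rejects)
        rejected = False
    except AuthenticationFailure:
        rejected = True
    return {"used": used, "rejected": rejected, "contacted": contacted}


if __name__ == "__main__":
    print(demo())
```

Keeping the two failure types distinct is what makes the rule enforceable: a client that retried the backup after a rejection would give every wrong password a second chance and could hide a backup server whose directory has drifted from the primary.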

Using the LDAP over SSL (LDAPS) Protocol

When choosing the LDAPS protocol to authenticate users, make sure the following conditions are true:

After uploading the SSL certificate, restart the aps process (Setup > System Admin > Process Status > aps Restart).

Caution: If the aps process is not restarted, attempts to authenticate using LDAPS will fail.

RADIUS Authentication

This authentication method allows users to authenticate against a RADIUS server. Even when RADIUS authentication is enabled, each user account must exist locally on your system. The username must match the one in the RADIUS server, although the password can be different. A user must present a valid username and (RADIUS) password to be successfully authenticated.

To configure RADIUS authentication settings:

  1. Click Administration > System Admin.

  2. Click Authentication in the Users/Groups section.

  3. Choose the External Authentication tab.

  4. From the drop-down menu, choose RADIUS.

  5. Allow Local Password Fallback provides two options:

    • Allow Local Password Fallback for Default Admin Only

      Select this option to allow the default admin user to log in using only a username and password if RADIUS authentication fails. This privilege is restricted to the admin user only. All others must be authenticated by RADIUS. This option is enabled by default.

    • Allow Local Password Fallback for All Users

      Select this option to allow all users to log in using their local user name and password, if RADIUS authentication fails. For more information, see Local Password Fallback.

  6. Update the RADIUS Server parameters as necessary:  

    Parameter

    Description

    Server Hostname[:port]

    Enter the host name and port of the RADIUS server.

    Backup Server hostname[:port] (optional)

    (Optional) Enter the backup RADIUS server to use if the primary server does not respond. If the primary server returns an authentication failure (bad password, unknown username, etc.), the backup server is not tried. The backup server is tried only when the primary server has a communication failure.

    Use the same format as the primary server to specify the host name and port.

    Shared Authentication Secret

    Enter a RADIUS passphrase.

    NAS IP Address

    The IP address of the Network Access Server (NAS).

    Request Timeout

    The length of time, in seconds, to wait for a response from the RADIUS server. The default is 10.

    Retry Request

    Number of times to retry a RADIUS request. The default is 1.

    RADIUS Protocol

    Use the drop-down menu to choose a protocol option. The default is None.

  7. Click Save.

Local Password Fallback

You can use this feature to log in using your local user name and password if the external authentication (Certificate, LDAP, or RADIUS) fails, if you forgot your password to the authentication server, or if the authentication server is not available.

The Use Local Authentication option allows the default admin to log in even when the remote authentication server is not available, by adding a Use Local Authentication checkbox to the login screen. Out of the box, this option is enabled only for the default administrator; however, local password fallback can be allowed for all users. For example, you could configure the RADIUS authentication method so that users who fail to authenticate against the configured external RADIUS server(s) can log in using local authentication instead.

For information on how to allow local password fallback for all users, see Client Certificate Authentication, LDAP/AD and LDAPS Authentication, or RADIUS Authentication.

To log in when authentication fails:

  1. Select the Use Local Authentication checkbox. 

    Note: This option is only available to the default admin unless it has been enabled for other users.

  2. Enter your login and password and click Login.