Overview of the AAA Page
The following sections describe the settings and options available on the AAA page.
Authentication Priority
The Authentication Priority section of the AAA page specifies which authentication methods should be used for logging in to the GigaVUE HC Series node as well as the order in which they should be used. You can specify first, second, third, and fourth priority for the login method. For each priority, you can select one of the following:
Local |
TACACS+ |
RADIUS |
LDAP |
For details about setting the login methods, refer to Configure AAA Authentication Options.
User Mapping
User mapping specifies Map Order and the Map Default User. Map order specifies how externally authenticated logins (RADIUS, TACACS+, or LDAP) are mapped to local accounts. For Map Order, you can select the following:
Remote First—Maps externally authenticated logins in the following order: |
a. | Mapped to the matching local account name, if present. |
b. | If there is no matching local account, the local user mapping attribute provided by the AAA server is used. |
c. | If the local user mapping attribute is not present or does not specify a valid local user account, the account name specified by the Map Default User. |
This is the default.
Local Only—Maps all externally authenticated logins to the user specified by Map Default User. |
Remote Only—Maps externally authenticated logins in the following order: |
a. | Mapped to the matching local account name, if present. |
b. | If there is no matching local account, the local user mapping attribute provided by the AAA server is used. |
c. | If the local user mapping attribute is not present or does not specify a valid local user account, no further mapping is attempted. |
Map Default User specifies the account to which externally authenticated logins are mapped and how externally authenticated logins (RADIUS, TACACS+, or LDAP) are mapped to local accounts when Map Order is set to Remote First (if there is no matching local account) or Local Only. The default user is one of the following: admin, operator, or monitor.
Password
Select Enabled to set the number of days before a password expires. Use the Duration field to set the number of days.
Lockout
Track Authentication Failures enables or disables tracking of authentication failures. The default is disabled. Tracking can be used for informational purposes or with the Enable Lockout.
Disabling tracking does not clear any records of past authentication failures or the locks in the database. However, it prevents any updates to this database from being made. No new failures are recorded. It also disables lockout, preventing new lockouts from being recorded and existing lockouts from being enforced.
Enable Lockout, when selected, enables or disables locking out of user accounts based on authentication failures. This suspends the enforcement of any existing lockouts and prevents any new lockouts from being recorded. If lockouts are later re-enabled, any lockouts that had been recorded previously, resume being enforced, but accounts that passed the Maximum Failure limit are not automatically locked at this time. They are permitted one more attempt, and then locked out. Lockouts are applied after an authentication failure, if the user has surpassed the threshold at that time.
Lockouts only work if tracking is enabled. Enabling lockouts will automatically enable tracking. Disabling tracking will automatically disable lockouts
Lock Time specifies that no logins are permitted for this number of seconds following any login failure (not counting failures caused by the lockout mechanism, or the lock-time itself). This is not based on the number of consecutive failures.
Unlock Time specifies that if a user account is locked due to authentication failures, another login attempt will be permitted if this number of seconds has elapsed since the last login failure. That does not count failures caused by the lockout mechanism itself. A user must have been permitted to attempt to login, and then failed. After this interval has elapsed, the account does not become unlocked, nor does its history reset. It simply permits one more login attempt even if the account is locked. Unlike Maximum Failure, this does take effect immediately for all accounts.
If both Unlock Time and Lock Time are set, the unlock time must be greater than the lock time.
Maximum Failure sets the maximum number of consecutive authentication failures (attempts) permitted for a user account before the account is locked. After this number of failures, the account is locked and subsequent attempts are not permitted.
The Maximum Failure setting only impacts the lockouts imposed while the setting is active. It is not retroactive to previous logins. So if Maximum Failure is disabled or changed, this does not immediately cause any users to be changed from locked to unlocked or vice-versa.
Selecting Enable Admin Lockout overrides the global settings for tracking and lockouts for the admin account. When option is not selected, it means that the admin user will never be locked out, though their authentication failure history will still be tracked if tracking is enabled overall. This option applies only to the single account with the username admin. It does not apply to any other users with administrative privileges.
Non Local User Authentication
Track Authentication Failures enables tracking of authentication failures for non-local users.
When hashUsername is selected, a hash function is applied to the username and the hashed result is stored.
Maximum SSH Sessions
In the maximum number of SSH sessions section, users with administrative privileges can configure the number of concurrent SSH sessions that can be opened on a device. The range of SSH configurations supported globally is 1-10. SSH connection limit corresponds to the total active sessions across all users (not per individual user). Once the configured maximum limit is reached, the device will prevent from the opening of any new SSH sessions. The administrator can configure the maximum session limit from GigaVUE-FM or CLI.