General Parameters

The general RADIUS and LDAP parameters are described in the table below.

General RADIUS and LDAP Parameters

Parameter

Description

'Use Local Users Database'

configure system > mgmt-auth > use-local-users-db

[MgmtUseLocalUsersDatabase]

Defines when the device uses the Local Users table and Authentication server (LDAP or RADIUS) for authenticating users (based on login username-password credentials) attempting to log in to the device's management interface (e.g., Web or CLI).

[0] When No Auth Server Defined = (Default) If the Authentication server denies user access, no “fallback” to the device’s Local Users table occurs and the user is denied access.
[1] Always = If the Authentication server denies user access, the device uses the Local Users table to authenticate the user.

Note:

If there is no response from the Authentication server (connection timeout), you can configure (using the MgmtBehaviorOnTimeout parameter) whether the device denies access or whether it uses the Local Users table to authenticate the user.
If you have not configured an Authentication server, the device uses the Local Users table to authenticate the user.

'Behavior upon Authentication Server Timeout'

configure system > mgmt-auth > timeout-behavior

[MgmtBehaviorOnTimeout]

Defines the device's response when a connection timeout occurs with the LDAP/RADIUS server.

[0] Deny Access = User is denied access to the management platform.
[1] Verify Access Locally = (Default) Device verifies the user's credentials in its Local Users table (local database).

Note: The parameter is applicable to LDAP- and RADIUS-based management-user login authentication.

'Default Access Level'

configure system > mgmt-auth > default-access-level

[DefaultAccessLevel]

Defines the default access level for the device when the LDAP/RADIUS response doesn't include an access level attribute for determining the user's management access level.

The valid range is 0 to 255. The default is 200 (i.e., Security Administrator).

Note:

The parameter is applicable to LDAP- and RADIUS-based management-user login authentication and authorization.
If a user is not associated with any LDAP Group (at the LDAP server), the device automatically uses the value of this parameter as the access level.
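
The three parameters above combine into one login decision. The sketch below is an added example, not vendor code: it models that decision and flags settings worth reviewing. The function names, the "Name = value" ini line syntax, the sample configuration and the review threshold of 200 are assumptions.

```python
# Added example: models the login decision in the parameter table above.
# Function names and the "Name = value" ini line syntax are assumptions.
DEFAULTS = {
    "MgmtUseLocalUsersDatabase": 0,  # default: no fallback when the server denies
    "MgmtBehaviorOnTimeout": 1,      # default: verify locally on server timeout
    "DefaultAccessLevel": 200,       # default: Security Administrator
}

def parse_ini(text):
    """Read the three parameters; anything absent keeps its documented default."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() in cfg:
            cfg[name.strip()] = int(value.strip())
    if not 0 <= cfg["DefaultAccessLevel"] <= 255:
        raise ValueError("DefaultAccessLevel outside documented range 0-255")
    return cfg

def login_path(cfg, server):
    """server: 'none' (no server configured), 'accept', 'deny' or 'timeout'."""
    if server == "none":
        return "local"
    if server == "accept":
        return "server"
    if server == "deny":
        return "local" if cfg["MgmtUseLocalUsersDatabase"] == 1 else "denied"
    if server == "timeout":
        return "local" if cfg["MgmtBehaviorOnTimeout"] == 1 else "denied"
    raise ValueError("unknown server outcome: %r" % server)

def access_level(cfg, level_from_server=None):
    """Level after a server accept; None means the response had no level attribute."""
    return cfg["DefaultAccessLevel"] if level_from_server is None else level_from_server

def audit(cfg, privileged_from=200):
    """Flag settings to review; privileged_from is a reviewer-chosen threshold."""
    findings = []
    for outcome in ("deny", "timeout"):
        if login_path(cfg, outcome) == "local":
            findings.append("server %s falls back to Local Users table" % outcome)
    if access_level(cfg) >= privileged_from:
        findings.append("missing level attribute grants level %d" % access_level(cfg))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = "MgmtUseLocalUsersDatabase = 1\nMgmtBehaviorOnTimeout = 0\nDefaultAccessLevel = 50\n"

if __name__ == "__main__":
    for name, text in (("defaults", ""), ("sample", SAMPLE)):
        print(name, audit(parse_ini(text)))
```

With every parameter left at its default, the audit reports two findings: a server timeout falls back to the Local Users table, and a response without an access level attribute is granted level 200.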