General Parameters

The general RADIUS and LDAP parameters are described in the table below.

General RADIUS and LDAP Parameters

Parameter

Description

'Use Local Users Table for Authentication'

configure system > mgmt-auth > use-local-users-db

[MgmtUseLocalUsersDatabase]

Defines if and when the device uses the Local Users table when an Authentication server (LDAP or RADIUS) is used for authenticating users attempting to log in to the device's management interfaces (e.g., Web or CLI).

[0] When No Auth Server Defined = (Default)
  - If you haven't configured an Authentication server, the device uses the Local Users table (see Configuring Management User Accounts) to authenticate the user.
  - If you have configured an Authentication server, the device uses the server to authenticate the user:
    - If the user is not found in the server, the device denies access (i.e., doesn't fall back to the Local Users table).
    - If there is no response from the server (connectivity timeout), the device either denies the user access or authenticates the user using the Local Users table (according to the 'Behavior upon Authentication Server Timeout' parameter).
[1] Always = The device uses the Authentication server to authenticate the user.
  - If the user is not found in the server, the device uses the Local Users table to authenticate the user.
  - If there is no response from the server (connectivity timeout), the device either denies the user access or authenticates the user using the Local Users table (according to the 'Behavior upon Authentication Server Timeout' parameter).
[2] Always Before Auth Server = The device uses the Local Users table to authenticate the user. If authentication fails, the device uses the Authentication server.

Note: If you haven't configured an Authentication server, the device always uses the Local Users table to authenticate the user.

'Behavior upon Authentication Server Timeout'

configure system > mgmt-auth > timeout-behavior

[MgmtBehaviorOnTimeout]

Defines the device's behavior when a connection timeout occurs with the LDAP/RADIUS Authentication server that is used for user login authentication.

[0] Deny Access = The device denies user access to its management interface.
[1] Verify Access Locally = (Default) The device authenticates the user using its Local Users table.

Note: The parameter is applicable to LDAP- and RADIUS-based user login authentication.

'Default Access Level'

configure system > mgmt-auth > default-access-level

[DefaultAccessLevel]

Defines the default access level for the device when the LDAP/RADIUS response doesn't include an access level attribute for determining the user's management access level.

The valid range is 0 to 255. The default is 200 (i.e., Security Administrator).

Note:

The parameter is applicable to LDAP- and RADIUS-based management-user login authentication and authorization.
If a user is not associated with any LDAP Group (at the LDAP server), the device automatically uses the value of this parameter as the access level.
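
The interaction between 'Use Local Users Table for Authentication' and 'Behavior upon Authentication Server Timeout' can be checked with the following added example, which is not vendor code: it models the decision rules described above and lists the server conditions under which a valid Local Users table account is still admitted. The `Name = value` ini layout, the `;` comment character, and the function names are assumptions made for the illustration.

```python
# Added example: a model of the documented login decision, not vendor code.
DEFAULTS = {"MgmtUseLocalUsersDatabase": 0, "MgmtBehaviorOnTimeout": 1,
            "DefaultAccessLevel": 200}

# Constructed sample; the "Name = value" layout and ';' comments are assumptions.
SAMPLE_INI = """\
; constructed sample, not taken from a real device
MgmtUseLocalUsersDatabase = 1
MgmtBehaviorOnTimeout = 0
"""

def parse_ini(text):
    """Read the three parameters; unset ones keep the documented defaults."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name in cfg:
            cfg[name] = int(value)
    return cfg

def login_outcome(cfg, server_configured, server_result, local_ok):
    """Return 'server', 'local' or 'deny'.
    server_result is 'accept', 'not_found' or 'timeout'; local_ok says whether
    the credentials match an entry in the Local Users table."""
    mode = cfg["MgmtUseLocalUsersDatabase"]
    local = "local" if local_ok else "deny"
    if not server_configured:
        return local            # no server defined: Local Users table only
    if mode == 2 and local_ok:
        return "local"          # [2] local table is tried first
    if server_result == "accept":
        return "server"
    if server_result == "timeout":
        return local if cfg["MgmtBehaviorOnTimeout"] == 1 else "deny"
    return local if mode == 1 else "deny"   # not found: only [1] falls back

def local_login_paths(cfg):
    """Server conditions under which a valid local account is still admitted."""
    return [r for r in ("accept", "not_found", "timeout")
            if login_outcome(cfg, True, r, local_ok=True) == "local"]

if __name__ == "__main__":
    cfg = parse_ini(SAMPLE_INI)
    print("local accounts admitted when server result is:", local_login_paths(cfg))
    print("level applied when the response has no access level attribute:",
          cfg["DefaultAccessLevel"])
```

With both parameters left at their defaults, the only path that admits a local account while a server is configured is a server timeout; setting 'Behavior upon Authentication Server Timeout' to Deny Access closes it.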