You configure auth profiles at the users auth-profile level.
To create an auth profile, use the following command:
Admin@nodename# create users auth-profile <parameter>
Provide the following parameters:
| Parameter | Description |
|---|---|
| name | The name of the MFA profile. |
| description | A description of the MFA profile. |
| mfa | Specify the multifactor authentication profile (if it is required). An MFA profile you specify must be already created. For more details about creating MFA profiles using CLI, see Configuring MFA (Multifactor Authentication) Profiles. |
| idle-time | Idle time before disconnection (in seconds). After the specified time without activity the user's status will change to Unknown user. |
| expiration-time | Authorized user time-to-live (in seconds). After the specified time the user's status will change to Unknown user and they will have to authorize again on the Captive portal. |
| max-attempts | Max authorization failures through the Captive portal allowed before the user account is locked. |
| lockout-time | Time (in seconds) for which the user account is locked if the specified number of max failures is reached. |
| auth-methods | Authentication method: |
To edit authentication profile parameters, use the following command:
Admin@nodename# set users auth-profile <auth-profile-name> <parameter>
The list of parameters available to update is the same as for the create command.
Example of creating and editing a user authentication profile:
Admin@nodename# create users auth-profile name "New LDAP auth profile" auth-methods ldap [ "New LDAP connector" ]
Admin@nodename# show users auth-profile "New LDAP auth profile"
name : New LDAP auth profile
max-attempts : 5
idle-time : 900
expiration-time : 86400
lockout-time : 300
mfa : none
auth-methods :
    http-basic : off
    local-user-auth : off
    policy-accept : off
    ldap : New LDAP connector
Admin@nodename# set users auth-profile "New LDAP auth profile" description "New LDAP auth profile description"
Admin@nodename# show users auth-profile "New LDAP auth profile"
name : New LDAP auth profile
description : New LDAP auth profile description
max-attempts : 5
idle-time : 900
expiration-time : 86400
lockout-time : 300
mfa : none
auth-methods :
    http-basic : off
    local-user-auth : off
    policy-accept : off
    ldap : New LDAP connector
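The `show users auth-profile` output above can be checked against a baseline after each change. The following is an added example, not vendor code: the policy thresholds, the function names and the line layout of the sample (one `key : value` pair per line, method entries following `auth-methods`) are assumptions.

```python
import re

# Policy thresholds are assumptions for this example, not vendor recommendations.
POLICY = {"max-attempts": 5, "idle-time": 900, "expiration-time": 86400}
MIN_LOCKOUT = 300

# Constructed sample; line layout (incl. nesting under auth-methods) is assumed.
SAMPLE = """\
name            : New LDAP auth profile
max-attempts    : 10
idle-time       : 900
expiration-time : 86400
lockout-time    : 60
mfa             : none
auth-methods    :
    http-basic      : on
    local-user-auth : off
    policy-accept   : off
    ldap            : New LDAP connector
"""

def parse_profile(text):
    """Parse 'key : value' lines; keys after 'auth-methods' are treated as methods."""
    profile, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue  # CLI prompts and blank lines are skipped
        key, value = m.groups()
        if key == "auth-methods":
            in_methods = True
        elif in_methods:
            methods[key] = value
        else:
            profile[key] = value
    return {**profile, "auth-methods": methods}

def audit(profile):
    """Return a list of findings where the profile is weaker than POLICY."""
    findings = []
    for key, limit in POLICY.items():
        if int(profile.get(key, 0)) > limit:
            findings.append(f"{key} {profile[key]} exceeds {limit}")
    if int(profile.get("lockout-time", 0)) < MIN_LOCKOUT:
        findings.append(f"lockout-time below {MIN_LOCKOUT}s")
    if profile.get("mfa", "none") == "none":
        findings.append("no MFA profile attached")
    if profile["auth-methods"].get("http-basic") == "on":
        findings.append("http-basic enabled")
    return findings
```

Calling `audit(parse_profile(SAMPLE))` returns one finding per deviation; the profile created in the session above would be flagged only for having no MFA profile attached.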
You can use the command line interface to delete an entire profile or individual authentication methods specified in a profile. To do this, use the following commands.
To delete an authentication profile:
Admin@nodename# delete users auth-profile <auth-profile-name>
To delete authentication methods configured in a profile, you need to specify an authentication method (available authentication methods are listed in the table above):
Admin@nodename# delete users auth-profile <auth-profile-name> auth-methods <auth-method>