Configuring Authentication Profiles

You configure auth profiles at the users auth-profile level.

To create an auth profile, use the following command:

Admin@nodename# create users auth-profile <parameter>

Provide the following parameters:

Parameter

Description

name

The name of the authentication profile.

description

A description of the authentication profile.

mfa

The multifactor authentication (MFA) profile to use, if MFA is required. The MFA profile you specify must already exist. For details about creating MFA profiles using the CLI, see Configuring MFA (Multifactor Authentication) Profiles.

idle-time

Idle time before disconnection (in seconds). After the specified time without activity, the user's status changes to Unknown user.

expiration-time

Authorized user time-to-live (in seconds). After the specified time, the user's status changes to Unknown user and they have to authorize again on the Captive portal.

max-attempts

Maximum number of authorization failures through the Captive portal allowed before the user account is locked.

lockout-time

Time (in seconds) for which the user account is locked if the specified number of max failures is reached.

auth-methods

Authentication method:

  • local-user-auth: authentication using the local user database.

  • policy-accept: no authentication is required, but the user must agree to the network usage policy before accessing the Internet. This is used with the Captive portal profile which uses the Captive portal policy authorization page.

  • http-basic: authentication using the HTTP Basic method.

  • ldap: authentication using an LDAP connector.

  • radius: authentication using a RADIUS server.

  • tacacs: authentication using a TACACS+ server.

  • ntlm: authentication using an NTLM server.

  • saml-idp: authentication using a SAML IdP server.

To edit authentication profile parameters, use the following command:

Admin@nodename# set users auth-profile <auth-profile-name> <parameter>

The list of parameters available to update is the same as for the create command.

Example of creating and editing a user authentication profile:

Admin@nodename# create users auth-profile name "New LDAP auth profile" auth-methods ldap [ "New LDAP connector" ]
Admin@nodename# show users auth-profile "New LDAP auth profile"

name            : New LDAP auth profile
max-attempts    : 5
idle-time       : 900
expiration-time : 86400
lockout-time    : 300
mfa             : none
auth-methods    :
    http-basic      : off
    local-user-auth : off
    policy-accept   : off
    ldap            : New LDAP connector

Admin@nodename# set users auth-profile "New LDAP auth profile" description "New LDAP auth profile description"
Admin@nodename# show users auth-profile "New LDAP auth profile"

name            : New LDAP auth profile
description     : New LDAP auth profile description
max-attempts    : 5
idle-time       : 900
expiration-time : 86400
lockout-time    : 300
mfa             : none
auth-methods    :
    http-basic      : off
    local-user-auth : off
    policy-accept   : off
    ldap            : New LDAP connector
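The following Python script is an added example, not part of the product documentation: it parses show users auth-profile output like that in the example above and flags settings worth reviewing (no MFA, a loose lockout, unauthenticated or HTTP Basic access). It assumes the CLI prints one "key : value" pair per line and that a disabled method is shown as "off"; the function names and the 500 guesses/day threshold are illustrative.

```python
import re

# Constructed sample: the `show users auth-profile` output from this page,
# assuming the CLI prints one "key : value" pair per line.
SAMPLE = """\
name            : New LDAP auth profile
max-attempts    : 5
idle-time       : 900
expiration-time : 86400
lockout-time    : 300
mfa             : none
auth-methods    :
    http-basic      : off
    local-user-auth : off
    policy-accept   : off
    ldap            : New LDAP connector
"""

def parse_profile(text):
    """Flatten 'key : value' lines (including the auth-methods sub-keys) into a dict."""
    profile = {}
    for line in text.splitlines():
        match = re.match(r"\s*([\w-]+)\s*:\s*(.*)$", line)
        if match:
            profile[match.group(1)] = match.group(2).strip()
    return profile

def guesses_per_day(profile):
    """Approximate password guesses per account per day that the lockout allows.
    Assumption: each lockout-time window admits max-attempts fresh failures."""
    lockout = int(profile["lockout-time"])
    if lockout <= 0:
        return None  # no lockout delay: guessing is not rate-limited
    return int(profile["max-attempts"]) * 86400 // lockout

def audit(profile, daily_guess_budget=500):
    """Return findings; daily_guess_budget is an illustrative threshold, not vendor guidance."""
    findings = []
    if profile.get("mfa", "none") == "none":
        findings.append("mfa: no second factor configured")
    rate = guesses_per_day(profile)
    if rate is None or rate > daily_guess_budget:
        shown = "unlimited" if rate is None else rate
        findings.append(f"lockout: allows about {shown} guesses/day per account")
    if profile.get("policy-accept", "off") != "off":
        findings.append("policy-accept: users are admitted without authentication")
    if profile.get("http-basic", "off") != "off":
        findings.append("http-basic: credentials are only base64-encoded; require TLS")
    return findings
```

With the default values shown in the example (max-attempts 5, lockout-time 300), the lockout still permits roughly 1440 guesses per account per day, which is why the script reports it alongside the missing MFA profile.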

You can use the command line interface to delete an entire profile or individual authentication methods specified in a profile. To do this, use the following commands.

To delete an authentication profile:

Admin@nodename# delete users auth-profile <auth-profile-name>

To delete an authentication method configured in a profile, specify the method to remove (the available authentication methods are listed in the table above):

Admin@nodename# delete users auth-profile <auth-profile-name> auth-methods <auth-method>