
User Authentication


When authentication is configured and a user enters an invalid user name and password combination, a message is displayed to indicate that the login was invalid.

If the user attempts to access the system multiple times with invalid information, the user must wait the configured amount of time before attempting to access the system again. You can configure console settings to determine the maximum number of failed logins, and other related settings. For more information about configuring console settings for authentication, see JSA System Time.
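The lockout behaviour described above, as an added example that is not part of the JSA documentation or product code: a small local-authentication guard that counts failed logins per user, locks the user out once the configured maximum is reached, and makes them wait the configured time before another attempt is accepted. The policy values, user names and passwords are constructed for the example; JSA exposes the real thresholds in its console settings. The guard stores a salted PBKDF2 hash rather than the password, and takes the clock as a parameter so the wait period can be exercised without sleeping.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Tuple


# Constructed policy values standing in for the console settings.
@dataclass(frozen=True)
class LockoutPolicy:
    max_failed_logins: int = 5        # failures before the account is locked
    lockout_seconds: int = 30 * 60    # how long the user must wait after that


def make_record(password: str, iterations: int = 200_000) -> Tuple[bytes, bytes, int]:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def password_matches(record: Tuple[bytes, bytes, int], password: str) -> bool:
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class LoginGuard:
    policy: LockoutPolicy
    users: Dict[str, Tuple[bytes, bytes, int]]      # user name -> stored record
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return "ok", "invalid" or "locked". `now` is a Unix timestamp
        supplied by the caller so the wait period is testable."""
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"              # still inside the wait period
            del self._locked_until[user]      # wait period is over, start fresh
            self._failures[user] = 0
        record = self.users.get(user)
        # Unknown users get the same "invalid" response as a wrong password,
        # so the login form does not reveal which user names exist.
        if record is not None and password_matches(record, password):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.policy.max_failed_logins:
            self._locked_until[user] = now + self.policy.lockout_seconds
            self._failures[user] = 0
            return "locked"
        return "invalid"

    def seconds_remaining(self, user: str, now: float) -> int:
        """How long the user still has to wait (0 when not locked)."""
        return max(0, int(self._locked_until.get(user, 0.0) - now))
```

The lockout is keyed by user name only; a production guard would also rate-limit by source address so that one client cannot lock out many accounts or spread attempts across accounts, and would log each lockout as an event worth alerting on.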

JSA supports the following authentication types:

  • System authentication - Users are authenticated locally. System authentication is the default authentication type.

  • RADIUS authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, JSA encrypts the password only, and forwards the user name and password to the RADIUS server for authentication.

  • TACACS authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, JSA encrypts the user name and password, and forwards this information to the TACACS server for authentication. TACACS Authentication uses Cisco Secure ACS Express as a TACACS server. JSA supports up to Cisco Secure ACS Express 4.3.

  • Microsoft Active Directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server that uses Kerberos.

  • LDAP - Users are authenticated by a Native LDAP server.

  • SAML single sign-on authentication - You can integrate JSA with your corporate identity server to provide single sign-on and eliminate the need to maintain JSA local users. Users who are authenticated to your identity server can automatically authenticate to JSA. They don't need to remember separate passwords or type in credentials every time they access JSA.

Prerequisite Checklist for External Authentication Providers

Before you can configure RADIUS, TACACS, Active Directory, or LDAP as the authentication type, you must complete the following tasks:

  • Configure the authentication server before you configure authentication in JSA. For more information, see your server documentation.

  • Ensure that the server has the appropriate user accounts and privilege levels to communicate with JSA. For more information, see your server documentation.

  • Ensure that the time of the authentication server is synchronized with the time of the JSA server.

  • Ensure that all users have appropriate user accounts and roles to allow authentication with the vendor servers.

Configuring Inactivity Timeout for a JSA User

If you have users who require longer periods of inactivity before they are logged out of the system, you can configure their inactivity timeout threshold individually.

  1. On the navigation menu, click Admin.
  2. In the User Management section, click Users.
  3. Select a user from the list and click Edit.
  4. In the User Details pane, enable the Override System Inactivity Timeout setting.
  5. Enter the number of minutes of inactivity before the user is logged out, and click Save.

External Authentication Guidelines for Administrative Users

Administrative users must be able to log into JSA when external authentication fails.

The JSA administrative roles have both the external and local authentication methods available in case the external authentication fails. If the remote authentication fails, the administrative users can log in by using the local password. A local password must be set for administrative users when external authentication is configured.

The local password is not set when you create a non-administrative user because the local password is not synchronized with the remote authority. Non-administrative users are only able to authenticate their username and password to the remote authority. If the remote authority is disabled or the user's credentials are rejected, the user cannot log in.

Administrative users must update both the local and remote authentication passwords at the same time to avoid issues when the user logs in to JSA and the remote authentication source is disabled. You cannot change the local administration password while the remote authority is active. To change the administration password, you must:

  1. Temporarily disable external authentication.

  2. Reset the password.

  3. Reconfigure external password.

Configuring System Authentication

You can configure local authentication on your JSA system. You can specify length, complexity, and expiry requirements for local passwords.

The local authentication password policy applies to local passwords for administrative users. The policy also applies to non-administrative users if no external authentication is configured.

When the local authentication password policy is updated, users are prompted to change their password if they log in with a password that does not meet the new requirements.
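The local password policy and the forced change at login, as an added example that is not part of the JSA documentation or product code: a policy object with constructed length, complexity and expiry values (the real thresholds are whatever is set in the Local Password Policy Configuration tab), a checker that reports every rule a password breaks, and the decision of whether a user who just logged in must change their password because it either fails the current policy or is older than the expiry window.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List


# Constructed values; the real policy is whatever the administrator configures.
@dataclass(frozen=True)
class LocalPasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90          # expiry window


def policy_violations(policy: LocalPasswordPolicy, password: str) -> List[str]:
    """List every rule the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    checks = [
        (policy.require_upper, r"[A-Z]", "no upper-case letter"),
        (policy.require_lower, r"[a-z]", "no lower-case letter"),
        (policy.require_digit, r"[0-9]", "no digit"),
        (policy.require_symbol, r"[^A-Za-z0-9]", "no symbol"),
    ]
    for required, pattern, message in checks:
        if required and not re.search(pattern, password):
            problems.append(message)
    return problems


def must_change_password(policy: LocalPasswordPolicy, password: str,
                         last_changed: date, today: date) -> bool:
    """True when a successful login should be followed by a forced change:
    the password breaks the (possibly newly tightened) policy, or it is
    older than the expiry window. The policy check runs only at login,
    because that is the one moment the plaintext password is available."""
    expired = (today - last_changed).days > policy.max_age_days
    return expired or bool(policy_violations(policy, password))
```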

  1. On the navigation menu, click Admin.
  2. Click System Configuration > User Management > Authentication.
  3. Optional: In the General Authentication Settings tab, from the Authentication Module list box, select System Authentication, and then click Save Authentication Module.

    System authentication is the default authentication module. If you change from another authentication module, then you must deploy JSA before you do the next steps.

  4. In the Local Password Policy Configuration tab, select the password complexity settings for local authentication.

Configuring RADIUS authentication

You can configure RADIUS authentication on your JSA system.

  1. On the navigation menu, click Admin.
  2. Click System Configuration > User Management > Authentication.
  3. From the Authentication Module list box, select RADIUS Authentication.
  4. Configure the parameters:
    1. In the RADIUS Server field, type the host name or IP address of the RADIUS server.

    2. In the RADIUS Port field, type the port of the RADIUS server.

    3. From the Authentication Type list box, select the type of authentication you want to perform.

      Choose from the following options:

        • CHAP - Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol (PPP) connection between the user and the server.

        • MSCHAP - Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote Windows workstations.

        • ARAP - Apple Remote Access Protocol (ARAP) establishes authentication for AppleTalk network traffic.

        • PAP - Password Authentication Protocol (PAP) sends clear text between the user and the server.

    4. In the Shared Secret field, type the shared secret that JSA uses to encrypt RADIUS passwords for transmission to the RADIUS server.

  5. Click Save Authentication Module.
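What "JSA encrypts the password only" and the PAP versus CHAP options mean on the wire, as an added example that is not JSA's or any RADIUS library's code: the standard RADIUS password hiding from RFC 2865 section 5.2 (the User-Password attribute is XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, while the User-Name travels in clear text) and the CHAP-Password computation from RFC 2865 section 5.3. The shared secret, authenticator and password values are constructed. The point for a defender is that PAP hiding is reversible by anyone who holds the shared secret, and CHAP requires the server to keep the password in a recoverable form; neither replaces protecting the path between JSA and the RADIUS server.

```python
import hashlib
import hmac
import os


def new_request_authenticator() -> bytes:
    """16 random bytes; must be unpredictable and fresh for every request."""
    return os.urandom(16)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    bytes, then XOR each block with MD5(secret || previous block), seeded
    with the Request Authenticator. Obfuscation keyed by the shared secret,
    not authenticated encryption."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block          # chaining: the next keystream depends on this block
    return bytes(hidden)


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme; anyone holding the secret can run it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    recovered = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        recovered += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Padding is NUL bytes, so a password that itself ends in NUL is ambiguous.
    return bytes(recovered).rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3 CHAP-Password: MD5(ID || password || challenge).
    The password never crosses the wire, but the server must hold it in a
    form it can feed back into this computation."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, stored_password: bytes, challenge: bytes,
                response: bytes) -> bool:
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)   # constant-time comparison
```

A weak or reused shared secret undoes the hiding entirely, so the secret should be long and random, and the JSA-to-RADIUS path should be a trusted network segment or an encrypted tunnel.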

Configuring TACACS authentication

You can configure TACACS authentication on your JSA system.

  1. On the navigation menu, click Admin.
  2. Click System Configuration > User Management > Authentication.
  3. From the Authentication Module list box, select TACACS Authentication.
  4. Configure the parameters:
    1. In the TACACS Server field, type the host name or IP address of the TACACS server.

    2. In the TACACS Port field, type the port of the TACACS server.

    3. From the Authentication Type list box, select the type of authentication you want to perform.

      Choose from the following options:

        • ASCII - American Standard Code for Information Interchange (ASCII) sends the user name and password in clear text.

        • PAP - Password Authentication Protocol (PAP) sends clear text between the user and the server. PAP is the default authentication type.

        • CHAP - Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol (PPP) connection between the user and the server.

        • MSCHAP - Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote Windows workstations.

        • MSCHAP2 - Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAP2) authenticates remote Windows workstations by using mutual authentication.

        • EAPMD5 - Extensible Authentication Protocol using MD5 Protocol (EAPMD5) uses MD5 to establish a PPP connection.

    4. In the Shared Secret field, type the shared secret that JSA uses to encrypt TACACS passwords for transmission to the TACACS server.

  5. Click Save.

Configuring Active Directory authentication

You can configure Microsoft Active Directory authentication on your JSA system.

  1. On the navigation menu, click Admin.
  2. Click System Configuration > User Management > Authentication.
  3. From the Authentication Module list box, select Active Directory.

    Configure the parameters:

    1. In the RADIUS Server field, type the host name or IP address of the RADIUS server.

    2. In the RADIUS Port field, type the port of the RADIUS server.

    3. From the Authentication Type list, select Active Directory, and configure the following parameters:

        • Server URL - Type the URL used to connect to the LDAP server, for example, ldaps://host:port.

        • LDAP Context - Type the LDAP context you want to use. For example, DC=JSA,DC=INC.

        • LDAP Domain - Type the domain that you want to use. For example, jsa.inc.

  4. Click Authentication Module.
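A pre-flight check for the three Active Directory values above (Server URL, LDAP Context, LDAP Domain), as an added example that is not JSA's own code: it parses the Server URL, flags a plain ldap:// scheme because the bind credentials would cross the network in clear text, catches a non-numeric port such as the literal "port" in the page's ldaps://host:port placeholder, and derives the expected context from the domain (jsa.inc becomes DC=jsa,DC=inc, compared case-insensitively) so a mismatched LDAP Context is caught before the module is saved and deployed. The function names and the sample values are assumptions for the example.

```python
from typing import List
from urllib.parse import urlsplit


def domain_to_base_dn(domain: str) -> str:
    """jsa.inc -> DC=jsa,DC=inc: each DNS label becomes one DC= component."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("LDAP Domain is empty")
    return ",".join(f"DC={label}" for label in labels)


def _normalize_dn(dn: str) -> str:
    # DC attribute names and values are case-insensitive; ignore spacing too.
    return ",".join(part.strip().upper() for part in dn.split(","))


def check_ad_settings(server_url: str, ldap_context: str, ldap_domain: str) -> List[str]:
    """Return a list of findings; an empty list means the values look consistent."""
    findings = []
    url = urlsplit(server_url.strip())
    if url.scheme not in ("ldap", "ldaps"):
        findings.append("Server URL must start with ldap:// or ldaps://")
    elif url.scheme == "ldap":
        findings.append("ldap:// sends the bind credentials in clear text; prefer ldaps://")
    if not url.hostname:
        findings.append("Server URL has no host name")
    try:
        if url.port is None:
            findings.append("Server URL has no explicit port")
    except ValueError:
        # urlsplit raises when the port is not an integer, e.g. 'ldaps://host:port'.
        findings.append("Server URL port is not numeric (for example, ldaps commonly uses 636)")
    try:
        expected = domain_to_base_dn(ldap_domain)
    except ValueError as exc:
        findings.append(str(exc))
    else:
        if _normalize_dn(ldap_context) != _normalize_dn(expected):
            findings.append(
                f"LDAP Context '{ldap_context}' does not match LDAP Domain "
                f"'{ldap_domain}' (expected '{expected}')"
            )
    return findings
```

Run this against the values you intend to enter; if it reports nothing, the remaining failure modes are outside the form (certificate trust for ldaps, the server's user accounts and privilege levels, and clock skew between JSA and the domain controller, all of which the prerequisite checklist covers).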