User Authentication

 

When authentication is configured and a user enters an invalid user name and password combination, a message is displayed to indicate that the login was invalid.

After a user fails to log in more than the configured number of times, that user must wait the configured lockout period before another attempt is accepted. The maximum number of failed logins and the related lockout settings are part of the console settings. For more information about configuring console settings for authentication, see JSA System Time.

JSA supports the following authentication types:

  • System authentication - Users are authenticated locally. System authentication is the default authentication type.

  • RADIUS authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, JSA encrypts the password only, and forwards the user name and password to the RADIUS server for authentication.

  • TACACS authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, JSA encrypts the user name and password, and forwards this information to the TACACS server for authentication. TACACS Authentication uses Cisco Secure ACS Express as a TACACS server. JSA supports up to Cisco Secure ACS Express 4.3.

  • Microsoft Active Directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server that uses Kerberos.

  • LDAP - Users are authenticated by a Native LDAP server.

  • SAML single sign-on authentication - JSA integrates with your corporate identity provider to provide single sign-on, which removes the need to maintain JSA local users. Users who are authenticated to the identity provider are automatically authenticated to JSA; they do not need a separate JSA password and do not enter credentials each time they access JSA.

Prerequisite Checklist for External Authentication Providers

Before you can configure RADIUS, TACACS, Active Directory, or LDAP as the authentication type, you must complete the following tasks:

  • Configure the authentication server before you configure authentication in JSA. For more information, see your server documentation.

  • Ensure that the server has the user account and privilege level that JSA uses to communicate with it. For more information, see your server documentation.

  • Ensure that the clock of the authentication server is synchronized with the clock of the JSA server. Kerberos, which the Active Directory option relies on, rejects requests whose clock skew exceeds its tolerance (5 minutes by default in Active Directory), and authentication logs on both sides are far easier to correlate when the clocks agree.

  • Ensure that every user who will log in to JSA has an account and the required roles or group memberships on the authentication server.

Configuring Inactivity Timeout for a JSA User

If you have users who require longer periods of inactivity before they are logged out of the system, you can configure their inactivity timeout threshold individually.

  1. On the navigation menu, click Admin.
  2. In the User Management section, click Users.
  3. Select a user from the list and click Edit.
  4. In the User Details pane, enable the Override System Inactivity Timeout setting.
  5. Enter the number of minutes of inactivity before the user is logged out, and click Save.

External Authentication Guidelines for Administrative Users

Administrative users must still be able to log in to JSA when external authentication fails.

Administrators can give a user both the external and the local authentication method, so that if the remote authentication fails the user can still log in with the local password. To do so, enable local authentication fallback for the user and set a local password for that user; a user cannot authenticate locally without a local password. Treat that local password as a second credential that the external provider does not govern: limit fallback to the administrative accounts that need it and keep their local passwords subject to the local password policy.

When external authentication is configured, a non-administrative user is created without a local password, because local passwords are not synchronized with the remote authority. Such users can authenticate only against the remote authority unless local authentication fallback is enabled for them.

Local authentication fallback is not available with SAML authentication.

Configuring System Authentication

You can configure local authentication on your JSA system. You can specify length, complexity, and expiry requirements for local passwords.

The local authentication password policy applies to local passwords for administrative users. The policy also applies to non-administrative users if no external authentication is configured.

When the local authentication password policy is updated, users are prompted to change their password if they log in with a password that does not meet the new requirements.

  1. On the Admin tab, click Authentication.
  2. Click Authentication Module Settings.
  3. Optional: From the Authentication Module list, select System Authentication.

    System authentication is the default authentication module. If you change from another authentication module, then you must deploy JSA before you do the next steps.

  4. In the Local Password Policy Configuration tab, select the password complexity settings for local authentication.
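As an added illustration (this is example code, not JSA's own implementation), the following Python models how such a policy is evaluated when a user logs in: the password is checked against length and character-class rules and against a maximum age, and a password that no longer passes, or has expired, forces a change. The policy values, function names and sample passwords are assumptions for the example, not JSA defaults.

```python
import re
from datetime import date, timedelta

# Policy values are assumptions for this example, not JSA defaults; JSA exposes
# its real length, complexity and expiry settings in the Local Password Policy
# Configuration tab.
POLICY = {
    "min_length": 12,
    "required_classes": 3,   # out of the four classes below
    "max_age_days": 90,
}

CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def _as_date(value):
    """Accept either a date object or an ISO 8601 string such as '2024-01-01'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def complexity_failures(password, policy=POLICY):
    """Return the reasons a password fails the length/complexity rules (empty list = passes)."""
    reasons = []
    if len(password) < policy["min_length"]:
        reasons.append(f"shorter than {policy['min_length']} characters")
    present = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if present < policy["required_classes"]:
        reasons.append(f"uses {present} character classes, needs {policy['required_classes']}")
    return reasons


def password_expired(last_changed, today, policy=POLICY):
    """True when the password is older than the policy's maximum age."""
    return _as_date(today) - _as_date(last_changed) > timedelta(days=policy["max_age_days"])


def must_change_password(password, last_changed, today=None, policy=POLICY):
    """Login-time decision: a password that no longer meets the (possibly tightened)
    policy, or that has expired, forces the user to change it."""
    today = today or date.today()
    return bool(complexity_failures(password, policy)) or password_expired(last_changed, today, policy)


if __name__ == "__main__":
    # Constructed sample: the policy was tightened after this user last set a password.
    print(complexity_failures("password"))
    print(must_change_password("password", "2024-01-01", today="2024-03-01"))
```

The two checks are deliberately separate: complexity is re-evaluated against the current policy every time the user presents the password, while age is a property of when it was last set, so a tightened policy catches old weak passwords at the next login even before they expire.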

Configuring RADIUS authentication

You can configure RADIUS authentication on your JSA system.

  1. On the navigation menu, click Admin.
  2. Click System Configuration > User Management > Authentication.
  3. From the Authentication Module list box, select RADIUS Authentication.
  4. Configure the parameters:
    1. In the RADIUS Server field, type the host name or IP address of the RADIUS server.

    2. In the RADIUS Port field, type the port of the RADIUS server.

    3. From the Authentication Type list box, select the type of authentication you want to perform.

      Choose from the following options:

      Option   Description
      CHAP     Challenge Handshake Authentication Protocol (CHAP). The password is proven with an MD5 challenge-response, so the password itself is never transmitted. CHAP was originally defined for Point-to-Point Protocol (PPP) links.
      MSCHAP   Microsoft Challenge Handshake Authentication Protocol (MSCHAP), the Microsoft variant of CHAP used to authenticate remote Windows workstations.
      ARAP     Apple Remote Access Protocol (ARAP), used to authenticate AppleTalk network traffic.
      PAP      Password Authentication Protocol (PAP). The password is sent as is between the user and the server; on the JSA-to-RADIUS leg it is covered only by the RADIUS User-Password obfuscation derived from the shared secret.

    4. In the Shared Secret field, type the shared secret that JSA uses to encrypt RADIUS passwords for transmission to the RADIUS server. The shared secret is the only key protecting the password between JSA and the RADIUS server, and RADIUS applies an MD5-based obfuscation rather than modern encryption, so use a long random secret, do not share it with other RADIUS clients, and keep the JSA-to-RADIUS path on a trusted management network.

  5. Click Save Authentication Module.
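To make concrete what the shared secret does and does not protect on the JSA-to-RADIUS leg, here is an added Python example (not JSA's code and not any RADIUS library's) that builds an Access-Request as laid out in RFC 2865 and checks it the way a server would. It shows the User-Password hiding used for PAP (an MD5 keystream seeded with the shared secret and the Request Authenticator), the CHAP-Password response, and that the User-Name attribute is readable without the secret, which is what "encrypts the password only" above means. The user name, password, secret and authenticator are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60


def attr(atype, value):
    """One RADIUS attribute: Type, Length (covers the two header octets), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-octet blocks and XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator.
    This is MD5 obfuscation, not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of the same scheme; the keystream chains on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_password(ident, password, challenge):
    """CHAP-Password value: CHAP ident octet followed by MD5(ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def access_request(identifier, username, password, secret, authenticator, method="PAP"):
    """Build an Access-Request the way a RADIUS client (JSA's role) would."""
    attrs = attr(USER_NAME, username)              # sent as is: readable without the secret
    if method == "PAP":
        attrs += attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    elif method == "CHAP":
        # With no CHAP-Challenge attribute, the Request Authenticator serves as the challenge.
        attrs += attr(CHAP_PASSWORD, chap_password(identifier & 0xFF, password, authenticator))
    else:
        raise ValueError("only PAP and CHAP are modelled here")
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(payload):
    attrs, i = {}, 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def server_check(packet, secret, users):
    """Minimal server decision: decrypt PAP or recompute CHAP against a user table."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs = packet[4:20], parse_attrs(packet[20:length])
    expected = users.get(attrs.get(USER_NAME))
    ok = False
    if code == ACCESS_REQUEST and expected is not None:
        if USER_PASSWORD in attrs:
            ok = reveal_password(attrs[USER_PASSWORD], secret, authenticator) == expected
        elif CHAP_PASSWORD in attrs:
            cp = attrs[CHAP_PASSWORD]
            ok = chap_password(cp[0], expected, attrs.get(CHAP_CHALLENGE, authenticator)) == cp
    return ACCESS_ACCEPT if ok else ACCESS_REJECT


if __name__ == "__main__":
    # Constructed sample values; a real client draws a fresh random Request Authenticator per request.
    secret, auth = b"a-long-random-shared-secret", os.urandom(16)
    pkt = access_request(7, b"alice", b"correct horse", secret, auth, "PAP")
    print("user name visible without the secret:", parse_attrs(pkt[20:])[USER_NAME])
    print("server verdict:", server_check(pkt, secret, {b"alice": b"correct horse"}))
```

Two things follow for the configuration above: the user name and every other attribute cross the network in clear text, so the RADIUS path itself needs protecting; and with PAP the server recovers the password, which is what lets it check against any credential store, whereas CHAP never exposes it but requires the server to hold the password in a form it can hash with the challenge.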

Configuring TACACS authentication

You can configure TACACS authentication on your JSA system.

  1. On the navigation menu, click Admin.
  2. Click System Configuration > User Management > Authentication.
  3. From the Authentication Module list box, select TACACS Authentication.
  4. Configure the parameters:
    1. In the TACACS Server field, type the host name or IP address of the TACACS server.

    2. In the TACACS Port field, type the port of the TACACS server.

    3. From the Authentication Type list box, select the type of authentication you want to perform.

      Choose from the following options:

      Option    Description
      ASCII     American Standard Code for Information Interchange (ASCII) login: the user name and password are sent as plain text inside the TACACS packet body.
      PAP       Password Authentication Protocol (PAP): the password is sent as plain text inside the TACACS packet body. PAP is the default authentication type.
      CHAP      Challenge Handshake Authentication Protocol (CHAP): an MD5 challenge-response, originally defined for Point-to-Point Protocol (PPP) links, so the password itself is not transmitted.
      MSCHAP    Microsoft Challenge Handshake Authentication Protocol (MSCHAP), used to authenticate remote Windows workstations.
      MSCHAP2   Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAP2), which adds mutual authentication of the workstation and the server.
      EAPMD5    Extensible Authentication Protocol with MD5 (EAPMD5): an MD5 challenge-response carried in EAP, originally used when establishing PPP connections.

      For every option, the whole TACACS packet body, including the user name, is obfuscated with the shared secret before it leaves JSA; the plain-text options above are plain text only inside that body.

    4. In the Shared Secret field, type the shared secret that JSA uses to encrypt TACACS passwords for transmission to the TACACS server. As with RADIUS, this obfuscation is MD5-based and carries no integrity check, so use a long random secret and keep the JSA-to-TACACS path on a trusted management network.

  5. Click Save.
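The contrast with RADIUS is the security point of the TACACS option, so here is an added Python example (not JSA's code) of the TACACS+ wire format as specified in RFC 8907: an authentication START packet for a PAP login is built, its body obfuscated with the MD5 pseudo-pad derived from the shared key, session ID, version and sequence number, and then recovered on the receiving side. It shows that the user name is not visible on the wire, unlike the RADIUS User-Name attribute, and that a wrong key produces garbage with nothing in the packet to flag it, because the scheme has no integrity protection. The key, session ID, user name, password, port and remote address are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01                      # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01                # START action
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01            # authen_service
AUTHEN_TYPE = {"ASCII": 0x01, "PAP": 0x02, "CHAP": 0x03, "MSCHAP": 0x05, "MSCHAPV2": 0x06}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo pad; the same call de-obfuscates. There is no integrity check."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def authen_start(username, password, authen_type="PAP", port=b"tty0", rem_addr=b"10.0.0.5"):
    """Authentication START body (RFC 8907 section 5.1). For PAP the password travels in the
    data field; for ASCII the data field is empty and the password follows in a CONTINUE packet."""
    data = password if authen_type == "PAP" else b""
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, AUTHEN_TYPE[authen_type],
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(username), len(port), len(rem_addr), len(data))
    return fixed + username + port + rem_addr + data


def packet(body, session_id, key, authen_type="PAP", seq_no=1):
    """12-octet header plus obfuscated body. Minor version 1 is used for PAP/CHAP/MSCHAP."""
    version = 0xC0 if authen_type == "ASCII" else 0xC1
    flags = 0x00                                   # TAC_PLUS_UNENCRYPTED_FLAG not set
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def decode(pkt, key):
    """Receiver side: recover the body using the shared key and the header fields."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    return obfuscate(pkt[12:12 + length], session_id, key, version, seq_no)


def username_from_start(body):
    """Pull the user field out of a decoded START body (user_len sits at offset 4)."""
    user_len = body[4]
    return body[8:8 + user_len]


if __name__ == "__main__":
    # Constructed sample values; a real client picks a random session_id per session.
    key = b"tacacs-shared-key"
    pkt = packet(authen_start(b"alice", b"correct horse"), 0x01020304, key)
    print("user name visible on the wire:", b"alice" in pkt)
    print("recovered with the right key:", username_from_start(decode(pkt, key)))
```

Because the pad depends only on values sent in the clear header plus the key, anyone who learns the key can decode every session retroactively, and anyone on the path can flip bits in the body without detection; both are reasons to treat the JSA-to-TACACS link as a trusted management path rather than relying on the obfuscation.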

Configuring Active Directory authentication

You can configure Microsoft Active Directory authentication on your JSA system.

  1. On the navigation menu, click Admin.
  2. Click System Configuration > User Management > Authentication.
  3. From the Authentication Module list box, select Active Directory.
  4. Configure the following parameters:

      Parameter      Description
      Server URL     Type the URL used to connect to the LDAP server, for example, ldaps://host:port. Use ldaps:// so that the connection is protected by TLS, and make sure the certificate that the server presents chains to a CA that JSA trusts.
      LDAP Context   Type the LDAP context (the base distinguished name) that you want to use, for example, DC=JSA,DC=INC.
      LDAP Domain    Type the domain that you want to use, for example, jsa.inc. The DC components of the LDAP Context normally spell out this domain.

  5. Click Save Authentication Module.
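Mismatched values in these three fields are a common cause of a failing Active Directory configuration, so here is an added Python preflight (example code, not part of JSA) that checks them offline before you save the module: the Server URL must use ldaps:// and have a host (the port defaults to 636, the registered LDAPS port), the LDAP Context must parse as a sequence of RDNs, and its DC components must spell the LDAP Domain. The function names, the default port rule and the sample host names are assumptions for the example.

```python
from urllib.parse import urlsplit


def parse_server_url(url):
    """Accept only ldaps://host[:port]; ldap:// would leave the session unprotected by TLS."""
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        raise ValueError(f"Server URL must use ldaps://, got {parts.scheme or 'no scheme'}")
    if not parts.hostname:
        raise ValueError("Server URL has no host")
    return parts.hostname, parts.port or 636      # 636 is the registered LDAPS port


def dc_components(context):
    """The DC= values of an LDAP context, in order: DC=JSA,DC=INC -> ['JSA', 'INC'].
    Other RDN types (OU=, CN=) are allowed in front and are skipped."""
    dcs = []
    for rdn in (r.strip() for r in context.split(",") if r.strip()):
        attr_type, sep, value = rdn.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed RDN in LDAP Context: {rdn!r}")
        if attr_type.strip().upper() == "DC":
            dcs.append(value.strip())
    return dcs


def context_matches_domain(context, domain):
    """The DC chain of the context should spell the LDAP Domain, case-insensitively."""
    return [dc.lower() for dc in dc_components(context)] == domain.lower().split(".")


def check_ad_settings(server_url, context, domain):
    """Offline preflight of the three fields; returns (host, port, list_of_problems)."""
    host, port = parse_server_url(server_url)
    problems = []
    if not context_matches_domain(context, domain):
        problems.append(f"LDAP Context {context!r} does not spell LDAP Domain {domain!r}")
    return host, port, problems


if __name__ == "__main__":
    # Constructed sample values mirroring the examples in the table above.
    print(check_ad_settings("ldaps://dc1.jsa.inc:636", "DC=JSA,DC=INC", "jsa.inc"))
```

A context that narrows the search base, such as OU=Users,DC=JSA,DC=INC, still passes the domain check, which is intended: only the DC chain has to agree with the domain. Whether the host actually answers on that port with a trusted certificate is a live check that belongs in the prerequisite step, run from the JSA server itself.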