Chapter 17: Authentication

17.1. Authentication Profiles

Authentication refers to the process of verifying user identity before allowing access. The configuration object which controls authentication in cOS Stream is the AuthenticationProfile object. Each profile defines a specific set of parameters for performing authentication.

To enable authentication, authentication profiles must be associated with other configuration objects. For example, an IPsec interface can have a profile associated with it so that roaming clients connecting through the IPsec tunnel trigger the authentication described by the profile.

An AuthenticationProfile object has the following key properties:

  • Agent Type

    This is the type of authentication that will be used. The choices are:

    1. BASIC - This is the default and indicates standard username/password authentication. For example, the profile associated with the RemoteMgmtSSH object should have this agent type to allow administrative SSH access.

    2. EAP - This option is used in I-WLAN scenarios with IKEv2 IPsec tunnels. It encompasses three types of EAP payloads:

      • SIM
      • AKA
      • MD5

      Any of these EAP types can be explicitly disabled in the AuthenticationProfile object. For example, to disable MD5, the property AllowEAP_MD5 would be given a value of No.

  • LocalUserDB

    This is the LocalUserDatabase that will be used to authenticate users. If no local database is used, it should be set to an empty string: LocalUserDB="".

  • RemoteServer

    This is a list of one or more RadiusServer objects that will be used for authentication. They can be used instead of, or in addition to, a local user database.

  • RemoteLoadBalance

    This is the algorithm that is used to spread RADIUS requests amongst multiple RADIUS servers.

  • AuthOrder

    If both a local database and RADIUS server(s) are specified, this determines which to use first for authentication.

  • MultipleLogins

    This determines if multiple logins by the same username are allowed. If they are, the maximum number of logins is controlled by the MaxMultipleSessions property. The possible options are:

    1. AllowOne - Allow only one login. Any new login by the same username is refused.
    2. AllowMultiple - Allow multiple simultaneous logins, up to the number set by MaxMultipleSessions.
    3. ReplaceExisting - Allow one login, but a new login logs out the existing session.

  • SessionTimeout

    The amount of time with no activity before the session is disconnected.

  • LoginAttempts

    The maximum number of attempts to log in before a username is locked out.

  • MaxLockoutTime

    The time that a username is prevented from trying to log in once a lockout occurs.

  • BruteForceAttackPrevention

    This sets a rate limit on the number of retries that can be attempted from the same IP address, independently of the per-username lockout. This is enabled by default.
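
The following Python model, added here as an illustration and not part of cOS Stream or its documentation, shows how the login-policy properties above interact: LoginAttempts and MaxLockoutTime lock a username, MultipleLogins and MaxMultipleSessions decide what a second login by the same username means, and BruteForceAttackPrevention limits attempts per source IP even when every attempt uses a different username. The LocalUserDatabase stand-in, the simulated clock, the result strings, and the per-IP threshold and window (BruteForceMaxRetries, BruteForceWindow) are assumptions; the page gives no values for the last two.

```python
"""Executable model of the AuthenticationProfile login policies described
above.  Constructed illustration, not cOS Stream code: the result strings,
the simulated clock and the per-IP retry threshold/window are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AuthenticationProfile:
    MultipleLogins: str = "AllowOne"   # AllowOne | AllowMultiple | ReplaceExisting
    MaxMultipleSessions: int = 3
    LoginAttempts: int = 3             # consecutive failures before the username locks
    MaxLockoutTime: int = 300          # seconds a locked username stays locked
    BruteForceAttackPrevention: bool = True
    # Assumed values: the page does not state the per-IP retry limit or window.
    BruteForceMaxRetries: int = 5
    BruteForceWindow: int = 60


class LocalUserDatabase:
    """Stand-in for a LocalUserDatabase object (plaintext only for the demo)."""
    def __init__(self, users):
        self.users = dict(users)

    def check(self, username, password):
        return self.users.get(username) == password


class Authenticator:
    def __init__(self, profile, userdb):
        self.profile = profile
        self.userdb = userdb
        self.failures = defaultdict(int)       # username -> consecutive failures
        self.locked_until = {}                 # username -> simulated unlock time
        self.sessions = defaultdict(list)      # username -> source IPs of live sessions
        self.ip_attempts = defaultdict(list)   # source IP -> attempt timestamps

    def login(self, username, password, src_ip, now):
        """Return a result string; `now` is a simulated clock in seconds."""
        p = self.profile
        # BruteForceAttackPrevention: rate-limit attempts per source IP, which
        # also catches one address cycling through many different usernames.
        if p.BruteForceAttackPrevention:
            recent = [t for t in self.ip_attempts[src_ip] if now - t < p.BruteForceWindow]
            if len(recent) >= p.BruteForceMaxRetries:
                self.ip_attempts[src_ip] = recent
                return "RATE_LIMITED"
            recent.append(now)
            self.ip_attempts[src_ip] = recent
        # MaxLockoutTime: a locked username is refused even with the right password.
        if username in self.locked_until:
            if now < self.locked_until[username]:
                return "LOCKED_OUT"
            del self.locked_until[username]
        # LoginAttempts: lock the username after this many consecutive failures.
        if not self.userdb.check(username, password):
            self.failures[username] += 1
            if self.failures[username] >= p.LoginAttempts:
                self.failures[username] = 0
                self.locked_until[username] = now + p.MaxLockoutTime
                return "LOCKED_OUT"
            return "BAD_CREDENTIALS"
        self.failures[username] = 0
        # MultipleLogins: decide what a second login by the same username means.
        active = self.sessions[username]
        if p.MultipleLogins == "AllowOne" and active:
            return "ALREADY_LOGGED_IN"
        if p.MultipleLogins == "AllowMultiple" and len(active) >= p.MaxMultipleSessions:
            return "TOO_MANY_SESSIONS"
        if p.MultipleLogins == "ReplaceExisting":
            active.clear()                     # the new login logs out the old one
        active.append(src_ip)
        return "OK"

    def logout(self, username, src_ip):
        if src_ip in self.sessions[username]:
            self.sessions[username].remove(src_ip)


if __name__ == "__main__":
    db = LocalUserDatabase({"alice": "s3cret"})
    auth = Authenticator(AuthenticationProfile(MultipleLogins="ReplaceExisting"), db)
    print(auth.login("alice", "wrong", "10.0.0.1", now=0))    # BAD_CREDENTIALS
    print(auth.login("alice", "s3cret", "10.0.0.1", now=1))   # OK
    print(auth.login("alice", "s3cret", "10.0.0.2", now=2))   # OK, replaces the first session
    print(auth.sessions["alice"])                             # ['10.0.0.2']
```

The per-IP limit is checked before the per-username lockout on purpose: the lockout only protects a username that is being hammered, while the IP limit is what stops a single address from spreading its attempts across many usernames and staying under LoginAttempts for each of them.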

Example 17.1. Creating an Authentication Profile with a Local User Database

This example creates an authentication profile called int_auth that will reference a local user database called int_users that has already been defined. No RADIUS servers will be used.

Command-Line Interface

System:/> add AuthenticationProfile int_auth
              LocalUserDB=int_users

Example 17.2. Creating an Authentication Profile with RADIUS Servers

This example creates an authentication profile called ext_auth that will reference two RADIUS servers called rad1_server and rad2_server. A local database will not be used.

Command-Line Interface

System:/> add AuthenticationProfile ext_auth
              LocalUserDB=""
              RemoteServer=rad1_server,rad2_server