CAS mode

NSP CAS user authentication

In an NSP system that uses CAS and includes the NFM-P, the NFM-P provides local user authentication and management. An NSP system that uses CAS can also delegate to one or more external authentication sources.

Note: CAS mode is deprecated and is to be removed in a future NSP release. Migrating to OAUTH2 mode, as described in "To migrate from CAS to OAUTH2 NSP user authentication", is strongly recommended.

Note: The WS-NOC uses only CAS authentication.

CAS and remote authentication

In CAS mode, it is recommended to configure the NSP to delegate directly to one or more external authentication sources, rather than to an NFM-P system that in turn delegates to an external source.

Note: An NSP deployment that uses CAS and does not include the NFM-P requires the configuration of a remote authentication source such as LDAP, RADIUS, or TACACS+, or the NSP software deployment fails.

Note: In CAS mode, it is not recommended to configure external authentication sources in the NSP and also in the NFM-P, as redundant authentication requests may be sent and result in longer login times.

Table 4-1, CAS authentication source comparison, describes the advantages and disadvantages of using the various authentication sources with CAS.

Table 4-1: CAS authentication source comparison

Source: External source such as LDAP, RADIUS, TACACS+
Advantages: The NSP continues to authenticate users in the event that the NFM-P is unavailable. NSP users can continue to access NSP functions while the NFM-P is unavailable.
Disadvantages: You cannot configure an order of precedence for the authentication sources; the NSP determines the order during initialization.

Source: NFM-P, using local user database or external authentication source
Advantages: You can configure the order in which the NFM-P tries the external authentication sources. The NFM-P can assign a user to a default user group if an authentication source does not return a group name.
Disadvantages: If the NFM-P is down, the NSP is unable to authenticate any users.

CAS login protection

An NSP system deployed with CAS or OAUTH2 authentication provides mechanisms to guard against unwanted system access by maintaining strict control over repeated login attempts. The following CAS login authentication mechanisms are available.

User login failures

During NSP deployment, you can specify whether, and for how long, to lock out users that exceed a specified number of consecutive login failures.

User login throttling

User login throttling limits the number of failed login attempts, based on a username and client source IP address combination, to discourage password guessing and other unauthorized login attempts. Login throttling is enabled by default. You can configure the login failure rate and a lockout period for login attempts that exceed the failure rate.

After a failed login attempt, subsequent login attempts by the same user from the same source IP address during the login threshold period are blocked for the duration of the specified lockout period.

The login threshold period is defined by two parameters: the rate_seconds parameter defines a time interval, in seconds, and the rate_threshold parameter defines the number of login attempts allowed during that time interval.

The lockout_period parameter specifies the number of seconds to block login attempts by a user from the same address that exceeds the login threshold.
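The following is an added illustration of the throttling behaviour described under "User login throttling"; it is not NSP code. It models the three parameters named above (rate_seconds, rate_threshold, lockout_period) as a sliding window of failed attempts keyed by the username and source IP address combination, and blocks that pair for lockout_period once the failures in the window exceed rate_threshold. The default values, the usernames and addresses, the decision to treat "exceeds" as strictly more than rate_threshold, and the choice that attempts made during a lockout do not extend it are all assumptions of this example; the per-user consecutive-failure lockout from "User login failures" is a separate mechanism and is not modelled here.

```python
"""Sliding-window login throttling keyed by (username, source IP).

Added example of the rate_seconds / rate_threshold / lockout_period
behaviour; this is not NSP code, and all concrete values are constructed.
"""
from collections import defaultdict, deque
import time


class LoginThrottle:
    """Block a (user, source IP) pair after too many failed logins in a window.

    rate_seconds:    length of the login threshold period, in seconds
    rate_threshold:  failed attempts allowed inside that period
    lockout_period:  seconds to block further attempts once the threshold is exceeded
    clock:           injectable time source (monotonic seconds) so runs are deterministic
    """

    def __init__(self, rate_seconds=60, rate_threshold=5, lockout_period=300,
                 clock=time.monotonic):
        self.rate_seconds = rate_seconds
        self.rate_threshold = rate_threshold
        self.lockout_period = lockout_period
        self._clock = clock
        # (user, ip) -> timestamps of recent failed attempts, oldest first
        self._failures = defaultdict(deque)
        # (user, ip) -> time at which the current lockout expires
        self._locked_until = {}

    def _prune(self, key, now):
        """Drop failures that fell out of the rate_seconds window."""
        window = self._failures[key]
        while window and now - window[0] >= self.rate_seconds:
            window.popleft()

    def is_blocked(self, user, ip):
        """True while the pair is inside an active lockout period."""
        key = (user, ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self._clock() < until:
            return True
        # Lockout expired: forget it and start with a clean failure window.
        del self._locked_until[key]
        self._failures.pop(key, None)
        return False

    def attempt(self, user, ip, password_ok):
        """Process one login attempt and return 'blocked', 'ok' or 'failed'.

        An attempt made during a lockout is rejected without evaluating the
        credentials and does not extend the lockout (assumption).
        """
        key = (user, ip)
        if self.is_blocked(user, ip):
            return "blocked"
        now = self._clock()
        if password_ok:
            self._failures.pop(key, None)  # a success resets the failure window
            return "ok"
        self._prune(key, now)
        window = self._failures[key]
        window.append(now)
        # Exceeding (not merely reaching) rate_threshold inside rate_seconds
        # triggers the lockout; that boundary is this example's assumption.
        if len(window) > self.rate_threshold:
            self._locked_until[key] = now + self.lockout_period
            window.clear()
        return "failed"


def demo():
    """Drive the throttle with a fake clock and return the outcome sequence."""
    t = [1000.0]
    throttle = LoginThrottle(rate_seconds=60, rate_threshold=3,
                             lockout_period=300, clock=lambda: t[0])
    results = []
    # Four failures five seconds apart: the fourth exceeds rate_threshold.
    for _ in range(4):
        results.append(throttle.attempt("alice", "192.0.2.10", password_ok=False))
        t[0] += 5
    # The correct password from the same address is still blocked.
    results.append(throttle.attempt("alice", "192.0.2.10", password_ok=True))
    # The same user from a different source address is unaffected.
    results.append(throttle.attempt("alice", "198.51.100.7", password_ok=True))
    # Once lockout_period has elapsed the pair can log in again.
    t[0] += 300
    results.append(throttle.attempt("alice", "192.0.2.10", password_ok=True))
    return results


if __name__ == "__main__":
    print(demo())
```

Keying on the (user, source IP) pair is what lets a legitimate user keep working from another address while one address is locked out; a per-user-only counter would instead let a remote guesser lock the real user out of every location.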