OAUTH2 mode
NSP OAUTH2 user authentication
OAUTH2 authentication supports local and remote user management. The NSP Users and Security function is the interface for local user creation and administration.
NSP OAUTH2 mode does not use the NFM-P as an authentication source. NFM-P users must therefore be migrated to the NSP before they can be authenticated by OAUTH2, as described in Migrating from CAS to OAUTH2.
Note: Because CAS mode is deprecated, migrating from CAS to OAUTH2 is strongly recommended.
Note: The WS-NOC supports CAS, but does not support OAUTH2.
OAUTH2 username convention
To be valid for NSP access via OAUTH2, a local or remote authentication source username must consist of only lowercase characters, for example, johndoe. The convention is enforced as follows:
- You cannot create a local username that includes an uppercase character.
- OAUTH2 cannot authenticate a remote authentication username that includes uppercase characters: during NSP login, the username is converted to lowercase before authentication is attempted, so it no longer matches the mixed-case name held by the remote source.
OAUTH2 and remote authentication
OAUTH2 supports the use of multiple LDAP, RADIUS, and TACACS+ remote authentication sources. OAUTH2 first attempts to verify a set of user credentials against the local user database. If the user account is not found, or lacks the correct credentials, OAUTH2 then tries to verify the credentials against the remote authentication sources that are configured.
Note: During a remote user login attempt, if the remote authentication source returns a user group that does not exist in the NSP:
Note: OAUTH2 supports remote authentication servers that communicate using IPv4 or IPv6.
NSP OAUTH2 remote authentication has the following characteristics.
- You can define multiple servers for each type of remote authentication source, for example, two LDAP servers.
- RADIUS and TACACS+ authentication sources cannot be used in the same OAUTH2 deployment.
- LDAP immediately follows local user authentication in priority, and is always above RADIUS or TACACS+.
- RADIUS or TACACS+ is always the last authentication source to be tried.
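The following model shows the authentication order above (local database, then every LDAP server, then the RADIUS or TACACS+ servers) together with the lowercase username convention. It is an added illustration, not NSP code: the source names, the in-memory user stores, the sample accounts and the `Oauth2Chain` class are constructed for the example. The page does not say whether a definite rejection by one remote source stops the chain, so this model consults every configured source in turn.

```python
"""Model of the NSP OAUTH2 authentication order (added example, not NSP code).

Source names, in-memory user stores and sample accounts are constructed here.
Assumption: a rejection by one remote source does not stop the chain.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


class UsernameError(ValueError):
    """A local username that violates the lowercase-only convention."""


def validate_local_username(username: str) -> str:
    # The NSP refuses to create a local user whose name contains an uppercase character.
    if username != username.lower():
        raise UsernameError(f"local username must be lowercase: {username!r}")
    return username


@dataclass
class RemoteSource:
    kind: str                                    # "LDAP", "RADIUS" or "TACACS+"
    name: str
    check: Callable[[str, str], Optional[bool]]  # True/False, or None if unreachable


def directory(entries: dict[str, str]) -> Callable[[str, str], Optional[bool]]:
    """Constructed stand-in for a remote server with a case-sensitive user store."""
    return lambda user, password: entries.get(user) == password


@dataclass
class Oauth2Chain:
    local_users: dict[str, str] = field(default_factory=dict)
    ldap: list[RemoteSource] = field(default_factory=list)
    final: list[RemoteSource] = field(default_factory=list)  # RADIUS or TACACS+, never both

    def add_local_user(self, username: str, password: str) -> None:
        self.local_users[validate_local_username(username)] = password

    def add_remote(self, src: RemoteSource) -> None:
        if src.kind == "LDAP":
            self.ldap.append(src)
        elif src.kind in ("RADIUS", "TACACS+"):
            # One deployment may use RADIUS or TACACS+, not both.
            if any(s.kind != src.kind for s in self.final):
                raise ValueError("RADIUS and TACACS+ cannot be used in the same deployment")
            self.final.append(src)
        else:
            raise ValueError(f"unsupported source type: {src.kind}")

    def authenticate(self, username: str, password: str) -> tuple[bool, str]:
        # The login name is lowercased before any source is consulted.
        user = username.lower()
        # 1. local user database
        if self.local_users.get(user) == password:
            return True, "local"
        # 2. every LDAP server, then 3. the RADIUS or TACACS+ servers
        for src in self.ldap + self.final:
            if src.check(user, password):
                return True, f"{src.kind}:{src.name}"
        return False, "none"


def build_demo_chain() -> Oauth2Chain:
    """Constructed deployment: one local user, two LDAP servers, two RADIUS servers."""
    chain = Oauth2Chain()
    chain.add_local_user("alice", "local-pw")
    chain.add_remote(RemoteSource("LDAP", "ldap-1", directory({"bob": "ldap-pw"})))
    # "JohnDoe" exists only with mixed case, so the lowercased login never matches it.
    chain.add_remote(RemoteSource("LDAP", "ldap-2", directory({"JohnDoe": "ldap-pw"})))
    chain.add_remote(RemoteSource("RADIUS", "radius-1", directory({"carol": "radius-pw"})))
    chain.add_remote(RemoteSource("RADIUS", "radius-2", directory({"dave": "radius-pw"})))
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    for name, pw in [("Alice", "local-pw"), ("bob", "ldap-pw"),
                     ("JohnDoe", "ldap-pw"), ("dave", "radius-pw")]:
        print(name, chain.authenticate(name, pw))
```

Running the demo shows "Alice" succeeding against the local database because the login name is lowercased first, while "JohnDoe" fails even with the right password because the remote entry keeps its mixed case.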
OAUTH2 login protection
OAUTH2 provides functions for temporarily or permanently locking out users for login failures. Login failure management is configured during NSP deployment.
Temporary and permanent user lockout are mutually exclusive: if user lockout is to be enforced, only one of the two mechanisms can be active at any time.
Note: Temporary user lockout is enabled by default.
User login failures and permanent lockout
OAUTH2 can automatically lock out a user after a specified number of consecutive login failures. The user is prevented from logging in until an administrator unsuspends the user account. The user lockout applies only to local NSP users, and not to users defined in external authentication sources.
User login throttling and temporary lockout
A user that reaches a specified number of consecutive failed login attempts can be temporarily disabled for a specified wait interval. During the wait interval, further login attempts by the user are not processed. After the wait interval, OAUTH2 processes new login attempts by the user. If the user login attempts continue to fail, the login attempts are subsequently disabled for incrementally longer periods, up to a configurable maximum.
Note: Temporary lockout applies to local and external authentication source users.
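The model below works through the two lockout mechanisms described above: permanent lockout, which suspends a local user until an administrator unsuspends the account and never applies to external users, and temporary lockout, which ignores attempts during a wait interval and lengthens that interval on further failures up to a cap. It is an added illustration, not NSP code: the `LockoutPolicy` fields, the threshold of three failures, the initial 60 s wait, the doubling rule and the 900 s cap are assumptions made for the example (the real values are set at NSP deployment and the page does not state how the interval grows).

```python
"""Model of OAUTH2 login-failure handling (added example, not NSP code).

Assumptions: 3 consecutive failures trigger the lockout, the temporary wait
starts at 60 s and doubles on each further failure up to 900 s, and a
successful login resets the failure streak. Users and passwords are constructed.
"""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    mode: str                    # "temporary" or "permanent"; only one can be active
    max_failures: int = 3        # consecutive failures before the lockout applies
    wait_seconds: int = 60       # first temporary wait interval (assumed)
    max_wait_seconds: int = 900  # cap on the growing wait interval (assumed)

    def __post_init__(self) -> None:
        if self.mode not in ("temporary", "permanent"):
            raise ValueError("exactly one of temporary or permanent lockout must be chosen")


@dataclass
class AccountState:
    failures: int = 0          # current streak of consecutive failures
    wait: int = 0              # last applied temporary wait interval
    locked_until: float = 0.0  # temporary lockout expiry (epoch seconds)
    suspended: bool = False    # permanent lockout; cleared only by an administrator


class LoginGuard:
    def __init__(self, policy: LockoutPolicy, passwords: dict[str, str], local_users) -> None:
        self.policy = policy
        self.passwords = passwords        # constructed: username -> password
        self.local_users = set(local_users)
        self.state: dict[str, AccountState] = {}

    def login(self, user: str, password: str, now: float) -> str:
        st = self.state.setdefault(user, AccountState())
        if st.suspended:
            return "suspended"
        if now < st.locked_until:
            return "locked"               # attempt during the wait interval is not processed
        if self.passwords.get(user) == password:
            st.failures = 0
            st.wait = 0
            return "ok"
        st.failures += 1
        if st.failures < self.policy.max_failures:
            return "failed"
        if self.policy.mode == "permanent":
            if user in self.local_users:
                st.suspended = True       # stays locked until unsuspend() is called
                return "suspended"
            return "failed"               # permanent lockout never applies to external users
        # temporary mode: each further failure doubles the wait, up to the cap
        if st.wait == 0:
            st.wait = self.policy.wait_seconds
        else:
            st.wait = min(st.wait * 2, self.policy.max_wait_seconds)
        st.locked_until = now + st.wait
        return "locked"

    def unsuspend(self, user: str) -> None:
        """Administrator action that clears a permanent lockout."""
        st = self.state.setdefault(user, AccountState())
        st.suspended = False
        st.failures = 0


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy("temporary"), {"alice": "pw"}, {"alice"})
    for t in (0, 1, 2, 30, 62, 182, 422, 902, 1802):
        print(t, guard.login("alice", "bad", t), guard.state["alice"].wait)
    print(2702, guard.login("alice", "pw", 2702))
```

In temporary mode the third failure at t=2 locks the account for 60 s; the attempt at t=30 is rejected without being checked, the failure at t=62 locks for 120 s, and the interval keeps doubling until it reaches the 900 s cap. In permanent mode the same three failures suspend a local user, while an external user only keeps receiving "failed".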
OAUTH2 user activity logging
The NSP logs OAUTH2 activity for events such as user login, user logout, and system configuration changes, and can forward the log entries to a third-party processing system.
The log forwarding requires the following to be enabled in the NSP configuration file: