The following parameters are common to CAS and OAUTH2 authentication. |
authMode |
Authentication mode; the two modes described in this reference are CAS and OAUTH2
Values: cas/oauth2
Default: oauth2 |
hsts |
Whether to send HSTS headers, which tell client browsers to connect only over HTTPS and to refuse the connection on a certificate error instead of offering a click-through
Default: false |
session — CAS authentication parameters (deprecated)
Note: The parameters in this block are specific to CAS authentication, and are absent from the nsp-config.yml file in a new or upgraded deployment. |
concurrentLimitsEnabled |
Whether a maximum concurrent session limit is enabled
Values: true/false |
maxSessionsPerUser |
Maximum number of concurrent sessions per user; does not apply to the admin group
Default: 10 |
maxSessionsForAdmin |
Maximum number of concurrent sessions for users in admin group
Default: 10 |
The following parameters are specific to OAUTH2 authentication.
Note: The sessionIdleTimeout value must be equal to or higher than the accessTokenLifespan value; otherwise a session can be terminated while its access token is still valid, and NSP client access may be impaired. The NSP checks the two settings against each other during deployment; however, sessionIdleTimeout can be changed after installation using NSP Users and Security, where that deployment-time check does not apply, so care must be taken to keep the value appropriate. |
sessionIdleTimeout |
Number of minutes after which to terminate an idle GUI-client session
Default: 60 |
accessTokenLifespan |
Client access-token validity duration, in minutes
Default: 60 |
bruteForceDetection parameters
The parameters in this block are specific to OAUTH2 authentication. |
|
enabled |
Whether to enable brute-force protection
Default: true |
permanentLockout |
Whether to lock the user out permanently, instead of temporarily, once maxLoginFailures login failures are reached
Default: false |
maxLoginFailures |
Number of allowed login failures before temporary or permanent lockout
Default: 5 |
waitIncrement |
Temporary lockout time, in seconds, applied when maxLoginFailures failed login attempts are reached; repeated lockouts grow by this increment, up to maxWait
Default: 60 |
quickCheck |
Window, in milliseconds: two consecutive login failures within this interval trigger the lockout period defined by minQuickWait
Default: 1000 |
minQuickWait |
Lockout duration, in seconds, applied on a quickCheck violation
Default: 60 |
maxWait |
Maximum temporary lockout duration, in minutes
Default: 15 |
failureResetTime |
Number of hours after which to reset the login-failure counts
Default: 12 |
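The lockout schedule that the bruteForceDetection parameters above produce is easier to judge from a run than from the table. The following is an added example, not NSP or Keycloak code: it takes the parameter names and defaults from the table and applies one straightforward reading of their descriptions (the points marked "Assumption" in the comments, in particular that every further block of maxLoginFailures failures adds another waitIncrement and that attempts made during a lockout are rejected without being counted). Time is passed in explicitly, so the script runs offline.

```python
"""Model of the OAUTH2 bruteForceDetection lockout schedule (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BruteForceConfig:
    # Defaults exactly as listed in the reference table.
    enabled: bool = True
    permanentLockout: bool = False
    maxLoginFailures: int = 5
    waitIncrement: int = 60       # seconds
    quickCheck: int = 1000        # milliseconds
    minQuickWait: int = 60        # seconds
    maxWait: int = 15             # minutes
    failureResetTime: int = 12    # hours


@dataclass
class UserState:
    failures: int = 0
    last_failure_ms: Optional[int] = None
    locked_until_ms: int = 0
    permanent: bool = False


class BruteForceModel:
    PERMANENT = -1   # sentinel returned once permanentLockout has triggered

    def __init__(self, cfg: BruteForceConfig) -> None:
        self.cfg = cfg
        self.users: Dict[str, UserState] = {}

    def is_locked(self, user: str, now_ms: int) -> bool:
        st = self.users.get(user)
        if st is None or not self.cfg.enabled:
            return False
        return st.permanent or now_ms < st.locked_until_ms

    def record_failure(self, user: str, now_ms: int) -> int:
        """Register one failed login at now_ms; return the lockout applied in
        seconds (0 = none, PERMANENT = permanent lockout)."""
        cfg = self.cfg
        st = self.users.setdefault(user, UserState())
        if not cfg.enabled:
            return 0
        quick = False
        if st.last_failure_ms is not None:
            gap_ms = now_ms - st.last_failure_ms
            # failureResetTime: failures older than the window are forgotten.
            if gap_ms > cfg.failureResetTime * 3600 * 1000:
                st.failures = 0
            # quickCheck: two consecutive failures inside quickCheck milliseconds.
            quick = gap_ms < cfg.quickCheck
        st.failures += 1
        st.last_failure_ms = now_ms
        wait_s = 0
        if st.failures >= cfg.maxLoginFailures:
            if cfg.permanentLockout:
                st.permanent = True
                return self.PERMANENT
            # Assumption: each further block of maxLoginFailures failures adds
            # another waitIncrement; maxWait (minutes) caps the result.
            wait_s = min(cfg.waitIncrement * (st.failures // cfg.maxLoginFailures),
                         cfg.maxWait * 60)
        if quick:
            wait_s = max(wait_s, cfg.minQuickWait)
        if wait_s:
            st.locked_until_ms = now_ms + wait_s * 1000
        return wait_s

    def attempt(self, user: str, now_ms: int, password_ok: bool) -> str:
        """Decision for one login attempt. Assumption: attempts made while
        locked are rejected without touching the failure counters."""
        if self.is_locked(user, now_ms):
            return "rejected: account locked"
        if password_ok:
            self.users.pop(user, None)   # a successful login clears the record
            return "ok"
        wait_s = self.record_failure(user, now_ms)
        if wait_s == self.PERMANENT:
            return "failed: permanent lockout"
        return f"failed: locked for {wait_s}s" if wait_s else "failed"


def lockout_schedule(cfg: BruteForceConfig, n_failures: int, spacing_s: int):
    """Lockout applied after each of n_failures failures, spacing_s apart, for
    an attacker who waits out every lockout before the next attempt."""
    model, user, now_ms, out = BruteForceModel(cfg), "target", 0, []
    for _ in range(n_failures):
        now_ms = max(now_ms + spacing_s * 1000,
                     model.users.get(user, UserState()).locked_until_ms)
        out.append(model.record_failure(user, now_ms))
    return out


if __name__ == "__main__":
    print("defaults, 10 s apart:", lockout_schedule(BruteForceConfig(), 80, 10))
    m = BruteForceModel(BruteForceConfig())
    print("two failures 500 ms apart:", m.attempt("u", 0, False), "/", m.attempt("u", 500, False))
```

With the defaults, the fifth failure brings a 60 s lockout, every fifth failure after that adds another 60 s, and the cap of 15 minutes is reached at the 75th failure; a pair of failures inside one second triggers minQuickWait immediately. Setting permanentLockout to true turns the fifth failure into a denial-of-service lever for anyone who knows a username, which is why the table defaults it to false.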
nfmp — NFM-P authentication parameters
The parameters in this block are common to CAS and OAUTH2 authentication. |
enabled |
Whether NFM-P is to perform user authentication
Default: true if using CAS and deployment includes NFM-P; false otherwise |
realms |
NFM-P realm list
Note: The realm parameters are defunct, and are not to be configured. |
|
realm |
NFM-P authentication realm name; first realm must be named “sam”
Default: sam |
display_name |
Realm name to display in NSP UI
Default: NFM-P 1 |
ldap — CAS LDAP parameters
The parameters in this block are specific to CAS authentication. |
enabled |
Whether LDAP is to be used for authentication
Default: false |
servers |
List of LDAP servers; specify a server using the parameters below |
|
type |
LDAP server type; valid values are:
- AD
- ANONYMOUS
- AUTHENTICATED
Note: The AD and ANONYMOUS types do not allow the use of group search filters, so a user must belong to only the group specified by groupBaseDn. The AUTHENTICATED type requires bind credentials for LDAP querying, and allows the use of groupSearch filters. |
url |
LDAP server URL with IP address or hostname and port
Default: none |
security |
Type of LDAP server security
Values: SSL/STARTTLS/NONE |
timeout |
Timeout period, in seconds, for receiving an authentication response
Default: 10 |
userBaseDn |
User base dn value |
userFilter |
Filter criteria for username, for example, cn, uid, or userPrincipalName |
groupBaseDn |
The DN that contains the applicable NSP groups.
Note: Used for further refining the groups returned by the server |
groupSearch |
Custom group search options
Note: Can also be used for custom searches or further group filtering |
|
filter |
Group search filter criteria; must resolve to exactly one group for NSP authorization
Default: none |
attributeId |
Group attribute that identifies the NSP group name
Default: none
Note: In most cases, CN is adequate |
bind |
LDAP bind credentials for authenticated access only |
|
dn |
User with authority to bind to LDAP server
Default: none |
credential |
Password of bind user
Note: The password must be enclosed in double quotation marks.
Default: none |
minPoolSize |
Minimum pool size
Default: 0 |
maxPoolSize |
Maximum pool size
Default: 10 |
useEntryResolver |
Whether an entry resolver is to be used for extracting additional user information
Default: false |
principalAttributes |
|
username |
Optional username attribute |
first_name |
Optional first-name attribute |
last_name |
Optional last-name attribute |
email |
Optional e-mail attribute |
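The groupSearch filter for the AUTHENTICATED server type must resolve to exactly one group under groupBaseDn, and the attributeId value of that group becomes the NSP group name. The following added example (not NSP code) checks a candidate filter against constructed directory entries before it is committed to nsp-config.yml. The filter evaluator covers the RFC 4515 subset that typical group filters use (&, |, !, equality and presence) and is an assumption about what is sufficient; it is meant as a dry run, so confirm the same filter with ldapsearch against the real directory.

```python
"""Dry run of a CAS groupSearch filter: exactly one group under groupBaseDn (added example)."""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute -> values; "dn" holds the entry DN


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, subs), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return ("!", [node]), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")      # first '=' splits; DN-valued filters keep their '='
    return ("=", attr.strip().lower(), value.strip()), j + 1


def parse_filter(s: str) -> tuple:
    node, end = _parse(s.strip(), 0)
    if end != len(s.strip()):
        raise ValueError(f"trailing characters in filter {s!r}")
    return node


def matches(node: tuple, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if value == "*":                                     # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # case-insensitive match


def _norm(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))


def _under(dn: str, base_dn: str) -> bool:
    return _norm(dn) == _norm(base_dn) or _norm(dn).endswith("," + _norm(base_dn))


def resolve_nsp_group(directory: List[Entry], group_base_dn: str,
                      group_filter: str, attribute_id: str) -> str:
    """Return the NSP group name, or raise if the filter does not resolve to
    exactly one group under groupBaseDn, which is what the table requires."""
    node = parse_filter(group_filter)
    hits = [e for e in directory if _under(e["dn"][0], group_base_dn) and matches(node, e)]
    if len(hits) != 1:
        raise ValueError(f"filter {group_filter!r} matched {len(hits)} groups under "
                         f"{group_base_dn!r}; NSP needs exactly one")
    names = [v for k, vs in hits[0].items() if k.lower() == attribute_id.lower() for v in vs]
    if not names:
        raise ValueError(f"matched group has no {attribute_id!r} attribute")
    return names[0]


# Constructed directory: two NSP groups under groupBaseDn and one unrelated group outside it.
DIRECTORY: List[Entry] = [
    {"dn": ["cn=nsp-admins,ou=nsp,dc=example,dc=com"], "cn": ["nsp-admins"],
     "objectClass": ["groupOfNames"], "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    {"dn": ["cn=nsp-operators,ou=nsp,dc=example,dc=com"], "cn": ["nsp-operators"],
     "objectClass": ["groupOfNames"],
     "member": ["uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"]},
    {"dn": ["cn=vpn-users,ou=network,dc=example,dc=com"], "cn": ["vpn-users"],
     "objectClass": ["groupOfNames"], "member": ["uid=bob,ou=people,dc=example,dc=com"]},
]
GROUP_BASE_DN = "ou=nsp,dc=example,dc=com"

if __name__ == "__main__":
    # bob is in exactly one NSP group; alice is in two, which NSP rejects.
    bob = "(&(objectClass=groupOfNames)(member=uid=bob,ou=people,dc=example,dc=com))"
    print(resolve_nsp_group(DIRECTORY, GROUP_BASE_DN, bob, "cn"))
```

The two failure cases worth exercising are a user who is a member of two NSP groups (the filter matches twice) and a group that exists but sits outside groupBaseDn (the filter matches nowhere); both leave the user without an NSP group even though the directory itself looks fine.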
ldap — OAUTH2 LDAP parameters
The parameters in this block are specific to OAUTH2 authentication. |
enabled |
Whether LDAP is to be used for authentication
Default: false |
servers |
List of LDAP servers; specify a server using the parameters below |
|
type |
LDAP server type; valid values are:
|
name |
LDAP server name; text string |
url |
LDAP server URL with IP address or hostname and port, for example:
ldap://203.0.113.172:389
Default: none |
priority |
LDAP server priority, 0 is highest
Default: 0 |
usernameLdapAttribute |
LDAP attribute to map to OAUTH2 username, for example, cn, uid, or userPrincipalName |
rdnLdapAttribute |
LDAP attribute to use as rdn for typical user dn, typically cn |
uuidLdapAttribute |
LDAP attribute that uniquely identifies LDAP objects |
userObjectClasses |
Comma-separated list of user objectClasses |
customUserLdapFilter |
Additional filter for user searches |
searchScope |
Scope of user search in userDn; valid values are:
|
security |
LDAP server security type; valid values are:
|
timeout |
Timeout period for receiving LDAP server response, in milliseconds
Default: 5000 |
userDn |
DN of LDAP tree in which to find users |
userFilter |
User filter criteria |
groupDn |
DN of LDAP tree in which to find groups |
groupNameLdapAttribute |
LDAP attribute to map to user group |
groupsLdapFilter |
Groups filter criteria |
groupObjectClasses |
Comma-separated list of objectClasses for groups |
groupMembershipLdapAttribute |
Group attribute for user search |
groupMembershipUserLdapAttribute |
Username attribute in group membership |
groupMemberOfLdapAttribute |
User attribute that indicates group membership, usually memberOf |
bind |
LDAP bind credentials; for AUTHENTICATED server type only |
dn |
Bind user DN |
credential |
Bind user credential |
radius — RADIUS parameters
The parameters in this block are common to CAS and OAUTH2 authentication, with noted exceptions. |
enabled |
Whether RADIUS is to be used for authentication
Default: none |
address |
CAS—comma-separated list of RADIUS-server IP addresses or hostnames
OAUTH2—comma-separated list of colon-separated RADIUS-server IP addresses or hostnames and ports; for example:
203.0.113.150:1812,radius-server-a:1812
Default: none |
secret |
CAS—comma-separated list of shared server secrets enclosed in double quotation marks; for example:
"secret1,secret2"
CAS requires a separate secret entry for each RADIUS server in the configuration
OAUTH2—one shared server secret, used for each RADIUS server in the configuration
Default: none |
protocol |
Protocol to use—PAP or CHAP
Default: none |
retries |
Maximum number of attempts to reach server
Default: 3 |
timeout |
CAS—timeout, in seconds, for RADIUS-server connection attempts
Default: 60
OAUTH2—timeout, in milliseconds, for RADIUS-server connection attempts
Default: 5000 |
failoverOnException
(CAS only) |
Whether second server is tried if first server fails with exception
Default: none |
failoverOnRejection
(CAS only) |
Whether second server is tried if first server fails with rejection
Default: none |
authenticationPort
(CAS only) |
RADIUS port
Default: 1812 |
vendorId |
Vendor ID for VSA search
Default: 123 |
roleVsaId |
VSA ID used to identify group
Default: 3 |
mfa
(CAS only) |
Whether multi-factor authentication, or MFA, is enabled
Note: MFA is always enabled in OAUTH2 RADIUS.
Default: false |
nasId |
ID of the RADIUS Network Access Server (optional) |
nasIp |
IP address of the RADIUS Network Access Server (optional) |
nasIpv6 |
IPv6 address of the RADIUS Network Access Server (optional) |
tacacs — TACACS+ parameters
The parameters in this block are common to CAS and OAUTH2 authentication, with noted exceptions. |
enabled |
Whether TACACS+ authentication is to be used
Default: none |
address |
CAS—comma-separated list of TACACS+-server IP addresses or hostnames
OAUTH2—comma-separated list of colon-separated TACACS+-server IP addresses or hostnames and ports; for example:
203.0.113.167:49,tacacs-server-a:49
Default: none |
secret |
CAS—comma-separated list of shared server secrets enclosed in double quotation marks; for example:
"secret1,secret2"
CAS requires a separate secret entry for each TACACS+ server in the configuration
OAUTH2—one shared server secret, used for each TACACS+ server in the configuration
Default: none |
protocol |
Protocol to use
Default: PAP |
timeout |
CAS—timeout, in seconds, for TACACS+-server connection attempts
Default: 7
OAUTH2—timeout, in milliseconds, for TACACS+-server connection attempts
Default: 7000 |
failoverOnException
(CAS only) |
Whether second server is tried if first server fails with exception
Default: none |
failoverOnRejection
(CAS only) |
Whether second server is tried if first server fails with rejection
Default: none |
authenticationPort
(CAS only) |
TACACS+ port
Default: 49 |
defaultGroup |
Default group to assign if no group is defined on remote server for user
The group is assigned to a TACACS+ user if the vsaEnabled parameter is set to false.
Default: none |
vsaEnabled |
Whether VSA search is enabled
If set to true, a user group attribute is expected in the user authentication response.
Default: true |
roleVsaId |
Role used for VSA search
Default: sam-security-group |
vsaServiceId |
VSA search service identifier
Default: sam-app |
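The radius and tacacs blocks above take different address and secret formats depending on authMode, and the OAUTH2 session block earlier requires sessionIdleTimeout to be at least accessTokenLifespan. The following added example (not an NSP tool) turns those stated rules into a pre-deployment lint and runs it over constructed samples. The flat dict layout, the literal authMode values "cas" and "oauth2", and the hsts warning (an editor's hardening recommendation rather than a rule from the table) are assumptions; map the lookups onto the real nsp-config.yml structure.

```python
"""Lint for the CAS/OAUTH2 RADIUS, TACACS+ and session parameters (added example)."""
import re
from typing import Dict, List, Optional, Tuple

HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")                    # CAS: bare IP or hostname
HOST_PORT_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.\-]*):(\d{1,5})$")    # OAUTH2: host:port


def _csv(value) -> List[str]:
    return [v.strip() for v in str(value or "").split(",") if v.strip()]


def check_remote_auth(name: str, block: Dict, mode: str,
                      protocols: Optional[Tuple[str, ...]], findings: List[str]) -> None:
    """Address, secret and protocol rules for one radius or tacacs block."""
    if not block.get("enabled"):
        return
    addrs, secrets = _csv(block.get("address")), _csv(block.get("secret"))
    if not addrs:
        findings.append(f"{name}: enabled but address is empty")
    for a in addrs:
        if mode == "oauth2":
            m = HOST_PORT_RE.match(a)
            if not m or not 1 <= int(m.group(2)) <= 65535:
                findings.append(f"{name}: OAUTH2 address {a!r} must be host:port")
        elif not HOST_RE.match(a):
            findings.append(f"{name}: CAS address {a!r} must be a bare IP or hostname")
    if mode == "cas" and len(secrets) != len(addrs):
        findings.append(f"{name}: CAS needs one secret per server "
                        f"({len(addrs)} servers, {len(secrets)} secrets)")
    if mode == "oauth2" and len(secrets) != 1:
        findings.append(f"{name}: OAUTH2 takes exactly one shared secret")
    proto = block.get("protocol")
    if protocols and proto not in protocols:
        findings.append(f"{name}: protocol {proto!r} is not one of {protocols}")


def lint(cfg: Dict) -> List[str]:
    findings: List[str] = []
    mode = str(cfg.get("authMode", "oauth2")).lower()
    if mode not in ("cas", "oauth2"):
        findings.append(f"authMode {mode!r} is neither cas nor oauth2")
    if not cfg.get("hsts", False):
        findings.append("hsts is false: browsers are not forced onto HTTPS (recommendation)")
    if mode == "oauth2":   # these two parameters are OAUTH2-specific
        idle = int(cfg.get("sessionIdleTimeout", 60))
        life = int(cfg.get("accessTokenLifespan", 60))
        if idle < life:
            findings.append(f"sessionIdleTimeout {idle} min is below accessTokenLifespan {life} min")
    if "radius" in cfg:
        check_remote_auth("radius", cfg["radius"], mode, ("PAP", "CHAP"), findings)
    if "tacacs" in cfg:
        check_remote_auth("tacacs", cfg["tacacs"], mode, None, findings)
    return findings


# Constructed samples using documentation addresses.
GOOD_OAUTH2 = {
    "authMode": "oauth2", "hsts": True,
    "sessionIdleTimeout": 60, "accessTokenLifespan": 60,
    "radius": {"enabled": True, "address": "203.0.113.150:1812,radius-server-a:1812",
               "secret": "radius-shared", "protocol": "PAP"},
    "tacacs": {"enabled": True, "address": "203.0.113.167:49",
               "secret": "tacacs-shared", "protocol": "PAP"},
}
BAD_OAUTH2 = {
    "authMode": "oauth2", "hsts": False,
    "sessionIdleTimeout": 30, "accessTokenLifespan": 60,            # session dies before the token
    "radius": {"enabled": True, "address": "203.0.113.150,radius-server-a",   # CAS style, no ports
               "secret": "one,two", "protocol": "MSCHAP"},            # two secrets, unknown protocol
}
BAD_CAS = {
    "authMode": "cas", "hsts": True,
    "radius": {"enabled": True, "address": "203.0.113.150,203.0.113.151:1812",
               "secret": "only-one", "protocol": "CHAP"},             # stray port, one secret for two servers
}

if __name__ == "__main__":
    for label, sample in (("good", GOOD_OAUTH2), ("bad oauth2", BAD_OAUTH2), ("bad cas", BAD_CAS)):
        print(label, "->", lint(sample) or ["clean"])
```

The secret-count rule matters under CAS because a missing entry silently pairs the wrong secret with a server, which shows up only as authentication failures against that server.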
throttling — user login throttling parameters
Note: The parameters in this block are specific to CAS authentication, and are absent from the nsp-config.yml file in a new or upgraded deployment. |
enabled |
Whether to enable login throttling
Values: true/false |
rateThreshold |
Login failure threshold used for calculating the login failure rate; see the rateSeconds parameter
Default: 3 |
rateSeconds |
Number of seconds used for calculating the login failure rate; the rate is exceeded if a login attempt comes within rateSeconds/rateThreshold seconds (3 seconds with the defaults) of a previous failed login attempt
Default: 9 |
lockoutPeriod |
Number of seconds to wait, after the throttling threshold is exceeded, before another authentication attempt for the same user and source-address combination is accepted
Default: 5 |
login_failure — user login failure parameters
Note: The parameters in this block are specific to CAS authentication, and are absent from the nsp-config.yml file in a new or upgraded deployment. |
enabled |
Whether to lock out users who have more consecutive login failures than specified by the threshold parameter
Values: true/false |
threshold |
Maximum number of consecutive login failures before user lockout
Default: 3 |
lockoutMinutes |
Number of minutes to lock the user out after the threshold parameter value is exceeded
Default: 1 |