NSP user authentication functions
Local and remote user management
NSP Users and Security is the interface for local user creation and administration, and supports the import of NFM-P users to the local user database, as described in Migrating from CAS to OAUTH2.
NSP username convention
To be valid for NSP access, a local or remote authentication source username must consist of lowercase characters only, for example, johndoe. The convention is enforced as follows:
- You cannot create a local username that includes an uppercase character.
- The NSP cannot authenticate a remote authentication source username that includes uppercase characters: during NSP login, the entered username is converted to lowercase before authentication is attempted, so it can never match a remote account name that contains uppercase characters.
NSP remote authentication
You can define multiple LDAP, RADIUS, and TACACS+ remote authentication sources.
The NSP first attempts to verify a set of user credentials against the local user database. If the user account is not found in the local database, or the supplied password does not match the local account, the same credentials are then verified against the remote authentication sources, in the priority order described below.
Note: During a remote user login attempt, if the remote authentication source returns a user group that does not exist in the NSP, the user is denied NSP access.
Note: Remote authentication servers can communicate with the NSP using IPv4 or IPv6.
NSP remote authentication has the following characteristics.
- You can define multiple servers for each type of remote authentication source, for example, two LDAP servers.
- RADIUS and TACACS+ authentication sources cannot be used in the same OAUTH2 deployment; a deployment uses one or the other.
- LDAP immediately follows local user authentication in priority, and always takes priority over RADIUS or TACACS+.
- RADIUS or TACACS+ is always the last authentication source to be tried.
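The following Python script is an added example and is not part of the NSP documentation or product code. It simulates the authentication order described above: the lowercase conversion of the entered username, the fall-through from the local database to the LDAP servers and then to RADIUS or TACACS+, the denial of a remote user whose returned group does not exist in the NSP, and the rule that RADIUS and TACACS+ cannot both be configured. The Source and Deployment classes, the credential stores, the group names and the sample users are all constructed for the illustration.

```python
"""Added example (not NSP product code): a simulation of the NSP
authentication order. Credential stores, groups and users are constructed."""
from dataclasses import dataclass, field


@dataclass
class Source:
    kind: str    # "local", "ldap", "radius" or "tacacs"
    users: dict  # constructed store: username -> (password, user group)


@dataclass
class Deployment:
    nsp_groups: set                 # user groups that exist in the NSP
    local: Source                   # the local user database
    ldap_servers: list = field(default_factory=list)
    radius_servers: list = field(default_factory=list)
    tacacs_servers: list = field(default_factory=list)

    def __post_init__(self):
        # RADIUS and TACACS+ cannot be used in the same OAUTH2 deployment.
        if self.radius_servers and self.tacacs_servers:
            raise ValueError("RADIUS and TACACS+ cannot both be configured")

    def ordered_sources(self):
        # Local database first, then every LDAP server, then RADIUS or
        # TACACS+ (whichever is configured) as the last source tried.
        return ([self.local] + self.ldap_servers
                + self.radius_servers + self.tacacs_servers)


def check_source(source, username, password):
    """Stub lookup: return the user group on success, None otherwise."""
    entry = source.users.get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def login(deployment, entered_username, password):
    """Return (decision, source kind, detail) for one login attempt."""
    # The entered username is lowercased before any source is consulted,
    # so a remote account stored with uppercase characters can never match.
    username = entered_username.lower()
    for source in deployment.ordered_sources():
        group = check_source(source, username, password)
        if group is None:
            # Not found, or wrong password: fall through to the next source.
            # A wrong password for a local account therefore still lets the
            # same name be tried against the remote sources.
            continue
        if source.kind != "local" and group not in deployment.nsp_groups:
            return ("denied", source.kind, f"group {group!r} does not exist in NSP")
        return ("granted", source.kind, group)
    return ("denied", None, "no authentication source accepted the credentials")


def build_sample_deployment():
    """Constructed deployment: local DB, two LDAP servers, one RADIUS server."""
    local = Source("local", {"alice": ("alice-pw", "admin"),
                             "bob": ("bob-local-pw", "operator")})
    ldap1 = Source("ldap", {"bob": ("bob-ldap-pw", "operator"),
                            "carol": ("carol-pw", "netops")})  # netops: not an NSP group
    ldap2 = Source("ldap", {"dave": ("dave-pw", "viewer")})
    radius = Source("radius", {"erin": ("erin-pw", "viewer"),
                               "Frank": ("frank-pw", "viewer")})  # uppercase: unreachable
    return Deployment(nsp_groups={"admin", "operator", "viewer"},
                      local=local, ldap_servers=[ldap1, ldap2],
                      radius_servers=[radius])


if __name__ == "__main__":
    d = build_sample_deployment()
    for name, pw in [("alice", "alice-pw"), ("bob", "bob-ldap-pw"),
                     ("carol", "carol-pw"), ("ERIN", "erin-pw"),
                     ("Frank", "frank-pw")]:
        print(name, "->", login(d, name, pw))
```

Running the script shows bob authenticating through LDAP even though a local account of the same name rejected the password, carol being denied for a group the NSP does not know, ERIN succeeding because the name is lowercased, and Frank never matching because the RADIUS account name contains an uppercase character.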
NSP login protection
NSP Users and Security provides functions for temporarily or permanently locking out users after repeated login failures. Login failure management is configured during NSP deployment.
Temporary and permanent user lockout are mutually exclusive: if user lockout is enforced, only one of the two mechanisms can be active at any time.
Note: Temporary user lockout is enabled by default.
User login failures and permanent lockout
OAUTH2 can automatically lock out a user after a specified number of consecutive login failures. The user is prevented from logging in until an administrator unsuspends the user account. The user lockout applies only to local NSP users, and not to users defined in external authentication sources.
User login throttling and temporary lockout
A user that reaches a specified number of consecutive failed login attempts can be temporarily disabled for a specified wait interval. During the wait interval, further login attempts by the user are not processed. After the wait interval, OAUTH2 processes new login attempts by the user. If the user login attempts continue to fail, the login attempts are subsequently disabled for incrementally longer periods, up to a configurable maximum.
Note: Temporary lockout applies to local and external authentication source users.
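The following Python script is an added example and is not part of the NSP documentation or product code. It models the two lockout mechanisms described above: permanent lockout, which suspends a local user until an administrator unsuspends the account and does not apply to external users, and temporary lockout, which stops processing a user's attempts for a wait interval that grows with continued failures up to a configurable maximum and applies to local and external users alike. The failure threshold, the first wait interval, the doubling of the wait interval after each further failure, the cap, and the per-user external flag are assumptions made for the illustration; the page gives no specific values or growth rule.

```python
"""Added example (not NSP product code): a model of the temporary and
permanent lockout behaviour. Thresholds, the doubling of the wait
interval and the per-user 'external' flag are assumptions."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    mode: str = "temporary"      # "temporary" (the default) or "permanent"; never both
    max_failures: int = 3        # consecutive failures before lockout (assumed value)
    wait_seconds: int = 60       # first temporary wait interval (assumed value)
    max_wait_seconds: int = 900  # configurable cap on the wait interval (assumed value)

    def __post_init__(self):
        if self.mode not in ("temporary", "permanent"):
            raise ValueError("exactly one of temporary or permanent lockout is active")


@dataclass
class UserState:
    external: bool = False   # True for LDAP, RADIUS or TACACS+ users
    failures: int = 0        # consecutive failed attempts that were processed
    locked_until: int = 0    # temporary lockout expiry (same clock as `now`)
    suspended: bool = False  # permanent lockout; cleared only by an administrator


class LoginProtector:
    def __init__(self, policy):
        self.policy = policy
        self.users = {}

    def register(self, username, external=False):
        self.users[username] = UserState(external=external)

    def attempt(self, username, password_ok, now):
        """Process one login attempt at time `now`.

        Returns (outcome, seconds): "granted", "failed", "throttled" (the
        attempt is not processed; seconds until it would be), "locked" (a
        temporary lockout was just imposed; its length) or "suspended"
        (permanent lockout; an administrator must unsuspend the account).
        """
        p = self.policy
        u = self.users.setdefault(username, UserState())
        if u.suspended:
            return ("suspended", 0)
        if now < u.locked_until:
            # During the wait interval the attempt is not processed at all,
            # so it neither succeeds nor counts as a further failure.
            return ("throttled", u.locked_until - now)
        if password_ok:
            u.failures = 0            # a successful login resets the counter
            return ("granted", 0)
        u.failures += 1
        if u.failures < p.max_failures:
            return ("failed", 0)
        if p.mode == "permanent":
            if u.external:
                return ("failed", 0)  # permanent lockout applies to local users only
            u.suspended = True
            return ("suspended", 0)
        # Temporary mode (local and external users alike): the threshold
        # failure imposes wait_seconds; each further failure after a wait has
        # expired doubles it (assumed progression), up to the configured cap.
        wait = min(p.wait_seconds * 2 ** (u.failures - p.max_failures),
                   p.max_wait_seconds)
        u.locked_until = now + wait
        return ("locked", wait)

    def unsuspend(self, username):
        """Administrator action that ends a permanent lockout."""
        u = self.users.setdefault(username, UserState())
        u.suspended = False
        u.failures = 0


if __name__ == "__main__":
    guard = LoginProtector(LockoutPolicy())          # temporary lockout, the default
    guard.register("alice")
    for t in (0, 1, 2, 30, 62, 200, 500, 1000, 2000):
        print(t, guard.attempt("alice", t == 2000, t))
```

The demonstration run shows three failures producing a 60 s lockout, an attempt at 30 s being refused without being counted, and each later failure doubling the wait until the 900 s cap, after which a correct password clears the state.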