Sample: how do I configure NFM-P user authentication?

Use case

Figure 9-1, Sample NFM-P user and user group authentication shows an example of how NFM-P performs user and user group authentication.

Note: RADIUS and TACACS+ authentication servers support multiple users. If the NFM-P cannot reach the first authentication server, the NFM-P sequentially attempts the user authentication using the remaining authentication servers.

If user authentication fails against the first authentication server in a sequence, for example, because of an incorrect password, there is no attempt to authenticate the user against the next authentication server in the sequence.

The NFM-P session log records unsuccessful user authentication attempts for known and unknown users. A user that is defined on an external AAA server but not in the NFM-P.

Figure 9-1: Sample NFM-P user and user group authentication

The following table lists the high-level tasks required to configure this sample.

Table 9-5: Sample NFM-P user authentication configuration

Task	Description
Pre-configurations	Ensure correct RADIUS or TACACS+ server configuration, according to your company requirements. PAP authentication is supported for RADIUS and TACACS+. The NFM-P must be able to communicate with the authentication servers to validate users. All configuration tasks require admin user privileges. The NFM-P server IP address must be configured as the client of the RADIUS or TACACS+ server. The NFM-P and RADIUS or TACACS+ server secret keys must match.
1. Configure the remote authentication order for all users	Choose Administration→Security→NFM-P Remote User Authentication from the NFM-P main menu. Set the authentication order parameters to the following, and then specify the RADIUS and TACACS+ servers on the RADIUS and TACACS tabs. Authentication Order 1—radius Authentication Order 2—tacplus Authentication Order 3—local
2. Create scope of command profiles	Choose Administration→Security→NFM-P User Security from the NFM-P main menu. Create a CLI scope of command profile and assign the default CLI management role to the profile. Create at least one scope of command profile that does not allow CLI access by assigning the default scope of command role, which has no access permissions to CLI management.
3. Create and configure user groups	Choose Administration→Security→NFM-P User Security from the NFM-P main menu. Create a CLI user group and at least one user group that does not allow CLI access. Assign the scope of command profile with CLI management access to the CLI user group. Assign the scope of command profile without CLI management access to the user group without CLI access. Authorization is done using user groups, so each user must belong to a user group with a local account on the NFM-P.
4. Create and configure user accounts	You can create local NFM-P user accounts by performing the following steps, or define remote users using RADIUS and TACACS+. The local accounts are available when RADIUS or TACACS+ authentication is not available. Choose Administration→Security→NFM-P User Security from the NFM-P main menu. Create users. Assign the appropriate user group to restrict or allow CLI access to each user.
5.Configure notification	Choose Administration→Security→NFM-P User Security from the NFM-P main menu. Configure the authentication failure action parameters, including the parameters that allow the e-mail account of the administrator to be notified after login failure.

Consider the following:

The NFM-P acts as a network access server. A network access server is considered a client of a remote access server.
The sequence of activity between the NFM-P, which is the authentication client, and the remote server, which is the authentication server, is the following:
- client requests authentication
- server replies to authentication request
- client requests logout and authentication stops
When the remote authentication servers are down and local authentication is used, the user must log in using NFM-P credentials, as described in Combined local and remote authentication .