Enabling PIV/CAC Authentication in LiveWire
Local User Management
When a directory server is not available, local accounts may be used to allow users to log in. This method, however, is discouraged as it has various limitations and is difficult to manage in environments with multiple appliances.
To allow login, a local account must be created for each user on each appliance they are allowed to access. The local account name must match the username portion of the UPN contained in the user's certificate. The UPN has the format `username@domain`, much like an email address (in fact, in some scenarios, a user's UPN and email address are the same). The UPN can be retrieved by opening the user's certificate in a certificate viewer; numerous viewers are available on the Internet, or the Windows certificate viewer can be used. Note that the domain portion of the UPN is ignored in this scenario, so if two users have the same username but different domains, they will be indistinguishable from each other when logging in.
As an example, viewing the certificate from a specific NIST PIV test card, the UPN is given in the Subject Alternative Name extension as `32015465737401@upn.example.com`. Here, the username is the string of digits `32015465737401`. To allow this user to log in with a local account, create a local account on the LiveWire with the name `32015465737401`. It is important to note that, in this case, a local username composed of only digits is considered invalid in a Linux environment, so the creation of the local account must be forced. For this reason, the use of local accounts with PIV or CAC cards is discouraged.
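Before creating local accounts, it helps to check a list of UPNs for the two problems described above. The following is an added example, not LiveWire code: the function names and the two `jdoe` UPNs are constructed for illustration, and it assumes account names are compared exactly as written in the UPN.

```python
from collections import defaultdict

# Constructed sample input: the first UPN is the NIST PIV test card value
# quoted above; the two "jdoe" entries are made up to show a collision.
SAMPLE_UPNS = [
    "32015465737401@upn.example.com",
    "jdoe@east.example.com",
    "jdoe@west.example.com",
]


def split_upn(upn):
    """Split 'username@domain' into (username, domain)."""
    username, sep, domain = upn.strip().rpartition("@")
    if not sep or not username or not domain:
        raise ValueError(f"not a UPN: {upn!r}")
    # Domain is lowercased for reporting only; the username is kept as-is
    # (assumption: the local account name must match it exactly).
    return username, domain.lower()


def audit_upns(upns):
    """Report, per local account name, which UPN domains would share it."""
    domains = defaultdict(set)
    for upn in upns:
        username, domain = split_upn(upn)
        domains[username].add(domain)
    report = {}
    for username, doms in domains.items():
        report[username] = {
            "domains": sorted(doms),
            # The domain is ignored at login, so users whose UPNs differ
            # only by domain would be indistinguishable.
            "collision": len(doms) > 1,
            # Digits-only names are treated as invalid on Linux, so the
            # local account creation would have to be forced.
            "digits_only": username.isascii() and username.isdigit(),
        }
    return report


if __name__ == "__main__":
    for name, info in audit_upns(SAMPLE_UPNS).items():
        flags = [k for k in ("collision", "digits_only") if info[k]]
        print(f"{name}: domains={info['domains']} flags={flags or 'none'}")
```

Any name flagged `collision` maps more than one certificate holder to a single local account, so it should not be provisioned this way.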