Engine Configuration—Security
The Security view of the Capture Engine Configuration Wizard lets you set security and authentication settings.
• Authentication:
• Enable OS Authentication Only: Select this check box to use operating system authentication only and to disable all third-party authentication mechanisms.
• Enable Third-party Authentication: Select this check box to enable third-party authentication using an Active Directory, RADIUS, or TACACS+ authentication server. For more information on enabling Third-party authentication, see Third-party authentication with Capture Engines.
• Insert: Click to display the Edit Authentication Setting dialog, which allows you to name the setting and select from one of the following Third-party Authentication types:
• Active Directory: Select this type to enable Active Directory authentication, and then configure the host information: Host (domain controller) and Port settings (Capture Engine (Windows)); or Realm (domain controller) and KDC settings (Capture Engine (Linux)).
• RADIUS: Select this type to enable RADIUS authentication, and then configure the Host (IP address), Port, and Secret settings (select Hide Typing to hide the settings) for the RADIUS authentication server.
• TACACS+: Select this type to enable TACACS+ authentication, and then configure the Host (IP address), Port, and Secret settings (select Hide Typing to hide the settings) for the TACACS+ authentication server.
• Edit: Click to edit the selected authentication setting.
• Delete: Click to delete the selected authentication setting.
• Move Up: Click to move the selected authentication setting higher up in the list.
• Move Down: Click to move the selected authentication setting lower in the list.
NOTE: The order of the authentication settings in the list determines the order in which the authentication servers are tried.
Authentication settings are attempted in groups, in top-down order. For example, if the first setting at the top is a RADIUS setting, then all RADIUS settings in the list are attempted first, before the next group type in the list is attempted. If an authentication server cannot be reached because of an incorrect or unreachable server IP, an incorrect port, or an incorrect shared secret, then the next setting in the group is attempted. If communication with the authentication server is good, but the user cannot be authenticated because of an incorrect username, an incorrect password, or a disabled account, then the next group type is attempted (if authenticating a RADIUS or TACACS+ setting), or the next setting in the list is attempted (if authenticating an Active Directory setting).
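The fallback order described above can be traced with a small model. This is an added example, not code from the product; the setting names and outcomes are constructed sample data. It assumes that "next setting in the list" for Active Directory means the next setting in the grouped attempt order, and that an exhausted group falls through to the next group type.

```python
# Added example: models the fallback order described in the note above.
# Setting names and per-server outcomes are constructed sample data.
UNREACHABLE, REJECTED, ACCEPTED = "unreachable", "rejected", "accepted"

def group_order(settings):
    """Group settings by type; groups are ordered by first appearance in the list."""
    groups = {}
    for name, kind in settings:
        groups.setdefault(kind, []).append(name)
    return groups  # dicts keep insertion order

def simulate_login(settings, outcomes):
    """Return (names attempted in order, name that accepted the user or None)."""
    attempted = []
    for kind, names in group_order(settings).items():
        for name in names:
            attempted.append(name)
            result = outcomes[name]
            if result == ACCEPTED:
                return attempted, name
            if result == REJECTED and kind in ("RADIUS", "TACACS+"):
                break  # server answered and refused: skip the rest of this group
            # UNREACHABLE, or REJECTED by Active Directory (assumed): next setting
    return attempted, None

# Settings as they appear in the wizard list, top to bottom (constructed).
SETTINGS = [
    ("radius-a", "RADIUS"),
    ("ad-a", "Active Directory"),
    ("radius-b", "RADIUS"),
    ("tacacs-a", "TACACS+"),
    ("ad-b", "Active Directory"),
]

# Case 1: first RADIUS server is down, second refuses the user, AD accepts.
CASE_1 = {"radius-a": UNREACHABLE, "radius-b": REJECTED,
          "ad-a": REJECTED, "ad-b": ACCEPTED, "tacacs-a": REJECTED}

# Case 2: first RADIUS server refuses, so radius-b is never asked.
CASE_2 = {"radius-a": REJECTED, "radius-b": ACCEPTED,
          "ad-a": UNREACHABLE, "ad-b": REJECTED, "tacacs-a": ACCEPTED}

if __name__ == "__main__":
    for label, case in (("case 1", CASE_1), ("case 2", CASE_2)):
        print(label, simulate_login(SETTINGS, case))
```

In both cases a refusal by one group does not end the login, because a later group type is still consulted. An account that must be denied access therefore needs to be disabled on every authentication server in the list.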
NOTE: The Capture Engine operates within the security environment configured in the operating system. Refer to your operating system documentation for instructions on configuring security settings for your operating system.