About Security Settings
You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems. General security settings are under Settings > Security: General Settings.
Make sure to put the authentication methods in the order in which you want authentication to occur. If authorization fails on the first method, the next method is attempted, and so on, until all of the methods are attempted.
To set TACACS+ authorization levels (admin or read-only) to allow certain members of a group to log in, add this attribute to users on the TACACS+ server:
service = rbt-exec {
    local-user-name = "monitor"
}
where you replace monitor with admin for write access.
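The following is an added example, not from the Core documentation or from Riverbed, showing how a TACACS+ server could hand out the rbt-exec attribute per group so that one group gets read-only access and another gets write access. It assumes the Shrubbery tac_plus configuration syntax; the group names, user names, shared key and password hashes are constructed placeholders.

```conf
# Constructed tac_plus.conf fragment (assumption: Shrubbery tac_plus syntax).
# Each group sets the rbt-exec local-user-name once; users inherit it via "member".

# Shared secret; must match the TACACS+ key configured on the Core (placeholder).
key = "<SHARED-SECRET-PLACEHOLDER>"

# Read-only operators are mapped to the Core's "monitor" account.
group = core-readonly {
    service = rbt-exec {
        local-user-name = "monitor"
    }
}

# Administrators are mapped to the Core's "admin" account (write access).
group = core-admins {
    service = rbt-exec {
        local-user-name = "admin"
    }
}

# Constructed user in the read-only group.
user = noc-operator {
    member = core-readonly
    login = des "<DES-HASH-PLACEHOLDER>"
}

# Constructed user in the admin group.
user = net-admin {
    member = core-admins
    login = des "<DES-HASH-PLACEHOLDER>"
}
```

Note that if the Core's Authorization Policy is set to Local Only, the local-user-name attribute is ignored and the TACACS+ authenticated user receives the Default User privileges instead.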
Authentication Methods
Specifies the authentication method. Select an authentication method from the drop-down list. The methods are listed in the order in which they occur. If authorization fails on the first method, the next method is attempted, and so on, until all of the methods have been attempted.
For RADIUS/TACACS+, fallback only when servers are unavailable
Specifies that the Core falls back to a RADIUS or TACACS+ server only when all other servers don’t respond. This is the default setting. When this feature is disabled, the Core does not fall back to the RADIUS or TACACS+ servers. If it exhausts the other servers and does not get a response, it returns a server failure.
Safety Account
Creates a safety account so that admin or sys admin users can log in to the Core appliance even if remote authentication servers are unreachable. A safety account increases security and conforms to U.S. National Institute of Standards and Technology (NIST) requirements.
Only the selected safety account will be allowed to log in if the AAA server isn’t reachable. (Only one user can be assigned to the safety account.)
You can create a system administrator user under Administrator > Security: User Permissions.
Safety Account User
Selects the user from the drop-down list.
Authorization Policy
Appears only for some Authentication Methods. Optionally, select one of the policies from the drop-down list.
Remote First
Checks the remote server first for an authentication policy, and checks locally only if the remote server does not have one set. This is the default behavior.
Remote Only
Checks the remote server only.
Local Only
Checks the local server only. All remote users are mapped to the specified user. Any vendor attributes received from an authentication server are ignored.
Default User
Specifies the default role assigned by the AAA server administrator for remote authentication. If a TACACS+ server is configured for authentication and the authorization policy is set to Local Only, the TACACS+ authenticated user assumes the existing Default User privileges.