Configuring a Sequence of Authentication Types
If you enable SAML 2.0 authentication, RADIUS, TACACS+, and local authentication are all disabled, and only the SAML identity provider authenticates users.
When RADIUS and TACACS+ authentication servers are configured in AppResponse 11, you can add them to a sequence of authentication types (Local, RADIUS, or TACACS+) to be used when a user signs in. Authentication requests are made from the highest-priority authentication type (1) to the lowest. Within each authentication type, requests are made sequentially to the configured servers in the order in which they appear on the RADIUS and TACACS+ tabs. Authentication requests are made until a server accepts or rejects a request or the authentication types are exhausted.
◼ If a server does not respond, authentication proceeds to the next server.
◼ If authentication is rejected, there is no provision to try the next server of the same authentication type. For example, if two RADIUS servers are configured and the first server rejects a user, the second RADIUS server is not contacted.
You can choose to try the next authentication type if a higher-priority authentication type rejects a request. See Setting the Sequence of Authentication Types for details.
If you are not careful, you can lock yourself out of AppResponse 11 by doing the following:
• Removing Local authentication from the sequence when the remote servers (RADIUS or TACACS+) are unreachable.
• Clearing the “Try next method on reject:” check box (Step 6).
Riverbed recommends checking that authentication using RADIUS and TACACS+ works successfully before you remove local authentication or clear the “Try next method on reject:” check box.
If locked out, contact Riverbed Support to recover the AppResponse 11 appliance or virtual edition.
Specifying Authentication Types
1. Go to Administration > Account Management: Authentication to display the Authentication page.
2. Select the General tab.
3. A table shows the authentication types currently selected (Local by default).
4. Click Add to display a pop-up menu with other available authentication types.
5. Click Add following an authentication type to add it to the table.
6. When finished click the x in the upper-right corner of the pop-up menu.
Setting the Sequence of Authentication Types
1. Go to Administration > Account Management: Authentication to display the Authentication page.
2. Select the General tab.
3. A table shows the authentication types currently selected (Local by default).
4. The priority of each authentication type is shown in column 1, highest (1) to lowest.
5. Use the three icons on the right side of each table row to change a row’s priority:
– Click ^ to raise an authentication type’s priority.
– Click v to lower an authentication type’s priority.
– Click x to remove the authentication type.
6. Selecting the “Try next method on reject:” box (below the table) tries the next authentication type if a higher priority authentication type rejects a request. By default, this box is checked and a rejected request tries the next authentication type in the sequence.
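The following sketch models the sequencing rules described above so that a planned change can be checked for lockout risk before it is applied. It is an added example, not Riverbed code; the server names, the single "local" entry standing in for Local authentication, and the response table are constructed assumptions.

```python
ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no_response"

def authenticate(sequence, responses, try_next_on_reject=True):
    """Walk the authentication types in priority order.

    sequence:  list of (auth_type, [server, ...]), highest priority first.
    responses: dict of server -> ACCEPT / REJECT / NO_RESPONSE (constructed).
    Returns (outcome, deciding_server, trace of servers contacted).
    """
    trace, last_reject = [], None
    for auth_type, servers in sequence:
        for server in servers:
            answer = responses.get(server, NO_RESPONSE)
            trace.append((auth_type, server, answer))
            if answer == ACCEPT:
                return ACCEPT, server, trace
            if answer == REJECT:
                last_reject = server
                if not try_next_on_reject:
                    return REJECT, server, trace
                break  # a reject never falls through to a peer of the same type
            # NO_RESPONSE: proceed to the next server of this type
    # Types exhausted: the sign-in fails, either rejected or unanswered.
    return (REJECT, last_reject, trace) if last_reject else (NO_RESPONSE, None, trace)

# Hypothetical configuration: two RADIUS servers, then Local.
WITH_LOCAL = [("RADIUS", ["radius-1", "radius-2"]), ("Local", ["local"])]
RADIUS_ONLY = [("RADIUS", ["radius-1", "radius-2"])]

if __name__ == "__main__":
    # radius-1 rejects: radius-2 is skipped and Local decides only if the
    # "Try next method on reject:" box is checked.
    rejecting = {"radius-1": REJECT, "radius-2": ACCEPT, "local": ACCEPT}
    print(authenticate(WITH_LOCAL, rejecting, try_next_on_reject=True)[:2])
    print(authenticate(WITH_LOCAL, rejecting, try_next_on_reject=False)[:2])
    # Lockout case: Local removed and every remote server unreachable.
    unreachable = {"radius-1": NO_RESPONSE, "radius-2": NO_RESPONSE}
    print(authenticate(RADIUS_ONLY, unreachable)[:2])
```

Running the same check with the real server list and the failure cases you expect (one server down, all servers down, account missing on the remote server) shows which combinations leave no path to sign in.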