The root Admin account is authenticated only through the NetMRI local authentication database. Other administrator accounts can be authenticated and authorized against an external server.

If you define one or more authentication servers under Authentication Services Settings, NetMRI uses the account information from those servers in the order given by priority to accept or reject a given username and password. The only exception is the admin account, which is always validated using the Local Database. NetMRI can be accessed by the system administrator even when authentication servers are down or cannot be accessed by the appliance.

You can disable the local authentication service, in which case only the primary Admin account will be locally authenticated. You can also change the priority level of the Local service, which affects the order in which the local service will be activated for authentication requests. For some applications, retaining the Local service as the highest priority is recommended.

You can also enable multiple server groups of different types to authenticate and authorize users. Each server group, whether LDAP, AD, RADIUS, TACACS+, SAML, or OCSP, together with the mapping of its remote user groups to the local NetMRI roles, is referred to as an authentication service. You configure each authentication service to use a group of one or more authentication servers.

For NetMRI user accounts, you define roles and privileges locally in the NetMRI appliance. All user account roles and privileges remain local to the NetMRI appliance and are not directly defined on the RADIUS, TACACS+, LDAP, AD, SAML, or OCSP server. For information about user Roles and Privileges, see Creating Admin and User Accounts. The external server is used for the authentication of the user account. Authorization functions are tied to the assignments between the remote user group names and the NetMRI Roles in the desired NetMRI device groups.

The following figure illustrates the authentication and authorization process for users authenticated by remote servers. In the example, two authentication services are configured, a RADIUS service and an Active Directory service. When the admin logs in with a user name and password, NetMRI uses the service configured with the highest Priority setting to authenticate the admin. If authentication fails, NetMRI tries the next highest-priority service, and so on. For each service, it tries each authentication server in the order given by their priority, until successful or all services fail, including the local authentication service. If all services fail to authenticate the login attempt, NetMRI denies access and generates an error notification.

If authentication succeeds, NetMRI tries to match the user's group names received from the remote server to those assigned to the local roles and device groups defined in the authentication service properties. If it finds a match, the NetMRI appliance applies the privileges of these roles in the specified device groups to the authenticated user. If the appliance does not find a match, it denies access.
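The priority walk and the group-to-role matching described above, as an added Python model that is not NetMRI code: the service names, credentials and group names are constructed sample data, and treating a lower priority number as "tried first" is an assumption.

```python
# Added model of the authentication / authorization flow described above (not NetMRI code); all sample data is constructed.
from dataclasses import dataclass, field

ADMIN_ACCOUNT = "admin"   # the root Admin account is only ever validated against the Local service

@dataclass
class Service:
    name: str
    priority: int            # assumption: lower value = tried first
    servers: list            # callables (user, pw) -> set of groups, None on reject, ConnectionError when down
    role_map: dict = field(default_factory=dict)   # remote group name -> (NetMRI role, device group)

def authenticate(services, user, password):
    """Try services by priority and each server in listed order; return (service, groups) or None."""
    candidates = sorted(services, key=lambda s: s.priority)
    if user == ADMIN_ACCOUNT:
        candidates = [s for s in candidates if s.name == "Local"]
    for svc in candidates:
        for server in svc.servers:
            try:
                groups = server(user, password)
            except ConnectionError:
                continue                 # server down: fall through to the next server / service
            if groups is not None:
                return svc, groups
    return None

def login(services, user, password):
    """Return the set of (role, device group) grants, or a reason string when access is denied."""
    result = authenticate(services, user, password)
    if result is None:
        return "denied: no service authenticated the login"
    svc, groups = result
    grants = {svc.role_map[g] for g in groups if g in svc.role_map}
    return grants or f"denied: {svc.name} authenticated the user but no group maps to a role"

def make_server(directory, down=False):
    """Constructed stand-in for one server; directory maps user -> (password, set of groups)."""
    def check(user, password):
        if down:
            raise ConnectionError("server unreachable")
        entry = directory.get(user)
        return entry[1] if entry and entry[0] == password else None
    return check

SERVICES = [   # constructed sample configuration: a RADIUS service with one dead server, then AD, then Local
    Service("RADIUS", 1, [make_server({}, down=True), make_server({"alice": ("a-pw", {"netops"})})], {"netops": ("Admin", "Core Routers")}),
    Service("AD", 2, [make_server({"bob": ("b-pw", {"Helpdesk"}), "carol": ("c-pw", {"Interns"})})], {"Helpdesk": ("Viewer", "All Devices")}),
    Service("Local", 3, [make_server({"admin": ("root-pw", {"local-admin"})})], {"local-admin": ("SysAdmin", "All Devices")}),
]
```

Running `login(SERVICES, "carol", "c-pw")` shows the second failure mode from the text: the AD service authenticates her, but because "Interns" is mapped to no role the appliance still denies access.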

When a new user is authenticated and authorized through one of the remote services, NetMRI automatically creates the new account locally on the appliance and learns the Roles and device group assignments from the remote service. If there happens to be an established local user account, and the account login is authenticated and authorized by an external service, NetMRI will update its local profile to reflect the Roles and device group assignments granted by the last external authorization.

An admin can use an account's Force Local Authentication setting to prevent a user account from being authenticated and authorized by an external service. This requires the Local authentication service to be the highest-priority service. For information, see User Administration in NetMRI and its subsections.