The Authentication screen enables you to configure the mechanism with which the SMS server authenticates user login requests.
The SMS supports five types of user authentication: local, RADIUS, Active Directory, TACACS+, and CAC. You must choose one authentication method per SMS server:
  • Local – Authentication is performed locally on the SMS.
    Note
    In order for TPS devices to use this option, SMS port 443 must be open and accessible by the device.
  • RADIUS – Authentication is performed on the RADIUS server; user role and access rights are maintained on the SMS server. If the RADIUS server is unavailable, the SMS can authenticate local users. You cannot manage the SMS user account from the RADIUS server, and the user password can be modified only on the RADIUS server.
  • Active Directory – Authentication is performed on the Active Directory (AD) server; for SMS accounts, user role and access rights are maintained on the SMS server. If the AD server is unavailable, the SMS can authenticate local users if the Authentication Mode for the active group mapping is set to “Allow only users defined in the SMS to login.” If another mode has been configured, only users whose access privileges are maintained locally on the SMS are able to log in. You cannot manage the SMS user account from the AD server, and the user password can be modified only on the AD server.
  • TACACS+ – Authentication is performed on the TACACS+ server; user role and access rights are maintained on the SMS server. You can specify up to three TACACS+ servers.
    Because SMS authentication using TACACS+ does not support authorization, you must create a local user for every user that logs in to the SMS by using TACACS+. Create a local SMS user with the appropriate group memberships and clear the Local Authentication Only check box. A local password is needed only for local authentication failover, which happens only when the TACACS+ server times out (not when it rejects the credentials).
  • CAC – Authentication is performed on the SMS server using Certificate Authority (CA) certificates and an ActivClient smart card reader. Users are validated against their Active Directory accounts. The SMS matches a user's group in Active Directory with a group on the SMS. If the SMS is in CAC Authentication mode, all SMS users must log in using CAC. No local users are allowed to log into the SMS client.
Only one authentication method per SMS server is permitted at any one time, but the SMS does allow an administrator to designate user accounts that must always be authenticated locally regardless of the designated authentication source. In this way, you can configure the SMS to use RADIUS, Active Directory, or TACACS+ as the authentication source, while specifying user accounts that must still be authenticated on the SMS itself.
Tip
We recommend that you have at least one superuser account that authenticates locally to ensure access for system troubleshooting.
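The failover rules described for TACACS+ and RADIUS (local failover on server timeout only, never on an explicit rejection), the local-only accounts described after the list, and the local superuser recommended in the tip above can be captured in a small decision model. The following Python is an added example written for this page, not SMS product code; the class and function names, the `ServerResult` outcomes, the sample accounts and the password-hashing scheme are assumptions about how the documented behaviour would be modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional, Tuple


class ServerResult(Enum):
    """Outcome of the external (TACACS+/RADIUS) authentication attempt (assumed names)."""
    ACCEPT = "accept"
    REJECT = "reject"    # server answered and denied the credentials
    TIMEOUT = "timeout"  # server unreachable or silent before the deadline


def pw_hash(password: str) -> str:
    # Illustrative only: a real credential store would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass(frozen=True)
class LocalUser:
    """An SMS-side account: roles live here even when the password lives elsewhere."""
    name: str
    groups: FrozenSet[str]
    local_only: bool = False               # the "Local Authentication Only" check box
    local_pw_hash: Optional[str] = None    # needed only for local-only accounts and timeout failover


# Constructed sample directory of SMS accounts (not real data).
USERS: Dict[str, LocalUser] = {
    "break-glass": LocalUser("break-glass", frozenset({"superuser"}), local_only=True,
                             local_pw_hash=pw_hash("correct horse battery staple")),
    "alice": LocalUser("alice", frozenset({"operator"}),
                       local_pw_hash=pw_hash("alice-local")),
    "bob": LocalUser("bob", frozenset({"operator"})),  # no local password: no failover
}


def local_check(user: LocalUser, password: str) -> bool:
    """Constant-time comparison against the stored local hash; False if none is set."""
    if user.local_pw_hash is None:
        return False
    return hmac.compare_digest(user.local_pw_hash, pw_hash(password))


def authenticate(name: str, password: str,
                 ask_server: Callable[[str, str], ServerResult],
                 users: Dict[str, LocalUser] = USERS) -> Tuple[bool, str]:
    """Decide a login. ask_server stands in for the TACACS+/RADIUS round trip."""
    user = users.get(name)
    if user is None:
        # Authorization is held on the SMS: a server ACCEPT for an unknown name is useless.
        return False, "no SMS account for user"
    if user.local_only:
        # Local-only accounts never consult the external source.
        ok = local_check(user, password)
        return ok, "local-only account: " + ("accepted" if ok else "bad local password")
    result = ask_server(name, password)
    if result is ServerResult.ACCEPT:
        return True, "accepted by external server"
    if result is ServerResult.REJECT:
        # An explicit denial is final: no local failover, even if a local password exists.
        return False, "rejected by external server"
    # TIMEOUT: fail over to the local password, which only works if one was set.
    ok = local_check(user, password)
    return ok, "server timeout: local failover " + ("accepted" if ok else "failed")


def has_local_superuser(users: Dict[str, LocalUser]) -> bool:
    """The tip above as a check: at least one superuser that always authenticates locally."""
    return any(u.local_only and "superuser" in u.groups and u.local_pw_hash is not None
               for u in users.values())


if __name__ == "__main__":
    down = lambda n, p: ServerResult.TIMEOUT
    print(authenticate("alice", "alice-local", down))      # failover succeeds
    print(authenticate("bob", "whatever", down))            # no local password, denied
    print(authenticate("break-glass", "correct horse battery staple", down))
    print("local superuser present:", has_local_superuser(USERS))
```

The model makes the two points a reviewer of an SMS deployment cares about visible: a rejection from the external server is never turned into a local retry (fail-closed), and a timeout only helps accounts that were deliberately given a local password, which is why the recommended break-glass superuser must be created as a local-only account rather than relying on failover.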