User Manual

Security Database Configuration
11-9
SecurID ACE/Server
UNIX password file, via TFTP
You must assign a precedence number to each database method you wish to use. Precedence specifies the
search order in which the configured databases will be checked. The database location with the most
username/password pairs is usually given the highest precedence (1), setting it as the primary database. By
default, the local authentication database has a precedence of 1.
Note: See Database Search Order on page 11-27 for an example of database
precedence configuration.
Configure your precedence settings carefully. If a database is configured for a precedence slot that has
already been filled by another database, it will take over the precedence setting and return all of the previous
database type's settings to their factory defaults.
Note: To check the database configuration, use the Show/Monitor/List Authentication
command (discussed on page 12-178). Databases are listed according to their
precedence numbers.
As you configure the authentication settings, keep in mind that all configured authentication methods will
be tried until one method succeeds or all methods have failed. If six databases are configured and the
database with the first precedence denies the user access, there are still five possible chances for the user to
pass authentication. Remember that when it comes to configuring multiple authentication methods, your
security is only as strong as the weakest method configured.
If you want the SCS to abort the authentication process at any invalid user or invalid password error,
enable Strict fail mode. Strict fail mode is disabled by default, but can be enabled with the Set/Define
Authentication Strictfail command.
Unless Strict fail mode is enabled, the SCS does not examine the reasons for authentication failures. It
simply notes the failure.
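The chain of behaviour described above (precedence order, slot takeover, try-until-success, and the Strict fail early abort) can be made concrete with a small model. The following is an added illustration, not Lantronix code: the database names, the failure-reason strings, the `PrecedenceTable` class and the sample users are constructed for this example. The manual does not say how Strict fail treats failures other than "invalid user" and "invalid password" (such as an unreachable server), so the model assumes the chain continues past those.

```python
"""Model of a precedence-ordered authentication chain with Strict fail mode.

Added illustration only; names, reason strings and sample data are invented here.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A checker returns (succeeded, reason); reason is only meaningful on failure.
Checker = Callable[[str, str], Tuple[bool, str]]

# Strict fail mode aborts on these two reasons. Other failure reasons are assumed
# (not stated in the manual) to let the chain move on to the next database.
STRICT_FAIL_ABORT_REASONS = {"invalid user", "invalid password"}


@dataclass
class Database:
    name: str
    check: Checker
    settings: Dict[str, str] = field(default_factory=dict)


class PrecedenceTable:
    """Maps precedence slot -> database. Assigning to an occupied slot evicts the
    previous occupant and resets its settings to factory defaults (empty here)."""

    def __init__(self) -> None:
        self.slots: Dict[int, Database] = {}
        self.log: List[str] = []

    def assign(self, precedence: int, db: Database) -> None:
        evicted = self.slots.get(precedence)
        if evicted is not None and evicted is not db:
            evicted.settings.clear()  # back to factory defaults
            self.log.append(f"{evicted.name} evicted from slot {precedence}; settings reset")
        self.slots[precedence] = db

    def ordered(self) -> List[Database]:
        # Lowest precedence number is searched first.
        return [self.slots[p] for p in sorted(self.slots)]


def authenticate(table: PrecedenceTable, username: str, password: str,
                 strict_fail: bool = False) -> Tuple[bool, List[str]]:
    """Try each database in precedence order until one accepts or all fail.

    Returns (granted, trail); the trail records how far down the chain the
    request travelled, which is what an administrator wants to see when
    judging the weakest-link exposure of a multi-database configuration."""
    trail: List[str] = []
    for db in table.ordered():
        ok, reason = db.check(username, password)
        if ok:
            trail.append(f"{db.name}: accepted")
            return True, trail
        trail.append(f"{db.name}: failed ({reason})")
        if strict_fail and reason in STRICT_FAIL_ABORT_REASONS:
            trail.append("strict fail: aborting")
            return False, trail
    return False, trail


def make_table_checker(users: Dict[str, str]) -> Checker:
    """Checker backed by a constructed username -> password table."""
    def check(username: str, password: str) -> Tuple[bool, str]:
        if username not in users:
            return False, "invalid user"
        if users[username] != password:
            return False, "invalid password"
        return True, ""
    return check


def unreachable(username: str, password: str) -> Tuple[bool, str]:
    """Stands in for a network database that cannot be contacted."""
    return False, "server unreachable"


def demo_table() -> PrecedenceTable:
    """Three constructed databases: local NVR first, a dead remote server
    second, and a stale copy of a UNIX password file third."""
    table = PrecedenceTable()
    table.assign(1, Database("local NVR", make_table_checker({"admin": "s3cret"}),
                             {"type": "local"}))
    table.assign(2, Database("remote server", unreachable, {"host": "192.0.2.10"}))
    table.assign(3, Database("UNIX passwd via TFTP",
                             make_table_checker({"alice": "wonder", "admin": "oldpw"})))
    return table


if __name__ == "__main__":
    t = demo_table()
    # An old password rejected by the local database is still accepted by the
    # third database unless Strict fail stops the chain at the first rejection.
    for strict in (False, True):
        granted, trail = authenticate(t, "admin", "oldpw", strict_fail=strict)
        print(f"strict_fail={strict}: granted={granted}")
        for line in trail:
            print("   ", line)
```

Running the script shows the point the manual makes about the weakest method: with Strict fail disabled, a password the primary database rejects is still accepted by the stale third database; with Strict fail enabled, the request ends at the first "invalid password".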
11.4.1 Local (NVR) Database
The local database is stored in NVR. Storing authentication locally offers the following advantages:
A network server is not required.
Local authentication functions even when the network is down.
Local authentication can execute and restrict user commands.
CHAP may be used for authentication.
Disadvantages include:
The SCS cannot share its databases with other servers.
The SCS cannot share existing databases.
The local database is limited by the size of the server's NVR.