User authentication attributes create exceptions to authentication policies for each specific user. These attributes also provide options for troubleshooting user authentication issues.
The following table describes the fields used to manage user authentication attributes.
A fixed passcode is similar to a password. Instead of using a SecurID PIN and tokencode to authenticate, a user can enter a fixed passcode to gain access. RSA recommends that you do not use fixed passcodes because they eliminate the advantages of two-factor authentication.
Clear Incorrect Passcodes
RSA Authentication Manager counts each time a user enters an incorrect passcode, clearing this count automatically with each correct passcode. If a user enters more incorrect passcodes than allowed by the SecurID token policy and then enters a correct passcode, Authentication Manager prompts the user for the next tokencode. The user gains access if the user successfully enters this tokencode.
When you clear the count of incorrect passcodes, the count is reset, and the user is not prompted for the next tokencode. However, if the user continues to enter incorrect passcodes and exceeds the number of failed logon attempts allowed by the lockout policy, the user is locked out of the system.
Clear cached copy of selected user's Windows credential
If your deployment uses RSA SecurID for Windows, Authentication Manager saves a cached version of the user’s Windows password.
If Windows password integration is enabled in the offline authentication policy, users can authenticate with only a Windows user name and an RSA SecurID passcode. This feature causes RSA Authentication Manager to save users’ Windows passwords, which become invalid if the Windows password has been changed. For example, if your Help Desk resets a user's Windows password in Active Directory, then the cached copy of the user’s original password is no longer valid. In that case, you can avoid a failed logon attempt by clearing the saved copy of the user's Windows password.
The default shell is the shell the user logs on to when accessing a UNIX machine.
A logon alias allows users to authenticate with their RSA SecurID tokens using User IDs other than their own. For example, suppose you assign the alias “root” to an administrator. The administrator can log on using the User ID “root” and his or her own token.
Logon aliases allow for situations where users are able to log on with their own User ID and a user group ID. The user group ID is associated with a user group that has access to a restricted or unrestricted agent. If a logon alias has been set up, Authentication Manager verifies the authentication using the user’s passcode, regardless of the account name the user used to log on to the operating system. For backward compatibility, a shell value is also maintained by the system.
To assign a logon alias to a user, you must have an agent, and the user must belong to a user group that is associated with the agent.
User RADIUS Profile
A RADIUS profile is a named collection of attributes that specify session requirements for a user requesting remote network access. Generally, you assign a RADIUS profile to multiple users.
RADIUS User Attributes
RADIUS user attributes are attributes that you assign to a user outside of a RADIUS profile. RADIUS user attributes take precedence over attributes in a RADIUS profile. A RADIUS user attribute can be mapped to an identity source attribute.