Authentication Using a Tenable Identity Exposure Account
The simplest authentication method is through a Tenable Identity Exposure account that requires a username and a password.
This authentication method offers a default lockout policy, a security control designed to mitigate brute force attacks against authentication mechanisms. It locks out user accounts after too many failed login attempts. When an account is locked, users do not have access to Tenable Identity Exposure APIs.
To configure authentication using a Tenable Identity Exposure account:
- In Tenable Identity Exposure, click Systems > Configuration.
  The configuration pane appears.
- Under the Authentication section, click Tenable Identity Exposure.
- In the Default profile drop-down box, select the profile for the user.
- In the Default roles box, select the roles for the user.
- Configure the lockout policy settings:

  Setting: Enabled
  Description:
  - Enabled: Tenable Identity Exposure blocks the account after a set number of failed login attempts.
  - Disabled: Tenable Identity Exposure does not lock the account after failed login attempts.
  Default value: Enabled

  Setting: Lockout duration
  Description: The length of time for which Tenable Identity Exposure locks the account against any login attempt. Tenable Identity Exposure automatically unlocks the account after this time elapses, so that the user can attempt to log in again.
  To configure the lockout duration:
  - Click on the slider to set a lockout duration.
  - Select Infinite if you do not want to unlock the account automatically after a set duration.
  Note: If all the accounts within the 'Global Administrator' group become locked, Tenable Identity Exposure unlocks the default administrative account after 10 seconds.
  Default value: 300 seconds

  Setting: Number of attempts before lockout
  Description: The number of failed login attempts before Tenable Identity Exposure locks the account.
  Default value: 3

  Setting: Redemption period
  Description: The time interval during which Tenable Identity Exposure counts the number of unsuccessful login attempts. After the specified number of unsuccessful login attempts within this interval, Tenable Identity Exposure locks the account.
  To set the redemption period:
  - Click on the slider to set a time interval.
  - Select Infinite if you do not want to set a time interval for counting unsuccessful login attempts before Tenable Identity Exposure locks the account.
  Default value: 900 seconds

- Click Save.
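The four settings above interact in ways the table only states in prose: failures are counted inside a redemption window, the account locks once the window holds the configured number of failures, and it stays locked for the lockout duration (or until an administrator removes the lock when the duration is Infinite). The following Python model is an added illustration written for this page; it is not Tenable's code and does not call any Tenable API. The class and method names are invented, the defaults are the ones from the table, and two behaviours the page does not spell out are assumptions: the redemption period is treated as a sliding window over failure timestamps, and further attempts against an already-locked account are not counted.

```python
from dataclasses import dataclass, field
from typing import Optional

# None mirrors the "Infinite" choice on the page's sliders.
INFINITE = None


@dataclass
class LockoutPolicy:
    """Settings named after the page's table; defaults are the page's defaults."""
    enabled: bool = True
    attempts_before_lockout: int = 3
    redemption_period: Optional[float] = 900.0  # seconds; None = Infinite
    lockout_duration: Optional[float] = 300.0   # seconds; None = Infinite


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of failed logins
    locked_until: Optional[float] = None           # None = not time-locked
    locked_forever: bool = False                   # set when duration is Infinite


class LockoutTracker:
    """Hypothetical tracker that applies a LockoutPolicy per account (assumption)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_forever:
            return True
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout duration elapsed: auto-unlock and start counting afresh.
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login; returns True if this failure locked the account."""
        if not self.policy.enabled:
            return False
        st = self._state(user)
        if self.is_locked(user, now):
            return False  # assumption: attempts against a locked account are not counted
        window = self.policy.redemption_period
        if window is not None:
            # Sliding window (assumption): drop failures older than the redemption period.
            st.failures = [t for t in st.failures if now - t < window]
        st.failures.append(now)
        if len(st.failures) >= self.policy.attempts_before_lockout:
            if self.policy.lockout_duration is None:
                st.locked_forever = True
            else:
                st.locked_until = now + self.policy.lockout_duration
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A successful login on an unlocked account clears its failure counter."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures.clear()
        return True

    def remove_lockout(self, user: str) -> None:
        """Administrator action corresponding to the page's 'Remove lockout' button."""
        st = self._state(user)
        st.locked_until = None
        st.locked_forever = False
        st.failures.clear()


def run_demo() -> dict:
    """Walk the default policy (3 attempts, 900 s window, 300 s lock) through a constructed scenario."""
    tracker = LockoutTracker(LockoutPolicy())
    out = {}
    tracker.record_failure("j.doe", 0.0)   # constructed sample account
    tracker.record_failure("j.doe", 5.0)
    out["locked_after_third_failure"] = tracker.record_failure("j.doe", 9.0)
    out["locked_at_t_100"] = tracker.is_locked("j.doe", 100.0)
    out["locked_at_t_310"] = tracker.is_locked("j.doe", 310.0)  # 300 s have passed since t=9
    return out


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the third failure inside the window locking the account, the lock still holding at t=100 s, and the automatic unlock once 300 s have elapsed. Setting `redemption_period=INFINITE` makes every failure count regardless of age, and `lockout_duration=INFINITE` keeps the account locked until `remove_lockout` is called, which is the situation the unlock procedure later on this page addresses.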
To disable the lockout policy:
- In Tenable Identity Exposure, click Systems > Configuration.
  The configuration pane appears.
- Click the Enabled toggle to turn off the lockout policy.
To view locked accounts:
- In Tenable Identity Exposure, go to Accounts > User accounts management.
  In the list of users, Tenable Identity Exposure displays locked accounts with a red padlock icon. Tenable Identity Exposure displays the following message to users with locked accounts: "Your account is blocked due to too many failed authentication attempts. You have to contact an administrator."
To unlock a locked account:
- In Tenable Identity Exposure, click Accounts > User accounts management.
  The user accounts management pane appears.
- In the list of users, locate the locked account.
- Click the pencil icon to edit the locked user account.
  The user's information pane appears.
- Click the Remove lockout button.
To set a role's permissions for the lockout policy:
- In Tenable Identity Exposure, click Accounts > Roles management.
  The Roles management pane appears.
- Click the pencil icon next to a role name to edit the role.
  The Edit a role pane appears.
- Click the System configuration entities tab.
- Under the Permissions Management section, select the Accounts Lockout Policy checkbox.
- Click the toggle to set the permission to Unauthorized or Granted.
  A message confirms that Tenable Identity Exposure updated the role's permissions.
Note: Tenable Identity Exposure disables the lockout policy settings for users who only have read permission in this pane.