Network Security Management Administration Guide

CSC Users > Authentication Servers
Table of Contents

Authentication Servers

This feature is specific to On-premises solution where you can add the authentication types like Active Directory, LDAP, RADIUS and, Digital Certificate.

To add authentication servers

  1. Click Add to add new authentication servers.

  2. Authentication Type - There are four options to choose - Active Directory, LDAP, RADIUS and, Digital Certificate. This indicates the type of the Remote Authentication Server if it is an LDAP server, a Windows Active Directory, a RADIUS Server or a Digital Certificate. The configuration values for Active Directory and LDAP are same.

Add Authentication Server - Settings

  •  Name - Enter the name to identify the authentication server.

  • IP/FQDN - The hostname or the IP address of the Remote authentication server. Example: [mydc.example.com], [X.X.X.X] (ip address), [company.com].

  • Port - The default LDAP over TLS port number is TCP 636. The default LDAP(unencrypted) port number is TCP 389, but you can select from the Standard port choices drop-down menu for more options. If you are using a custom listening port on your LDAP server, specify it here.
  • Protocol Version - Choose a protocol version from the list. This is the LDAP protocol version on which the remote LDAP/AD server is running on
  • Base Distinguished Name - A distinguished name, that is, a globally unique name for a user. The base DN for a directory (say example.com) should be written in the form: [dc=example,dc=com].
  • Use SSL - Toggle this option to specify whether to use SSL for binding to the remote server. This is strongly recommended. For this, the remote server's CA certificate or the root certificate of the CA that signed the server's certificate should be present in KeyStore of SGMS as trusted CAs.
  • SSL Port - The default value is 636 in case of LDAP/AD servers.
  • Anonymous Login - Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (MS AD generally does not), then you could select this option.
  • Login User Distinguished Name - Distinguished name is used to authenticate to Directory Server when performing a bind. The value for this field should be specified as a DN (Distinguished Name). Example: [uid=xyz, ou=People, dc=example, dc=com] , [cn=jdoe, cn=users, dc=sv, dc=company, dc=com]
  • Login Password - Enter the password for the login user DN.
  • Connection Timeout (msecs) - Timeout period(in milliseconds). After this period of time, the connection attempt with the remote server will be given up if it is not successful.

Authentication Type - RADIUS

PRIMARY RADIUS SERVER

  • IP/FQDN - The hostname or the IP address of the Remote authentication server. Example: [mydc.example.com], [X.X.X.X] (ip address), [company.com].
  • Port - The default LDAP over TLS port number is TCP 636. The default LDAP(unencrypted) port number is TCP 389, but you can select from the Standard port choices drop-down menu for more options. If you are using a custom listening port on your LDAP server, specify it here.
  • Shared Secret - The alphanumeric Shared Secret can range from 1 to 31 characters in length. The shared secret is case sensitive.
  • Authentication Protocol - From the drop down list, choose the RADIUS Authentication Protocol to be used for authentication.
  • Radius Timeout (seconds) - The allowed range is 1-60 seconds with a default value of 5.
  • Max Retries - Enter the number of times SonicOS will attempt to contact the RADIUS server. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range between 0 and 10, with a recommended setting of 3 RADIUS server retries.

BACKUP RADIUS SERVER

  • IP/FQDN

  • Port - The default LDAP over TLS port number is TCP 636. The default LDAP(unencrypted) port number is TCP 389, but you can select from the Standard port choices drop-down menu for more options. If you are using a custom listening port on your LDAP server, specify it here.

  • Shared Secret - The alphanumeric Shared Secret can range from 1 to 31 characters in length. The shared secret is case sensitive.

Authentication Type - Digital Certificate

  • Name - Enter the name to identify the authentication server.

  • CA Certificate - From the drop down list, choose any existing certificates. To add a new certificate, click Edit icon and select Add CA Certificate.

  • Select Import a local end-user certificate with private key from a PKCS#12 (.p12 or .pfx) encoded file.

  • Next, enter the Certificate Name and the Certificate Management Password (the password you defined when creating the .pfx file). Click Import.

  • Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file

  • Click Add File and browse to locate and open your Certificate .pfx file. Click Import to import the selected certificate.

Add Authentication Server - Schema

User Directory LDAP Schema

  • LDAP Schema - From the list choose the desired option. Selecting any of the predefined schemas will automatically populate the fields used by that schema with their correct values. Selecting User defined will allow you to specify your own values – use this only if you have a specific or proprietary LDAP schema configuration.

USER OBJECTS

  • Object Class - Select the attribute that represents the individual user account. The name of one of the standard object classes that the users belong to.
  • Login Name Attribute - The attribute name on the LDAP/AD server which represents the user id. This is the attribute on the LDAP server whose value would be used as the user id on the SGMS Login Page. Example: uid, sAMAccountName etc.
  • First Name Attribute - The attribute name on the LDAP server which represents First Name. Example: givenName.
  • Last Name Attribute - The attribute name on the LDAP server which represents Last name. Example: sn.
  • Email Attribute - The attribute name on the LDAP server which represents email id. Example: mail.
  • Telephone Attribute - The attribute name on the LDAP server which represents Telephone number. Example: telephoneNumber.

USER DIRECTORY LDAP SCHEMA 

  • Allow Only AD Group Members - Toggle the button to allow or deny AD Group Members. When enabled, it allows only those users that are members of the specified Active Directory Groups to login into NSM. With this option, it is also necessary to select the Host Type as [Active Directory] on the Settings Panel.

  • Active Directory Group(s) - Specify the AD Group names, members of which should be allowed to login into NSM. Multiple AD Groups can be specified as semicolon delimited. Example: [NSMUsers], [ADGroup1;AD group2;NSM Users;Group4]