Authentication Server
This function allows you to configure the parameters of the RADIUS, LDAP, TACACS, or third-party authentication servers used for operator login authentication.
Operation Procedure
- Click the System Management tab to enter the management page, and then click the Authentication Server link to enter the authentication server configuration page.
- Configure the parameters of the RADIUS, LDAP, TACACS, or third-party server and then click OK.
Precautions
- Only an administrator can perform authentication server configurations.
- The operator password cannot exceed 32 characters. In RADIUS, LDAP, or TACACS authentication, the user password on the authentication server cannot exceed 32 characters either.
- You can edit the commonCfg.properties file to show or hide the Manage All Device Groups, Manage All Custom Views, and Operator Access Control List features as follows:
a. Open the commonCfg.properties file in the \client\conf\ directory of the system installation path.
b. Set showRadiusExtensions to false to hide the features, or to true to show them.
c. Restart the JServer process for the configuration to take effect.
Parameters
RADIUS Server
- Authentication Type: Authentication protocol used with the RADIUS server, PAP or CHAP.
- Primary Server: IP address or host name of the primary RADIUS server.
- Secondary Server: IP address or host name of the secondary RADIUS server, which is used when the primary RADIUS server is not available.
- Authentication Port: UDP port on which the RADIUS servers listen for authentication requests, 1812 by default.
- Shared Secret: Shared secret used to protect RADIUS authentication packets. It must be identical to the secret configured for this client on the RADIUS server. Use a long, random value: with PAP, the shared secret is the only thing hiding the user password inside Access-Request packets, and a short or guessable secret can be recovered offline from captured traffic.
- Advanced Setting
- Synchronize RADIUS Operator: Select this option to synchronize operator information with the RADIUS server. When a user who logs in does not exist as a local operator, the system sends the login to the RADIUS server for authentication. After the user passes authentication, the system permits the login. If the RADIUS response also matches the vendor and data information in a match rule, the system synchronizes the operator information to the local system using the settings of that rule.
- Match rule parameters:
Vendor ID: Vendor (IANA enterprise) ID carried in the Vendor-Specific attribute of the RADIUS response.
Vendor Type: Vendor-assigned attribute type inside that Vendor-Specific attribute.
Data Type: Data type of the vendor attribute value in the RADIUS response, string or integer.
Data Value: Value of the specified data type that identifies the operator in the RADIUS response.
Operator Group: Group to which the operator is assigned when the response matches the specified vendor ID, vendor type, data type, and data value.
Manage All Device Groups: Specify whether an operator matching the specified rule can manage all device groups. If you select No from this list for a match rule, you can click Select in the Device Group column for that match rule to customize a device group. If you select Yes from this list for a match rule, you cannot customize a device group for that match rule.
Manage All Custom Views: Specify whether an operator matching the specified rule can manage all custom views. If you select No from this list for a match rule, you can click Select in the Custom View column for that match rule to customize a custom view. If you select Yes from this list for a match rule, you cannot customize a custom view for that match rule.
Operator Access Control List: After adding a match rule, you can set an operator access control list for that match rule. An operator access control list created here provides the same function as that created when you create an operator.
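The match rule above compares a vendor attribute in the RADIUS Access-Accept against a configured vendor ID, vendor type, data type, and value. The following added example (not code from the product or this page) shows what that evaluation involves: it parses the RADIUS attribute TLVs, unpacks the Vendor-Specific attribute (type 26: 4-byte vendor ID, then vendor type, vendor length, value), bounds-checks every length field, and returns the Operator Group of the first matching rule. The vendor ID 25506, the vendor types 29 and 30, the user names, and the group names are constructed sample values; the response authenticator is left zeroed because this sample does not verify it, which a real client must do with the shared secret.

```python
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific (26) attribute carrying one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_packet(code: int, ident: int, attrs: list) -> bytes:
    """Build a RADIUS packet: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.
    The authenticator is zeroed here; a real client verifies it with the shared secret."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_packet(packet: bytes):
    """Return (code, attributes). Vendor sub-attributes come back as
    ("vsa", vendor_id, vendor_type, raw_value), everything else as ("attr", type, raw_value).
    Every length field is checked so a malformed reply raises instead of being misread."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[off], packet[off + 1]
        if a_len < 2 or off + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[off + 2:off + a_len]
        if a_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub, s_off = value[4:], 0
            while s_off < len(sub):
                if s_off + 2 > len(sub):
                    raise ValueError("truncated vendor sub-attribute")
                v_type, v_len = sub[s_off], sub[s_off + 1]
                if v_len < 2 or s_off + v_len > len(sub):
                    raise ValueError("bad vendor sub-attribute length")
                attrs.append(("vsa", vendor_id, v_type, sub[s_off + 2:s_off + v_len]))
                s_off += v_len
        else:
            attrs.append(("attr", a_type, value))
        off += a_len
    return code, attrs


def decode_value(raw: bytes, data_type: str):
    """Interpret a raw vendor value as the rule's Data Type. RADIUS integers are 32-bit."""
    if data_type == "integer":
        return struct.unpack("!I", raw)[0] if len(raw) == 4 else None
    return raw.decode("utf-8", "replace")


def assign_operator_group(packet: bytes, rules: list):
    """Return the Operator Group of the first rule matched by a vendor sub-attribute
    in an Access-Accept, or None when access was not granted or no rule matches
    (in which case the page says the operator is not synchronized)."""
    code, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return None
    for rule in rules:
        for item in attrs:
            if item[0] != "vsa":
                continue
            _, vendor_id, vendor_type, raw = item
            if (vendor_id, vendor_type) != (rule["vendor_id"], rule["vendor_type"]):
                continue
            if decode_value(raw, rule["data_type"]) == rule["data_value"]:
                return rule["operator_group"]
    return None


# Constructed sample rules and responses (vendor ID and types are assumed values).
SAMPLE_VENDOR_ID = 25506
RULES = [
    {"vendor_id": SAMPLE_VENDOR_ID, "vendor_type": 29, "data_type": "string",
     "data_value": "imc-admin", "operator_group": "Administrator Group"},
    {"vendor_id": SAMPLE_VENDOR_ID, "vendor_type": 30, "data_type": "integer",
     "data_value": 3, "operator_group": "Maintainer Group"},
]
ACCEPT_ADMIN = build_packet(ACCESS_ACCEPT, 1, [build_attr(ATTR_USER_NAME, b"alice"),
                                               build_vsa(SAMPLE_VENDOR_ID, 29, b"imc-admin")])
ACCEPT_MAINT = build_packet(ACCESS_ACCEPT, 2, [build_attr(ATTR_USER_NAME, b"bob"),
                                               build_vsa(SAMPLE_VENDOR_ID, 30, struct.pack("!I", 3))])
ACCEPT_NO_RULE = build_packet(ACCESS_ACCEPT, 3, [build_attr(ATTR_USER_NAME, b"carol"),
                                                 build_vsa(SAMPLE_VENDOR_ID, 29, b"guest")])
REJECT = build_packet(ACCESS_REJECT, 4, [build_attr(ATTR_USER_NAME, b"alice"),
                                         build_vsa(SAMPLE_VENDOR_ID, 29, b"imc-admin")])
```

Rules are evaluated in order, so a user whose response carries attributes matching several rules lands in the group of the first one listed; put the most restrictive rules last only if that is the intent. A response that fails to parse is treated as an error, not as "no match", so a truncated or malformed reply never grants a group.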
LDAP Server
- LDAP Version: Version of the LDAP server, V2 or V3.
- Server Type: Type of the LDAP server, general LDAP server or Microsoft Active Directory.
- Server Address: IP address or host name of the LDAP server.
- Server Port: Listening port of the LDAP server, 389 by default.
- Base DN: Distinguished name of the directory subtree in which the system searches for user entries.
- Admin DN: Distinguished name of the account the system binds as to search the directory for user entries. A read-only account whose rights are limited to that subtree is sufficient for this purpose.
- Admin Password: Password of the Admin DN account.
- Username Attribute: LDAP attribute that is compared with the login name to locate the user's entry, for example sAMAccountName on Microsoft Active Directory or uid on a general LDAP server.
- Require Security Connection (SSL): Specifies whether to connect to the LDAP server over SSL. Without it, the Admin DN password and every user's login password cross the network in clear text. An SSL-enabled LDAP server usually listens on port 636 rather than 389, so adjust Server Port accordingly.
- Authentication File Configure: Certificate with which the system verifies the LDAP server when a security connection is required. Without the certificate, a security connection to the LDAP server cannot be established.
- Advanced Setting
- Synchronize LDAP Operator: Select this option to authenticate users who have no account on the system against the LDAP server. If the entry of an authenticated LDAP user is located under the OU given in a match rule, the user information is synchronized to the system. For example:
1. The LDAP user is stored on the LDAP server with the entry CN=user1,OU=admin,DC=com,DC=domain,DC=www.
2. Enter OU=admin,DC=com,DC=domain,DC=www in the OU field, and then select Administrator Group from Operator Group list.
3. After the user passes LDAP authentication, user1 is added to the administrator group on the system.
- OU: Trailing part of the LDAP user entry (the container the entry is stored under) that identifies the operator group of the user on the LDAP server.
- Operator Group: Operator group on the system that matches the OU.
- Operation: Allows you to define access rights to user groups, device groups, and custom views for a synchronized operator. Synchronized operators and manually added operators use the same method for defining access rights. A synchronized operator is deleted when the synchronization rule is deleted.
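The OU match above is a comparison between the tail of the user's distinguished name and the configured OU. The added example below (not code from the product or this page) shows that comparison done at the RDN level rather than as a plain string suffix check, so that attribute case, spacing after commas, and backslash-escaped commas inside a CN cannot cause a user to be placed in the wrong group or to be missed. It reuses the distinguished name from the page's own example; the second rule, the extra users, and the group names are constructed.

```python
def parse_dn(dn: str):
    """Split a DN into [(attr, value), ...]. Backslash-escaped characters (such as
    a comma inside a CN) stay in the value; attributes and values are lower-cased
    because LDAP attribute types and most directory values are case-insensitive."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def entry_is_under(user_dn: str, container_dn: str) -> bool:
    """True when the user's entry lies strictly below the container, i.e. the
    container's RDNs equal the trailing RDNs of the user DN. The container DN
    itself is not a user entry and therefore does not match."""
    user, container = parse_dn(user_dn), parse_dn(container_dn)
    return len(container) < len(user) and user[-len(container):] == container


def assign_operator_group(user_dn: str, rules: list):
    """Return the Operator Group of the first rule whose OU contains the user's entry,
    or None when no rule matches (the user is then not synchronized)."""
    for rule in rules:
        if entry_is_under(user_dn, rule["ou"]):
            return rule["operator_group"]
    return None


# Constructed rules: the more specific OU is listed first so it wins over its parent.
RULES = [
    {"ou": "OU=noc,OU=admin,DC=com,DC=domain,DC=www", "operator_group": "Maintainer Group"},
    {"ou": "OU=admin,DC=com,DC=domain,DC=www", "operator_group": "Administrator Group"},
]

# The page's own example entry plus constructed variants that a naive string check mishandles.
PAGE_EXAMPLE_USER = "CN=user1,OU=admin,DC=com,DC=domain,DC=www"
MIXED_CASE_USER = "cn=user2, ou=Admin, dc=com, dc=domain, dc=www"
NESTED_USER = "CN=user3,OU=noc,OU=admin,DC=com,DC=domain,DC=www"
ESCAPED_COMMA_USER = "CN=Doe\\, Jane,OU=ops,DC=com,DC=domain,DC=www"
```

Because rules are applied in order, listing the parent OU before a nested OU would put every user under OU=noc into the Administrator Group; keep the most specific OU first. The container DN itself never matches, so pointing a rule at a container cannot synchronize the container as an operator.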
TACACS Server
- Authentication Type: Authentication type for the TACACS server to use, ASCII, PAP, or CHAP.
- TACACS Server: IP address or host name of the TACACS server.
- Authentication Port: TCP port of the TACACS server, 49 by default.
- Shared Secret: Shared key used to obfuscate TACACS packet bodies. It must be the same as the shared key configured on the TACACS server; with a mismatched key the server cannot decode the authentication request.
By default, packet bodies are obfuscated with the shared key (the TACACS+ header flag for unencrypted bodies is not set), and the port and rem_addr fields of the authentication request are sent empty.
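To make the last two statements concrete, the following added example (not the product's code) builds a TACACS+ authentication START packet the way this page describes it, with empty port and rem_addr fields, and obfuscates the body using the MD5 pseudo-pad defined in RFC 8907 section 4.5, which is keyed by the session ID, the shared secret, the version, and the sequence number. Decoding the packet with a different shared secret produces a body whose length fields no longer add up, which the parser reports instead of accepting. The shared secret, session ID, user name, and password are constructed values.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907 (header version 0xc0: major version 0xc, minor 0).
TAC_PLUS_VERSION = 0xC0
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body is NOT obfuscated
TAC_PLUS_AUTHEN_LOGIN = 0x01         # START action
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
AUTHEN_TYPE = {"ASCII": 0x01, "PAP": 0x02, "CHAP": 0x03}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5:
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; applying the same call again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user: bytes, authen_type: str, data: bytes = b"",
                       port: bytes = b"", rem_addr: bytes = b"", priv_lvl: int = 1) -> bytes:
    """Authentication START body. Each length field is one octet, so every variable
    field is capped at 255 octets. port and rem_addr default to empty as on this page."""
    for name, field in (("user", user), ("port", port), ("rem_addr", rem_addr), ("data", data)):
        if len(field) > 255:
            raise ValueError(f"{name} exceeds 255 octets")
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE[authen_type],
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Prepend the 12-octet header. With a key the body is obfuscated (the default);
    with an empty key the UNENCRYPTED flag is set and the body is sent in clear."""
    if key:
        flags, payload = 0, obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(payload))
    return header + payload


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Decode a START packet with the given shared key. A key mismatch yields a
    pseudo-random body whose action byte and length fields are inconsistent,
    which is raised as an error rather than accepted."""
    if len(packet) < 12:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN or length != len(packet) - 12:
        raise ValueError("not an authentication packet or bad length")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 8:
        raise ValueError("truncated body")
    action, priv_lvl, authen_type, _svc, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if action != TAC_PLUS_AUTHEN_LOGIN or 8 + ul + pl + rl + dl != len(body):
        raise ValueError("body does not decode: shared secret mismatch?")
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    data = body[off:off + dl]
    return {"authen_type": authen_type, "priv_lvl": priv_lvl, "user": user,
            "port": port, "rem_addr": rem_addr, "data": data}


# Constructed sample: PAP START for operator "alice" with empty port and rem_addr.
SHARED_KEY = b"example-shared-secret"   # assumed value
SESSION_ID = 0x1F2E3D4C                  # assumed value
START_BODY = build_authen_start(b"alice", "PAP", data=b"alice-password")
START = build_packet(START_BODY, SESSION_ID, SHARED_KEY)
```

The pseudo pad is confidentiality by obfuscation only: it carries no integrity check, and anyone holding the shared key (or able to guess a weak one from captured traffic) can decode every session. Treat the shared secret like a password and run TACACS over a trusted management network.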
Third-party server
- Third-Party Name: Name of the third-party server that provides the login authentication service. The name cannot exceed 16 characters.
- Third-Party Description: Description of the third-party server that provides the login authentication service. The description cannot exceed 64 characters.
- Login Address: Address provided by the third-party server for authentication. The login address cannot exceed 64 characters. The system supports an HTTP or HTTPS login address. As a best practice, use HTTPS: the login form parameters sent to this address are only Base64-encoded, which is a reversible encoding and not encryption, so over HTTP the credentials are readable by anyone on the path. The login address must be an absolute address and must accept the Base64-encoded login form parameters sent by POST.