Manual Chapter: Authentication Concepts

Authentication in Access Policy Manager

Access Policy Manager® provides several benefits when it comes to authenticating and authorizing your users.

Benefit and description:

  • Policy component: Administrators can add the various supported authentication methods as basic components of their access policy.
  • Flexibility: Administrators can combine multiple authentication mechanisms in an arbitrary manner within a single access policy.
  • Performance: Administrators should see high performance (approximately 250 logins/sec.).
  • Extensible: Administrators can set up retrieval of users' credentials from multiple sources (for example, client certificate fields) as input to an authentication subsystem.
  • Customizable input: Administrators can customize the logon page input and add the customized logon page to their access policy.
  • Generic output: Administrators can use the results from an authentication subsystem as input to other functionality, for instance, resource assignments.

These illustrations depict the use of authentication as an access policy component. They also show how various authentication schemes are combined within a single access policy, and how the result of authentication is used to assign the appropriate resources to a user.

[Figure: How does authentication work? (Create an AAA server object)]
[Figure: How to create an access policy for authentication (Create an access policy)]

Differences between auth and query types

There are two types of authentication items that pertain only to Active Directory and LDAP, and they are configured as two separate access policy items.

  • The auth type is authentication only. In this case, the Access Policy Manager® just verifies the user's credentials against an external server.
  • The query type causes the Access Policy Manager to query the external server for additional information about the user. The query type does not authenticate user credentials; to do so, add the auth type to your access policy.

The auth and query methods are independent of each other, and you do not necessarily need to have them configured within the same access policy.

Attention: If you use LDAP query, Access Policy Manager does not query for the primary group and add it to the memberOf attribute. You must manually look up the attribute memberOf as well as the primary group. (If you use AD query, you can use the information in the Fetch Primary Group attribute.)

What are nested groups?

The nested group feature is used to identify all groups that the user belongs to. Access Policy Manager stores all such groups in the memberOf session variable. For example, if user1 is a member of group1 and group2, and group1 is a member of group3 and group4, then user1 belongs to all four of these groups. In addition, user1 inherits the privileges of group3 and group4 through its membership in group1.

If the nested group feature is disabled on the Access Policy Manager, then the memberOf session variable contains only groups that the user belongs to directly, for instance, group1 and group2.

If the nested group feature is enabled on the Access Policy Manager, then the memberOf session variable contains all groups the user belongs to, which includes group1, group2, group3, and group4.

Note: The nested groups feature works slightly differently for LDAP and Active Directory. If you use nested groups for Active Directory query, you can use it in conjunction with, or independently from, the Fetch Primary Group option.
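The following added example (not F5 code) models what the two sections above describe: how the memberOf session variable is populated with only direct groups when nesting is disabled and with the full transitive set when it is enabled, and why a resource assignment that depends on an inherited group fails in the first case. The toy directory is constructed data mirroring the chapter's user1/group1..group4 example; the extra membership of group3 in group1 is an assumption added to show that a membership cycle must not loop forever. The fetch_primary_group flag models the difference the Attention note draws between AD query (Fetch Primary Group available) and LDAP query (primary group never added to memberOf); the name primaryGroup is an assumed attribute name for this example only.

```python
"""Resolve a user's effective group set as an access-policy query item would.

Added example, not Access Policy Manager code. All directory data below is
constructed for illustration.
"""
from collections import deque

# Constructed toy directory: each entry lists its direct memberOf values.
# group3 -> group1 is an assumed cycle, added to exercise loop protection.
DIRECTORY = {
    "user1":  {"memberOf": ["group1", "group2"], "primaryGroup": "domain-users"},
    "group1": {"memberOf": ["group3", "group4"]},
    "group2": {"memberOf": []},
    "group3": {"memberOf": ["group1"]},     # cycle back to group1
    "group4": {"memberOf": []},
    "domain-users": {"memberOf": []},
}


def direct_groups(name, directory=DIRECTORY):
    """Groups an object is a direct member of (the raw memberOf attribute)."""
    return list(directory.get(name, {}).get("memberOf", []))


def resolve_member_of(user, nested=False, directory=DIRECTORY):
    """Return the set that would populate the memberOf session variable.

    nested=False: direct groups only (group1, group2 for user1).
    nested=True : breadth-first walk over parent groups; the 'seen' set
                  guarantees termination even if the directory has cycles.
    """
    seen = set()
    queue = deque(direct_groups(user, directory))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        if nested:
            queue.extend(direct_groups(group, directory))
    return seen


def effective_groups(user, nested=False, fetch_primary_group=False, directory=DIRECTORY):
    """Groups available for resource assignment after the query item runs.

    fetch_primary_group=True models AD query with Fetch Primary Group: the
    primary group is added alongside memberOf. With LDAP query the primary
    group is never added automatically, so leave the flag False and look it
    up separately, as the chapter's Attention note says.
    """
    groups = resolve_member_of(user, nested, directory)
    if fetch_primary_group:
        primary = directory.get(user, {}).get("primaryGroup")
        if primary:
            groups.add(primary)
    return groups


def assignment_allowed(user, required_group, nested=False, fetch_primary_group=False):
    """Simple resource-assignment check: is the required group in the session's groups?"""
    return required_group in effective_groups(user, nested, fetch_primary_group)


if __name__ == "__main__":
    for nested in (False, True):
        print(f"nested={nested}: memberOf = {sorted(resolve_member_of('user1', nested))}")
    # A policy branch that requires group3 only matches when nesting is on.
    print("group3 allowed, nesting off:", assignment_allowed("user1", "group3", nested=False))
    print("group3 allowed, nesting on: ", assignment_allowed("user1", "group3", nested=True))
```

The practical point of the check at the end: a resource assignment keyed on a group the user reaches only through nesting silently fails when the nested group feature is disabled, and the same applies to a primary group under LDAP query unless it is looked up explicitly.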