You can configure authentication and authorization using AAA servers with Access Policy Manager®. Access Policy Manager uses the concept of access policies to authenticate and authorize users on the system. The stringency of the authentication mechanism you use for Access Policy Manager should match the authentication level of your local network; that is, the standards you apply to Access Policy Manager authentication should be as high as those you use for your local network.
You can set up authentication using Access Policy Manager by any combination of the following methods.
Authentication method | Description |
---|---|
RADIUS | Uses the server at your site that supports using the RADIUS protocol. |
LDAP | Uses the server at your site that supports authentication using LDAP. |
Microsoft Active Directory | Uses the server at your site that supports Kerberos authentication against a Windows 2000 or later server. For a list of network ports required for authentication with Active Directory, refer to the Microsoft KB article 832017 under sections such as: |
HTTP | Uses external web-based authentication servers to validate user credentials, and to control user access to specific network resources. This method includes HTTP basic, HTTP NTLM, and HTTP form-based methods. Note: For HTTP Auth, NTLMv2 is currently not supported. |
RSA SecurID over RADIUS | Uses the RADIUS protocol for authentication. To use this authentication method, you must select RADIUS as the authentication method. |
RSA Native SecurID | Uses the RSA Native SecurID protocol for authentication. You must have an authentication server set up and select SecurID as the authentication method. |
Oracle Access Manager | Uses the Oracle Access Manager (OAM) server for authentication and authorization to eliminate the need to deploy a WebGate proxy in front of each application. |
CRLDP | Distributes certificate revocation information across a network that identifies how the server obtains CRL information. |
Online Certificate Status Protocol (OCSP) | Retrieves the revocation status of the X.509 certificate to ensure the Access Policy Manager obtains real-time revocation status during the certificate verification process. |
Terminal Access Controller Access Control System (TACACS+) | Encrypts the entire body of the authentication packet. The system collects user credentials using the login screen agent in the access policy, and stores the collected credentials in the session.logon.last.username and session.logon.last.password session variables. |
To use route domains for AAA authentication traffic, you must use the pool option in the AAA server configuration. When Use Pool is the selected Server Connection option, the server address field can take an IP address with route domain (IPAddress%RouteDomain) format. The route domain value is ignored when the AAA server is configured in direct option.
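As an added illustration (not F5 code) of the IPAddress%RouteDomain server-address format and the pool-versus-direct rule above, the following Python parser splits the route domain off before IP parsing (so an IPv6 literal is not misread as carrying a scope ID) and discards it for the direct option. The 65534 upper bound on route domain IDs, and treating "ignored" as "falls back to the default route domain 0", are assumptions of this example.

```python
# Added example (not F5 code): parse the IPAddress%RouteDomain server-address format
# the page describes for the Use Pool server-connection option.
import ipaddress
import warnings
from dataclasses import dataclass

MAX_ROUTE_DOMAIN_ID = 65534  # assumed upper bound for a route domain ID


@dataclass(frozen=True)
class AAAServerAddress:
    ip: str            # normalised IP literal
    route_domain: int  # 0 is the default route domain


def parse_server_address(text: str, server_connection: str = "pool") -> AAAServerAddress:
    """Parse 'IPAddress' or 'IPAddress%RouteDomain'.

    The split on '%' happens before ipaddress parsing, because Python would otherwise
    read '%rd' on an IPv6 literal as a scope (zone) ID rather than a route domain.
    With the direct server-connection option the route domain is ignored, as the page
    states; here that is modelled by dropping it back to 0 with a warning (assumption).
    """
    if server_connection not in ("pool", "direct"):
        raise ValueError(f"unknown server connection option: {server_connection!r}")
    ip_part, sep, rd_part = text.strip().partition("%")
    ip = ipaddress.ip_address(ip_part)  # raises ValueError for a malformed literal
    route_domain = 0
    if sep:
        if not rd_part.isdigit() or int(rd_part) > MAX_ROUTE_DOMAIN_ID:
            raise ValueError(f"invalid route domain ID: {rd_part!r}")
        route_domain = int(rd_part)
    if server_connection == "direct" and route_domain != 0:
        warnings.warn(f"route domain {route_domain} ignored: direct connection does not use it")
        route_domain = 0
    return AAAServerAddress(str(ip), route_domain)
```

Validating the address this way before it reaches a configuration push catches the common mistake of adding a route domain suffix to a direct-mode server and then wondering why the traffic leaves through the default route domain.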
Access Policy Manager® supports authenticating and authorizing the client against external RADIUS servers. When a client connects with the user name and password, Access Policy Manager authenticates against the external server on behalf of the client, and authorizes the client to access resources if the credentials are valid.
The following table lists the specific RADIUS attributes that Access Policy Manager® sends with RADIUS requests.
Attribute | Purpose |
---|---|
User-Name | Indicates the name of the authenticated user. |
User-Password | Indicates the password of the authenticated user. |
NAS-IP-Address | Indicates the identifying IP Address of the NAS. |
NAS-IPv6-Address | Indicates the identifying IPv6 Address of the NAS. |
NAS-Identifier | Indicates the identifying name of the NAS. |
Service-Type | Indicates the type of service the user has requested. |
NAS-Port | Indicates the physical port number of the NAS that is authenticating the user. |
You can report user session information to an external RADIUS accounting server. If you select this mode only, the system assumes that you have set up another type of authentication method to authenticate and authorize your users to access their resources.
This accounting data is used primarily for billing, statistical, and general network monitoring purposes.
These tables list specific RADIUS accounting attributes that Access Policy Manager® sends for RADIUS Accounting-Request start messages and RADIUS Accounting-Request stop messages.
Attribute | Purpose |
---|---|
User-Name | Indicates the name of the authenticated user. |
Acct-Session-Id | Indicates a unique accounting ID to make it easy to match start and stop records in a log file. It is essentially a user's session ID. |
Acct-Status-Type | Indicates whether the accounting-request marks the beginning of the user service (Start) or the end (Stop). |
Acct-Authentic | Indicates how the user was authenticated, whether by RADIUS, the NAS itself, or by another remote authentication protocol. |
Service-Type | Indicates the type of service the user has requested. |
NAS-IP-Address | Identifies the IP address of the NAS that is requesting authentication of the user. The administrator can enter this address on the AAA RADIUS server configuration page. |
NAS-IPv6-Address | Indicates the identifying IPv6 Address of the NAS. |
NAS-Identifier | Indicates the identifying name of the NAS. |
NAS-Port | The physical port number of the NAS that is authenticating the user. It is always set to 0. |
Tunnel-Client-Endpoint | Contains the IP address of the initiator end of the tunnel. |
Class | Administrators can make resource assignments using this attribute. |
Attribute | Purpose |
---|---|
Acct-Terminate-Cause | Indicates how the session was terminated. Access Policy Manager supports three values for this attribute: User Request, Session Timeout, Admin Reset. |
Acct-Session-Id | A unique accounting ID to make it easy to match start and stop records in a log file. It is essentially a user's session ID. |
Acct-Status-Type | Indicates whether the accounting-request marks the beginning of the user service (Start) or the end (Stop). |
Acct-Session-Time | Indicates the number of seconds the user has received service for. |
Service-Type | Indicates the type of service the user has requested. |
Framed-IP-Address | Indicates the address configured for the user. |
NAS-IPv6-Address | Indicates the identifying IPv6 Address of the NAS. |
NAS-Identifier | Indicates the identifying name of the NAS. |
Acct-Input-Octets | Indicates the number of octets received from the port over the course of the service provided. |
Acct-Output-Octets | Indicates the number of octets sent to the port in the course of delivering the service provided. |
Note: If the user does not log off, but simply closes the web browser window, Access Policy Manager sends the RADIUS stop message when the user's session times out. RADIUS accounting messages are sent asynchronously. Access Policy Manager stores the user session start and end information in its database, and sends them to the RADIUS accounting server.
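The following added example (not F5/APM code) shows, for both the authentication attribute table and the two accounting tables above, what those attributes look like on the wire: it encodes an Access-Request carrying User-Name, User-Password (hidden per RFC 2865), NAS-IP-Address, NAS-Identifier, Service-Type and NAS-Port, and Accounting-Request Start/Stop records whose Request Authenticator is computed and verified per RFC 2866. The shared secret, session ID and Service-Type value are constructed values, not values APM is documented to use.

```python
"""Added example (not F5/APM code): RADIUS Access-Request and Accounting-Request packets
carrying the attributes from the tables above, per RFC 2865 and RFC 2866."""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4            # packet codes
# Attribute type numbers (RFC 2865/2866/2868/3162) for the attributes the page lists.
ATTR = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4, "NAS-Port": 5,
        "Service-Type": 6, "Framed-IP-Address": 8, "Class": 25, "NAS-Identifier": 32,
        "Acct-Status-Type": 40, "Acct-Input-Octets": 42, "Acct-Output-Octets": 43,
        "Acct-Session-Id": 44, "Acct-Authentic": 45, "Acct-Session-Time": 46,
        "Acct-Terminate-Cause": 49, "Tunnel-Client-Endpoint": 66, "NAS-IPv6-Address": 95}
ADDRESS_ATTRS = {"NAS-IP-Address", "Framed-IP-Address", "NAS-IPv6-Address"}
ACCT_START, ACCT_STOP = 1, 2                          # Acct-Status-Type values
# The three Acct-Terminate-Cause values the page says APM sends, with their RFC 2866 codes.
TERMINATE_CAUSE = {"User Request": 1, "Session Timeout": 5, "Admin Reset": 6}


def encode_attrs(attrs):
    """Serialise [(name, value), ...] as RADIUS Type-Length-Value triples."""
    out = b""
    for name, value in attrs:
        if name in ADDRESS_ATTRS:
            raw = ipaddress.ip_address(value).packed           # 4 or 16 octets
        elif isinstance(value, int):
            raw = struct.pack("!I", value)                     # 32-bit integer attribute
        else:
            raw = value if isinstance(value, bytes) else value.encode()
        if not 1 <= len(raw) <= 253:
            raise ValueError(f"{name}: value length {len(raw)} out of range")
        out += struct.pack("!BB", ATTR[name], len(raw) + 2) + raw
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16n octets and XOR each block with MD5(secret + previous
    block), seeded with the Request Authenticator. The hiding rests entirely on the
    shared secret, which is why RADIUS needs a strong secret and a trusted network path."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, nas_ip, nas_id,
                         nas_port=0, authenticator=None):
    """Access-Request with the first table's attributes. Service-Type=Login (1) is a
    constructed value; the page does not state which Service-Type APM sends."""
    auth = authenticator or os.urandom(16)               # random Request Authenticator
    body = encode_attrs([("User-Name", username),
                         ("User-Password", hide_password(password.encode(), secret, auth)),
                         ("NAS-IP-Address", nas_ip), ("NAS-Identifier", nas_id),
                         ("Service-Type", 1), ("NAS-Port", nas_port)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body


def build_accounting_request(secret, ident, attrs):
    """Accounting-Request. RFC 2866 s3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


def verify_accounting_request(secret, packet) -> bool:
    """Recompute the accounting authenticator; False means a wrong secret or a modified packet."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + b"\x00" * 16 + body + secret).digest() == auth


def parse(packet):
    """Return (code, identifier, authenticator, [(type, raw), ...]); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4]) if len(packet) >= 4 else (0, 0, 0)
    if length < 20 or length != len(packet):
        raise ValueError("Length field does not match packet size")
    body, attrs, pos = packet[20:], [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return code, ident, packet[4:20], attrs
```

A Start record for the tables above is `build_accounting_request(secret, 1, [("User-Name", "user1"), ("Acct-Session-Id", sid), ("Acct-Status-Type", ACCT_START), ("Acct-Authentic", 1), ("NAS-IP-Address", "10.0.0.1"), ("NAS-Port", 0)])`, and the matching Stop record carries the same Acct-Session-Id with Acct-Status-Type ACCT_STOP, Acct-Terminate-Cause and Acct-Session-Time. Running `parse` over a captured Start/Stop pair is a quick way to confirm which of the listed attributes a deployment actually emits, and `verify_accounting_request` returning False on a stored record means a secret mismatch or a modified packet, which is one reason to give each NAS its own shared secret on the accounting server.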
You can use LDAPS in place of LDAP when the authentication messages between the Access Policy Manager® and the LDAP server must be secured with encryption. However, there are instances where you will not need LDAPS and the security it provides. For example, authentication traffic happens on the internal side of the Access Policy Manager, and may not be subject to observation by unauthorized users. Another example of when not to use LDAPS is when authentication is used on separate VLANs to ensure that the traffic cannot be observed by unauthorized users.
LDAPS is achieved by directing LDAP traffic through a virtual server that uses server-side SSL to communicate with the LDAP server. Essentially, you create an LDAP AAA object whose address is that of the virtual server. That virtual server (with server SSL) directs its traffic to a pool whose member has the address of the LDAP server.
There are two types of authentication, auth and query, that pertain only to Active Directory and LDAP authentication, and they use two separate access policy items.
The auth and query methods are independent of each other, and you do not necessarily need to have them configured within the same access policy.
The nested group feature is used to identify groups to which the user belongs. Access Policy Manager® stores such groups in the memberOf session variable.
For example, if user1 is a member of group1 and group2, and group1 is a member of group3 and group4, then user1 belongs to all four of these groups; user1 inherits the group3 and group4 privileges through group1.
This holds only when the nested group feature is enabled on Access Policy Manager. The contents of the memberOf session variable differ depending on whether the nested group feature is enabled or disabled.
To set up this configuration, perform the procedures in the task list.
You can authenticate using Active Directory authentication with Access Policy Manager. We support using Kerberos-based authentication through Active Directory.
Access Policy Manager® supports password management for Active Directory authentication. This process works in the following sequence:
If the password change fails, it is likely that the Active Directory server rejected it because the password did not meet the minimum requirements such as password length.
Rules | Explanation |
---|---|
Cross-domain support and split domain from username are both enabled. | If you enable cross-domain support and enable split domain from username at the login page, and the user then enters a user name such as user@domain.com, Access Policy Manager® uses user@domain.com as the user principal name to authenticate the user against the USERNAME.COM domain. |
Cross-domain support is enabled but split domain from username is disabled. | Access Policy Manager handles the user's input as a simple user name and escapes the "@" and "\" characters. In other words, Access Policy Manager uses user\@userdomain.com@DEFAULTREALM.COM to authenticate the user, where DEFAULTREALM.COM is the domain name configured on the AAA AD Server configuration page. |
The user does not specify a domain. | Regardless of whether the split domain from username option is enabled or disabled, Access Policy Manager uses user@defaultrealm.com to authenticate the user. |
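As an added example (not F5 code), the three rules in the table expressed as one function. The realm for the first rule is derived from the domain part of the typed name and upper-cased (the conventional Kerberos spelling); the backslash escaping in the second rule and the handling of the cross-domain-disabled case, which the table does not describe, are assumptions of this example.

```python
# Added example (not F5/APM code): apply the three rules in the table to turn what the
# user typed at the logon page into the principal used for Kerberos authentication.


def escape_simple_name(name: str) -> str:
    """Rule 2: treat '@' and '\\' as literal characters of a simple user name by escaping
    them, giving the user\\@userdomain.com form the table shows. Escaping '\\' as '\\\\'
    is an assumption; the page only shows the '@' case."""
    return name.replace("\\", "\\\\").replace("@", "\\@")


def resolve_principal(typed: str, cross_domain: bool, split_domain: bool,
                      default_realm: str = "DEFAULTREALM.COM") -> tuple:
    """Return (principal, realm) for the given cross-domain / split-domain settings."""
    typed = typed.strip()
    if "@" not in typed:
        # Rule 3: no domain typed, so the configured default realm applies regardless
        # of the split-domain setting.
        return f"{typed}@{default_realm}", default_realm
    user, _, domain = typed.rpartition("@")   # rightmost '@' separates user from domain
    if cross_domain and split_domain:
        # Rule 1: the typed user@domain.com is the user principal name, and the
        # authentication goes to that domain's realm (assumed to be its upper-cased name).
        return f"{user}@{domain}", domain.upper()
    # Rule 2 (cross-domain enabled, split disabled): whole input is a simple user name in
    # the default realm. Cross-domain disabled is not described on the page and is
    # treated the same way here (assumption).
    return f"{escape_simple_name(typed)}@{default_realm}", default_realm
```

The second rule is the one worth checking in a lab before go-live: with split-domain disabled, a user who types user@otherdomain.com is not routed to otherdomain.com at all but looked up as a literal account name in the default realm, which typically fails and is easy to misread as a trust problem.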
HTTP authentication methods use external web-based servers to validate user credentials. Access Policy Manager® supports the following HTTP authentication methods:
If you choose to use HTTP form-based authentication, you must provide any hidden form parameters and their values. When present, these values are required by the authentication server's login form at your location.
To set up this configuration, perform the procedures in the task list. You can choose to configure with HTTP Basic, HTTP NTLM, or HTTP form-based.
To set up this configuration, perform the procedures in the task list.
RSA Native SecurID is a two-factor authentication mechanism developed by RSA®, the Security Division of EMC®. This authentication mechanism is based on a user PIN or password combined with a code generated by an authenticator issued to the user.
A token is an authentication code generated every 60 seconds by an authenticator (hardware or software) assigned to the user.
To set up this configuration, perform the procedures in the task list.
Access Policy Manager® supports authenticating and authorizing the client against Online Certificate Status Protocol (OCSP). OCSP is a mechanism used to retrieve the revocation status of an X.509 certificate by sending the certificate information to a remote OCSP responder. This responder maintains up-to-date information about the certificate's revocation status. OCSP ensures that Access Policy Manager always obtains real-time revocation status during the certificate verification process.
To set up this configuration, perform the procedures in the task list.
This is an example of an access policy with all the associated elements needed to authenticate and authorize users with OCSP authentication. Notice that you must add either the Client Cert Inspection agent or the On-Demand Cert Auth agent before the OCSP Auth object in your access policy. One of those agents is required in order to receive the X.509 certificate from the user. This is also important since both agents store the user information as well as the issuer certificates in the session variables. This allows the OCSP Auth agent to check the revocation status of the user's certificate.
Access Policy Manager® supports authenticating and authorizing the client against Certificate Revocation List Distribution Point (CRLDP) servers. CRLDP is a mechanism used to distribute certificate revocation information across a network. Specifically, a distribution point is a Uniform Resource Identifier (URI) or directory name in a certificate that identifies how the server obtains CRL information. You can use distribution points in conjunction with CRLs to configure certificate authorization using any number of LDAP servers.
To set up this configuration, perform the procedures in the task list.
This is an example of an access policy with all the associated elements needed to authenticate and authorize your users with CRLDP authentication. Notice that you must add either the Client Cert Inspection agent or the On-Demand Cert Auth agent before the CRLDP Auth object in your access policy. One of those agents is required in order to receive the X.509 certificate from the user. This is also important since both agents store the user information, as well as the issuer certificates, in the session variables. This allows the CRLDP Auth agent to check the revocation status of the user's certificate.
Access Policy Manager® supports authenticating and authorizing the client against Terminal Access Controller Access Control System (TACACS+) servers. TACACS+ is a mechanism used to encrypt the entire body of the authentication packet. If you use TACACS+ authentication, user credentials are authenticated on a remote TACACS+ server. If you use the TACACS+ Accounting feature, the accounting service sends start and stop accounting records to the remote server.
To set up this configuration, perform the procedures in the task list.
This is an example of an access policy with all the associated elements needed to authenticate and authorize users with TACACS+ authentication. Note that the server used for authentication can be different from the server used for TACACS+ accounting service.
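Added example (not F5 or TACACS+ server code) showing what "encrypts the entire body" means in TACACS+: the body obfuscation from RFC 8907 section 4.5, a PAP authentication START packet built with it, and the parse step that recovers the body with the configured key. The key, session ID and field values are constructed.

```python
# Added example (not F5/APM code): TACACS+ body protection per RFC 8907 section 4.5.
# The body is XORed with an MD5-derived pad keyed by the shared key, so the whole body
# (user name, password and all) is hidden from a casual observer of the wire.
import hashlib
import struct

TAC_PLUS_AUTHEN = 1                 # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # flags bit: body sent in the clear
VERSION = 0xC0                      # major version 0xC, minor version 0
AUTHEN_LOGIN, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN, PRIV_LVL_USER = 1, 2, 1, 1


def pad_stream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1}; concatenate
    and truncate to the body length."""
    stream, prev = b"", b""
    while len(stream) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        stream += prev
    return stream[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int, version: int = VERSION) -> bytes:
    """Symmetric: the same call recovers the body (XOR with the same pad)."""
    pad = pad_stream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, password: str) -> bytes:
    """Authentication START body (RFC 8907 section 5.1): PAP login, password in data."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    return struct.pack("!BBBBBBBB", AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """12-byte header followed by the obfuscated body, or by the cleartext body flagged
    TAC_PLUS_UNENCRYPTED_FLAG when no key is configured."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, seq_no) if key else body
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Parse the header and recover the START body fields. A wrong key yields garbage
    field lengths, which the consistency check turns into an error, not a silent misparse."""
    if len(packet) < 12:
        raise ValueError("packet shorter than TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if len(packet) != 12 + length:
        raise ValueError("length field does not match packet size")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no, version)
    ulen, plen, rlen, dlen = body[4], body[5], body[6], body[7]
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("body field lengths inconsistent (wrong key or corrupted body)")
    fields, pos = {}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[pos:pos + n].decode("utf-8", "replace")
        pos += n
    fields.update(session_id=session_id, seq_no=seq_no,
                  encrypted=not flags & TAC_PLUS_UNENCRYPTED_FLAG)
    return fields
```

The pad depends only on the session ID, the key, the version and the sequence number, and provides no integrity protection; RFC 8907 describes the scheme as obfuscation and requires TACACS+ to be deployed only on a secured network. In practice that means keeping the path between Access Policy Manager and the TACACS+ server on a dedicated or management VLAN, the same consideration the LDAPS section above gives for LDAP traffic, and alerting on any packet seen with the unencrypted flag set.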