NetMRI uses internal and external authentication systems to control user authentication for performing all administrative tasks. For a simple rollout, you can use the NetMRI local authentication database, which is called the local authentication service, where all user accounts and login information are contained within the appliance. You can also link NetMRI to an external Active Directory, RADIUS, TACACS+, LDAP, SAML, or OCSP authentication server or server group in the enterprise network to perform user authentication and authorization for NetMRI tasks, using the same user roles and privileges defined on the local NetMRI system. Doing so requires creating new authentication services in NetMRI.

...

  1. In the Add Authentication Service dialog box, click the Servers tab.
  2. To add Active Directory servers to the service, click New. The Add Authentication Server dialog box opens.
  3. In the Add Authentication Server dialog box, do the following:
    1. Enter the Host/IP Address.
    2. Choose the Encryption Type: None or SSL. For more information, see Using a Certificate File for an LDAP or AD Service. If you select SSL in the Encryption field, the Authentication Port field changes its value to match the SSL protocol.
    3. If using SSL, choose the certificate from the Certificate drop-down list. The certificate can be loaded into NetMRI from the server that issued it.

      Note: When configuring authentication using Active Directory with SSL encryption, a fully qualified domain name (FQDN) is required for the Server Name or IP address field in the Add Active Directory Server dialog.


    4. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which the servers in the service are queried by NetMRI.
    5. If necessary, enter the Port value. The default TCP port for AD is 636 with SSL encryption and 389 for unencrypted communication.
    6. Click Save to save your configuration.
    7. Click Cancel to close the dialog.

...

  1. Click the Servers tab.
    1. Click Add to add LDAP servers to the service. The Add Authentication Server dialog opens.
    2. Enter the Host/IP Address.
    3. Choose the Encryption Type: None or SSL. For more information, see Using a Certificate File for an LDAP or AD Service.
    4. If using SSL, choose the certificate from the Certificate drop-down list. The certificate must be loaded into NetMRI.
    5. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which the servers in the service are queried by NetMRI.
    6. If necessary, enter the Port value. The default TCP port for LDAP is 389.
    7. If necessary, choose the LDAP version. The default is V3. You may choose V2 if the LDAP server supports only that version.
    8. Click Save to save your configuration.
    9. Click Cancel to close the dialog.

...

  • You have enabled ports 443 (HTTPS) and 80 (HTTP) on the firewall to allow NetMRI to communicate with the IDP SAML server.
  • In NetMRI, you have specified the eth0 main MGMT IP address on the Settings > General Settings > Advanced Settings > Configuration Management > Fully Qualified Domain Name page.
  • You have downloaded a valid SSL certificate and private key file from the IDP SAML server and copied them onto your SAML server. You can generate a self-signed certificate and key using OpenSSL; see https://www.openssl.org/docs/manmaster/man1/openssl-req.html.
  • On the IDP SAML server, you have configured the following attributes that NetMRI expects in the SAML assertion:
  NetMRI SAML Attribute Key             | SAML Attribute Value    | Description                                                   | Example
  --------------------------------------|-------------------------|---------------------------------------------------------------|-------------------------------
  uid                                   | username                | User name as specified in the IDP user record.                | jdoe
  urn:oid:1.2.840.113549.1.9.1 or mail  | mail                    | The person's email ID in the IDP user record.                 | jdoe@example.com
  urn:oid:2.5.4.42 or givenName         | givenName               | Given name (first name) as specified in the IDP user record.  | john
  urn:oid:2.5.4.4 or surname            | surname                 | Surname (last name) as specified in the IDP user record.      | doe
  Group Attribute                       | Custom group attribute  | User's relation to the organization or group.                 | memberOf, eduPersonAffiliation
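
A practical way to confirm that your IDP is sending what the table above requires is to pull a test assertion from the IDP and check its AttributeStatement before pointing NetMRI at it. The following is an added example, not code from the NetMRI documentation or product: it parses a constructed SAML 2.0 assertion with the Python standard library and maps each attribute to the NetMRI key, accepting either the urn:oid form or the friendly name from the table. The group attribute name is IDP-specific (the table calls it a custom group attribute), so the caller passes it in; the assertion XML, the function name and the group values are all constructed for this example.

```python
"""Check that a SAML 2.0 assertion carries the attributes NetMRI expects.

Added example, not part of the NetMRI documentation. The SAMPLE_ASSERTION below
is constructed for illustration; the attribute names come from the table of
NetMRI SAML attribute keys.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# NetMRI key -> attribute Names accepted in the assertion (urn:oid or friendly name).
ATTRIBUTE_ALIASES = {
    "uid": ("uid",),
    "mail": ("urn:oid:1.2.840.113549.1.9.1", "mail"),
    "givenName": ("urn:oid:2.5.4.42", "givenName"),
    "surname": ("urn:oid:2.5.4.4", "surname"),
}

# Constructed test assertion (unsigned, for parsing only). A real IDP response
# would be signed and should be parsed with defusedxml rather than plain
# xml.etree when the input is untrusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>john</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>netmri-admins</saml:AttributeValue>
      <saml:AttributeValue>network-ops</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_netmri_attributes(assertion_xml, group_attribute="memberOf"):
    """Return (found, missing) for the attributes NetMRI expects.

    found   : dict mapping NetMRI key -> list of values from the assertion
    missing : list of NetMRI keys that no accepted attribute Name supplied
    """
    root = ET.fromstring(assertion_xml)

    # Collect every attribute in the AttributeStatement as Name -> [values].
    present = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        present[attr.get("Name")] = values

    wanted = dict(ATTRIBUTE_ALIASES)
    wanted["group"] = (group_attribute,)  # custom group attribute, per the table

    found, missing = {}, []
    for key, aliases in wanted.items():
        for alias in aliases:
            if alias in present:
                found[key] = present[alias]
                break
        else:
            missing.append(key)
    return found, missing


if __name__ == "__main__":
    found, missing = extract_netmri_attributes(SAMPLE_ASSERTION)
    for key, values in found.items():
        print(f"{key:10s} -> {values}")
    print("missing:", missing or "none")
```

Run it against an assertion exported from your IDP (or captured with the browser's SAML tracer) and check that `missing` is empty; if you use `eduPersonAffiliation` rather than `memberOf` as the group attribute, pass it as `group_attribute` so the check matches what you configured in the IDP.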


To configure a NetMRI SAML authentication service, complete the following:

...

For more information, see the next section. You can also configure the OCSP service using the cac command from the administrative shell.

OCSP Authentication Configuration

...

  • The IP address of the OCSP server.
  • The OCSP server port must be reachable from NetMRI (allowed through any intervening firewall).
  • A valid pre-uploaded CA certificate for the OCSP server. You upload certificates to NetMRI under the Settings icon > General Settings > Security > CA Certificates. For more information, see NetMRI Security Settings.

...