
NetMRI uses internal and external authentication systems to control user authentication for performing all administrative tasks. For a simple rollout, you can use the NetMRI local authentication database, which is called the local authentication service, where all user accounts and login information are contained within the appliance. You can also link NetMRI to an external Active Directory, RADIUS, TACACS+ or LDAP authentication server or server group in the enterprise network to perform user authentication and authorization for NetMRI tasks, using the same user roles and privileges defined on the local NetMRI system. Doing so requires creating new authentication services in NetMRI.
Use the Authentication Services Settings page (Settings icon –> General Settings –> Authentication Services) to configure authentication server settings.

Configuring NetMRI External Authentication


Note: The root Admin account is authenticated only through the NetMRI local authentication database. Other administrator accounts can be authenticated and authorized against an external server.

If you define one or more authentication servers under Authentication Services Settings, NetMRI uses the account information from those servers in the order given by priority to accept or reject a given username and password. The only exception is the admin account, which is always validated using the Local Database. NetMRI can be accessed by the system administrator even when authentication servers are down or cannot be accessed by the appliance.
You can disable the local authentication service, in which case only the primary Admin account will be locally authenticated. You can also change the priority level of the Local service, which affects the order in which the local service will be activated for authentication requests. For some applications, retaining the Local service as highest priority is recommended.
You can also enable multiple server groups of different types to authenticate and authorize users. Each server group, whether LDAP, AD, RADIUS or TACACS+, together with the mapping between the remote user groups and the local NetMRI roles, is referred to as an authentication service. You configure each authentication service to use a group of one or more authentication servers.
For NetMRI user accounts, you define roles and privileges locally in the NetMRI appliance. All user account roles and privileges remain local to the NetMRI appliance and are not directly defined on the RADIUS, TACACS+, LDAP or AD server (for information about user Roles and Privileges, see Creating Admin and User Accounts.) The external server is used for authentication of the user account. Authorization functions are tied to the assignments between the remote user group names and the NetMRI Roles in the desired NetMRI device groups.
The following figure illustrates the authentication and authorization process for users authenticated by remote servers. In the example, two authentication services are configured: a RADIUS service and an Active Directory service. When an admin logs in with a user name and password, NetMRI uses the service configured with the highest Priority setting to authenticate the admin. If authentication fails, NetMRI tries the next-highest-priority service, and so on. For each service, it tries each authentication server in the order given by their priority, until successful or all services fail, including the local authentication service. If all services fail to authenticate the login attempt, NetMRI denies access and generates an error notification.
If authentication succeeds, NetMRI tries to match the user's group names received from the remote server to those assigned to the local roles and device groups defined in the authentication service properties. If it finds a match, the NetMRI appliance applies the privileges of these roles in the specified device groups to the authenticated user. If the appliance does not find a match, it denies access.

Note: When a new user is authenticated and authorized through one of the remote services, NetMRI automatically creates the new account locally on the appliance and learns the Roles and device group assignments from the remote service. If there happens to be an established local user account, and the account login is authenticated and authorized by an external service, NetMRI will update its local profile to reflect the Roles and device group assignments granted by the last external authorization.
An admin can use an account's Force Local Authentication setting to prevent a user account from being authenticated and authorized by an external service. This requires the Local authentication service to be the highest-priority service. For information, see User Administration in NetMRI and its subsections.
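The login decision described above (services tried in priority order, servers tried in priority order within a service, the admin account always validated locally, remote group names matched to roles and device groups, and the local account created or updated from the last external authorization), as an added example rather than NetMRI's own code. Service names, priorities and accounts are constructed, and priority 1 is assumed to be the highest priority.

```python
# Added example (not NetMRI code): a model of the login decision described
# above.  Service names, priorities and accounts are constructed sample data;
# priority 1 is assumed to be the highest priority.
LOCAL = "Local"

def query_server(server, username, password):
    """Stand-in for an AD/RADIUS/LDAP lookup: remote groups on success, else None."""
    if not server.get("up", True):
        return None
    entry = server["accounts"].get(username)
    if entry is None or entry["password"] != password:
        return None
    return list(entry["groups"])

def map_groups(service, remote_groups):
    """Match remote group names against the service's Remote Groups mappings;
    returns {role: set(device groups)}, empty when nothing matched."""
    roles = {}
    for group in remote_groups:
        for role, device_groups in service["remote_groups"].get(group, []):
            roles.setdefault(role, set()).update(device_groups)
    return roles

def login(services, local_db, username, password):
    """Return (granted, service name, roles).  local_db maps username ->
    {"password", "roles", "force_local"} and is updated on external success."""
    profile = local_db.get(username)
    local_ok = bool(profile and profile["password"] == password)
    if username == "admin":      # always validated by the Local Database
        return local_ok, LOCAL, (profile["roles"] if local_ok else {})
    force_local = bool(profile and profile.get("force_local"))
    for service in sorted(services, key=lambda s: s["priority"]):
        if not service.get("enabled", True):
            continue
        if service["name"] == LOCAL:
            if local_ok:
                return True, LOCAL, profile["roles"]
            continue             # rejected locally: next service by priority
        if force_local:
            continue             # Force Local Authentication skips externals
        for server in sorted(service["servers"], key=lambda s: s["priority"]):
            groups = query_server(server, username, password)
            if groups is None:
                continue         # server down or rejected: try the next one
            roles = map_groups(service, groups)
            if not roles:        # authenticated, but no remote group matched
                return False, service["name"], {}
            local_db[username] = {"password": password, "roles": roles,
                                  "force_local": False}   # create/update local account
            return True, service["name"], roles
    return False, None, {}

def sample_setup():
    """Constructed setup: RADIUS (priority 1, first server down), AD (2), Local (3)."""
    radius = {"name": "RADIUS", "priority": 1, "servers": [
        {"priority": 1, "up": False, "accounts": {}},
        {"priority": 2, "accounts": {"jsmith": {"password": "pw1", "groups": ["netops"]}}}],
        "remote_groups": {"netops": [("SysAdmin", {"*"})]}}   # "*": all device groups
    ad = {"name": "AD", "priority": 2, "servers": [{"priority": 1, "accounts": {
        "jsmith": {"password": "pw1", "groups": ["helpdesk"]},
        "rjones": {"password": "pw2", "groups": ["guests"]}}}],
        "remote_groups": {"helpdesk": [("Operator", {"Routers", "Switches"})]}}
    local = {"name": LOCAL, "priority": 3, "servers": []}
    local_db = {"admin": {"password": "secret", "roles": {"SysAdmin": {"*"}}}}
    return [radius, ad, local], local_db
```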

Defining Authentication Services

In all cases, configuring authentication protocols for the NetMRI appliance requires creating one or more authentication services from the Settings icon –> General Settings –> Authentication Services page:

...

The following sections describe the configuration of each authentication and authorization service.

Authenticating Users using AD (Active Directory)

Active Directory™ (AD) is a Microsoft-proprietary distributed directory service based upon LDAP that serves as a repository for user information. The NetMRI appliance can authenticate user accounts by verifying user names and passwords against an Active Directory server. NetMRI can use the AD authentication service to query the AD domain controller for the user's group membership information. NetMRI then matches the group names from the domain controller with the group names in its authentication service properties. It authorizes services and grants the administrative roles and privileges for the remote user groups assigned to its local roles and the specified device groups.
The Active Directory schema is predefined for User and Group entries, which means that in NetMRI, you only need to specify the Domain of the AD server, along with its IP address.

Active Directory Service Configuration

Configuring AD services requires knowledge of the following key values:

...

  1. Click the Servers tab.
    1. Click Add to add Active Directory servers to the service. The Add Authentication Server dialog opens.
    2. Enter the Host/IP Address.
    3. Choose the Encryption Type: None or SSL. (For information, see Using a Certificate File for an LDAP or AD Service.) In the Encryption field, if you select SSL, the Authentication Port field changes its value to match the SSL protocol.
    4. If using SSL, choose the certificate from the Certificate drop-down list. (The certificate can be loaded into NetMRI from the server that issued it.)
    Note: When configuring authentication using Active Directory with SSL encryption, a fully qualified domain name (FQDN) is required for the Server Name or IP address field in the Add Active Directory Server dialog.
    5. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which the servers in the service are queried by NetMRI.
    6. If necessary, enter the Port value. AD's default TCP port is 636 with SSL encryption and 389 for non-encrypted communication.
    7. Click Save to save your configuration.
    8. Click Cancel to close the dialog.

...

  1. Click the Remote Groups tab.
    1. In the Remote Group field, enter the name of an AD server's remote group.
    2. Choose the Role for the new remote group. (For information, see Defining and Editing Roles.)
    3. Check the check boxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow selection of individual device groups.
    4. Click OK to complete the configuration.
    5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
  2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.


Importing the AD Server Certificate

If the Active Directory server authentication uses SSL, you upload the Active Directory server's CA certificate to NetMRI:

  1. Open the Settings icon –> General Settings –> Security page and click the CA Certificates tab.
  2. Click Import.
  3. In the pop-up window, enter a descriptive name for the certificate and click Browse to locate the Active Directory server's CA certificate.
  4. Click Import to import the CA certificate to NetMRI.


Authenticating Users Using LDAP

LDAP (Lightweight Directory Access Protocol) is an internet protocol for accessing distributed directory services. NetMRI can authenticate and authorize admin accounts by verifying user names and passwords against the directory in LDAP. The directory service is an information storage model where all information is a collection of entries arranged in a hierarchical tree-like structure called a Directory Information Tree (DIT). Each entry in the directory consists of a set of attributes that each describe an information type, such as a network domain, country, company, organization, person, and so on. All entries have a globally unique Distinguished Name (DN) that typically represents a path to that entry in the directory tree. You use values called Base DNs in your LDAP service configuration to navigate the directory structure and locate your user accounts for authentication and authorization.
NetMRI queries the LDAP server for the user account's group membership information. The appliance matches the remote group names from the LDAP server with the group names in its local database. NetMRI then authorizes services and grants the admin privileges, based upon the matching admin group on the appliance.

LDAP Authentication Service Configuration

Configuring LDAP authentication services requires knowledge of the following key values:

...

  1. Example: user jsmith, organizational unit People, domain corp100.com
    dn: cn=jsmith,ou=People,dc=corp100,dc=com
    memberOf: cn=management,ou=Group,dc=corp100,dc=com
    You must use the memberOf overlay or a similarly behaving overlay to define the membership.
  2. Choose the Search Level, which determines how far the LDAP service searches in the directory tree. The Subtree value is the default and can be retained for most applications. The options are:
    • One Level: Searches the directory entries immediately below the base object.
    • Base: Searches only the base object.
    • Subtree: Searches the whole directory tree below and including the base object. This is the default.
  3. Choose the Authentication, which can be either Anonymous or Authenticated. (For a fuller description, see the subsection Server Authentication: Anonymous vs. Authenticated below.)
  4. If the setting is Authenticated, enter the Bind User DN (this is a core value defined on the LDAP server).
  5. Enter the Bind Password, which is associated with the Bind user for the server.
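How the Base DN and Search Level settings select entries, and how NetMRI-style group names come out of the memberOf values, as an added example that is not NetMRI code. The directory entries are constructed around the jsmith entry shown above; escaped commas in DN values are not handled.

```python
# Added example (not NetMRI code): how the Base DN and Search Level settings
# above select entries, and how group names are read from memberOf values.
# The directory entries below are constructed around the page's jsmith entry.

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf RDN first, e.g.
    'cn=jsmith,ou=People,dc=corp100,dc=com' -> [('cn','jsmith'), ('ou','people'), ...].
    Names and values are lower-cased so comparisons are case-insensitive;
    escaped commas inside values are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, base_dn, level):
    """Apply the Search Level: Base (the base object only), One Level (entries
    immediately below the base) or Subtree (the base and everything below it)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                       # not under the base object at all
    depth = len(entry) - len(base)         # 0 means the base object itself
    return {"Base": depth == 0, "One Level": depth == 1, "Subtree": True}[level]

def groups_of(entry):
    """Group names NetMRI would match: the leaf cn of each memberOf value,
    which is what the memberOf overlay maintains on the user entry."""
    return [parse_dn(dn)[0][1] for dn in entry.get("memberOf", [])]

def find_user(directory, base_dn, level, username):
    """Locate the entry whose leaf cn is the login name within the search scope."""
    for dn, attrs in directory.items():
        if in_scope(dn, base_dn, level) and parse_dn(dn)[0] == ("cn", username.lower()):
            return dn, attrs
    return None

SAMPLE_DIRECTORY = {   # constructed entries in the page's corp100.com tree
    "ou=People,dc=corp100,dc=com": {},
    "cn=jsmith,ou=People,dc=corp100,dc=com": {
        "memberOf": ["cn=management,ou=Group,dc=corp100,dc=com",
                     "cn=administrators,ou=Group,dc=corp100,dc=com"]},
    "cn=contractor1,ou=Contractors,ou=People,dc=corp100,dc=com": {
        "memberOf": ["cn=dev,ou=Group,dc=corp100,dc=com"]},
    "cn=dev,ou=Group,dc=corp100,dc=com": {},
}
```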

...

  1. Click the Servers tab.
    1. Click Add to add LDAP servers to the service. The Add Authentication Server dialog opens.
    2. Enter the Host/IP Address.
    3. Choose the Encryption Type: None or SSL. (For information, see Using a Certificate File for an LDAP or AD Service.)
    4. If using SSL, choose the certificate from the Certificate drop-down list. The certificate must be loaded into NetMRI.
    5. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which the servers in the service are queried by NetMRI.
    6. If necessary, enter the Port value. LDAP's default TCP application port is 389.
    7. If necessary, choose the LDAP version. The default is V3; you may choose V2 if the LDAP server supports only that version.
    8. Click Save to save your configuration.
    9. Click Cancel to close the dialog.

...

  1. Click the Remote Groups tab.
    1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
    2. Choose the Role for the new remote group. (For information, see Defining and Editing Roles.)
    3. Check the check boxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow selection of individual device groups.
    4. Click OK to complete the configuration.
    5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
  2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.


Using a Certificate File for an LDAP or AD Service

When you test the connection to the server, your NetMRI-to-LDAP server connections (or Active Directory connections) allow for loading a current SSL certificate from a .PEM file. (See the section NetMRI Security Settings for the process of adding SSL certificates to NetMRI.) This certificate automatically appears in the authentication server's Certificate drop-down menu after being loaded into NetMRI:
An LDAP connection test shows the following:
Username: ****** Password: ******
Process Started
2015-05-01 17:41:59 ------------------------------------------------------
2015-05-01 17:41:59 +++ BEGIN testing access to authentication servers +++
2015-05-01 17:41:59 +++ LDAP connection: username='jsmith', address='ldaps://172.16.23.2', port='636', certPath='/var/local/netmri/certs/ca_repo/1430516467.501615.pem', version ='', timeout='5' +++
2015-05-01 17:41:59 Anonymous bind
2015-05-01 17:41:59 Authentication successful.
2015-05-01 17:41:59 Authenticate user 'cn=jsmith,ou=People,dc=corp100,dc=com' with 'inet6 => Y'...
2015-05-01 17:41:59 Authentication successful.
2015-05-01 17:41:59 Groups: ['administrators', 'dev']
2015-05-01 17:41:59 +++END testing access to authentication servers+++
2015-05-01 17:41:59 ------------------------------------------------------
Authentication Test Completed

If you set the Encryption menu to None, this option remains unavailable, and authentication tests will show a blank certPath value in the test output.

Server Authentication: Anonymous vs. Authenticated

Should you have a provisioned Bind User DN (Distinguished Name) and Bind Password needed for the LDAP service, perhaps for a power user, or in cases where anonymous access is not granted by policy, you can use those values to provide another level of security between NetMRI and the servers comprising the LDAP service.
An anonymous bind takes place as follows:
2015-05-01 17:41:59 Anonymous bind
2015-05-01 17:41:59 Authentication successful.
An authenticated bind, using the correct Bind User DN and Bind Password appears as follows:
2015-05-01 18:23:06 Authenticate 'cn=root,dc=infoblox,dc=com'
2015-05-01 18:23:06 Authentication successful.

Authenticating Users using RADIUS

RADIUS (Remote Authentication Dial-In User Service) provides authentication, accounting, and authorization functions, through a communications stream between clients and a dedicated server. NetMRI directly supports authentication and authorization using FreeRADIUS; other widely used RADIUS implementations include GNU RADIUS and Microsoft IAS. RADIUS provides all user authentication in a single centralized database. After users are verified, they have access to any NetMRI administrative function permitted for their account.

RADIUS Service Configuration

Configuring the RADIUS Service requires knowledge of the following key values:

...

  1. Click the Remote Groups tab.
    1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
    2. Choose the Role for the new remote group. (For information, see Defining and Editing Roles.)
    3. Check the check boxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow selection of individual device groups.
    4. Click OK to complete the configuration.
    5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
  2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.


Configuration of RADIUS Server Attributes, Users, and Group Definitions

The RADIUS server or servers require the following additional configurations to inter-operate with NetMRI:

...

  1. Add a new vendor and a vendor-specific attribute to store the group value, and include that attribute in the Access-Accept response packet:
    VENDOR infoblox 7779
    ATTRIBUTE NA-group-info 10 string infoblox
    This declaration in the new dictionary file supports the default values that are reflected in the Add Authentication Service dialog in NetMRI when you configure a new RADIUS service. As previously noted, you can use whichever values you want, but those values must be applied consistently throughout the configuration.
    Finally, for a query from the NetMRI appliance about a valid user/password, the RADIUS administrator must ensure that the response contains the 'na-group-info' attribute with the list of names of the groups of which the user is a member.
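What the dictionary declaration above produces on the wire: an added example (not NetMRI or FreeRADIUS code) that parses the two dictionary lines, builds the Vendor-Specific attribute (RFC 2865 section 5.26) carrying na-group-info for vendor 7779, and extracts the group names from the attribute section of a constructed Access-Accept. The packet header is omitted, and splitting the value on commas or whitespace is an assumption, since the page only says the attribute holds a list of group names.

```python
# Added example (not NetMRI or FreeRADIUS code): the dictionary lines above
# parsed, and the NA-group-info vendor-specific attribute encoded/decoded as
# carried in an Access-Accept (RFC 2865 section 5.26).  Only the attribute
# section is constructed; the separator inside the value is an assumption.
import struct

DICTIONARY = """\
VENDOR      infoblox       7779
ATTRIBUTE   NA-group-info  10  string  infoblox
"""

def parse_dictionary(text):
    """Return ({vendor name: id}, {attr name: (vendor id, number, type)})."""
    vendors, attrs = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif parts[0] == "ATTRIBUTE" and len(parts) == 5:   # name number type vendor
            attrs[parts[1]] = (vendors[parts[4]], int(parts[2]), parts[3])
    return vendors, attrs

def encode_vsa(vendor_id, vendor_type, value):
    """One Vendor-Specific (type 26) attribute: Vendor-Id, then the vendor's
    own type/length/value; both length fields count their own two bytes."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", 26, 6 + len(inner), vendor_id) + inner

def decode_attributes(data):
    """Walk the attribute section, yielding (type, vendor id, vendor type, value);
    vendor fields are None for ordinary attributes.  A bad length stops the walk."""
    out, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            break
        body = data[pos + 2:pos + alen]
        if atype == 26 and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            out.append((26, vendor_id, vtype, body[6:4 + vlen]))
        else:
            out.append((atype, None, None, body))
        pos += alen
    return out

def groups_from_access_accept(attribute_bytes, attrs, name="NA-group-info"):
    """Group names NetMRI would match: every na-group-info instance from the
    infoblox vendor, split on commas/whitespace (assumed separator); VSAs of
    other vendors or other vendor types are ignored."""
    vendor_id, number, _ = attrs[name]
    names = []
    for atype, vid, vtype, value in decode_attributes(attribute_bytes):
        if atype == 26 and vid == vendor_id and vtype == number:
            names += value.decode().replace(",", " ").split()
    return names
```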

Authenticating Users Using TACACS+ (T+)

You can configure NetMRI to authenticate admins against TACACS+ (Terminal Access Controller Access-Control System Plus, or T+) servers. TACACS+ provides separate authentication, authorization, and accounting services. (NetMRI supports only the authentication and authorization capabilities.) To ensure reliable delivery, T+ uses TCP as its transport protocol, and to ensure confidentiality, all protocol exchanges between the T+ server and its clients are encrypted. This section assumes that AAA administrators understand the details of TACACS+ configuration and presents only simplified examples.
To support TACACS+ authentication and authorization through NetMRI, you configure a custom service, infoblox, on the T+ server, and then define the user names and group names in the infoblox service's custom attribute na-group. (These services and attributes can be named differently according to preference; we use these values by convention in this document.)
Ensure that you apply each user group to the custom service infoblox (or however you choose to name the custom service). On NetMRI, you add the remote groups with the same names to the authentication service. When the TACACS+ server responds to an authentication and authorization request relayed from NetMRI and the response includes the na-group custom attribute, NetMRI matches the group name with the group in the authentication service and automatically assigns the admin to that group.
If you will use T+ only for authentication, the user accounts must all be defined in NetMRI with the User IDs matching the declared values on the T+ server. These accounts must be locally configured on NetMRI with the roles assigned to their specified device groups.
If you will use T+ for both authentication and authorization, and the configurations are done in the T+ server configuration file, the successfully authenticated and authorized users will be dynamically created in NetMRI with the roles defined through the configurations in the Authentication Service configured in NetMRI.

TACACS+ (T+) Service Configuration

User authentication support in TACACS+ requires each user account to be defined in NetMRI with its User ID matching the value declared on the TACACS+ server.
For authorization settings, the T+ configuration file contains the group definitions and the relationships of each user account to those groups.
Configuring the TACACS+ Service requires knowledge of the following key values:

...