NetMRI uses internal and external authentication systems to control user authentication for performing all administrative tasks. For a simple rollout, you can use the NetMRI local authentication database, which is called the local authentication service, where all user accounts and login information are contained within the appliance. You can also link NetMRI to an external Active Directory, RADIUS, TACACS+, LDAP, SAML, or OCSP authentication server or server group in the enterprise network to perform user authentication and authorization for NetMRI tasks, using the same user roles and privileges defined on the local NetMRI system. Doing so requires creating new authentication services in NetMRI.

...

For NetMRI user accounts, you define roles and privileges locally in the NetMRI appliance. All user account roles and privileges remain local to the NetMRI appliance and are not directly defined on the RADIUS, TACACS+, LDAP, AD, SAML, or OCSP server. For information about user Roles and Privileges, see Creating Admin and User Accounts. The external server is used for the authentication of the user account. Authorization functions are tied to the assignments between the remote user group names and the NetMRI Roles in the desired NetMRI device groups.

The following figure illustrates the authentication and authorization process for users authenticated by remote servers. In the example, two authentication services are configured, a RADIUS service and an Active Directory service. When the admin logs in with a user name and password, NetMRI uses the service configured with the highest Priority setting to authenticate the admin. If authentication fails, NetMRI tries the next highest-priority service, and so on. For each service, it tries each authentication server in the order given by their priority, until successful or all services fail, including the local authentication service. If all services fail to authenticate the login attempt, NetMRI denies access and generates an error notification.
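The fallback order just described, as an added illustration that is not NetMRI code: a constructed model of services and servers, assuming that a lower priority number means the service or server is tried first, and that any rejected or unreachable server moves the attempt on to the next one.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of the fallback order described above. Assumption: a lower
# priority number means a higher priority (that service or server is tried first).

@dataclass
class AuthServer:
    name: str
    priority: int
    # Constructed stand-in for the real protocol exchange: True = accepted,
    # False = rejected by the server, None = server unreachable.
    check: Callable[[str, str], Optional[bool]]

@dataclass
class AuthService:
    name: str
    priority: int
    servers: List[AuthServer] = field(default_factory=list)

def authenticate(services: List[AuthService], username: str, password: str):
    """Walk services from highest to lowest priority and, inside each service, its
    servers in priority order. Stops at the first server that accepts the login.
    Returns (accepted, service_name, trace); trace records every attempt so an
    admin can see which servers were consulted before access was denied."""
    trace: List[Tuple[str, str, Optional[bool]]] = []
    for svc in sorted(services, key=lambda s: s.priority):
        for srv in sorted(svc.servers, key=lambda s: s.priority):
            result = srv.check(username, password)
            trace.append((svc.name, srv.name, result))
            if result is True:
                return True, svc.name, trace
    # Every service, the Local one included, failed: deny and report the attempt.
    return False, None, trace

def static_db(accounts: Dict[str, str]) -> Callable[[str, str], Optional[bool]]:
    """Constructed server behaviour backed by a username -> password dictionary."""
    return lambda u, p: accounts.get(u) == p

def unreachable(_u: str, _p: str) -> Optional[bool]:
    """Constructed server that never answers (timeout)."""
    return None

# Constructed deployment: Local first, then RADIUS (two servers), then Active Directory.
SAMPLE_SERVICES = [
    AuthService("Local", 1, [AuthServer("appliance", 1, static_db({"admin": "local-pw"}))]),
    AuthService("RADIUS", 2, [AuthServer("radius-2", 2, static_db({"rjones": "radius-pw"})),
                              AuthServer("radius-1", 1, unreachable)]),
    AuthService("Active Directory", 3, [AuthServer("dc1.example.com", 1, static_db({"jdoe": "ad-pw"}))]),
]
```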

...

  • Local: The appliance's local user account authentication database, containing user login verification, Role and privilege assignments, and device group assignments. The Local service is the default and cannot be removed from the system. If no other services are available, users will be asked to log in using local credentials, which must also be configured by the administrator on the NetMRI appliance. For many deployments, the Local service should always be kept as the highest-priority service.
  • Active Directory: Allows NetMRI to use an Active Directory server or servers for external admin account verification and remote group authorization.
  • LDAP: Enables NetMRI to use a Lightweight Directory Access Protocol server or servers for external admin account verification and remote group authorization.
  • RADIUS: Allows NetMRI to use a RADIUS server or servers for external admin account verification and remote group authorization.
  • TACACS+: Allows NetMRI to use a TACACS+ server or servers for external admin account verification and remote group authorization.
  • SAML: Enables NetMRI to use a SAML server to authenticate users with their organization's single-sign-on.
  • OCSP: Allows the verification of client CA certificates.

...

  1. Click the Servers tab.
    1. Click Add to add Active Directory servers to the service. The Add Authentication Server dialog opens.
    2. Enter the Host/IP Address.
    3. Choose the Encryption Type: None or SSL. For information, see Using a Certificate File for an LDAP or AD Service. In the Encryption field, if you select SSL, the Authentication Port field changes its value to match the SSL protocol.
    4. If using SSL, choose the certificate from the Certificate drop-down list. The certificate can be loaded into NetMRI from the server that issued it.

      Note

      When configuring authentication using Active Directory with SSL encryption, a fully qualified domain name (FQDN) is required for the Server Name or IP address field in the Add Active Directory Server dialog.


    5. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which the servers within the service are queried by NetMRI.
    6. If necessary, enter the Port value. The default Active Directory port is 636 for SSL-encrypted communication and 389 for unencrypted communication.
    7. Click Save to save your configuration.
    8. Click Cancel to close the dialog.

...

NetMRI SAML Attribute Key            | SAML Attribute Value   | Description                                                  | Example
-------------------------------------|------------------------|--------------------------------------------------------------|-------------------------------
uid                                  | username               | User name as specified in the IDP user record.               | jdoe
urn:oid:1.2.840.113549.1.9.1 or mail | mail                   | The person's Email ID in the IDP user record.                | jdoe@example.com
urn:oid:2.5.4.42 or givenName        | givenName              | Given name (first name) as specified in the IDP user record. | john
urn:oid:2.5.4.4 or surname           | surname                | Surname (last name) as specified in the IDP user record.     | doe
Group Attribute                      | Custom group attribute | User's relation to the organization or group.                | memberOf, eduPersonAffiliation

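The attribute table above and the earlier point that authorization stays local (remote group names are assigned to NetMRI Roles), worked as an added example that is not NetMRI's own code: it reads a parsed SAML assertion, accepting either the OID form or the friendly name of each attribute, and resolves the user's groups against a constructed group-to-role assignment.

```python
from typing import Dict, List

# Attribute names a SAML assertion may carry for each NetMRI field, following the
# attribute table above: the IdP may send either the OID form or the friendly name.
NETMRI_ATTRIBUTE_KEYS: Dict[str, tuple] = {
    "username":  ("uid",),
    "mail":      ("urn:oid:1.2.840.113549.1.9.1", "mail"),
    "givenName": ("urn:oid:2.5.4.42", "givenName"),
    "surname":   ("urn:oid:2.5.4.4", "surname"),
}

def map_saml_attributes(assertion_attrs: Dict[str, List[str]],
                        group_attribute: str = "memberOf") -> Dict[str, object]:
    """Translate attributes from a parsed SAML assertion into the fields NetMRI expects.
    assertion_attrs is name -> list of values, the shape most SAML libraries return.
    The username is mandatory; the other fields are optional. Group membership is read
    from the configurable group attribute and returned as a list of group names."""
    user: Dict[str, object] = {}
    for netmri_field, names in NETMRI_ATTRIBUTE_KEYS.items():
        for name in names:
            values = assertion_attrs.get(name)
            if values:
                # A username attribute with several values is ambiguous: reject it.
                if netmri_field == "username" and len(values) != 1:
                    raise ValueError("uid attribute must carry exactly one value")
                user[netmri_field] = values[0]
                break
    if "username" not in user:
        raise ValueError("assertion carries no uid attribute; cannot identify the user")
    user["groups"] = list(assertion_attrs.get(group_attribute, []))
    return user

def resolve_roles(groups: List[str], group_role_map: Dict[str, str]) -> Dict[str, str]:
    """Authorization stays local to NetMRI: remote group names map to NetMRI Roles
    (constructed mapping). Groups with no assignment confer nothing."""
    return {g: group_role_map[g] for g in groups if g in group_role_map}

# Constructed sample assertion attributes, as a SAML parser would return them.
SAMPLE_ASSERTION = {
    "uid": ["jdoe"],
    "urn:oid:1.2.840.113549.1.9.1": ["jdoe@example.com"],
    "givenName": ["john"],
    "urn:oid:2.5.4.4": ["doe"],
    "memberOf": ["netops", "helpdesk", "everyone"],
}
# Constructed group-to-Role assignment of the kind an administrator configures in NetMRI.
SAMPLE_GROUP_ROLES = {"netops": "Admin", "helpdesk": "Read-only"}
```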

To configure a NetMRI SAML authentication service, complete the following:

...