NetMRI uses internal and external authentication systems to control user authentication for performing all administrative tasks. For a simple rollout, you can use the NetMRI local authentication database, which is called the local authentication service, where all user accounts and login information are contained within the appliance. You can also link NetMRI to an external Active Directory, RADIUS, TACACS+, LDAP, SAML, or OCSP authentication server or server group in the enterprise network to perform user authentication and authorization for NetMRI tasks, using the same user roles and privileges defined on the local NetMRI system. Doing so requires creating new authentication services in NetMRI.
...
For NetMRI user accounts, you define roles and privileges locally in the NetMRI appliance. All user account roles and privileges remain local to the NetMRI appliance and are not directly defined on the RADIUS, TACACS+, LDAP, AD, SAML, or OCSP server. For information about user Roles and Privileges, see Creating Admin and User Accounts. The external server is used for the authentication of the user account. Authorization functions are tied to the assignments between the remote user group names and the NetMRI Roles in the desired NetMRI device groups.
...
Note: When a new user is authenticated and authorized through one of the remote services, NetMRI automatically creates the new account locally on the appliance and learns the Roles and device group assignments from the remote service. If an established local user account exists and its login is authenticated and authorized by an external service, NetMRI updates the local profile to reflect the Roles and device group assignments granted by the most recent external authorization.
...
- In the Add Authentication Service dialog box, click the Servers tab.
- To add Active Directory servers to the service, click New. The Add Authentication Server dialog box opens.
- In the Add Authentication Server dialog box, do the following:
- Enter the Host/IP Address.
- Choose the Encryption Type: None or SSL. For information, see Using a Certificate File for an LDAP or AD Service. If you select SSL, the Authentication Port field changes its value to the SSL default.
If using SSL, choose the certificate from the Certificate drop-down list. The certificate (the issuing CA certificate for the server) must first be loaded into NetMRI.
Note: When configuring authentication using Active Directory with SSL encryption, a fully qualified domain name (FQDN), not an IP address, is required in the Host/IP Address field of the Add Authentication Server dialog.
- Choose the Priority for the new server in the authentication service. The priority value determines the order in which the servers in the service are queried by NetMRI.
- If necessary, enter the Port value. The default TCP port is 636 for LDAP over SSL and 389 for unencrypted LDAP.
- Click Save to save your configuration.
- Click Cancel to close the dialog.
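The following pre-flight check is an added example and not NetMRI's own code. It encodes the rules from the procedure above (SSL entries need an FQDN and a loaded certificate; defaults of 636 for SSL and 389 otherwise) so that a list of planned server entries can be validated before they are typed into the dialog. The assumption that a lower priority number is queried first, and the extra sanity check rejecting port 636 without SSL, are the example's own, not statements from the page.

```python
"""Pre-flight validation of AD/LDAP server entries for a NetMRI authentication
service. Added example, not NetMRI code."""
import ipaddress

LDAP_PORT = 389    # NetMRI default when Encryption Type is None
LDAPS_PORT = 636   # NetMRI default when Encryption Type is SSL


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address, which an SSL entry must not use."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_server(entry):
    """Return a normalized entry {host, encryption, port, certificate, priority}
    or raise ValueError describing why the entry would not work."""
    host = entry["host"].strip()
    encryption = entry.get("encryption", "None")
    if encryption not in ("None", "SSL"):
        raise ValueError(f"{host}: encryption must be None or SSL")
    certificate = entry.get("certificate")
    if encryption == "SSL":
        # NetMRI requires an FQDN when SSL is enabled; a bare IP or a short
        # hostname is rejected here before it reaches the dialog.
        if is_ip_literal(host) or "." not in host:
            raise ValueError(f"{host}: SSL requires a fully qualified domain name")
        if not certificate:
            raise ValueError(f"{host}: SSL requires a certificate loaded into NetMRI")
    port = int(entry.get("port") or (LDAPS_PORT if encryption == "SSL" else LDAP_PORT))
    if not 1 <= port <= 65535:
        raise ValueError(f"{host}: port {port} out of range")
    if encryption == "None" and port == LDAPS_PORT:
        # Example's own sanity check: plaintext LDAP to the LDAPS port is a mistake.
        raise ValueError(f"{host}: port 636 configured without SSL")
    return {
        "host": host,
        "encryption": encryption,
        "port": port,
        "certificate": certificate if encryption == "SSL" else None,
        "priority": int(entry.get("priority", 1)),
    }


def query_order(entries):
    """Validate every entry and return hostnames in the order the servers would
    be queried (assumption: lower priority number first)."""
    normalized = [validate_server(e) for e in entries]
    return [s["host"] for s in sorted(normalized, key=lambda s: s["priority"])]


if __name__ == "__main__":
    # Constructed sample entries for two domain controllers.
    planned = [
        {"host": "dc02.corp.example.com", "encryption": "SSL",
         "certificate": "corp-root-ca", "priority": 2},
        {"host": "dc01.corp.example.com", "encryption": "SSL",
         "certificate": "corp-root-ca", "priority": 1},
    ]
    print(query_order(planned))
```

Run it against the planned entries before configuring the service; an entry that raises here is one NetMRI would either refuse or fail to connect to.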
...
NetMRI SAML Attribute Key | SAML Attribute Value | Description | Example |
---|---|---|---|
uid | username | User name as specified in the IDP user record. | jdoe |
urn:oid:1.2.840.113549.1.9.1 or mail | mail | Email address as specified in the IDP user record. | jdoe@example.com |
urn:oid:2.5.4.42 or givenName | givenName | Given name (first name) as specified in the IDP user record. | john |
urn:oid:2.5.4.4 or surname | surname | Surname (last name) as specified in the IDP user record. | doe |
Group Attribute | Custom group attribute | User's relation to the organization or group. | memberOf, eduPersonAffiliation |
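The resolver below is an added example, not NetMRI's own code, showing how the attribute names in the table are applied to an incoming assertion: each NetMRI key may arrive under its OID form or its friendly name, the group attribute name is configurable (memberOf here), and it is the group values that drive the Role and device group assignment described earlier. The sample assertion and the group-to-role mapping are constructed for illustration; the Role and device group names in it are hypothetical.

```python
"""Map SAML 2.0 assertion attributes to NetMRI user fields.
Added example, not NetMRI code. Signature validation of the assertion is
out of scope here; NetMRI trusts the IdP before any attribute is read."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# NetMRI key -> SAML Attribute Name values that may carry it (from the table above;
# "sn" is an extra alias some IdPs use for surname, an assumption of this example).
NETMRI_ATTRIBUTES = {
    "uid": ("uid", "username"),
    "mail": ("urn:oid:1.2.840.113549.1.9.1", "mail"),
    "givenName": ("urn:oid:2.5.4.42", "givenName"),
    "surname": ("urn:oid:2.5.4.4", "surname", "sn"),
}

# Constructed sample: OID form for mail and surname, friendly names elsewhere,
# and a multi-valued memberOf group attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>john</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=NetOps,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=Staff,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical assignments of remote group names to (NetMRI Role, device group);
# in the product these are configured per authentication service in the UI.
GROUP_ROLE_MAP = {
    "CN=NetOps,OU=Groups,DC=example,DC=com": ("Admin", "All Devices"),
}


def extract_attributes(assertion_xml):
    """Return {Attribute Name: [values...]} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs


def resolve_user(assertion_xml, group_attribute="memberOf"):
    """Build the local NetMRI user profile from the assertion.
    Raises ValueError when no uid is present, since no account can be created."""
    attrs = extract_attributes(assertion_xml)
    user = {}
    for key, names in NETMRI_ATTRIBUTES.items():
        for name in names:          # first matching name wins, OID or friendly
            if attrs.get(name):
                user[key] = attrs[name][0]
                break
    if "uid" not in user:
        raise ValueError("assertion carries no uid attribute")
    user["groups"] = attrs.get(group_attribute, [])
    return user


def roles_for(user):
    """(Role, device group) pairs granted by the user's remote group names;
    groups without a mapping grant nothing."""
    return [GROUP_ROLE_MAP[g] for g in user["groups"] if g in GROUP_ROLE_MAP]


if __name__ == "__main__":
    profile = resolve_user(SAMPLE_ASSERTION)
    print(profile)
    print(roles_for(profile))
```

Note that the resolver takes the first value of each single-valued attribute and keeps every value of the group attribute; if the IdP is reconfigured to send eduPersonAffiliation instead of memberOf, pass that name as group_attribute or the user will authenticate but receive no Role.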
To configure a NetMRI SAML authentication service, complete the following:
...