NetMRI uses internal and external authentication systems to control user authentication for performing all administrative tasks. For a simple rollout, you can use the NetMRI local authentication database, which is called the local authentication service, where all user accounts and login information are contained within the appliance. You can also link NetMRI to an external Active Directory, RADIUS, TACACS+, LDAP, SAML, or OCSP authentication server or server group in the enterprise network to perform user authentication and authorization for NetMRI tasks, using the same user roles and privileges defined on the local NetMRI system. Doing so requires creating new authentication services in NetMRI.

...

Note: When a new user is authenticated and authorized through one of the remote services, NetMRI automatically creates the new account locally on the appliance and learns the Roles and device group assignments from the remote service. If there happens to be an established local user account, and the account login is authenticated and authorized by an external service, NetMRI will update its local profile to reflect the Roles and device group assignments granted by the last external authorization.

An admin can use an account's Force Local Authentication setting to prevent a user account from being authenticated and authorized by an external service. This requires the Local authentication service to be the highest-priority service. For information, see User Administration in NetMRI and its subsections.

Defining Authentication Services

...

Active Directory™ (AD) is a Microsoft-proprietary distributed directory service based on LDAP that serves as a repository for user information. The NetMRI appliance can authenticate user accounts by verifying user names and passwords against an Active Directory server. NetMRI can use the AD authentication service to query the AD domain controller for the user's group membership information. NetMRI then matches the group names returned by the domain controller with the group names configured in its authentication service properties, and grants the administrative roles and privileges of the local roles to which those remote groups are assigned, scoped to the specified device groups.

...

  1. In the Add Authentication Service dialog box, click the Servers tab.
  2. To add Active Directory servers to the service, click New. The Add Authentication Server dialog box opens.
  3. In the Add Authentication Server dialog box, do the following:
    1. Enter the Host/IP Address.
    2. Choose the Encryption Type: None or SSL. For information, see Using a Certificate File for an LDAP or AD Service. If you select SSL in the Encryption field, the Authentication Port field changes its value to match the SSL protocol.
    3. If using SSL, choose the certificate from the Certificate drop-down list. The certificate can be loaded into NetMRI from the server that issued it.

      Note: When configuring authentication using Active Directory with SSL encryption, a fully qualified domain name (FQDN) is required for the Server Name or IP address field in the Add Active Directory Server dialog.

    4. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which NetMRI queries the servers in the service.
    5. If necessary, enter the Port value. The default TCP port for AD is 636 with SSL encryption and 389 for unencrypted communication.
    6. Click Save to save your configuration.
    7. Click Cancel to close the dialog.

...

  1. Click the Remote Groups tab.
    1. In the Remote Group field, enter the name of an AD server's remote group.
    2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
    3. Select the checkboxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow the selection of individual device groups.
    4. Click OK to complete the configuration.
    5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
  2. To test the server settings, click Test. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

...

9. Choose the Authentication, which can either be Anonymous or Authenticated. For more information, see Anonymous vs. Authenticated Server Authentication.

a. If the setting is Authenticated, enter the Bind User DN (this is a core value defined on the LDAP server).

...

  1. Click the Servers tab.
    1. Click Add to add LDAP servers to the service. The Add Authentication Server dialog opens.
    2. Enter the Host/IP Address.
    3. Choose the Encryption Type: None or SSL. For more information, see Using a Certificate File for an LDAP or AD Service.
    4. If using SSL, choose the certificate from the Certificate drop-down list. The certificate must be loaded into NetMRI.
    5. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which NetMRI queries the servers in the service.
    6. If necessary, enter the Port value. LDAP's default TCP application port is 389.
    7. If necessary, choose the LDAP version. The default is V3. You may choose V2 if the LDAP server supports only that version.
    8. Click Save to save your configuration.
    9. Click Cancel to close the dialog.

...

    1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
    2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
    3. Select the checkboxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow the selection of individual device groups.
    4. Click OK to complete the configuration.
    5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
  1. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

...

When you test the connection to the server, NetMRI-to-LDAP (or Active Directory) server connections allow you to load a current SSL certificate from a .PEM file. See the section NetMRI Security Settings for the process of adding SSL certificates to NetMRI. After it is loaded into NetMRI, the certificate automatically appears in the authentication server’s Certificate drop-down menu.

...

    1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
    2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
    3. Select the checkboxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow the selection of individual device groups.
    4. Click OK to complete the configuration.
    5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
  1. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

...

    1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
    2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
    3. Select the checkboxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow the selection of individual device groups.
    4. Click OK to complete the configuration.
    5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
  1. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

...

| NetMRI SAML Attribute Key            | SAML Attribute Value   | Description                                                  | Example                        |
|--------------------------------------|------------------------|--------------------------------------------------------------|--------------------------------|
| uid                                  | username               | User name as specified in the IDP user record.               | jdoe                           |
| urn:oid:1.2.840.113549.1.9.1 or mail | mail                   | The person’s email ID in the IDP user record.                | jdoe@example.com               |
| urn:oid:2.5.4.42 or givenName        | givenName              | Given name (first name) as specified in the IDP user record. | john                           |
| urn:oid:2.5.4.4 or surname           | surname                | Surname (last name) as specified in the IDP user record.     | doe                            |
| Group Attribute                      | Custom group attribute | User's relation to the organization or group.                | memberOf, eduPersonAffiliation |


To configure a NetMRI SAML authentication service, complete the following:

...

  1. In the Add Authentication Service dialog, click the Remote Groups tab.
  2. Click New (the plus icon). The Add Remote Group dialog opens.
  3. In the Remote Group field, enter the name of a new remote user group for the SAML authentication service. The name must match the group name in the SAML server metadata. Here you map this group name to the NetMRI role(s) and device group(s).
  4. Description: Enter a textual description for the remote group.
  5. Click Save.
  6. Click Add Role and select a role from the drop-down list. For more information, see Defining and Editing Roles.
  7. In device groups: Select the checkboxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow the selection of individual device groups.
  8. Click OK to complete the configuration.
  9. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple roles for the remote group.
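The attribute-to-profile mapping in the table above and the remote-group-to-role matching described for Active Directory earlier on this page, worked through in code. This is an added example, not NetMRI code: it parses a constructed SAML assertion that mixes the urn:oid and friendly attribute names from the table, fills the username, mail, givenName and surname fields, collects the user's groups from an assumed `memberOf` group attribute, and matches those groups against a constructed remote-group configuration in which a remote group may carry several roles and SysAdmin covers every device group. The role names, device-group names, IdP URL and exact case-sensitive group matching are assumptions; the assertion is assumed to have had its XML signature verified before its attributes are trusted.

```python
"""Map SAML assertion attributes to a NetMRI-style profile and authorize by
remote group (added example, not NetMRI code; all names below are constructed).
The assertion is assumed to have had its XML signature verified already; in
production parse untrusted XML with a hardened parser such as defusedxml."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names accepted for each profile field, from the attribute table:
# the urn:oid form or the friendly name.  The first name present wins.
FIELD_ALIASES = {
    "username": ("uid",),
    "mail": ("urn:oid:1.2.840.113549.1.9.1", "mail"),
    "givenName": ("urn:oid:2.5.4.42", "givenName"),
    "surname": ("urn:oid:2.5.4.4", "surname"),
}

# Constructed remote-group configuration (role and device-group names assumed).
# A remote group may carry several roles; device_groups=None marks a role that
# covers every device group, which is what SysAdmin does.
ALL_DEVICE_GROUPS = ("Routers", "Switches", "Firewalls")
REMOTE_GROUPS = {
    "netmri-operators": [{"role": "Operator", "device_groups": {"Routers", "Switches"}}],
    "netmri-sysadmins": [{"role": "SysAdmin", "device_groups": None}],
}

# Constructed assertion: OID and friendly names mixed, groups carried in memberOf.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1" FriendlyName="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>john</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>netmri-operators</saml:AttributeValue>
      <saml:AttributeValue>netmri-sysadmins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_profile(attrs: dict, group_attribute: str) -> dict:
    """Fill the profile fields; the user name is mandatory, the rest optional."""
    profile = {}
    for field, names in FIELD_ALIASES.items():
        values = next((attrs[n] for n in names if attrs.get(n)), [])
        profile[field] = values[0] if values else None
    if profile["username"] is None:
        raise ValueError("no uid attribute in assertion; cannot create the local account")
    profile["groups"] = list(attrs.get(group_attribute, []))
    return profile


def authorize(groups, remote_groups, all_device_groups):
    """Match the user's groups against the configured remote groups and return
    (roles, device_groups).  Matching is exact and case-sensitive (assumption)."""
    roles, device_groups = set(), set()
    for group in groups:
        for grant in remote_groups.get(group, []):
            roles.add(grant["role"])
            if grant["device_groups"] is None:  # SysAdmin: every device group
                device_groups.update(all_device_groups)
            else:
                device_groups.update(grant["device_groups"])
    return roles, device_groups


if __name__ == "__main__":
    profile = map_profile(extract_attributes(SAMPLE_ASSERTION), group_attribute="memberOf")
    roles, device_groups = authorize(profile["groups"], REMOTE_GROUPS, ALL_DEVICE_GROUPS)
    print(profile)
    print("roles:", sorted(roles), "device groups:", sorted(device_groups))
```

A group that the IdP sends but that is not configured as a remote group grants nothing, and an assertion without a `uid` attribute is rejected rather than creating an account with an empty user name; both are the outcomes a defender wants from the mapping.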

...

  1. Go to the Settings icon > General Settings > Authentication Services.
  2. Click New (the plus icon). The Add Authentication Service dialog opens.
  3. Name: Enter a meaningful name for the OCSP authentication service.
  4. Description: Enter a textual description for the OCSP authentication service.
  5. Timeout: Specify the server response timeout.
  6. Service Type: Choose OCSP.
  7. Disable service: By default, this setting is turned on. When you turn it off, the configured service becomes available on the NetMRI login form. NetMRI validates that the user certificate is compliant with the CA certificate. It also performs a certificate revocation check using the OCSP server.
  8. Click Save.

You can now proceed to configure servers as described in the next procedure.

...

  1. In the Edit Authentication Service dialog, click the Servers tab.
  2. Click New (the plus icon). The Add OCSP responder dialog appears.
  3. Enter the Host/IP Address.
  4. Priority: Choose the priority for the new server in the authentication service. In this context, the priority value determines the order in which servers are queried by NetMRI. A lower value number denotes a higher priority. "1" is the highest possible priority. Only one server should have a "1" priority.
  5. OCSP Certificate: Select a previously imported CA certificate that will be used with the request to the OCSP responder server. You can import certificates in the Settings icon > Security > CA Certificates.
  6. Port: Specify the OCSP server port.
  7. Disable server: By default, this setting is turned off to allow NetMRI to check the user certificate for validity.
  8. Certificates: Select the required certificate chain.
  9. Click Save.
  10. Test: Click to test the connection to the authentication servers.


    Note: To additionally check the certificate for revocation, make sure to turn off the Disable service option in the Add Authentication Service dialog described in the previous procedure.

  11. Click Close.
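The two checks this procedure configures, validating the user certificate against the CA certificate and asking an OCSP responder whether it has been revoked, walked through end to end. This is an added example, not NetMRI code: it drives the openssl command-line tool from Python to build a throwaway CA and a user certificate issued by it, runs the chain check, then builds an OCSP request, answers it from an openssl CA index file acting as the responder database, and verifies the signed response against the trusted CA, once with the certificate recorded as valid and once as revoked. The CA and subject names, the serial number and the index file lines are constructed; because openssl answers from a file rather than over the network, everything runs offline.

```python
"""OCSP revocation check walked through with the openssl CLI (added example,
not NetMRI code).  Everything here is constructed and runs offline: openssl
answers the OCSP request from an index file instead of a network responder."""
import subprocess
import tempfile
from pathlib import Path


def openssl(*args, cwd: Path) -> subprocess.CompletedProcess:
    """Run one openssl subcommand in cwd and fail loudly if it exits non-zero."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)


def make_test_pki(work: Path) -> None:
    """Throwaway CA plus one user certificate it issued (constructed names)."""
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
            "-subj", "/CN=Constructed Test CA", "-keyout", "ca.key", "-out", "ca.pem", cwd=work)
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=jdoe",
            "-keyout", "user.key", "-out", "user.csr", cwd=work)
    # Serial 4096 = 0x1000; the responder database below refers to it in hex.
    openssl("x509", "-req", "-in", "user.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
            "-set_serial", "4096", "-days", "30", "-out", "user.pem", cwd=work)


def write_index(work: Path, name: str, revoked: bool) -> Path:
    """One line of an openssl CA database, the responder's source of truth:
    status, expiry, revocation date[,reason], serial in hex, file name, subject."""
    status = "R" if revoked else "V"
    rev = "240101000000Z,keyCompromise" if revoked else ""
    path = work / name
    path.write_text(f"{status}\t351231235959Z\t{rev}\t1000\tunknown\t/CN=jdoe\n")
    return path


def chain_is_valid(work: Path) -> bool:
    """The 'user certificate is compliant with the CA certificate' check."""
    result = subprocess.run(["openssl", "verify", "-CAfile", "ca.pem", "user.pem"],
                            cwd=work, capture_output=True, text=True)
    return result.returncode == 0


def ocsp_status(work: Path, index_file: Path) -> str:
    """Request -> responder -> verified response; returns good, revoked or unknown."""
    # 1. Client side: build the request for user.pem (the issuer must be given first).
    openssl("ocsp", "-no_nonce", "-issuer", "ca.pem", "-cert", "user.pem",
            "-reqout", "req.der", cwd=work)
    # 2. Responder side: answer from the index file, signing with the CA key.
    openssl("ocsp", "-index", str(index_file), "-rsigner", "ca.pem", "-rkey", "ca.key",
            "-CA", "ca.pem", "-reqin", "req.der", "-respout", "resp.der", cwd=work)
    # 3. Client side again: verify the response signature against the trusted CA
    #    and read the status it reports for user.pem.
    result = openssl("ocsp", "-no_nonce", "-issuer", "ca.pem", "-cert", "user.pem",
                     "-CAfile", "ca.pem", "-respin", "resp.der", cwd=work)
    for line in result.stdout.splitlines():
        if line.startswith("user.pem: "):
            return line.split(": ", 1)[1].strip()
    raise RuntimeError("no status line for user.pem:\n" + result.stdout + result.stderr)


def demo() -> dict:
    """Run the whole exchange with the certificate valid, then revoked."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        make_test_pki(work)
        valid_db = write_index(work, "index_valid.txt", revoked=False)
        revoked_db = write_index(work, "index_revoked.txt", revoked=True)
        return {
            "chain_valid": chain_is_valid(work),
            "status_valid_db": ocsp_status(work, valid_db),
            "status_revoked_db": ocsp_status(work, revoked_db),
        }


if __name__ == "__main__":
    print(demo())
```

The chain check alone passes in both runs: a revoked certificate is still correctly signed by its CA, which is why the note above insists on leaving the revocation check enabled. The third openssl call also verifies the responder's signature before the status is trusted, which corresponds to the CA certificate you select for the OCSP responder in step 5.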