Versions Compared

Old Version 2

changes.mady.by.user Viktoryia Varapayeva

Saved on

compared with

New Version 3

changes.mady.by.user Viktoryia Varapayeva

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

NetMRI uses internal and external authentication systems to control user authentication for performing all administrative tasks. For a simple rollout, you can use the NetMRI local authentication database, which is called the local authentication service, where all user accounts and login information are contained within the appliance. You can also link NetMRI to an external Active Directory, RADIUS, TACACS+, LDAP, SAML, or OCSP authentication server or server group in the enterprise network to perform user authentication and authorization for NetMRI tasks, using the same user roles and privileges defined on the local NetMRI system. Doing so requires creating new authentication services in NetMRI.

Anchor
bookmark214
bookmark214

...

  1. In the Add Authentication Service dialog box, click the Servers tab.
  2. To add Active Directory servers to the service, click New. The Add Authentication Server dialog box opens
  3. In the Add Authentication Server dialog box, do the following:
    1. Enter the Host/IP Address.
    2. Choose the Encryption Type: None or SSL. For information, see Using a Certificate File for an LDAP or AD ServiceService topic on this page. In the Encryption field, if you select SSL, the Authentication Port field changes its value to match the SSL protocol.

    3. If using SSL, choose the certificate from the Certificate drop-down list. The certificate can be loaded into NetMRI from the server that issued it.

      NotetitleNote


      When configuring authentication using Active Directory with SSL encryption, a fully qualified domain name (FQDN) is required for the Server Name or IP address field in the Add Active Directory Server dialog.

    4. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which servers in the services are queried by NetMRI.
    5. If necessary, enter the Port value. AD's default TCP application with SSL encryption port is 636, and 389 for non-encrypted communication.
    6. Click Save to save your configuration.
    7. Click Cancel to close the dialog.

To assign the AD service's remote groups with NetMRI's local roles, complete the following:

...

Configuring LDAP authentication services requires knowledge of the following key values:

  • Base distinguished name (Base DN)
  • The User attribute.
  • The Group attribute.
  • Whether to use anonymous or verified (Authenticated) authentication between NetMRI and the LDAP service.
  • Bind User DN and Bind Password (if known; otherwise anonymous).
  • The Search Level (One Level, Base, or Subtree. Subtree is the default).
  • The names of the remote groups on the LDAP server containing the users intended to log in to the NetMRI appliance.

To configure an LDAP authentication service for NetMRI, complete the following:

  1. Go to the Settings icon > General Settings section > Authentication Services page.
  2. Enter the Name and Description.
  3. Set the Priority and Timeout of the LDAP service.
  4. Choose LDAP as the Service Type. The Service Specific Information pane updates to show the required LDAP settings.
  5. Enter the Base DN value for the new LDAP service (example: ou=management, dc=corp100, dc=local). Users' definitions may be split between two or more Base DNs, so be aware of how the directory service is structured.
  6. Enter the User Attribute. This will typically be cn for 'common name,' which is one of the components of the LDAP Distinguished Name attribute.
  7. Enter the Group Attribute, which will typically be specified as memberOf for NetMRI. This defines the group membership in the LDAP tree for individual user accounts in LDAP. NetMRI uses this attribute to retrieve the LDAP group name to which the users belong. The LDAP group will be mapped to NetMRI users group (see the Remote Groups tab).
    Example:
    ldapsearch -x -LLL -H ldap:/// -b uid=myuser,ou=people,dc=qanet,dc=local dn memberof
    dn: uid=myuser,ou=people,dc=qanet,dc=local
    memberof: cn=mygroup,ou=groups,dc=qanet,dc=local
    You must use the memberOf overlay or a similarly behaving overlay to define the membership.

...

  1. Choose the Search Level, which determines how far the LDAP service searches in the directory tree. The Subtree value is the default and can be retained for most applications. Other options are as follows:
    • One Level: Searches the directory entries immediately below the base object.
    • Base: Searches only the base object.
    • Subtree: Search the whole directory tree below and including the base object. This is the default.

...

  1. Choose the Authentication, which can either be Anonymous or Authenticated. For more information,

...

  1. see the Anonymous vs. Authenticated Server Authentication topic.

      ...

        1. If the setting is Authenticated, enter the Bind User DN (this is a core value defined on the LDAP server).

      ...

        1. Enter the Bind Password, which is associated with the Bind user for the server.

      ...


      ...

        1. Many LDAP services may not allow the use of the Bind User DN and Bind Password values, requiring the use of anonymous authentication for LDAP queries.

      ...

      1. Click Save.

      ...

      1. If desired, click Disable service (this completely disables the service but does not change or delete any settings) or Disable authorization (this disables the new service from performing any group searches but allows basic authentication of user accounts from the LDAP server).

      To configure the authentication service's LDAP servers, complete the following:

      1. Click the Servers tab.
        1. Click Add to add LDAP servers to the service. The Add Authentication Server dialog opens.
        2. Enter the Host/IP Address.
        3. Choose the Encryption Type: None or SSL. For more information, see the Using a Certificate File for an LDAP or AD Service topic.
        4. If using SSL, choose the certificate from the Certificate drop-down list. The certificate must be loaded into NetMRI.
        5. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order of which servers in the services are queried by NetMRI.
        6. If necessary, enter the Port value. LDAP's default TCP application port is 389.
        7. If necessary, choose the LDAP version. The default is V3. You may choose V2 if the LDAP server supports only that version.
        8. Click Save to save your configuration.
        9. Click Cancel to close the dialog.

      To assign the LDAP service's remote groups with NetMRI's local roles, perform the following:

      ...

      1. Click the Remote Groups tab.
        1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
        2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
        3. Select the checkboxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow the selection of individual device groups.
        4. Click OK to complete the configuration.
        5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
      2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

      ...

      To configure the authentication service's RADIUS servers, do the following:

      ...

      1. Click the Servers tab.

      ...

      1. Click Add to add RADIUS servers to the service. The Add Authentication Server dialog opens.
        1. Enter the Host/IP Address.
        2. Choose the Shared Secret for the RADIUS server.
        3. If necessary, enter the Port value. RADIUS's default UDP application port is 1812.
        4. Click Save to save your configuration.
        5. Click Cancel to close the dialog.

      To assign the RADIUS service's remote groups with NetMRI's local roles, perform the following:

      ...

      1. Click the Remote Groups tab.
        1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
        2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
        3. Select the checkboxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow the selection of individual device groups.
        4. Click OK to complete the configuration.
        5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
      2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

      ...

      1. Ensure that all user accounts are defined with their necessary roles in NetMRI.
      2. Go to the Settings icon > General Settings section > Authentication Services page.
      3. Enter the Name and Description.
      4. Set the Priority and Timeout values.
      5. Choose TACACS+ as the Service Type. The Service Specific Information panel updates to show the required TACACS+ settings.
      6. Enter the Service Name and Group Attribute.
      7. Test NetMRI user account settings by entering the User Name and Password and clicking Test. A successful test returns the list of user roles defined in NetMRI for the test user.

      ...


      ...

      1. If the authentication server or its shared secret is incorrect, the message "Unable to get access information" will appear.
        If the test user name or password is incorrect, access is rejected. Access will also be rejected if no NetMRI Role is defined for the test user, on the NetMRI system.

      ...

      1. You can select to use TACACS+ only for authentication. In such cases, select the Disable authorization checkbox.

      ...

      1. If you wish to disable the current service select the Disable service checkbox.

      To configure the authentication service's TACACS+ servers, complete the following:

      ...

      1. Click the Servers tab.
        1. Click Add to add TACACS+ servers to the service. The Add Authentication Server dialog opens.
        2. Enter the Host/IP Address.
        3. Choose the Shared Secret for the server.
        4. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order of which servers in the service are queried by NetMRI. A lower value number denotes a higher priority. "1" is the highest possible priority. Only one server should have a "1" priority.
        5. If necessary, enter the Port value. The TACACS+ default application port is 49.
        6. Click Save to save your configuration.
        7. Click Cancel to close the dialog.

      To assign the TACACS+ service's remote groups with NetMRI's local roles, complete the following:

      ...

      1. Click the Remote Groups tab.
        1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
        2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
        3. Select the checkboxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow the selection of individual device groups.
        4. Click OK to complete the configuration.
        5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
      2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

      ...

      NetMRI SAML Attribute KeySAML Attribute ValueDescriptionExample

      uid

      username

      User name as specified in the IDP user record.

      		jdoe

      urn:oid:1.2.840.113549.1.9.1 or mail

      mail

      This is the person’s Email ID in the IDP user record.

      		jdoe@example.com

      urn:oid:2.5.4.42 or givenName

      givenName

      Given name (first name) as specified in the IDP user record.

      		john

      urn:oid:2.5.4.4 or surname

      surname

      Surname (last name) as specified in the IDP user record.

      		doe
      Group AttributeCustom group attributeUser's relation to the organization or group.

      memberOf

      eduPersonAffiliation


      To configure a NetMRI SAML authentication service, complete the following:

      ...

      1. In the Edit Authentication Service dialog, click the Servers tab.
      2. Click New (the plus icon). The Add OCSP responder dialog appears.
      3. Enter the Host/IP Address.
      4. Priority: Choose the priority for the new server in the authentication service. In this context, the priority value determines the order in which servers are queried by NetMRI. A lower value number denotes a higher priority. "1" is the highest possible priority. Only one server should have a "1" priority.
      5. OCSP Certificate: Select a previously imported CA certificate that will be used with the request to the OCSP responder server. You can import certificates in the Settings icon > SecurityCA Certificates.
      6. Port: Specify the OCSP server port.
      7. Disable server: By default, this setting is turned off to allow NetMRI to check the user certificate for validity.
      8. Certificates: Select the required certificate chain.
      9. Click Save.

      10. Test: Click to test the connection to the authentication servers.

        NotetitleNote


        To additionally check the certificate for revocation, make sure to turn off the Disable service option in the Add Authentication Service dialog described in the previous procedure.

      11. Click Close.