NetMRI uses internal and external authentication systems to control user authentication for performing all administrative tasks. For a simple rollout, you can use the NetMRI local authentication database, which is called the local authentication service, where all user accounts and login information are contained within the appliance. You can also link NetMRI to an external Active Directory, RADIUS, TACACS+, LDAP, SAML, or OCSP authentication server or server group in the enterprise network to perform user authentication and authorization for NetMRI tasks, using the same user roles and privileges defined on the local NetMRI system. Doing so requires creating new authentication services in NetMRI.

...

  1. Go to the Settings icon > General Settings > Authentication Services page.
  2. Click New to add a new authentication service. The Add Authentication Service dialog box opens.
  3. Enter the Name and Description.
  4. Set the Priority and Timeout of the AD service. Lower Priority values are tried first ("1" is consulted before "3"), so set the Priority to 1 if the AD service is to be the first of two or more authentication services NetMRI consults.
  5. Choose Active Directory as the Service Type. The Service Specific Information pane updates to show the required AD settings.
  6. Enter the AD Domain value for the new AD service (example: engineering.corp100.com).
  7. Click Save.
  8. If desired, select Disable service (this completely disables the service but does not change or delete any of its settings) or Disable authorization. Disable authorization stops the new service from performing any group searches; users can still authenticate against the Active Directory server, but each user account must then also be defined locally on the appliance.

...

Note

When configuring authentication using Active Directory with SSL encryption, a fully qualified domain name (FQDN) is required for the Server Name or IP address field in the Add Active Directory Server dialog box.

  1. Click the Servers tab.
    1. Click Add to add Active Directory servers to the service. The Add Authentication Server dialog box opens.
    2. Enter the Host/IP Address.
    3. Choose the Encryption Type: None or SSL. For more information, see the Using a Certificate File for an LDAP or AD Service topic. If you select SSL, the Authentication Port field changes its value to match the SSL protocol.
    4. If using SSL, choose the certificate from the Certificate drop-down list. The certificate must first be imported into NetMRI, as described in that topic.
    5. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which the servers in the service are queried by NetMRI.
    6. If necessary, enter the Port value. The default TCP port for AD (LDAP) is 636 with SSL encryption and 389 for unencrypted communication.
    7. Click Save to save your configuration.
    8. Click Cancel to close the dialog box.

To map the AD service's remote groups to NetMRI's local roles, complete the following:

...

  1. Click the Servers tab.
    1. Click Add to add LDAP servers to the service. The Add Authentication Server dialog box opens.
    2. Enter the Host/IP Address.
    3. Choose the Encryption Type: None or SSL. For more information, see the Using a Certificate File for an LDAP or AD Service topic.
    4. If using SSL, choose the certificate from the Certificate drop-down list. The certificate must first be imported into NetMRI.
    5. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which the servers in the service are queried by NetMRI.
    6. If necessary, enter the Port value. LDAP's default TCP port is 389 (636 with SSL encryption).
    7. If necessary, choose the LDAP version. The default is V3. Choose V2 only if the LDAP server supports nothing newer: LDAPv2 is obsolete and lacks the SASL binds and StartTLS of V3.
    8. Click Save to save your configuration.
    9. Click Cancel to close the dialog box.

To map the LDAP service's remote groups to NetMRI's local roles, perform the following:

...

  1. Go to the Settings icon > General Settings section > Authentication Services page.
  2. Click New to add a new authentication service. The Add Authentication Service dialog box opens.
  3. Enter the Name and Description.
  4. Set the Priority and Timeout of the new RADIUS service.
  5. Choose RADIUS as the Service Type. The Service Specific Information pane updates to show the required RADIUS settings.
  6. Retain the defaults for the Infoblox Vendor ID (7779, Infoblox's IANA enterprise number) and the Vendor Attribute ID (10). These two values identify the vendor-specific attribute NetMRI expects in the RADIUS server's reply, whatever RADIUS server you use. You may set different values, but whatever you choose must also be declared in the RADIUS server's dictionary file.

...

  1. Click the Servers tab. 
    1. Click Add to add RADIUS servers to the service. The Add Authentication Server dialog box opens.
    2. Enter the Host/IP Address.
    3. Enter the Shared Secret configured for NetMRI on the RADIUS server.
    4. If necessary, enter the Port value. RADIUS's default UDP application port is 1812.
    5. Click Save to save your configuration.
    6. Click Cancel to close the dialog box.

To map the RADIUS service's remote groups to NetMRI's local roles, perform the following:

...

This declaration in the new dictionary file supports the default values that are reflected in the Add Authentication Service dialog box in NetMRI when you configure a new RADIUS service. As previously noted, you can use whichever values you want, but those values must be correctly applied throughout the configuration.
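The following is an added example, not NetMRI's or Infoblox's code, showing what the Vendor ID and Vendor Attribute ID defaults above mean on the wire. It builds a RADIUS Access-Accept carrying a Vendor-Specific attribute (RFC 2865 attribute 26) with vendor ID 7779 and vendor type 10, computes and verifies the Response Authenticator with the shared secret, and extracts the vendor attribute values. The page does not name the attribute or state what it carries; this example assumes its value is the remote group name that NetMRI matches against its configured Remote Groups, and the packet, Request Authenticator and secret are constructed.

```python
"""Added example: RADIUS Access-Accept with the Infoblox vendor-specific
attribute (VSA) at the NetMRI defaults, built and parsed per RFC 2865."""
import hashlib
import hmac
import struct

INFOBLOX_VENDOR_ID = 7779      # Infoblox IANA enterprise number, NetMRI default
NETMRI_VENDOR_ATTR_ID = 10     # "Vendor Attribute ID" default in the NetMRI dialog
CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
RADIUS_HEADER_LEN = 20


def build_vsa(vendor_id, vendor_type, value):
    """Attribute 26: Type, Length, Vendor-Id, then the vendor's own
    Vendor-Type / Vendor-Length / String TLV."""
    if len(value) > 247:  # 255 - 2 (outer TL) - 4 (vendor id) - 2 (inner TL)
        raise ValueError("VSA value too long for one attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, request_authenticator, secret, groups):
    """Assumption (not stated on the page): the server returns one VSA per
    group the user belongs to, carrying the group name as a string."""
    attrs = b"".join(
        build_vsa(INFOBLOX_VENDOR_ID, NETMRI_VENDOR_ATTR_ID, g.encode("utf-8"))
        for g in groups
    )
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier,
                         RADIUS_HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """Client-side check that the reply came from a holder of the shared
    secret and was not altered. An Access-Accept that fails this must be
    discarded, never treated as a successful login."""
    if len(packet) < RADIUS_HEADER_LEN:
        return False
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    length = struct.unpack("!H", header[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def extract_vendor_strings(packet, vendor_id=INFOBLOX_VENDOR_ID,
                           vendor_type=NETMRI_VENDOR_ATTR_ID):
    """Walk the attribute list and return the string values of every VSA
    that matches the configured Vendor ID and Vendor Attribute ID."""
    values = []
    attrs = packet[RADIUS_HEADER_LEN:]
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        vpos = 4
        while vpos < len(value):
            if vpos + 2 > len(value):
                raise ValueError("truncated vendor TLV")
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("malformed vendor TLV length")
            if vtype == vendor_type:
                values.append(value[vpos + 2:vpos + vlen].decode("utf-8"))
            vpos += vlen
    return values


if __name__ == "__main__":
    # Constructed inputs: a fixed Request Authenticator and a throwaway secret.
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    pkt = build_access_accept(7, req_auth, secret, ["netmri-admins", "netops"])
    print("authentic:", verify_response_authenticator(pkt, req_auth, secret))
    print("groups:", extract_vendor_strings(pkt))
```

The Response Authenticator is the only integrity protection a RADIUS reply has, and it rests entirely on the shared secret and MD5; choose a long random secret, configure it only for NetMRI's source address on the RADIUS server, and keep the UDP path between the two on a trusted network, since anyone who can forge a reply with the secret can forge an Access-Accept and the group attribute with it.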

...

  1. Click the Servers tab.
    1. Click Add to add TACACS+ servers to the service. The Add Authentication Server dialog box opens.
    2. Enter the Host/IP Address.
    3. Enter the Shared Secret configured for NetMRI on the TACACS+ server.
    4. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order of which servers in the service are queried by NetMRI. A lower value number denotes a higher priority. "1" is the highest possible priority. Only one server should have a "1" priority.
    5. If necessary, enter the Port value. The TACACS+ default application port is 49.
    6. Click Save to save your configuration.
    7. Click Cancel to close the dialog box.

To map the TACACS+ service's remote groups to NetMRI's local roles, complete the following:

...

NetMRI SAML Attribute Key            | SAML Attribute Value   | Description                                                  | Example
-------------------------------------|------------------------|--------------------------------------------------------------|-------------------------------
uid                                  | username               | User name as specified in the IDP user record.               | jdoe
urn:oid:1.2.840.113549.1.9.1 or mail | mail                   | The person's email address in the IDP user record.           | jdoe@example.com
urn:oid:2.5.4.42 or givenName        | givenName              | Given name (first name) as specified in the IDP user record. | john
urn:oid:2.5.4.4 or surname           | surname                | Surname (last name) as specified in the IDP user record.     | doe
Group Attribute                      | Custom group attribute | User's relation to the organization or group.                | memberOf, eduPersonAffiliation

To configure a NetMRI SAML authentication service, complete the following:

  1. Go to the Settings icon > General Settings  > Authentication Services.
  2. Click New (the plus icon). The Add Authentication Service dialog box opens.
  3. Name: Enter a meaningful name for the SAML authentication service. This name will appear on the NetMRI login form. For example, Okta, Azure SSO, etc.
  4. Description: Enter a textual description for the SAML authentication service.
  5. Priority and Timeout: These settings do not apply with the SAML authentication type.
  6. Service Type: Choose SAML.
  7. In Service Specific Information, specify the following:
    • Entity ID: Enter the unique identifier of the SP entity (i.e. NetMRI) for the IDP.
    • IdP Metadata Url: Enter the IDP metadata URL.
    • IdP Group Attribute: User's relation to the organization or group. For example, memberOf.
    • IdP Certificate: Choose the certificate file.
    • Key: Choose the private key file.
  8. Disable service: By default, this setting is turned on. When you turn it off, the configured service becomes available on the NetMRI login form.
  9. Disable authorization: By default, this setting is turned on until remote groups are specified.
  10. Click Save. You can now proceed to remote group mapping or close the window.

...

  1. In the Add Authentication Service dialog box, click the Remote Groups tab.
  2. Click New (the plus icon). The Add Remote Group dialog box opens.
  3. In the Remote Group field, enter the name of a new remote users group for the SAML authentication service. The name must match the group name as defined on the SAML IdP (see the SAML server metadata), because NetMRI compares it against the values the IdP sends in the configured IdP Group Attribute. Here you map this group name to the NetMRI role(s) and device group(s).
  4. Description: Enter a textual description for the remote group.
  5. Click Save.
  6. Click Add Role and select a role from the drop-down list. For more information, see Defining and Editing Roles.
  7. In device groups: Select the checkboxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow the selection of individual device groups.
  8. Click OK to complete the configuration.
  9. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple roles for the remote group.
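As an added example (not NetMRI's code), the following Python shows what the attribute table and the remote-group mapping above amount to once an assertion arrives: it reads the AttributeStatement of a constructed SAML assertion, resolves each NetMRI key from either its OID name or its friendly name, and maps the values of the configured IdP Group Attribute to roles and device groups through a table shaped like the Remote Groups tab. The assertion, the remote group names and the role name NetOps-ReadOnly are constructed for the example (SysAdmin is the only role the page names); exact, case-sensitive group matching is an assumption. Signature validation of the assertion against the IdP certificate is deliberately left out, since NetMRI performs it before any of this runs.

```python
"""Added example: resolving NetMRI's SAML attribute keys from an assertion
and mapping the IdP group attribute to NetMRI roles and device groups."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# NetMRI key -> attribute Names accepted for it (OID form or friendly name,
# following the attribute table in the NetMRI documentation).
ATTRIBUTE_KEYS = {
    "uid": ("uid", "username"),
    "mail": ("urn:oid:1.2.840.113549.1.9.1", "mail"),
    "givenName": ("urn:oid:2.5.4.42", "givenName"),
    "surname": ("urn:oid:2.5.4.4", "surname"),
}

# Constructed stand-in for the Remote Groups tab. "NetOps-ReadOnly" is a
# hypothetical role name; SysAdmin is the role the documentation names.
REMOTE_GROUPS = {
    "netmri-admins": {"roles": ["SysAdmin"], "device_groups": []},
    "netops": {"roles": ["NetOps-ReadOnly"], "device_groups": ["Routers"]},
}

# Constructed assertion fragment: attribute statement only, no signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>john</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>netmri-admins</saml:AttributeValue>
      <saml:AttributeValue>netops</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attribute_statement(assertion_xml):
    """Return {attribute Name: [values]} for every Attribute in the assertion.
    Must only be called on an assertion whose signature has been verified."""
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if not name:
            continue
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attributes.setdefault(name, []).extend(v for v in values if v)
    return attributes


def resolve_user(attributes):
    """Pick one value per NetMRI key, accepting the OID or friendly name."""
    user = {}
    for key, names in ATTRIBUTE_KEYS.items():
        for name in names:
            if attributes.get(name):
                user[key] = attributes[name][0]
                break
    if "uid" not in user:
        raise ValueError("assertion carries no uid; the user cannot be identified")
    return user


def authorize(attributes, group_attribute, remote_groups):
    """Map the groups asserted in `group_attribute` to the roles and device
    groups granted to matching remote groups. Matching is exact and
    case-sensitive (assumption). No matching group means no roles, so the
    login is not authorized."""
    asserted = set(attributes.get(group_attribute, []))
    roles, device_groups = set(), set()
    for name, grant in remote_groups.items():
        if name in asserted:
            roles.update(grant["roles"])
            device_groups.update(grant["device_groups"])
    if "SysAdmin" in roles:
        device_groups = {"*"}  # SysAdmin applies to all device groups
    return {"roles": sorted(roles), "device_groups": sorted(device_groups),
            "allowed": bool(roles)}


if __name__ == "__main__":
    attrs = parse_attribute_statement(SAMPLE_ASSERTION)
    print(resolve_user(attrs))
    print(authorize(attrs, "memberOf", REMOTE_GROUPS))
    # Group attribute configured differently from what the IdP sends: no roles.
    print(authorize(attrs, "eduPersonAffiliation", REMOTE_GROUPS))
```

The last call in the demo shows the most common misconfiguration: the IdP Group Attribute entered at step 7 of the service setup must be the exact attribute Name the IdP emits, or every remote group fails to match and no user receives a role.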

...

  1. Go to the Settings icon > General Settings  > Authentication Services.
  2. Click New (the plus icon). The Add Authentication Service dialog box opens.
  3. Name: Enter a meaningful name for the OCSP authentication service.
  4. Description: Enter a textual description for the OCSP authentication service.
  5. Timeout: Specify the server response timeout.
  6. Service Type: Choose OCSP.
  7. Disable service: By default, this setting is turned on. When you turn it off, the configured service becomes available on the NetMRI login form. NetMRI then validates that the user's certificate chains to the configured CA certificate and checks its revocation status against the OCSP responder.
  8. Click Save.

...

  1. In the Edit Authentication Service dialog box, click the Servers tab.
  2. Click New (the plus icon). The Add OCSP responder dialog box appears.
  3. Enter the Host/IP Address.
  4. Priority: Choose the priority for the new server in the authentication service. In this context, the priority value determines the order in which servers are queried by NetMRI. A lower value number denotes a higher priority. "1" is the highest possible priority. Only one server should have a "1" priority.
  5. OCSP Certificate: Select a previously imported CA certificate that will be used with the request to the OCSP responder server. You can import certificates in Settings icon > Security > CA Certificates.
  6. Port: Specify the OCSP server port.
  7. Disable server: By default, this setting is turned off to allow NetMRI to check the user certificate for validity.
  8. Certificates: Select the required certificate chain.
  9. Click Save.
  10. Test: Click to test connection to the authentication servers.
  11. Click Close.

...