NetMRI uses internal and external authentication systems to control user authentication for performing all administrative tasks. For a simple rollout, you can use the NetMRI local authentication database, which is called the local authentication service, where all user accounts and login information are contained within the appliance. You can also link NetMRI to an external Active Directory, RADIUS, TACACS+, LDAP, SAML, or OCSP authentication server or server group in the enterprise network to perform user authentication and authorization for NetMRI tasks, using the same user roles and privileges defined on the local NetMRI system. Doing so requires creating new authentication services in NetMRI.


Use the Authentication Services Settings page (Settings icon > General Settings > Authentication Services) to configure authentication server settings.

...

For NetMRI user accounts, you define roles and privileges locally in the NetMRI appliance. All user account roles and privileges remain local to the NetMRI appliance and are not directly defined on the RADIUS, TACACS+, LDAP, AD, SAML, or OCSP server. For information about user Roles and Privileges, see Creating Admin and User Accounts. The external server is used for the authentication of the user account. Authorization functions are tied to the assignments between the remote user group names and the NetMRI Roles in the desired NetMRI device groups.

The following figure illustrates the authentication and authorization process for users authenticated by remote servers. In the example, two authentication services are configured, a RADIUS service and an Active Directory service. When the admin logs in with a user name and password, NetMRI first uses the service with the highest priority (the lowest Priority value) to authenticate the admin. If authentication fails, NetMRI tries the service with the next highest priority, and so on. Within each service, it tries each authentication server in the order given by the servers' priority values, until a login succeeds or every service has failed, including the local authentication service. If all services fail to authenticate the login attempt, NetMRI denies access and generates an error notification.
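The priority chain described above, modelled as an added example in Python (this is illustration code, not NetMRI's own implementation). It assumes, as the text states, that the lowest Priority number is tried first and that any failure, a rejected password as well as an unreachable server, moves on to the next server and then to the next service; the service names, hosts and credentials are constructed sample data.

```python
"""Added example (not NetMRI code): a model of the priority-ordered
authentication chain. Assumptions: the lowest Priority number is tried first,
and a failure of any kind (password rejected, server down) moves on to the
next server and then to the next service. Services, hosts and credentials
below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# A backend returns True (accepted) or False (rejected), or raises OSError
# when the server cannot be reached or times out.
Backend = Callable[[str, str], bool]


@dataclass
class Server:
    host: str
    priority: int
    backend: Backend


@dataclass
class Service:
    name: str
    priority: int
    servers: List[Server]


def authenticate(services: List[Service], username: str, password: str,
                 log: Optional[list] = None) -> Optional[str]:
    """Walk services, then servers, in ascending Priority number.

    Returns the name of the service that accepted the login, or None when
    every service (the Local service included) has failed."""
    log = log if log is not None else []
    for svc in sorted(services, key=lambda s: s.priority):
        for srv in sorted(svc.servers, key=lambda s: s.priority):
            try:
                accepted = srv.backend(username, password)
            except OSError as exc:
                log.append(f"{svc.name}/{srv.host}: unreachable ({exc})")
                continue  # next server of the same service
            log.append(f"{svc.name}/{srv.host}: "
                       f"{'accepted' if accepted else 'rejected'}")
            if accepted:
                return svc.name
    log.append("all services failed: access denied")
    return None


# Constructed backends: a local user database, a server that times out, and
# static directories standing in for the RADIUS and AD servers.
LOCAL_USERS = {"admin": "local-pw"}


def local_backend(user: str, pw: str) -> bool:
    return LOCAL_USERS.get(user) == pw


def down_backend(user: str, pw: str) -> bool:
    raise OSError("connection timed out")


def static_backend(users: dict) -> Backend:
    return lambda user, pw: users.get(user) == pw


def build_chain() -> List[Service]:
    """Local (Priority 1), then RADIUS (2) with two servers, then AD (3)."""
    return [
        Service("Local", 1, [Server("localhost", 1, local_backend)]),
        Service("RADIUS", 2, [
            Server("radius1.corp100.com", 1, down_backend),
            Server("radius2.corp100.com", 2, static_backend({"jdoe": "radius-pw"})),
        ]),
        Service("AD", 3, [
            Server("dc1.engineering.corp100.com", 1, static_backend({"jdoe": "ad-pw"})),
        ]),
    ]


if __name__ == "__main__":
    trace: list = []
    print(authenticate(build_chain(), "jdoe", "ad-pw", trace))
    print("\n".join(trace))
```

Running the block shows the trace for a user who exists only in AD: the Local service rejects, the first RADIUS server times out, the second rejects, and AD accepts. The point to notice is that every hop before the accepting one costs a Timeout's worth of delay when a server is down, which is why the order of the services and of the servers inside them matters.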

...

In all cases, configuring authentication protocols for the NetMRI appliance requires creating one or more authentication services from the Settings icon > General Settings > Authentication Services page:

  • Local: The appliance's local user account authentication database, containing user login verification, Role and privilege assignments, and device group assignments. The Local service is the default and cannot be removed from the system. If no other services are available, users are asked to log in with local credentials, which the administrator must also configure on the NetMRI appliance. For many deployments, the Local service should always be kept as the highest-priority service.
  • Active Directory: Allows NetMRI to use an Active Directory server or servers for external admin account verification and remote group authorization.
  • LDAP: Enables NetMRI to use a Lightweight Directory Access Protocol server or servers for external admin account verification and remote group authorization.
  • RADIUS: Allows NetMRI to use a RADIUS server or servers for external admin account verification and remote group authorization.
  • TACACS+: Allows NetMRI to use a TACACS+ server or servers for external admin account verification and remote group authorization.
  • SAML: Enables NetMRI to use a SAML server to authenticate users with their organization's single-sign-on.
  • OCSP: Enables certificate-based user login. NetMRI checks the user's client certificate against an uploaded CA certificate and queries the OCSP server for the certificate's revocation status.

...

To configure an Active Directory authentication service for NetMRI, complete the following:

  1. Go to the Settings icon > NetMRI Settings section > Authentication Services page.
  2. Click New to add a new authentication service. The Add Authentication Service dialog opens.
  3. Enter the Name and Description.
  4. Set the Priority and Timeout of the AD service. A lower Priority value means the service is tried earlier (a service with Priority 1 is tried before one with Priority 3). Set the Priority to 1 if the AD service is to be the first of two or more authentication options.
  5. Choose Active Directory as the Service Type. The Service Specific Information pane updates to show the required AD settings.
  6. Enter the AD Domain value for the new AD service (example: engineering.corp100.com).
  7. Click Save.
  8. If desired, click Disable service (this completely disables the service but does not change or delete any settings) or Disable authorization. Disabling authorization stops the new service from performing any group searches but still allows basic authentication of user accounts against the Active Directory server; in that case the user accounts must be defined locally on the appliance.

...

  1. Click the Servers tab.
    1. Click Add to add Active Directory servers to the service. The Add Authentication Server dialog opens.
    2. Enter the Host/IP Address.
    3. Choose the Encryption Type: None or SSL. For information, see Using a Certificate File for an LDAP or AD Service. If you select SSL, the Port field changes to the SSL default automatically.
    4. If using SSL, choose the certificate from the Certificate drop-down list. The list contains the CA certificates that have been loaded into NetMRI (see the upload steps below).

      Note: When configuring authentication using Active Directory with SSL encryption, a fully qualified domain name (FQDN) is required in the Server Name or IP address field of the Add Active Directory Server dialog; a bare IP address does not work for an SSL connection.


    5. Choose the Priority for the new server in the authentication service. Here the priority value determines the order in which the servers in the service are queried; the lowest number is queried first.
    6. If necessary, enter the Port value. The default TCP port is 636 for SSL (LDAPS) and 389 for unencrypted communication.
    7. Click Save to save your configuration.
    8. Click Cancel to close the dialog.

...

If the Active Directory server authentication uses SSL, upload the Active Directory server's CA certificate to NetMRI. See the following for directions:

  1. Open the Settings icon > General Settings > Security page and click the CA Certificates tab.
  2. Click Import.
  3. In the pop-up window, enter a descriptive name for the certificate and click Browse to locate the Active Directory server's CA certificate.
  4. Click Import to import the CA certificate to NetMRI.

...

To configure an LDAP authentication service for NetMRI, complete the following:

  1. Go to the Settings icon > NetMRI Settings section > Authentication Services page.
  2. Click New to add a new authentication service. The Add Authentication Service dialog opens.
  3. Enter the Name and Description.
  4. Set the Priority and Timeout of the LDAP service.
  5. Choose LDAP as the Service Type. The Service Specific Information pane updates to show the required LDAP settings.
  6. Enter the Base DN value for the new LDAP service (example: ou=management,dc=corp100,dc=com). User definitions may be split between two or more Base DNs, so be aware of how the directory service is structured.
  7. Enter the User Attribute, the attribute whose value users log in with. This is typically cn (common name), one of the components of the LDAP Distinguished Name; a directory that names its users by uid, as in the example below, uses uid instead.
  8. Enter the Group Attribute, which will typically be memberOf for NetMRI. This attribute holds the group membership of individual user accounts in the LDAP tree. NetMRI reads it to retrieve the LDAP group names to which a user belongs; each LDAP group is then mapped to NetMRI Roles on the Remote Groups tab.
    Example:

    ldapsearch -x -LLL -H ldap:/// -b uid=myuser,ou=people,dc=qanet,dc=com dn memberof

    dn: uid=myuser,ou=people,dc=qanet,dc=com
    memberof: cn=mygroup,ou=groups,dc=qanet,dc=com

    You must use the memberOf overlay or a similarly behaving overlay to define the membership.

...

  1. Choose the Search Level, which determines how far the LDAP service searches below the Base DN:
    • Base: Searches only the base object.
    • One Level: Searches the directory entries immediately below the base object.
    • Subtree: Searches the whole directory tree below and including the base object. This is the default and can be retained for most applications.

...

  1. Choose the Authentication, which can be either Anonymous or Authenticated. For more information, see Anonymous vs. Authenticated Server Authentication.

      ...

        1. If the setting is Authenticated, enter the Bind User DN, the distinguished name of the account NetMRI binds as when it queries the directory (an account defined on the LDAP server).

      ...

        1. Enter the Bind Password, which is associated with the Bind user for the server.

          Note: Some LDAP services do not permit the Bind User DN and Bind Password to be used for queries and require anonymous binds instead. Conversely, many directories refuse anonymous searches, in which case a bind account is mandatory. Check the directory's policy before choosing.

      ...


      1. Click Save.

      ...

      1. If desired, click Disable service (this completely disables the service but does not change or delete any settings) or Disable authorization (this disables the new service from performing any group searches but allows basic authentication of user accounts from the LDAP server).

      To configure the authentication service's LDAP servers, complete the following:

      1. Click the Servers tab.
        1. Click Add to add LDAP servers to the service. The Add Authentication Server dialog opens.
        2. Enter the Host/IP Address.
        3. Choose the Encryption Type: None or SSL. For more information, see Using a Certificate File for an LDAP or AD Service.
        4. If using SSL, choose the certificate from the Certificate drop-down list. The certificate must be loaded into NetMRI.
        5. Choose the Priority for the new server in the authentication service. Here the priority value determines the order in which the servers in the service are queried; the lowest number is queried first.
        6. If necessary, enter the Port value. LDAP's default TCP port is 389 (636 for SSL).
        7. If necessary, choose the LDAP version. The default is V3. Choose V2 only if the LDAP server supports nothing newer; LDAPv2 is obsolete and lacks LDAPv3 features such as StartTLS and SASL binds.
        8. Click Save to save your configuration.
        9. Click Cancel to close the dialog.

      To map the LDAP service's remote groups to NetMRI's local roles, perform the following:

      ...

      1. Click the Remote Groups tab.
        1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
        2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
        3. Check the check boxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow selection of individual device groups.
        4. Click OK to complete the configuration.
        5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
      2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.
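The two halves of the LDAP flow above, the memberOf lookup shown in the ldapsearch example and the remote-group-to-role mapping configured on the Remote Groups tab, carried through as an added example in Python (illustration code, not NetMRI's implementation). The LDIF is constructed to match the query output shown earlier, the NetMRI role names and device group names are hypothetical, and the DN parser does not handle escaped commas inside values.

```python
"""Added example (not NetMRI code): parse the LDIF that the ldapsearch query
returns, pull the group name out of each memberOf value and apply a
remote-group-to-role mapping of the kind configured on the Remote Groups tab.
The LDIF, the NetMRI role names and the device group names are constructed."""
import base64
import re

# Constructed ldapsearch output. The second user belongs to two groups; the
# last value uses the "attr:: base64" form that ldapsearch emits for some values.
LDIF = """\
dn: uid=myuser,ou=people,dc=qanet,dc=com
memberof: cn=mygroup,ou=groups,dc=qanet,dc=com

dn: uid=alice,ou=people,dc=qanet,dc=com
memberof: cn=netops,ou=groups,dc=qanet,dc=com
memberof:: Y249c3lzYWRtaW5zLG91PWdyb3VwcyxkYz1xYW5ldCxkYz1jb20=
"""


def unfold(text: str) -> list:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> dict:
    """Return {dn: {attribute_name_lowercase: [values...]}} for every entry."""
    entries, current = {}, None
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def group_cn(dn: str):
    """Extract the group name from its DN, e.g. 'mygroup' from cn=mygroup,ou=groups,..."""
    m = re.match(r"\s*cn=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else None


# Constructed NetMRI configuration; the role names are hypothetical.
DEVICE_GROUPS = frozenset({"Routers", "Switches", "Firewalls"})
REMOTE_GROUPS = {  # remote group name -> [(Role, device groups)]
    "mygroup":   [("Viewer", frozenset({"Routers"}))],
    "netops":    [("NetworkAdmin", frozenset({"Routers", "Switches"}))],
    "sysadmins": [("SysAdmin", None)],  # SysAdmin applies to all device groups
}


def authorize(entry: dict) -> dict:
    """Map a parsed user entry to {Role: frozenset(device groups)}.

    An empty result means no NetMRI Role applies; treat that as a refused
    login even though the directory accepted the password."""
    roles = {}
    for dn in entry.get("memberof", []):
        for role, groups in REMOTE_GROUPS.get(group_cn(dn), []):
            granted = DEVICE_GROUPS if role == "SysAdmin" else groups
            roles[role] = roles.get(role, frozenset()) | granted
    return roles


if __name__ == "__main__":
    for dn, entry in parse_ldif(LDIF).items():
        print(dn, "->", authorize(entry))
```

Note how the mapping key is the group's cn, not the full DN: whichever form NetMRI expects in the Remote Group field, the Test button's returned group list is the authoritative way to find out, since it prints the names exactly as the service retrieves them.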

      ...

      Using a Certificate File for an LDAP or AD Service

      NetMRI-to-LDAP (or Active Directory) server connections over SSL use a CA certificate loaded into NetMRI from a .PEM file. See the section NetMRI Security Settings for the process of adding SSL certificates to NetMRI. Once loaded, the certificate appears automatically in the authentication server's Certificate drop-down menu, and the connection test uses it when it validates the server.

      ...

      If you set the Encryption menu to None, this option remains unavailable, and authentication tests will show a blank certPath value in the test output.

      ...

      Anonymous vs. Authenticated Server Authentication

      If a Bind User DN (Distinguished Name) and Bind Password have been provisioned for the LDAP service, perhaps for a power user, or because anonymous access is not granted by policy, use those values so that NetMRI authenticates itself to the servers that make up the LDAP service instead of querying them anonymously.

      ...

      To configure a RADIUS authentication service for NetMRI, perform the following:

      1. Go to the Settings icon > NetMRI Settings section > Authentication Services page.
      2. Click New to add a new authentication service. The Add Authentication Service dialog opens.
      3. Enter the Name and Description.
      4. Set the Priority and Timeout of the new RADIUS service.
      5. Choose RADIUS as the Service Type. The Service Specific Information pane updates to show the required RADIUS settings.
      6. Retain the defaults for the Infoblox Vendor ID (7779) and the Vendor Attribute ID (10). These values are required for operation with any RADIUS server: they identify the vendor-specific attribute that NetMRI reads from the RADIUS reply. They may be changed, but the same values must then be defined in the RADIUS server's dictionary file.
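What the Vendor ID and Vendor Attribute ID select on the wire, as an added example in Python (illustration code, not NetMRI's or Infoblox's): it builds and parses the RFC 2865 Vendor-Specific attribute (type 26) using the page's values 7779 and 10. That the attribute carries the remote group name, and the attribute name used in the dictionary snippet, are assumptions of this example; the Access-Accept attribute bytes are constructed.

```python
"""Added example (not NetMRI code): build and parse the RFC 2865 Vendor-Specific
attribute (type 26) in which a RADIUS server returns vendor data, using the
Vendor ID 7779 and Vendor Attribute ID 10 from the page. Wire layout:
Type=26, Length, Vendor-Id (4 bytes), then Vendor-Type, Vendor-Length, value."""
import struct

VENDOR_ID = 7779   # Infoblox Vendor ID (default in the NetMRI dialog)
GROUP_ATTR = 10    # Vendor Attribute ID (default in the NetMRI dialog)
VSA_TYPE = 26      # RADIUS Vendor-Specific attribute type
MAX_VALUE = 255 - 2 - 4 - 2   # the RADIUS Length field is a single byte

# What the matching entry in a FreeRADIUS-style dictionary looks like; the
# attribute name is made up for this example.
DICTIONARY = """\
VENDOR          Infoblox                7779
BEGIN-VENDOR    Infoblox
ATTRIBUTE       Infoblox-NetMRI-Group   10      string
END-VENDOR      Infoblox
"""


def encode_vsa(value: str, vendor_id: int = VENDOR_ID,
               vendor_type: int = GROUP_ATTR) -> bytes:
    """Encode one string value as a single Vendor-Specific attribute."""
    data = value.encode()
    if len(data) > MAX_VALUE:
        raise ValueError("value too long for a single VSA")
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VSA_TYPE, len(body) + 2) + body


def parse_attributes(blob: bytes):
    """Yield (type, value) for each attribute in a RADIUS attribute list."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        yield t, blob[i + 2:i + length]
        i += length


def group_names(blob: bytes, vendor_id: int = VENDOR_ID,
                vendor_type: int = GROUP_ATTR) -> list:
    """Return the values of every matching VSA; other attributes and vendors are ignored."""
    names = []
    for t, v in parse_attributes(blob):
        if t != VSA_TYPE or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != vendor_id:
            continue
        j = 4
        while j + 2 <= len(v):  # one VSA may hold several vendor sub-attributes
            vt, vl = v[j], v[j + 1]
            if vl < 2 or j + vl > len(v):
                raise ValueError("malformed vendor sub-attribute")
            if vt == vendor_type:
                names.append(v[j + 2:j + vl].decode())
            j += vl
    return names


# Constructed Access-Accept attribute list: a Reply-Message (type 18), another
# vendor's VSA that must be ignored, and the Infoblox group VSA.
SAMPLE_ACCEPT_ATTRS = (
    bytes([18, 9]) + b"Welcome"
    + encode_vsa("ignored", vendor_id=9, vendor_type=1)
    + encode_vsa("netops")
)

if __name__ == "__main__":
    print(encode_vsa("netops").hex())
    print(group_names(SAMPLE_ACCEPT_ATTRS))
```

If the Vendor ID or Vendor Attribute ID in NetMRI disagrees with the dictionary on the RADIUS server, the reply still authenticates the user but the group lookup returns nothing, which is exactly the "authenticated but no role" failure the Test button exposes.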

      ...

      To configure the authentication service's RADIUS servers, do the following:

      1. Click the Servers tab.
        1. Click Add to add RADIUS servers to the service. The Add Authentication Server dialog opens.
        2. Enter the Host/IP Address.
        3. Enter the Shared Secret configured for NetMRI on the RADIUS server.
        4. If necessary, enter the Port value. RADIUS's default UDP authentication port is 1812.
        5. Click Save to save your configuration.
        6. Click Cancel to close the dialog.

      To map the RADIUS service's remote groups to NetMRI's local roles, perform the following:

      ...

      1. Click the Remote Groups tab.
        1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
        2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
        3. Check the check boxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow selection of individual device groups.
        4. Click OK to complete the configuration.
        5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
      2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

      ...

      1. Ensure that all user accounts are defined with their necessary roles in NetMRI.
      2. Go to the Settings icon > NetMRI Settings section > Authentication Services page.
      3. Click New to add a new authentication service. The Add Authentication Service dialog opens.
      4. Enter the Name and Description.
      5. Set the Priority and Timeout values.
      6. Choose TACACS+ as the Service Type. The Service Specific Information panel updates to show the required TACACS+ settings.
      7. Enter the Service Name and Group Attribute.
      8. Test NetMRI user account settings by entering the User Name and Password and clicking Test. A successful test returns the list of user roles defined in NetMRI for the test user.

        Note: If the authentication server or its shared secret is incorrect, the message "Unable to get access information" appears. If the test user name or password is incorrect, access is rejected. Access is also rejected if no NetMRI Role is defined for the test user on the NetMRI system.

      ...

      1. To use TACACS+ for authentication only, check the Disable authorization check box.
        1. To disable the current service, check the Disable service check box.

      To configure the authentication service's TACACS+ servers, complete the following:

      ...

      1. Click the Servers tab.
        1. Click Add to add TACACS+ servers to the service. The Add Authentication Server dialog opens.
        2. Enter the Host/IP Address.
        3. Choose the Shared Secret for the server.
        4. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order of which servers in the service are queried by NetMRI. A lower value number denotes a higher priority. "1" is the highest possible priority. Only one server should have a "1" priority.
        5. If necessary, enter the Port value. The TACACS+ default TCP port is 49.
        6. Click Save to save your configuration.
        7. Click Cancel to close the dialog.

      To map the TACACS+ service's remote groups to NetMRI's local roles, complete the following:

      ...

      1. Click the Remote Groups tab.
        1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
        2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
        3. Check the check boxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow selection of individual device groups.
        4. Click OK to complete the configuration.
        5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
      2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

      ...

      • You have enabled ports 443 (HTTPS) and 80 (HTTP) on the firewall to allow NetMRI to communicate with the IDP SAML server.
      • In NetMRI, you have specified the eth0 main MGMT IP address in Settings > General Settings > Advanced Settings > Configuration Management > Fully Qualified Domain Name.
      • You have a valid SSL certificate and private key file pair for the SAML service, either downloaded from the IDP SAML server or self-signed, ready to upload to NetMRI as the IdP Certificate and Key. You can generate a self-signed certificate and key using OpenSSL; see https://www.openssl.org/docs/manmaster/man1/openssl-req.html.
      • On the IDP SAML server, you have configured the following attributes that NetMRI expects in the SAML assertion:

      NetMRI SAML Attribute Key             | SAML Attribute Value   | Description                                                  | Example
      --------------------------------------+------------------------+--------------------------------------------------------------+-------------------------------
      uid                                   | username               | User name as specified in the IDP user record.               | jdoe
      urn:oid:1.2.840.113549.1.9.1 or mail  | mail                   | The person's e-mail address in the IDP user record.          | jdoe@example.com
      urn:oid:2.5.4.42 or givenName         | givenName              | Given name (first name) as specified in the IDP user record. | john
      urn:oid:2.5.4.4 or surname            | surname                | Surname (last name) as specified in the IDP user record.     | doe
      Group Attribute                       | Custom group attribute | User's relation to the organization or group.                | memberOf, eduPersonAffiliation
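Reading those attributes out of an assertion, as an added example in Python (illustration code, not NetMRI's SAML implementation). It accepts either the OID form or the friendly name for each attribute and collects the values of the configured IdP Group Attribute. The assertion is constructed, the code assumes the assertion's signature has already been validated (not shown), and treating the four identity attributes as mandatory is this example's own choice.

```python
"""Added example (not NetMRI code): read the attributes NetMRI expects from a
SAML 2.0 assertion, accepting the OID form or the friendly name for each, plus
every value of the configured IdP Group Attribute. Assumes the assertion has
already been signature-checked; the assertion below is constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Either Name form seen in the IdP assertion resolves to the NetMRI key.
ATTRIBUTE_ALIASES = {
    "uid": "uid", "username": "uid",
    "mail": "mail", "urn:oid:1.2.840.113549.1.9.1": "mail",
    "givenName": "givenName", "urn:oid:2.5.4.42": "givenName",
    "surname": "surname", "sn": "surname", "urn:oid:2.5.4.4": "surname",
}
REQUIRED = ("uid", "mail", "givenName", "surname")  # assumption of this example

# Constructed assertion mixing OID-style and friendly attribute names.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>john</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>netops</saml:AttributeValue>
      <saml:AttributeValue>sysadmins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(xml_text: str, group_attribute: str = "memberOf") -> dict:
    """Return {'uid':..., 'mail':..., 'givenName':..., 'surname':..., 'groups': [...]}.

    Raises ValueError when one of the REQUIRED attributes is absent, so a
    misconfigured IdP fails loudly instead of producing a half-empty user."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        if name == group_attribute:
            found["groups"] = values  # one value per group the user is in
        elif name in ATTRIBUTE_ALIASES and values:
            found[ATTRIBUTE_ALIASES[name]] = values[0]
    missing = [k for k in REQUIRED if k not in found]
    if missing:
        raise ValueError(f"assertion lacks required attribute(s): {missing}")
    found.setdefault("groups", [])
    return found


if __name__ == "__main__":
    print(extract_attributes(ASSERTION))
```

The group values come back as a list because a user may belong to several groups, each of which is then matched against the Remote Groups configured on the service; with the Group Attribute set to eduPersonAffiliation instead, the same assertion yields no groups at all, which is the usual cause of "authenticates but has no role" after an IdP change.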


      To configure a NetMRI SAML authentication service, complete the following:

      1. Go to the Settings icon > General Settings > Authentication Services.
      2. Click New (the plus icon). The Add Authentication Service dialog opens.
      3. Name: Enter a meaningful name for the SAML authentication service. This name will appear on the NetMRI login form. For example, Okta, Azure SSO, etc.
      4. Description: Enter a textual description for the SAML authentication service.
      5. Priority and Timeout: These settings do not apply with the SAML authentication type.
      6. Service Type: Choose SAML.
      7. In Service Specific Information, specify the following:
        • Entity ID: Enter the unique identifier of the SP entity (i.e. NetMRI) for the IDP.
        • IdP Metadata Url: Enter the IDP metadata URL.
        • IdP Group Attribute: User's relation to the organization or group. For example, memberOf.
        • IdP Certificate: Choose the certificate file.
        • Key: Choose the private key file.
      8. Disable service: By default, this setting is turned on. When you turn it off, the configured service becomes available on the NetMRI login form.
      9. Disable authorization: By default, this setting is turned on until remote groups are specified.
      10. Click Save. You can now proceed to remote groups mapping or close the window.

      ...

      • The IP address of the OCSP server.
      • The OCSP server port is reachable from NetMRI (allowed through any firewall in between).
      • A valid pre-uploaded CA certificate for the OCSP server. You upload certificates to NetMRI in Settings icon > General Settings > Security > CA Certificates. For more information, see NetMRI Security Settings.

      To configure an OCSP authentication service, complete the following:

      1. Go to the Settings icon > General Settings > Authentication Services.
      2. Click New (the plus icon). The Add Authentication Service dialog opens.
      3. Name: Enter a meaningful name for the OCSP authentication service.
      4. Description: Enter a textual description for the OCSP authentication service.
      5. Timeout: Specify the server response timeout.
      6. Service Type: Choose OCSP.
      7. Disable service: By default, this setting is turned on. When you turn it off, the configured service becomes available on the NetMRI login form. NetMRI validates that the user certificate is compliant with the CA certificate. It also performs a certificate revocation check using the OCSP server.
      8. Click Save.

      ...