
Authenticating Admins using Remote Authentication

NIOS supports the following remote authentication methods: AD domain controllers, RADIUS, LDAP, TACACS+, and two-factor (X.509 client certificate) authentication. With these methods NIOS authenticates admins whose credentials are stored on the remote server rather than in the local admin database. For more information, see About Remote Admins.

AD domain controllers

You must add domain controllers to an AD authentication server group and set the per-controller timeout in Grid Manager; the minimum timeout value is one second. To add domain controllers, from the Administration tab -> Authentication Server Groups tab -> Active Directory Services subtab, click the Add icon and enter the details in the Add Active Directory Authentication Service wizard. You can enable SSL as the encryption method and upload CA certificates; when SSL is enabled for AD, NIOS uses those CA certificates to validate the domain controller during its LDAP communication. Without SSL, the LDAP bind to the domain controller carries the admin's credentials across the network unencrypted. For more information, see Authenticating Admins Using Active Directory.

RADIUS

In this remote authentication process, NIOS sends an authentication request to a RADIUS server group. Whether this method is available depends on the CC/FIPS mode setting (see the note below). To configure a RADIUS authentication server group, from the Administration tab -> Authentication Server Groups tab, click the Add icon in the RADIUS Services subtab, and specify the details in the Add RADIUS Authentication Service wizard. For more information, see Authenticating Admins Using RADIUS.


Note: Do not use the RADIUS authentication method when you operate in the FIPS mode.


LDAP

NIOS authenticates admin accounts by verifying user names and passwords against an LDAP server. If you select SSL as the encryption type for the LDAP server group, the LDAP URL prefix is set to ldaps; otherwise it is set to ldap. With plain ldap, the password NIOS sends in the simple bind crosses the network in the clear, so use SSL wherever the directory supports it. To set the encryption type for an LDAP server group, from the Administration tab -> Authentication Server Groups tab, click the Add icon in the LDAP Services subtab, and specify the details in the Add LDAP Authentication Service wizard. When you enable Common Criteria mode, NIOS sets the minimum TLS protocol for LDAP to TLS 1.0 and the TLS cipher list to '-ALL:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA'. In OpenSSL cipher-list syntax, -ALL first removes every suite and the four names after it are then added back, so only those four CBC suites with HMAC-SHA1 remain. For more information, see Authenticating Admins Using LDAP.
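The following is an added example, not code from the Infoblox documentation or from NIOS: it previews the two settings described above offline, the URL scheme chosen by the encryption type and the suites left over after OpenSSL applies the Common Criteria cipher string. The suite catalog, the default ports 389/636 and the host names are assumptions for the example; NIOS configures the port separately in the wizard.

```python
"""Added example (not Infoblox/NIOS code): preview the LDAP URL scheme and the
effective cipher suites for the settings described on this page. Offline,
standard library only."""
from typing import List, Optional

# Constructed catalog (assumption for the example, not a full OpenSSL list): the
# four suites named in the NIOS cipher string plus a few others that the
# leading "-ALL" token has to remove.
CATALOG = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA",
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
]

# The cipher string quoted on this page for Common Criteria mode.
NIOS_CC_CIPHERS = "-ALL:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA"


def ldap_url(host: str, encryption: str, port: Optional[int] = None) -> str:
    """Apply the page's rule: encryption type SSL gives ldaps://, anything else ldap://.
    Default ports 636/389 are an assumption here; NIOS takes the port from the wizard."""
    if encryption.upper() == "SSL":
        scheme, default_port = "ldaps", 636
    else:
        scheme, default_port = "ldap", 389
    return f"{scheme}://{host}:{port or default_port}"


def effective_ciphers(cipher_string: str, catalog: List[str] = CATALOG) -> List[str]:
    """Evaluate OpenSSL cipher-list syntax against the catalog.
    '-X' removes X but a later 'X' may add it back; '!X' removes X permanently;
    a bare name appends it; 'ALL' stands for every suite in the catalog."""
    selected: List[str] = []
    banned = set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token[0] in "-!":
            names = catalog if token[1:] == "ALL" else [token[1:]]
            selected = [c for c in selected if c not in names]
            if token[0] == "!":
                banned.update(names)
        elif token == "ALL":
            selected += [c for c in catalog if c not in selected and c not in banned]
        elif token in catalog and token not in selected and token not in banned:
            selected.append(token)
    return selected


def cbc_sha1_suites(suites: List[str]) -> List[str]:
    """Return the suites that use CBC mode with HMAC-SHA1 (OpenSSL names ending
    in '-SHA') or 3DES; these offer no AEAD protection."""
    return [s for s in suites if s.endswith("-SHA") or "DES" in s]


if __name__ == "__main__":
    print(ldap_url("ldap.example.com", "SSL"))          # ldaps://ldap.example.com:636
    print(ldap_url("ldap.example.com", "None"))         # ldap://ldap.example.com:389
    suites = effective_ciphers(NIOS_CC_CIPHERS)
    print("effective:", suites)
    print("CBC/HMAC-SHA1 only:", cbc_sha1_suites(suites) == suites)
```

Run against the page's string, the evaluator shows that every suite left by the Common Criteria list is a CBC suite with HMAC-SHA1; when the Grid is not required to run in CC mode, the appliance's default cipher selection is what applies.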

TACACS+

TACACS+ provides separate authentication, authorization, and accounting services. Whether this method is available depends on the CC/FIPS mode setting (see the note below). You configure a custom service named infoblox on the TACACS+ server, define a user group there, and set the custom attribute infoblox-admin-group to the name of the NIOS admin group the user should receive; that admin group must already exist on the Grid. To configure a TACACS+ authentication server group, from the Administration tab -> Authentication Server Groups tab, click the Add icon in the TACACS+ Services subtab, and specify the details in the Add TACACS+ Service wizard. For more information, see Authenticating Admin Accounts Using TACACS+.
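As an added illustration, not taken from the Infoblox documentation, this is how the custom service and attribute described above would be expressed in the configuration file of the open-source tac_plus daemon. The shared key, the group name netadmins and the user alice are placeholders; the value of infoblox-admin-group must match an admin group that already exists in Grid Manager.

```text
# tac_plus.conf (excerpt) -- added example, placeholder values
key = "replace-with-a-strong-shared-secret"

group = netadmins {
    # Custom service that NIOS queries during authorization
    service = infoblox {
        # Must match the name of an admin group defined in Grid Manager
        infoblox-admin-group = "netadmins"
    }
}

user = alice {
    member = netadmins
    login = PAM
}
```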


Note: Do not use the TACACS+ authentication method when you operate in the FIPS mode.


Two-factor authentication

You can configure NIOS to use the two-factor authentication method to authenticate users based on X.509 client certificates. In this authentication method, NIOS first performs SSL/TLS client authentication to validate the client certificate, and then authenticates the admin according to the configured authentication policy. You must first configure an authentication policy, and then configure and enable the certificate authentication service for two-factor authentication to take effect. To configure and enable the two-factor authentication service, from the Administration tab -> Authentication Server Groups tab, click the Add icon in the Certificate Authentication Services subtab. Certificate revocation status is checked through the OCSP service, so the OCSP responder must be reachable from the Grid for logins to succeed.

By default, NIOS looks up the authenticated user among its local users. You can instead enable remote lookup of user membership by choosing an Active Directory authentication service and specifying the username and password that NIOS uses to bind to it; the password must not be empty. For more information, see Authenticating Admins Using Two-Factor Authentication.