NetMRI uses internal and external authentication systems to control user authentication for performing all administrative tasks. For a simple rollout, you can use the NetMRI local authentication database, which is called the local authentication service, where all user accounts and login information are contained within the appliance. You can also link NetMRI to an external Active Directory, RADIUS, TACACS+, LDAP, SAML, or OCSP authentication server or server group in the enterprise network to perform user authentication and authorization for NetMRI tasks, using the same user roles and privileges defined on the local NetMRI system. Doing so requires creating new authentication services in NetMRI.

Use the Authentication Services Settings page (Settings icon –> General Settings –> Authentication Services) to configure authentication server settings.

Configuring NetMRI External Authentication

Note

The root Admin account is authenticated only through the NetMRI local authentication database. Other administrator accounts can be authenticated and authorized against an external server.


If you define one or more authentication servers under Authentication Services Settings, NetMRI uses the account information from those servers in the order given by priority to accept or reject a given username and password. The only exception is the admin account, which is always validated using the Local Database. NetMRI can be accessed by the system administrator even when authentication servers are down or cannot be accessed by the appliance.

You can disable the local authentication service, in which case only the primary Admin account will be locally authenticated. You can also change the priority level of the Local service, which affects the order in which the local service will be activated for authentication requests. For some applications, retaining the Local service as the highest priority is recommended.

You can also enable multiple server groups of different types to authenticate and authorize users. Each server group, whether LDAP, AD, RADIUS, TACACS+, SAML, or OCSP, and the mapping between the remote user groups with the local NetMRI roles, is referred to as an authentication service. You configure each authentication service to use a group of one or more authentication servers.

For NetMRI user accounts, you define roles and privileges locally in the NetMRI appliance. All user account roles and privileges remain local to the NetMRI appliance and are not directly defined on the RADIUS, TACACS+, LDAP, AD, SAML, or OCSP server. For information about user Roles and Privileges, see Creating Admin and User Accounts. The external server is used for authentication of the user account. Authorization functions are tied to the assignments between the remote user group names and the NetMRI Roles in the desired NetMRI device groups.

The following figure illustrates the authentication and authorization process for users authenticated by remote servers. In the example, two authentication services are configured, a RADIUS service and an Active Directory service. When an admin logs in with a user name and password, NetMRI uses the service configured with the highest Priority setting to authenticate the admin. If authentication fails, NetMRI tries the next highest-priority service, and so on. For each service, it tries each authentication server in the order given by their priority, until one succeeds or all services fail, including the local authentication service. If all services fail to authenticate the login attempt, NetMRI denies access and generates an error notification.

If authentication succeeds, NetMRI tries to match the user's group names received from the remote server to those assigned to the local roles and device groups defined in the authentication service properties. If it finds a match, the NetMRI appliance applies the privileges of these roles in the specified device groups to the authenticated user. If the appliance does not find a match, it denies access.

Note

When a new user is authenticated and authorized through one of the remote services, NetMRI automatically creates the new account locally on the appliance and learns the Roles and device group assignments from the remote service. If there happens to be an established local user account, and the account login is authenticated and authorized by an external service, NetMRI will update its local profile to reflect the Roles and device group assignments granted by the last external authorization.

An admin can use an account's Force Local Authentication setting to prevent a user account from being authenticated and authorized by an external service. This requires the Local authentication service to be the highest-priority service. For information, see User Administration in NetMRI and its subsections.
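The ordered flow described above (services consulted by priority, each server in a service tried by its own priority, the admin account and any Force Local Authentication account validated only locally, and remote groups mapped to local roles and device groups) is easy to get wrong when reasoning about which service ends up deciding a login. The following Python model is an added example written for this page, not NetMRI code; every service, server, account, password and group name in it is constructed, and the behaviour follows the text above (a first authenticating service whose groups match nothing denies access rather than falling through).

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# A server check returns the user's remote group names on success, or None
# when that server rejects the credentials or cannot be reached.
ServerCheck = Callable[[str, str], Optional[list]]


@dataclass
class Service:
    name: str
    priority: int                                       # 1 = consulted first
    servers: list                                       # [(server priority, ServerCheck), ...]
    remote_groups: dict = field(default_factory=dict)   # group -> [(role, {device groups}), ...]
    enabled: bool = True
    authorization: bool = True
    is_local: bool = False


@dataclass
class Decision:
    granted: bool
    service: Optional[str] = None
    roles: dict = field(default_factory=dict)           # role -> set of device groups
    reason: str = ""


# Constructed local database: credentials and role/device-group assignments.
LOCAL_CREDENTIALS = {"admin": "constructed-admin-pw", "jsmith": "constructed-pw"}
LOCAL_PROFILES = {"admin": {"SysAdmin": {"All Devices"}}, "jsmith": {"Viewer": {"Core"}}}


def local_check(user, pw):
    return [] if LOCAL_CREDENTIALS.get(user) == pw else None


def login(services, username, password, force_local=False):
    """Walk enabled services by priority; the first server that authenticates decides."""
    candidates = sorted((s for s in services if s.enabled), key=lambda s: s.priority)
    # The admin account, and any account flagged Force Local Authentication,
    # is validated against the local database only.
    if username == "admin" or force_local:
        candidates = [s for s in candidates if s.is_local]
    for svc in candidates:
        for _, check in sorted(svc.servers, key=lambda t: t[0]):
            groups = check(username, password)
            if groups is None:
                continue                    # rejected or unreachable: next server, then next service
            if svc.is_local or not svc.authorization:
                # Roles come from the local account; with authorization disabled the
                # remote server only checked the password.
                profile = LOCAL_PROFILES.get(username)
                if not profile:
                    return Decision(False, svc.name, reason="no local roles for user")
                return Decision(True, svc.name, roles=profile)
            roles = {}
            for g in groups:
                for role, device_groups in svc.remote_groups.get(g, []):
                    roles.setdefault(role, set()).update(device_groups)
            if not roles:
                return Decision(False, svc.name, reason="no remote group maps to a local role")
            LOCAL_PROFILES[username] = roles    # account is created/updated locally
            return Decision(True, svc.name, roles=roles)
    return Decision(False, reason="all services failed to authenticate")


# Constructed remote servers: the first RADIUS server is unreachable.
def unreachable(user, pw):
    return None

RADIUS_USERS = {"rjones": ("constructed-pw", ["netops"])}
AD_USERS = {"tmiller": ("constructed-pw", ["sales"])}

def radius_secondary(user, pw):
    entry = RADIUS_USERS.get(user)
    return entry[1] if entry and entry[0] == pw else None

def ad_check(user, pw):
    entry = AD_USERS.get(user)
    return entry[1] if entry and entry[0] == pw else None

SERVICES = [
    Service("Local", 1, [(1, local_check)], is_local=True),
    Service("Corp RADIUS", 2, [(1, unreachable), (2, radius_secondary)],
            remote_groups={"netops": [("NetworkAdmin", {"Core", "Edge"})]}),
    Service("Corp AD", 3, [(1, ad_check)],
            remote_groups={"netmri-admins": [("SysAdmin", {"All Devices"})]}),
]

if __name__ == "__main__":
    for user, pw in [("admin", "constructed-admin-pw"), ("rjones", "constructed-pw"),
                     ("tmiller", "constructed-pw"), ("nobody", "x")]:
        print(user, login(SERVICES, user, pw))
```

Running it shows the three outcomes the text describes: rjones is accepted by the second RADIUS server and gains a local profile, tmiller authenticates against AD but is denied because the sales group maps to no role, and an unknown user falls through every service.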

Defining Authentication Services

In all cases, configuring authentication protocols for the NetMRI appliance requires creating one or more authentication services from the Settings icon –> General Settings –> Authentication Services page:

  • Local: The appliance's local user account authentication database, containing user login verification, Role and privilege assignments, and device group assignments. The Local service is the default and cannot be removed from the system. If no other services are available, users will be prompted to log in using local credentials, which must also be configured by the administrator on the NetMRI appliance. For many deployments, the Local service should always be kept as the highest-priority service.
  • Active Directory: Allows NetMRI to use an Active Directory server or servers for external admin account verification and remote group authorization.
  • LDAP: Enables NetMRI to use a Lightweight Directory Access Protocol server or servers for external admin account verification and remote group authorization.
  • RADIUS: Allows NetMRI to use a RADIUS server or servers for external admin account verification and remote group authorization.
  • TACACS+: Allows NetMRI to use a TACACS+ server or servers for external admin account verification and remote group authorization.
  • SAML: Enables NetMRI to use a SAML server to authenticate users with their organization's single-sign-on.
  • OCSP: Allows the verification of client CA certificates.

The following information is in the Authentication Services table:

  • Priority: The priority in the services list by which the service will be used by NetMRI. By default, the Local service retains the priority level of 1, placing it first in the Services list.
  • Name: The name of the service, defined by the administrator.
  • Service: The authentication service type, which may be Local, Active Directory, LDAP, RADIUS, TACACS+, SAML, or OCSP.
  • Status: This field will show Active or Disabled. Services are disabled or enabled by user choice or automatically if no authentication server is defined for the service.
  • Authorization: This field will show Active or Disabled. The authorization capability is disabled or enabled by user choice, or is disabled automatically if the service does not have a remote group assigned to the local Roles that are defined on NetMRI. When authorization is disabled, the user must be defined locally and associated with Roles and device groups on the appliance, but their login credentials will be checked by the remote server.
  • Description: A description for the service, defined by the administrator.

The following sections describe each authentication and authorization services configuration.

Authenticating Users Using AD (Active Directory)

Active Directory™ (AD) is a Microsoft-proprietary distributed directory service based on LDAP, which serves as a repository for user information. The NetMRI appliance can authenticate user accounts by verifying user names and passwords against an Active Directory server. NetMRI can use the AD authentication service to query the AD domain controller for the user's group membership information. NetMRI then matches the group names from the domain controller with the group names in its authentication service properties. It authorizes services and grants the administrative roles and privileges for the remote user groups assigned to its local roles and the specified device groups.

The Active Directory schema is predefined for User and Group entries, which means that in NetMRI, you only need to specify the Domain of the AD server, along with its IP address.

Active Directory Service Configuration

Configuring AD services requires knowledge of the following key values:

  • The Active Directory Domain.
  • Whether to use anonymous or verified (Authenticated) Authentication between NetMRI and the AD server.
  • An SSL certificate from the AD server if one is required.
  • The IP address of the AD server.
  • The port number (normally, you will retain the default).
  • The names of the remote groups on the AD server containing the users intended to log in to the NetMRI appliance.

To configure an Active Directory authentication service for NetMRI, complete the following:

  1. Go to the Settings icon –> NetMRI Settings section –> Authentication Services page.
  2. Click New to add a new authentication service. The Add Authentication Service dialog opens.
  3. Enter the Name and Description.
  4. Set the Priority and Timeout of the AD service. Lower Priority values are consulted first (a service with Priority "3" is tried after one with Priority "1"), so set the Priority to 1 if the AD service is planned to be the first of two or more authentication options.
  5. Choose Active Directory as the Service Type. The Service Specific Information pane updates to show the required AD settings.
  6. Enter the AD Domain value for the new AD service (example: engineering.corp100.com).
  7. Click Save.
  8. If desired, click Disable service (this completely disables the service, but does not change or delete any settings) or Disable authorization. Disabling authorization prevents the new service from performing any group searches but still allows basic authentication of user accounts from the Active Directory server; in that case the user accounts must be defined locally on the appliance.

To configure the authentication service's Active Directory servers, complete the following:

  1. Click the Servers tab.
    1. Click Add to add Active Directory servers to the service. The Add Authentication Server dialog opens.
    2. Enter the Host/IP Address.
    3. Choose the Encryption Type: None or SSL. For information, see Using a Certificate File for an LDAP or AD Service. In the Encryption field, if you select SSL, the Authentication Port field changes its value to match the SSL protocol.
    4. If using SSL, choose the certificate from the Certificate drop-down list. The certificate can be loaded into NetMRI from the server that issued it.

      Note

      When configuring authentication using Active Directory with SSL encryption, a fully qualified domain name (FQDN) is required for the Server Name or IP address field in the Add Active Directory Server dialog.

    5. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which the servers in the service are queried by NetMRI.
    6. If necessary, enter the Port value. The default TCP port for AD is 636 with SSL encryption and 389 for unencrypted communication.
    7. Click Save to save your configuration.
    8. Click Cancel to close the dialog.

To assign the AD service's remote groups with NetMRI's local roles, complete the following:

  1. Click the Remote Groups tab.
    1. In the Remote Group field, enter the name of an AD server's remote group.
    2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
    3. Check the check boxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow selection of individual device groups.
    4. Click OK to complete the configuration.
    5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
  2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

Importing the AD Server Certificate

If the Active Directory server authentication uses SSL, upload the Active Directory server's CA certificate to NetMRI. See the following for directions:

  1. Open the Settings icon –> General Settings –> Security page and click the CA Certificates tab.
  2. Click Import.
  3. In the pop-up window, enter a descriptive name for the certificate and click Browse to locate the Active Directory server's CA certificate.
  4. Click Import to import the CA certificate to NetMRI.

Authenticating Users Using LDAP

LDAP (Lightweight Directory Access Protocol) is an internet protocol for accessing distributed directory services. NetMRI can authenticate and authorize admin accounts by verifying user names and passwords against the directory in LDAP. The directory service is an information storage model where all information is a collection of entries arranged in a hierarchical tree-like structure called a Directory Information Tree (DIT). Each entry in the directory consists of a set of attributes that each describe an information type, such as a network domain, country, company, organization, person, and so on. All entries have a globally unique Distinguished Name (DN) that typically represents a path to that entry in the directory tree. You use values called Base DNs in your LDAP service configuration to navigate the directory structure and locate your user accounts for authentication and authorization.

NetMRI queries the LDAP server for the user account's group membership information. The appliance matches the remote group names from the LDAP server with the group names in its local database. NetMRI then authorizes services and grants the admin privileges, based upon the matching admin group on the appliance.

LDAP Authentication Service Configuration

Configuring LDAP authentication services requires knowledge of the following key values:

  • Base distinguished name (Base DN).
  • The User attribute.
  • The Group attribute.
  • Whether to use anonymous or verified (Authenticated) authentication between NetMRI and the LDAP service.
  • Bind User DN and Bind Password (if known; otherwise anonymous).
  • The Search Level (One Level, Base, or Subtree. Subtree is the default).
  • The names of the remote groups on the LDAP server containing the users intended to log in to the NetMRI appliance.

To configure an LDAP authentication service for NetMRI, complete the following:

  1. Go to the Settings icon –> NetMRI Settings section –> Authentication Services page.
  2. Enter the Name and Description.
  3. Set the Priority and Timeout of the LDAP service.
  4. Choose LDAP as the Service Type. The Service Specific Information pane updates to show the required LDAP settings.
  5. Enter the Base DN value for the new LDAP service (example: ou=management, dc=corp100, dc=com). Users' definitions may be split between two or more Base DNs, so be aware of how the directory service is structured.
  6. Enter the User Attribute. This will typically be cn for 'common name,' which is one of the components of the LDAP Distinguished Name attribute.
  7. Enter the Group Attribute, which will typically be specified as memberOf for NetMRI. This attribute records the group membership in the LDAP tree for individual user accounts. NetMRI uses it to retrieve the LDAP group names to which the users belong. The LDAP group is then mapped to a NetMRI user group (see the Remote Groups tab).
    Example:

      ldapsearch -x -LLL -H ldap:/// -b uid=myuser,ou=people,dc=qanet,dc=com dn memberof

      dn: uid=myuser,ou=people,dc=qanet,dc=com
      memberof: cn=mygroup,ou=groups,dc=qanet,dc=com

    You must use the memberOf overlay or a similarly behaving overlay to define the membership.

  8. Choose the Search Level, which determines how far the LDAP service searches in the directory tree. The Subtree value is the default and can be retained for most applications. The options are as follows:
     • One Level: Searches the directory entries immediately below the base object.
     • Base: Searches only the base object.
     • Subtree: Searches the whole directory tree below and including the base object. This is the default.
  9. Choose the Authentication, which can be either Anonymous or Authenticated. For more information, see Server Authentication: Anonymous vs. Authenticated.
     a. If the setting is Authenticated, enter the Bind User DN (this is a core value defined on the LDAP server).
     b. Enter the Bind Password, which is associated with the Bind user for the server.

     Note

     Many LDAP services may not allow the use of the Bind User DN and Bind Password values, requiring the use of anonymous authentication for LDAP queries.

  10. Click Save.
  11. If desired, click Disable service (this completely disables the service but does not change or delete any settings) or Disable authorization (this disables the new service from performing any group searches but allows basic authentication of user accounts from the LDAP server).
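Step 7 above shows memberOf values as full group DNs, while the connection test later on this page reports short names such as 'administrators' and 'dev'. The following Python is an added example, not NetMRI code, showing how a memberOf result like the ldapsearch output in step 7 is turned into the short group names that are compared with the Remote Groups configured on the service. The LDIF sample is constructed and deliberately covers the cases that trip up a naive parser: a value folded across two lines, a base64-encoded value (the '::' form), and a group whose common name contains an escaped comma. Whether NetMRI itself compares names case-sensitively is not stated on the page, so the matching here is exact.

```python
import base64

# Constructed ldapsearch-style LDIF output for one user (not from the page).
SAMPLE_LDIF = (
    "dn: uid=myuser,ou=people,dc=qanet,dc=com\n"
    "memberof: cn=mygroup,ou=groups,dc=qanet,dc=com\n"
    "memberOf: cn=netadmins,ou=grou\n"            # folded: continuation on next line
    " ps,dc=qanet,dc=com\n"
    "memberof:: " + base64.b64encode(b"cn=dev,ou=groups,dc=qanet,dc=com").decode() + "\n"
    "memberof: cn=ops\\, east,ou=groups,dc=qanet,dc=com\n"   # escaped comma in the CN
)


def unfold(text):
    """Join LDIF continuation lines (those starting with one space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entry(text):
    """Return {attribute name (lower-cased): [values]} for one LDIF entry."""
    attrs = {}
    for line in unfold(text):
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def rdn_value(dn):
    """Value of the first RDN, e.g. 'mygroup' from 'cn=mygroup,ou=groups,...'.
    A backslash escapes the following character, so an escaped comma stays in the value."""
    _, _, rest = dn.partition("=")
    out = []
    i = 0
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            out.append(rest[i + 1])
            i += 2
            continue
        if ch == ",":
            break
        out.append(ch)
        i += 1
    return "".join(out)


def group_names(entry, group_attribute="memberOf"):
    """Short group names read from the configured Group Attribute (memberOf by default)."""
    return [rdn_value(dn) for dn in entry.get(group_attribute.lower(), [])]


def matching_groups(groups, remote_groups):
    """Groups for which a Remote Group entry exists on the NetMRI authentication service."""
    return [g for g in groups if g in remote_groups]


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_LDIF)
    print(group_names(entry))                                   # -> ['mygroup', 'netadmins', 'dev', 'ops, east']
    print(matching_groups(group_names(entry), {"netadmins", "dev"}))   # -> ['netadmins', 'dev']
```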

To configure the authentication service's LDAP servers, complete the following:

  1. Click the Servers tab.
    1. Click Add to add LDAP servers to the service. The Add Authentication Server dialog opens.
    2. Enter the Host/IP Address.
    3. Choose the Encryption Type: None or SSL. For more information, see Using a Certificate File for an LDAP or AD Service.
    4. If using SSL, choose the certificate from the Certificate drop-down list. The certificate must be loaded into NetMRI.
    5. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which the servers in the service are queried by NetMRI.
    6. If necessary, enter the Port value. LDAP's default TCP application port is 389.
    7. If necessary, choose the LDAP version. The default is V3. You may choose V2 if the LDAP server supports only that version.
    8. Click Save to save your configuration.
    9. Click Cancel to close the dialog.

To assign the LDAP service's remote groups with NetMRI's local roles, perform the following:

  1. Click the Remote Groups tab.
    1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
    2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
    3. Check the check boxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow selection of individual device groups.
    4. Click OK to complete the configuration.
    5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
  2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

Using a Certificate File for an LDAP or AD Service

NetMRI-to-LDAP and NetMRI-to-Active Directory server connections can use a current SSL certificate loaded from a .PEM file. See the section NetMRI Security Settings for the process of adding SSL certificates to NetMRI. After being loaded into NetMRI, the certificate automatically appears in the authentication server's Certificate drop-down menu, and the connection test uses it.

An LDAP connection test shows the following:

Username: ******
Password:******
Process Started
2015-05-01 17:41:59 ------------------------------------------------------
2015-05-01 17:41:59 +++ BEGIN testing access to authentication servers +++
2015-05-01 17:41:59 +++ LDAP connection: username='jsmith', address='ldaps://172.16.23.2', port='636', certPath='/var/local/netmri/certs/ca_repo/1430516467.501615.pem', version ='', timeout='5' +++
2015-05-01 17:41:59 Anonymous bind
2015-05-01 17:41:59 Authentication successful.
2015-05-01 17:41:59 Authenticate user 'cn=jsmith,ou=People,dc=corp100,dc=com' with 'inet6 => Y'...
2015-05-01 17:41:59 Authentication successful.
2015-05-01 17:41:59 Groups: ['administrators', 'dev']
2015-05-01 17:41:59 +++ END testing access to authentication servers +++
2015-05-01 17:41:59 ------------------------------------------------------
Authentication Test Completed

If you set the Encryption menu to None, the Certificate option remains unavailable, and authentication tests will show a blank certPath value in the test output.

Server Authentication: Anonymous vs. Authenticated

If you have a provisioned Bind User DN (Distinguished Name) and Bind Password for the LDAP service, perhaps for a power user, or in cases where anonymous access is not granted by policy, you can use those values to provide another level of security between NetMRI and the servers comprising the LDAP service.

An anonymous bind takes place as follows:

2015-05-01 17:41:59 Anonymous bind
2015-05-01 17:41:59 Authentication successful.

An authenticated bind, using the correct Bind User DN and Bind Password appears as follows:

2015-05-01 18:23:06 Authenticate 'cn=root,dc=infoblox,dc=com'
2015-05-01 18:23:06 Authentication successful.

Authenticating Users Using RADIUS

RADIUS (Remote Authentication Dial-In User Service) provides authentication, accounting, and authorization functions, through a communications stream between clients and a dedicated server. NetMRI directly supports authentication and authorization using FreeRADIUS. Other widely used RADIUS implementations include GNU RADIUS and Microsoft IAS. RADIUS provides all user authentication in a single centralized database. After users are verified, they have access to any NetMRI administrative function permitted for their account.

RADIUS Service Configuration

Configuring the RADIUS Service requires knowledge of the following key values:

  • The Infoblox Vendor ID, 7779.
  • The specific Vendor Attribute, 10.
  • The IP address of the RADIUS server.
  • The shared secret for authenticating the NetMRI appliance on the RADIUS server.
  • The port number. Normally, you will retain the default value of 1812.
  • The names of the remote groups on the RADIUS server containing the users intended to log in to the NetMRI appliance.

To configure a RADIUS authentication service for NetMRI, perform the following:

  1. Go to the Settings icon –> NetMRI Settings section –> Authentication Services page.
  2. Click New to add a new authentication service. The Add Authentication Service dialog opens.
  3. Enter the Name and Description.
  4. Set the Priority and Timeout of the new RADIUS service.
  5. Choose RADIUS as the Service Type. The Service Specific Information pane updates to show the required RADIUS settings.
  6. Retain the defaults for the Infoblox Vendor ID (set to 7779) and the Vendor Attribute ID (set to 10). These values are required for operation with any RADIUS server. These values may be set differently but must also be defined in the RADIUS dictionary file.

Note

You can change the Infoblox Vendor ID and Vendor Attribute values in your configuration, but ensure that you declare the same value in the external dictionary file on the RADIUS server. Infoblox recommends retaining the default values.

To configure the authentication service's RADIUS servers, do the following:

  1. Click the Servers tab.
    1. Click Add to add RADIUS servers to the service. The Add Authentication Server dialog opens.
    2. Enter the Host/IP Address.
    3. Choose the Shared Secret for the RADIUS server.
    4. If necessary, enter the Port value. RADIUS's default UDP application port is 1812.
    5. Click Save to save your configuration.
    6. Click Cancel to close the dialog.

To assign the RADIUS service's remote groups with NetMRI's local roles, perform the following:

  1. Click the Remote Groups tab.
    1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
    2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
    3. Check the check boxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow selection of individual device groups.
    4. Click OK to complete the configuration.
    5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
  2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

Configuration of RADIUS Server Attributes, Users, and Group Definitions

The RADIUS server or servers require the following additional configurations to inter-operate with NetMRI:

  • An entry on the RADIUS server that allows NetMRI to access the RADIUS server.
  • Edits to the dictionary file.
  • A new RADIUS attribute that identifies the group names.

When you configure your RADIUS server files to support the Infoblox attributes, you can use modifiable RADIUS service parameters to support Infoblox features. On a basic level, the Infoblox Vendor ID (7779) and Vendor Attribute ID (10) values reflected in the following example should not be changed. Other RADIUS service parameters and attributes are described in this section. All examples use FreeRADIUS syntax, but many other RADIUS server types follow similar principles.

You must configure the RADIUS server to allow the NetMRI connection. To do so, the administrator adds the appliance IP address to the configuration and defines a shared secret. In the case of FreeRADIUS, you add an entry in the /etc/raddb/clients.conf file. The following example shows IPv4 and IPv6 entries:

#Allow NetMRI
client 172.16.1.23/24 {
    secret = #$*&@#$!
    shortname = netmri
}

client 2001::db8:56ff:feb8:875c/96 {
    secret = #$*&@#$!
    shortname = ipv6_netmri
}

The FreeRADIUS server uses a primary dictionary file in its main /etc/raddb directory. A reference to an external dictionary file, such as dictionary.infoblox, should be added as follows:

$INCLUDE            dictionary.infoblox

You can declare the custom attribute using any name, but references must be consistent in the rest of the server configuration files that you create.

To support the custom dictionary, create a new text file named dictionary.infoblox in the /etc/raddb directory, containing the following Vendor ID value and attribute ID number:

#  Add a new vendor and specific attribute to store the group value, and add into the answering Access-Accept packet
VENDOR infoblox 7779
ATTRIBUTE      NA-group-info           10             string infoblox

This declaration in the new dictionary file supports the default values that are reflected in the Add Authentication Service dialog in NetMRI when you configure a new RADIUS service. As previously noted, you can use whichever values you want, but those values must be correctly applied throughout the configuration.

Finally, for a query from the NetMRI appliance about a valid user/password, the RADIUS administrator must ensure that the response contains the 'na-group-info' attribute with the names of the groups of which the user is a member.
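The Vendor ID (7779) and Vendor Attribute ID (10) declared in dictionary.infoblox are what NetMRI uses to pick its group attribute out of the Vendor-Specific attribute (RADIUS attribute type 26, RFC 2865) in the Access-Accept reply. The following Python is an added example, not NetMRI or FreeRADIUS code, that encodes and decodes that attribute so you can see what the dictionary values correspond to on the wire and why they must match on both sides. The reply attribute list is constructed; the other-vendor id (9) and the Reply-Message text are sample values. How several group names are packed (one attribute instance per group, as here, or one delimited string) is not specified on the page, so the decoder simply returns every NA-group-info value it finds.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute type
INFOBLOX_VENDOR_ID = 7779   # Infoblox Vendor ID from the page
NA_GROUP_INFO = 10          # Vendor Attribute ID from dictionary.infoblox


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute: type 26, length, 4-byte vendor id,
    then the vendor sub-attribute (type, length, value)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a one-octet length field")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(data):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting length
    fields that run past the buffer instead of reading out of bounds."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length out of range")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def group_info(attributes, vendor_id=INFOBLOX_VENDOR_ID, vendor_type=NA_GROUP_INFO):
    """Collect every NA-group-info value carried in Vendor-Specific attributes of
    the given vendor; attributes of other vendors or other types are ignored."""
    values = []
    for atype, value in iter_attributes(attributes):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        sub, pos = value[4:], 0
        while pos < len(sub):
            if len(sub) - pos < 2:
                raise ValueError("truncated vendor sub-attribute")
            stype, slen = sub[pos], sub[pos + 1]
            if slen < 2 or pos + slen > len(sub):
                raise ValueError("vendor sub-attribute length out of range")
            if stype == vendor_type:
                values.append(sub[pos + 2:pos + slen].decode("utf-8"))
            pos += slen
    return values


# Constructed Access-Accept attribute list: two NA-group-info values, a
# Vendor-Specific attribute of another vendor id and a standard Reply-Message
# (type 18), all of which the decoder has to tell apart.
SAMPLE_REPLY_ATTRIBUTES = (
    encode_vsa(INFOBLOX_VENDOR_ID, NA_GROUP_INFO, b"netops")
    + encode_vsa(9, 1, b"constructed-other-vendor")
    + struct.pack("!BB", 18, 2 + len(b"welcome")) + b"welcome"
    + encode_vsa(INFOBLOX_VENDOR_ID, NA_GROUP_INFO, b"dev")
)

if __name__ == "__main__":
    print(group_info(SAMPLE_REPLY_ATTRIBUTES))   # -> ['netops', 'dev']
```

If the Vendor ID or Vendor Attribute ID configured in the NetMRI service differs from the values in dictionary.infoblox, the reply still authenticates the user but the group values are skipped, which is exactly the "authenticated but no matching remote group" failure described elsewhere on this page.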

Authenticating Users Using TACACS+ (T+)

You can configure NetMRI to authenticate admins against TACACS+ (Terminal Access Controller Access-Control System Plus, or T+) servers. TACACS+ provides separate authentication, authorization, and accounting services. NetMRI provides support only for authentication and authorization capabilities. To ensure reliable delivery, T+ uses TCP as its transport protocol, and to ensure confidentiality, all protocol exchanges between the T+ server and its clients are encrypted. This section assumes that AAA administrators understand the details of TACACS+ configuration and therefore presents only simple examples.

To support TACACS+ authentication and authorization through NetMRI, you configure a custom service, infoblox, on the T+ server, and then define the user names and group names in the infoblox service's custom attribute na-group. These services and attributes can be named differently according to preference. We use these values by convention in this document.

Ensure that you apply each user group to the custom service infoblox (or however you choose to name the custom service). On NetMRI, you add the remote groups with the same names to the authentication service. When the TACACS+ server responds to an authentication and authorization request relayed from NetMRI and the response includes the na-group custom attribute, NetMRI matches the group name with the group in the authentication service and automatically assigns the admin to that group.

If you use T+ only for authentication, the user accounts must all be defined in NetMRI with the User IDs matching the declared values on the T+ server. These accounts must be locally configured on NetMRI with the roles assigned to their specified device groups.

If you use T+ for both authentication and authorization, and the configurations are done in the T+ server configuration file, the successfully authenticated and authorized users will be dynamically created in NetMRI with the roles defined through the configurations in the Authentication Service configured in NetMRI.

TACACS+ (T+) Service Configuration

User authentication support in TACACS+ requires each user account to be defined in NetMRI with their defined User ID matching their declared value on the TACACS+ server.

For authorization settings, the T+ configuration file contains the group definitions and the relationships of each user account to those groups.

Configuring the TACACS+ Service requires knowledge of the following key values:

  • The na-group-info group attribute value defined for NetMRI in the TACACS+ configuration.
  • The IP address of the TACACS+ server.
  • The shared secret for authenticating the NetMRI appliance on the TACACS+ server.
  • The port number. Normally, you will retain the default value 49.
  • The names of the remote groups on the TACACS+ server containing the users intended to log in to the NetMRI appliance.

On NetMRI, for the TACACS+ authentication service, you define remote groups with the same names (test_admin_group, for example – the group names could be any preferred text string), and the roles these users can have in the specified device groups. When the TACACS+ server responds to an authentication and authorization request relayed from NetMRI, the response includes the group name. If NetMRI does not find a matching remote group in the authentication service, it will not allow the user to log in and will try the following service in its authentication services list.

To configure a TACACS+ authentication service for NetMRI, complete the following:

  1. Ensure that all user accounts are defined with their necessary roles in NetMRI.
  2. Go to the Settings icon –> NetMRI Settings section –> Authentication Services page.
  3. Enter the Name and Description.
  4. Set the Priority and Timeout values.
  5. Choose TACACS+ as the Service Type. The Service Specific Information panel updates to show the required TACACS+ settings.
  6. Enter the Service Name and Group Attribute.
  7. Test NetMRI user account settings by entering the User Name and Password and clicking Test. A successful test returns the list of user roles defined in NetMRI for the test user.

Note

If the authentication server or its shared secret is incorrect, the message "Unable to get access information" will appear.


If the test user name or password is incorrect, access is rejected. Access is also rejected if no NetMRI Role is defined for the test user on the NetMRI system.

  8. You can select to use TACACS+ only for authentication. In such cases, check the Disable authorization check box.
  9. If you wish to disable the current service, check the Disable service check box.

To configure the authentication service's TACACS+ servers, complete the following:

  1. Click the Servers tab.
  2. Click Add to add TACACS+ servers to the service. The Add Authentication Server dialog opens.
  3. Enter the Host/IP Address.
  4. Enter the Shared Secret for the server.
  5. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which the servers in the service are queried by NetMRI. A lower number denotes a higher priority. "1" is the highest possible priority. Only one server should have a "1" priority.
  6. If necessary, enter the Port value. The TACACS+ default application port is 49.
  7. Click Save to save your configuration.
  8. Click Cancel to close the dialog.

To assign the TACACS+ service's remote groups with NetMRI's local roles, complete the following:

  1. Click the Remote Groups tab.
  2. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).
  3. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.
  4. Check the check boxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow selection of individual device groups.
  5. Click OK to complete the configuration.
  6. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.
  7. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

Subsequent login attempts are authenticated using the defined authentication servers, except for the admin user account.
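
The following Python script is an added illustration (not NetMRI's own code) of the three TACACS+ behaviours described above: the group attribute (na-group-info) carried in the server's authorization reply, the remote-group-to-role mapping of an authentication service, and the fall-through to the next service in priority order when no remote group matches. It also orders a service's servers by their priority value, lowest number first. The service names, server addresses, the "Operator" role and the reply contents are constructed sample data; SysAdmin is the only role name taken from the page.

```python
"""Resolve a TACACS+ authorization reply into NetMRI roles (added example, not NetMRI code)."""

# TACACS+ attribute-value pairs are "attr=value" for mandatory attributes and
# "attr*value" for optional ones (RFC 8907). The first separator wins, so a
# value may itself contain "=" or "*".
def parse_av_pairs(pairs):
    """Return {attribute: (value, is_mandatory)} for a list of AV-pair strings."""
    out = {}
    for pair in pairs:
        positions = [i for i in (pair.find("="), pair.find("*")) if i >= 0]
        if not positions:
            raise ValueError(f"malformed AV pair: {pair!r}")
        idx = min(positions)
        attr, sep, value = pair[:idx], pair[idx], pair[idx + 1:]
        out[attr] = (value, sep == "=")
    return out


# Constructed authentication services, as they would be entered in the
# Authentication Services page: service priority, the group attribute name,
# the remote-group-to-role mapping, and the servers with their own priorities.
SERVICES = [
    {"name": "corp-tacacs", "priority": 1, "group_attribute": "na-group-info",
     "remote_groups": {"test_admin_group": ["SysAdmin"]},
     "servers": [{"host": "203.0.113.10", "port": 49, "priority": 2},
                 {"host": "203.0.113.11", "port": 49, "priority": 1}]},
    {"name": "lab-tacacs", "priority": 2, "group_attribute": "na-group-info",
     "remote_groups": {"lab_ops": ["Operator"]},   # "Operator" is a hypothetical role name
     "servers": [{"host": "203.0.113.20", "port": 49, "priority": 1}]},
]


def server_order(service):
    """Hosts in the order they are queried: lowest priority number first, "1" highest."""
    servers = sorted(service["servers"], key=lambda s: s["priority"])
    if sum(1 for s in servers if s["priority"] == 1) > 1:
        raise ValueError("only one server in a service should carry priority 1")
    return [s["host"] for s in servers]


def authorize(replies, services=SERVICES):
    """Walk the services in priority order and return (service name, roles).

    `replies` maps a service name to the AV pairs its TACACS+ server returned, or
    to None when authentication failed or no server answered. A service whose
    reply names a group that is not among its remote groups is skipped, and the
    next service is tried; None means every service rejected the user.
    """
    for service in sorted(services, key=lambda s: s["priority"]):
        pairs = replies.get(service["name"])
        if pairs is None:
            continue
        group = parse_av_pairs(pairs).get(service["group_attribute"])
        if group is None:
            continue
        roles = service["remote_groups"].get(group[0])
        if roles:
            return service["name"], list(roles)
    return None


if __name__ == "__main__":
    print(server_order(SERVICES[0]))
    print(authorize({"corp-tacacs": ["priv-lvl=15", "na-group-info=test_admin_group"]}))
    print(authorize({"corp-tacacs": ["na-group-info=unknown_group"],
                     "lab-tacacs": ["na-group-info=lab_ops"]}))
```

A reply that authenticates the user but carries a group name NetMRI has not mapped is treated the same as a failed login for that service, which is why the remote group names on both sides must match exactly.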

Authenticating Users Using SAML

NetMRI uses the SAML (Security Assertion Markup Language) 2.0 authentication type for Single Sign-On. SAML provides a standard, vendor-independent grammar and protocol for transferring information about a user from one web server to another, independent of the servers' DNS domains. By enabling SAML, user management is delegated to an external application, which relieves IT administrators of the complexity of maintaining user accounts in every application (also known as a Service Provider) used by the organization. Instead, IT administrators maintain one account in the Identity Provider (IDP), which can be used across Service Providers (SPs). The IDP is the application server that maintains the user accounts of the entire organization, so IT administrators can manage users' access rights in one place. Your organization's users log in to the IDP directly and, once logged in, are transferred to NetMRI as the Service Provider without being prompted for a user ID and password.

NetMRI supports the following Identity Providers:

  • Azure SSO
  • Okta
  • Ping Identity
  • Shibboleth SSO
  • Others

If the SAML authentication service is configured for your organization, the NetMRI login form displays the corresponding button under Authenticate via SSO. Clicking on the button redirects you to the Identity Provider authentication page. After successfully authenticating on the Identity Provider side, you automatically return to NetMRI. Additionally, the NetMRI SAML service supports Just-in-Time (JIT) Provisioning and Single Log Out (SLO).

When the SAML service is activated, NetMRI still provides its standard login methods. If SAML authentication is disrupted, use standard ways to log in.

Note

The NetMRI SAML service supports only SP-initiated authentication flow.

SAML Authentication Configuration

For SAML authentication, you provide specific NetMRI and IDP server information and map your organization's remote user groups to the NetMRI user roles. Groups should contain users intended to log in to NetMRI via SSO.

Prerequisites for configuring SAML authentication:

  • You have enabled ports 443 (HTTPS) and 80 (HTTP) on the firewall to allow NetMRI to communicate with the IDP SAML server.
  • In NetMRI, you have specified the eth0 main MGMT IP address in Settings -> General Settings -> Advanced Settings -> Configuration Management -> Fully Qualified Domain Name.
  • You have downloaded a valid SSL certificate and private key files from the IDP SAML server and copied them onto your SAML server. You can generate a self-signed certificate and key using OpenSSL at https://www.openssl.org/docs/manmaster/man1/openssl-req.html.
  • On the IDP SAML server, you have configured the following attributes that NetMRI expects in the SAML assertion:
NetMRI SAML Attribute Key            | SAML Attribute Value   | Description                                                  | Example
-------------------------------------|------------------------|--------------------------------------------------------------|-------------------------------
uid                                  | username               | User name as specified in the IDP user record.               | jdoe
urn:oid:1.2.840.113549.1.9.1 or mail | mail                   | The person's Email ID in the IDP user record.                | jdoe@example.com
urn:oid:2.5.4.42 or givenName        | givenName              | Given name (first name) as specified in the IDP user record. | john
urn:oid:2.5.4.4 or surname           | surname                | Surname (last name) as specified in the IDP user record.     | doe
Group Attribute                      | Custom group attribute | User's relation to the organization or group.                | memberOf, eduPersonAffiliation


To configure a NetMRI SAML authentication service, complete the following:

  1. Go to the Settings icon –> General Settings  –> Authentication Services.
  2. Click New (the plus icon). The Add Authentication Service dialog opens.
  3. Name: Enter a meaningful name for the SAML authentication service. This name will appear on the NetMRI login form. For example, Okta, Azure SSO, etc.
  4. Description: Enter a textual description for the SAML authentication service.
  5. Priority and Timeout: These settings do not apply with the SAML authentication type.
  6. Service Type: Choose SAML.
  7. In Service Specific Information, specify the following:
    • Entity ID: Enter the unique identifier of the SP entity (i.e. NetMRI) for the IDP.
    • IdP Metadata Url: Enter the IDP metadata URL.
    • IdP Group Attribute: User's relation to the organization or group. For example, memberOf.
    • IdP Certificate: Choose the certificate file.
    • Key: Choose the private key file.
  8. Disable service: By default, this setting is turned on. When you turn it off, the configured service becomes available on the NetMRI login form.
  9. Disable authorization: By default, this setting is turned on until remote groups are specified.
  10. Click Save. You can now proceed to remote groups mapping or close the window.

Once you have saved a SAML service configuration, NetMRI generates an SP Metadata link based on the data that you provided. To access the link, close the Add Authentication Service window and, in the Actions menu for the configured SAML service, select Edit. Click the SP Metadata link to open an XML document with the NetMRI metadata in a new window. Use this metadata to configure the connection between your IDP and NetMRI.

To map the SAML service’s remote groups to NetMRI local roles, complete the following:

  1. In the Add Authentication Service dialog, click the Remote Groups tab.
  2. Click New (the plus icon). The Add Remote Group dialog opens.
  3. In the Remote Group field, enter the name of a new remote users group for the SAML authentication service. The name must match the group name in the SAML server metadata. Here you map this group name to the NetMRI role(s) and device group(s).
  4. Description: Enter a textual description for the remote group.
  5. Click Save.
  6. Click Add Role and select a role from the drop-down list. For more information, see Defining and Editing Roles.
  7. In device groups: Select the check boxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow selection of individual device groups.
  8. Click OK to complete the configuration.
  9. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple roles for the remote group.
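
The Python script below is an added illustration, not NetMRI's code, of what the attribute table and the remote-group mapping above require of the IDP: it parses a constructed SAML 2.0 response, looks each NetMRI key up under either of its accepted names (the urn:oid form or the friendly name), reads the multi-valued group attribute named in the IdP Group Attribute setting, and resolves those groups against a remote-group-to-role mapping. The assertion, the group names and the "Viewer" role are constructed sample data (SysAdmin is the one role name from the page). Signature, audience and validity-period checks that a real SP must perform are outside what this example shows.

```python
"""Extract NetMRI attributes from a SAML assertion and map groups to roles (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Names NetMRI accepts for each key, tried in order (from the attribute table).
ATTRIBUTE_ALIASES = {
    "uid": ["uid"],
    "mail": ["urn:oid:1.2.840.113549.1.9.1", "mail"],
    "givenName": ["urn:oid:2.5.4.42", "givenName"],
    "surname": ["urn:oid:2.5.4.4", "surname"],
}

# Constructed sample response: mixes urn:oid and friendly names on purpose.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>john</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>netmri_viewers</saml:AttributeValue>
        <saml:AttributeValue>helpdesk</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    Note: for assertions received from the network, parse with a hardened XML
    library (e.g. defusedxml) rather than the stdlib parser used here.
    """
    root = ET.fromstring(xml_text)
    stmt = root.find(".//saml:AttributeStatement", NS)
    if stmt is None:
        raise ValueError("assertion carries no AttributeStatement")
    attrs = {}
    for attr in stmt.findall("saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def resolve_user(attrs, group_attribute):
    """Map raw attributes onto the NetMRI keys; every key in the table is required."""
    user = {}
    for key, aliases in ATTRIBUTE_ALIASES.items():
        found = next((attrs[a][0] for a in aliases if attrs.get(a)), None)
        if found is None:
            raise ValueError(f"assertion lacks required attribute {key!r} (accepted names: {aliases})")
        user[key] = found
    # The group attribute is multi-valued; every value is a candidate remote group.
    user["groups"] = list(attrs.get(group_attribute, []))
    return user


def authorize(groups, remote_groups):
    """remote_groups: {remote group name: [NetMRI role names]} as configured on the
    Remote Groups tab. Returns the roles granted; an empty list means no remote
    group matched and the login is rejected."""
    roles = []
    for group in groups:
        for role in remote_groups.get(group, []):
            if role not in roles:
                roles.append(role)
    return roles


if __name__ == "__main__":
    user = resolve_user(parse_attributes(SAMPLE_RESPONSE), "memberOf")
    print(user)
    print(authorize(user["groups"], {"netmri_viewers": ["Viewer"], "netmri_admins": ["SysAdmin"]}))
```

The alias lookup is what lets the same NetMRI service work with an IDP that emits urn:oid attribute names and one that emits friendly names; the group attribute, by contrast, must match the IdP Group Attribute setting exactly.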

Authenticating Users Using OCSP

OCSP (Online Certificate Status Protocol) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. The OCSP authentication type allows the verification of user certificates in order to increase security. You can use this authentication type for Common Access Cards (CAC).

You can configure the NetMRI OCSP authentication service to work in two ways:

  • Check user certificate for validity.
  • Check user certificate for validity and revocation.

For more information, see the next section. You can also configure the OCSP service using the cac command from the Admin Shell.
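
The two checking modes listed above correspond to two separate steps: verifying that the user certificate chains to the trusted CA certificate and is within its validity period, and then asking an OCSP responder whether that certificate has been revoked. The Python script below is an added illustration of both steps, not NetMRI's implementation, and it assumes the third-party cryptography package is installed. It generates a throwaway CA, a user certificate and CA-signed OCSP responses in memory so that it runs offline; the names and keys are constructed sample data.

```python
"""Validity check plus OCSP revocation check for a user certificate (added example)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)


def _make_cert(subject, issuer_name, pubkey, signer_key, is_ca):
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer_name).public_key(pubkey)
               .serial_number(x509.random_serial_number())
               .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(signer_key, hashes.SHA256())


def make_pki():
    """Constructed test PKI: a CA (the pre-uploaded CA certificate) and one user certificate."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = _make_cert(ca_name, ca_name, ca_key.public_key(), ca_key, True)
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "jdoe")])
    user_cert = _make_cert(user_name, ca_name, user_key.public_key(), ca_key, False)
    return ca_key, ca_cert, user_cert


def make_ocsp_response(ca_key, ca_cert, user_cert, revoked):
    """Build the signed OCSP response a responder operated by the CA would return."""
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=user_cert, issuer=ca_cert, algorithm=hashes.SHA256(), cert_status=status,
        this_update=NOW, next_update=NOW + DAY,
        revocation_time=NOW if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256())


def _verify_rsa(pubkey, signature, data, algorithm):
    try:
        pubkey.verify(signature, data, padding.PKCS1v15(), algorithm)
        return True
    except InvalidSignature:
        return False


def check_validity(user_cert, ca_cert):
    """Mode 1: the certificate was issued and signed by the CA and is inside its validity window."""
    if user_cert.issuer != ca_cert.subject:
        return False
    if not _verify_rsa(ca_cert.public_key(), user_cert.signature,
                       user_cert.tbs_certificate_bytes, user_cert.signature_hash_algorithm):
        return False
    not_before = getattr(user_cert, "not_valid_before_utc", None)
    not_after = getattr(user_cert, "not_valid_after_utc", None)
    if not_before is None:  # older cryptography releases expose naive UTC datetimes
        not_before = user_cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
        not_after = user_cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    return not_before <= NOW <= not_after


def check_revocation(response, ca_cert):
    """Mode 2: the OCSP response is signed by the trusted responder key and reports GOOD."""
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    if not _verify_rsa(ca_cert.public_key(), response.signature,
                       response.tbs_response_bytes, response.signature_hash_algorithm):
        return False
    return response.certificate_status == ocsp.OCSPCertStatus.GOOD


def authenticate(user_cert, ca_cert, response=None):
    """Validity is always checked; revocation only when an OCSP response is supplied."""
    if not check_validity(user_cert, ca_cert):
        return "rejected: certificate invalid"
    if response is not None and not check_revocation(response, ca_cert):
        return "rejected: certificate revoked or OCSP response untrusted"
    return "accepted"


if __name__ == "__main__":
    ca_key, ca_cert, user_cert = make_pki()
    print(authenticate(user_cert, ca_cert, make_ocsp_response(ca_key, ca_cert, user_cert, False)))
    print(authenticate(user_cert, ca_cert, make_ocsp_response(ca_key, ca_cert, user_cert, True)))
```

The point of signing and then verifying the OCSP response with the CA's key is that an unsigned or foreign "GOOD" answer must not be enough to admit a user, which is why the OCSP Certificate selected on the Servers tab matters as much as the responder address.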

OCSP Authentication Configuration

For OCSP authentication, you configure the service and authorization servers. This service does not use remote groups. You can add only one OCSP service instance.

Prerequisites for configuring OCSP authentication:

  • The IP address of the OCSP server.
  • The OCSP server port must be allowed.
  • A valid pre-uploaded CA certificate for the OCSP server. You upload certificates to NetMRI in Settings icon –> General Settings –> Security –> CA Certificates. For more information see NetMRI Security Settings.

To configure an OCSP authentication service, complete the following:

  1. Go to the Settings icon –> General Settings  –> Authentication Services.
  2. Click New (the plus icon). The Add Authentication Service dialog opens.
  3. Name: Enter a meaningful name for the OCSP authentication service.
  4. Description: Enter a textual description for the OCSP authentication service.
  5. Timeout: Specify the server response timeout.
  6. Service Type: Choose OCSP.
  7. Disable service: By default, this setting is turned on. When you turn it off, the configured service becomes available on the NetMRI login form. NetMRI validates that the user certificate is compliant with the CA certificate. It also performs a certificate revocation check using the OCSP server.
  8. Click Save.

You can now proceed to configuring servers as described in the next procedure.

To configure the OCSP authentication service's servers, complete the following:

  1. In the Edit Authentication Service dialog, click the Servers tab.
  2. Click New (the plus icon). The Add OCSP responder dialog appears.
  3. Enter the Host/IP Address.
  4. Priority: Choose the priority for the new server in the authentication service. In this context, the priority value determines the order in which servers are queried by NetMRI. A lower value number denotes a higher priority. "1" is the highest possible priority. Only one server should have a "1" priority.
  5. OCSP Certificate: Select a previously imported CA certificate that will be used with the request to the OCSP responder server. You can import certificates in Settings icon -> Security -> CA Certificates.
  6. Port: Specify the OCSP server port.
  7. Disable server: By default, this setting is turned off to allow NetMRI to check the user certificate for validity.
  8. Certificates: Select the required certificate chain.
  9. Click Save.
  10. Test: Click to test connection to the authentication servers.

    Note

    To additionally check the certificate for revocation, make sure to turn off the Disable service option in the Add Authentication Service dialog described in the previous procedure.

  11. Click Close.