Search

Page tree

Contents

Active Directory™ (AD) is a distributed directory service that is a repository for user information. The NIOS appliance can authenticate admin accounts by verifying user names and passwords against Active Directory. In addition, the NIOS appliance queries the AD domain controller for the group membership information of the admin. The appliance matches the group names from the domain controller with the admin groups on its local database. It then authorizes services and grants the admin privileges, based upon the matching admin group on the appliance.
The following figure illustrates the Active Directory authentication process.

Authentication Using a Domain Controller

To configure NIOS to authenticate administrators using Active Directory domain controller groups, you must first configure user accounts on the domain controller. Then, on the NIOS appliance, do the following:

  • Configure one or more AD authentication server group on the appliance and add AD domain controllers to the group. For information about configuring an AD authentication service group for admins, see bookmark460 bookmark460.
  • If you configured admin groups on the AD controller, you must create those same groups on the NIOS appliance and specify their privileges and settings. Note that the admin group names must match those on the AD domain controller. You can specify a default group as well. The NIOS appliance assigns admins to the default group if none of the admin groups on the NIOS appliance match the admin groups on the AD domain controller or if there are no other admin groups configured. For information about configuring group permissions and privileges, see About Admin Groups .
  • Add the newly configured Active Directory service to the list of authentication services in the admin policy, and add the admin group names as well. See Defining the Authentication Policy for more information about configuring an admin policy.

Configuring an Active Directory Authentication Service Group

You can add multiple domain controllers to an AD authentication server group for redundancy. The NIOS appliance tries to connect with the first domain controller on the list. If it is unable to connect, it tries the next domain controller on the list, and so on.
To configure an Active Directory authentication server group on the NIOS appliance:

  1. From the Administration tab, click the Authentication Server Groups tab.
  2. Click the Active Directory Services subtab and click the Add icon.
  3. In the Add Active Directory Authentication Service wizard, complete the following:
    • Name: Enter a name for the service.
    • Active Directory Domain: Enter the AD domain name.
    • Domain Controllers: Click the Add icon and complete the following to add an AD domain controller:
      • Server Name or IP Address: Enter the FQDN or the IP address of the AD server that is used for authentication.
      • Comment: Enter additional information about the AD server.
      • Authentication Port: Enter the port number on the domain controller to which the appliance sends authentication requests. The default is 389.
      • Encryption: Select SSL from the drop-down list to transmit through an SSL (Secure Sockets Layer) tunnel. When you select SSL, the appliance automatically updates the authentication port to 636. Infoblox strongly recommends that you select this option to ensure the security of all communications between the NIOS appliance and the AD server. If you select this option, you must upload a CA certificate from the AD server. Click CA Certificates to upload the certificate. In the CA Certificates dialog box, click the Add icon, and then navigate to the certificate to upload it.
      • Connect through Management Interface: Select this so that the NIOS appliance uses the MGMT port for administrator authentication communications with just this AD server.
      • Disable server: Select this to disable an AD server if, for example, the connection to the server is down and you want to stop the NIOS appliance from trying to connect to this server.
      • Click Test to test the configuration. If the NIOS appliance connects to the domain controller using the configuration you entered, it displays a message confirming the configuration is valid. If it is unable to connect to the server, the appliance displays a message indicating an error in the configuration.
      • Click Add to add the domain controller to the group.

When you add multiple domain controllers, the appliance lists the servers in the order you added them. This list also determines the order in which the NIOS appliance attempts to contact a domain controller. You can move a server up or down the list by selecting it and clicking the up or down arrow.
You can also delete a domain controller by selecting it and clicking the Delete icon.

  • Timeout(s): The number of seconds that the NIOS appliance waits for a response from the specified authentication server. The default is 5.
  • Comment: Enter additional information about the service.
  • Disable: Select this to retain an inactive AD authentication service profile.

   4. Save the configuration and click Restart if it appears at the top of the screen.

Enabling Active Directory Authentication for Nested Groups

Windows servers support nesting groups in which you can add a group of admin users as a member of another group. Nested groups consolidate admin accounts and help reduce the number of permissions required for individual users or groups. In NIOS, you can enable a nested group query so the appliance can recursively look up and use the AD authentication service to authenticate members or admin accounts. These members or admin accounts can be part of the default nested group, outside of the default nested group, or located within a non-default custom organizational unit.

When an admin belongs to multiple paths of hierarchy, you can enable nested group query in order to apply the AD authentication service hierarchically in a parent-child structure. This enables the NIOS appliance to apply the AD authentication service to all the groups of which an admin is a member. For example, if User 1 is a member of the default nested Group C, and Group C is a member of Group B, and Group B is a member of Group A, then the authentication service is applicable to all the groups of which User 1 is a member. In this example, the appliance performs a recursive lookup in Group C, Group B, and Group A while authenticating User 1.

You can also define multiple organizational units and add non-default AD admins and groups to these units. You must specify the search paths for such organizational units in Additional Search Paths when you configure AD authentication for nested groups.


Note: Microsoft recommends that you create all non-default users and groups in different organizational units to apply Group Policy Objects and prevent corruption or misuse of critical default accounts and groups.


Infoblox supports AD authentication for nested groups in the following scenarios:


Note: In Active Directory, objects are referred to by the DN (Distinguished Name), which contains CN (Common Name), OU (Organizational Unit), and DC (Domain Component) that are delimited by commas and indicate where the object resides in an AD hierarchy.


  • Scenario 1: When the user is located within the default Users group.

In this example, the DC ad-31.local contains CN=Users that is the default user group or the container. Users Username, VPNUsers, and Computers are located within the default user group. When you enable a nested group query, the appliance uses the AD authentication service to authenticate the admin accounts that are within the default nested group CN=Users. The DN for users within the default user group are as follows:

    • DN: CN=Username, CN=Users, DC=ad-31, DC=local
    • DN: CN=VPNUsers, CN=Users, DC=ad-31, DC=local
    • DN: CN=Computers, CN=Users, DC=ad-31, DC=local
  • Scenario 2: When the user is located outside the default Users group.

In this example, users CN=Username2 and CN=Infrastructure are not located within the default user group or the container. The DN for users within the DC ad-31.local are as follows:

    • DN: CN=Username2, CN=Users, DC=ad-31, DC=local
    • DN: CN=Infrastructure, CN=Users, DC=ad-31, DC=local
  • Scenario 3: When the user is located within a non-default organizational unit.

Example of an additional search path for an organizational unit that is located within another one: OU=OU_New1, OU=OU_New, where directory OU_New1 is situated within the directory OU_New. This organizational unit contains the following users: Admin, ITadmins, and Users. The DN for these users are as follows:

    • DN: CN=Admin, OU=OU_New1, OU=OU_New
    • DN: CN=ITadmins, OU=OU_New1, OU=OU_New
    • DN: CN=Users, OU=OU_New1, OU=OU_New

Note that additional search paths are not valid for scenarios 1 and 2 mentioned above and you must enable the default search path for these scenarios by clearing the Disable Default Search Path check box.

The following figure illustrates how you can configure default and non-default nested groups and add users to these groups in a Windows Active Directory. It contains a DC ad-31.local that can contain default users group, organizational units or individual users. When you select the Disable Default Search Path check box, the AD authentication service authenticates the admin account that is mentioned in the additional search path for a non-default organizational unit.

Figure 4.7 Active Directory Authentication for Nested Groups

To enable AD authentication for nested groups on the NIOS appliance:

  1. From the Administration tab, click the Authentication Server Groups tab.
  2. Click the Active Directory Services subtab and click the Add icon.
  3. In the Add Active Directory Authentication Service wizard, complete the following:
    • NestedGroupQuery: This check box is deselected by default, meaning the nested group query is disabled. When nested group query is disabled, AD authentication service is applied to only one group of which the AD admin is a member. When you select this check box, AD authentication service is applied to all the nested groups of which an AD admin is a member. This setting is applicable to all the AD servers configured for the Active Directory authentication service.
      • Disable Default Search Path: Select the check box to disable the default search path. When you disable the default search path, the Active Directory authentication service searches for an AD admin in the non-default organizational units that are listed in Additional Search Paths.

      • Additional Search Paths: Click the Add icon to configure a list of additional search paths for the respective AD admin that is in a non-default organizational unit. Click the Delete icon to delete the selected search path. Note that you must not specify the DC when you define an additional search path for non-default organizational units. Example of an additional search path for an organizational unit that is located within another one: OU=OU_New1, OU=OU_New, where directory OU_New1 is situated within the directory OU_New.

  4. Save the configuration.

This page has no comments.