Configuring Remote Access Authentication Servers
In the Authentication Servers page you can define and view different authentication servers where users can define both an external user database and the authentication method for users in that database.
You can define these types of authentication servers:
- RADIUS server - Define the details of a primary and secondary RADIUS server. The Quantum Spark Appliance can connect to these servers and recognize users defined in them and authenticated by them.
- Active Directory domain - Define the details of the Active Directory domain that contains your organization's user information. The User Awareness feature can use these details to provide seamless recognition of users for logging purposes and user-based policy configuration. This can be used for VPN remote access user authentication. When this is the case, additional configuration is necessary in the VPN > Remote Access Users page.
To add a RADIUS server:
1. Click Configure.
2. In the Primary tab, enter this information:
   - IP address - The IP address of the RADIUS server.
   - Port - The port number through which the RADIUS server communicates with clients. The default is 1812.
   - Shared secret - The secret (pre-shared information used for message "encryption") between the RADIUS server and the Quantum Spark Appliance.
     Note - You cannot use these characters in a password or shared secret:
     { } [ ] ` ~ | ' " \
     Maximum number of characters: 255
   - Show - Displays the shared secret.
   - Timeout (seconds) - A timeout value in seconds for communication with the RADIUS server. The timeout default is 3 seconds.
3. Repeat step 2 for a Secondary RADIUS server if applicable.
   Note - If you want to remove the information you entered in IP address and Shared secret, you can click Clear.
4. Click Apply.
The primary and secondary servers (if defined) are added to the RADIUS section on the page.
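The shared secret configured above is what protects the RADIUS exchange between the appliance and the server. The following is an added example, not Check Point code: it builds an RFC 2865 Access-Request the way a RADIUS client does (User-Password hidden with MD5 over the shared secret and the Request Authenticator) and validates the server's reply, so the reader can see what the page's quoted "encryption" actually covers and why a weak shared secret exposes both the password and the accept/reject decision. The user name, password and secret are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def _pap_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """XOR 16-byte blocks with MD5(secret + previous cipher block), RFC 2865 section 5.2."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, keystream))
        out += mixed
        prev = mixed if hiding else block  # the chain always runs over the ciphertext block
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad to a multiple of 16 bytes and hide the PAP password."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_xor(padded, secret, authenticator, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: whoever holds the shared secret can recover the password; nothing else is needed."""
    return _pap_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def build_access_request(user: str, password: str, secret: bytes, ident: int = 1,
                         authenticator: bytes = b"") -> bytes:
    """Access-Request: 4-byte header, 16-byte random Request Authenticator, User-Name, User-Password."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: a reply that does not validate under the configured secret must be discarded."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

Because the only secret material is the shared secret, a short or guessable one undoes the password hiding and lets a forged Access-Accept pass verify_response; the 255-character limit on the page leaves ample room for a long random value.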
RADIUS servers can be used for:
- Defining a database of users with remote access privileges. Such users are both defined and authenticated by the RADIUS server.
- Defining administrators. See the Users & Objects > Administrators page.
To edit a RADIUS server:
1. Click the IP address link of the RADIUS server you want to edit.
2. Make the necessary changes.
3. Click Apply.
The changes are updated in the RADIUS server.
To delete a RADIUS server:
Click the Remove link next to the RADIUS server you want to delete.
To configure remote access permissions for users defined in the RADIUS server:
1. Click permissions for RADIUS users.
2. Select or clear the Enable RADIUS authentication for remote access users checkbox.
3. When selected, choose which users are given remote access permissions:
   - To allow all users defined in the RADIUS server to authenticate - Select All users defined on RADIUS server.
   - To allow only specific user groups defined in the RADIUS server to authenticate - Select For specific RADIUS groups only and enter in the text field the names of the user groups, separated by commas.
   - To allow administrators with Read-only permissions to authenticate - Select Read-only Administrators.
4. Click Apply.
To add an Active Directory domain:
1. In the Active Directory section, click New.
2. Enter this information:
   - Domain - The domain name.
   - IP address - The IP address of one of the domain controllers of your domain.
   - User name - The user must have administrator privileges to ease the configuration process and create a user-based policy using the users defined in the Active Directory.
   - Password - The user's password.
     Note - You cannot use these characters in a password or shared secret:
     { } [ ] ` ~ | ' " \
     Maximum number of characters: 255
   - User DN - Click Discover for automatic discovery of the DN of the object that represents that user, or enter the user DN manually. For example:
     CN=John James,OU=RnD,OU=Germany,O=Europe,DC=Acme,DC=com
3. Select Use user groups from specific branch only if you want to use only part of the user database defined in the Active Directory. Enter the branch in the Branch full DN text field.
4. Click Apply.
When an Active Directory is defined, you can select it from the table and choose Edit or Delete when necessary.
When you edit, note that the Domain information is read-only and cannot be changed.
Each domain can be defined only once: when you add a new Active Directory domain, you cannot create a second object for a domain that already exists.
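The User DN example and the Branch full DN option above both rely on the LDAP distinguished-name format. As an added example that is not Check Point code, the following parses a DN into its RDNs (honouring RFC 4514 escaped commas) and checks whether a user's DN falls under a configured branch, which is the question the branch restriction answers when deciding which users and groups the appliance will use; the DNs are the page's example and constructed variants of it.

```python
import re

# Split on commas that are not preceded by a backslash (RFC 4514 escape).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return (attribute type, value) pairs in the order written, leaf entry first.

    Types are upper-cased because LDAP treats them case-insensitively; values keep
    their case so the caller decides how to compare them.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr_type.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def dn_in_branch(user_dn: str, branch_dn: str) -> bool:
    """True when branch_dn is the entry itself or one of its ancestors.

    An ancestor is a contiguous suffix of the RDN list; matching only some of the
    trailing components (for example skipping an OU) is not containment.
    """
    user, branch = parse_dn(user_dn), parse_dn(branch_dn)
    if len(branch) > len(user):
        return False
    tail = user[len(user) - len(branch):]
    return all(t == bt and v.lower() == bv.lower()
               for (t, v), (bt, bv) in zip(tail, branch))
```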
To configure remote access permissions for all users defined in Active Directory:
By default, users defined in the Active Directory are not given remote access permissions. Instead, in the VPN > Remote Access Users page all users defined locally or in Active Directories can be selected to be granted remote access permissions per user.
1. Click permissions for Active Directory users.
2. Select All users in the Active Directory. With this option, it is not necessary to go to the VPN > Remote Access Users page and select specific users.
   Note that most Active Directories contain a large list of users and you might not want to grant them all remote access permissions to your organization. Usually you keep the Selected Active Directory user groups option and configure remote access permissions through the VPN > Remote Access Users page.
3. Click Apply.
To change the synchronization mode with the defined Active Directories:
1. Click Configure in the toolbar of the Active Directory table.
2. Select one of the options - Automatic synchronization or Manual synchronization.
   When Manual synchronization is selected, you can sync the user database known to the appliance in all locations where this user database can be viewed. For example, the Users & Objects > Users page or the Source picker in the Firewall Rule Base in the Access Policy > Firewall Policy page.
   Note - You cannot select a user from the Active Directory, only an Active Directory user group. You can select a local user.
3. Click Apply.
To edit an Active Directory:
1. Select the Active Directory from the list.
2. Click Edit.
3. Make the relevant changes and click Apply.
To delete an Active Directory:
1. Select the Active Directory from the list.
2. Click Delete.
3. Click OK in the confirmation message.
Note - This page is available from the VPN and Users & Objects tabs.