Managing Authentication Servers

On the Users & Objects view > User Management section > Authentication Servers page you can define and view different authentication servers where users can define both an external user database and the authentication method for users in that database.

You can configure these types of authentication:

  • RADIUS server - Define the details of a primary and secondary RADIUS server. The Quantum Spark Appliance can connect to these servers and recognize users defined in them and authenticated by them.

    Note - In R81.10.10, Two-Factor Authentication is not supported when RADIUS or TACACS is configured for administrator access.

  • TACACS+ server - TACACS+ is an access control mechanism that enables user authentication and authorization of users by a separate server on the network.

    Notes:

    • In the R81.10.X releases, this feature is available starting from the R81.10.05 version.

    • The VPN view > Remote Access section > Authentication Servers page does not show the section TACACS+ Servers.

Configuring RADIUS Servers

RADIUS servers can be used for:

  • Defining a database of users with remote access privileges. Such users are both defined and authenticated by the RADIUS server.

  • Defining administrators. See the Users & Objects > User Management section > Administrators page.

  1. Click the Users & Objects view > Users Management section > Authentication Servers page.

  2. In the section RADIUS Servers, click Configure.

  3. In the Primary tab, enter this information:

    • IP address - The IP address of the RADIUS server.

    • Port - The port number through which the RADIUS server communicates with clients. The default is 1812.

    • Shared secret - The secret (pre-shared information used for message "encryption") between the RADIUS server and the Quantum SparkAppliance.

      Select Show to see the shared secret.

      Note - You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ‘ " \ (maximum number of characters: 255)

    • Timeout (seconds) - A timeout value in seconds for communication with the RADIUS server. The timeout default is 3 seconds.

    Note - Click Clear if you want to remove information you entered in IP address and Shared secret.

  4. On the Secondary tab, repeat Step 2 for a Secondary RADIUS server if applicable.

  5. Click Apply

    The primary and secondary servers (if defined) are added to the RADIUS section on the page.

  1. Click the Users & Objects view > Users Management section > Authentication Servers page.

  2. Click the IP address link of the RADIUS server you want to edit.

  3. Make the necessary changes.

  4. Click Apply

  1. Click the Users & Objects view > Users Management section > Authentication Servers page.

  2. Next to the RADIUS server you want to delete, click the Remove link.

  1. Click the Users & Objects view > Users Management section > Administrators page.

  2. In the line Administrator RADIUS authentication is, click Edit permissions.

  3. Select Enable RADIUS authentication for administrators.

  4. Select one of these:

    • Use roles defined on RADIUS server

    • Use default role for RADIUS users

      1. In the Default Administrators Role, select the applicable role.

      2. Optional: Select For Administrators use specific RADIUS group only.

        Enter the applicable RADIUS groups.

  5. Click Apply

  1. Click the Users & Objects view > Users Management section > Administrators page.

  2. Click the link in the sentence Remote access permissions for RADIUS users are disabled.

  3. Select Enable RADIUS authentication for User Awareness, Remote Access and Hotspot.

  4. Optional: Select For Remote Access use specific RADIUS groups only.

    Enter the applicable RADIUS groups.

  5. Click Apply

  6. Configure the remote access permissions for RADIUS users in the VPN view > Remote Access section > Remote Access Users page.

Configuring TACACS+ Servers

Notes:

  • In the R81.10.X releases, this feature is available starting from the R81.10.05 version.

  • TACACS+ is used for administration only and not for Remote Access authentication.

  1. Click the Users & Objects view > Users Management section > Authentication Servers page.

  2. In the section TACACS+ Servers, click Configure.

  3. In the Primary tab, enter this information:

    • IP address - The IP address of the TACACS+ server.

    • Port - The port number through which the TACACS+ server communicates with clients. The default is 49.

    • Shared secret - The secret (pre-shared information used for message "encryption") between the TACACS+ server and the Quantum Spark Appliance.

      Select Show to see the shared secret.

      Note - You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ‘ " \ (maximum number of characters: 255)

    • Timeout (seconds) - A timeout value in seconds for communication with the TACACS+ server. The timeout default is 3 seconds.

    Note - Click Clear if you want to remove information you entered in IP address and Shared secret.

  4. On the Secondary tab, repeat Step 2 for a Secondary TACACS+ server if applicable.

  5. Click Apply

  1. Click the Users & Objects view > Users Management section > Authentication Servers page.

  2. Next to the TACACS+ server you want to delete, click the Remove link.

  1. Click the Users & Objects view > Users Management section > Administrators page.

  2. In the line Administrator TACACS+ authentication is, click Edit permissions.

  3. Select Enable TACACS+ authentication for administrators.

  4. Select one of these:

    • Use roles defined on TACACS+ server

    • Use default role for TACACS+ users

      In the Default Administrators Role, select the applicable role.

  5. Click Apply

Configuring Active Directory Servers

  1. Click the Users & Objects view > Users Management section > Authentication Servers page.

  2. In the section Active Directory section, click New.

  3. Enter this information:

    • Domain - The domain name.

      You cannot create another object with the same Domain as an existing Active Directory domain object.

    • IP address - The IP address of one of the domain controllers of your domain.

    • User name - The user must have administrator privileges to ease the configuration process and create a user based policy using the users defined in the Active Directory.

    • Password - The user's password.

      Note - You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ‘ " \ (maximum number of characters: 255)

    • User DN - Click Discover for automatic discovery of the DN of the object that represents that user or enter the user DN manually.

      For example: CN=John James,OU=RnD,OU=Germany,O=Europe,DC=Acme,DC=com

  4. Select Use user groups from specific branch only if you want to use only part of the user database defined in the Active Directory.

    1. Click New.

    2. Enter the branch in the Branch full DN in the text field.

    3. Click Apply

  5. Click Apply

  1. Click the Users & Objects view > Users Management section > Authentication Servers page.

  2. In the section Active Directory section, select the Active Directory domain.

  3. Click Edit.

  4. Make the applicable changes.

    You cannot change the Domain.

  5. Click Apply

  1. Click the Users & Objects view > Users Management section > Authentication Servers page.

  2. In the section Active Directory section, select the Active Directory domain.

  3. Click Delete.

  4. Click OK in the confirmation message.

  1. Click the Users & Objects view > Users Management section > Authentication Servers page.

  2. In the section Active Directory section, click Configure.

  3. Select the applicable option:

    • Automatic synchronization

    • Manual synchronization

      Note - With this option, you can synchronize the user database known to the appliance in all locations that this user database can be viewed.

      For example:

      • The Users & Objects view > User Management section > Users page.

      • The Access Policy > view > Firewall section > Policy page > Source picker.

        You cannot select a user from the Active Directory, only an Active Directory user group.

        You can select a local user.

  4. Click Apply

By default, users defined in the Active Directory are not given remote access permissions. Instead, in the VPN > Remote Access section > Remote Access Users page all users defined locally or in Active Directories can be selected to be granted remote access permissions per user.

  1. Click the Users & Objects view > Users Management section > Authentication Servers page.

  2. In the section Active Directory section, click the link in the sentence Remote access permissions for Active Directory users are set in.

  3. Select All users in Active Directory.

    With this option, it is not necessary to go to the VPN view > Remote Access section > Remote Access Users page and select specific users.

    Note that most Active Directories contain a large list of users and you might not want to grant them all remote access permissions to your organization.

    Usually you keep the Selected Active Directory user groups option and configure remote access permissions on the VPN view > Remote Access section > > Remote Access Users page.

  4. Click Apply