
Authentication Settings

The Authentication Settings page enables you to configure SevOne NMS to authenticate users against LDAP, RADIUS, and TACACS servers. The System Authentication tab enables you to upload the CA root certificates used to validate those servers.

To access the Authentication Settings page from the navigation bar, click the Administration menu, select Access Configuration, and then select Authentication Settings.


User Authentication

The User Authentication tab enables you to configure SevOne NMS to use LDAP, RADIUS, and TACACS protocol authentication.

  • Lightweight Directory Access Protocol (LDAP) - An application protocol, carried over TCP/IP, for querying and modifying directory services. It enables centralized user directories against which distributed applications authenticate.

  • Remote Authentication Dial In User Service (RADIUS) - A network protocol that provides centralized authentication, authorization, and accounting (AAA) for users or devices that connect to a network service.

  • Terminal Access Controller Access-Control System (TACACS) - A remote authentication protocol that communicates with an authentication server commonly used in UNIX networks.

LDAP

The LDAP subtab enables you to configure communication with the LDAP authentication server. SevOne NMS supports LDAP authentication for individual users and LDAP group synchronization for Active Directory and OpenLDAP. Group synchronization runs once per hour.

Any LDAP-authenticated user who has the Must Change Password at Next Logon (or similar) setting on the LDAP server and has NOT yet changed that password will NOT be able to log on to SevOne NMS. Either disable this setting for the user on the LDAP server or ensure that LDAP users change their passwords elsewhere before attempting to log on to SevOne NMS.

When LDAP Group Synchronization is enabled, SevOne NMS attempts to sync LDAP users from every configured group into the SevOne NMS user repository on an hourly basis. The following LDAP attributes populate the corresponding NMS user fields:

  • givenname -> First Name

  • sn -> Last Name

  • mail -> Email

Perform the following steps to manage LDAP authentication.

SevOne NMS keeps synced local users whose roles are all LDAP roles consistent with the remote LDAP server: when such a user is removed from the directory, SevOne NMS also removes the corresponding local user. Users who also hold roles outside the LDAP folder are not removed by the sync.

  1. Click Add Server above the server list, or click the edit icon next to an existing server, to display the Add/Edit LDAP Server pop-up.

    1. In the Server field, enter the host name or IP address of the LDAP server.

    2. In the Port field, enter the network port of the LDAP server. The default LDAP port (also used for StartTLS) is 389; the default LDAPS port is 636. SevOne NMS marks LDAPS as deprecated in favour of StartTLS, although many directories, including Active Directory, still serve LDAPS on 636.

    3. In the Bind DN field, enter the distinguished name of the account SevOne NMS uses to bind to the directory. This account must be permitted to search beneath the Base DN you enter in step 6. Use a dedicated, read-only service account rather than an administrator account.

      Example: cn=guest. Active Directory typically expects a full DN, for example cn=nms-bind,ou=Service Accounts,dc=example,dc=com.

    4. In the Bind Password field, enter the password for the account you entered in the previous step. Leave it blank only if the directory permits anonymous (unauthenticated) binds to search the Base DN; LDAPv3 allows anonymous binds, but most production directories, including Active Directory by default, reject anonymous searches.

    5. In the Confirm Password field, reenter the bind password.

    6. In the Base DN field, enter the base distinguished name (DN) under which LDAP queries are performed. The base DN is the top of the directory subtree from which a search starts. For an Active Directory domain this is typically dc=example,dc=com.

    7. In the Username Field, enter the LDAP attribute whose value SevOne NMS matches against the login name. In Active Directory this is typically sAMAccountName; many other directories use cn or uid.

    8. Click the Encryption drop-down.

      • Select No Encryption to send bind credentials and directory data in cleartext (not recommended).

      • Select StartTLS to protect the LDAP credentials and data with TLS. StartTLS is sometimes called the TLS upgrade operation because it upgrades a normal LDAP connection on port 389 to one protected by TLS.

      • Select SSL (LDAPS, dep) to wrap the whole connection in TLS from the start. This is denoted in LDAP URLs by the "ldaps" scheme and normally uses port 636. Despite the label, modern servers negotiate TLS rather than the original Secure Sockets Layer (SSL). SevOne NMS marks this option as deprecated, reflecting its LDAPv2-era origins; prefer StartTLS unless the directory offers only LDAPS.

    9. Click Save.

  2. Repeat to add additional servers.

  3. In the server list, the StartTLS column and the SSL column enable you to change the related settings.

  4. Click the test-connection icon in the Actions column to test the connection to the LDAP server.

  5. In the Synchronized Groups section, click the Group drop-down and select the LDAP group to synchronize from the selected server. LDAP groups are the equivalent of SevOne NMS user roles.

    LDAP groups are associated with SevOne User Roles nested in the LDAP folder. The LDAP sync process will automatically perform the following actions:

    • Create or delete User Roles within the LDAP folder hierarchy for any LDAP groups present during the sync.

    • Create new user accounts for any users present in the LDAP groups.

    • Add or remove User Roles to individual user accounts based on their LDAP group assignment.

    LDAP roles created by the sync have no permissions by default; an administrator must grant permissions manually. If a user's LDAP group assignment changes, the next LDAP sync modifies the user's roles in the NMS accordingly.

    User roles not nested within the LDAP roles folder can be assigned to LDAP users but require manual management by an administrator.

  6. If the group you are looking for does not appear, click Add Group to display the Add Group pop-up.

    1. Click the Server drop-down and select a server.

    2. In the Search field, enter at least one letter to filter the search results and press Enter.

    3. In the list of groups, click the + next to the group name to display the group members.

    4. Select the check box for each group to add.

    5. Click Add to add the groups you select.

  7. Click Delete Selected to remove the group currently shown in the Group box (use the down arrow to choose a different group). Users whose only role is this group are deleted; users with other group memberships are retained.

  8. In the Settings section, click the Guest User drop-down and select the guest user whose permissions are granted to anyone who logs on with a valid LDAP ID but no SevOne NMS account. Because every account in the directory, not only members of synchronized groups, inherits these permissions, keep the guest user's permissions to the minimum required or leave it unset.

  9. Select the Ignore SSL/TLS Certificates check box to skip verification of the server certificate (not recommended: this disables server authentication, so a host on the network path could present any certificate and capture the bind credentials). The supported alternative is to upload the issuing CA's root certificate on the System Authentication tab. If you change this setting you must contact SevOne Support for it to properly take effect.

  10. Click Save LDAP Settings.
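The following is an added example, not SevOne code, that models three pieces of the LDAP configuration above: the user lookup built from the Username Field (escaped so that a login name cannot alter the search filter), the givenname/sn/mail attribute mapping, and the hourly group sync rules (create accounts for new group members, adjust LDAP roles, delete users who held only LDAP roles and have left the directory). The group names, user names and the local-user record shape are constructed for illustration.

```python
from __future__ import annotations

import re

# LDAP attribute -> NMS user field, as populated by hourly group synchronization.
ATTRIBUTE_MAP = {"givenname": "First Name", "sn": "Last Name", "mail": "Email"}


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515 section 3).

    Without this, a login name such as '*)(objectClass=*' turns the lookup
    into a wildcard search (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_filter(username_field: str, username: str) -> str:
    """Build the lookup filter for the configured Username Field (e.g. sAMAccountName)."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", username_field):
        raise ValueError("Username Field must be a single LDAP attribute name")
    return f"({username_field}={escape_filter_value(username)})"


def map_attributes(entry: dict[str, str]) -> dict[str, str]:
    """Map givenname/sn/mail onto NMS fields; LDAP attribute names are case-insensitive."""
    lowered = {name.lower(): value for name, value in entry.items()}
    return {nms: lowered.get(ldap, "") for ldap, nms in ATTRIBUTE_MAP.items()}


def plan_sync(remote_groups: dict[str, set[str]],
              local_users: dict[str, dict[str, set[str]]]) -> dict:
    """Compute what one sync run would do (constructed model of the page's rules).

    remote_groups: synchronized LDAP group -> usernames currently in it.
    local_users:   username -> {"ldap_roles": roles in the LDAP folder,
                                "other_roles": roles outside it}.
    New members get accounts with their group roles; existing users have LDAP
    roles added/removed to match membership; users who held only LDAP roles and
    no longer appear in any synchronized group are deleted; users with roles
    outside the LDAP folder are kept.
    """
    wanted: dict[str, set[str]] = {}
    for group, members in remote_groups.items():
        for user in members:
            wanted.setdefault(user, set()).add(group)

    create = {u: sorted(roles) for u, roles in wanted.items() if u not in local_users}
    role_changes: dict[str, dict[str, list[str]]] = {}
    delete: list[str] = []
    for user, rec in local_users.items():
        new_roles = wanted.get(user, set())
        if not new_roles and rec["ldap_roles"] and not rec["other_roles"]:
            delete.append(user)  # LDAP-only user vanished from the directory
            continue
        if new_roles != rec["ldap_roles"]:
            role_changes[user] = {
                "add": sorted(new_roles - rec["ldap_roles"]),
                "remove": sorted(rec["ldap_roles"] - new_roles),
            }
    return {"create": create, "role_changes": role_changes, "delete": sorted(delete)}


if __name__ == "__main__":
    # Constructed sample: directory state and the NMS's local users before a sync.
    remote = {"NetOps": {"alice", "bob"}, "ReadOnly": {"carol"}}
    local = {
        "bob": {"ldap_roles": {"NetOps", "ReadOnly"}, "other_roles": set()},
        "dave": {"ldap_roles": {"NetOps"}, "other_roles": set()},
        "erin": {"ldap_roles": {"ReadOnly"}, "other_roles": {"Administrators"}},
    }
    print(user_filter("sAMAccountName", "*)(sAMAccountName=*"))
    print(plan_sync(remote, local))
```

Note that erin loses the ReadOnly LDAP role but is retained because she also holds a non-LDAP role, while dave, who had only an LDAP role, is deleted; that is the retention behaviour described for group deletion and for users removed from the directory.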

RADIUS

The RADIUS tab enables you to configure SevOne NMS to communicate with the RADIUS protocol authentication server.

  1. Click Add Server above the server list, or click the edit icon next to an existing server, to display the Add/Edit RADIUS Server pop-up.

    1. In the IP Address field, enter the IP address for the RADIUS server.

    2. In the Port field, enter the RADIUS server's authentication port. This is typically 1812 (1645 on legacy servers).

    3. In the Shared Secret field, enter the RADIUS server's shared secret. Use a long, random secret: it is the only thing protecting the RADIUS exchange between SevOne NMS and the server.

    4. Click Save.

  2. Repeat to add additional servers.

  3. Click the Encryption drop-down and select the type of encryption to use.

  4. Click the Guest User drop-down and select the guest user to provide permissions for anyone who logs on with a valid RADIUS ID but no SevOne NMS account.

  5. In the RADIUS NAS Identifier field, enter the RADIUS NAS identifier, if required (default - localhost if left blank).

  6. In the RADIUS Calling Station ID field, enter the RADIUS calling station identifier, if required (default - 127.0.0.1 if left blank).

  7. Click Save RADIUS Settings.
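To show what the shared secret, NAS Identifier and Calling Station ID above actually do on the wire, here is an added example (not SevOne code) that builds and parses a RADIUS Access-Request per RFC 2865, including the User-Password hiding that depends on the shared secret and a random Request Authenticator. The defaults "localhost" and "127.0.0.1" are the ones the page states; the user name, password and secret are constructed sample values.

```python
from __future__ import annotations

import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 2, 31, 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    Each 16-octet block is XORed with MD5(secret + previous block); the first
    block uses the 16-octet Request Authenticator. Only the shared secret and an
    unpredictable authenticator stand between the password and an eavesdropper."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    padded = padded or b"\x00" * 16  # an empty password still occupies one block
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it (NUL padding stripped)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(identifier: int, secret: bytes, username: str, password: str,
                   nas_identifier: str = "localhost",
                   calling_station_id: str = "127.0.0.1",
                   authenticator: bytes | None = None) -> bytes:
    """Build an Access-Request carrying the attributes the NMS settings control."""
    authenticator = authenticator or os.urandom(16)  # must be fresh for every request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IDENTIFIER, nas_identifier.encode())
             + attribute(CALLING_STATION_ID, calling_station_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Parse the fixed header and TLV attributes, rejecting inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than 20 octets")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


if __name__ == "__main__":
    # Constructed sample exchange: what the NMS would send for user alice.
    secret = b"s3cret-shared-with-server"
    pkt = access_request(7, secret, "alice", "Passw0rd!")
    parsed = parse_packet(pkt)
    print(parsed["attrs"][NAS_IDENTIFIER], parsed["attrs"][CALLING_STATION_ID])
    print(reveal_password(parsed["attrs"][USER_PASSWORD], secret, parsed["authenticator"]))
```

The hiding scheme is MD5-based and offers no integrity protection on its own, which is why the shared secret must be strong and the path between SevOne NMS and the RADIUS server should be a trusted network.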

TACACS

The TACACS subtab enables you to configure SevOne NMS to communicate with the TACACS authentication server. Servers are tried in the order in which they appear in the list. If the first server is running and rejects the user's credentials, the logon fails; SevOne NMS falls through to the next server in the list only when the preceding server is not running.

  1. Click Add Server above the server list, or click the edit icon next to an existing server, to display the Add/Edit TACACS Server pop-up.

    1. In the IP Address field, enter the IP address of the TACACS authentication server.

    2. Click Save.

  2. Repeat to add additional servers.

  3. In the Shared Secret field, enter the shared secret for the server.

  4. Click the Guest User drop-down and select the user to provide permissions for anyone who logs on with a valid TACACS ID but no SevOne NMS account.

  5. Click Save TACACS Settings.

System Authentication

The System Authentication tab enables you to upload CA root certificates. SevOne NMS uses them to validate the server certificate presented by an LDAP server over StartTLS or LDAPS, and by HTTPS endpoints that the HTTP plugin and/or the Web Status plugin log on to. Upload the CA root certificate whenever the server's certificate is signed by a CA that SevOne NMS does not already trust, such as an internal CA. The certificates must be base64-encoded PEM files. It can take up to fifteen minutes for a certificate to synchronize across your SevOne cluster.

  1. Click Add Certificate to display the Upload SSL/TLS Root Certificate pop-up.

  2. Click the folder icon to locate and select the certificate.

  3. Click Upload to upload the certificate.
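The following added example (not SevOne code) checks a file before upload against the requirement above, that it be base64-encoded PEM containing CA certificates, and contrasts a TLS client context that trusts an uploaded CA bundle with the weak context produced by the Ignore SSL/TLS Certificates setting on the LDAP subtab. The PLACEHOLDER_PEM value is a constructed stand-in (the DER of a bare ASN.1 SEQUENCE, not a real certificate), so it exercises the PEM parsing but must not be loaded into a trust store.

```python
from __future__ import annotations

import base64
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder: base64 of bytes 30 03 02 01 01 (SEQUENCE { INTEGER 1 }),
# shaped like a PEM certificate block but not a real certificate.
PLACEHOLDER_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def pem_certificates(data: bytes) -> list[bytes]:
    """Return the DER bytes of each CERTIFICATE block in a PEM bundle.

    Rejects binary DER files (the page requires base64 PEM), files that contain
    a private key (never upload those to a CA trust store) and bodies that do
    not decode to an ASN.1 SEQUENCE."""
    if data[:1] == b"\x30":
        raise ValueError("binary DER input; convert with: openssl x509 -inform der -outform pem")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("PEM files must be ASCII text") from exc
    if "PRIVATE KEY-----" in text:
        raise ValueError("file contains a private key; upload CA certificates only")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found")
    ders = []
    for body in blocks:
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":
            raise ValueError("certificate body is not DER")
        ders.append(der)
    return ders


def ldap_tls_context(ca_bundle: bytes | None, ignore_certificates: bool = False) -> ssl.SSLContext:
    """TLS client context for StartTLS or LDAPS to the directory.

    ignore_certificates mirrors the NMS 'Ignore SSL/TLS Certificates' box: it
    turns off both chain validation and hostname matching, so any host on the
    path can impersonate the LDAP server and collect the bind credentials.
    The alternative is to trust the issuing CA explicitly via ca_bundle."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ignore_certificates:
        ctx.check_hostname = False  # weak setting, kept only for comparison
        ctx.verify_mode = ssl.CERT_NONE
    elif ca_bundle:
        pem_certificates(ca_bundle)  # fail early on a malformed upload
        ctx.load_verify_locations(cadata=ca_bundle.decode("ascii"))
    return ctx


def verification_summary(ctx: ssl.SSLContext) -> dict:
    """Report how a context authenticates the server, for checks and logs."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


if __name__ == "__main__":
    print(pem_certificates(PLACEHOLDER_PEM))
    print("strict:", verification_summary(ldap_tls_context(None)))
    print("ignore:", verification_summary(ldap_tls_context(None, ignore_certificates=True)))
```

With a real bundle, pass the file contents as ca_bundle; the context then accepts only LDAP servers whose chain ends in one of the uploaded roots and whose certificate matches the configured host name, which is the behaviour the NMS provides once the CA root certificate is uploaded here instead of ticking Ignore SSL/TLS Certificates.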