The access management framework supports the following types of AAA
servers: Local, External (standards-based), and External (other).
Local includes "Local Authentication Server", "Certificate
Server".
External (standards-based) includes "LDAP Server", "RADIUS
Server".
External (other) includes "MDM Server", "RSA ACE Server", "TOTP
Server".
AAA Traffic Management
Ivanti Connect Secure Virtual appliances and Appliances allow the administrator to choose the communicating interface or the network for each authentication server.
This feature allows the AAA traffic across physical interfaces, VLAN ports, and virtual ports on physical and VLAN ports.
Configuring AAA Traffic Management Across Interfaces
To configure AAA traffic management across interfaces:
Select the gateway from the Gateways list, and click Authentication > Authentication Servers.
Click Enable Auth Traffic Control.
In the Confirm Traffic Decoupling Enabling prompt, click Enable Traffic Decoupling.
Configuring Authentication
Servers
To add an authentication server:
Log into the nSA as a Tenant Admin.
From the ICS menu, click Gateways > Gateways
List. In the Gateways list page, select the standalone ICS
Gateway or Cluster node that you want to configure.
From the ICS menu, click Authentication > Authentication
Servers.
Click the Add icon and select the Authentication server type from
the list.
Configuring Local
Authentication Server
You can create multiple local authentication server instances. When
you define a new local authentication server, you must give the server a
unique name and configure options for passwords.
To create a local authentication server:
Select Authentication > Authentication
Servers.
Click the Add icon and select Local from the list
to display the configuration page.
Complete the configuration and save changes.
Enter a Server Name.
Select Password Options.
Select the Allow users to change passwords
option if you want users to be able to change their passwords.
Select the Force password change after option to
specify the number of days after which a password expires. The default
is 64 days.
Select the Prompt users to change password
option to specify when to prompt the user to change passwords.
Select the Enable account lockout for users
option to manage user authentication failures for admin users of local
authentication server.
Enter the number of consecutive wrong password attempts after
which the admin user account will be locked. The default value is 3
retries.
Enter the time in minutes for which admin user account will
remain locked. The default value is 10 minutes.
Configuring ACE
Authentication Server
RSA Authentication Manager (formerly known as ACE/Server) is an
authentication and authorization server that allows user authentication
based on credentials from the RSA SecurID® product from RSA Security
Inc.
To configure authentication with the ACE server:
Select Authentication > Authentication
Servers.
Click the Add icon and select ACE from the list to
display the configuration page.
Complete the configuration and save changes.
Enter a Server Name.
Enter the default port of the authentication server.
Click and browse Import New Config File to
upload the sdconf.rec configuration file.
Select the Enable User Record Synchronization
option to retain the bookmarks and individual preferences regardless of
which system you log in to.
Enter a logical authentication server name.
Configuring RADIUS
Authentication Server
To configure authentication with the RADIUS server:
Select Authentication > Authentication
Servers.
Click the Add icon and select RADIUS from the
list to display the configuration page.
Complete the configuration and save changes.
Settings page
Enter a Server Name.
Enter the name that identifies the Network Access Server (NAS)
client to the RADIUS server.
Enter the name or IP address of the RADIUS server.
Enter the authentication port value for the RADIUS server.
Default port number: 1812, 1645 (legacy servers).
Enter the NAS IP address. If you leave this field empty, the
internal IP address is passed to RADIUS requests. You can also fill this
field with IPv6 address.
Enter the interval of time in seconds to wait for a response from
the RADIUS server before timing out the connection.
Enter the number of times to try to make a connection after the
first attempt fails.
Select the Users authenticate using tokens or one-time
passwords option to prompt the user for a token instead of a
password.
Click Next.
Backup server & Accounting page (required only
if Backup server exists)
Enter the secondary RADIUS server.
Enter the Authentication Port.
Enter the Shared Secret.
Enter the Accounting Port.
Enter the user information to the RADIUS accounting
server.
Enter Interim Update Interval in minutes to
achieve more precise billing for long-lived session clients and during
network failure.
Select the Use VPN Tunnel assigned IP Address for
FRAMED-IP-ADDRESS/FRAMED-IPV6-ADDRESS attribute value in RADIUS
Accounting option to use the VPN Tunneling IP address for the
FRAMED-IP-ADDRESS/FRAMED-IPV6-ADDRESS attribute instead of the
pre-authenticated (original) IP address. Framed IPv6 addresses based
attribute fetching and parsing:
NAS-IPv6-Address
Login-IPv6-Host
Enable the Send Interim Updates for sub sessions created
inside parent sessions check box to send interim updates for
sub sessions (child sessions) created inside parent sessions.
Click Next.
Rules page
Select the Enable processing of Radius Disconnect
Requests check box. The Radius Disconnect requests received
from the backend Radius server will terminate sessions that match the
attributes in the request.
Select the Enable User Record Synchronization
option to retain the bookmarks and individual preferences regardless of
which system you log in to.
Enter a logical authentication server name.
Configuring
Certificate Authentication Server
The certificate server is a local server that allows user
authentication based on the digital certificate presented by the user
without any other user credentials.
To configure authentication with the Certificate server:
Select Authentication > Authentication
Servers.
Click the Add icon and select Certificate from the
list to display the configuration page.
Complete the configuration and save changes.
Enter a Server Name.
Enter a username template. Specify how the system should
construct a username. You may use any combination of certificate
variables contained in angle brackets and plain text.
Select the Enable User Record Synchronization
option to retain the bookmarks and individual preferences regardless of
which system you log in to.
Enter a logical authentication server name.
From the drop-down list, select the Secondary Authentication server. From 22.6R1 version, nSA supports SAML Authentication server as a Secondary Authentication server.
Configuring LDAP
Authentication Server
Lightweight Directory Access Protocol (LDAP) facilitates the access
of online directory services. LDAP directory consists of a collection of
attributes with a name, known as a distinguished name (DN). Each of the
entry's attributes, known as a relative distinguished name (RDN), has a
type and one or more values. The types are typically mnemonic strings,
such as CN for common name. The valid values for each field depend on
the types.
To configure authentication with the LDAP server:
Select Authentication > Authentication
Servers.
Click the Add icon and select LDAP from the list
to display the configuration page.
Complete the configuration and save changes.
Settings page
Enter a Server Name.
Select the Enable Domain Name option if you want
to fetch a list of servers from the DNS server. Clear this option if you
want to manually enter all the domain controllers host names.
Enter the LDAP server name or the IP address.
(Optional) Enter the parameters for backup LDAP server1. Default
port number: 389
Enter the parameters for backup LDAP port1.
(Optional) Specify the parameters for backup LDAP
server2.
Enter the parameters for backup LDAP port2.
Select the backend LDAP server type from the following choices:
Generic, Active Directory, iPlanet, Novell eDirectory.
Select one of the following options for the connection to the
LDAP server:
Unencrypted - The device sends the username and password to the LDAP
Directory Service in cleartext.
LDAPS - The device encrypts the data in the LDAP authentication
session using the Secure Socket Layer (SSL) protocol before sending it
to the LDAP Directory Service.
Start TLS - The device allows both secure and plain requests against
an LDAP server on a single connection.
Enter the time (in seconds) to wait for connection to the primary
LDAP server, and then to each backup LDAP server. Default: 15
seconds
Enter the time (in seconds) to wait for search results from a
connected LDAP server.
Click Next.
Authentication & Users page
Select the Authentication required to search
LDAP option to require authentication when performing search or
password management operations.
Enter the administrator DN for queries to the LDAP
directory.
Enter the password for the LDAP server.
Enter the backup administrator DN for queries to the LDAP
directory, as a fallback when primary Admin DN fails (due to account
expiration).
Enter the backup administrator password for the LDAP server.
Under Finding user entries:
Enter the base DN under which the users are located. For example,
dc=sales,dc=acme, dc=com.
Enter a unique variable that can be used to do a fine search in the
tree. For example, samAccountname=<username> or
cn=<username>.
Select the Strip domain from Windows username
option to pass the username without the domain name to the LDAP
server.
Click Next.
Membership & Sync page
Enter the base DN to search for user groups.
Enter a unique variable which can be used to do a fine search in
the tree. For example, samAccountname=<username> or
cn=<GROUPNAME>.
Enter all the members of a static group. For example, member or
uniquemember (iPlanet specific Deprecated for 21.x).
Select the Reverse group search option to start
the search from the member instead of the group. This option is
available only for Active Directory server types.
Enter an LDAP query that returns the members of a dynamic group.
For example, memberURL.
Enter how many levels within a group to search for the user. The
higher the number, the longer the query time, so we recommend that you
specify to perform the search no more than two levels deep.
Select one of the following options: Nested groups in Server
Catalog, Search all nested groups.
Configuring SAML
Authentication Server
SAML is an XML-based framework for communicating user authentication,
entitlement, and attribute information. The standard defines the
XML-based assertions, protocols, bindings, and profiles used in
communication between SAML entities. SAML is used primarily to implement
Web browser single sign-on (SSO). SAML enables businesses to leverage an
identity-based security system like Ivanti Connect Secure to enforce
secure access to web sites and other resources without prompting the
user with more than one authentication challenge.
For complete details on the SAML standard, see the OASIS web
site:
To configure authentication with the SAML server:
Select Authentication > Authentication
Servers.
Click the Add icon and select SAML from the list to
display the configuration page.
Complete the configuration and save changes.
Settings
Enter a name to identify the server instance.
Select SAML version used by the SAML IdP.
Select to override the Host FQDN for the SAML server. Host FQDN
is used to update the Unique SAML Identifier and ACS URL of the SAML
Authentication Server.
Select Manual or Metadata for Configuration Mode. If a metadata
file or location is available from the SAML identity provider, use the
metadata option to make configuration simpler and less prone to
error.
Enter Identity Provider Entity ID. The identity
provider entity ID is sent as the Issuer value in the assertion
generated by the SAML identity provider.
Enter Identity Provider Single Sign On Service
URL. The identity provider SSO service URL is a URL provisioned
by the SAML identity provider. The setting is required to support
service-provider-initiated SSO.
Specify User Name Template to derive the
username from the assertion.
Specify the maximum allowed difference in time between the system
clock and the SAML identity provider server clock.
Select Support Single Logout. Single logout is a
mechanism provided by SAML for logging out a particular user from all
the sessions created by the identity provider. Select this option if the
system must receive and send a single logout request for the peer SAML
identity provider.
Click Save Changes. The SAML Authentication
Server gets listed in the Authentication Servers page.
SSO
Select the SSO tab.
Select Artifact to use the Artifact binding. The
system then contacts the Artifact Resolution Service (ARS) to fetch the
assertion using SOAP protocol. If the ARS is hosted on a HTTPS URL, then
the certificate presented by the ARS is verified by the system.
Select POST to use the POST binding, the system
uses a response signing certificate to verify the signature in the
incoming response or assertion. The certificate file must be in PEM or
DER format. The certificate you select should be the same certificate
used by the identity provider to sign SAML responses.
Use the Add and Remove buttons
to select authentication context classes to be sent in the
authentication requests to the SAML identity provider. These are
included in the RequestedAuthnContext element.
Click Save Changes.
Metadata Settings
Select the Metadata tab.
Enter the number of days the metadata is valid. Valid values are
0 to 9999. 0 specifies the metadata does not expire.
Select Do Not Publish SA Metadata if you do not
want to publish the metadata at the location specified by the
Entity ID field.
Select Download Metadata. This button appears
only after you have saved the authentication server configuration. Use
this button to download the metadata of the current SAML service
provider.
Click Save Changes.
Configuring TOTP
Authentication Server
Time-based One-Time Password (TOTP) algorithm as defined in RFC6238
is an authentication mechanism where a one-time password (a.k.a token)
is generated by the authentication server and client from a shared
secret key and the current time. ICS can act as TOTP authentication
server. Any third-party TOTP applications (for example, Windows
Authenticator or Google Authenticator) available on the mobile and
desktop client platforms generate TOTP tokens.
To configure the TOTP server as Local:
Select Authentication > Authentication
Servers.
Click the Add icon and select TOTP from the list to
display the configuration page.
Complete the configuration and save changes.
TOTP Auth Server Settings - Local
Select Local as Server Type. TOTP context is
created locally and user database is maintained locally on the same
device.
Time Skew - Specify maximum time difference between Ivanti
Connect Secure and end user device while authenticating a user's token.
(minimum: 1 minute, maximum: 5 minutes).
Number of attempts allowed - Specify maximum number of
consecutive wrong attempts allowed after which account will be locked
(minimum: 1 attempt, maximum: 5 attempts).
Custom message for registration page - Specify a custom message
which can be shown on new TOTP user registration web-page.
Allow Auto Unlock - When checked, locked account will be
automatically unlocked after specified period. (minimum: 10 minutes,
maximum: 90 days).
Allow new TOTP user registration to happen via external port -
When unchecked (default), new TOTP user registrations will happen only
via internal port.
Accept TOTP authentication from remote ICS devices - When
checked, REST access to this TOTP server is allowed from other Ivanti
Connect Secure devices.
Display QR code during user registration - When checked, displays
QR code during user registration.
Disable generation of backup codes - When unchecked, generates
backup codes.
TOTP Auth Server Settings - Remote
Select Remote as Server Type. In this
configuration, authentication checks take place on the remote TOTP
server.
If the Allow new TOTP user registration to happen via
external port option is not selected, new TOTP user
registrations happen only via company intranet network.
Enter remote host name or IP address where the TOTP server is
configured. The IP address or host name must match the common name
mentioned in the remote TOTP server certificate.
Enter TOTP Server Name configured on the Remote TOTP server.
Enter the REST API login name.
Enter the REST API password.
Enter the realm name, which refers to the realm that should be used
for authenticating the REST user (using the auth. server mapped to the
Realm).
Use the Test Connection button to validate the connection to the
remote TOTP server.
Exporting/Importing TOTP Users
To export/import TOTP users:
1.Select Authentication > Authentication Servers.
2.Click the link for the authentication server you want to manage.
3.Click the Users tab to display the user accounts table. The user accounts table includes entries for the accounts that have been created.
4.Use the Export and Import buttons located at the bottom of the user accounts table to export and import TOTP users data.
5.(Optional)To enhance the security of the TOTP users' data, Ivanti recommends to encrypt the data with a password. This password should adhere to Ivanti Password policy. To import the user data, enter the password if file is password protected.
Configuring MDM
Authentication Server
The access management framework MDM authentication server
configuration includes details on how the system communicates with the
MDM Web RESTful API service and how it derives the device identifier
from the certificates presented by endpoints.
To configure authentication with the MDM server:
Select Authentication > Authentication
Servers.
Click the Add icon and select MDM from the list to
display the configuration page.
Complete the configuration and save changes.
Type - Select one of the following options: VMWare Workspace One (formerly AirWatch), Ivanti (formerly MobileIron),
Microsoft Intune
Applicable to VMWare Workspace One and Ivanti
Enter the URL for the MDM server. This is the URL the MDM has
instructed you to use to access its RESTful Web API (also called a
RESTful Web service).
Enter the URL for the MDM report viewer. This URL is used for links
from the Active Users page to the MDM report viewer.
Enter a timeout period (5-60 seconds) for queries to the MDM server.
The default is 15 seconds.
Enter the username and password for an account that has privileges
to access the MDM RESTful Web API.
(AirWatch only) Copy and paste the AirWatch API tenant code.
Applicable to Microsoft Intune
Enter Azure AD Tenant ID.
Enter Web application ID that has been registered in Azure AD.
Enter Secret key of the web application registered in azure AD.
Enter a timeout period (5-60 seconds) for queries to the MDM server.
The default is 15 seconds.
Device Identifier
Construct a template to derive the device identifier from the
certificate attributes. The template can contain textual characters as
well as variables for substitution.
Select the device identifier type that matches the selection in the
MDM SCEP certificate configuration:
UUID - The device Universal Unique Identifier. This is the key
device identifier supported by MobileIron MDM.
Serial Number - The device serial number.
UDID - The device Unique Device Identifier. This is the key
device identifier supported by AirWatch MDM.
Device ID - The device unique identifier.
Configuring
Active Directory Authentication Server
Active Directory is a directory service used in Windows domain
networks. It is included in most Windows server operating systems.
Enterprise servers that run Active Directory are called domain
controllers. An Active Directory domain controller authenticates and
authorizes users and computers in a Windows domain network.
When you use Active Directory as the authentication and authorization
service for your Ivanti access management framework, users can sign in
to Ivanti Connect Secure using the same username and password they use
to access their Windows desktops. You can also use Active Directory
group information in role mapping rules.
To configure authentication with the MDM server:
Select Authentication > Authentication
Servers.
Click the Add icon and select Active Directory from
the list to display the configuration page.
Complete the configuration and save changes.
Specify a name to identify the server within the system.
Specify the NetBIOS domain name for the Active Directory
domain.
Specify the FQDN of the Active Directory domain.
Specify a username that has permission to join computers to the
Active Directory domain.
Specify the password for the special user.
Select Save Credentials. If this setting is not
enabled, the credentials entered will be destroyed after successfully
joining the domain.
Specify the machine account name. The default computer name is
derived from the license hardware in the following format:
0161MT2L00K2C0. We recommend the Computer Name string contain no more
than 14 characters to avoid potential issues with the AD/NT server. Do
not include the '$' character.
Specify the protocol to use during authentication. The system
attempts authentication using the protocols you have enabled in the
order shown on the configuration page. For example, if you have selected
the check boxes for Kerberos and NTLMv2, the system sends the
credentials to Kerberos. If Kerberos succeeds, the system does not send
the credentials to NTLMv2. If Kerberos is not supported or fails, the
system uses NTLMv2 as the next protocol in order.
Contact trusted domains. Select this option to contact domain
controllers of trusted domains directly without proxying authentication
requests and group membership checks through the domain
controller.
Enter the maximum number of simultaneous domain connections (1 to
10).
Enable periodic password change of machine account. Select this
option to change the domain machine account password for this
configuration.
