Authentication and Directory Servers


Introduction

The access management framework supports the following types of AAA servers: Local, External (standards-based), and External (other).

  • Local includes “Local Authentication Server”, “Certificate Server”.

  • External (standards-based) includes “LDAP Server”, “RADIUS Server”.

  • External (other) includes “MDM Server”, “RSA ACE Server”, “TOTP Server”.

Configuring Authentication Servers

To add an authentication server:

  1. Log into the nSA as a Tenant Admin.

  2. From the ICS menu, click Gateways > Gateways List. In the Gateways list page, select the standalone ICS Gateway or Cluster node that you want to configure.

  3. From the ICS menu, click Authentication > Authentication Servers.

  4. Click the Add icon and select the Authentication server type from the list.

gwlist

FIGURE 285 Configuring Authentication Servers

Configuring Local Authentication Server

You can create multiple local authentication server instances. When you define a new local authentication server, you must give the server a unique name and configure options for passwords.

To create a local authentication server:

  1. Select Authentication > Authentication Servers.

  2. Click the Add icon and select Local from the list to display the configuration page.

  3. Complete the configuration and save changes.

    • Enter a Server Name.

    • Select Password Options.

    • Select the Allow users to change passwords option if you want users to be able to change their passwords.

    • Select the Force password change after option to specify the number of days after which a password expires. The default is 64 days.

    • Select the Prompt users to change password option to specify when to prompt the user to change passwords.

    • Select the Enable account lockout for users option to manage user authentication failures for admin users of local authentication server.

    • Enter the number of consecutive wrong password attempts after which the admin user account will be locked. The default value is 3 retries.

    • Enter the time in minutes for which admin user account will remain locked. The default value is 10 minutes.

      gwlist

      FIGURE 286 Local Authentication Server

Configuring ACE Authentication Server

RSA Authentication Manager (formerly known as ACE/Server) is an authentication and authorization server that allows user authentication based on credentials from the RSA SecurID® product from RSA Security Inc.

To configure authentication with the ACE server:

  1. Select Authentication > Authentication Servers.

  2. Click the Add icon and select ACE from the list to display the configuration page.

  3. Complete the configuration and save changes.

    • Enter a Server Name.

    • Enter the default port of the authentication server.

    • Click and browse Import New Config File to upload the sdconf.rec configuration file.

    • Select the Enable User Record Synchronization option to retain the bookmarks and individual preferences regardless of which system you log in to.

    • Enter a logical authentication server name.

      gwlist

      FIGURE 287 ACE Authentication Server

Configuring RADIUS Authentication Server

To configure authentication with the RADIUS server:

  1. Select Authentication > Authentication Servers.

  2. Click the Add icon and select RADIUS from the list to display the configuration page.

  3. Complete the configuration and save changes.

    Settings page

    • Enter a Server Name.

    • Enter the name that identifies the Network Access Server (NAS) client to the RADIUS server.

    • Enter the name or IP address of the RADIUS server.

    • Enter the authentication port value for the RADIUS server. Default port number: 1812, 1645 (legacy servers).

    • Enter the NAS IP address. If you leave this field empty, the internal IP address is passed to RADIUS requests. You can also fill this field with IPv6 address.

    • Enter the interval of time in seconds to wait for a response from the RADIUS server before timing out the connection.

    • Enter the number of times to try to make a connection after the first attempt fails.

    • Select the Users authenticate using tokens or one-time passwords option to prompt the user for a token instead of a password.

    • Click Next.

      gwlist

      FIGURE 288 RADIUS Authentication Server

    Backup server & Accounting page (required only if Backup server exists)

    • Enter the secondary RADIUS server.

    • Enter the Authentication Port.

    • Enter the Shared Secret.

    • Enter the Accounting Port.

    • Enter the user information to the RADIUS accounting server.

    • Enter Interim Update Interval in minutes to achieve more precise billing for long-lived session clients and during network failure.

    • Select the Use VPN Tunnel assigned IP Address for FRAMED-IP-ADDRESS/FRAMED-IPV6-ADDRESS attribute value in RADIUS Accounting option to use the VPN Tunneling IP address for the FRAMED-IP-ADDRESS/FRAMED-IPV6-ADDRESS attribute instead of the pre-authenticated (original) IP address. Framed IPv6 addresses based attribute fetching and parsing:

      • NAS-IPv6-Address

      • Login-IPv6-Host

    • Enable the Send Interim Updates for sub sessions created inside parent sessions check box to send interim updates for sub sessions (child sessions) created inside parent sessions.

    • Click Next.

      gwlist

      FIGURE 289 RADIUS Authentication Server

    Rules page

    • Select the Enable processing of Radius Disconnect Requests check box. The Radius Disconnect requests received from the backend Radius server will terminate sessions that match the attributes in the request.

    • Select the Enable User Record Synchronization option to retain the bookmarks and individual preferences regardless of which system you log in to.

    • Enter a logical authentication server name.

      gwlist

      FIGURE 290 RADIUS Authentication Server

Configuring Certificate Authentication Server

The certificate server is a local server that allows user authentication based on the digital certificate presented by the user without any other user credentials.

To configure authentication with the Certificate server:

  1. Select Authentication > Authentication Servers.

  2. Click the Add icon and select Certificate from the list to display the configuration page.

  3. Complete the configuration and save changes.

    • Enter a Server Name.

    • Enter a username template. Specify how the system should construct a username. You may use any combination of certificate variables contained in angle brackets and plain text.

    • Select the Enable User Record Synchronization option to retain the bookmarks and individual preferences regardless of which system you log in to.

    • Enter a logical authentication server name.

      gwlist

      FIGURE 291 Certificate Authentication Server

Configuring LDAP Authentication Server

Lightweight Directory Access Protocol (LDAP) facilitates the access of online directory services. LDAP directory consists of a collection of attributes with a name, known as a distinguished name (DN). Each of the entry’s attributes, known as a relative distinguished name (RDN), has a type and one or more values. The types are typically mnemonic strings, such as CN for common name. The valid values for each field depend on the types.

To configure authentication with the LDAP server:

  1. Select Authentication > Authentication Servers.

  2. Click the Add icon and select LDAP from the list to display the configuration page.

  3. Complete the configuration and save changes.

    Settings page

    • Enter a Server Name.

    • Select the Enable Domain Name option if you want to fetch a list of servers from the DNS server. Clear this option if you want to manually enter all the domain controllers host names.

    • Enter the LDAP server name or the IP address.

    • (Optional) Enter the parameters for backup LDAP server1. Default port number: 389

    • Enter the parameters for backup LDAP port1.

    • (Optional) Specify the parameters for backup LDAP server2.

    • Enter the parameters for backup LDAP port2.

    • Select the backend LDAP server type from the following choices: Generic, Active Directory, iPlanet, Novell eDirectory.

    • Select one of the following options for the connection to the LDAP server:

      • Unencrypted - The device sends the username and password to the LDAP Directory Service in cleartext.

      • LDAPS - The device encrypts the data in the LDAP authentication session using the Secure Socket Layer (SSL) protocol before sending it to the LDAP Directory Service.

      • Start TLS - The device allows both secure and plain requests against an LDAP server on a single connection.

    • Enter the time (in seconds) to wait for connection to the primary LDAP server, and then to each backup LDAP server. Default: 15 seconds

    • Enter the time (in seconds) to wait for search results from a connected LDAP server.

      gwlist

      FIGURE 292 LDAP Authentication Server

    • Click Next.

    Authentication & Users page

    • Select the Authentication required to search LDAP option to require authentication when performing search or password management operations.

    • Enter the administrator DN for queries to the LDAP directory.

    • Enter the password for the LDAP server.

    • Enter the backup administrator DN for queries to the LDAP directory, as a fallback when primary Admin DN fails (due to account expiration).

    • Enter the backup administrator password for the LDAP server.

      gwlist

      FIGURE 293 Finding user entries

    • Under Finding user entries:

      • Enter the base DN under which the users are located. For example, dc=sales,dc=acme, dc=com.

      • Enter a unique variable that can be used to do a fine search in the tree. For example, samAccountname=<username> or cn=<username>.

      • Select the Strip domain from Windows username option to pass the username without the domain name to the LDAP server.

    • Click Next.

Membership & Sync page

  • Enter the base DN to search for user groups.

  • Enter a unique variable which can be used to do a fine search in the tree. For example, samAccountname=<username> or cn=<GROUPNAME>.

  • Enter all the members of a static group. For example, member or uniquemember (iPlanet specific Deprecated for 21.x).

  • Select the Reverse group search option to start the search from the member instead of the group. This option is available only for Active Directory server types.

  • Enter an LDAP query that returns the members of a dynamic group. For example, memberURL.

  • Enter how many levels within a group to search for the user. The higher the number, the longer the query time, so we recommend that you specify to perform the search no more than two levels deep.

  • Select one of the following options: Nested groups in Server Catalog, Search all nested groups.

    gwlist

    FIGURE 294 Determining group membership

Configuring SAML Authentication Server

SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. The standard defines the XML-based assertions, protocols, bindings, and profiles used in communication between SAML entities. SAML is used primarily to implement Web browser single sign-on (SSO). SAML enables businesses to leverage an identity-based security system like Ivanti Connect Secure to enforce secure access to web sites and other resources without prompting the user with more than one authentication challenge.

For complete details on the SAML standard, see the OASIS web site:

To configure authentication with the SAML server:

  1. Select Authentication > Authentication Servers.

  2. Click the Add icon and select SAML from the list to display the configuration page.

  3. Complete the configuration and save changes.

Settings

  • Enter a name to identify the server instance.

  • Select SAML version used by the SAML IdP.

  • Select to override the Host FQDN for the SAML server. Host FQDN is used to update the Unique SAML Identifier and ACS URL of the SAML Authentication Server.

  • Select Manual or Metadata for Configuration Mode. If a metadata file or location is available from the SAML identity provider, use the metadata option to make configuration simpler and less prone to error.

  • Enter Identity Provider Entity ID. The identity provider entity ID is sent as the Issuer value in the assertion generated by the SAML identity provider.

  • Enter Identity Provider Single Sign On Service URL. The identity provider SSO service URL is a URL provisioned by the SAML identity provider. The setting is required to support service-provider-initiated SSO.

  • Specify User Name Template to derive the username from the assertion.

  • Specify the maximum allowed difference in time between the system clock and the SAML identity provider server clock.

  • Select Support Single Logout. Single logout is a mechanism provided by SAML for logging out a particular user from all the sessions created by the identity provider. Select this option if the system must receive and send a single logout request for the peer SAML identity provider.

  • Click Save Changes. The SAML Authentication Server gets listed in the Authentication Servers page.

    auth_saml

    FIGURE 295 SAML Authentication Server Settings

SSO

  • Select the SSO tab.

  • Select Artifact to use the Artifact binding. The system then contacts the Artifact Resolution Service (ARS) to fetch the assertion using SOAP protocol. If the ARS is hosted on a HTTPS URL, then the certificate presented by the ARS is verified by the system.

  • Select POST to use the POST binding, the system uses a response signing certificate to verify the signature in the incoming response or assertion. The certificate file must be in PEM or DER format. The certificate you select should be the same certificate used by the identity provider to sign SAML responses.

  • Use the Add and Remove buttons to select authentication context classes to be sent in the authentication requests to the SAML identity provider. These are included in the RequestedAuthnContext element.

  • Click Save Changes.

    auth_saml_sso

    FIGURE 296 SSO Settings

Metadata Settings

  • Select the Metadata tab.

  • Enter the number of days the metadata is valid. Valid values are 0 to 9999. 0 specifies the metadata does not expire.

  • Select Do Not Publish SA Metadata if you do not want to publish the metadata at the location specified by the Entity ID field.

  • Select Download Metadata. This button appears only after you have saved the authentication server configuration. Use this button to download the metadata of the current SAML service provider.

  • Click Save Changes.

    auth_saml_metadata

    FIGURE 297 Metadata Settings

Configuring TOTP Authentication Server

Time-based One-Time Password (TOTP) algorithm as defined in RFC6238 is an authentication mechanism where a one-time password (a.k.a token) is generated by the authentication server and client from a shared secret key and the current time. ICS can act as TOTP authentication server. Any third-party TOTP applications (for example, Windows Authenticator or Google Authenticator) available on the mobile and desktop client platforms generate TOTP tokens.

To configure the TOTP server as Local:

  1. Select Authentication > Authentication Servers.

  2. Click the Add icon and select TOTP from the list to display the configuration page.

  3. Complete the configuration and save changes.

TOTP Auth Server Settings - Local

  • Select Local as Server Type. TOTP context is created locally and user database is maintained locally on the same device.

  • Time Skew - Specify maximum time difference between Ivanti Connect Secure and end user device while authenticating a user’s token. (minimum: 1 minute, maximum: 5 minutes).

  • Number of attempts allowed - Specify maximum number of consecutive wrong attempts allowed after which account will be locked (minimum: 1 attempt, maximum: 5 attempts).

  • Custom message for registration page - Specify a custom message which can be shown on new TOTP user registration web-page.

  • Allow Auto Unlock - When checked, locked account will be automatically unlocked after specified period. (minimum: 10 minutes, maximum: 90 days).

  • Allow new TOTP user registration to happen via external port - When unchecked (default), new TOTP user registrations will happen only via internal port.

  • Accept TOTP authentication from remote ICS devices - When checked, REST access to this TOTP server is allowed from other Ivanti Connect Secure devices.

  • Display QR code during user registration - When checked, displays QR code during user registration.

  • Disable generation of backup codes - When unchecked, generates backup codes.

    gwlist

    FIGURE 298 TOTP Authentication Server

TOTP Auth Server Settings - Remote

  • Select Remote as Server Type. In this configuration, authentication checks take place on the remote TOTP server.

  • If the Allow new TOTP user registration to happen via external port option is not selected, new TOTP user registrations happen only via company intranet network.

  • Enter remote host name or IP address where the TOTP server is configured. The IP address or host name must match the common name mentioned in the remote TOTP server certificate.

  • Enter TOTP Server Name configured on the Remote TOTP server.

  • Enter the REST API login name.

  • Enter the REST API password.

  • Enter the realm name, which refers to the realm that should be used for authenticating the REST user (using the auth. server mapped to the Realm).

  • Use the Test Connection button to validate the connection to the remote TOTP server.

Configuring MDM Authentication Server

The access management framework MDM authentication server configuration includes details on how the system communicates with the MDM Web RESTful API service and how it derives the device identifier from the certificates presented by endpoints.

To configure authentication with the MDM server:

  1. Select Authentication > Authentication Servers.

  2. Click the Add icon and select MDM from the list to display the configuration page.

  3. Complete the configuration and save changes.

    • Type - Select one of the following options: AirWatch, MobileIron, Microsoft Intune

Applicable to AirWatch and MobileIron

  • Enter the URL for the MDM server. This is the URL the MDM has instructed you to use to access its RESTful Web API (also called a RESTful Web service).

  • Enter the URL for the MDM report viewer. This URL is used for links from the Active Users page to the MDM report viewer.

  • Enter a timeout period (5-60 seconds) for queries to the MDM server. The default is 15 seconds.

  • Enter the username and password for an account that has privileges to access the MDM RESTful Web API.

  • (AirWatch only) Copy and paste the AirWatch API tenant code.

Applicable to Microsoft Intune

  • Enter Azure AD Tenant ID.

  • Enter Web application ID that has been registered in Azure AD.

  • Enter Secret key of the web application registered in azure AD.

  • Enter a timeout period (5-60 seconds) for queries to the MDM server. The default is 15 seconds.

Device Identifier

  • Construct a template to derive the device identifier from the certificate attributes. The template can contain textual characters as well as variables for substitution.

  • Select the device identifier type that matches the selection in the MDM SCEP certificate configuration:

    • UUID - The device Universal Unique Identifier. This is the key device identifier supported by MobileIron MDM.

    • Serial Number - The device serial number.

    • UDID - The device Unique Device Identifier. This is the key device identifier supported by AirWatch MDM.

    • IMEI - The device unique identifier. IMEI (15 decimal digits: 14 digits plus a check digit) or IMEISV (16 digits) includes information on the origin, model, and serial number of the device. This is the key device identifier supported by Microsoft Intune.

      gwlist

      FIGURE 299 MDM Authentication Server

Configuring Active Directory Authentication Server

Active Directory is a directory service used in Windows domain networks. It is included in most Windows server operating systems. Enterprise servers that run Active Directory are called domain controllers. An Active Directory domain controller authenticates and authorizes users and computers in a Windows domain network.

When you use Active Directory as the authentication and authorization service for your Ivanti access management framework, users can sign in to Ivanti Connect Secure using the same username and password they use to access their Windows desktops. You can also use Active Directory group information in role mapping rules.

To configure authentication with the MDM server:

  1. Select Authentication > Authentication Servers.

  2. Click the Add icon and select Active Directory from the list to display the configuration page.

  3. Complete the configuration and save changes.

  • Specify a name to identify the server within the system.

  • Specify the NetBIOS domain name for the Active Directory domain.

  • Specify the FQDN of the Active Directory domain.

  • Specify a username that has permission to join computers to the Active Directory domain.

  • Specify the password for the special user.

  • Select Save Credentials. If this setting is not enabled, the credentials entered will be destroyed after successfully joining the domain.

  • Specify the machine account name. The default computer name is derived from the license hardware in the following format: 0161MT2L00K2C0. We recommend the Computer Name string contain no more than 14 characters to avoid potential issues with the AD/NT server. Do not include the ‘$’ character.

  • Specify the protocol to use during authentication. The system attempts authentication using the protocols you have enabled in the order shown on the configuration page. For example, if you have selected the check boxes for Kerberos and NTLMv2, the system sends the credentials to Kerberos. If Kerberos succeeds, the system does not send the credentials to NTLMv2. If Kerberos is not supported or fails, the system uses NTLMv2 as the next protocol in order.

  • Contact trusted domains. Select this option to contact domain controllers of trusted domains directly without proxying authentication requests and group membership checks through the domain controller.

  • Enter the maximum number of simultaneous domain connections (1 to 10).

  • Enable periodic password change of machine account. Select this option to change the domain machine account password for this configuration.

  • Click Save Changes.

    auth_ad

    FIGURE 300 Active Directory Authentication Server