Integrating User Directories
============================

You can configure the Policy Server to authenticate users against external
authentication systems such as LDAP, RADIUS, IMAP, POP3, SMTP, or other
third-party systems.

RADIUS
------

Remote Authentication and Dial-in User Service (RADIUS) is a broadly supported
client-server protocol that provides centralized authentication, authorization,
and accounting functions.

You can configure the Policy Server to use an existing external RADIUS server
for user authentication. When a user authenticates through the captive web
portal or an agent, the user's password is verified against the RADIUS server.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left
   Preferences panel
#. Find **RADIUS Server** section in the main window
#. For **Server Address**, enter the RADIUS server's IP Address or FQDN.
#. For **Server Port**, enter the RADIUS server's port (Default is 1812)
#. For **Shared Secret Key**, enter the pre-shared secret key for RADIUS
   authentication.
#. Click **Update**

.. _intergrate-external-ldap:

LDAP (Active Directory)
-----------------------

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to
maintain data that may include departments, people, groups of people,
passwords, email addresses, and much more. Genian NAC can be integrated with
LDAP to collect User Information and validate User Credentials.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left
   Preferences panel
#. Find **LDAP Server** section in the main window
#. Enter the following:

   - **Server Address**:
   - **Server Port**: (*LDAP=389, LDAPS=636*)
   - **Base DN**: (*e.g. CN=Users,DC=company,DC=com*)
   - **Bind DN**: (*Should be FQDN: e.g. Administrator@company.com*) (*Bind
     Account should have Administrator Privileges*)
   - **Bind Password**:
   - **User Naming Attribute**: (*e.g. sAMAccountName*)
   - **SSL Connection**: (*Turn on if using LDAPS*)

#. Click **Update**
#. Click **Test** to test configuration settings (*Test account can be any User
   Account found within the Base DN*)

.. note:: Known Issues

   LDAP Server connection failed. URI=ldaps://[IP]:[PORT]/, ERRMSG='-1:Can't contact LDAP
   server, TLSv1.0=-1:Can't contact LDAP server'

   Possible fix: update the AD (LDAP) server's operating system with the latest
   patches. There are known issues authenticating against Active Directory over
   Secure LDAP on unpatched servers due to encryption incompatibility.

Email is a service that most organizations already run, which makes it an easy
choice for a user directory. The Policy Server can check a user's username and
password using **SMTP**, **POP3**, and **IMAP**.

IMAP
----

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left
   Preferences panel
#. Find **IMAP Server** section in the main window
#. Enter **Server Address**, **Server Port**, and **Domain Name**
#. Click **Update**
#. Click **Test** to test configuration settings

**Examples**

============================ ===================== ======== ==============
Service Name                 Server Name           Port     Domain
============================ ===================== ======== ==============
Google G Suites              imap.gmail.com        993      Your Domain
Exchange Online (Office 365) outlook.office365.com 993      Your Domain
============================ ===================== ======== ==============

POP3
----

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left
   Preferences panel
#. Find **POP3 Server** section in the main window
#. Enter **Server Address**, **Server Port**, and **Domain Name**
#. Click **Update**
#. Click **Test** to test configuration settings

**Examples**

============================ ===================== ======== ==============
Service Name                 Server Name           Port     Domain
============================ ===================== ======== ==============
Google G Suites              pop.gmail.com         995      Your Domain
Exchange Online (Office 365) outlook.office365.com 995      Your Domain
============================ ===================== ======== ==============

SMTP
----

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left
   Preferences panel
#. Find **SMTP Server** section in the main window
#. Enter **Server Address**, **Server Port**, **Connection Security**, and
   **Domain Name**
#. Click **Update**
#. Click **Test** to test configuration settings

**Examples**

============================ ===================== ======== ====================== ==============
Service Name                 Server Name           Port     Connection Security    Domain
============================ ===================== ======== ====================== ==============
Google G Suites              smtp.gmail.com        465      SMTPS                  Your Domain
Office 365                   smtp.office365.com    587      MSA/STARTTLS           Your Domain
============================ ===================== ======== ====================== ==============

.. note:: Known Issues

   Gmail Error: "Authentication failed.Authentication failed.SMTP(535-5.7.8:Username and Password not accepted. Learn more at https://support.google.com/mail/?p=BadCredentialsy32sm41405227qt)"

   Fix: Turn on **Less secure app access** in the Google account's security
   settings, or use SAML integration instead.
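The checks below reproduce, outside the GUI, what the IMAP, POP3 and SMTP **Test** buttons do against the servers listed in the tables above, which is useful when tracing a failure such as the Gmail 535 error. This is an added example, not Genian NAC's own code; the function names and the ``connect`` parameter (which lets a test substitute a fake client) are assumptions, and the real standard-library clients are used by default.

```python
"""Credential checks over IMAP, POP3 and SMTP, as the Policy Server's
mail-based authentication performs them (assumed equivalent logic).

Each checker returns True when the mail server accepts the username and
password, and False on an authentication failure or a connection error.
"""
import imaplib
import poplib
import smtplib


def check_imap(host, port, user, password, connect=imaplib.IMAP4_SSL):
    """IMAP over TLS (port 993 for Gmail and Office 365 in the table above)."""
    try:
        conn = connect(host, port)
        conn.login(user, password)   # raises IMAP4.error on bad credentials
        conn.logout()
        return True
    except (imaplib.IMAP4.error, OSError):
        return False


def check_pop3(host, port, user, password, connect=poplib.POP3_SSL):
    """POP3 over TLS (port 995 in the table above)."""
    try:
        conn = connect(host, port)
        conn.user(user)
        conn.pass_(password)         # raises poplib.error_proto on bad credentials
        conn.quit()
        return True
    except (poplib.error_proto, OSError):
        return False


def check_smtp(host, port, user, password, starttls=False, connect=None):
    """SMTPS on 465 (plain TLS socket) or MSA/STARTTLS on 587 (upgrade first)."""
    if connect is None:
        connect = smtplib.SMTP if starttls else smtplib.SMTP_SSL
    try:
        conn = connect(host, port)
        if starttls:
            conn.starttls()          # upgrade the cleartext session before AUTH
        conn.login(user, password)   # Gmail's "535 5.7.8" surfaces here
        conn.quit()
        return True
    except (smtplib.SMTPException, OSError):
        return False
```

Run against the real hosts, a False result with correct credentials points at the server-side settings described in the Known Issues note rather than at the Policy Server configuration.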

SAML 2.0
--------

Security Assertion Markup Language (`SAML`_) is an open standard for exchanging
authentication and authorization data between parties. A SAML exchange involves
an End User, a Service Provider (SP) that requires authentication, and an
Identity Provider (IdP) that provides the authentication service. If Genian NAC
is integrated with Google through SAML, Genian NAC becomes the SP and Google
becomes the IdP.

The following are the basic configuration steps for SAML integration.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left
   Preferences panel
#. Find **SAML2** section in the main window
#. Copy the **SP Entity ID** and **SP ACS URL** values
#. Input these values into the *IdP server* when configuring Genian NAC as a
   SAML application there.
#. For **IdP Entity ID** and **IdP SSO URL**, enter the values obtained from
   the IdP server.
#. For **x509 Certificate**, paste the certificate issued by the IdP server.
#. Click **Update**
#. Click **Test** to test configuration settings

.. toctree::
   :maxdepth: 1

   integrate-external/saml-okta
   integrate-external/saml-okta-adminconsole
   integrate-external/saml-gsuite

Webhook Authentication Integration
--------------------------------------

When a user attempts to log in through the Webhook authentication integration,
a Webhook event occurs and Genian NAC invokes the configured Webhook URL with
the submitted credentials.

The login succeeds when the called URL returns a response that Genian NAC
recognizes as a success value.

To set up the Webhook authentication integration:

1. Go to **Policy > Node Policy** and select the node policy for which you want to enable Webhook authentication.
2. Go to **Advanced > Authentication Policy > Authentication Method**, click **ASSIGN**, and assign SAML.

   - **The authentication method located at the top of the authentication method list is used for authentication.**

3. Go to **Preferences > User Authentication > Authentication Integration > Webhook**.
4. Set the URL to call when the event occurs and select the call method (GET or POST).

.. code-block:: text

   ex) content-type - json
   Get Method : https://called URL/?id={_USERID}&pwd={_USERPASSWORD}
   Post Method : https://called URL

5. For the POST method, select the **content-type** and enter POST data in the format that content type expects.

.. code-block:: text

   ex)
   content-type - application/json
   Post Data : id={_USERID}&pwd={_USERPASSWORD}

6. Enter the **Regex for Authentication** (the pattern that a successful return value must match).
7. Enter the **Regex for Result Message**.
8. Enter the **Charset** used to decode the Result Message.

.. note:: To enable SSL-based encrypted communication, modify the Webhook URL to https.
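The functions below model the exchange configured in steps 4 to 8: how the ``{_USERID}`` and ``{_USERPASSWORD}`` placeholders are filled into the GET URL or the POST data, and how the Regex for Authentication and Regex for Result Message are applied to the response body. This is an added example, not Genian NAC's own code; the function names, the percent-encoding of substituted values and the example host are assumptions. With the GET method the password is carried in the URL, which web servers and proxies commonly log, so POST over https is the safer choice.

```python
import re
from urllib.parse import quote


def build_request(method, url, post_data, userid, password):
    """Return (method, url, body) with the NAC placeholders filled in.

    Values are percent-encoded so that '&', '=' or '#' inside a password
    cannot reshape the query string or form body. (Assumed behaviour; a
    JSON body would need JSON escaping instead.)
    """
    def fill(template):
        return (template.replace("{_USERID}", quote(userid, safe=""))
                        .replace("{_USERPASSWORD}", quote(password, safe="")))

    if method.upper() == "GET":
        return "GET", fill(url), None       # credentials travel in the URL
    return "POST", url, fill(post_data)     # credentials stay in the body


def evaluate_response(raw_body, auth_regex, message_regex=None, charset="utf-8"):
    """Decode the body with the configured charset and apply both regexes.

    Returns (authenticated, message): authenticated is True only when the
    Regex for Authentication matches; message is the first capture group of
    the Regex for Result Message (or the whole match if it has no group).
    """
    body = raw_body.decode(charset, errors="replace")
    authenticated = re.search(auth_regex, body) is not None
    message = ""
    if message_regex:
        m = re.search(message_regex, body)
        if m:
            message = m.group(1) if m.groups() else m.group(0)
    return authenticated, message


if __name__ == "__main__":
    # Constructed sample: a JSON reply from a hypothetical webhook endpoint.
    reply = b'{"result":"success","msg":"welcome alice"}'
    print(build_request("POST", "https://auth.example.com/",
                        "id={_USERID}&pwd={_USERPASSWORD}", "alice", "p&ss=1"))
    print(evaluate_response(reply, r'"result"\s*:\s*"success"',
                            r'"msg"\s*:\s*"([^"]*)"'))
```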


Testing Integration
-------------------

You can test the integration configurations of **RADIUS**, **LDAP**, **IMAP**,
**POP3**, **SMTP**, or **SAML** to verify successful connections.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left
   Preferences panel
#. Find **Authentication Test** section at the bottom of the main window
#. Click **Update** if you made any configuration changes
#. Click **Test** to test configuration settings

.. _SAML: https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

Troubleshooting
---------------

- :doc:`/troubleshoot/ldap-search-failed-1`