Integrating User Directories

You can configure the Policy Server to authenticate users against external authentication systems using LDAP, RADIUS, IMAP, POP3, SMTP, or other third-party systems.

RADIUS

You can configure the Policy Server to integrate with existing external RADIUS servers for user authentication. When a user is authenticated through a Captive Web Portal (CWP) or an agent, the user's password is authenticated through the RADIUS server.

  1. Go to Settings in the top left menu.
  2. In the left settings menu, go to User Authentication > Authentication Integration.

In the RADIUS Authentication Integration menu, configure the following:

  1. Server Address: Set the IP address or FQDN of the external RADIUS authentication server to integrate with.
  2. Server Port: Set the RADIUS authentication server service port. (Default port: 1812)
  3. Authentication Key: Set the authentication key (shared secret) used for mutual authentication with the RADIUS authentication server.
  4. Click the Modify button.
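To make clear what the Authentication Key actually protects, the following added example (not Genian code, and not how the Policy Server is implemented; constructed values throughout) builds an Access-Request the way RFC 2865 describes it: the User-Password attribute is hidden with MD5 keyed by the shared secret and the Request Authenticator, and the server's reply carries a Response Authenticator that only a holder of the same secret can compute. The hiding step is obfuscation, not encryption, so a short or guessable key lets anyone who can capture the RADIUS traffic recover user passwords offline; choose a long random key and keep the path between the Policy Server and the RADIUS server on a trusted network.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the demonstration; not taken from the page.
# The shared secret is the "Authentication Key" entered on the Policy Server
# and configured identically on the RADIUS server.
SHARED_SECRET = b"replace-with-a-long-random-key"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes and XOR
    each block with MD5(secret + previous block), seeded with the Request
    Authenticator. Keyed obfuscation, not encryption: a weak secret lets a
    network observer recover the password offline."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")  # remove the zero padding


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list after the 20-byte header, rejecting bad lengths."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier: int, username: str, password: str, secret: bytes):
    """Client role (what the Policy Server plays). Returns the packet and the
    Request Authenticator, which is needed later to verify the reply."""
    request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    packet = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    return packet, request_auth


def response_authenticator(code, identifier, attrs, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Only a server holding the same secret can produce it; this is the
    'mutual authentication' the Authentication Key provides."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret) -> bytes:
    """Server reply (Access-Accept or Access-Reject)."""
    return (HEADER.pack(code, identifier, 20 + len(attrs))
            + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply forged without the secret, or altered in transit,
    fails the constant-time comparison here and must be ignored."""
    if len(packet) < 20:
        return False
    code, identifier, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    pkt, auth = build_access_request(7, "alice", "correct horse battery", SHARED_SECRET)
    got = parse_attributes(pkt)
    print("server recovers:", reveal_password(got[ATTR_USER_PASSWORD], SHARED_SECRET, auth))
    reply = build_response(ACCESS_ACCEPT, 7, b"", auth, SHARED_SECRET)
    print("reply authentic:", verify_response(reply, auth, SHARED_SECRET))
```

Note that `verify_response` is the step that gives the Policy Server any assurance about who answered; without the secret, the source address of a UDP reply proves nothing.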

LDAP (Active Directory) Server Integration

You can configure the Policy Server to integrate User Authentication with Active Directory.

  1. Go to Settings in the top menu.
  2. In the left settings menu, go to User Authentication > Authentication Integration.
  3. In the Authentication Integration window, find the LDAP Authentication Integration menu.
  4. Find and enter the options below:
    • Server Address: Set the address/domain of the server system for LDAP (Active Directory) authentication integration.
    • Server Port: Set the LDAP service port number. (Standard values: Non-SSL=389, SSL=636)
    • Base DN: Set the LDAP Base DN. (e.g., CN=Users,DC=geni,DC=genians,DC=com)
    • Bind DN: Set the Bind DN value for user search. Leave blank if Anonymous search is possible. (Domain example: Administrator@genians.com / Bind account must have administrator privileges.)
    • Bind Password: Set the Bind DN password for user search.
    • Search Attribute: Set the attribute name containing the user ID (Active Directory: sAMAccountName).
    • SSL Connection: Select whether to use an SSL connection when connecting to the LDAP server.
    • Use Secondary LDAP: Select whether to use a Secondary LDAP server.
  5. Click the Modify button.
  6. Click Test to test the configuration settings. (The test account can be any user account found within the Base DN.)

Note

Known Issues

  • Error message: "Failed to connect to LDAP server. URI=ldaps://[IP]:[PORT]/, ERRMSG='-1:Can't contact LDAP server, TLSv1.0=-1:Can't contact LDAP server'"
  • Solution: Update the LDAP server firmware to the latest patch. This is a "known issue attempting to authenticate against Active Directory via LDAP on un-patched servers," and it occurs due to encryption incompatibility.
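The two pieces of the LDAP integration that most often go wrong in practice are the user search (the Search Attribute value comes straight from whatever the user typed into the portal) and the TLS handshake behind the error message above. The following added example is not Genian code and does not show how the Policy Server is implemented; it uses constructed host names and DNs. It escapes the login ID before placing it in a filter, as RFC 4515 requires, so an ID such as `*)(objectClass=*` matches a literal account name rather than rewriting the query, and it builds an LDAPS connection that verifies the server certificate and refuses TLS 1.0/1.1, which surfaces handshake problems before any bind is attempted.

```python
import socket
import ssl

# Constructed placeholders, not the page's values. The Base DN shape and the
# sAMAccountName attribute follow the configuration steps above.
LDAP_HOST = "dc01.example.internal"
BASE_DN = "CN=Users,DC=example,DC=internal"
SEARCH_ATTRIBUTE = "sAMAccountName"

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it goes into an LDAP search filter,
    so filter metacharacters in a portal login ID cannot change the query."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(user_id: str, attribute: str = SEARCH_ATTRIBUTE) -> str:
    """Filter for the 'user search' step (assumed form): the single user
    object whose Search Attribute equals the portal login ID."""
    return f"(&(objectClass=user)({attribute}={escape_filter_value(user_id)}))"


def ldap_uri(host: str, port: int, use_ssl: bool) -> str:
    """URI in the same form as the one shown in the Known Issues error message."""
    return f"{'ldaps' if use_ssl else 'ldap'}://{host}:{port}/"


def default_port(use_ssl: bool) -> int:
    """Standard ports from the Server Port option: 636 for SSL, 389 otherwise."""
    return 636 if use_ssl else 389


def ldaps_context(ca_file=None) -> ssl.SSLContext:
    """TLS settings for the SSL Connection option: verify the server
    certificate against the given CA bundle (or the system store), check the
    hostname, and refuse TLS 1.0/1.1."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_ldaps(host: str, port: int = 636, ca_file=None, timeout: float = 5.0):
    """Open a TLS connection to the LDAPS port and report the negotiated
    protocol, or why the handshake failed. A failure at this stage, before
    any LDAP bind, is what the 'Can't contact LDAP server' message reflects."""
    ctx = ldaps_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} with {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed: {exc}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    print(ldap_uri(LDAP_HOST, default_port(True), True))
    print(user_search_filter("alice"))
    print(user_search_filter("*)(objectClass=*"))  # escaped, stays a literal
    print(probe_ldaps(LDAP_HOST, timeout=2.0))
```

Run against a real domain controller, `probe_ldaps` reporting a handshake failure while port 636 is reachable points at the certificate chain or the server's TLS version support, which is the case the Known Issues note describes.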

Email is a service that most organizations already run, which makes it the easiest choice for a user directory. You can verify a user's ID and password against the SMTP, POP3, and IMAP services that email uses.

IMAP

  1. Go to Settings in the top menu.
  2. In the left settings menu, go to User Authentication > Authentication Integration.
  3. In the main window, find IMAP Authentication Integration.
  4. Enter IMAP Server, IMAP Port, and User Domain.
  5. Click the Modify button.
  6. Click the Authentication Test > Test button to test user authentication.

Example

Service Name                  Server Name            Port  Domain
Google G Suites               imap.gmail.com         993   Your Domain
Exchange Online (Office 365)  outlook.office365.com  993   Your Domain

POP3

  1. Go to Settings in the top menu.
  2. In the left settings menu, go to User Authentication > Authentication Integration.
  3. In the main window, find POP3 Authentication Integration.
  4. Enter POP3 Server, POP3 Port, and User Domain.
  5. Click the Modify button.
  6. Click the Authentication Test > Test button to test user authentication.

Example

Service Name                  Server Name            Port  Domain
Google G Suites               pop.gmail.com          995   Your Domain
Exchange Online (Office 365)  outlook.office365.com  995   Your Domain

SMTP

  1. Go to Settings in the top menu.
  2. In the left settings menu, go to User Authentication > Authentication Integration.
  3. In the main window, find SMTP Authentication Integration.
  4. Enter SMTP Server, SMTP Port, and User Domain.
  5. Click the Modify button.
  6. Click the Authentication Test > Test button to test user authentication.

Note

Genian NAC supports only SMTPS (SMTP over SSL).

Example

Service Name                  Server Name            Port  Domain
Google G Suites               smtp.gmail.com         465   Your Domain

Troubleshooting

Error

Confirmed issues with Gmail SMTP Authentication Integration:

  • Authentication Test: Authentication failed. SMTP(535-5.7.8:Username and Password not accepted. Learn more at 535 5.7.8 https://support.google.com/mail/?p=BadCredentialsy32sm41405227qt)
  • Genian NAC Log: Login failed. ERRMSG='Authorize(Account disabled)'
  • Solution: Configure 'Less secure app access' in Google account settings/security.
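The IMAP, POP3 and SMTP integrations above all reduce to the same check: connect to the mail service over implicit TLS on the listed port, log in with the user's credentials, and treat a rejected login as a failed authentication. The following added example (not Genian code and not the Policy Server's implementation; server and domain values are constructed, and the `id@domain` mailbox form is an assumption about how the User Domain field is applied) performs that check with the Python standard library, verifying the server certificate and pinning the minimum TLS version, and parses an SMTP reply of the kind shown in the troubleshooting entry so the reply code and enhanced status code can be logged separately.

```python
import imaplib
import poplib
import re
import smtplib
import ssl

# Constructed values; not taken from the page.
USER_DOMAIN = "example.com"


def login_name(user_id: str, domain: str) -> str:
    """Combine the portal login ID with the configured User Domain into the
    mailbox name sent to the server (assumption: id@domain, unless the ID
    already carries a domain or no domain is configured)."""
    if not domain or "@" in user_id:
        return user_id
    return f"{user_id}@{domain}"


def tls_context() -> ssl.SSLContext:
    """Certificate and hostname verification on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_email_login(protocol, server, port, user_id, domain, password, timeout=10):
    """Same check as the Authentication Test button: connect over implicit
    TLS (IMAPS 993 / POP3S 995 / SMTPS 465), authenticate, disconnect.
    Returns (ok, message); the message never includes the password."""
    name = login_name(user_id, domain)
    ctx = tls_context()
    try:
        if protocol == "imap":
            conn = imaplib.IMAP4_SSL(server, port, ssl_context=ctx, timeout=timeout)
            conn.login(name, password)
            conn.logout()
        elif protocol == "pop3":
            conn = poplib.POP3_SSL(server, port, timeout=timeout, context=ctx)
            conn.user(name)
            conn.pass_(password)
            conn.quit()
        elif protocol == "smtp":
            conn = smtplib.SMTP_SSL(server, port, timeout=timeout, context=ctx)
            conn.login(name, password)
            conn.quit()
        else:
            return False, f"unsupported protocol: {protocol}"
    except smtplib.SMTPAuthenticationError as exc:
        text = exc.smtp_error.decode(errors="replace")
        return False, f"SMTP({exc.smtp_code}-{text})"
    except (imaplib.IMAP4.error, poplib.error_proto) as exc:
        return False, f"{protocol.upper()} login rejected: {exc}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection error: {exc}"
    return True, "authentication succeeded"


# "535-5.7.8 Username and Password not accepted." -> code, enhanced status, text
_SMTP_STATUS = re.compile(r"^(\d{3})[ -](\d\.\d\.\d)\s*(.*)")


def parse_smtp_auth_error(text: str):
    """Split an SMTP reply into (reply code, enhanced status code, text) for
    logging and triage; returns None when the line is not in that form."""
    m = _SMTP_STATUS.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


if __name__ == "__main__":
    for proto, host, port in (("imap", "imap.example.com", 993),
                              ("pop3", "pop.example.com", 995),
                              ("smtp", "smtp.example.com", 465)):
        print(proto, check_email_login(proto, host, port, "alice", USER_DOMAIN, "not-the-real-password"))
    print(parse_smtp_auth_error("535-5.7.8 Username and Password not accepted."))
```

A `535` reply with enhanced status `5.7.8` is the server rejecting the credentials or the authentication method itself, not a transport problem; a TLS or socket error is reported separately so the two are not confused in logs.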

SAML 2.0

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties. A SAML exchange involves an End User, a Service Provider (SP) that requires authentication, and an Identity Provider (IdP) that provides the authentication service. When Genian NAC is integrated with Google through SAML, Genian NAC is the SP and Google is the IdP.

The following are the basic configuration steps for SAML integration.

  1. Go to Settings in the top menu.
  2. In the left settings menu, go to User Authentication > Authentication Integration.
  3. In the main window, find SAML2.
  4. Copy the SP Entity ID and SP ACS URL values.
  5. Enter the copied corresponding values from Genian NAC into the IdP server.
  6. For IdP Entity ID and IdP SSO URL, enter the values obtained from the IdP server.
  7. For x509 Certificate, enter the certificate issued by the IdP server.
  8. Click the Modify button.
  9. Click the Authentication Test > Test button to test user authentication.

OIDC (OpenID Connect)

OIDC (OpenID Connect, https://openid.net/connect/) is an open standard authentication layer built on top of OAuth 2.0. Through OIDC, clients can verify the identity of end users based on authentication performed by an Authorization Server and obtain basic profile information. When Genian NAC is integrated with an external Identity Provider through OIDC, Genian NAC becomes the Relying Party (RP) and the external system becomes the OpenID Provider (OP).

The following OIDC Providers are supported:

Testing Integration

Webhook authentication calls a URL you configure, passing the user's credentials, and logs the user in when the value returned by that URL to Genian NAC matches the configured success value.

The following is how to set up to use Webhook authentication integration.

  1. In Policy - Node Policy, click and select the node policy for which you want to enable Webhook authentication.
  2. In the Node Policy detailed settings, click the assign button for Authentication Method and add Webhook. (The authentication method located at the top of the authentication method list is used for authentication.)
  3. Go to Settings - Authentication Integration - Webhook Authentication Integration.

  4. When an event occurs, set the URL to call and the Call Method. (Select the call method between GET and POST.)
     Example) Data format - json
     GET Method: http://{URL to call}/?id={_USERID}&pwd={_USERPASSWORD}
     POST Method: http://{URL to call}/
  5. For the POST method, select the Data Transfer Type and enter the POST data appropriate for the data format.
     Example) Data format - application/json
     POST Data: id={_USERID}&pwd={_USERPASSWORD}
  6. Enter the regular expression for result verification. (Create a return success value.)
  7. Enter the regular expression for the result message.
  8. Set the character set for the result message.

Note

To use SSL-based encrypted communication, modify the Webhook URL to https.
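Both ends of the Webhook exchange are simple enough to show in full. The following added example is not Genian code and does not show how the Policy Server is implemented; the receiver, its user table and the URL are constructed, and the percent-encoding of the substituted `{_USERID}` and `{_USERPASSWORD}` values is an assumption. It fills the page's GET and POST templates, answers them from a small receiver that compares password hashes in constant time, and then applies a success regex, a message regex and a character set to the reply, which is the verification the steps above configure. Because the GET form places the password in the URL, where web server access logs and proxies record it, the POST form over https is the one to prefer.

```python
import hashlib
import hmac
import json
import re
from urllib.parse import parse_qs, quote, urlsplit


# --- Receiver side: a constructed sample directory holding password hashes only. ---
def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


USERS = {"alice": _pw_hash("correct horse battery")}

# --- Policy Server side: the page's templates, with {URL} standing in for the call URL. ---
GET_TEMPLATE = "{URL}/?id={_USERID}&pwd={_USERPASSWORD}"
POST_DATA_TEMPLATE = "id={_USERID}&pwd={_USERPASSWORD}"


def fill_template(template: str, base_url: str, user_id: str, password: str) -> str:
    """Substitute the placeholders. Values are percent-encoded (assumption) so
    '&', '=' or spaces in a password cannot add or replace parameters."""
    return (template.replace("{URL}", base_url.rstrip("/"))
            .replace("{_USERID}", quote(user_id, safe=""))
            .replace("{_USERPASSWORD}", quote(password, safe="")))


def build_webhook_request(base_url: str, method: str, user_id: str, password: str):
    """Return (url, body). GET carries the credentials in the query string;
    POST carries them in the body and keeps them out of URL logs."""
    if method == "GET":
        return fill_template(GET_TEMPLATE, base_url, user_id, password), None
    return base_url.rstrip("/") + "/", fill_template(POST_DATA_TEMPLATE, base_url, user_id, password)


def handle_webhook(method: str, url: str, body: str = "") -> str:
    """Receiver: parse id/pwd, check against the directory in constant time,
    and answer with a small JSON document the Policy Server's regexes can read."""
    raw = urlsplit(url).query if method == "GET" else body
    fields = parse_qs(raw, keep_blank_values=True)
    user_id = fields.get("id", [""])[0]
    password = fields.get("pwd", [""])[0]
    stored = USERS.get(user_id, _pw_hash(""))  # hash even for unknown users
    ok = user_id in USERS and hmac.compare_digest(stored, _pw_hash(password))
    payload = {"result": "OK" if ok else "FAIL",
               "msg": f"welcome {user_id}" if ok else "invalid credentials"}
    return json.dumps(payload, separators=(",", ":"))


def evaluate_webhook_response(raw: bytes, success_regex: str, message_regex: str,
                              charset: str = "utf-8"):
    """Policy Server: decode with the configured character set, treat a match
    of the success regex as a successful login, and pull the result message
    out with the message regex (first capture group if there is one)."""
    text = raw.decode(charset, errors="replace")
    ok = re.search(success_regex, text) is not None
    m = re.search(message_regex, text)
    message = (m.group(1) if m.groups() else m.group(0)) if m else ""
    return ok, message


SUCCESS_REGEX = r'"result":"OK"'       # the "return success value"
MESSAGE_REGEX = r'"msg":"([^"]*)"'     # the result message


def webhook_login(base_url: str, method: str, user_id: str, password: str):
    """End to end: build the request, run it through the receiver, evaluate the reply."""
    url, body = build_webhook_request(base_url, method, user_id, password)
    reply = handle_webhook(method, url, body or "")
    return evaluate_webhook_response(reply.encode("utf-8"), SUCCESS_REGEX, MESSAGE_REGEX)


if __name__ == "__main__":
    print(webhook_login("https://auth.example.internal", "POST", "alice", "correct horse battery"))
    print(webhook_login("https://auth.example.internal", "GET", "alice", "wrong"))
```

Anchor the success regex on something the receiver only emits for an accepted login; a pattern that also matches the failure reply (such as a bare `result`) would log every user in.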

Authentication Integration Test

You can test the integration configurations of RADIUS, LDAP, IMAP, POP3, SMTP, or Webhook to verify successful connections.

  1. Go to Settings in the top left menu.
  2. In the left settings menu, go to User Authentication > Authentication Integration.
  3. In the main window, find Authentication Test.
  4. If you have made changes to the settings, click Modify.
  5. Click Test to test the changed settings.