Single Sign-On
If user authentication through RADIUS is applied to the network, user authentication can be performed automatically from the accounting packets sent by a RADIUS client such as an Access Point. Genian ZTNA receives these external RADIUS accounting packets, saves them as audit records, and uses them as user authentication information.
When network access is granted to the user by the NAS, an Accounting Start (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "start") is sent by the NAS to the RADIUS server to signal the start of the user's network access. "Start" records typically contain the user's identification, network address, point of attachment and a unique session identifier. Periodically, Interim Update records (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "interim-update") may be sent by the NAS to the RADIUS server, to update it on the status of an active session. "Interim" records typically convey the current session duration and information on current data usage. Finally, when the user's network access is closed, the NAS issues a final Accounting Stop record (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "stop") to the RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access. Typically, the client sends Accounting-Request packets until it receives an Accounting-Response acknowledgement, using some retry interval.
Via RADIUS Accounting
The RADIUS accounting server is responsible for receiving the accounting request and returning a response to the client indicating that it has successfully received the request. The RADIUS accounting server can act as a proxy client to other kinds of accounting servers.
To enable single sign-on from external RADIUS servers:
- Go to Preferences in top panel
- Go to Service > RADIUS Server in the left Preferences panel
Under Accounting Server
- For Single Sign-On, select On.
- For Acct-Status-Type, select events to update authentication status from the following: Start, Stop, Interim-Update.
- For Shared Secret Key, enter the pre-shared secret key for RADIUS client authentication.
- For Attribute to Match, select MAC and IP when the RADIUS accounting packet contains both Calling-Station-Id and Framed-IP-Address. If the accounting packet has no Framed-IP-Address attribute, or is generated by the Generating Accounting option in the Authentication Server settings, select MAC.
- For Node Status, choose All Nodes or Up Nodes for authentication eligibility.
- Click Update.
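The following is an added example (not Genian ZTNA code) of what the accounting server side of this feature has to do with each packet: verify the Request Authenticator against the Shared Secret Key before trusting it, and then extract the Acct-Status-Type, Calling-Station-Id and Framed-IP-Address attributes that the Attribute to Match setting relies on. The secret, user, MAC and IP values are constructed sample data.

```python
import hashlib, hmac, ipaddress, struct

ACCOUNTING_REQUEST = 4
# Attribute types (RFC 2865/2866) used by the SSO matching rules above.
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_accounting_request(ident, secret, attrs):
    # Request Authenticator = MD5(Code+ID+Length + 16 zero bytes + attrs + secret), RFC 2866
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_accounting_request(packet, secret):
    """Check the Request Authenticator with the shared secret, then return the
    fields the SSO matcher uses (status, user, mac, ip). None means: discard."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong secret or tampered packet: must not create an SSO session
    fields, pos = {"id": ident}, 0
    while pos + 2 <= len(body):
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            return None  # malformed attribute length
        v = body[pos + 2:pos + l]
        if t == ACCT_STATUS_TYPE and len(v) == 4:
            fields["status"] = STATUS_NAMES.get(struct.unpack("!I", v)[0], "Other")
        elif t == FRAMED_IP_ADDRESS and len(v) == 4:
            fields["ip"] = str(ipaddress.IPv4Address(v))
        elif t == CALLING_STATION_ID:  # NAS formats vary; normalise to aa:bb:cc:dd:ee:ff
            fields["mac"] = v.decode("ascii", "replace").replace("-", ":").lower()
        elif t == USER_NAME:
            fields["user"] = v.decode("utf-8", "replace")
        pos += l
    return fields

# Constructed sample: a Start record from a NAS for user "jdoe" (all values made up).
SECRET = b"example-shared-secret"
SAMPLE = build_accounting_request(7, SECRET, [
    (USER_NAME, b"jdoe"), (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (CALLING_STATION_ID, b"00-11-22-AA-BB-CC"),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
])
```

A packet built with a different secret, or truncated in transit, is rejected before any of its attributes are used, which is the property the Shared Secret Key setting provides.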
Via AD Domain Login
Genian ZTNA can read Active Directory domain logon user information and register the user as authenticated on that node. This may be accomplished with or without an endpoint agent.
To use any method of AD Single Sign-On, you must enable it under the Node Policy you wish to apply it to:
Apply SSO to Node Policies:
- Navigate to Policy in the top panel.
- Go to Node Policy and select a policy to allow AD SSO.
Under Authentication Policy:
- For Single Sign-On Method, select Active Directory.
- For Domain Name, enter your domain name as FQDN.
- Click Update.
Enable Agent Based AD SSO
- Install the agent as shown in Installing Agent.
- The agent execution/installation account must be a domain account. If the agent is installed under a local account, SSO cannot function.
Enable Agentless AD SSO
This feature performs agentless SSO through a WMI query to the Domain Controller (it supports all nodes that have authenticated to the domain). The ZTNA Network Sensor performs SSO authentication by comparing the AD server's domain logon event logs with the device host/domain name the Network Sensor detected through NetBIOS. Therefore, the Network Sensor must be able to reach the device over NetBIOS and the AD server over remote WMI.
Navigate to Preferences in the top panel, then select Authentication Integration > AD Single Sign-On on the left panel.
Under AD Single Sign-On:
- For Connect to AD Server from, specify the sensor that connects to the AD server. If none is selected, the connection is made from the Policy Server.
- For Server Address, specify the server address / domain for AD (Active Directory) Single Sign-On. Users are automatically authenticated if the node is joined to the domain.
- For User ID, specify the user ID used to monitor the server's event log.
- For Password, specify the password used to monitor the server's event log.
- For Secondary AD, specify whether to use a secondary AD.
- Click the Update button.
Choose AD connection Settings:
- By default this query is performed by the Policy Server.
- To perform the query from a Network Sensor, navigate to Preferences > Beta Features and select a sensor from the Connect to AD SSO Server from drop-down list.
Domain Controller Configuration:
Be sure the Bind DN account user is a member of the following groups:
- Distributed COM Users
- Event Log Readers
- Server Operators
Administrative account status is not required for these privileges.
- Run 'wmimgmt.msc' from the command prompt.
- From the Security tab of WMI Control Properties, select the CIMV2 folder.
- Click Security, click Add, and then select the Bind DN account.
- Check Allow for both Enable Account and Remote Enable.
- Apply the changes.
How to check whether a device is joined to the AD domain:
- On the AD server:
  - Go to Control Panel > Active Directory Users and Computers.
  - Click Domain > Computers and check the list of joined computers.
- On the client computer:
  - Open the Command Prompt.
  - Type ping [AD domain] and check the connection.
- See the Agentless Q&A on the Frequently Asked Questions page.