Integrating User Directories

You can configure the Policy Server to authenticate to external authentication systems using LDAP, RADIUS, IMAP, POP3, SMTP, or other third-party systems.

RADIUS

Remote Authentication and Dial-in User Service (RADIUS) is a broadly supported client-server protocol that provides centralized authentication, authorization, and accounting functions.

You can configure Policy Server to integrate with existing external RADIUS Server for User Authentication. When a user is authenticated through a captive web portal or an agent, the user password is authenticated through a RADIUS server.

1. Go to Preferences in the top panel
2. Go to User Authentication > Authentication Integration in the left Preferences panel
3. Find RADIUS Server section in the main window
4. For Server Address, enter the RADIUS server's IP Address or FQDN.
5. For Server Port, enter the RADIUS server's port (Default is 1812)
6. For Shared Secret Key, enter the pre-shared secret key for RADIUS authentication.
7. Click Update

LDAP (Active Directory)

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain data that may include departments, people, groups of people, passwords, email addresses, and much more. Genian ZTNA can be integrated with LDAP to collect User Information and validate User Credentials.

1. Go to Preferences in the top panel
2. Go to User Authentication > Authentication Integration in the left Preferences panel
3. Find LDAP Server section in the main window
4. Enter the following:
   • Server Address:
   • Server Port: (LDAP=389, LDAPS=636)
   • Base DN: (e.g. CN=Users,DC=company,DC=com)
   • Bind DN: (Should be FQDN: e.g. Administrator@company.com) (Bind Account should have Administrator Privileges)
   • Bind Password:
   • User Naming Attribute: (e.g. sAMAccountName)
   • SSL Connection: (Turn on if using LDAPS)
5. Click Update
6. Click Test to test configuration settings (Test account can be any User Account found within the Base DN)

Note

Known Issues

LDAP Server connection failed. URI=ldaps://[IP]:[PORT]/, ERRMSG='-1:Can't contact LDAP server, TLSv1.0=-1:Can't contact LDAP server'

Possible Fix: Update AD(LDAP) Server Operating System to latest patches. Known issues authenticating against Active directory over Secure LDAP on un-patched servers due to encryption incompatibility.

EMAIL is the service provided by most organizations, making it an easy choice to provide the user directory. You can check the user's username and password using SMTP, POP3, and IMAP.

IMAP

1. Go to Preferences in the top panel
2. Go to User Authentication > Authentication Integration in the left Preferences panel
3. Find IMAP Server section in main window
4. Enter in Server Address, Server Port, and Domain Name
5. Click Update
6. Click Test to test configuration settings

Examples

Service Name	Server Name	Port	Domain
Google G Suites	imap.gmail.com	993	Your Domain
Exchange Online (Office 365)	outlook.office365.com	993	Your Domain

POP3

1. Go to Preferences in the top panel
2. Go to User Authentication > Authentication Integration in the left Preferences panel
3. Find POP3 Server section in main window
4. Enter in Server Address, Server Port, and Domain Name
5. Click Update
6. Click Test to test configuration settings

Examples

Service Name	Server Name	Port	Domain
Google G Suites	pop.gmail.com	995	Your Domain
Exchange Online (Office 365)	outlook.office365.com	995	Your Domain

SMTP

1. Go to Preferences in the top panel
2. Go to User Authentication > Authentication Integration in the left Preferences panel
3. Find SMTP Server section in main window
4. Enter in Server Address, Server Port, Connection Security and Domain Name
5. Click Update
6. Click Test to test configuration settings

Examples

Service Name	Server Name	Port	Connection Security	Domain
Google G Suites	smtp.gmail.com	465	SMTPS	Your Domain
Office 365	smtp.office365.com	587	MSA/STARTTLS	Your Domain

Note

Known Issues

Gmail Error: "Authentication failed.Authentication failed.SMTP(535-5.7.8:Username and Password not accepted. Learn more at https://support.google.com/mail/?p=BadCredentialsy32sm41405227qt)"

Fix: Turn on Less secure app access in Google account settings / security or use SAML integration

SAML 2.0

Security Assertion Markup Language (SAML) is an open standard that allows exchanging authentication and authorization data between parties. SAML consists of an End User and a Service Provider (SP) that requires authentication, and an Identity Provider (IdP) that provides authentication services. If Genian ZTNA is integrated with Google through SAML, Genian ZTNA becomes SP and Google becomes IdP.

The following are the basic configuration steps for SAML integration.

1. Go to Preferences in the top panel
2. Go to User Authentication > Authentication Integration in the left Preferences panel
3. Find SAML2 section in main window
4. Copy the SP Entity ID and SP ACS URL values
5. Input these values into the IdP server during Genian ZTNA SAML configuration.
6. For IdP Entity ID and IdP SSO URL , enter the values obtained from the IdP server.
7. For x509 Certificate, Paste the certificate issued by the IdP server.
8. Click Update
9. Click Test to test configuration settings

• okta (SAML2.0) - CWP
• Okta (SAML2.0) - Web Console

Testing Integration

You can test the integration configurations of RADIUS, LDAP, IMAP, POP3, SMTP, or SAML to verify successful connections.

1. Go to Preferences in the top panel
2. Go to User Authentication > Authentication Integration in the left Preferences panel
3. Find Authentication Test section at the bottom of main window
4. Click Update if you made any configuration changes
5. Click Test to test configuration settings

Troubleshooting

• LDAP Search Failed - Operations Error