.. _sso:

Single Sign-On
================

If user authentication through RADIUS is applied to the network, user authentication can be performed automatically from the accounting packets that a RADIUS client such as an Access Point sends. Genian NAC receives external RADIUS accounting packets, saves them as audit records, and uses them as user authentication information.

When network access is granted to the user by the NAS, an Accounting Start (a RADIUS Accounting-Request packet containing an Acct-Status-Type attribute with the value "start") is sent by the NAS to the RADIUS server to signal the start of the user's network access. "Start" records typically contain the user's identification, network address, point of attachment and a unique session identifier.

Periodically, Interim Update records (a RADIUS Accounting-Request packet containing an Acct-Status-Type attribute with the value "interim-update") may be sent by the NAS to the RADIUS server to update it on the status of an active session. "Interim" records typically convey the current session duration and information on current data usage.

Finally, when the user's network access is closed, the NAS issues a final Accounting Stop record (a RADIUS Accounting-Request packet containing an Acct-Status-Type attribute with the value "stop") to the RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access. Typically, the client sends Accounting-Request packets until it receives an Accounting-Response acknowledgement, using some retry interval.

Via RADIUS Accounting
-----------------------

The RADIUS accounting server is responsible for receiving the accounting request and returning a response to the client indicating that it has successfully received the request. The RADIUS accounting server can act as a proxy client to other kinds of accounting servers.
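As an added illustration (not part of the Genian NAC documentation or product code), the following Python script models the receiving side of this exchange: it builds a sample Accounting-Request the way a NAS would, verifies the Request Authenticator against the shared secret, extracts Acct-Status-Type, Calling-Station-Id and Framed-IP-Address, and applies Start / Stop / Interim-Update events to a node-to-user table using either MAC-and-IP or MAC-only matching, mirroring the **Acct-Status-Type**, **Shared Secret Key** and **Attribute to Match** settings described in this section. Attribute numbers and the authenticator formula follow RFC 2865/2866; the secret, user name, MAC and IP values are constructed for the example, and the session table is a simplified stand-in for the product's own records.

```python
import hashlib
import struct

USER_NAME, FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40  # RFC 2865/2866
STATUS = {1: "start", 2: "stop", 3: "interim-update"}  # Acct-Status-Type values


def build_acct_request(secret, ident, attrs):
    """Build an Accounting-Request (code 4) as a NAS would (sample input only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 4, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_acct_request(packet, secret):
    """Verify the authenticator with the shared secret; return attributes SSO needs."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or packet[0] != 4 or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("authenticator mismatch: wrong shared secret")
    attrs, pos = {}, 20
    while pos < length:  # walk the Type/Length/Value attribute list
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    ip = attrs.get(FRAMED_IP)
    return {
        "status": STATUS.get(int.from_bytes(attrs.get(ACCT_STATUS_TYPE, b""), "big")),
        "user": attrs.get(USER_NAME, b"").decode(),
        "mac": attrs.get(CALLING_STATION_ID, b"").decode().upper(),
        "ip": ".".join(str(b) for b in ip) if ip and len(ip) == 4 else None,
    }


def apply_sso(sessions, rec, enabled_events, match="MAC and IP"):
    """Apply one record to the node -> user table; return the key touched, or None."""
    if rec["status"] not in enabled_events:
        return None  # event type not selected under Acct-Status-Type
    if match == "MAC and IP" and rec["ip"] is None:
        return None  # no Framed-IP-Address, so a MAC-and-IP match is impossible
    key = (rec["mac"], rec["ip"]) if match == "MAC and IP" else rec["mac"]
    if rec["status"] == "stop":
        sessions.pop(key, None)  # stop ends the authenticated session
    else:
        sessions[key] = rec["user"]  # start / interim-update mark the node authenticated
    return key
```

A packet that fails the authenticator check is rejected before any attribute is read, which is why the shared secret must match on both the NAS and the accounting server.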
To enable single sign-on from external RADIUS servers:

#. Go to **Preferences** in the top panel.
#. Go to **Service > RADIUS Server** in the left Preferences panel.

Under **Accounting Server**:

#. For **Single Sign-On**, select **On**.
#. For **Acct-Status-Type**, select the events that update authentication status from the following: **Start, Stop, Interim-Update**.
#. For **Shared Secret Key**, enter the pre-shared secret key used to authenticate the RADIUS client.
#. For **Attribute to Match**, select **MAC and IP** when the RADIUS accounting packet contains both **Calling-Station-Id** and **Framed-IP-Address**. If the accounting packet does not have a **Framed-IP-Address** attribute, or is generated by the **Generating Accounting** option in the Authentication Server setting, select **MAC**.
#. For **Node Status**, choose **All Nodes** or **Up Nodes** to decide which nodes are eligible for authentication.
#. Click **Update**.

Via AD Domain Login
---------------------

Genian NAC can read Active Directory domain logon user information and register the user as authenticated on that node. This may be accomplished with or without an endpoint agent.

To use any method of AD Single Sign-On, you must enable it under the Node Policy you wish to apply it to.

**Apply SSO to Node Policies:**

#. Navigate to **Policy** in the top panel.
#. Go to **Node Policy** and select a policy to allow AD SSO.

Under **Authentication Policy**:

#. For **Single Sign-On Method**, select **Active Directory**.
#. For **Domain Name**, enter your domain name as an FQDN.
#. Click **Update**.

Enable Agent Based AD SSO
'''''''''''''''''''''''''''

#. Install the agent as shown in :doc:`/install/installing-agent`.

   - The agent execution/installation account must be a domain account. If the agent is installed under a local account, SSO cannot function.

Enable Agentless AD SSO
'''''''''''''''''''''''''

This feature performs agentless SSO through a WMI query to the Domain Controller (supports all nodes that have authenticated to the domain).
The NAC Network Sensor performs SSO authentication by comparing the AD server's domain logon event logs with the host/domain name of the device that the sensor detected through NetBIOS. Therefore, the Network Sensor must be able to reach the device over NetBIOS and the AD server over remote WMI.

#. Navigate to **Preferences** in the top panel, then select **Authentication Integration > AD Single Sign-On** on the left panel.

   Under **AD Single Sign-On**:

   - For **Connect to AD Server from**, specify the sensor that connects to the AD server. If none is selected, the connection is made from the Policy Server.
   - For **Server Address**, specify the server address / domain for AD (Active Directory) Single Sign-On. Users are authenticated automatically if the node is joined to the domain.
   - For **User ID**, specify the user ID used to monitor the server's event log.
   - For **Password**, specify the password used to monitor the server's event log.
   - For **Secondary AD**, specify whether to use a secondary AD.
   - Click the **Update** button.

#. Choose **AD connection Settings**:

   - By default this query is performed by the Policy Server.
   - To perform the query from a Network Sensor, navigate to **Preferences > Beta Features** and select a Sensor from the **Connect to AD SSO Server from** drop-down list.

**Domain Controller Configuration:**

#. Be sure the Bind DN account user is part of the following groups. Administrative account status is not required for these privileges.

   - Distributed COM Users
   - Event Log Readers
   - Server Operators

#. Run ``wmimgmt.msc`` from the command prompt.
#. From the Security tab of WMI Control Properties:

   #. Select the CIMV2 folder.
   #. Click Security, click Add, and then select the Bind DN account.
   #. Check Allow for both **Enable Account** and **Remote Enable**.
   #. Apply the changes.

**How to check whether a device is joined to the AD domain:**

#. How to check on the AD server:

   - Go to **Control Panel > Active Directory Users and Computers**.
   - Click **Domain > Computers** and check the list of joined computers.

#. How to check on the client computer:

   - Open the **Command Prompt**.
   - Type ``ping [AD domain]`` and check the connection.

.. toctree::
   :maxdepth: 1

   ms-wmi

- Please check the Agentless Q&A on the :ref:`faq` page.