Integrating User Directories
============================

You can configure the Policy Server to authenticate against external authentication systems using LDAP, RADIUS, IMAP, POP3, SMTP, or other third-party systems.

RADIUS
------

Remote Authentication Dial-In User Service (RADIUS) is a broadly supported client-server protocol that provides centralized authentication, authorization, and accounting functions. You can configure the Policy Server to integrate with an existing external RADIUS server for user authentication. When a user is authenticated through a captive web portal or an agent, the user's password is verified against the RADIUS server.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **RADIUS Server** section in the main window
#. For **Server Address**, enter the RADIUS server's IP address or FQDN
#. For **Server Port**, enter the RADIUS server's port (default is 1812)
#. For **Shared Secret Key**, enter the pre-shared secret key for RADIUS authentication
#. Click **Update**

.. _intergrate-external-ldap:

LDAP (Active Directory)
-----------------------

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain directory data such as departments, people, groups of people, passwords, email addresses, and much more. Genian NAC can be integrated with LDAP to collect user information and validate user credentials.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **LDAP Server** section in the main window
#. Enter the following:

   - **Server Address**:
   - **Server Port**: (*LDAP=389, LDAPS=636*)
   - **Base DN**: (*e.g. CN=Users,DC=company,DC=com*)
   - **Bind DN**: (*Should be FQDN: e.g. Administrator@company.com*) (*The bind account should have Administrator privileges*)
   - **Bind Password**:
   - **User Naming Attribute**: (*e.g. sAMAccountName*)
   - **SSL Connection**: (*Turn on if using LDAPS*)

#. Click **Update**
#. Click **Test** to test the configuration settings (*The test account can be any user account found within the Base DN*)

.. note:: Known Issues

   LDAP Server connection failed. ``URI=ldaps://[IP]:[PORT]/, ERRMSG='-1:Can't contact LDAP server, TLSv1.0=-1:Can't contact LDAP server'``

   Possible Fix: Update the AD (LDAP) server operating system to the latest patches. There are known issues authenticating against Active Directory over Secure LDAP on unpatched servers due to encryption incompatibility.

Email is a service provided by most organizations, which makes it an easy choice for a user directory. You can verify a user's username and password using **SMTP**, **POP3**, or **IMAP**.

IMAP
----

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **IMAP Server** section in the main window
#. Enter the **Server Address**, **Server Port**, and **Domain Name**
#. Click **Update**
#. Click **Test** to test the configuration settings

**Examples**

============================ ===================== ======== ==============
Service Name                 Server Name           Port     Domain
============================ ===================== ======== ==============
Google G Suite               imap.gmail.com        993      Your Domain
Exchange Online (Office 365) outlook.office365.com 993      Your Domain
============================ ===================== ======== ==============

POP3
----

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **POP3 Server** section in the main window
#. Enter the **Server Address**, **Server Port**, and **Domain Name**
#. Click **Update**
#. Click **Test** to test the configuration settings

**Examples**

============================ ===================== ======== ==============
Service Name                 Server Name           Port     Domain
============================ ===================== ======== ==============
Google G Suite               pop.gmail.com         995      Your Domain
Exchange Online (Office 365) outlook.office365.com 995      Your Domain
============================ ===================== ======== ==============

SMTP
----

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **SMTP Server** section in the main window
#. Enter the **Server Address**, **Server Port**, **Connection Security**, and **Domain Name**
#. Click **Update**
#. Click **Test** to test the configuration settings

**Examples**

============================ ===================== ======== ====================== ==============
Service Name                 Server Name           Port     Connection Security    Domain
============================ ===================== ======== ====================== ==============
Google G Suite               smtp.gmail.com        465      SMTPS                  Your Domain
Office 365                   smtp.office365.com    587      MSA/STARTTLS           Your Domain
============================ ===================== ======== ====================== ==============

.. note:: Known Issues

   Gmail Error: ``"Authentication failed.Authentication failed.SMTP(535-5.7.8:Username and Password not accepted. Learn more at https://support.google.com/mail/?p=BadCredentialsy32sm41405227qt)"``

   Fix: Turn on "Less secure app access" in the Google account settings under Security, or use SAML integration.

SAML 2.0
--------

Security Assertion Markup Language (`SAML`_) is an open standard that allows exchanging authentication and authorization data between parties. SAML involves an End User, a Service Provider (SP) that requires authentication, and an Identity Provider (IdP) that provides authentication services. If Genian NAC is integrated with Google through SAML, Genian NAC becomes the SP and Google becomes the IdP.
The following are the basic configuration steps for SAML integration.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **SAML2** section in the main window
#. Copy the **SP Entity ID** and **SP ACS URL** values
#. Input these values into the *IdP server* during Genian NAC SAML configuration
#. For **IdP Entity ID** and **IdP SSO URL**, enter the values obtained from the IdP server
#. For **x509 Certificate**, paste the certificate issued by the IdP server
#. Click **Update**
#. Click **Test** to test the configuration settings

.. toctree::
   :maxdepth: 1

   integrate-external/saml-okta
   integrate-external/saml-okta-adminconsole
   integrate-external/saml-gsuite

Webhook Authentication Integration
----------------------------------

When a user attempts to log in with the Webhook authentication integration, a Webhook event occurs and Genian NAC invokes the Webhook URL. The user is logged in when the called URL returns a value that Genian NAC recognizes as success.

Here's how to set up the Webhook authentication integration.

1. **Policy > Node Policy**: select the node policy for which you want to enable Webhook authentication.
2. **Advanced > Authentication Policy > Authentication Method**: click **ASSIGN** and assign SAML.

   - **The authentication method located at the top of the authentication method list is used for authentication.**

3. **Preferences > User Authentication > Authentication Integration > Webhook**
4. Set the URL to call when the event occurs and the call method (select GET or POST).

   .. code-block:: text

      ex) content-type - json
      Get Method  : https://called URL/?id={_USERID}&pwd={_USERPASSWORD}
      Post Method : https://called URL

5. For the POST method, select the **content-type** and enter the POST data in the appropriate format.

   .. code-block:: text

      ex) content-type - application/json
      Post Data : id={_USERID}&pwd={_USERPASSWORD}

6. Enter the Regex for Authentication (**the pattern that the returned value must match for the login to count as successful**).
7. Enter the Regex for Result Message.
8. Enter the Charset for Result Message.

.. note:: To enable SSL-based encrypted communication, use https in the Webhook URL.

Testing Integration
-------------------

You can test the integration configurations of **RADIUS**, **LDAP**, **IMAP**, **POP3**, **SMTP**, or **SAML** to verify successful connections.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **Authentication Test** section at the bottom of the main window
#. Click **Update** if you made any configuration changes
#. Click **Test** to test the configuration settings

.. _SAML: https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

Troubleshooting
---------------

- :doc:`/troubleshoot/ldap-search-failed-1`
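The RADIUS section above configures a server address, port 1812 and a Shared Secret Key but does not show what that secret protects. The following is an added example, not Genian NAC code and not a description of its internals: it builds a standard Access-Request with the PAP User-Password hiding from RFC 2865 (section 5.2), parses it back the way a RADIUS server would, and verifies a Response Authenticator (RFC 2865, section 3) so that a forged Access-Accept is not trusted. The host, secret and credentials are constructed placeholders.

```python
"""RADIUS Access-Request with PAP User-Password hiding (RFC 2865).

Added example; host, port, secret and credentials are constructed.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types


def encode_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Pad the password with NULs to 16-byte blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    The only key material is the shared secret, so its strength is the whole game."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                      # an empty password still occupies one block
        padded = b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                    # chaining: next key depends on this block
    return bytes(out)


def decode_user_password(secret: bytes, authenticator: bytes, encoded: bytes) -> bytes:
    """Inverse of encode_user_password (the server side). Trailing NUL padding is
    stripped, so a password that itself ends in NUL bytes cannot be carried."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the 2 header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, username, password, identifier=1, authenticator=None):
    """Code, Identifier, Length, 16-byte Request Authenticator, then attributes."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, encode_user_password(secret, authenticator, password.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a {type: value} attribute map,
    rejecting inconsistent lengths instead of reading past the buffer."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "identifier": identifier, "authenticator": packet[4:20], "attrs": attrs}


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What a server sends back: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret) -> bool:
    """Recompute the Response Authenticator; an Access-Accept that fails this
    check was not produced by a party holding the shared secret."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_access_request(host, port, secret, username, password, timeout=3.0):
    """Send one Access-Request over UDP; return the verified response code or None."""
    packet = build_access_request(secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_packet(data)["code"] if verify_response(data, packet[4:20], secret) else None


if __name__ == "__main__":
    # Constructed target; substitute the Server Address, Port and Shared Secret Key configured above.
    print(send_access_request("192.0.2.10", 1812, b"constructed-shared-secret", "alice", "p@ss"))
```

Because the password hiding is a keyed MD5 stream rather than an authenticated cipher, the shared secret should be long and random, and the path between the Policy Server and the RADIUS server should be a trusted network segment or a tunnel; the Response Authenticator check is what stops a spoofed Access-Accept from logging a user in.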
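The Webhook Authentication Integration section above describes the two halves of the exchange: Genian NAC calls a URL with ``{_USERID}`` and ``{_USERPASSWORD}`` substituted (GET query string or POST body), then applies the Regex for Authentication, Regex for Result Message and Charset to the reply. The following is an added example, not Genian NAC code and not its actual matching logic: a small endpoint of the kind such a webhook would call, which accepts both the GET form and the POST form shown in the steps (including the page's ``application/json`` content type carrying ``id=...&pwd=...`` form data), checks the credential against a salted PBKDF2 store with a constant-time comparison, and returns JSON; ``match_result`` models how the three NAC-side settings would be applied to that reply. The user store, URL path and listening port are constructed.

```python
"""Webhook authentication endpoint plus a model of the NAC-side result matching.

Added example; the user store, listening address and field names are constructed.
"""
import hashlib
import hmac
import json
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 so the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed store: username -> (salt, derived key).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct-horse", _SALT))}
_DUMMY = (b"\x00" * 16, b"\x00" * 32)   # keeps unknown-user timing close to known-user timing


def authenticate(user: str, password: str) -> dict:
    """Return the JSON-serialisable reply the webhook sends back."""
    salt, expected = USERS.get(user, _DUMMY)
    ok = user in USERS and hmac.compare_digest(_derive(password, salt), expected)
    return {"result": "success" if ok else "failure",
            "message": "authenticated" if ok else "invalid credentials"}


def response_body(user: str, password: str) -> bytes:
    """UTF-8 JSON bytes; the NAC-side Charset setting must agree with this."""
    return json.dumps(authenticate(user, password)).encode("utf-8")


def credentials_from_get(path: str) -> tuple:
    """GET form from the page: https://called URL/?id={_USERID}&pwd={_USERPASSWORD}"""
    query = parse_qs(urlparse(path).query)
    return query.get("id", [""])[0], query.get("pwd", [""])[0]


def credentials_from_post(content_type: str, body: bytes) -> tuple:
    """POST form: a JSON object {"id": ..., "pwd": ...}, or, as in the page's
    example, id=...&pwd=... form data even when the content type says JSON."""
    if content_type.split(";")[0].strip() == "application/json":
        try:
            data = json.loads(body)
            if isinstance(data, dict):
                return str(data.get("id", "")), str(data.get("pwd", ""))
        except ValueError:
            pass                                  # not JSON; fall through to form parsing
    query = parse_qs(body.decode("utf-8", errors="replace"))
    return query.get("id", [""])[0], query.get("pwd", [""])[0]


def match_result(body: bytes, success_regex: str, message_regex: str, charset: str = "utf-8") -> tuple:
    """Model of steps 6-8: decode with the configured charset, succeed only when the
    success regex matches, and take the result message from the first capture group."""
    text = body.decode(charset)
    ok = re.search(success_regex, text) is not None
    found = re.search(message_regex, text)
    return ok, (found.group(1) if found and found.groups() else "")


class WebhookHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self._reply(*credentials_from_get(self.path))

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply(*credentials_from_post(self.headers.get("Content-Type", ""), body))

    def _reply(self, user: str, password: str):
        payload = response_body(user, password)
        self.send_response(200)                   # outcome is carried in the body for the regex
        self.send_header("Content-Type", "application/json; charset=utf-8")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):
        pass                                      # default access log would record the GET query, i.e. the password


if __name__ == "__main__":
    # Constructed bind address; in practice terminate TLS in front of this so the
    # Webhook URL can be https, as the note above requires.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

With this endpoint, a Regex for Authentication of ``"result"\s*:\s*"success"`` and a Regex for Result Message of ``"message"\s*:\s*"([^"]*)"`` (Charset ``utf-8``) give the NAC a success/failure decision and a human-readable message. The GET variant places the password in the URL, where proxies and web-server access logs record it by default, which is why the handler suppresses its own logging and why the POST variant over https is the safer choice.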