If user authentication through RADIUS is applied to the network, user authentication can be automatically performed through accounting packet provided by RADIUS client such as Access Point. Genian NAC receives external RADIUS accounting packets, saves them as audit records, and uses them as user authentication information.
When network access is granted to the user by the NAS, an Accounting Start (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "start") is sent by the NAS to the RADIUS server to signal the start of the user's network access. "Start" records typically contain the user's identification, network address, point of attachment and a unique session identifier. Periodically, Interim Update records (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "interim-update") may be sent by the NAS to the RADIUS server, to update it on the status of an active session. "Interim" records typically convey the current session duration and information on current data usage. Finally, when the user's network access is closed, the NAS issues a final Accounting Stop record (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "stop") to the RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access. Typically, the client sends Accounting-Request packets until it receives an Accounting-Response acknowledgement, using some retry interval.
Via RADIUS Accounting¶
The RADIUS accounting server is responsible for receiving the accounting request and returning a response to the client indicating that it has successfully received the request. The RADIUS accounting server can act as a proxy client to other kinds of accounting servers.
To enable single sign on from external RADIUS Servers:
- Go to Preferences in top panel
- Go to Service > RADIUS Server in the left Preferences panel
Under Accounting Server
- For Single Sign-On, select On.
- For Acct-Status-Type, select events to update authentication status from the following: Start, Stop, Interim-Update.
- For Shared Secret Key, enter the pre-shared secret key for RADIUS client authentication.
- For Attribute to Match, select MAC and IP when RADIUS accounting packet contains Calling-Station-Id and Framed-IP-Address. If accounting packet doesn't have Framed-IP-Address attribute or generated by Generating Accounting option on Authentication Server setting, select MAC.
- For Node Status, choose All Nodes or Up Nodes for authentication eligibility.
- Click Update
Via AD Domain Login¶
Genian NAC can read Active Directory domain logon user information and register the user as authenticated on that node. This may be accomplished with, or without an endpoint agent.
To use any method of AD Single Sign-On, you must enable it under the Node Policy you wish to apply it to:
Apply SSO to Node Policies:
- Navigate to Policy in the top panel.
- Go to Node Policy and select a policy to allow AD SSO.
Under Authentication Policy:
- For Single Sign-On Method, select Active Directory.
- For Domain Name, enter your domain name as FQDN.
- Click Update.
Enable Agent Based AD SSO¶
- Install the agent as shown in Installing Agent.
- The agent execution/installation account must be set as Domain account. If the agent is installed to a local account, SSO cannot function.
Enable Agentless AD SSO¶
This feature performs agentless SSO through WMI query to the Domain Controller (Supports all nodes that have authenticated to the domain).
Navigate to Preferences in the top panel, then select Authentication Integration on the left panel.
Under LDAP Server:
- For Server Address, Set the IP or domain of the external LDAP (ActiveDirectory) server to integrate with.
- For Bind DN, Set the Bind DN value for monitoring the server's event log.
- For Bind Password, Set Bind DN password for event log monitoring of the server.
- Change the Single Sign-On option to On.
- Click Update button.
Choose AD connection Settings:
- By default this query is performed by the Policy Server.
- To perform the query from a Network Sensor, navigate to Preferences > Laboratory and select a Sensor from the Connect to AD SSO Server from drop down list.
Domain Controller Configuration:
Be sure the Bind DN account user is part of the following groups:
Administrative account status is not required for these privileges.
- Distributed COM Users
- Event Log Readers
- Server Operators
Run 'wmimgmt.msc' on the command prompt
From the Security tab on WMI Control Properties:
Select the CIMV2 folder
Click Security, Click Add and then select the Bind DN Account.
Check both Allow for "Enable Account" and "Remote Enable"