Integrating User Directories

You can configure the Policy Server to authenticate users against external authentication systems using LDAP, RADIUS, IMAP, POP3, SMTP, or other third-party systems.

RADIUS

Remote Authentication and Dial-in User Service (RADIUS) is a broadly supported client-server protocol that provides centralized authentication, authorization, and accounting functions.

You can configure the Policy Server to integrate with an existing external RADIUS server for user authentication. When a user is authenticated through a captive web portal or an agent, the user's password is verified against the RADIUS server.

  1. Go to Preferences in the top panel
  2. Go to User Authentication > Authentication Integration in the left Preferences panel
  3. Find the RADIUS Server section in the main window
  4. For Server Address, enter the RADIUS server's IP address or FQDN.
  5. For Server Port, enter the RADIUS server's port (default is 1812)
  6. For Shared Secret Key, enter the pre-shared secret key used for RADIUS authentication.
  7. Click Update
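The shared secret entered in step 6 is what ties the NAC's RADIUS messages to the server: it keys the PAP password obfuscation in the Access-Request and the Response Authenticator in the reply. The following example, added here and not part of Genian NAC or the original page, walks both sides of that exchange per RFC 2865 using constructed values (the secret, user and Request Authenticator are placeholders):

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example; the real secret is the Shared Secret Key field.
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_user_password(password, secret, request_auth):
    """Hide a PAP password as RFC 2865 section 5.2 requires: XOR with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block  # the next keystream block chains on this ciphertext block
    return out


def decode_user_password(encoded, secret, request_auth):
    """What the RADIUS server does: regenerate the keystream, XOR back, strip padding."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attr(code, value):
    return bytes([code, 2 + len(value)]) + value  # Type, Length, Value


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAC side: Access-Request carrying User-Name and the obfuscated User-Password."""
    request_auth = request_auth or os.urandom(16)  # fresh, unpredictable Request Authenticator
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(
        ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(packet, request_auth, secret):
    """NAC side: discard any Access-Accept/Reject that was not keyed with the shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(hashlib.md5(header + request_auth + attrs + secret).digest(), resp_auth)
```

Because the password hiding is only MD5-keyed XOR, the secret's strength and the confidentiality of the NAC-to-RADIUS path (a dedicated management network or IPsec) are what protect user passwords in transit.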

LDAP (Active Directory)

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain data that may include departments, people, groups of people, passwords, email addresses, and much more. Genian NAC can be integrated with LDAP to collect User Information and validate User Credentials.

  1. Go to Preferences in the top panel
  2. Go to User Authentication > Authentication Integration in the left Preferences panel
  3. Find the LDAP Server section in the main window
  4. Enter the following:
    • Server Address:
    • Server Port: (LDAP=389, LDAPS=636)
    • Base DN: (e.g. CN=Users,DC=company,DC=com)
    • Bind DN: (Should be FQDN, e.g. Administrator@company.com) (The bind account should have Administrator privileges)
    • Bind Password:
    • User Naming Attribute: (e.g. sAMAccountName)
    • SSL Connection: (Turn on if using LDAPS)
  5. Click Update
  6. Click Test to test the configuration settings (the test account can be any user account found within the Base DN)

Note

Known Issues

LDAP Server connection failed. URI=ldaps://[IP]:[PORT]/, ERRMSG='-1:Can't contact LDAP server, TLSv1.0=-1:Can't contact LDAP server'

Possible Fix: Update the AD (LDAP) server operating system with the latest patches. There are known issues authenticating against Active Directory over Secure LDAP on unpatched servers due to encryption incompatibility.
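The LDAP settings above describe a two-step flow: the bind account searches the Base DN for the entry whose User Naming Attribute equals the login name, then the NAC binds as that entry with the user's password. The example below, added here and not Genian NAC's own code, models that flow against a constructed in-memory directory (the DNs, account names and passwords are placeholders) and shows the two checks a practitioner wants at each step: RFC 4515 escaping of the login name so it cannot alter the search filter, and refusing an empty password, since an LDAP simple bind with an empty password is an anonymous bind that many servers accept.

```python
import hmac

BASE_DN = "CN=Users,DC=company,DC=com"   # the Base DN field
USER_NAMING_ATTR = "sAMAccountName"      # the User Naming Attribute field

# Constructed stand-in for the directory: DN -> attributes. Passwords are stored in
# clear only to keep the example self-contained; a real DC verifies the bind itself.
FAKE_DIRECTORY = {
    "CN=Alice,CN=Users,DC=company,DC=com": {"sAMAccountName": "alice", "password": "Wint3r!"},
    "CN=Bob,OU=Contractors,DC=company,DC=com": {"sAMAccountName": "bob", "password": "x"},
}

# RFC 4515: characters that change a filter's structure must be hex-escaped.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(username):
    """The filter a real server would receive, e.g. (sAMAccountName=alice)."""
    return f"({USER_NAMING_ATTR}={escape_filter_value(username)})"


def search_under_base(directory, base_dn, username):
    """Exact-match lookup limited to the Base DN subtree (what the filter above asks for)."""
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(suffix)
            and attrs.get(USER_NAMING_ATTR, "").lower() == username.lower()]


def authenticate(directory, username, password):
    """Bind-account search, then a bind as the located user. Returns (ok, reason_or_dn)."""
    if not password:
        # Empty password = anonymous simple bind (RFC 4513): must never count as success.
        return False, "empty password"
    matches = search_under_base(directory, BASE_DN, username)
    if len(matches) != 1:
        return False, f"expected exactly one match, found {len(matches)}"
    user_dn = matches[0]
    if not hmac.compare_digest(directory[user_dn]["password"], password):
        return False, "invalid credentials"
    return True, user_dn
```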

Email

Email is a service provided by most organizations, which makes it an easy choice as a user directory. You can check the user's username and password using SMTP, POP3, or IMAP.

IMAP

  1. Go to Preferences in the top panel
  2. Go to User Authentication > Authentication Integration in the left Preferences panel
  3. Find the IMAP Server section in the main window
  4. Enter the Server Address, Server Port, and Domain Name
  5. Click Update
  6. Click Test to test the configuration settings

Examples

Service Name                  Server Name            Port  Domain
Google G Suites               imap.gmail.com         993   Your Domain
Exchange Online (Office 365)  outlook.office365.com  993   Your Domain

POP3

  1. Go to Preferences in the top panel
  2. Go to User Authentication > Authentication Integration in the left Preferences panel
  3. Find the POP3 Server section in the main window
  4. Enter the Server Address, Server Port, and Domain Name
  5. Click Update
  6. Click Test to test the configuration settings

Examples

Service Name                  Server Name            Port  Domain
Google G Suites               pop.gmail.com          995   Your Domain
Exchange Online (Office 365)  outlook.office365.com  995   Your Domain

SMTP

  1. Go to Preferences in the top panel
  2. Go to User Authentication > Authentication Integration in the left Preferences panel
  3. Find the SMTP Server section in the main window
  4. Enter the Server Address, Server Port, Connection Security, and Domain Name
  5. Click Update
  6. Click Test to test the configuration settings

Examples

Service Name     Server Name          Port  Connection Security  Domain
Google G Suites  smtp.gmail.com       465   SMTPS                Your Domain
Office 365       smtp.office365.com   587   MSA/STARTTLS         Your Domain

Note

Known Issues

Gmail Error: "Authentication failed.Authentication failed.SMTP(535-5.7.8:Username and Password not accepted. Learn more at https://support.google.com/mail/?p=BadCredentialsy32sm41405227qt)"
Fix: Turn on "Less secure app access" under the Google account's Settings > Security, or use SAML integration instead.
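The IMAP, POP3 and SMTP integrations all do the same thing: open a connection to the mail server and attempt a login with the user's credentials, with the Domain Name field completing the login name. The example below, added here and not part of Genian NAC, is a stand-alone credential check that covers all three protocols and both connection-security modes from the tables above (implicit TLS on 993/995/465, STARTTLS on 587) while verifying the server certificate and refusing to send a password without TLS. The account values are constructed placeholders.

```python
import imaplib
import poplib
import smtplib
import ssl


def login_name(username, domain):
    """Mail services expect the full address; the Domain Name field supplies it."""
    return username if "@" in username else f"{username}@{domain}"


def tls_context():
    ctx = ssl.create_default_context()  # verifies the certificate chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_mail_credentials(protocol, host, port, security, username, domain, password, timeout=10):
    """Return True if the server accepts the credentials, False if it rejects them.

    security is "SSL" (implicit TLS: IMAP 993, POP3 995, SMTPS 465) or "STARTTLS"
    (e.g. SMTP submission on 587). Anything else is refused, so AUTH never goes in clear.
    """
    if security not in ("SSL", "STARTTLS"):
        raise ValueError("refusing to authenticate without TLS")
    user, ctx = login_name(username, domain), tls_context()
    try:
        if protocol == "imap":
            c = (imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
                 if security == "SSL" else imaplib.IMAP4(host, port, timeout=timeout))
            if security == "STARTTLS":
                c.starttls(ssl_context=ctx)
            c.login(user, password)
            c.logout()
        elif protocol == "pop3":
            c = (poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
                 if security == "SSL" else poplib.POP3(host, port, timeout=timeout))
            if security == "STARTTLS":
                c.stls(context=ctx)
            c.user(user)
            c.pass_(password)
            c.quit()
        elif protocol == "smtp":
            c = (smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
                 if security == "SSL" else smtplib.SMTP(host, port, timeout=timeout))
            if security == "STARTTLS":
                c.starttls(context=ctx)
            c.login(user, password)
            c.quit()
        else:
            raise ValueError(f"unknown protocol {protocol!r}")
    except (imaplib.IMAP4.error, poplib.error_proto, smtplib.SMTPAuthenticationError):
        return False  # server reachable, credentials rejected
    return True
```

Connection and certificate errors are left to propagate, so a failed TLS verification shows up as an error rather than being mistaken for a bad password.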

SAML 2.0

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties. A SAML exchange involves an End User, a Service Provider (SP) that requires authentication, and an Identity Provider (IdP) that provides the authentication service. If Genian NAC is integrated with Google through SAML, Genian NAC becomes the SP and Google becomes the IdP.

The following are the basic configuration steps for SAML integration.

  1. Go to Preferences in the top panel
  2. Go to User Authentication > Authentication Integration in the left Preferences panel
  3. Find the SAML2 section in the main window
  4. Copy the SP Entity ID and SP ACS URL values
  5. Enter these values into the IdP server when configuring it for Genian NAC SAML integration.
  6. For IdP Entity ID and IdP SSO URL, enter the values obtained from the IdP server.
  7. For x509 Certificate, paste the certificate issued by the IdP server.
  8. Click Update
  9. Click Test to test the configuration settings

Webhook Authentication Integration

When a user attempts to log in through the Webhook authentication integration, a Webhook event occurs and Genian NAC invokes the configured Webhook URL.

With this authentication method the user is logged in when the called URL returns a value that Genian NAC recognizes as success.

Here's how to set up the Webhook authentication integration.

  1. Go to Policy > Node Policy and select the node policy for which you want to enable Webhook authentication.
  2. Go to Advanced > Authentication Policy > Authentication Method, click ASSIGN, and assign SAML.
    • The authentication method at the top of the authentication method list is the one used for authentication.
  3. Go to Preferences > User Authentication > Authentication Integration > Webhook.
  4. Set the URL to call when the event occurs and select the call method (GET or POST).
     ex) content-type - json
     GET method: https://called URL/?id={_USERID}&pwd={_USERPASSWORD}
     POST method: https://called URL
  5. For the POST method, select the content-type and enter POST data in the format that content-type expects.
     ex)
     content-type - application/json
     Post Data: id={_USERID}&pwd={_USERPASSWORD}
  6. Enter Regex for Authentication (the pattern that identifies a successful return value).
  7. Enter Regex for Result Message.
  8. Enter Charset for Result Message.

Note

To enable SSL/TLS-encrypted communication, use an https Webhook URL.
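The Webhook exchange has two halves: the endpoint you operate receives {_USERID} and {_USERPASSWORD} and answers, and Genian NAC then applies Regex for Authentication and Regex for Result Message to that answer. The example below, added here and not Genian NAC's or any endpoint's actual code, implements both halves for a constructed user store (the users, salt and JSON field names are placeholders) so the regexes from the configuration can be tried against real reply bodies.

```python
import hashlib
import hmac
import json
import re
from urllib.parse import parse_qs


# Constructed user store for the example: username -> (salt, PBKDF2-SHA256 hash).
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


_SALT = b"constructed-example-salt"
USERS = {"alice": (_SALT, _pbkdf2("Wint3r!", _SALT))}


def handle_webhook(content_type, body):
    """Endpoint side: parse the data Genian NAC POSTs and return the reply body.

    The GET form carries id and pwd in the query string, which web server and proxy
    logs record; POST with an https URL keeps the password in the encrypted body.
    """
    if content_type == "application/json":
        data = json.loads(body)
        user, pwd = data.get("id"), data.get("pwd")
    else:  # form data, e.g. id={_USERID}&pwd={_USERPASSWORD}
        fields = parse_qs(body, keep_blank_values=True)
        user, pwd = fields.get("id", [None])[0], fields.get("pwd", [None])[0]
    record = USERS.get(user or "")
    ok = bool(record and pwd and hmac.compare_digest(_pbkdf2(pwd, record[0]), record[1]))
    return json.dumps({"result": "success" if ok else "fail",
                       "message": "Welcome" if ok else "Invalid credentials"})


def evaluate_response(body, auth_regex, message_regex):
    """NAC side: the login succeeds only when Regex for Authentication matches the reply.

    Anchor the pattern to the field (e.g. "result": "success"), not a bare word that
    could also occur inside an error message. Regex for Result Message yields group 1.
    """
    authenticated = re.search(auth_regex, body) is not None
    m = re.search(message_regex, body)
    message = m.group(1) if m and m.groups() else (m.group(0) if m else None)
    return authenticated, message
```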

Testing Integration

You can test the integration configurations of RADIUS, LDAP, IMAP, POP3, SMTP, or SAML to verify successful connections.

  1. Go to Preferences in the top panel
  2. Go to User Authentication > Authentication Integration in the left Preferences panel
  3. Find the Authentication Test section at the bottom of the main window
  4. Click Update if you made any configuration changes
  5. Click Test to test the configuration settings