29. General Settings » User Authentication

If you need to configure LDAP or RADIUS authentication, or enable pop-up notifications during/after login, open Configuration » General Settings » User Authentication.

[Screenshot: User Authentication settings]

User Authentication Settings parameters:
Persistent Sessions – Enables cookie-based authentication when a user selects Remember on the login page. Once authenticated, sessions for that user skip the login prompt for 30 days
Authorization Mode – Determines how Authentication Services (listed below) will be used:
Authorize only local users – Only authenticates users defined in General Settings » User Management with Authentication = Remote
Authorize local and remote users – Also allows authentication of users not defined locally, as long as they can be authenticated by the listed services
Authentication Services – Add LDAP or RADIUS servers in this grid to be used for authentication
Pop-up Notifications – Fill in the fields if you want pop-up windows on the login page or immediately after a successful login. Content can be plain text or HTML
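The rules above (Authorization Mode, the Template User of each service, and the priority order in which services are contacted) interact in ways that are easy to misread. The following is an added example, not Console's own code: a small model of that login decision, with constructed user records and two fake services standing in for real LDAP and RADIUS round trips. The "Local" authentication value, the role names and the assumption that a lower priority number is contacted first are assumptions for the demo.

```python
# Added example (not Console's own code): a model of the login decision the
# User Authentication settings describe. User records, the two services and
# their check() callbacks are constructed stand-ins for real LDAP/RADIUS.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class LocalUser:
    name: str
    authentication: str             # "Remote" as in User Management; "Local" is assumed
    role: str                       # stands in for the user's Console privileges
    password: Optional[str] = None  # only meaningful for "Local" accounts

@dataclass
class AuthService:
    name: str
    priority: int                   # lower value is contacted first (assumed ordering)
    template_user: str
    check: Callable[[str, str], bool]  # constructed stand-in for the LDAP/RADIUS exchange

AUTHORIZE_LOCAL_ONLY = "Authorize only local users"
AUTHORIZE_LOCAL_AND_REMOTE = "Authorize local and remote users"

def authenticate(username: str, password: str, local_users: Dict[str, LocalUser],
                 services: List[AuthService], mode: str) -> Tuple[bool, Optional[str], Optional[str]]:
    """Return (granted, role, decided_by) following the documented rules."""
    local = local_users.get(username)
    # A locally defined account with a local password never reaches the services (assumed).
    if local is not None and local.authentication == "Local":
        ok = local.password == password
        return (ok, local.role if ok else None, "local")
    # Services are contacted in priority order; the process halts on the first success.
    for svc in sorted(services, key=lambda s: s.priority):
        if not svc.check(username, password):
            continue
        if local is not None:
            # Defined locally with Authentication = Remote: the account's own privileges apply.
            return (True, local.role, svc.name)
        if mode == AUTHORIZE_LOCAL_AND_REMOTE:
            # Not defined locally: inherits the privileges of the service's Template User.
            return (True, local_users[svc.template_user].role, svc.name)
        # "Authorize only local users": a remote success for an undefined account is still rejected.
        return (False, None, svc.name)
    return (False, None, None)

# Constructed demo data.
LOCAL_USERS = {
    "alice": LocalUser("alice", "Local", "Administrator", password="alice-pw"),
    "bob": LocalUser("bob", "Remote", "Operator"),
    "ldap_template": LocalUser("ldap_template", "Local", "Viewer"),
    "radius_template": LocalUser("radius_template", "Local", "Guest"),
}

def _fake_ldap(user: str, pw: str) -> bool:     # constructed: the "directory" knows bob and carol
    return user in ("bob", "carol") and pw == "ldap-pw"

def _fake_radius(user: str, pw: str) -> bool:   # constructed: the RADIUS server knows dave
    return user == "dave" and pw == "radius-pw"

SERVICES = [
    AuthService("RADIUS", priority=2, template_user="radius_template", check=_fake_radius),
    AuthService("LDAP", priority=1, template_user="ldap_template", check=_fake_ldap),
]

if __name__ == "__main__":
    for mode in (AUTHORIZE_LOCAL_ONLY, AUTHORIZE_LOCAL_AND_REMOTE):
        print(mode)
        for user, pw in (("alice", "alice-pw"), ("bob", "ldap-pw"), ("carol", "ldap-pw"), ("dave", "radius-pw")):
            print("  %-6s -> %s" % (user, authenticate(user, pw, LOCAL_USERS, SERVICES, mode)))
```

The point worth checking in your own deployment is the "carol" case: with "Authorize only local users" a successful LDAP bind for an account that has no User Management entry is still refused, while with "Authorize local and remote users" that same account is granted the Template User's privileges, so the Template User's role bounds what any directory account can do in Console.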

29.1. LDAP

[Screenshot: LDAP Service settings]

LDAP Service parameters:
Priority – Specifies the order in which Console contacts multiple authentication services. The authentication process halts on the first successful login
Template User – Remotely authenticated users without a local Console account inherit the privileges of this Template User
LDAP Host – The IP or hostname of the LDAP server. For SSL connections, use ldaps://<IP>:<port>/
Login Attribute – The LDAP attribute containing the username. Common choices: mailNickname or sAMAccountName for Active Directory, or uid for OpenLDAP or IBM Directory Server
Base DN – The starting point in the LDAP hierarchy where Console should begin searching for usernames for authorization requests. The base DN may be something equivalent to the organization, group, or domain name (AD) of the external directory: dc=domain,dc=com
Bind User DN/Password – The distinguished name/password of an LDAP user allowed to search the Base DN
Search Filter – Limits which users can authenticate using this configuration. For example, "|(department=*NOC*)(department=ISP)" matches any user in a department containing "NOC" or exactly "ISP". The initial "|" (pipe) indicates a logical OR across each parenthesized expression
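To try a Search Filter against known entries before pointing Console at the directory, the following added example (not Console's own code) evaluates RFC 4515 filters offline. It supports presence, equality and substring ("*") items combined with "&", "|" and "!", compares values case-insensitively (assumed, as for caseIgnoreMatch attributes such as department), and writes the page's filter in its RFC 4515 form with enclosing parentheses. It also shows the escaping that a login-attribute lookup needs before a submitted username is placed in a filter; that Console ANDs the login lookup with the Search Filter is an assumption, as are the `uid` values and entries, which are constructed.

```python
# Added example (not Console's own code): a small RFC 4515 filter evaluator for
# checking a Search Filter against constructed directory entries offline, plus
# the value escaping any login-attribute lookup needs.
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter, e.g. the login name."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _unescape(text: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def parse_filter(text: str):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        kids = []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    if op == "!":
        kid, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", [kid]), i + 1
    j = s.index(")", i)          # escaped parentheses appear as \28 / \29, so this is safe
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1

def _value_regex(value: str):
    # An unescaped '*' is a wildcard; everything else is matched literally after unescaping.
    parts = [re.escape(_unescape(p)) for p in value.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)

def matches(node, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    if value == "*":             # presence filter
        return bool(values)
    pattern = _value_regex(value)
    return any(pattern.fullmatch(v) for v in values)

# The page's Search Filter in its RFC 4515 form with the enclosing parentheses.
PAGE_FILTER = "(|(department=*NOC*)(department=ISP))"

# Constructed directory entries.
ENTRIES: List[Entry] = [
    {"uid": ["alice"], "department": ["Network NOC"]},
    {"uid": ["bob"], "department": ["ISP"]},
    {"uid": ["carol"], "department": ["Sales"]},
    {"uid": ["dave"], "department": ["isp-support"]},
]

def users_allowed_by_filter(search_filter: str = PAGE_FILTER, entries: List[Entry] = ENTRIES) -> List[str]:
    node = parse_filter(search_filter)
    return [e["uid"][0] for e in entries if matches(node, e)]

def authorized_users(login_attribute: str, username: str, search_filter: str,
                     entries: List[Entry]) -> List[str]:
    """Entries matching the login lookup ANDed with the Search Filter (assumed combination)."""
    combined = "(&(%s=%s)%s)" % (login_attribute, escape_filter_value(username), search_filter)
    node = parse_filter(combined)
    return [e["uid"][0] for e in entries if matches(node, e)]

if __name__ == "__main__":
    print("filter allows :", users_allowed_by_filter())
    print("login 'alice' :", authorized_users("uid", "alice", PAGE_FILTER, ENTRIES))
    print("login '*'     :", authorized_users("uid", "*", PAGE_FILTER, ENTRIES))
```

Note the last call: because the submitted name is escaped, a login of "*" is looked up as the literal string and matches nobody; without escaping it would turn the login lookup into a presence filter and widen the match to every entry the Search Filter allows.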

Note

For troubleshooting the LDAP Service, try these commands:

tcpdump -i <ethernet interface> -n -X host <LDAP IP> displays the packets exchanged between the Console and the LDAP host
ldapsearch -x -LLL -H "<LDAP Host>" -D "<Bind User DN>" -b "<Base DN>" -w "<Bind Password>" -E pr=2000000/noprompt -o ldif-wrap=no dumps the entire LDAP structure (using paged results so large directories are returned completely, and without LDIF line wrapping), which helps you find the correct Search Filter. Use -W instead of -w "<Bind Password>" to be prompted for the bind password rather than placing it on the command line

29.2. RADIUS

[Screenshot: RADIUS Service settings]

RADIUS Service parameters:
Priority – Specifies the order in which Console tries each authentication service. The process ends on the first successful login
Template User – Allows remotely authenticated users who lack a local Console account to inherit the privileges of this “template” user
RADIUS Host – IP address or hostname of the RADIUS server
RADIUS Port – Port on which the RADIUS server listens for authentication (often 1812)
RADIUS Protocol – Select the authentication protocol used by your RADIUS setup:
PAP – Password Authentication Protocol (simple 2-way handshake)
CHAP – Challenge-Handshake Authentication Protocol
MSCHAP – Microsoft’s version of CHAP
MSCHAP2 – Enhanced Microsoft CHAP v2
RADIUS Secret – Provide the shared secret (credentials) for connecting to the RADIUS server
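The protocol choice decides what actually crosses the network between Console and the RADIUS server. As an added example (not Console's own code), the following implements the two simplest options from RFC 2865: the PAP User-Password hiding of section 5.2, which depends entirely on the RADIUS Secret, and the CHAP-Password of section 5.3, which sends a one-way MD5 response instead of the password. The secret, Request Authenticator, challenge and passwords are constructed values; MS-CHAP variants are not shown.

```python
# Added example (not Console's own code): the on-the-wire password forms for the
# PAP and CHAP choices of the RADIUS Protocol setting, per RFC 2865 sections 5.2/5.3.
# The secret, Request Authenticator and challenge used below are constructed.
import hashlib
import os

def pap_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """PAP User-Password value: pad with NULs to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(secret + RequestAuth), c(i) = p(i) XOR MD5(secret + c(i-1))."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden

def pap_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """The server side of the same computation. Anything that holds the shared secret
    and sees the request (the Request Authenticator is sent in clear) gets the password back,
    so PAP's confidentiality is exactly as strong as the RADIUS Secret."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return plain.rstrip(b"\x00")

def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value = CHAP Ident + MD5(Ident + password + challenge).
    The password itself never leaves the client."""
    ident = bytes([chap_id & 0xFF])
    return ident + hashlib.md5(ident + password + challenge).digest()

def chap_verify(attribute: bytes, password: bytes, challenge: bytes) -> bool:
    """Server side: recompute from the stored password and the challenge it issued.
    This is why a CHAP back end must hold the cleartext password (or an equivalent)."""
    return len(attribute) == 17 and chap_password(attribute[0], password, challenge) == attribute

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra = os.urandom(16)                      # Request Authenticator: random per request
    hidden = pap_hide_password(b"hunter2", secret, ra)
    print("PAP hidden   :", hidden.hex())
    print("PAP recovered:", pap_reveal_password(hidden, secret, ra))
    challenge = os.urandom(16)
    resp = chap_password(1, b"hunter2", challenge)
    print("CHAP response:", resp.hex(), "valid:", chap_verify(resp, b"hunter2", challenge))
```

Two operational consequences follow directly from the code: with PAP, the RADIUS Secret is the only thing protecting every Console login password in transit, so it should be long and random and the Console-to-RADIUS path should be a trusted network; with CHAP the secret no longer protects the password, but the RADIUS back end needs the reversible or cleartext password, which is why many directories only support PAP or the MS-CHAP variants.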