Authentication servers (auth servers) are external sources of user accounts used for authorization in the realm management web console. A realm authentication server works similar to a UGMC authentication server, the only difference is where each is used.
LDAP Connector
An LDAP connector allows you to:
-
Obtain information on users and groups from Active Directory or other LDAP servers. FreeIPA is supported with an LDAP server.
-
Authorize UGMC users via Active Directory/FreeIPA domains.
To create an LDAP connector, click Add, select Add LDAP connector, and provide the following settings:
|
Name |
Description |
|---|---|
|
Enabled |
Enables or disables the use of this authentication server. |
|
Name |
The name of the authentication server. |
|
SSL |
This specifies whether SSL is required to connect to the LDAP server. |
|
LDAP domain name or IP address |
The IP address of the domain controller, the domain controller FQDN or the domain FQDN (e.g., test.local). If the domain controller FQDN is specified, UserGate will obtain the domain controller's address using a DNS request. If the domain FQDN is specified, UserGate will use a backup domain controller if the primary one fails. |
|
Bind DN ("login") |
The username for connecting to the LDAP server. Must be in the DOMAIN\username or username@domain format. This user must be already created in the domain. |
|
Password |
The user's password for connecting to the domain. |
|
LDAP domains |
The list of domains served by the specified domain controller, e.g., in case of a domain tree or an Active Directory domain forest. Here you can also specify the short NetBIOS domain name. |
|
Search roots |
The list of LDAP server paths relative to which the system will search for users and groups. Specify the full name, e.g., ou=Office,dc=example,dc=com. |
After creating a server, you should validate the settings by clicking Check connection. If your settings are correct, the system will report that; otherwise, it will tell you why it cannot connect.
The LDAP connector configuration is now complete. When logging in to the console, LDAP users should specify their usernames in the following formats:
domain\user/system or user@domain/system
RADIUS Authentication Server
You can authorize users in the UserGate web console using a RADIUS authentication server, with the console working as a RADIUS client. When authorization is done using a RADIUS server, UserGate sends the username and password information to the RADIUS server, which then responds as to whether or not the authentication was successful.
To add a RADIUS authentication server, click Add, select Add RADIUS server, and provide the following settings:
|
Name |
Description |
|---|---|
|
Enabled |
Enables or disables the use of this authentication server. |
|
Name |
The name of the RADIUS authentication server. |
|
Description |
An optional description of the server. |
|
Shared secret |
Pre-shared key used by the RADIUS protocol for authentication. |
|
Addresses |
Specify the server's IP address and the UDP port on which the RADIUS server listens for authentication requests (the default port number is 1812). |
To authorize users in UserGate's web interface using a RADIUS server, you need to configure an authentication profile. Подробнее о создании и настройке профилей читайте в разделе Профили аутентификации области.
TACACS+ Authentication Server
You can authorize users in the UserGate administrative console using a TACACS+ authentication server. In this case, UserGate transmits the username and password information to the auth servers, and then the TACACS+ servers respond as to whether the authentication was successful.
To add a RADIUS authentication server, click Add, select Add RADIUS server, and provide the following settings:
|
Name |
Description |
|---|---|
|
Enabled |
Enables or disables the use of this authentication server. |
|
Name |
The name of the TACACS+ authentication server. |
|
Description |
An optional description of the server. |
|
Secret |
Pre-shared key used by the TACACS+ protocol for authentication. |
|
Address |
The IP address for the TACACS+ server. |
|
Port |
The UDP port on which the TACACS+ server listens for authentication requests. |
|
Use single TCP connection |
Use a single TCP connection for communicating with the TACACS+ server. |
|
Timeout (sec.) |
The authentication timeout for the TACACS+ server. The default is 4 seconds. |
To authorize users in UserGate's web interface using a TACACS+ server, you need to configure an authentication profile. Подробнее о создании и настройке профилей читайте в разделе Профили аутентификации области.