UGMC Auth Servers

Authentication servers (auth servers) are external sources of user accounts used for authorization in the UGMC web console. UGMC supports the following types of authentication servers: LDAP connector, RADIUS, and TACACS+.

LDAP Connector

An LDAP connector allows you to:

  • Obtain information on users and groups from Active Directory or other LDAP servers. FreeIPA is supported with an LDAP server.

  • Authorize UGMC users via Active Directory/FreeIPA domains.

To create an LDAP connector, click Add, select Add LDAP connector, and provide the following settings:

Name

Description

Enabled

Enables or disables the use of this authentication server.

Name

The name of the authentication server.

SSL

This specifies whether SSL is required to connect to the LDAP server.

LDAP domain name or IP address

The IP address of the domain controller, the domain controller FQDN or the domain FQDN (e.g., test.local). If the domain controller FQDN is specified, UserGate will obtain the domain controller's address using a DNS request. If the domain FQDN is specified, UserGate will use a backup domain controller if the primary one fails.

Bind DN ("login")

The username for connecting to the LDAP server. Must be in the DOMAIN\username or username@domain format. This user must be already created in the domain.

Password

The user's password for connecting to the domain.

LDAP domains

The list of domains served by the specified domain controller, e.g., in case of a domain tree or an Active Directory domain forest. Here you can also specify the short NetBIOS domain name.

Search roots

The list of LDAP server paths relative to which the system will search for users and groups. Specify the full name, e.g., ou=Office,dc=example,dc=com.

After creating a server, you should validate the settings by clicking Check connection. If your settings are correct, the system will report that; otherwise, it will tell you why it cannot connect.

The LDAP connector configuration is now complete. When logging in to the console, LDAP users should specify their usernames in the following formats:

domain\user/system or user@domain/system

RADIUS Authentication Server

You can authorize users in the UserGate web console using a RADIUS authentication server, with the console working as a RADIUS client. When authorization is done using a RADIUS server, UserGate sends the username and password information to the RADIUS server, which then responds as to whether or not the authentication was successful.

To add a RADIUS authentication server, click Add, select Add RADIUS server, and provide the following settings:

Name

Description

Enabled

Enables or disables the use of this authentication server.

Name

The name of the RADIUS authentication server.

Description

An optional description of the server.

Shared secret

Pre-shared key used by the RADIUS protocol for authentication.

Addresses

Specify the server's IP address and the UDP port on which the RADIUS server listens for authentication requests (the default port number is 1812).

To authorize users in UserGate's web interface using a RADIUS server, you need to configure an authentication profile. Подробнее о создании и настройке профилей читайте в разделе Профили аутентификации UGMC.

TACACS+ Authentication Server

You can authorize users in the UserGate administrative console using a TACACS+ authentication server. In this case, UserGate transmits the username and password information to the auth servers, and then the TACACS+ servers respond as to whether the authentication was successful.

To add a TACACS+ authentication server, click Add, select Add TACACS+ server, and provide the following settings:

Name

Description

Enabled

Enables or disables the use of this authentication server.

Name

The name of the TACACS+ authentication server.

Description

An optional description of the server.

Secret

Pre-shared key used by the TACACS+ protocol for authentication.

Address

The IP address for the TACACS+ server.

Port

The UDP port on which the TACACS+ server listens for authentication requests.

Use single TCP connection

Use a single TCP connection for communicating with the TACACS+ server.

Timeout (sec.)

The authentication timeout for the TACACS+ server. The default is 4 seconds.

To authorize users in UserGate's web interface using a TACACS+ server, you need to configure an authentication profile. Подробнее о создании и настройке профилей читайте в разделе Профили аутентификации UGMC.