How to - Implement Clientless Single SignOn Authentication in Single Active Directory Domain...
-
Upload
lkernan1234 -
Category
Documents
-
view
83 -
download
0
description
Transcript of How to - Implement Clientless Single SignOn Authentication in Single Active Directory Domain...
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
1
Applicable to Version: 10.00 onwards
Note: Please check OS Compatibility Matrix before following this document.
Matrix is available at:
http://docs.cyberoam.com/default.asp?id=229&SID=&Lang=1
This article describes how to implement Clientless single sign on authentication with Active Directory integration.
Cyberoam ADS integration feature allows Cyberoam to map the users and groups from Active Directory for the purpose of authentication.
Prerequisites:
NetBIOS Domain name
FQDN Domain name
Search DN
Active Directory Server IP address
Administrator Username and Password (Active Directory Domain)
IP address of Cyberoam Interface connected to Active Directory server
Import AD groups
Configure Clientless SSO
Configuring ADS authentication
Logon to Cyberoam Web Admin Console and follow the below given steps:
Step 1: Create ADS User Groups
Instead of creating AD groups again in Cyberoam, you can import AD groups into
Cyberoam using Import Wizard.
One can import groups only after integrating and defining AD parameters into
Cyberoam.
Step 2: Configure Cyberoam to use Active Directory
Go to Identity Authentication Authentication Server and click Add to configure Active Directory parameters
Cyberoam allows implementing AD integration in two ways:
Tight Integration With tight integration, Cyberoam synchronizes groups with AD every time the user tries to logon. Hence, even if the group of a user is
changed in Cyberoam, on subsequent log in attempt, user logs on as the
member of the same group as configured in Active Directory. In this case group
membership of each user is as defined in the Active Directory.
How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
2
Loose Integration With loose integration, Cyberoam does the Group management and does not synchronize groups with AD when user tries to logon.
By default, users will be the member of Cyberoam default group irrespective of
Active Directory group, administrator can change the group membership.
Cyberoam will use authentication attribute for authenticating users with Active
Directory.
Parameters Values
Server Type Active Directory
Server Name AD_Server
Server IP 192.168.1.1
Port 389 It is the port on which ADS server listens for the authentication requests. If your AD server is using another port, specify port number in Port field.
NetBios Domain elitecore If you do not know NetBIOS name, refer to section Determine NetBIOS Name, FQDN and Search DN.
ADS Username administrator Active Directory Administrator Username
Password As per your requirement Active Directory Administrator password
Integration Type Loose Integration with Cyberoam
Domain Name elitecore.com
Search Queries DC=elitecore, DC=com
Click Test Connection to check whether Cyberoam is able to connect to the Active Directory or not. If Cyberoam is able to connect to the Active Directory, click OK to
save the configuration.
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
3
Step 3: Select Active Directory as Authentication Server
Go to Identity Authentication Firewall and select Active Directory as preferred authentication server.
Authentication Server List displays all the configured servers while Selected
Authentication server List displays servers that will be used for authentication when
user tries to login.
In case of multiple servers, authentication request will be forwarded as per the order
configured in the Selected Authentication server List
Note:
By default, local database is selected. Make sure that the Active Directory server is
selected and it is configured on top in the Selected Authentication server List.
You can select 2 authentication mechanisms: The one on top will be primary and the
other one will be the secondary. In case primary server is not responding, Cyberoam
will attempt to check in the secondary server.
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
4
Step 4: Test Active Directory integration
Go to http://:8090 to open the Captive Portal (HTTP client)
login page.
Specify username and password
Username will be displayed on Identity Live Users page if user is able to log on to Cyberoam successfully.
This completes the AD configuration.
Import AD Groups
To import AD groups into Cyberoam use Import Wizard before configuring for single
sign on.
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
5
Clientless Single Sign on Implementation
Transparent Authentication (Clientless Single Sign on)
Cyberoam introduces Clientless Single Sign On as a Cyberoam Transparent Authentication Suite (CTAS).
With Single Sign On authentication, user automatically logs on to the Cyberoam when logs on to Windows through his windows username and password. Hence, eliminating the need of multiple logins and username & passwords.
But, Clientless Single Sign On not only eliminates the need to remember multiple passwords Windows and Cyberoam, it also eliminates the installation of SSO clients on each workstation. Hence, delivering high ease-of-use to end-users, higher levels of security in addition to lowering operational costs involved in client installation.
Cyberoam Transparent Authentication Suite (CTAS)
CTA Suite consists of
CTA Agent It monitors user authentication request coming on the domain controller and sends information to the Collector for Cyberoam authentication.
CTA Collector It collects the user authentication request from multiple agents, processes the request and sends to Cyberoam for authentication.
How does Cyberoam CTA Agent work?
User Authentication Information Collection Process
1. User tries to log on to the Active Directory Domain Controller from any workstation in LAN. Domain Controller tries to authenticate user credentials.
2. This authentication process is captured and communicated to CTA Collector over default port 5566 by CTA Agent real time.
3. CTA Collector registers user in the Local database and communicates user information to Cyberoam over the default port 6060
4. Cyberoam queries Active Directory to determine users group membership and registers user in Cyberoam database
Based on data from CTA Agent, Cyberoam queries AD server to determine group membership and based on which access is granted or denied. Users logged into a workstation directly i.e. locally but not logged into the domain will not be authenticated and are considered as Unauthenticated or Guest user. For users that are not logged into the domain, the HTTP Login screen prompting for a manual login will be displayed for further authentication.
Step 5: Installing CTA Suite
Download CTA Suite from www.cyberoam.com/cyberoamclients.html
Extract ctas.rar and install CTA Suite on Domain controller by following the on-screen instructions. Administrative right is required to install CTA Suite.
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
6
Check for Cyberoam Transparent Authentication Suite tab from Start All Programs.
If installed successfully, Cyberoam Transparent Authentication Suite tab will be added.
Consider the below given hypothetical network example where single domain controller is configured and follow the below given steps to configure Cyberoam Transparent Authentication:
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
7
Step 6: Configure CTA Collector from CTA Collector Tab on Primary Domain Controller
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
8
If logoff detection settings is enabled and firewall is configured on the Workstation, please allow the traffic to and from Domain controller.
For E.g. If ping is selected in log off detection and workstation firewall does not allow ping, Cyberoam will always detect user as logged out.
Step 7: Configure Agent from CTA Agent Tab on Primary Domain Controller
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
9
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
10
Step 8: Configure Collector Port in Cyberoam
Logon to CLI Console with default password, go to Option 4 Cyberoam Console and execute following command at the prompt:
console>cyberoam auth cta enable
console>cyberoam auth cta collector add collector-ip collector-port
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
11
Step 9. Configure CTAS Fault Tolerance
For Cyberoam versions 10.02.0 Build 473 onwards, you can configure high availability of collectors by executing the following commands:
console> cyberoam auth cta collector add collector-ip collector-port
create-new-collector-group
console> cyberoam auth cta collector add collector-ip collector-port
collector-group
Step 9: Enable Security Event logging on Active Directory
This completes the configuration.
Determine NetBIOS Name, FQDN and Search DN
On the ADS server:
Go to Start Programs Administrative Tools Active Directory Users and Computers
Right Click the required domain and go to Properties tab
Search DN will be based on the FQDN. In the given example FQDN is elitecore.com and Search DN will be DC=elitecore, DC=com
-
How To - Implement Clientless Single Sign On Authentication with Active Directory
12
Document Version: 3.0 - 15/07/2011
Configuring ADS authenticationClientless Single Sign on ImplementationDetermine NetBIOS Name, FQDN and Search DN