Servers sub-tab
    • 09 Jun 2023


    Authentication server configuration is done on this page.

    Edit Local Authentication

    Click on the Index of the Local authentication server to enable/disable it, or set 2-Factor Authentication if a method is configured in the 2-Factor tab.

    Add Remote Server

    1. Go to Security :: Authentication :: Servers.
    2. Click Add (displays dialog).
    3. On Method drop-down, select one (LDAP or AD, RADIUS, TACACS+, Kerberos). Additional options display, depending on selection:
      • On 2 Factor Authentication drop-down, select one (None, Enabled)
      • On Status drop-down, select one (Enabled, Disabled)
      • Select Fallback if denied access checkbox
      • Enter Remote Server (IP address of remote server).
    4. If Method selection is: LDAP or AD
      1. Enter Base (root DN or a sublevel DN – highest point used to search for users or groups).
      2. Select/unselect Authorize users authenticated with ssh public key checkbox (default: disabled).
      3. On Secure drop-down, select one (On, Off, Start_TLS) (default: Off).
      4. Select/unselect Global Catalog Server checkbox (if enabled, uses an Active Directory Global Catalog Server).
      5. Enter LDAP Port (or accept "default").
      6. Enter Database Username, Database Password and Confirm Password.
      7. Enter Login Attribute (contains username - for AD, default: sAMAccountName).
      8. Enter Group Attribute (group identifier - for AD, default: memberOf).
      9. Enter Search Filter.
      10. Select/unselect Search Nested Groups (AD only) checkbox (default: disabled).
      11. Enter Group Base.
        Example: OpenLDAP Configuration
        Status: True; Fallback if denied access: True; Remote Server: 192.168.1.1; Base: dc=zpe, dc=net; Secure: Off; Global Catalog Server: False; Database Username: cn=admin, dc=zpe, dc=net; Login Attribute: cn; Group Attribute: Member, UID
        Example: Active Directory Configuration
        Status: True; Fallback if denied access: True; Remote Server: 192.168.1.1; Base: dc=zpesystems, dc=com; Secure: Start_TLS; Global Catalog Server: True; Database Username: cn=Administrator, cn=Users, dc=zpesystems, dc=com; Login Attribute: sAMAccountName; Group Attribute: memberOf
    5. If Method selection is: RADIUS (displays dialog).
      1. Enter Accounting Server.
      2. Enter Radius Port (or accept "default").
      3. Enter Radius Accounting Port (or accept "default").
      4. Enter Secret and Confirm Secret.
      5. Enter Timeout.
      6. Enter Retries.
      7. Select Enable ServiceType attribute association to local authorization group checkbox (allows assignment of Radius Service Types to Nodegrid local groups).

        Configure Nodegrid as a FreeRadius Server - CLI Procedure (example)

        1. Create the file "/usr/share/freeradius/dictionary.zpe" with the content listed below:

        VENDOR  ZPE  42518
        BEGIN-VENDOR ZPE
            ATTRIBUTE ZPE-User-Groups 1 string
        END-VENDOR   ZPE
        

        2. Edit the file "/usr/share/freeradius/dictionary". In the file, add a line with dictionary.zpe (suggested location).

        $INCLUDE dictionary.zpe
        $INCLUDE dictionary.jradius
        

        3. In /etc/freeradius/users, assign user groups. Define the "Framed-Filter-ID" attribute (as before) or define a new attribute "ZPE-User-Groups".

        NOTE
        If both attributes are defined, "ZPE-User-Groups" takes precedence.
    6. If Method selection is: TACACS+ (displays dialog).
      1. Enter Accounting Server.
      2. Select Authorize users authenticated with ssh public key checkbox.
      3. Enter TACACS+ Port (default: 49).
      4. On Service drop-down, select one (PPP, Shell, raccess) (default: raccess).
      5. Enter Secret and Confirm Secret.
      6. Enter Timeout (default: 2).
      7. Enter Retries (default: 2).
      8. On TACACS+ Version drop-down, select one (V0, V1, V0_V1, V1_V0) (default: V1).
      9. Enter Enforce Source IP for AAA authentication (available in v5.8+).
      10. Select Enable User-Level attribute of Shell and raccess services association to local authorization group checkbox (expands dialog with 15 User Levels).
        Per instruction, “Enter local authorization group name for each User Level.”
        NOTE
        User Level displays User Level 1 through User Level 15.
    7. If Method selection is: Kerberos (displays dialog).
      1. Enter Realm Domain Name.
      2. Enter Domain Name.
    8. Click Save.
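
The FreeRADIUS CLI procedure under step 5 (RADIUS), as an added shell example that is not part of the original article or ZPE's own tooling: it applies steps 1 and 2 so that re-running is safe, then lists users-file entries that define both attributes, which is where the NOTE's precedence rule decides the group. The function names, the directory argument and the demo entries are assumptions; attribute values are placeholders because the value syntax is not given on this page.

```shell
#!/bin/sh
# Added example, not ZPE code. Directories and files are arguments so the
# functions can be tried on copies before touching /usr/share/freeradius.

# Steps 1-2: write dictionary.zpe and include it from the main dictionary.
# Re-running is safe: the $INCLUDE line is added only when it is missing.
install_zpe_dictionary() {
    main="$1/dictionary"
    cat > "$1/dictionary.zpe" <<'EOF'
VENDOR  ZPE  42518
BEGIN-VENDOR ZPE
    ATTRIBUTE ZPE-User-Groups 1 string
END-VENDOR   ZPE
EOF
    grep -Eq '^\$INCLUDE[[:space:]]+dictionary\.zpe([[:space:]]|$)' "$main" && return 0
    if grep -Eq '^\$INCLUDE[[:space:]]+dictionary\.jradius' "$main"; then
        cp -p "$main" "$main.bak"   # backup; rewriting in place keeps owner and mode
        awk '/^\$INCLUDE[ \t]+dictionary\.jradius/ && !seen {
                 print "$INCLUDE dictionary.zpe"; seen = 1 }   # suggested location
             { print }' "$main.bak" > "$main"
    else
        printf '%s\n' '$INCLUDE dictionary.zpe' >> "$main"
    fi
}

# Step 3 check: list users whose entry sets both attributes. Per the NOTE,
# ZPE-User-Groups takes precedence for them over Framed-Filter-ID.
users_with_both_attributes() {
    awk 'function emit() { if (user != "" && ffi && zug) print user; ffi = zug = 0 }
         /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
         /^[^ \t]/ { emit(); user = $1 }         # an entry starts in column 0
         { line = tolower($0) }                  # match attribute names in any case
         line ~ /framed-filter-id[ \t]*[+:]?=/ { ffi = 1 }
         line ~ /zpe-user-groups[ \t]*[+:]?=/  { zug = 1 }
         END { emit() }' "$1"
}

# Demo on constructed files in a scratch directory (values are placeholders).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '$INCLUDE dictionary.rfc2865' '$INCLUDE dictionary.jradius' > "$d/dictionary"
    printf '%s\n' 'alice Cleartext-Password := "x"' '    ZPE-User-Groups = "PLACEHOLDER"' \
        'bob Cleartext-Password := "x"' '    Framed-Filter-Id = "PLACEHOLDER",' \
        '    ZPE-User-Groups = "PLACEHOLDER"' > "$d/users"
    install_zpe_dictionary "$d" && cat "$d/dictionary" && users_with_both_attributes "$d/users"
    rm -rf "$d"
}
demo
```

On the device, the directory argument would be /usr/share/freeradius and the users file /etc/freeradius/users, as named in the procedure.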

    Set 2-Factor Authentication for Admin/Root Users

    1. Go to Security :: Authentication :: Servers.
    2. In Index column, click the index to be updated (displays dialog).
    3. Select Apply 2-Factor Authentication for Admin and Root users checkbox (if not selected, Admin and Root roles can use single logon).
    4. Click Save.

    Edit a Server

    1. Go to Security :: Authentication :: Servers.
    2. In Index column, click the index to be updated (displays dialog).
    3. Make changes, as needed.
    4. Click Save.

    Delete a Server

    1. Go to Security :: Authentication :: Servers.
    2. Locate and select checkbox.
    3. Click Delete.
    4. On the confirmation dialog, click OK.

    Move Index Priority Up

    1. Go to Security :: Authentication :: Servers.
    2. Locate and select checkbox.
    3. Click Up to move the selection up in the table.
    4. Click Save.

    Move Index Priority Down

    1. Go to Security :: Authentication :: Servers.
    2. Locate and select checkbox.
    3. Click Down to move the selection down in the table.
    4. Click Save.

    Enable/disable Console Authentication

    1. Go to Security :: Authentication :: Servers.
    2. Locate and select checkbox.
    3. Click Console (displays dialog).
    4. Select Enable Admin and Root users Fallback to Local Authentication on Console checkbox.
    5. Click Save.

    Set Default Group

    1. Go to Security :: Authentication :: Servers.
    2. Locate and select checkbox.
    3. Click Default Group (displays dialog). 
    4. On Default Group for Remote Server drop-down, select one.
    5. Click Save.

    Set Realms 

    (available in v5.6+)

    Realms allow the user to select the authentication server when logging in, using the notation user@server or server\user.

    1. Go to Security :: Authentication :: Servers.
    2. Locate and select checkbox.
    3. Click Realms (displays dialog). 
    4. Select Enable Authentication Server Selection Based on Realms checkbox.
    5. Click Save.


