Configure Authentication

By default, Guardium® user logins are authenticated by Guardium, independent of any other application.

For the Guardium admin user account, login is always authenticated by Guardium alone. For all other Guardium user accounts, authentication can be configured to use either RADIUS or LDAP. In the latter cases, additional configuration information for connecting with the authentication server is required.
Note: FreeRadius client software is supported.

When an alternative authentication method is used, all Guardium users must still be defined as users on the Guardium appliance. It is only the authentication that is performed by another application.

While user accounts and roles are managed by the accessmgr user, the authentication method used is managed by the admin user. This is a standard separation-of-duties best practice.

To configure authentication, see the procedures that follow.

Configure Guardium Authentication

  1. Click Setup > Tools and Views > Portal to open the Authentication Configuration.
  2. Select the Guardium radio button in the Authentication Configuration panel.
  3. Click Apply.

Configure RADIUS Authentication

  1. Click Setup > Tools and Views > Portal to open the Authentication Configuration.
  2. Select the RADIUS radio button in the Authentication Configuration panel. Additional fields will appear in the panel.
  3. In the Primary Server box, enter the host name or IP address of the primary RADIUS server.
  4. Optionally enter the host name or IP address of the secondary and tertiary RADIUS servers.
  5. Enter the UDP Port used (1812 or 1645) by RADIUS.
  6. Enter the RADIUS server Shared Secret, twice.
  7. Enter the Timeout Seconds (the default is 120).
  8. Select the Authentication Type:
    • PAP - password authentication protocol
    • CHAP - Challenge-handshake authentication protocol
    • MS-CHAPv2 - Microsoft version 2 of the challenge-handshake authentication protocol
  9. Optionally click Test to verify the configuration. You will be informed of the results of the test. The configuration will also be tested whenever you click the Apply button to save changes.
  10. Click Apply. Guardium will attempt to authenticate a test user, and inform you of the results.
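
What the Shared Secret and Authentication Type settings mean on the wire, as an added example (not IBM or Guardium code): with PAP the password is sent XOR-masked with MD5 of the shared secret and the Request Authenticator (RFC 2865 section 5.2), so its confidentiality rests entirely on the shared secret, while CHAP sends only a digest of the password and a challenge (section 5.3). The function names and all sample values are constructed for illustration.

```python
import hashlib

BLOCK = 16  # MD5 digest size; User-Password is masked in 16-byte blocks


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: User-Password value a RADIUS client sends with PAP."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        out += prev  # each ciphertext block feeds the next mask
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same shared secret recovers the cleartext password."""
    if len(authenticator) != BLOCK or not hidden or len(hidden) % BLOCK:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP-Password = ident + MD5(ident || password || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))
    password = b"constructed-password"
    hidden = pap_hide(password, secret, authenticator)
    print("PAP  User-Password:", hidden.hex())
    print("PAP  recovered    :", pap_reveal(hidden, secret, authenticator))
    print("CHAP CHAP-Password:", chap_password(7, password, authenticator).hex())
```

Because PAP protection is only as strong as the Shared Secret entered in step 6, use a long random value and keep RADIUS traffic on a trusted network segment.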

Configure LDAP Authentication

  1. Click Setup > Tools and Views > Portal to open the Authentication Configuration.
  2. Select the LDAP radio button in Authentication Configuration.
  3. In the Server box, enter the host name or IP address of the LDAP server.
  4. Enter the Port number (the default is 636 for LDAP over SSL).
  5. Enter the User RDN Type (relative distinguished name type), which is uid by default.
    Note:

    This attribute identifies a user for LDAP authentication. The Access Manager should be made aware of what attribute is used here, since the Access Manager performs the LDAP User Import operation. See LDAP User Import for further information on importing LDAP users.

    If a user is using SamAccountName as the RDN value, the user must use either =search or =[domain name] in the full name.

    Examples: SamAccountName=search, SamAccountName=dom

  6. Enter the User Base DN (distinguished name).
  7. Mark or clear the Use SSL checkbox, as appropriate for your LDAP Server.
  8. Optional. To inspect one or more trusted certificates, click Trusted Certificates and follow the instructions in that panel.
  9. Optional. To add a trusted certificate, click Add Trusted Certificates and follow the instructions in that panel.
  10. Optional. Click Test to verify the configuration. You will be informed of the results of the test. The configuration will also be tested whenever you click Apply to save changes.
  11. Click Apply. Guardium will attempt to authenticate a test user, and inform you of the results.