Authentication Servers
An administrator can add and use more than one external authentication server. A maximum of five authentication servers can be configured in a cascading manner using the priority: if a user cannot be found in the highest-priority server, the lower-priority servers are searched in turn.
- To configure the HySecure Authentication priority, open the Management Console and expand Access Management.
- Select VPN Domain from the submenu. Use the drop-down list in the Authentication Servers box to specify the priority order for authenticating users to HySecure.
- You can delete servers from the priority list by using the Delete Server option. Note: Deleting servers from this list does NOT remove the authentication servers from the system.
Authorization Servers
If the authentication server cannot provide role/group information for an incoming user, a separate authorization server can be specified to provide the user's role information. Authentication servers such as OTP token or RSA SecurID servers may not provide role information to HySecure, and HySecure requires the user's role in order to assign applications to the user. With such servers, an additional external authentication server or native groups can be used to decide the role of the user.
Authentication is performed against the external authentication server, and the username is then searched in the configured external authorization server.
Authorization servers can also be configured in a cascading manner using the priority. A maximum of two authorization servers can be configured.
- Selecting the option Same as Authentication Server causes authorization to be performed against the authentication server through which the user was authenticated.
- Otherwise, simply add the authentication server of your choice to be used for the authorization search on login.
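The cascaded lookup described above, as an added example that is not HySecure's code: a small model in which up to five authentication servers are tried in priority order and, when the authenticating server returns no group information, the authorization entries (at most two, where the special Same as Authentication Server entry means "ask the server that authenticated the user") are consulted for the role. Server names, users and groups are constructed sample data.

```python
# Added example (not HySecure's code): models the cascaded authentication
# and authorization lookup described on this page. All data is constructed.
from dataclasses import dataclass, field

MAX_AUTH_SERVERS = 5   # limit stated on the page
MAX_AUTHZ_SERVERS = 2  # limit stated on the page
SAME_AS_AUTH = "same_as_authentication_server"  # stands for the console option

@dataclass
class Server:
    name: str
    users: dict = field(default_factory=dict)   # username -> password (sample)
    groups: dict = field(default_factory=dict)  # username -> groups; empty for OTP/RSA-style servers

    def authenticate(self, user, password):
        return self.users.get(user) == password

    def find_groups(self, user):
        return self.groups.get(user)  # None when the user is unknown here

def login(auth_servers, authz_servers, user, password):
    """Return (authenticating_server_name, roles), or None when access is refused."""
    if len(auth_servers) > MAX_AUTH_SERVERS or len(authz_servers) > MAX_AUTHZ_SERVERS:
        raise ValueError("too many servers configured")
    # 1. Walk authentication servers in priority order; the cascade moves on only
    #    when the user is not found, so the first server holding the user decides.
    auth = next((s for s in auth_servers if user in s.users), None)
    if auth is None or not auth.authenticate(user, password):
        return None
    # 2. Resolve roles from the authorization cascade. This is what rescues users
    #    of OTP/RADIUS servers that return no group information.
    for az in authz_servers:
        roles = auth.find_groups(user) if az == SAME_AS_AUTH else az.find_groups(user)
        if roles:
            return auth.name, roles
    # Authenticated but without a role: HySecure cannot assign any application.
    return auth.name, []
```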
Authentication Servers
As well as having a local database of users who can authenticate to HySecure, you can configure authentication servers that allow integration with LDAP-based directories such as Active Directory, or with RADIUS-based authentication systems. Once configured, these Authentication Servers become active in the VPN Domains and Access Controls pages.
Adding Authentication Server
- Open HySecure management console.
- Click to expand Access Management, and then click Authentication Servers.
- Click Add to specify a new Authentication Server.
- Choose one of AD/LDAP, RADIUS or ProID.
Adding LDAP Server
The option to add LDAP as a separate authentication server was added in HySecure 5016.
- Go to AUTH MANAGEMENT > Authentication Servers.
- Click the Add button and select AD/LDAP.
- Select LDAP as the server type and enter the LDAP details as shown below.
# | FIELD | TYPE | DESCRIPTION |
---|---|---|---|
1 | Server Name | String | Enter an identifier for the External AD/LDAP Authentication Server in this field. This identifier is used to identify the server being configured, in different reports, logs and configuration screens of HySecure |
2 | IP Address / Host Name | IP or String | Enter the IP address, host name, or FQDN of the AD/LDAP server. This will be the Primary Server address |
3 | Enable Failover Option | CheckBox | Select this checkbox if there are failover servers available |
4 | List of Failover Servers | IP or String list | Enter semicolon-separated IP addresses or hostnames which will act as AD failover servers. A maximum of 20 servers can be added to the list |
5 | Port | Number | The default AD/LDAP port number 389 is displayed in the Port field. You can change this port number if your AD/LDAP server runs on a different port. If a secure connection is to be established with the AD, the default SSL port 636 must be entered and the "Enable SSL" checkbox on this page must be checked |
6 | Admin Bind DN | id=value pair(s) | Enter the Distinguished Name of the admin in this field. For example, for an admin of the domain "mycompany.com", the admin's DN can be cn=admin,cn=users,dc=mycompany,dc=com. This DN will be used to log in to the AD for any needed operations |
7 | Admin Password | String | Enter the admin password in this field. |
8 | Base DN | id=value pair | Enter the Base Distinguished Name on the AD server under which the users will be searched. For example, the Base DN for the domain "mycompany.com" and the finance department can be of the form OU=finance,dc=mycompany,dc=com |
9 | User Search Attribute | String | Enter the attribute of the user record in AD/LDAP that is used to search for the user in the AD. The search is needed when a user logs into HySecure by providing a name; this name is then matched against the configured attribute value in AD. By default it is 'samAccountName'. However, if the AD is configured with the attribute 'cn' containing the username, then this field should have the value 'cn'. "User Principal Name" support is also available, to allow login through an email id: to use it, enter "upn" in this field. Additional configuration for UPN support is needed by selecting the appropriate "Domain Suffix Configuration" option |
10 | User Group Search Attribute | String | This field should contain the attribute of the user record on AD/LDAP from which the group information of the user is extracted for authorization purposes. The group information is needed when policies are configured for groups rather than for users. By default, the attribute used is 'MemberOf' |
11 | User Email Address Attribute | String | Enter the attribute of the user record on AD/LDAP from which the mail address of the user is extracted. This attribute is typically used to send an OTP while logging in to HySecure. The default attribute used is 'mail' |
12 | User Mobile Number Attribute | String | Enter the attribute of the user record on AD/LDAP from which the mobile number of the user is extracted. This attribute is typically used to send an OTP over SMS while logging in to HySecure. The default attribute used is 'telephoneNumber' |
13 | Enable SSL | CheckBox | This should be checked if encrypted communication with the AD is expected. In this case, the "Port" field should contain the port used for encrypted communication with the AD, which by default is 636. This should also be checked when the AD password is expected to be changeable from HySecure itself using the Self Service Portal, as the password change needs to be encrypted |
Domain Suffix Configuration
# | FIELD | DESCRIPTION |
---|---|---|
1 | Use the domain name entered by user | Select this option to use the domain as entered by the user while logging in. For example, if the user enters the name as username@mycompany.com, the domain is taken as mycompany.com and the user is searched for in that domain |
2 | Use the domain name configured here | Select this option and enter the domain to use. In this case the user needs to enter just the name while logging in, and the user is searched for in the domain entered in this field |
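An added example, not HySecure's code, that ties the AD/LDAP fields and the Domain Suffix Configuration above together: it derives the LDAP search that the configured Base DN, User Search Attribute and suffix option imply, escapes the login name so it cannot alter the filter, and builds an ldapsearch command with which the Bind DN and attribute settings can be checked before the form is submitted. Mapping the page's "upn" setting to the AD attribute userPrincipalName is an assumption; all host, DN and user values are constructed samples.

```python
# Added example (not HySecure's code): derives the LDAP lookup implied by the
# Authentication Server fields above, so the Bind DN, Base DN and search
# attribute can be checked with ldapsearch before the form is submitted.
# Mapping the page's "upn" setting to the AD attribute userPrincipalName is
# an assumption; all host, DN and user values here are constructed samples.

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515), so a login
    name such as 'a*' or 'x)(cn=*' cannot change the shape of the query."""
    specials = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def split_login(login, suffix_mode, configured_domain=None):
    """Apply the Domain Suffix Configuration: 'entered' takes the domain the
    user typed (user@domain); 'configured' uses the domain set in the console."""
    if suffix_mode == "entered":
        name, sep, domain = login.partition("@")
        return name, (domain if sep else None)
    if suffix_mode == "configured":
        if not configured_domain:
            raise ValueError("configured domain suffix is required")
        return login, configured_domain
    raise ValueError(f"unknown suffix mode: {suffix_mode}")

def build_user_search(login, search_attr, base_dn, suffix_mode, configured_domain=None):
    """Return (base_dn, filter, attributes) for locating the user record."""
    name, domain = split_login(login, suffix_mode, configured_domain)
    if search_attr.lower() == "upn":
        if not domain:
            raise ValueError("UPN login needs a domain suffix")
        attr, value = "userPrincipalName", f"{name}@{domain}"  # assumed AD attribute
    else:
        attr, value = search_attr, name  # e.g. samAccountName or cn, as on the page
    ldap_filter = f"({attr}={escape_filter_value(value)})"
    # page defaults for the group, mail and mobile number attributes
    return base_dn, ldap_filter, ["memberOf", "mail", "telephoneNumber"]

def ldapsearch_command(host, port, enable_ssl, bind_dn, base_dn, ldap_filter, attrs):
    """Build the ldapsearch argv; -W prompts for the bind password instead of
    placing it on the command line. With Enable SSL the page default port is 636."""
    url = f"{'ldaps' if enable_ssl else 'ldap'}://{host}:{port}"
    return ["ldapsearch", "-LLL", "-H", url, "-D", bind_dn, "-W",
            "-b", base_dn, ldap_filter, *attrs]

if __name__ == "__main__":
    base, flt, attrs = build_user_search("jdoe@mycompany.com", "upn",
                                         "OU=finance,dc=mycompany,dc=com", "entered")
    print(" ".join(ldapsearch_command("ad.mycompany.com", 636, True,
                   "cn=admin,cn=users,dc=mycompany,dc=com", base, flt, attrs)))
```

The returned memberOf, mail and telephoneNumber values are exactly what the gateway needs for group-based policies and OTP delivery, so an empty result here points at the Base DN or search attribute rather than at HySecure.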
User Interface Configuration
# | FIELD | DESCRIPTION |
---|---|---|
1 | Message for Users | Enter the message which you expect to be displayed to the user on the login window of the client. In absence of this message a default message gets displayed |
2 | Username label | Enter the name of label to be displayed against the username on the login window of the client. |
3 | Password label | Enter the name of the label to be displayed against the password on the login window of the client. |
Adding RADIUS Server
# | FIELD | TYPE | DESCRIPTION |
---|---|---|---|
1 | Server Name | String | Enter an identifier of the External RADIUS Authentication Server in this field. This identifier is used to identify the server being configured, in different reports, logs and configuration screens of HySecure |
2 | IP Address / Host Name | IP or String | Enter the IP address, host name, or FQDN of the RADIUS server. |
3 | Port | Number | The default RADIUS port number 1812 is displayed in the Port field. Please note that you can change this port number as needed. |
4 | Shared Secret | String | Enter the admin shared secret to be used for communication with the RADIUS server |
5 | Server Prefix | String |
- Type the administration password of the RADIUS server in the Shared Secret field.
- Click Submit to save the configuration data, or Reset to clear all data in this screen. The message "Radius configuration info updated successfully" will be displayed. NB: AD/LDAP and RADIUS users must download the root certificate (cacert.cer) and import it into the list of Trusted Root Certification Authorities.
Adding ProID Server
One or more ProID servers can be created and assigned to a VPN domain. A ProID server only provides authentication services; authorization is not provided by the ProID server. We recommend that Active Directory be used in conjunction with ProID to provide group-based assignment of resource access.
For more information on installing and configuring the ProID server please refer to HySecure - ProID Install Guide.
Type an identifier for the External ProID Authentication Server in the Server Name field. Type the IP address, host name, or FQDN of the ProID server in the Host Name field. Change the port number to 8443 in the Port field. Type the Organization ID of the ProID authentication server in the Org ID field (contact your ProID Authentication Server administrator to get the Org ID value).
Type the Caller ID of the ProID authentication server in the Caller ID field (contact your ProID Authentication Server administrator to get the Caller ID value).
The tokens listed can be enabled and used to authenticate users.
- Enable Dual Authentication - If checked, the user will be asked to enter HySecure credentials as well as the OTP.
User Interface Configuration:
- Message for users - This message will be sent to the user with the OTP.
- Username label, Password label, OTP labels - These labels will be displayed to the user in the portal.
Click Submit to save the configuration data or Reset to clear all data in this screen.