Ldap/Active Directory Authentication - ADTRAN BlueSecure Controller Setup And Administration Manual

Software release version: 6.5

Chapter 6: Authentication Using External Servers
3. The Default Redirect URL field on the General HTTP Settings page (see "HTTP Server Settings" on page 10-2).
Note: If the user is assigned a role on the Edit Role page with Thank You HTML text
specified, the browser displays the Thank You page and no redirection occurs. The user
can click on the link to go to the URL, but they are not automatically redirected to that link.
Location
Optional. Specify the user location from which the RADIUS authentication request must
originate by selecting a defined user location from the Location drop-down menu. If a
user location is specified, the RADIUS authentication request will not be attempted if the
request does not come from that location.
Notes
Optional. Enter a meaningful description for the external RADIUS authentication server in
the Notes field.
Saving the Settings
Click Save to store the information to the BSC database or Save and create another to
continue to define external RADIUS authentication servers. You may be prompted to
restart the BSC. We recommend that you do not restart the BSC until you have completely
finished configuring the BSC for use in your network.

LDAP/Active Directory Authentication

Note: You may need to set up the BSC to communicate with an LDAP/Active Directory
authentication server over Secure Sockets Layer (SSL). To do so, you must first upload the
appropriate certificate(s) to the BSC as described in "Configuring External Server
Authentication Over SSL" on page 10-21 before following the steps in this section to set
up an LDAP/Active Directory authentication server.
LDAP uses a database schema to store user information and authentication credentials.
The database uses a hierarchical tree structure with a root at the base of the tree and
branches at the top of the tree.
Objects in the tree are classified based upon the LDAP schema.
dc = domain container or domain controller
cn = common name
ou = organizational unit
The base entry specifies the level of the tree where the BlueSecure Controller starts to look
at the database. The base entry field value should specify a level low enough in the tree
to allow the BlueSecure Controller to search for all the user credentials at or above the
level of the base entry.
The unique ID attribute field specifies the unique identifier that is used to distinguish each
user record in the LDAP database. userid is a common unique identifier that is used by
many LDAP servers. The Microsoft Active Directory Server LDAP implementation uses
sAMAccountName as the unique identifier.
The BlueSecure Controller must bind to the LDAP server to look up the user in the LDAP
database. The BlueSecure Controller can use anonymous binding when it is supported by
the LDAP server. The LDAP user is used to bind to LDAP servers that do not support
anonymous binding. The LDAP user field must contain the distinguished name of the LDAP
user. An LDAP distinguished name is equivalent to a DNS fully qualified domain name or
a disk operating system explicit directory path. The Microsoft Active Directory Server
LDAP implementation does not support anonymous binding.
Dynamic role assignment parses the LDAP attributes to determine which role a user should
be assigned to. The dynamic role assignment logic operates on a first match basis. If
there is no match, the user will be assigned to the default role. The default role can also
be used when dynamic role assignment is not configured.
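As an added example (not code from the ADTRAN manual or from the BSC itself), the Python below models the lookup described in this section: a base entry that scopes the search, a unique ID attribute (sAMAccountName for Active Directory, userid elsewhere), and first-match dynamic role assignment that falls back to the default role. The directory entries, role rules and attribute names are constructed sample data; the bind step against the LDAP server is not modelled.

```python
# Added example (not from the ADTRAN manual): models how a controller like the BSC
# resolves an LDAP/AD user and applies first-match dynamic role assignment.
# DIRECTORY is a constructed in-memory stand-in for a real LDAP server.
DIRECTORY = {  # constructed sample entries: distinguished name -> attributes
    "cn=alice,ou=staff,dc=example,dc=com": {
        "sAMAccountName": "alice", "memberOf": ["cn=netadmins,ou=groups,dc=example,dc=com"]},
    "cn=bob,ou=guests,dc=example,dc=com": {
        "sAMAccountName": "bob", "memberOf": []},
    "cn=carol,dc=other,dc=com": {
        "sAMAccountName": "carol", "memberOf": ["cn=netadmins,ou=groups,dc=example,dc=com"]},
}

def dn_components(dn):
    """Split a DN into its RDNs, normalised for case and whitespace."""
    return [part.strip().lower() for part in dn.split(",")]

def in_subtree(entry_dn, base_dn):
    """True if entry_dn sits at or below the base entry base_dn."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

def find_user(base_dn, uid_attr, username, directory=DIRECTORY):
    """Return (dn, attrs) of the first entry under base_dn whose unique ID attribute matches."""
    for dn, attrs in directory.items():
        if in_subtree(dn, base_dn) and attrs.get(uid_attr) == username:
            return dn, attrs
    return None

# Dynamic role rules (constructed): (attribute, expected value, role), checked top to bottom.
ROLE_RULES = [
    ("memberOf", "cn=netadmins,ou=groups,dc=example,dc=com", "Admin"),
    ("memberOf", "cn=staff,ou=groups,dc=example,dc=com", "Staff"),
]

def assign_role(attrs, rules=ROLE_RULES, default_role="Guest"):
    """First-match role assignment; the default role applies when no rule matches."""
    for attribute, expected, role in rules:
        values = attrs.get(attribute, [])
        values = values if isinstance(values, list) else [values]
        if expected in values:
            return role
    return default_role

def authenticate_role(base_dn, uid_attr, username, default_role="Guest"):
    """Look the user up under the base entry and resolve a role; None if not found."""
    found = find_user(base_dn, uid_attr, username)
    if found is None:
        return None
    return assign_role(found[1], default_role=default_role)
```

Note that carol is never found under dc=example,dc=com even though her group membership would match the first rule, and that alice is not found when the unique ID attribute is set to userid rather than sAMAccountName: the base entry and unique ID attribute decide whether a record is reachable at all, before any role logic runs.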
6-6