• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
How to -_implement_clientless_single_sign_on_authentication_in_single_active_directory_domain_controller_environment
 

How to -_implement_clientless_single_sign_on_authentication_in_single_active_directory_domain_controller_environment

on

  • 395 views

 

Statistics

Views

Total Views
395
Views on SlideShare
395
Embed Views
0

Actions

Likes
0
Downloads
15
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    How to -_implement_clientless_single_sign_on_authentication_in_single_active_directory_domain_controller_environment How to -_implement_clientless_single_sign_on_authentication_in_single_active_directory_domain_controller_environment Document Transcript

    • How ToHow ToClientless Single Sign On Clientless with Active Directory - Implement - Implement Authentication Single Sign On Authentication in Single Active Directory Domain Controller Environment Applicable to – All the versions of Windows This article describes how to implement Clientless single sign on authentication with Active Directory integration. Cyberoam – ADS integration feature allows Cyberoam to map the users and groups from Active Directory for the purpose of authentication. Prerequisites:  NetBIOS Domain name  FQDN Domain name  Search DN  Active Directory Server IP address  Administrator Username and Password (Active Directory Domain)  IP address of Cyberoam Interface connected to Active Directory server  Import AD groups  Configure Clientless SSOConfiguring ADS authentication Logon to Cyberoam Web Admin Console and follow the below given steps: Step 1: Create ADS user groups. Please check Cyberoam version before you continue as this is version specific step. All Versions below 9.5.3 build 14 Go to Group> Add Group and create all the ADS user groups For mapping the ADS user groups with the Cyberoam user groups, create all the ADS user groups into Cyberoam before ADS users log on to Cyberoam for the first time. If the ADS groups are not created in Cyberoam, all the users will be assigned to the Default group of Cyberoam. If all the ADS user groups are created in Cyberoam before users log on to Cyberoam then user will be automatically created in the respective group when they log on to Cyberoam. Version 9.5.3.14 or above Instead of creating groups again in Cyberoam, you can import AD groups into Cyberoam using Import Wizard. One can import groups only after integrating and defining AD parameters into Cybeoam. If you intend to import group, skip this step. Step 2: Define Authentication parameters Go to User>Authentication Settings Select „Active Directory‟ under Configure Authentication & Integration parameters 1
    • How To - Implement Clientless Single Sign On Authentication with Active DirectorySelect Default Group.Cyberoam will create user(s) in the respective groups if groups are already created in Cyberoamotherwise user will be created in the group selected as Default group.Click Update to save the settingsStep 3: Configure Cyberoam to use Active DirectoryClick Add to configure Active Directory parametersSpecify IP address of Active DirectorySpecify TCP/IP port number in Port field. It is the port on which ADS server listens for theauthentication requests. On Cyberoam appliance, the default port for ADS traffic is 389. If your ADserver is using another port, specify port number in Port field. 2
    • How To - Implement Clientless Single Sign On Authentication with Active DirectorySpecify NetBIOS Domain name. If you do not know NetBIOS name, refer to section „DetermineNetBIOS Name, FQDN and Search DN‟.Specify Active Directory Administrator Username and passwordCyberoam allows implementing AD integration in two ways:  Tight Integration – With tight integration, Cyberoam synchronizes groups with AD every time the user tries to logon. Hence, even if the group of a user is changed in Cyberoam, on subsequent log in attempt, user logs on as the member of the same group as configured in Active Directory. In this case group membership of each user is as defined in the Active Directory.  Loose Integration – With loose integration, Cyberoam does the Group management and does not synchronize groups with AD when user tries to logon. By default, users will be the member of Cyberoam default group irrespective of Active Directory group, administrator can change the group membership. Cyberoam will use authentication attribute for authenticating users with Active Directory.Click “Test Connection” to check whether Cyberoam is able to connect to the Active Directory ornot. If Cyberoam is able to connect to the Active Directory, click Add to save the configuration.Step 4: Add Domain QueryIf Cyberoam is able to connect to the Active Directory, click Add to enter Domain name 3
    • How To - Implement Clientless Single Sign On Authentication with Active DirectoryEnter Domain name (FQDN Domain Name)Click Add and enter Search DN. Check the steps provided in section „Determine NETBIOS Name,FQDN and Search DN‟ to find the Search DN.Click OK to save the query. 4
    • How To - Implement Clientless Single Sign On Authentication with Active DirectoryClick Save to save the Domain detailsStep 5: Test Active Directory integrationGo to Help>Downloads and click HTTP to open the HTTP client login page.Specify username and password 5
    • How To - Implement Clientless Single Sign On Authentication with Active DirectoryUsername will be displayed on User>Manage Live Users page if user is able to log on toCyberoam successfully.This completes the AD configuration.Import AD GroupsIf you have deployed v 9.5.3 build 14 or above, import AD groups into Cyberoam using ImportWizard before configuring for single sign on. 6
    • How To - Implement Clientless Single Sign On Authentication with Active DirectoryClientless Single Sign on Implementation Transparent Authentication (Clientless Single Sign on) Cyberoam introduces Clientless Single Sign On as a Cyberoam Transparent Authentication Suite (CTAS). With Single Sign On authentication, user automatically logs on to the Cyberoam when logs on to Windows through his windows username and password. Hence, eliminating the need of multiple logins and username & passwords. But, Clientless Single Sign On not only eliminates the need to remember multiple passwords – Windows and Cyberoam, it also eliminates the installation of SSO clients on each workstation. Hence, delivering high ease-of-use to end-users, higher levels of security in addition to lowering operational costs involved in client installation. Cyberoam Transparent Authentication Suite (CTAS) CTA Suite consists of CTA Agent – It monitors user authentication request coming on the domain controller and sends information to the Collector for Cyberoam authentication. CTA Collector – It collects the user authentication request from multiple agents, processes the request and sends to Cyberoam for authentication. How does Cyberoam CTA Agent work? User Authentication Information Collection Process 1. User tries to log on to the Active Directory Domain Controller from any workstation in LAN. Domain Controller tries to authenticate user credentials. 2. This authentication process is captured and communicated to CTA Collector over default port 5566 by CTA Agent real time. 3. CTA Collector registers user in the Local database and communicates user information to Cyberoam over the default port 6060 4. Cyberoam queries Active Directory to determine user‟s group membership and registers user in Cyberoam database Based on data from CTA Agent, Cyberoam queries AD server to determine group membership and based on which access is granted or denied. Users logged into a workstation directly i.e. locally but not logged into the domain will not be authenticated and are considered as “Unauthenticated” or “Guest” user. For users that are not logged into the domain, the HTTP Login screen prompting for a manual login will be displayed for further authentication. Step 6: Installing CTA Suite Download CTA Suite from www.cyberoam.com/cyberoamclients.html Extract ctas.rar and install CTA Suite on Domain controller by following the on-screen instructions. Administrative right is required to install CTA Suite. 7
    • How To - Implement Clientless Single Sign On Authentication with Active DirectoryCheck for “Cyberoam Transparent Authentication Suite” tab from “Start” > “All Programs”.If installed successfully, “Cyberoam Transparent Authentication Suite” tab will be added.Consider the below given hypothetical network example where single domain controller isconfigured and follow the below given steps to configure Cyberoam Transparent Authentication: 8
    • How To - Implement Clientless Single Sign On Authentication with Active DirectoryStep 7: Configure CTA Collector from CTA Collector Tab on Primary Domain ControllerIf “logoff detection settings” is enabled and firewall is configured on the Workstation, please allowthe traffic to and from Domain controller. 9
    • How To - Implement Clientless Single Sign On Authentication with Active DirectoryStep 8: Configure Agent from CTA Agent Tab on Primary Domain Controller 10
    • How To - Implement Clientless Single Sign On Authentication with Active Directory 11
    • How To - Implement Clientless Single Sign On Authentication with Active DirectoryStep 9: Configure CyberoamLogon to CLI Console with default password, go to Option 4 Cyberoam Console and executefollowing command at the prompt:corporate>cyberoam cta enablecorporate>cyberoam cta collector add collector-ip <ipaddress> collector-port<port number>Please make sure that you restart management services after enabling the CTA services. 12
    • How To - Implement Clientless Single Sign On Authentication with Active DirectoryStep 10: Enable Security Event logging on Active DirectoryThis completes the configuration. 13
    • How To - Implement Clientless Single Sign On Authentication with Active DirectoryDetermine NetBIOS Name, FQDN and Search DN On the ADS server:  Go to Start>Programs > Administrative Tools > Active Directory Users and Computers  Right Click the required domain and go to Properties tab  Search DN will be based on the FQDN. In the given example FQDN is elitecore.com and Search DN will be DC=elitecore, DC=com Document Version: 2.0-15/07/2011 14