AAA field descriptions

Last Updated: Apr 26, 2023

RADIUS Server Authentication

Name

Description

Enabled

A check box indicating whether RADIUS user accounts are authenticated using Authentication, Authorization, and Accounting (AAA).

If selected, RADIUS user accounts are authenticated by the server selected in the RADIUS Server option.

If cleared, RADIUS user accounts are not authenticated.

RADIUS Server

Select the RADIUS server being used for AAA.

RADIUS Authentication Protocol

A drop-down menu listing all supported RADIUS authentication methods. The method selected here overrides the authentication protocol of the configured RADIUS profile. The currently supported methods are:

  • Password Authentication Protocol (PAP): The password is transmitted in plain text to the RADIUS server.

  • RFC 5090/Digest: The password is combined with one-time client and server values to generate an MD5 authentication token for use with an RFC 5090-compliant RADIUS server.

  • Challenge-Handshake Authentication Protocol (CHAP): The password is salted with a rolling ID, hashed, and transmitted to the RADIUS server.

RADIUS Realm

The realm to use when generating the Digest authentication token. Use the same value in this field as the value configured on the RADIUS server.

Use RADIUS as Fall-through Authenticator

Select this option to have a back-end authentication server handle authentication requests for users that are not defined in the EMS user list.

This is done by sending an Access-Request packet to the RADIUS server and looking for a specific attribute, named in the Role Name Attribute option, in the Access-Accept response. If the attribute is present, it must match a predefined role in the EMS (that is, System Administrator, Security Administrator, and so on); otherwise the authorization fails and the login request is rejected. If the attribute is not present in the response, the authorization fails and the login request is rejected.

Disabling fall-through authentication logs out all users who logged in using that functionality. A new option has been added to the user list to forcibly log out any logged-in user. This option is only available to users with System Administrator privileges.

Note:

When using both RADIUS authentication and X.509 certificate authentication at the same time, X.509 certificate support works only if the X.509 Authentication Mode option is set to Require X.509 Certificate and Password. With any other option, the login request fails in the authorization stage and is rejected.

Role Name Attribute

Enter the name to use as the role name attribute. By default, Role Name Attribute is set to Avaya-SBCE-Role-Name.

If you are using an attribute that is defined in the standard RADIUS dictionary, the standard dictionary is sufficient and a custom dictionary is not required.

However, if you are using the default attribute name Avaya-SBCE-Role-Name, or a vendor-specific attribute as the role attribute name, you must create a custom dictionary definition. A custom dictionary is required to handle the attribute that the Avaya SBC requires for authorization. A sample dictionary is provided below; its values can be modified if necessary. If a different RADIUS attribute is preferred, any attribute can be used, whether standard or custom.

Note:

There might be scenarios in which a custom dictionary is required to define a new attribute that Avaya SBC administration can recognize, or to handle conflicts if a RADIUS server is already using an existing Avaya dictionary. In these scenarios, Avaya SBC administration reads from the file /usr/local/ipcs/etc/gui-radius-dictionary, if it exists. Note that defining this file prevents Avaya SBC administration from reading the default dictionary; the contents of the file are used as the new dictionary instead.

####################################################################
# WARNING: This dictionary file is intended to be a sample and
# is intended to illustrate how to define attributes for use with
# the Avaya SBCE SSO fall-through authentication functionality.
# The identifiers in this file have not been officially allocated
# and may need modification to interop with other vendor specific
# attributes from Avaya or other vendors.
####################################################################
VENDOR Avaya-SBCE 6889
BEGIN-VENDOR Avaya-SBCE

ATTRIBUTE   Avaya-SBCE-Role-Name    1       string

END-VENDOR Avaya-SBCE
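The fall-through authorization rule described above (the role attribute must be present in the Access-Accept and match a predefined role) together with the sample dictionary, worked through in Python as an added example that is not Avaya's code: it parses the dictionary format shown, decodes the attribute section of a constructed Access-Accept (including the Vendor-Specific attribute for vendor 6889), and applies the accept/reject rule. The EMS role list and the packet bytes are constructed assumptions; the RADIUS packet header and Response Authenticator check are left out.

```python
# Roles named on this page (full list assumed) and the page's sample dictionary, embedded inline.
EMS_ROLES = {"System Administrator", "Security Administrator"}
SAMPLE_DICTIONARY = """
VENDOR Avaya-SBCE 6889
BEGIN-VENDOR Avaya-SBCE
ATTRIBUTE   Avaya-SBCE-Role-Name    1       string
END-VENDOR Avaya-SBCE
"""

def parse_dictionary(text):
    """Return {attribute name: (vendor id, attribute id)}; vendor id 0 marks a standard attribute."""
    vendors, vendor, attrs = {}, 0, {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # strip '#' comments, skip blank lines
        if not parts:
            continue
        if parts[0] == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif parts[0] in ("BEGIN-VENDOR", "END-VENDOR"):
            vendor = vendors[parts[1]] if parts[0] == "BEGIN-VENDOR" else 0
        elif parts[0] == "ATTRIBUTE":
            attrs[parts[1]] = (vendor, int(parts[2]))
    return attrs

def iter_avps(data, vendor=0):
    """Yield (vendor, type, value) for RFC 2865 AVPs, descending into Vendor-Specific (type 26)."""
    i = 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        value = data[i + 2:i + alen]
        if vendor == 0 and atype == 26 and len(value) >= 6:
            yield from iter_avps(value[4:], int.from_bytes(value[:4], "big"))
        else:
            yield vendor, atype, value
        i += alen

def authorize(accept_avps, attrs, role_attr="Avaya-SBCE-Role-Name"):
    """Page rule: the role attribute must be present and name a predefined role; None means reject."""
    wanted = attrs.get(role_attr)
    for vendor, atype, value in iter_avps(accept_avps):
        if (vendor, atype) == wanted:
            role = value.decode("utf-8", "replace")
            return role if role in EMS_ROLES else None
    return None

# Constructed Access-Accept attribute section: Reply-Message (18) then the role VSA (26, vendor 6889, sub-type 1).
SAMPLE_ACCEPT = bytes([18, 9]) + b"Welcome" + bytes([26, 30]) + (6889).to_bytes(4, "big") + bytes([1, 24]) + b"Security Administrator"
```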

LDAP Server Authentication

Name

Description

Enabled

Controls whether LDAP authentication is enabled.

Primary Server Address

The IP address and optional port of the primary LDAP server. If no port is specified, the default port is used. The default ports are 389 for non-secure/STARTTLS and 636 for SSL/TLS.

Secondary Server Address

(Optional) The IP address and optional port of the secondary LDAP server. If no port is specified, the default port is used. The default ports are 389 for non-secure/STARTTLS and 636 for SSL/TLS.

Secure Mode

Select one of the following options:

  • None: No encryption (not recommended)

  • SSL/TLS: Secure connection established via TLS handshake (highly recommended)

  • STARTTLS: Secure connection established by opening an unencrypted connection and then upgrading it to TLS (for legacy support, not recommended)

CA Certificate PEM File

The path to the Privacy Enhanced Mail (PEM) file on the EMS server that contains the trust anchors used to verify the server certificate when connecting with SSL or TLS. You must create this file and put it on the EMS server. If a path is not specified, the default path is used:

/usr/local/ipcs/etc/cert/gui/ldap-auth.pem

If a path is specified and the PEM file exists, it is used to build a trust manager, which in turn verifies the LDAP server certificate on connection. If at least one certificate matches a CA certificate in the trust manager, the verification succeeds. Otherwise, the verification fails and the connection attempt fails.

If a path is specified but the PEM file does not exist, all certificates are trusted. That is, the LDAP server certificate is not verified at all and any certificate is accepted.

Bind DN

The distinguished name (DN) used when initially authenticating to the LDAP server to perform the user lookup. This account must have sufficient permissions to search for and read the users that need to authenticate.

Bind Password

The password to send with the Bind DN when initially authenticating to the LDAP server.

Base DN

The base DN to use when searching for users.

User Domain

(Optional) A domain to use in LDAP searches.

User Search Filter

A filter used to search for an LDAP user. Only the first matching entry is retrieved, so this filter should be as specific as possible. The placeholders {username} and {domain} are replaced with the actual values when authentication takes place.

If no domain is specified, the filter defaults to (sAMAccountName={username}). If a domain is specified, the filter defaults to (userPrincipalName={username}@{domain}).
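The User Search Filter defaults and placeholder substitution above, and the CA Certificate PEM File rule (verify when the file exists, trust every certificate when it does not), as an added Python example that is not Avaya's code. The RFC 4515 escaping of substituted values, the injectable `exists` parameter, and the assumption that the default PEM path is subject to the same missing-file rule as a configured path are mine, not from the page.

```python
import os

DEFAULT_PEM = "/usr/local/ipcs/etc/cert/gui/ldap-auth.pem"  # default path given on this page

# RFC 4515 escapes for values substituted into a filter (added here, not described on the page):
# without them a username containing "*", "(" or ")" would change the filter's meaning
# instead of being matched literally.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def default_filter(domain):
    """The page's defaults: UPN form when a User Domain is set, otherwise sAMAccountName."""
    return "(userPrincipalName={username}@{domain})" if domain else "(sAMAccountName={username})"

def build_search_filter(username, domain=None, template=None):
    """Expand the {username} and {domain} placeholders of the configured (or default) filter."""
    template = template or default_filter(domain)
    return (template.replace("{username}", escape_filter_value(username))
                    .replace("{domain}", escape_filter_value(domain or "")))

def effective_verification(pem_path, exists=os.path.isfile):
    """Return ("verify", path) or ("trust-all", path) per the page's CA Certificate PEM File rule.

    Assumption: an unspecified path resolves to DEFAULT_PEM and follows the same rule, so a
    missing file at either location means the LDAP server certificate is not checked at all.
    """
    path = pem_path or DEFAULT_PEM
    return ("verify" if exists(path) else "trust-all"), path
```

Running effective_verification against the configured path before enabling LDAP is a cheap way to catch a typo in the path that would otherwise silently disable certificate checking.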

Timeout

The timeout, in seconds, before a connection attempt to the primary LDAP server is marked as failed and the next connection attempt is made (if a secondary LDAP server exists).

Use LDAP as Fall-through Authenticator

Select this option to have a back-end authentication server handle authentication requests for users that are not defined in the EMS user list.

This is done by running the User Search Filter on the LDAP server to find the user matching the provided credentials, and then fetching from that entry the LDAP attribute named in the Role Name Attribute option.

If the attribute is present, it must match a predefined role in the EMS (that is, System Administrator, Security Administrator, and so on); otherwise any authorization attempt for the user fails and the user's login requests are rejected. If the attribute is not present on the user, any authorization attempt for the user fails and the user's login requests are rejected.

Disabling fall-through authentication logs out all users who logged in using that functionality. A new option has been added to the user list to forcibly log out any logged-in user. This option is only available to users with System Administrator privileges.

Note:

When using both LDAP authentication and X.509 certificate authentication at the same time, X.509 certificate support works only if the X.509 Authentication Mode option is set to Require X.509 Certificate and Password. With any other option, the login request fails in the authorization stage and is rejected.

Role Name Attribute

Enter the name to use as the role name attribute. By default, Role Name Attribute is set to Avaya-SBCE-Role-Name. This attribute is not defined in most LDAP schemas and must be added to the directory schema for the feature to work. Alternatively, any other LDAP attribute can be used as long as it holds a string value.

For an example of how to define a custom attribute in Microsoft Active Directory, see:

https://social.technet.microsoft.com/wiki/contents/articles/20319.how-to-create-a-custom-attribute-in-active-directory.aspx

X.509 Server Authentication

Name

Description

Enabled

Controls whether X.509 certificate authentication is enabled. X.509 certificate authentication cannot be enabled unless the CA Trust Anchors Privacy Enhanced Mail (PEM) file exists on the file system.

CA Trust Anchors PEM File

This is a PEM file that should contain all CA trust anchors used to verify X.509 certificates. Multiple entries should be concatenated together.

CA Intermediaries PEM File

This is a PEM file that should contain all intermediate CAs used to construct trust chains used to validate certificates. These certificates are not implicitly trusted and are only used in reconstructing the trust chain. Multiple entries should be concatenated together.

CRL File

This is a PEM file that should contain all certificate revocation lists used to revoke X.509 certificates. Multiple entries should be concatenated together.

Authentication Mode

The method used to authenticate X.509 certificate users. Select one of the following options:

  • Accept X.509 Certificate or Password: The user will be authenticated if either a valid certificate or a valid password is provided.

  • Require X.509 Certificate: The user will be authenticated only if a valid certificate is provided. Any password entered by the user is ignored.

  • Require X.509 Certificate and Password: The user will be authenticated only if both a valid certificate and a valid password are provided.

RADIUS Server

Name

Description

Server Name

A descriptive name to identify the RADIUS server.

Primary Address (ip:port)

The IP address and port number of the server designated as the primary RADIUS server.

Secondary Address (ip:port)

The IP address and port number of the server designated as the secondary RADIUS server.

Retry Timeout (seconds)

The maximum time, in seconds, allowed for a successful authentication to complete. If authentication is not completed within this time, the SBC ends the connection automatically and generates an incident.

Max Retry

The maximum number of times that a user can attempt to authenticate before the SBC ends the connection.

Ignore Session Expire

A check box indicating whether the RADIUS session terminates upon receipt of the SESSION EXPIRE message.

Select this check box for Avaya SBC to maintain the current session upon receipt of the SESSION EXPIRE message.

Clear the check box for Avaya SBC to end the current RADIUS session upon receipt of the SESSION EXPIRE message.

Server Mode

The method that the Avaya SBC security device uses to select the RADIUS server that authenticates a user. The options are:

  • Active Standby

  • Round Robin

Authentication Protocol

The authentication protocol to be used for RADIUS authentication. The options are:

  • None

  • EAP_TTLS/EAP_PAP

  • EAP_PEAP/EAP_GTC

Server Secret

The shared secret maintained between the Avaya SBC security device and the active RADIUS server, with which communications between the two are encrypted.

Confirm Server Secret

Re-enter the shared secret maintained between the Avaya SBC security device and the active RADIUS server.

Accounting Server

A check box indicating whether this RADIUS server is also designated as an Accounting Server and receives CDRs.

Select this check box to indicate that the RADIUS server is also an Accounting Server and can receive CDRs.

Clear the check box to indicate that the RADIUS server is not an Accounting Server and does not receive CDRs.