Add authentication methods to LDAP Server or Active Directory Server elements
Authentication Methods specify the allowed authentication methods for the users stored on the Active Directory or LDAP server.
You can optionally use LDAP authentication for simple password authentication against the LDAP database on the external directory server where the user accounts are stored. When users authenticate to the NGFW Engine, the NGFW Engine sends the user name and password to the external directory server for authentication. The external directory server checks the user name and password against the user's credentials in the directory, and then tells the firewall whether the authentication succeeded or failed.
You can optionally use the Internet Authentication Service (IAS) in previous Windows Server versions or the Network Policy Server (NPS) in Windows Server 2008 to authenticate end users. You must configure the IAS/NPS as a RADIUS server, and define each Firewall engine that authenticates users as a separate RADIUS client for IAS/NPS. Use the NDI addresses when you define Firewall Clusters as RADIUS clients for IAS/NPS. The IAS/NPS must have access to user information in the Active Directory. The user accounts must have remote access permissions. Set up the IAS/NPS as explained in the Microsoft Server documentation. The SMC does not support the Message-Authenticator attribute option available in the IAS/NPS, and is not NAP-capable. Only PAP authentication is supported.
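The paragraph above describes the firewall acting as a RADIUS client that sends PAP credentials to IAS/NPS. As an added example (not part of this page or the product's own code), the following stand-alone Python encodes a PAP Access-Request as RFC 2865 defines it and decodes it on the server side with the shared secret; the user name, password, secret and NAS address are constructed sample values, and it is written to show how the credential's protection depends entirely on the shared secret.

```python
import hashlib
import ipaddress
import os
import struct

# RFC 2865 values. The page says only PAP is supported, so the credential
# travels in User-Password (type 2), hidden with the RADIUS shared secret.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4

def _pap_xor(data, secret, authenticator, hiding):
    """RFC 2865 section 5.2 chain: mask_i = MD5(secret + prev), where prev is the
    Request Authenticator for block 1 and the previous hidden block afterwards."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if hiding else block  # the hidden block always feeds the next mask
    return bytes(out)

def hide_password(password, secret, authenticator):
    """Client side: NUL-pad to a multiple of 16 bytes, then hide. The protection is
    only as strong as the shared secret, which is why it must be long and random."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS PAP passwords must be 1..128 bytes")
    return _pap_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)

def reveal_password(hidden, secret, authenticator):
    """Server side (what IAS/NPS does before checking the account in Active Directory).
    Trailing NULs are padding: RFC 2865 cannot carry a password that ends in NUL."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    return _pap_xor(hidden, secret, authenticator, False).rstrip(b"\x00")

def _attr(attr_type, value):
    if len(value) > 253:  # Type-Length-Value; the length byte includes its 2-byte header
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, user, password, secret, nas_ip, authenticator=None):
    """Encode a PAP Access-Request as the RADIUS client (the firewall, identified by its
    NDI address in NAS-IP-Address) would send it. authenticator is random unless given."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet, secret):
    """Decode header and attributes and reveal the password with the shared secret,
    rejecting the malformed lengths a server must never trust."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("not a well-formed Access-Request")
    n, authenticator, result, pos = len(packet), packet[4:20], {"identifier": packet[1]}, 20
    while pos < n:
        if pos + 2 > n or packet[pos + 1] < 2 or pos + packet[pos + 1] > n:
            raise ValueError("malformed attribute length")
        attr_type, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if attr_type == ATTR_USER_NAME:
            result["user"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            result["password"] = reveal_password(value, secret, authenticator).decode()
        elif attr_type == ATTR_NAS_IP_ADDRESS:
            result["nas_ip"] = str(ipaddress.IPv4Address(value))
        pos += packet[pos + 1]
    return result
```

Because the page notes that the Message-Authenticator attribute is not supported, nothing in this request authenticates the packet itself; only the User-Password value is tied to the shared secret.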
For more details about the product and how to configure features, click Help or press F1.
Steps
- On the Authentication tab of the Active Directory Server or LDAP Server properties, configure the settings according to the type of server.
- Click OK.
Active Directory Server Properties dialog box
Use this dialog box to define Active Directory Server properties.
| Option | Definition | 
|---|---|
| General tab | |
| Name | The name of the element. | 
| IP Address | Specifies the server IP address. IPv4 addresses, IPv6 addresses, and fully qualified domain names (FQDNs) are supported. You can enter only one IPv4, IPv6 or FQDN as the IP address. | 
| Resolve | Automatically resolves the IP address of the server. | 
| Location | A Location is needed if NAT is applied between a Firewall or Management Server and the Active Directory server. | 
| Contact Addresses | | 
| LDAP Protocol | Specifies the LDAP protocol that is used for the LDAP connection. | 
| LDAP Port (Optional) | Specifies the port number if the server communicates on a port other than the default TCP 389 port. The predefined Firewall Template allows the engines to connect to the default port. If you change to a custom port, you must add an Access rule to allow the traffic. | 
| Timeout | Specifies the time (in seconds) that SMC components wait for the server to reply. | 
| TLS Profile (When the LDAP Protocol is LDAPS or Start TLS) | Specifies the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic. Click Select to select a TLS Profile element. | 
| TLS Server Identity (When the LDAP Protocol is LDAPS or Start TLS) | Determines how the identity of the LDAP server is verified. | 
| Base DN | Enter the LDAP tree under which the authenticating users’ accounts are stored. Example (DNS-based tree): dc=example,dc=com Example (“O-based” tree used, for example, in Novell eDirectory): ou=astronauts,o=government,st=Florida,c=US | 
| Anonymous (Optional) | When selected, allows NGFW Engines and Management Servers to connect to the LDAP server without a user name and password. When the option is selected, the Bind User ID and Bind Password options are not available. | 
| Bind User ID | Define the Distinguished Name of the User ID that the Firewalls and Management Servers use to connect to the server. This user account must exist in the user database. Make sure the account you use has the permissions to manage other user accounts. Example (DNS-based tree): uid=ExampleOrganization,ou=Administrators,dc=example,dc=com Example (“O-based” tree used, for example, in Novell eDirectory): uid=ExampleOrganization,ou=Administrators,ou=astronauts,o=government,st=Florida,c=US | 
| Bind Password | Specifies the password for the user account that the Firewalls and Management Servers use to connect to the server. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option. | 
| Category (Optional) | Includes the element in predefined categories. Click Select to select a category. | 
| Tools Profile | Adds commands to the element right-click menu. Click Select to select an element. | 
| Comment (Optional) | A comment for your own reference. | 
| Check Connectivity | Tests connectivity to the Active Directory Server. | 
| Option | Definition | 
|---|---|
| Object Classes tab | |
| User ObjectClass | Allows you to add user object classes manually. If your Active Directory server uses user object classes that are not defined in the SMC by default, you must add those object classes to the Active Directory Server object classes in the server properties. This way, the existing classes on the Active Directory server can also be used for authentication. | 
| Add | Adds the user objectclass name to the list of available classes. | 
| Remove | Removes the user objectclass name from the list of available classes. | 
| Group ObjectClass | Allows you to add group object classes manually. If your Active Directory server uses group object classes that are not defined in the SMC by default, you must add those object classes to the Active Directory Server object classes in the server properties. This way, the existing classes on the Active Directory server can also be used for authentication. | 
| Add | Adds the group objectclass name to the list of available classes. | 
| Remove | Removes the group objectclass name from the list of available classes. | 
| Option | Definition | 
|---|---|
| Attributes tab | |
| Schema | | 
| UserId | Specifies the name of the attribute that is used as the UserID. This attribute can be used to identify users by their UserID in certificate authentication. | 
| Group Member | Specifies the name that the server uses for the Group Member Attribute. The default value is member for standard schema, and sgMember for updated schema. | 
| Authentication (Updated Schema only) | Specifies the Authentication Attribute for storing the authentication method information. The default value is sgauth. | 
| Display Name (Updated Schema only) | Specifies the name that the server uses for the Display Name attribute. | 
| E-mail (Updated Schema only) | Specifies the name of the attribute that is used for storing user email addresses. This attribute can be used to identify users by their email address in certificate authentication. | 
| User Principal Name (UPN) | Specifies the name of the attribute for storing the user principal name. This attribute can be used to identify users by their user principal name in certificate authentication. | 
| Mobile (Updated Schema only) | Specifies the name of the attribute for storing user mobile phone numbers. | 
| Framed IP | This option is included for backward compatibility with legacy NGFW software versions. | 
| Password Method Password | Specifies the name of the password attribute for the Password Authentication Method. | 
| Mobile Text Method Password | Specifies the name of the password attribute for the Mobile Text Authentication Method. | 
| Mobile ID Challenge Method PIN | Specifies the name of the PIN attribute for the Mobile ID Challenge Authentication Method. | 
| Mobile ID Synchronized Method PIN | Specifies the name of the PIN attribute for the Mobile ID Synchronized Authentication Method. | 
| Option | Definition | 
|---|---|
| Client Certificate tab | |
| User Search for Client Certificate Authentication | Specifies the name of the value in the distinguished name that is checked to verify the client identity. The following values are supported: | 
| Option | Definition | 
|---|---|
| Authentication tab | |
| User Network Policy Server Method (NPS) | When selected, uses the Windows server IAS/NPS. | 
| Port Number | Specifies the port for your Windows server IAS/NPS. | 
| Shared Secret | Specifies the shared secret defined for RADIUS clients on the Active Directory server. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option. | 
| Number of Retries | Specifies the number of times an SMC component tries to connect again if its attempt to connect to the Active Directory server fails, before it gives up on the authentication. | 
| IP Address (Optional) | Specifies the IP address for authentication when the authentication service on the Active Directory server uses a different IP address than the server itself. | 
| Authentication Methods | Specifies the supported authentication methods for the Active Directory Server. Click Add to select authentication methods. Note: The User Password authentication method requires you to update the schema with SMC-specific attributes. Alternatively, you can use the LDAP Authentication method to authenticate users with the user names and passwords stored in the external LDAP database without updating the schema. Note: If you use the Active Directory Server with the Integrated User ID Service for user identification, the supported authentication methods are User Password and LDAP Authentication. | 
| Remove | Removes the selected elements from the External Authentication Methods list. | 
| Option | Definition | 
|---|---|
| Advanced tab | |
| Secondary IP Addresses | Allows you to specify any additional device IP addresses. You can enter the additional IP addresses here instead of creating additional elements for the other IP addresses. The secondary IP addresses are valid in policies and in routing and antispoofing. You can add several IPv4 and IPv6 addresses (one at a time). | 
| Timeout | The time (in seconds) that SMC components wait for the server to reply. | 
| Max Entries | The maximum number of LDAP entries that are returned in an LDAP response. | 
| No Limit | Deselect to specify the maximum number of LDAP entries returned. | 
| Page Size (Optional) | The maximum number of LDAP entries that are returned on each page of the LDAP response. | 
| No Pages | Deselect to specify the maximum number of LDAP entries returned on each page. | 
| Option | Definition | 
|---|---|
| Monitored Servers tab | |
| Server Type | The type of server from which the Integrated User ID Service receives information about users' IP addresses. The Active Directory server can receive information from Domain Controller servers and Exchange Servers. | 
| IP Address | The IP address of the Domain Controller server or Exchange Server. Both IPv4 and IPv6 addresses are supported. | 
| User | The user name of a user in the domain that has permission to execute WMI queries from a remote computer. Note: Enter only the user name without any domain information. The domain information is automatically added to the user name.  | 
| Password | The password for the user account with Domain Admin credentials. | 
| Add | Adds a row to the table. Allows you to define a Domain Controller server or an Exchange Server. | 
| Edit | Allows you to edit the settings of the selected server. | 
| Remove | Removes the selected row from the table. | 
| Option | Definition | 
|---|---|
| Monitoring tab | |
| Log Server | The Log Server that monitors the status of the element. | 
| Status Monitoring | When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Dashboard view. | 
| Probing Profile | Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element. | 
| Log Reception | Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected. | 
| Logging Profile | Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element. | 
| Time Zone | Selects the time zone for the logs. | 
| Encoding | Selects the character set for log files. | 
| SNMP Trap Reception | Enables the reception of SNMP traps from the third-party device. | 
| NetFlow Reception | Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10). | 
| Option | Definition | 
|---|---|
| NAT tab (All optional settings) | |
| Firewall | Shows the selected firewall. | 
| NAT Type | Shows the NAT translation type: Static or Dynamic. | 
| Private IP Address | Shows the Private IP Address. | 
| Public IP Address | Shows the defined Public IP Address. | 
| Port Filter | Shows the selected Port Filters. | 
| Comment | An optional comment for your own reference. | 
| Add NAT Definition | Opens the NAT Definition Properties dialog box. | 
| Edit NAT Definition | Opens the NAT Definition Properties dialog box for the selected definition. | 
| Remove NAT Definition | Removes the selected NAT definition from the list. | 
LDAP Server Properties dialog box
Use this dialog box to define Lightweight Directory Access Protocol (LDAP) Server properties.
| Option | Definition | 
|---|---|
| General tab | |
| Name | The name of the element. | 
| IP Address | Specifies the server IP address. IPv4 addresses, IPv6 addresses, and fully qualified domain names (FQDNs) are supported. You can enter only one IPv4, IPv6 or FQDN as the IP address. | 
| Resolve | Automatically resolves the IP address of the server. | 
| Location | Specifies the location for the server if there is a NAT device between the server and other SMC components. | 
| Contact Addresses | | 
| LDAP Protocol | Specifies the LDAP protocol that is used for the LDAP connection. | 
| LDAP Port (Optional) | The port number if the server communicates on a port other than the default port (TCP port 389). The predefined Firewall Template allows the engines to connect to the default port. If you change to a custom port, you must add an Access rule to allow the traffic. | 
| TLS Profile (When the LDAP Protocol is LDAPS or Start TLS) | Specifies the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic. Click Select to select a TLS Profile element. | 
| TLS Server Identity (When the LDAP Protocol is LDAPS or Start TLS) | Determines how the identity of the LDAP server is verified. | 
| Base DN | The LDAP tree under which the authenticating users’ accounts are stored. Example (DNS-based tree): dc=example,dc=com Example (“O-based” tree used, for example, in Novell eDirectory): ou=astronauts,o=government,st=Florida,c=US | 
| Anonymous (Optional) | When selected, allows NGFW Engines and Management Servers to connect to the LDAP server without a user name and password. When the option is selected, the Bind User ID and Bind Password options are not available. | 
| Bind User ID | The Distinguished Name of the User ID that the NGFW Engines and Management Servers use to connect to the server. This user account must exist in the user database. Make sure the account you use has the privileges to manage other user accounts. Example (DNS-based tree): uid=ExampleOrganization,ou=Administrators,dc=example,dc=com Example (“O-based” tree used, for example, in Novell eDirectory): uid=ExampleOrganization,ou=Administrators,ou=astronauts,o=government,st=Florida,c=US | 
| Bind Password | The password for the user account that the Firewalls and Management Servers use to connect to the server. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option. | 
| Category (Optional) | Includes the element in predefined categories. Click Select to select a category. | 
| Tools Profile | Adds commands to the element right-click menu. Click Select to select an element. | 
| Comment (Optional) | A comment for your own reference. | 
| Check Connectivity | Tests connectivity to the LDAP Server. | 
| Option | Definition | 
|---|---|
| Object Classes tab | |
| User ObjectClass | Allows you to add user object classes manually. If your LDAP server uses user object classes that are not defined in the SMC by default, you must add those object classes to the LDAP object classes in the server properties. This way, the existing classes on the LDAP server can also be used for authentication. | 
| Add | Adds the user objectclass name to the list of available classes. | 
| Remove | Removes the user objectclass name from the list of available classes. | 
| Group ObjectClass | Allows you to add group object classes manually. If your LDAP server uses group object classes that are not defined in the SMC by default, you must add those object classes to the LDAP object classes in the server properties. This way, the existing classes on the LDAP server can also be used for authentication. | 
| Add | Adds the group objectclass name to the list of available classes. | 
| Remove | Removes the group objectclass name from the list of available classes. | 
| Option | Definition | 
|---|---|
| Attributes tab | |
| Schema | | 
| UserId | Specifies the name of the attribute that is used as the UserID. This attribute can be used to identify users by their UserID in certificate authentication. | 
| Group Member | The name that the server uses for the Group Member Attribute. By default, the attribute is set to member for standard schema, and sgMember for updated schema. | 
| Authentication (Updated Schema only) | The Authentication Attribute for storing the authentication method information. By default, the attribute is set to sgauth. | 
| Display Name | Specifies the name that the server uses for the Display Name attribute. | 
| E-mail | Specifies the name of the attribute that is used for storing user email addresses. This attribute can be used to identify users by their email address in certificate authentication. | 
| User Principal Name (UPN) | Specifies the name of the attribute for storing the user principal name. This attribute can be used to identify users by their user principal name in certificate authentication. | 
| Mobile | Specifies the name of the attribute for storing user mobile phone numbers. | 
| Framed IP | This option is included for backward compatibility with legacy NGFW software versions. | 
| Password Method Password | The name of the password attribute for the Password Authentication Method. | 
| Mobile Text Method Password | The name of the password attribute for the Mobile Text Authentication Method. | 
| Mobile ID Challenge Method PIN | The name of the PIN attribute for the Mobile ID Challenge Authentication Method. | 
| Mobile ID Synchronized Method PIN | The name of the PIN attribute for the Mobile ID Synchronized Authentication Method. | 
| Option | Definition | 
|---|---|
| Client Certificate tab | |
| User Search for Client Certificate Authentication | Specifies the name of the value in the distinguished name that is checked to verify the client identity. The following values are supported: | 
| Option | Definition | 
|---|---|
| Authentication tab | |
| Authentication Methods | Specifies the supported authentication methods for the LDAP Server. Click Add to select authentication methods. Note: The User Password authentication method requires you to update the schema with SMC-specific attributes. Alternatively, you can use the LDAP Authentication method to authenticate users with the user names and passwords stored in the external LDAP database without updating the schema. | 
| Remove | Removes the selected authentication method. | 
| Option | Definition | 
|---|---|
| Advanced tab | |
| Secondary IP Addresses | Allows you to specify any additional device IP addresses. You can enter the additional IP addresses here instead of creating additional elements for the other IP addresses. The secondary IP addresses are valid in policies and in routing and antispoofing. You can add several IPv4 and IPv6 addresses (one at a time). | 
| Timeout | The time (in seconds) that SMC components wait for the server to reply. | 
| Max Entries | The maximum number of LDAP entries that are returned in an LDAP response. | 
| No Limit | Deselect to specify the maximum number of LDAP entries returned. | 
| Page Size (Optional) | The maximum number of LDAP entries that are returned on each page of the LDAP response. | 
| No Pages | Deselect to specify the maximum number of LDAP entries returned on each page. | 
| Option | Definition | 
|---|---|
| Monitoring tab | |
| Log Server | The Log Server that monitors the status of the element. | 
| Status Monitoring | When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Dashboard view. | 
| Probing Profile | Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element. | 
| Log Reception | Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected. | 
| Logging Profile | Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element. | 
| Time Zone | Selects the time zone for the logs. | 
| Encoding | Selects the character set for log files. | 
| SNMP Trap Reception | Enables the reception of SNMP traps from the third-party device. | 
| NetFlow Reception | Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10). | 
| Option | Definition | 
|---|---|
| NAT tab (All optional settings) | |
| Firewall | Shows the selected firewall. | 
| NAT Type | Shows the NAT translation type: Static or Dynamic. | 
| Private IP Address | Shows the Private IP Address. | 
| Public IP Address | Shows the defined Public IP Address. | 
| Port Filter | Shows the selected Port Filters. | 
| Comment | An optional comment for your own reference. | 
| Add NAT Definition | Opens the NAT Definition Properties dialog box. | 
| Edit NAT Definition | Opens the NAT Definition Properties dialog box for the selected definition. | 
| Remove NAT Definition | Removes the selected NAT definition from the list. |