What is remote NFM-P user access?

Remote user access overview
CAUTION

Security Risk

Using unsecured LDAP (LDAP without TLS) for remote authentication poses a serious security risk: a simple bind sends the user's credentials across the network in clear text, where anyone on the path can capture them.

If you intend to use LDAP for remote access, it is strongly recommended that you use only servers that support LDAP over TLS (LDAPS).

In addition to local account management, NFM-P user authentication and authorization can be accomplished via remote servers. The NFM-P supports the following remote user access protocols: LDAP and LDAPS, RADIUS, and TACACS+.

Functional description

You can configure NFM-P access for users that log in through a third-party server in a corporate network. For example, a person who does not have an NFM-P user account can log in to the NFM-P using their corporate credentials. The NFM-P forwards the credentials to a remote authentication server, and grants or denies access to the user based on the remote server response.

If a remote authentication server is configured to authorize users, the remote server also sends the name of a user group in a successful authentication response. If the NFM-P has a user group with the same name, the user is assigned to the group and granted access based on the group properties. Otherwise, the user is assigned to a default external user group.

When a remote session terminates, the associated NFM-P user account remains, and the user preferences, such as filters, apply to subsequent sessions.

Successful remote authentication for an XML API user requires that the remote server and the NFM-P use the same password format. XML API users can log in using a clear-text or MD5-hashed password, if the remote server supports MD5 password hashing. Note that MD5 hashing is a password-format compatibility option, not a protection for the credential in transit: the hash is a fixed, replayable value that is equivalent to the password, so the XML API session itself must still be secured. See "Secure communication" in the NSP NFM-P XML API Developer Guide for more information.

Configuration

You use the NFM-P Remote Authentication Manager to configure the protocols and define the authentication order for users. For example, if you specify an order of RADIUS, LDAP, local, the NFM-P first tries to authenticate each remote user via RADIUS; if the RADIUS servers are unavailable, it tries LDAP, and if LDAP also fails, it tries to match the user credentials to a local NFM-P account.

How do I configure NFM-P remote user authentication? describes how to configure the general remote access properties, such as the authentication types, the authentication order, and the remote servers.

Assigning remote users to NFM-P user groups

User authorization is the assignment of a user to a user group after successful user authentication. By default, the NFM-P assigns a remote user to a default user group, if one is specified. Optionally, you can configure the NFM-P to assign a group specified by a remote server. If no default group is specified, and remote group assignment is not configured, the authorization fails and the user is denied access.

After a remote server authenticates a user, if the name of the user group sent by the remote server matches an NFM-P user group name, the NFM-P creates a user account for the login session and grants the appropriate access rights. Otherwise, authorization fails and the NFM-P denies user access.

RADIUS or TACACS+ user authorization

In order for a remote RADIUS or TACACS+ server to assign an NFM-P user group, you must preconfigure the NFM-P and the remote server. See How do I enable remote user authorization via RADIUS? for information about enabling authorization for RADIUS users, and How do I enable remote user authorization via TACACS+? for information about enabling authorization for TACACS+ users.

Note: RADIUS combines authentication and authorization in one exchange, so the RADIUS authentication success message (Access-Accept) that is sent to the NFM-P contains the user group name.

TACACS+ separates the two phases: authentication must succeed before a separate authorization message containing the user group name is sent to the NFM-P.

LDAP/S user authorization

For each LDAP or LDAPS server that you specify using the NFM-P Remote Authentication Manager, you can include LDAP group lookup criteria. The group name that the LDAP server returns in an authentication success message must match an existing NFM-P group name.

Note: Microsoft Windows Active Directory uses LDAP or LDAPS as an underlying protocol, so a domain controller can serve as the LDAP or LDAPS server.

One-time password use

For increased security, a GUI user can present a one-time authentication token to an LDAP, RADIUS or TACACS+ server; the server accepts the token only once, so a captured value cannot be replayed. You can enable one-time password use during NFM-P remote authentication policy configuration, as described in How do I configure NFM-P remote user authentication? .

Note: The one-time password function is not available to XML API clients.

To change the one-time password setting in a remote authentication policy, you require a scope of command that has Update/Execute access to the srmrmtauth package.

When one-time password use is in effect and communication between a GUI client and a main server fails, the GUI client cannot re-authenticate with the credentials cached from the previous login, because the one-time token has already been consumed. The client therefore prompts the user to log in to the remote authentication server again, but does not automatically close the GUI, so that the current view is preserved until the user is authenticated.

Combined local and remote authentication

An NFM-P operator can integrate an existing LDAP, RADIUS, or TACACS+ user account with an NFM-P user account by creating an NFM-P user account that has the same name as the remote account. A remote NFM-P user can subsequently log in to the NFM-P using the remote credentials, provided that the password conforms to the NFM-P password constraints.

Note: If the password of a remote user does not abide by the NFM-P password constraints, the NFM-P cannot authenticate the user.

An NFM-P user name:

Note: If a RADIUS or TACACS+ server is configured to perform user authorization, the NFM-P requires a user group from the remote server, and the following conditions apply:

For example, a user named jane has a RADIUS account with the password accessforjane and a local NFM-P account with the password LetJane1In!.

When jane is authenticated by RADIUS, she gains access to the NFM-P by entering jane and accessforjane. If the RADIUS server is down, jane is authenticated locally by the NFM-P after entering jane and LetJane1In!.
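The authentication-order fall-through described under "Configuration" and the group-matching and default-group rules under "Assigning remote users to NFM-P user groups", together with the jane scenario above, modelled as an added Python example. This is illustration code written for this page, not NFM-P code: the Backend and AuthPolicy classes, the account tables, the bob account and the group names operators, administrators, contractors and external are constructed assumptions; only the protocol names and jane's two accounts come from the page. The model treats an unreachable server as a fall-through to the next method in the order, as the page states, and treats a credential rejection as final, which the page does not settle.

```python
"""Model of NFM-P-style remote authentication order and group authorization.

Added illustration, not NFM-P code. Classes, account tables and group names
are constructed for the example; see the lead-in for what is assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class Unavailable(Exception):
    """Raised when no server for a backend can be reached."""


@dataclass
class Backend:
    """One method in the configured authentication order (RADIUS, LDAP/S, TACACS+, local)."""
    name: str
    # constructed sample accounts: user -> (password, group name or None)
    accounts: Dict[str, Tuple[str, Optional[str]]]
    up: bool = True
    is_local: bool = False               # local NFM-P accounts
    remote_authorization: bool = False   # server returns a group name on success

    def authenticate(self, user: str, password: str) -> Tuple[bool, Optional[str]]:
        if not self.up:
            raise Unavailable(self.name)
        entry = self.accounts.get(user)
        if entry is None or entry[0] != password:
            return False, None
        _, group = entry
        # A remote server only sends a group when configured to authorize users;
        # a local account always carries its own group membership.
        if self.is_local or self.remote_authorization:
            return True, group
        return True, None


@dataclass
class AuthPolicy:
    order: List[Backend]           # e.g. RADIUS, LDAP, local
    nfmp_groups: Set[str]          # user groups defined on the NFM-P
    default_group: Optional[str] = None

    def login(self, user: str, password: str) -> Tuple[Optional[str], str]:
        """Return (backend name, assigned group) on success, or (None, reason) when denied."""
        for backend in self.order:
            try:
                accepted, group = backend.authenticate(user, password)
            except Unavailable:
                continue   # unreachable server: try the next method in the order
            if not accepted:
                # Assumption: a credential rejection is final. The page only
                # states that an *unavailable* server causes fall-through.
                return None, f"rejected by {backend.name}"
            if backend.is_local:
                return backend.name, group
            if backend.remote_authorization:
                # Remote group name must match an existing NFM-P group, else deny.
                if group in self.nfmp_groups:
                    return backend.name, group
                return None, f"group {group!r} is not an NFM-P user group"
            # No remote authorization: fall back to the default group, if one is set.
            if self.default_group is not None:
                return backend.name, self.default_group
            return None, "no default group and remote authorization not configured"
        return None, "no authentication server available"


def build_policy(radius_up: bool = True, radius_authorizes: bool = True,
                 default_group: Optional[str] = None) -> AuthPolicy:
    """Constructed deployment: order RADIUS then local; two groups defined on the NFM-P."""
    radius = Backend("RADIUS",
                     {"jane": ("accessforjane", "operators"),
                      "bob": ("bobsecret", "contractors")},   # contractors is not an NFM-P group
                     up=radius_up, remote_authorization=radius_authorizes)
    local = Backend("local", {"jane": ("LetJane1In!", "administrators")}, is_local=True)
    return AuthPolicy([radius, local], {"operators", "administrators"}, default_group)


if __name__ == "__main__":
    print(build_policy().login("jane", "accessforjane"))                 # RADIUS up
    print(build_policy(radius_up=False).login("jane", "LetJane1In!"))    # falls through to local
    print(build_policy(radius_up=False).login("jane", "accessforjane"))  # remote password fails locally
    print(build_policy().login("bob", "bobsecret"))                      # unknown group, denied
    print(build_policy(radius_authorizes=False, default_group="external").login("jane", "accessforjane"))
    print(build_policy(radius_authorizes=False).login("jane", "accessforjane"))
```

Run the block directly to see the six outcomes: jane via RADIUS, jane via local when RADIUS is down, jane's RADIUS password rejected by the local account when RADIUS is down, bob denied because his returned group does not exist on the NFM-P, jane placed in the default group when RADIUS does not authorize, and denial when neither a default group nor remote authorization is configured.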