Authentication

Fudo Enterprise supports a broad spectrum of methods for authenticating users against the target server. These are:

The authentication methods mentioned above require defining connections to the external authentication servers.


External authentication server definition

To add an external CERB, Radius, Active Directory or LDAP authentication server, proceed as follows.

  1. Select Settings > Authentication.
  2. Click Add an external authentication source.
  3. Select authentication service type: CERB, Radius, Active Directory or LDAP.
  4. Provide configuration parameters depending on selected external authentication system type.
  5. Click Save.

CERB

| Parameter | Description |
| --- | --- |
| Host | Server's IP address. |
| Port | Port used to establish connections with the given server. |
| Bind address | IP address used for sending requests to the given host. |
| Service | CERB service used for authenticating Fudo Enterprise users. |
| Secret | Secret used to establish the server connection. |
| Second factor | Additional verification step using the OATH, SMS or DUO authentication method. |

RADIUS

| Parameter | Description |
| --- | --- |
| Host | Server's IP address. |
| Port | Port used to establish connections with the given server. |
| Bind address | IP address used for sending requests to the given host. |
| NAS ID | RADIUS NAS-Identifier attribute sent to the server. |
| Secret | Secret used to establish the server connection. |
| Repeat secret | Re-enter the secret used to establish the server connection. |
| Second factor | Additional verification step using the OATH, SMS or DUO authentication method. |

LDAP

| Parameter | Description |
| --- | --- |
| Host | Server's IP address. |
| Port | Port used to establish connections with the given server. |
| Bind address | IP address used for sending requests to the given host. |
| Bind DN | Template containing the path used to build queries to the LDAP server. |
| Encrypted connection | Must be checked for domain users who change their passwords in the Access Gateway. |
| Server certificate | LDAP server certificate. |
| Second factor | Additional verification step using the OATH, SMS or DUO authentication method. |

Active Directory

| Parameter | Description |
| --- | --- |
| Host | Server's IP address. |
| Port | Port used to establish connections with the given server. |
| Bind address | IP address used for sending requests to the given host. |
| Active Directory domain | Domain used for authenticating users in Active Directory. |
| Encrypted connection | Must be checked for domain users who change their passwords in the Access Gateway. |
| Server certificate | Active Directory server certificate. |
| Login | Login name of the privileged account used to modify user passwords on the Active Directory server. |
| Secret | Secret of the privileged account used to modify user passwords on the Active Directory server. |
| Repeat secret | Re-enter the secret of the privileged account. |
| Second factor | Additional verification step using the OATH, SMS or DUO authentication method. |

Warning

When an additional authentication method (OATH, SMS or DUO) is selected as the Second factor of an external authentication server (AD / LDAP / CERB / RADIUS), selecting that external source in the User definition is not enough. The additionally selected authentication method must also be configured as the primary authentication method in the User definition. The user's authentication methods are then synchronized automatically according to the external authentication server settings.

Note

Please note that when configuring RADIUS authentication in Fudo Enterprise, only the Password Authentication Protocol (PAP) is supported. Make sure your RADIUS server is configured to accept PAP requests; otherwise authentication against Fudo Enterprise will fail.

Note

  • The Active Directory external authentication method uses the Kerberos protocol as the first step.
  • This functionality is enabled by default.
  • To disable the Kerberos authentication option globally, select Settings > System, go to the User authentication and sessions section and deselect the Kerberos authentication enabled option.
  • If enabled, Kerberos is used for RDP session authentication against the server and for the Active Directory external authentication method.

Note

In case of cluster configuration, select a labeled IP address from the Bind address drop-down list and make sure that other nodes have IP addresses assigned to this label. For more information refer to the Labeled IP addresses topic.

OATH authentication definition

Refer to the Two-factor OATH authentication with Google Authenticator page.


SMS authentication definition


  1. Select Settings > Authentication.
  2. Choose the SMS Authentication tab.
  3. Input the Token length.

Note

The token length must be in the range of 4-16.

  4. Input the Account ID.
  5. Input the Product token.
  6. Input the API address and its port.

Note

The values for Account ID, Product token and API address are provided by the CM.COM service. You need a registered account there to obtain them.

  7. Select the Bind address.
  8. Click Save.

Configure the SMS authentication method for the user:

  1. Go to Management > Users.
  2. Find and select the user for whom you want to enable SMS authentication.
  3. In the User data tab, enter a phone number in the Phone input field.
  4. In the Settings tab, under the Authentication section, choose the SMS type from the Add authentication method drop-down list.
  5. Choose Static password or External authentication (AD or LDAP) as the First factor.
  6. Provide the static password or the external authentication source.
  7. Select the Required password change on next login option if needed.
  8. Click Save.
  9. Log in to the Access Gateway with the SMS code.

DUO authentication definition


  1. Download and install the Duo Mobile phone application.
  2. Sign up for a personal account on Duo Security.
  3. Select Settings > Authentication.
  4. Choose the DUO Authentication tab.
  5. Input the API address, Integration key and Secret key from your personal Duo Security profile.
  6. Select the Bind address.
  7. Click Save.

Configure the DUO authentication method for the user:

  1. Go to Management > Users.
  2. Find and select the user for whom you want to enable DUO authentication.
  3. In the Settings tab, under the Authentication section, choose the DUO type from the Add authentication method drop-down list.
  4. Choose Static password or External authentication (AD or LDAP) as the First factor.
  5. Provide the DUO User.
  6. Provide the DUO User Id.
  7. Click Save.
  8. Log in to the Access Gateway by tapping Accept on the push notification from the Duo Mobile application.

OpenID Connect authentication definition

This authentication method is configured globally and is not tied to any particular user. Thus, even if a user has no authentication methods configured, they can authenticate with OpenID Connect in the Access Gateway and the Admin Panel.


Follow these steps to configure the OpenID Connect authentication method:

  1. Select Settings > Authentication.
  2. Choose the OpenID Connect authentication tab.
  3. Click Add an external authentication source.
  4. Check the Enabled option to globally enable OpenID Connect authentication.
  5. Provide a Name (Azure, Okta or any other Identity Provider).
  6. Input the Configuration URL.

Note

This URL is specific to each Identity Provider and identifies it for correct configuration. Example Configuration URL for Google: https://accounts.google.com/.well-known/openid-configuration.

  7. Provide the Client ID and Client secret. These values are available after registering with the selected provider.
  8. Add Username mapping and Email mapping. These fields are useful when the provider's claims use a different naming convention for the user's name.
  9. Provide the Bind address.
  10. Click Save.

Note

The user's identity is determined by the following algorithm:

  1. The user is initially identified using the sub claim from the OpenID Connect (OIDC) provider.
  2. If the user is not identified using the sub claim from the OIDC provider, the next step involves checking the autolink setting for the OIDC provider. If this setting is false, the process concludes without finding the user. However, if the autolink setting is true, the search process continues.
  3. If Username mapping is defined, a search for a corresponding claim in the data is conducted. Once the claim is located in the JSON data, the system then looks for the user with that name.
  4. If Username mapping is not defined, the claim is not found in the data or the user is not found by name, the next step is to verify if Email mapping is defined. If it is defined and exists in JSON data, the process then tries to identify the user based on this email.
  5. When neither Username mapping nor Email mapping is defined, the system will seek to identify the user by their name or email. This is done by searching for the upn or unique_name claims within the data, in this specified order.
  6. When the email claim is used for user identification, it is mandatory for the email_verified field to be included in the data and set to true.
  7. The last step checks whether the found user already has a stored sub claim that differs from the one received from the OIDC provider. If they do not match, authentication fails.
  8. The received user sub claim is stored in the database for future use.
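The resolution order above, modelled as an added example (this is not Fudo Enterprise's code; the User and Provider records and the claims dictionary are assumed, constructed data structures). It shows how the autolink setting, a previously pinned sub claim and the email_verified requirement each gate whether an incoming token is matched to an existing account.

```python
# Added illustration of the OIDC identity-resolution order on this page; not Fudo code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:                                 # assumed user record
    name: str
    email: str
    oidc_sub: Optional[str] = None          # sub pinned at first successful OIDC login

@dataclass
class Provider:                             # assumed provider settings
    autolink: bool = False                  # may unknown subs be linked to accounts?
    username_mapping: Optional[str] = None  # claim carrying the user name
    email_mapping: Optional[str] = None     # claim carrying the e-mail address

def _by_name(users, name):
    return next((u for u in users if u.name == name), None)

def _by_email(users, claims, email):
    # Step 6: an e-mail match counts only if the provider asserts email_verified=true
    if claims.get("email_verified") is not True:
        return None
    return next((u for u in users if u.email == email), None)

def resolve_user(claims: dict, provider: Provider, users: list) -> Optional[User]:
    sub = claims["sub"]
    # Step 1: a previously pinned sub identifies the user directly
    user = next((u for u in users if u.oidc_sub == sub), None)
    if user is None:
        if not provider.autolink:           # Step 2: without autolink, stop here
            return None
        um, em = provider.username_mapping, provider.email_mapping
        if um and um in claims:                              # Step 3: by mapped name
            user = _by_name(users, claims[um])
        if user is None and em and em in claims:             # Step 4: by mapped e-mail
            user = _by_email(users, claims, claims[em])
        if not um and not em:                                # Step 5: upn, then unique_name
            for claim in ("upn", "unique_name"):
                if user is None and claim in claims:
                    value = claims[claim]
                    user = _by_name(users, value) or _by_email(users, claims, value)
        if user is None:
            return None
    # Step 7: an account already bound to a different sub cannot be taken over
    if user.oidc_sub is not None and user.oidc_sub != sub:
        return None
    user.oidc_sub = sub                      # Step 8: pin sub for future logins
    return user
```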
Finally, log in using the defined authentication method.

Related topics: