WUI Authentication and Authorization
- Last Updated: December 11, 2024
WUI Authorization Options
Click the WUI Authorization Options button on the Remote Access screen to display the WUI Authentication and Authorization screen. This option is only available when Session Management is enabled.
The WUI Authentication and Authorization screen enables the administration of the available authentication (login) and authorization (allowed permissions) options.
Authentication
Users must be authenticated before logging on to the LoadMaster. The LoadMaster allows authentication of users to be performed using the RADIUS and LDAP authentication methods as well as Local User authentication.
When all authentication methods are selected, the LoadMaster attempts to authenticate users using the authentication methods in the following order:
- RADIUS
- LDAP
- Local Users
For example, if the RADIUS server is not available then the LDAP server is used. If the LDAP server is also not available, then Local User authentication methods are used.
If neither RADIUS nor LDAP authentication methods are selected, then the Local User authentication method is selected by default.
Authorization
LoadMaster allows the users to be authorized by either RADIUS or using Local User authorization. The user’s authorization decides what level of permissions the user has and what functions on the LoadMaster they are allowed to perform.
When both authorization methods are selected, the LoadMaster initially attempts to authorize the user using RADIUS. If this authorization method is not available, the LoadMaster attempts to authorize the user using the Local User authorization. Authorization using LDAP is not supported.
If neither RADIUS nor LDAP authentication methods are selected, then the Local User authentication method is selected by default.
You must configure the RADIUS server that you are using to authorize the same user permissions that appear on the WUI's user permissions page (with the exception of 'All Permissions'). The Reply-Message returned by the RADIUS server indicates the permissions it is allowing. On a Linux system, the message looks similar to the following:
LMUSER Cleartext-Password := "1fourall"
        Reply-Message = "real,vs,rules,backup,certs,cert3,certbackup,users"
The preceding example is of a RADIUS user configuration on a RADIUS server deployed on a Linux system. The LoadMaster determines the user's permissions from the "Reply-Message" (the permissions are similar to the ones for a local WUI user on the LoadMaster).
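As an added illustration (not code from the LoadMaster documentation or product), the following Python parses a users-file entry of the kind shown above and splits its Reply-Message into the permission tokens the LoadMaster would read; the KNOWN_PERMISSIONS set (taken from the example line), the parsing helpers and the second sample user are assumptions.

```python
import re

# Permission tokens assumed here for the lint, taken from the page's example
# Reply-Message; the authoritative list is the WUI user-permissions page.
KNOWN_PERMISSIONS = {"real", "vs", "rules", "backup",
                     "certs", "cert3", "certbackup", "users"}

# Constructed sample in FreeRADIUS "users" file layout: a user line holding
# check items, then indented reply-item lines. The second entry carries a
# made-up token ("geo") to show how a typo or unsupported grant is caught.
SAMPLE_USERS_FILE = '''\
# constructed sample users file
LMUSER Cleartext-Password := "1fourall"
        Reply-Message = "real,vs,rules,backup,certs,cert3,certbackup,users"
readonly Cleartext-Password := "viewer"
        Reply-Message = "vs, geo"
'''

# attribute, operator and a quoted or bare value; ":=" must precede "=".
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|=)\s*(?:"([^"]*)"|(\S+))')


def parse_users_file(text):
    """Return {username: [(attribute, operator, value), ...]}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # new entry: "user check-items"
            user, _, line = line.partition(" ")
            current = entries.setdefault(user, [])
        elif current is None:
            continue                           # continuation with no entry
        for m in PAIR_RE.finditer(line):
            current.append((m.group(1), m.group(2), m.group(3) or m.group(4)))
    return entries


def radius_permissions(entry):
    """Split Reply-Message as the LoadMaster reads it (comma-separated tokens).
    Returns (granted, unknown): tokens in KNOWN_PERMISSIONS and the rest, so a
    misspelt token or an 'All Permissions' grant (which RADIUS cannot return)
    is visible before the server goes live. No Reply-Message: no permissions."""
    for attr, _op, value in entry:
        if attr.lower() == "reply-message":
            tokens = [t.strip() for t in value.split(",") if t.strip()]
            granted = {t for t in tokens if t in KNOWN_PERMISSIONS}
            unknown = sorted(set(tokens) - KNOWN_PERMISSIONS)
            return granted, unknown
    return set(), []
```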
RADIUS Server Configuration
RADIUS Server
The IP address and Port of the RADIUS Server that is to be used to authenticate user WUI access to the LoadMaster.
Shared Secret
This input field is for the Shared Secret of the RADIUS Server.
A Shared Secret is a text string that serves as a password between the LoadMaster and the RADIUS server.
Backup RADIUS Server
The IP address and Port of the backup RADIUS Server that is to be used to authenticate user WUI access to the LoadMaster. This server will be used in case of failure of the main RADIUS Server.
Backup Shared Secret
Enter the Shared Secret of the backup RADIUS Server in this text box.
Revalidation Interval
Specifies how often a user should be revalidated by the RADIUS server.
Send NAS Identifier
If this check box is disabled (default), a NAS identifier is not sent to the RADIUS server. If it is enabled, a Network Access Server (NAS) identifier string is sent to the RADIUS server. By default, this is the hostname. Alternatively, if a value is specified in the RADIUS NAS Identifier text box, this value is used as the NAS identifier. If the NAS identifier cannot be added, the RADIUS access request is still processed.
Sending the NAS identifier serves two purposes:
- It helps to classify the device type that is sending the request as opposed to simply sending the host IP address which makes troubleshooting and consuming logs easier.
- It enables customized authentication responses to be sent back from the server based on the identifier.
Send Vendor Specific
In LoadMaster firmware version 7.2.51 and above, there is a check box called Send Vendor Specific in the User Interface (UI) when a RADIUS Server is set. When the Send Vendor Specific check box is enabled and a user is logging into the LoadMaster UI using RADIUS authentication with Cisco Access Control Server (ACS) or Identity Services Engine (ISE), the LoadMaster sends an Attribute Value Pair (AVP) to the server as part of the login request which contains Progress Kemp's vendor ID. The server can use this AVP upon receipt to identify the LoadMaster device. The format and requirements for this attribute are in Section 5.26 of RFC 2865.
The Progress Kemp vendor ID is 12196.
RADIUS NAS Identifier
If the Send NAS Identifier check box is selected, the RADIUS NAS Identifier field is shown. When specified, this value is used as the NAS identifier. Otherwise, the hostname is used as the NAS identifier. If the NAS identifier cannot be added, the RADIUS access request is still processed.
LDAP Endpoint
Select the relevant LDAP Endpoint to use. Click the Manage LDAP Configuration button to go to the LDAP Configuration screen. For further information on LDAP endpoints, refer to the LDAP Configuration section.
In LoadMaster firmware version 7.2.53, support for PIV smart card authentication was added. As a result, a new Select Certificate to User Mapping drop-down list was added to the Certificates & Security > Remote Access > WUI Authorization Options screen. This field has the following values:
- User Principal Name (default value)
- Subject
- Issuer and Subject
- Issuer and Serial Number
Some configuration caveats are below:
- Session Management must be enabled (Certificates & Security > Admin WUI Access) to see the WUI Authorization Options button.
- The Admin Login Method in Certificates & Security > Remote Access must be set to a Client certificate method to see the new Select Certificate to User Mapping drop-down list.
- The Pre-Auth Click Through Banner must be set in Certificates & Security > Admin WUI Access before you can select a Client certificate method as the Admin Login Method in Certificates & Security > Remote Access.
- After a certificate is revoked, the certificate fails authentication. However, it sometimes remains in the cache; to make it fail instantly, use the Flush OCSPD Cache option in System Configuration > System Administration > Logging Options > Debug Options.
- If the LDAP query returns more than one match, the login fails.
- If the Authority Information Access (AIA) is present in the certificate, the LoadMaster attempts to connect with the provided AIA. If this does not work, it tries to connect with the local server.
- If the LoadMaster cannot get the status of the server configured in the certificate AIA, the LoadMaster does not fail back to the local server.
- If the certificate cannot be validated because the server is unavailable, there is an option in Certificates & Security > OCSP Configuration called Allow Access on Server Failure where you can decide if you want to pass the authentication or not. Enabling this check box treats an OCSP server connection failure or timeout as if the OCSP server has returned a valid response. That is, the client certificate is treated as valid.
If client users are being authenticated with client certificates, the Common Name (CN) is normalized to lowercase. Therefore, the associated local user entries (with no password), which may be required for permissions, should be in lowercase also.
Remote User Groups
Any remote user groups that are selected are displayed here. To select, clear, or order the groups, click Select groups.
The groups displayed on this screen are taken from the remote user groups set up in System Configuration > System Administration > User Management. For more information, refer to the User Management section.
When a user logs in, a check of the user groups on the Active Directory is performed if all the following conditions are met:
- LDAP WUI Authentication is enabled
- A list of groups is defined
- The user logging in is not locally defined or the Local Users option is disabled
You can change the order of the groups on this screen. The first group is checked first. On the first group match, access is enabled and no further groups are checked. If no groups are matched, user access fails and an appropriate log is reported in the syslog. If the user logs in using the group check, the matched group permissions are granted.
Nested Groups
You can enable or disable user nested groups on the WUI Authentication and Authorization screen by using the Nested groups check box.
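The ordered group check described under Remote User Groups, with and without nested groups, as an added Python example that is not part of the LoadMaster documentation or product; the directory snapshot, group names and permission sets are constructed assumptions.

```python
import logging

# Constructed directory snapshot: group -> direct members (users or groups).
# "LM-Readers" is nested in "LM-Ops", which is nested in "LM-Admins".
DIRECTORY_GROUPS = {
    "LM-Admins": {"alice", "LM-Ops"},
    "LM-Ops": {"bob", "LM-Readers"},
    "LM-Readers": {"carol"},
    "Unrelated": {"dave"},
}

# Ordered Remote User Groups as set on the WUI screen (first match wins) with
# the permissions each grants; names and sets are assumptions, not defaults.
REMOTE_USER_GROUPS = [
    ("LM-Admins", {"real", "vs", "rules", "backup", "certs", "users"}),
    ("LM-Ops", {"real", "vs", "rules"}),
    ("LM-Readers", set()),
]


def group_check_applies(ldap_wui_auth, ordered_groups, user_is_local, local_users_enabled):
    """The three conditions listed on the page before a group check is run."""
    return ldap_wui_auth and bool(ordered_groups) and (not user_is_local or not local_users_enabled)


def effective_groups(user, groups, nested):
    """Groups containing `user`; with nesting on, parent groups are added
    transitively (the visited set guards against membership cycles)."""
    direct = {g for g, members in groups.items() if user in members}
    if not nested:
        return direct
    result, frontier = set(), list(direct)
    while frontier:
        g = frontier.pop()
        if g in result:
            continue
        result.add(g)
        frontier.extend(p for p, members in groups.items() if g in members)
    return result


def authorize(user, ordered_groups, groups, nested=False):
    """Walk the configured groups in order; the first one the user belongs to
    decides the permissions. Returns (group, permissions), or None on failure
    (the case the LoadMaster reports to syslog)."""
    member_of = effective_groups(user, groups, nested)
    for name, perms in ordered_groups:
        if name in member_of:
            return name, perms
    logging.warning("WUI login for %s matched no remote user group", user)
    return None
```

With nesting enabled, carol (a direct member only of LM-Readers) matches LM-Admins because it comes first in the configured order, which is why group order matters as much as membership.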
Domain
Specify the domain to use if no domain is provided in the username when group WUI authentication is in use. It is always used as the domain for group search if the Windows logon is used in the format prefix\username.
Server Certificate Validation
This check box only appears if StartTLS or LDAPS is the LDAP Protocol for the selected LDAP Endpoint.
When Server Certificate Validation is enabled, it ensures that the host name or IP address that was used to initiate the secure connection resides in the Certificate Subject or Subject Alternative Names (SAN) of the certificate.
Server Certificate Validation is disabled by default.
Local Users Configuration
Use ONLY if other AAA services fail
When selected, the Local Users authentication and authorization methods are used only if the RADIUS and/or LDAP authentication and authorization services fail to respond/time out.
Test AAA for User
To test a user’s credentials, enter their username and password in the Username and Password fields and click the Test User button.
A message appears to inform you whether the user is validated or not. This is a useful utility to check a user’s credentials without having to log in or out.