Authentication Protocol

This dropdown allows you to select the transport protocol used to communicate with the authentication server. The options are:

  • LDAP
  • RADIUS
  • RSA-SecurID
  • Certificates
  • RADIUS and LDAP
  • RSA-SecurID and LDAP
  • SAML
  • OIDC / OAUTH

Note: If you create an SSO domain with the Authentication Protocol set to Certificates, ensure that the LDAP Protocol is set to LDAPS in the LDAP endpoint.

Note: The fields displayed on this screen change depending on the Authentication Protocol selected.

LDAP Endpoint

Select the LDAP endpoint to use. For further information on LDAP endpoints, refer to the LDAP Configuration section.

Note: This option is only available if the Authentication Protocol is set to LDAP, RADIUS and LDAP or RSA-SecurID and LDAP.

RADIUS/RSA-SecurID Server(s)

Type the IP address(es) of the server(s) which are used to authenticate the domain.

Multiple server addresses can be entered within this text box. Each entry must be separated by a space.

Radius Shared Secret

The shared secret to be used between the RADIUS server and the LoadMaster (48 character limit).

Note: This field is only available if the Authentication Protocol is set to RADIUS or RADIUS and LDAP.

Send NAS Identifier

If this check box is disabled (default), a NAS identifier is not sent to the RADIUS server. If it is enabled, a Network Access Server (NAS) identifier string is sent to the RADIUS server. By default, this is the hostname. Alternatively, if a value is specified in the RADIUS NAS Identifier text box, this value is used as the NAS identifier. If the NAS identifier cannot be added, the RADIUS access request is still processed.

Note: This field is only available if the Authentication Protocol is set to RADIUS or RADIUS and LDAP.

Sending the NAS identifier serves two purposes:

  • It helps to classify the device type that is sending the request, rather than relying only on the host IP address, which makes troubleshooting and consuming logs easier.
  • It enables customized authentication responses to be sent back from the server based on the identifier.

RADIUS NAS Identifier

If the Send NAS Identifier check box is selected, the RADIUS NAS Identifier field is shown. When specified, this value is used as the NAS identifier. Otherwise, the hostname is used as the NAS identifier. If the NAS identifier cannot be added, the RADIUS access request is still processed.

Note: This field is only available if the Authentication Protocol is set to RADIUS or RADIUS and LDAP and the Send NAS Identifier check box is enabled.
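The NAS Identifier behaviour described above (not sent by default, explicit value preferred over the hostname, request still sent if the identifier cannot be added), shown as an added example that builds a RADIUS Access-Request per RFC 2865; this is illustrative code, not the LoadMaster implementation, and the hostname, secret and credentials are constructed sample values.

```python
import hashlib
import struct

# RADIUS attribute types from RFC 2865
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
ACCESS_REQUEST = 1


def _attr(atype, value):
    # An attribute value must be 1..253 bytes; return None if it cannot be carried.
    if not 1 <= len(value) <= 253:
        return None
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    # MD5(shared secret + previous block); the first block chains on the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(username, password, secret, authenticator, *,
                         send_nas_id=False, nas_identifier="", hostname="lm-1", ident=0):
    """Build an Access-Request. NAS-Identifier is only added when send_nas_id is
    True; an explicit value wins over the hostname. If the identifier cannot be
    encoded (empty or longer than 253 bytes) the request is still built without it."""
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, _hide_password(password.encode(), secret, authenticator))
    if send_nas_id:
        nas = _attr(NAS_IDENTIFIER, (nas_identifier or hostname).encode())
        if nas is not None:
            attrs += nas
    # Header: code, identifier, total length, 16-byte Request Authenticator (caller supplies it)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    """Return {type: value} for the attributes of a RADIUS packet, to inspect what was sent."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```

In production the Request Authenticator must be 16 unpredictable random bytes (for example from os.urandom); a fixed value is used only to keep the example deterministic.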

Check Certificate to User Mapping

This option is only available when the Authentication Protocol is set to Certificates. When this option is enabled, in addition to checking the validity of the client certificate, the client certificate is also checked against the altSecurityIdentities (ASI) attribute of the user in Active Directory.

Note: In LoadMaster firmware version 7.2.53, support for Personal Identity Verification (PIV) smart cards was added. As a result, the Check Certificate to User Mapping check box changed to a drop-down list with a number of options. For further details, refer to the following section: PIV Smart Card Support.

If this option is enabled and the check fails, the login attempt will fail. If this option is not enabled, only a valid client certificate (with the username in the SubjectAltName (SAN)) is required to log in, even if the altSecurityIdentities attribute for the user is not present or not matching.

For more information, refer to the Kerberos Constrained Delegation, Feature Description.

Allow fallback to check Common Name

Enabling this option allows a fallback to check the Common Name (CN) in the certificate when the SAN is not available.

Note: This field only appears when the Authentication Protocol is set to Certificates.

Domain/Realm

The login domain to be used. This is also used with the logon format to construct the normalized username, for example:

  • Principalname: <username>@<domain>
  • Username: <domain>\<username>

Note: If the Domain/Realm field is not set, the Domain name set when initially adding an SSO domain is used as the Domain/Realm name.

RSA Authentication Manager Config File

Note: This option is only available when the Authentication Protocol is set to RSA-SecurID.

This file needs to be exported from the RSA Authentication Manager.

Note: For more information on the RSA authentication method, including how to configure it, refer to the RSA Two Factor Authentication, Feature Description.

RSA Node Secret File

Note: This option is only available when the Authentication Protocol is set to RSA-SecurID.

A node secret must be generated and exported in the RSA Authentication Manager.

Note: It is not possible to upload the RSA node secret file until the RSA Authentication Manager configuration file is uploaded. The node secret file is dependent on the configuration file.

Logon Format

This drop-down list allows you to specify the format of the login information that the client has to enter.

Note: The options available vary depending upon which Authentication Protocol is selected.

Not Specified: No normalization is applied to the username; it is taken exactly as typed.

Principalname: Selecting this as the Logon format means that the client does not need to enter the domain when logging in, for example username@domain. The SSO domain added in the corresponding text box is used as the domain in this case.

Note: When using RADIUS as the Authentication Protocol, the value in this SSO domain field must match exactly for the login to work. It is case sensitive.

Username: Selecting this as the Logon format means that the client needs to enter the domain and username, for example domain\username.

Username Only: Selecting this as the Logon Format means that the text entered is normalized to the username only (the domain is removed).

Note: The Username Only option is only available for the RADIUS and RSA-SecurID protocols.
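The four Logon Format options above, worked through as an added example (illustrative code, not the LoadMaster implementation). It assumes that a domain the client types, in either DOMAIN\user or user@domain form, is kept, and that the SSO Domain/Realm is applied only when the client types a bare username; the sample domains are constructed.

```python
# Logon Format values as named on the SSO domain screen
NOT_SPECIFIED, PRINCIPALNAME, USERNAME, USERNAME_ONLY = (
    "Not Specified", "Principalname", "Username", "Username Only")


def split_login(typed):
    """Split what the client typed into (domain, username).
    Accepts 'user', 'DOMAIN\\user' and 'user@domain'; domain is None when not typed."""
    if "\\" in typed:
        domain, _, user = typed.partition("\\")
        return (domain or None), user
    if "@" in typed:
        # rpartition so a local part containing '@' keeps the last '@' as the separator
        user, _, domain = typed.rpartition("@")
        return (domain or None), user
    return None, typed


def normalize_login(typed, logon_format, sso_domain):
    """Return the normalized username for the selected Logon Format.
    Assumption (not stated on the page): a domain typed by the client wins
    over the SSO Domain/Realm, which is used only for bare usernames."""
    if logon_format == NOT_SPECIFIED:
        return typed
    domain, user = split_login(typed)
    if not user:
        raise ValueError("empty username")
    domain = domain or sso_domain
    if logon_format == PRINCIPALNAME:
        return f"{user}@{domain}"
    if logon_format == USERNAME:
        return f"{domain}\\{user}"
    if logon_format == USERNAME_ONLY:
        return user
    raise ValueError(f"unknown logon format: {logon_format}")
```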

Logon Format (Phase 2 Real Server)

Specify the logon string format used to authenticate to the Real Server.

The Logon Format (Phase 2 Real Server) field only appears if the Authentication Protocol is set to one of the following options:

  • RADIUS
  • RSA-SecurID

Logon Format (Phase 2 LDAP)

Specify the logon string format used to authenticate to LDAP.

The Logon Format (Phase 2 LDAP) field only appears if the Authentication Protocol is set to one of the following options:

  • RADIUS and LDAP
  • RSA-SecurID and LDAP

For further details, refer to the following section: Appendix A - Expected Normalization Results (for LDAP Only) from Example Configurations

Logon Transcode

Enable or disable the transcode of logon credentials, from ISO-8859-1 to UTF-8, when required.

If this option is disabled, the credentials are used in whatever encoding the client sends. If this option is enabled, the LoadMaster checks whether the client uses UTF-8; if it does not, the credentials are treated as ISO-8859-1 and transcoded to UTF-8.

User Account Control Check

If the UAC check interval value is set to 0 minutes (default value), then UAC is not performed periodically for users after successful login.

When you specify an interval value in the range of 1 to 300 minutes, the periodic UAC check is performed per user on requests received after the interval has expired.

The UAC detects:

  • Unknown users
  • Disabled accounts
  • Locked accounts
  • Expired passwords on accounts

Extended ESP user logs provide the results of the UAC check. Additional information is logged for the user such as start session time, total duration, protocol information, KCD information, and blocked user events.

The check may occur on new connection establishment or as part of existing sessions. The msDS-User-Account-Control-Computed and userAccountControl attributes are used to determine the UAC status.

Failed Login Attempts

The maximum number of consecutive failed login attempts before the user is locked out. Valid values range from 0 to 99. Setting this to 0 means that users will never be locked out.

Note: When a user is locked out, all existing logins for that user are terminated, along with future logins.

Reset Failed Login Attempt Counter after

When this time (in seconds) has elapsed after a failed authentication attempt, without any new attempts, the failed login attempts counter is reset to 0. Valid values for this text box range from 60 to 86400. This value must be less than the Unblock timeout value.

Unblock timeout

The time (in seconds) before a blocked account is automatically unblocked, that is, unblocked without administrator intervention. Valid values for this text box range from 60 to 86400. This value must be greater than the Reset Failed Login Attempt Counter after value.
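How the three fields above (Failed Login Attempts, Reset Failed Login Attempt Counter after, Unblock timeout) interact, as an added example that validates the ranges and ordering rule and tracks per-user lockout state; this is illustrative code, not the LoadMaster implementation, and it assumes a successful login clears the consecutive-failure counter.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failed_attempts: int   # 0..99; 0 means users are never locked out
    reset_counter_after: int   # seconds, 60..86400
    unblock_timeout: int       # seconds, 60..86400, must be greater than reset_counter_after

    def validate(self):
        # The range and ordering rules stated for the three fields
        if not 0 <= self.max_failed_attempts <= 99:
            raise ValueError("Failed Login Attempts must be 0..99")
        for name in ("reset_counter_after", "unblock_timeout"):
            if not 60 <= getattr(self, name) <= 86400:
                raise ValueError(f"{name} must be 60..86400 seconds")
        if self.reset_counter_after >= self.unblock_timeout:
            raise ValueError("Reset Failed Login Attempt Counter after must be less than Unblock timeout")
        return True


class LockoutTracker:
    """Per-user failed-login bookkeeping; 'now' is passed in (seconds) so the
    behaviour is deterministic and testable."""

    def __init__(self, policy):
        policy.validate()
        self.policy = policy
        self.state = {}   # user -> {"failures", "last_failure", "blocked_until"}

    def is_blocked(self, user, now):
        st = self.state.get(user)
        if not st or st["blocked_until"] is None:
            return False
        if now >= st["blocked_until"]:      # Unblock timeout elapsed: automatic unblock
            del self.state[user]
            return False
        return True

    def record_failure(self, user, now):
        """Count one failed attempt; returns True if this attempt locks the user out."""
        st = self.state.setdefault(user, {"failures": 0, "last_failure": None, "blocked_until": None})
        last = st["last_failure"]
        if last is not None and now - last >= self.policy.reset_counter_after:
            st["failures"] = 0              # no new attempts for the reset period: counter back to 0
        st["failures"], st["last_failure"] = st["failures"] + 1, now
        if self.policy.max_failed_attempts and st["failures"] >= self.policy.max_failed_attempts:
            st["blocked_until"] = now + self.policy.unblock_timeout
            return True
        return False

    def record_success(self, user):
        self.state.pop(user, None)          # assumption: a successful login clears the counter
```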

Session timeout

The idle time and max duration values can be set here for trusted (private) and untrusted (public) environments. The value that is used is dependent on whether the user selects public or private on their login form. Also, either max duration or idle time can be specified as the value to use.

Idle time: The maximum idle time of the session in seconds, that is, idle timeout.

Max duration: The max duration of the session in seconds, that is, session timeout.

Note: Valid values for these fields range from 60 to 604800 (seconds).

Use for Session Timeout: A switch to select the session timeout behaviour (max duration or idle time).

Note: The underlying network traffic may render the session active, even if there is no obvious user interaction.

Use LDAP Endpoint for Healthcheck

Select this check box to use the LDAP endpoint administrator username and password for health checking. If this is enabled, the Test User and Test User Password textboxes will not be available.

For more information on LDAP endpoints, refer to the LDAP Configuration section.

Note: This option is only available for the following protocols: LDAP, Certificates, RADIUS and LDAP, and RSA-SecurID and LDAP.

Test User and Test User Password

In these two fields, enter credentials of a user account for your SSO Domain. The LoadMaster will use this information in a health check of the Authentication Server. This health check is performed every 20 seconds.