Live Chat Software by Kayako |
Knowledgebase
|
Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment
Posted by Julius Montealegre on 25 June 2010 03:46 PM
|
|||||||||||||||||||||||
Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment
Applicable to – All the versions of Windows
This article describes how to implement Clientless single sign on authentication with Active Directory integration.
Cyberoam – ADS integration feature allows Cyberoam to map the users and groups from Active Directory for the purpose of authentication.
Prerequisites:
* NetBIOS Domain name
* FQDN Domain name
* Search DN
* Active Directory Server IP address
* Administrator Username and Password (Active Directory Domain)
* IP address of Cyberoam Interface connected to Active Directory server
* Import AD groups
* Configure Clientless SSO
Configuring ADS authentication
Logon to Cyberoam Web Admin Console and follow the below given steps:
Step 1. Create ADS User Groups
Instead of creating AD groups again in Cyberoam, you can import AD groups into Cyberoam using Import Wizard.
One can import groups only after integrating and defining AD parameters into Cyberoam.
Step 2: Configure Cyberoam to use Active Directory
Go to User à Authentication Server and click “Add” to configure Active Directory parameters
Cyberoam allows implementing AD integration in two ways:
* Tight Integration – With tight integration, Cyberoam synchronizes groups with AD every time the user tries
to logon. Hence, even if the group of a user is changed in Cyberoam, on subsequent log in attempt, user logs on
as the member of the same group as configured in Active Directory. In this case group membership of each user
is as defined in the Active Directory.
* Loose Integration – With loose integration, Cyberoam does the Group management and does not synchronize
groups with AD when user tries to logon. By default, users will be the member of Cyberoam default group irrespective
of Active Directory group, administrator can change the group membership. Cyberoam will use authentication attribute
for authenticating users with Active Directory.
Step 3: Test Active Directory integration
Go to http://
Username will be displayed on Identity > Live Users page if user is able to log on to Cyberoam successfully.
This completes the AD configuration.
Import AD Groups
To import AD groups into Cyberoam use Import Wizard before configuring for single sign on.
Clientless Single Sign on Implementation
Transparent Authentication (Clientless Single Sign on)
Cyberoam introduces Clientless Single Sign On as a Cyberoam Transparent Authentication Suite (CTAS).
With Single Sign On authentication, user automatically logs on to the Cyberoam when logs on to Windows through
his windows username and password. Hence, eliminating the need of multiple logins and username & passwords.
But, Clientless Single Sign On not only eliminates the need to remember multiple passwords – Windows and Cyberoam,
it also eliminates the installation of SSO clients on each workstation. Hence, delivering high ease-of-use to end-users,
higher levels of security in addition to lowering operational costs involved in client installation.
Cyberoam Transparent Authentication Suite (CTAS)
CTA Suite consists of
CTA Agent – It monitors user authentication request coming on the domain controller and sends information to the
Collector for Cyberoam authentication.
CTA Collector – It collects the user authentication request from multiple agents, processes the request and sends to
Cyberoam for authentication.
How does Cyberoam CTA Agent work?
User Authentication Information Collection Process
1. User tries to log on to the Active Directory Domain Controller from any workstation in LAN. Domain Controller
tries to authenticate user credentials.
2. This authentication process is captured and communicated to CTA Collector over default port 5566 by CTA Agent
real time.
3. CTA Collector registers user in the Local database and communicates user information to Cyberoam over the default
port 6060
4. Cyberoam queries Active Directory to determine user’s group membership and registers user in Cyberoam database
Based on data from CTA Agent, Cyberoam queries AD server to determine group membership and based on which access is
granted or denied. Users logged into a workstation directly i.e. locally but not logged into the domain will not be authenticated
and are considered as “Unauthenticated” or “Guest” user. For users that are not logged into the domain, the HTTP Login screen
prompting for a manual login will be displayed for further authentication.
Step 4: Installing CTA Suite
Download CTA Suite from http://www.cyberoam.com/clientless_sso.html
Extract ctas.rar and install CTA Suite on Domain controller by following the on-screen instructions. Administrative right is required
to install CTA Suite.
Check for “Cyberoam Transparent Authentication Suite” tab from “Start” > “All Programs”.
If installed successfully, “Cyberoam Transparent Authentication Suite” tab will be added.
Consider the below given hypothetical network example where single domain controller is configured and follow
the below given steps to configure Cyberoam Transparent Authentication:
Step 5: Configure CTA Collector from CTA Collector Tab on Primary Domain Controller
If “logoff detection settings” is enabled and firewall is configured on the Workstation, please allow the traffic to and
from Domain controller. If ping is blocked, Cyberoam will always detect user as logged out.
Step 6. Configure Agent from CTA Agent Tab on Primary Domain Controller
Step 7. Configure Cyberoam
Logon to CLI Console with default password, go to Option 4 Cyberoam Console and execute following command at the prompt:
corporate>cyberoam auth cta enable
corporate>cyberoam auth cta collector add collector-ip 
Step 8. Enable Security Event logging on Active Directory
| |||||||||||||||||||||||
 (5 vote(s)) Helpful Not helpful |
|||||||||||||||||||||||
Comments (0)