How To Implement Clientless Single Sign On in a Single Active Directory Domain Controller Environment

Applicable Version: 10.00 onwards

Overview

Cyberoam Clientless Single Sign On Authentication

With Cyberoam Clientless Single Sign On authentication, a user is automatically logged on to Cyberoam when logging on to Windows with their Windows username and password, eliminating the need for multiple logins. It also eliminates the need to install SSO clients on each workstation. This delivers high ease of use to end users and a higher level of security, in addition to lowering the operational costs involved in client installation.

Cyberoam provides Clientless Single Sign On in the form of the Cyberoam Transparent Authentication Suite (CTAS). The CTA Suite consists of:

- CTA Agent: Monitors user authentication requests and sends the information to the Collector for authentication.
- CTA Collector: Collects the user authentication requests from multiple Agents, processes them and sends them to Cyberoam for authentication.

How does Cyberoam CTAS work?

User Authentication Information Collection Process

1. A user logs on to the Active Directory Domain Controller from any workstation in the LAN.
2. The Domain Controller authenticates the user's credentials.
3. The CTA Agent captures this authentication event and communicates it to the CTA Collector over the default TCP port 5566 in real time.
4. The CTA Collector registers the user in its local database and communicates the user information to Cyberoam over the default UDP port 6677.
5. Cyberoam queries Active Directory to determine the user's group membership and registers the user in the Cyberoam database.

Based on the data from the CTA Agent, Cyberoam queries the AD server to determine group membership, based on which access is granted or denied.

Users who log in to a workstation directly, i.e. with a local account and not into the domain, are not authenticated by this process and are treated as Unauthenticated users. For users who are not logged into the domain, the Captive Portal prompting for a manual login is displayed for further authentication.

Scenario

Implement Clientless Single Sign On (SSO) authentication with Active Directory integration in a Single Domain Controller Environment, as shown in the diagram below.
ADS Configuration

Log in to your AD Server using the Administrator profile and follow the steps below to install and configure CTAS.

Step 1: Download and Install CTAS

Download CTAS from http://www.cyberoam.com/cyberoamclients.html and install it on your AD Server.

Step 2: Configure CTAS in ADS

Once CTAS is installed, launch it from Start > All Programs > CTAS > Cyberoam Transparent Authentication Suite, or from the Desktop shortcut.

Configure CTA Collector

Switch to the CTA Collector tab and configure the parameters as given below.

Parameter: Cyberoam Appliances
Value: 192.168.1.121
Description: Specify the Cyberoam IP address to which the CTA Collector has to forward user information.

Parameter: Workstation Polling Settings
Value: WMI
Description: Specify the user information polling method. Available options: WMI, Registry Read Access.

Parameter: Logoff Detection Settings
Value: Disabled
Description: Enable if you want to monitor user logoff. If enabled, specify the Detection Method (pinging the workstation, or polling through WMI or Registry Read Access).

Parameter: Dead Entry Timeout
Value: 2
Description: Specify whether a user is to be logged off from Cyberoam after the mentioned time, even when Logoff Detection for the users is disabled.

Parameter: Listening to the Cyberoam Appliances on Port
Value: 6677
Description: Specify the UDP port on which the CTA Collector is to listen for requests from the Cyberoam Appliance.

Parameter: Listening to the remote CTA Agents (if any) on Port
Value: 5566
Description: Specify the TCP port on which the CTA Collector is to listen for requests from remote CTA Agents.
Note:
- Make sure that the AD Server has UDP port 6677 and TCP port 5566 open, for communication between CTAS and Cyberoam, and between the CTA Collector and CTA Agent, respectively.
- If you enable Logoff Detection Settings, ensure that the firewall on all workstations is configured to allow traffic to and from the Domain Controller.
  o If ping is selected as the logoff detection method, ensure that the workstation firewall allows ping packets.
  o If the WMI polling method is selected, ensure that the workstation firewall allows traffic over UDP port 135.
Configure CTA Agent

Switch to the CTA Agent tab and configure the parameters as given below.

Parameter: CTA Agent Mode
Value: EVENTLOG
Description: Select the workstation communication method.

Parameter: Monitored Networks
Value: 192.168.1.0/24
Description: Specify the networks to be monitored for user authentication. Multiple networks can be added.
General Settings

Switch to the General tab and start the CTA Agent service.

Step 3: Enable Security Event Logging

Go to Start > Administrative Tools > Local Security Policy to view Security Settings. Navigate to Security Settings > Local Policies > Audit Policy and double-click Audit account logon events to open the Audit account logon events Properties window. Enable auditing of both Success and Failure logon events, as shown in the screen below.
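The following PowerShell, an added example that is not part of the Cyberoam document, checks and applies the AD Server prerequisites from the Note above and from Step 3: the audit policy for account logon events and the Collector's listening ports. It assumes Windows Server 2012 or later (for the NetSecurity and NetTCPIP cmdlets), an elevated session, the scenario's appliance address 192.168.1.121 and LAN 192.168.1.0/24, and that the CTA Collector is already running for the final listening check.

```powershell
# Added example, not from the Cyberoam document. Run in an elevated PowerShell
# session on the AD Server after CTAS has been installed and started.
# Assumes Windows Server 2012 or later for the NetSecurity/NetTCPIP cmdlets.

$CollectorUdpPort = 6677            # Collector <- Cyberoam appliance (UDP)
$AgentTcpPort     = 5566            # Collector <- remote CTA Agents (TCP)
$CyberoamAddress  = '192.168.1.121' # appliance IP from the scenario (assumption)
$MonitoredLan     = '192.168.1.0/24' # monitored network from the scenario (assumption)

# --- Step 3: "Audit account logon events" must log Success and Failure ---
# auditpol exposes the legacy "Audit account logon events" policy as the
# "Account Logon" category. Setting it is idempotent, so apply and then show it.
auditpol /set /category:"Account Logon" /success:enable /failure:enable | Out-Null
auditpol /get /category:"Account Logon"

# --- Note: open the two Collector ports, scoped to the peers that need them ---
$rules = @(
    @{ Name = 'CTAS Collector - Cyberoam appliance (UDP 6677)'
       Protocol = 'UDP'; Port = $CollectorUdpPort; Remote = $CyberoamAddress },
    @{ Name = 'CTAS Collector - remote CTA Agents (TCP 5566)'
       Protocol = 'TCP'; Port = $AgentTcpPort;     Remote = $MonitoredLan }
)
foreach ($r in $rules) {
    # Create each rule only once; re-running the script must not add duplicates.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $r.Remote `
            -Profile Domain | Out-Null
        Write-Host "Created inbound rule '$($r.Name)' from $($r.Remote)"
    } else {
        Write-Host "Rule '$($r.Name)' already present"
    }
}

# --- Verify the Collector is actually listening on both ports ---
$udp = Get-NetUDPEndpoint  -LocalPort $CollectorUdpPort -ErrorAction SilentlyContinue
$tcp = Get-NetTCPConnection -LocalPort $AgentTcpPort -State Listen -ErrorAction SilentlyContinue
if ($udp) { Write-Host "UDP $CollectorUdpPort : listening (PID $($udp.OwningProcess))" }
else      { Write-Warning "UDP $CollectorUdpPort : not listening - check the CTA Collector" }
if ($tcp) { Write-Host "TCP $AgentTcpPort : listening (PID $($tcp.OwningProcess))" }
else      { Write-Warning "TCP $AgentTcpPort : not listening - only needed for remote Agents" }
```

In the single-DC scenario the Agent and Collector run on the same host, so a missing TCP 5566 listener only matters once remote Agents are added.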
Cyberoam Configuration

After implementing CTAS on the AD Server, you can integrate it with Cyberoam by following the steps below.

Step 1: Configure Cyberoam to use Active Directory as the Authentication Server

Refer to the article How To Integrate with Active Directory for details.

Step 2: Configure Collector Port and Group in Cyberoam

Log on to the Cyberoam CLI Console using the Administrator password. Go to Option 4. Cyberoam Console. Execute the following command to enable Cyberoam Transparent Authentication.

    console> cyberoam auth cta enable

Execute the following command to add the collector IP and collector port and create a collector group.

    console> cyberoam auth cta collector add collector-ip <ip-address> collector-port <port> create-new-collector-group

Note: For Cyberoam firmware versions below 10.02.0 Build 473, add the collector IP and collector port using the following command instead.

    console> cyberoam auth cta collector add collector-ip <ipaddress> collector-port <port number>

This completes the configuration of Clientless SSO on your ADS and Cyberoam.

Document Version: 2.8
5 August, 2014