NetIQ Advanced Authentication Framework Deployment Guide Version 5.1.0
Table of Contents

Introduction
  About This Document
NetIQ Advanced Authentication Framework Overview
  About NetIQ Advanced Authentication Framework
  NetIQ Server Appliance Functionality
  Terms
    Authenticator
    Authentication Chain
    Authentication Method
    Event
NetIQ Server Appliance Deployment
  Installing NetIQ Server Appliance
    Standalone
    Farm Starter
    Farm Member
  First Login To NetIQ Admin Interface
  Configuring NetIQ Server Appliance
Introduction

About This Document

Purpose of the Document

This Deployment Guide is intended for system administrators and describes the procedure for deploying the NetIQ Advanced Authentication Framework Server appliance.

Document Conventions

Warning. This sign indicates requirements or restrictions that should be observed to prevent undesirable effects.
Important notes. This sign indicates important information you need to know to use the product successfully.
Notes. This sign indicates supplementary information you may need in some cases.
Tips. This sign indicates recommendations.

Terms are italicized, e.g.: Authenticator. Names of GUI elements such as dialogs, menu items and buttons are put in bold type, e.g.: the Logon window.
NetIQ Advanced Authentication Framework Overview

In this chapter:
About NetIQ Advanced Authentication Framework
NetIQ Server Appliance Functionality
Terms

About NetIQ Advanced Authentication Framework

NetIQ Advanced Authentication Framework is a software solution that enhances the standard user authentication process by allowing users to log on with various types of authenticators.

Why choose NetIQ Advanced Authentication Framework? NetIQ Advanced Authentication Framework:
- makes the authentication process easy and secure (no complex passwords, secret words, etc.)
- prevents unauthorized use of your computer
- protects you from fraud, phishing and similar illegal actions online
- can be used to provide secure access to your office

NetIQ Server Appliance Functionality

The NetIQ Server appliance:
- is cross-platform
- contains a built-in RADIUS server
- supports integration with NetIQ Access Manager
- does not require extending the directory schema
- provides administrators with the ability to edit the configured settings through the web-based NetIQ Admin Interface
Terms

In this chapter:
Authenticator
Authentication Chain
Authentication Method
Event

Authenticator

An Authenticator is data submitted by a user for the purpose of validating his or her identity. Both ordinary character strings (e.g. a symbolic password) and data received from a hardware authentication device (e.g. a digital fingerprint model, a memory card ID) can serve as an authenticator. Two authenticator types are usually distinguished: the reference authenticator and the current authenticator. The reference authenticator is the data a user submits to the system as part of the registration (enrollment) procedure, while the current authenticator is the data submitted as part of the authentication procedure. The particular characteristics of these data depend on the authentication method selected by the user, such as a password, a digital fingerprint model, a memory card ID, etc. A logon succeeds only when the reference and current authenticators match.

Authentication Chain

An Authentication Chain is a configured authentication process in which a user must pass credentials to each of the method instances defined in it. That is, an authentication chain processes a request by applying several authentication methods in turn, and the user is authenticated only when all of them succeed. Authentication chains are configured when a single set of credentials is not sufficient.

Authentication Method

An Authentication Method verifies the identity of someone who wants to access data, resources, or applications. Validating that identity establishes a trust relationship for further interactions.
Event

An Event is the authentication point, that is, the application or service (for example the built-in RADIUS server or NetIQ Access Manager) on whose behalf the framework authenticates the user.
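The relationship between the four terms is easiest to see in code. The following Python is an added example, not NetIQ's code: it models a Method that compares a current authenticator against an enrolled reference authenticator, a Chain that requires every one of its methods to pass and is restricted to certain groups, and an Event that accepts a user when one of its chains succeeds. The class names, the salted PBKDF2 storage of reference authenticators and the in-memory user store are assumptions made for illustration; the page does not describe how the appliance stores or compares authenticators.

```python
"""Added example (not NetIQ code): a toy model of the terms above.

Method, Chain and Event, the PBKDF2 storage of reference authenticators and
the in-memory user store are assumptions made for illustration; the page
does not describe how the appliance stores or compares authenticators.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _digest(authenticator: bytes, salt: bytes) -> bytes:
    # Reference authenticators are stored as salted PBKDF2 digests, so a copy
    # of the store does not reveal the passwords or card IDs themselves.
    return hashlib.pbkdf2_hmac("sha256", authenticator, salt, 100_000)


@dataclass
class Method:
    """One authentication method (e.g. Password, Card). enroll() stores the
    reference authenticator; verify() compares the current one against it."""
    name: str
    reference: dict = field(default_factory=dict)  # user -> (salt, digest)

    def enroll(self, user: str, authenticator: bytes) -> None:
        salt = os.urandom(16)
        self.reference[user] = (salt, _digest(authenticator, salt))

    def verify(self, user: str, current: bytes) -> bool:
        if user not in self.reference:
            return False
        salt, ref = self.reference[user]
        # Constant-time comparison: timing must not leak how many bytes matched.
        return hmac.compare_digest(ref, _digest(current, salt))


@dataclass
class Chain:
    """A chain succeeds only if every method in it accepts the user's current
    authenticator, and only for users in one of the allowed groups."""
    name: str
    methods: list
    groups: set = field(default_factory=set)  # empty set: any group may use it
    enabled: bool = True

    def authenticate(self, user: str, user_groups: set, current: dict) -> bool:
        if not self.enabled:
            return False
        if self.groups and not (self.groups & user_groups):
            return False
        # Evaluate every method (no early exit), then require all to pass.
        results = [m.verify(user, current.get(m.name, b"")) for m in self.methods]
        return all(results)


@dataclass
class Event:
    """An event (e.g. the RADIUS Server) is the point at which authentication
    happens; it accepts the user if one of its connected chains succeeds."""
    name: str
    chains: list
    enabled: bool = True

    def authenticate(self, user: str, user_groups: set, current: dict) -> bool:
        return self.enabled and any(
            c.authenticate(user, user_groups, current) for c in self.chains)


def demo() -> dict:
    """Enroll a user for two methods and try the RADIUS event four ways."""
    password, card = Method("Password"), Method("Card")
    password.enroll("alice", b"correct horse battery")   # constructed sample values
    card.enroll("alice", b"CARD-0001")
    chain = Chain("Password+Card", [password, card], groups={"vpn-users"})
    radius = Event("RADIUS Server", [chain])
    both = {"Password": b"correct horse battery", "Card": b"CARD-0001"}
    return {
        "both_factors": radius.authenticate("alice", {"vpn-users"}, both),
        "password_only": radius.authenticate("alice", {"vpn-users"},
                                             {"Password": b"correct horse battery"}),
        "wrong_group": radius.authenticate("alice", {"staff"}, both),
        "wrong_card": radius.authenticate("alice", {"vpn-users"},
                                          {**both, "Card": b"CARD-0002"}),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first case in demo() succeeds: a missing factor, a wrong factor or a user outside the chain's groups is rejected, which is exactly why a chain is configured when one set of credentials is not enough.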
NetIQ Server Appliance Deployment

To increase performance, it is recommended to install several NetIQ Servers in the domain. In this case the servers automatically join a cluster and function as a single, integral authentication service. This increases not only the speed of request processing but also the resilience of the whole system: installing several NetIQ Servers increases fault tolerance, so that if one of the servers stops for any reason, users can still log on with their authenticators.

In this chapter:
Installing NetIQ Server Appliance
First Login to NetIQ Admin Interface
Configuring NetIQ Server Appliance
Installing NetIQ Server Appliance

The NetIQ Server appliance can be installed in graphical or text mode. For more information, see the Installing Server chapter of the Server - Installation Guide.

After installing the NetIQ Server appliance, you must configure the mode in which the appliance will run. Select one of the following server modes:

Standalone is used for demonstrations. It is a self-contained server that is not suitable for a production environment.
Farm Starter is the first installed server. It has the master role: it initializes the database and generates the encryption keys for your environment.
Farm Member is every additional server. The encryption key file created on your Farm Starter must be imported on it to connect it to your environment.
Standalone

To configure the Standalone server:
1. Go to the NetIQ Admin Interface. Enter the URL in the browser's navigation bar in the following format: https://<IP Address>/admin/ (the required URL is displayed after NetIQ Server installation). Read the Help wizard. Click Close after reading it.
2. Select the Standalone server mode and click Next.
3. Click the Save & Restart button to write the configuration and restart the services. The services will be restarted within 30 seconds.
Farm Starter

To configure the Farm Starter server:
1. Go to the NetIQ Admin Interface. Enter the URL in the browser's navigation bar in the following format: https://<IP Address>/admin/ (the required URL is displayed after NetIQ Server installation). Read the Help wizard. Click Close after reading it.
2. Select the Farm Starter server mode and click Next.
3. Enter the password in the Password text field. Click the Test button to verify the connection. If the connection is established successfully, click Next to continue.
4. Click the Create button to generate the encryption key file.
5. After the encryption key file has been generated, click the Next button to continue.
6. Enter a password and confirm it. Click the Prepare button to prepare the encryption key file. After it has been prepared, click the Download link to download the encryption key file. Save it in a secure place: you will need it when configuring new Farm Member servers, and anyone who holds the file together with its password can join a server to your farm, so do not pass it around over unencrypted channels. Click Next to continue.
7. Click the Save & Restart button to write the configuration and restart the services. The services will be restarted within 30 seconds.
Farm Member

To configure the Farm Member server:
1. Go to the NetIQ Admin Interface. Enter the URL in the browser's navigation bar in the following format: https://<IP Address>/admin/ (the required URL is displayed after NetIQ Server installation). Read the Help wizard. Click Close after reading it.
2. Select the Farm Member server mode and click Next.
3. Enter your Farm Starter server's IP address in the host[:port] text field and your password in the Password text field. Click the Test button to verify the connection. If the connection is established successfully, click Next to continue.
4. Upload the encryption key file that was generated by your Farm Starter server. Click the Choose File button and select the file. Enter your password (the one used when the file was prepared on the Farm Starter) in the Password text field and click Upload. Click Next to continue.
5. Click the Save & Restart button to write the configuration and restart the services. The services will be restarted within 30 seconds.
First Login To NetIQ Admin Interface

After the server mode has been set up, the NetIQ Admin Interface is displayed. To log in to the NetIQ Admin Interface, follow these steps:
1. Enter the administrator's login in the following format: repository\user (local\admin by default). Click Next to continue.
2. The Admin Password chain is automatically pre-selected by the system as the only available method. Enter the password in the Password text field (admin by default) and click Next to log in. Change this default password as soon as you are logged in: an appliance reachable on the network with the default local\admin / admin credentials can be taken over by anyone who can reach the Admin Interface.
3. The main page of the NetIQ Admin Interface is displayed.
Configuring NetIQ Server Appliance

The NetIQ Admin Interface contains a Help option with detailed instructions on how to configure all settings of your authentication framework. You can open Help by clicking the Help icon in the upper right corner of the NetIQ Admin Interface; the Help section provides information on the specific section you are working on.

After installing the NetIQ Server appliance and configuring the applicable server mode, the administrator can configure the NetIQ Server appliance through the NetIQ Admin Interface. To configure the NetIQ Server appliance, follow these steps:

1. Log in to the NetIQ Admin Interface.

2. Add the repository that will be used by the NetIQ authentication framework.
a. Open the Repositories section.
b. Click the Add button.
c. Fill in the Name, Base DN, User, Password and Confirmation text fields. Select the applicable repository type from the LDAP type dropdown.
d. Click the Add server button.
e. Specify the server's address and port. Select the SSL checkbox to connect over SSL/TLS (if applicable); without it the bind user's password and all directory queries cross the network in clear text. Click the Save button next to the server's details. Add additional servers (if applicable).
f. Click Save at the bottom of the Repositories view to verify and save the specified credentials.

3. Configure the applicable authentication methods for the NetIQ authentication framework.
a. Open the Methods section. The list of available authentication methods is displayed.
b. Click the Edit button next to the applicable authentication method.
c. Edit the configuration settings for the specific authentication method.
d. Click Save at the bottom of the Methods view to save the changes.

4. Create new chains, or edit existing ones, that the NetIQ authentication framework will work with. The configured chains are then connected to events.
a. Open the Chains section.
b. Click the Edit button next to the applicable authentication chain (or click the Add button at the bottom of the Chains view to create a new authentication chain).
c. Fill in the Name and Short name text fields.
d. Select whether the current authentication chain is enabled or disabled by clicking the Is enabled toggle button.
e. Select the methods that will be assigned to the chain.
f. Specify the groups that are allowed to use the current authentication chain in the Groups text field.
g. Click Save at the bottom of the Chains view to save the configuration.

5. Configure and enable the authentication events for the NetIQ authentication framework. Currently the supported events are RADIUS Server, NAM and NCA.
a. Open the Events section.
b. Click the Edit button next to the applicable event.
c. Select whether the current event is enabled or disabled by clicking the Is enabled toggle button.
d. Select the methods that will be assigned to the current event.
e. If available, add the clients assigned to the current event.
f. Click Save at the bottom of the Events view to save the configuration.

6. Configure the policies for the NetIQ authentication framework. The configured policies are applied to all servers.
a. Open the Policies section. The list of available policies is displayed.
b. Click the Edit button next to the applicable policy.
c. Edit the configuration settings for the specific policy.
d. Click Save at the bottom of the Policies view to save the changes.

7. Specify the protocol that will be used by the NetIQ Server. By default the NetIQ Server uses the HTTP protocol. To switch to HTTPS mode, obtain a certificate file (PEM or CRT) and apply the SSL certificate on the server.
a. Open the Server Options section.
b. Click the Choose File button and select the new SSL certificate.
c. Click Upload to upload the selected SSL certificate.

8. Add the license for the NetIQ authentication framework. The temporary license is active for 30 days and expires at the specified date.
a. Open the Licenses section.
b. Click the Choose File button and select the valid license.
c. Click Upload to upload the license.
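The RADIUS Server event enabled in step 5 is exercised by a RADIUS client (a VPN gateway, a switch, or a test tool) sending an Access-Request to the appliance's built-in RADIUS server. The following Python is an added example, not NetIQ's code: it assembles such a request with the User-Password attribute obfuscated as RFC 2865 requires, and checks the Response Authenticator of the reply so that a spoofed Access-Accept is not trusted. The shared secret, identifier, user name and password are constructed sample values; the RADIUS port the appliance listens on and the clients it accepts are configured on the event and are not assumed here.

```python
"""Added example (not NetIQ code): build a RADIUS Access-Request for the
RADIUS Server event and verify the reply, following RFC 2865.

The shared secret, identifier, user name and password used below are
constructed sample values; the appliance's RADIUS port and the clients it
accepts are configured on the event and are not assumed here.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a 16-octet multiple, then XOR each block
    with MD5(secret + previous ciphertext block); the first block is keyed from
    the Request Authenticator. This hides the password only as well as the
    shared secret is hidden, which is why RADIUS should not cross untrusted
    networks without IPsec or RadSec."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of encode_user_password (trailing NUL padding removed)."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes) -> tuple:
    """Return (packet, request_authenticator). The authenticator must be fresh
    and unpredictable for every request: it keys the password obfuscation and
    binds the server's reply to this particular request."""
    request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code: int, identifier: int, request_auth: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """What a RADIUS server sends back (used here to produce sample replies):
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of the Response Authenticator. Skipping it lets anyone
    who can inject a UDP datagram forge an Access-Accept."""
    if len(reply) < 20 or int.from_bytes(reply[2:4], "big") != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def reply_code(reply: bytes) -> int:
    """Code octet of a verified reply: 2 = Access-Accept, 3 = Access-Reject."""
    return reply[0]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    packet, request_auth = build_access_request(7, b"alice", b"correct horse", secret)
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, secret)  # stand-in for the appliance
    print(len(packet), "byte Access-Request; reply authentic:",
          response_is_authentic(reply, request_auth, secret))
```

To run this against the appliance, send the packet from build_access_request() to the RADIUS UDP port configured on the event with a socket, then pass the datagram you get back together with the returned request authenticator to response_is_authentic() before reading its code; the build_response() function only stands in for the server so the check can be exercised offline.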