Configuring authentication

By default, Guardium® user logins are authenticated by Guardium, independent of any other application.

For the Guardium admin user account, login is always authenticated by Guardium alone. For all other Guardium user accounts, authentication can be configured to use RADIUS, LDAP, or a smart card. Extra configuration information is required for connecting with the authentication server.

When using RADIUS or LDAP, all Guardium users must still be defined as users on the Guardium appliance. It is only the authentication that is performed by another application.

While user accounts and roles are managed by the accessmgr user, the authentication method is managed by the admin user, which is a standard separation-of-duties best practice.

You can also authenticate users with a smart card, and for any authentication method you can add a level of security with multi-factor authentication. For more information, see Enabling smart card authentication and Configuring multi-factor authentication.

To set up user authentication from the Portal:
  1. Browse to Setup > Tools and Views > Portal.
  2. From Authentication Configuration, select the type of authentication you want to use.
    Note: Local is the default.
  3. Configure the authentication type as required.

Configuring Guardium local authentication

Select Local (the default) to define logins and passwords for specific users from the access manager (that is, the accessmgr role on the Guardium accessmgr account). For more information about accessmgr, see Managing users.

When you define a username and password from the accessmgr role, the defined password per user is used to log in to the Guardium system.

To configure Guardium for local authentication, select Local and click Apply.

Configuring RADIUS authentication

Select RADIUS to allow login authentication through a RADIUS server. The RADIUS/RSA server is defined by using both a password and a SecurID token number. The SecurID token numeric password is displayed on a hardware token.

You can define the RADIUS/RSA server on either a Windows or UNIX server. The RSA SecurID token is defined and stored on the RADIUS server; you do not need to download it for the RADIUS portal to work.

Guardium supports FreeRADIUS client software. To use FreeRADIUS, the client (the Guardium server), usernames, and passwords are defined on the FreeRADIUS UNIX servers and are used when the RADIUS portal connection is defined.

  1. Select RADIUS in the Authentication Configuration page to display the RADIUS-specific fields. Enter the following information for RADIUS:
    1. Primary Server - The hostname or IP address of the primary RADIUS server.
    2. Secondary Server and Tertiary Server - Optionally enter the hostname or IP address of the secondary and tertiary RADIUS servers.
    3. Port - The UDP port (1812 or 1645) used by RADIUS.
    4. Shared Secret - Enter the RADIUS server Shared Secret, twice.
    5. Timeout Seconds - The number of seconds to wait for a response before the server is considered timed out (the default is 120).
    6. Auth Type - Select an authentication type:
      • PAP - Password authentication protocol
      • CHAP - Challenge-handshake authentication protocol
      • MS-CHAPv2 - Microsoft version 2 of the challenge-handshake authentication protocol
  2. Click Test to verify the configuration. You are informed of the results of the test. The configuration is also tested whenever you click Apply to save changes.
  3. Click Apply. Guardium attempts to authenticate a test user, and informs you of the results.
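
With Auth Type set to PAP, the only protection the user's password has on the wire is the RFC 2865 User-Password hiding, which is keyed by the Shared Secret entered above. The following is an added example (not Guardium or FreeRADIUS code) that implements that hiding and its inverse with constructed sample values, to show why the secret must be strong and unique per client:

```python
import hashlib


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a RADIUS User-Password attribute value (RFC 2865, section 5.2).

    The cleartext is NUL-padded to a multiple of 16 bytes. Each 16-byte block is
    XORed with MD5(secret + previous block), where the "previous block" for the
    first chunk is the 16-byte Request Authenticator of the Access-Request.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP passwords are limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        hidden += block
        prev = block
    return hidden


def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_pap_password, as performed by the RADIUS server.

    Anyone holding the shared secret and a captured request can do the same,
    which is why the secret, not MD5, carries the whole security of PAP.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ d for c, d in zip(block, digest))
        prev = block
    return clear.rstrip(b"\x00")  # strips the padding (and any real trailing NULs)


if __name__ == "__main__":
    # Constructed sample values; a real client draws the authenticator randomly.
    secret, authenticator = b"example-shared-secret", bytes(range(16))
    hidden = hide_pap_password(b"correct horse battery staple", secret, authenticator)
    print(hidden.hex(), reveal_pap_password(hidden, secret, authenticator))
```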

Configuring LDAP authentication

LDAP authentication allows login authentication when the password is defined and stored on a specified Lightweight Directory Access Protocol (LDAP) server. A user account name must be imported from the LDAP server before that user can use the LDAP portal and log in.

Guardium supports multiple LDAP servers. The access manager defines the LDAP configurations, which display in the LDAP servers table under Authentication Configuration. For more information about defining the LDAP configurations, see Importing users from LDAP.

Note: Default User RDN Type defines the default value of User RDN Type. If you add a new LDAP server for user import, the User RDN Type attribute is populated with the value defined here.

If you configure Default User RDN Type as <LDAP Attribute>=search, Guardium applies an additional filter (<LDAP Attribute>=<username>), searches for the user DN, and then authenticates the user with the resultant DN.

For example, if you configure User RDN Type as uid=search and a user (say, Hadrian Wall) logs in, Guardium applies the additional filter (uid="HadrianWall") and searches for the user DN in LDAP. If Guardium finds "HadrianWall", it uses that DN and the supplied password to authenticate with the LDAP server.
Note: If the user RDN type for your site is not uid, then work with your access manager to establish the user RDN. The access manager imports LDAP users and can tell you which RDN to use as the default.
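
To make the two behaviours of User RDN Type concrete, here is an added example (not Guardium code) that resolves a login name to a bind DN the way the text describes: with a plain attribute the DN is composed directly, and with <attribute>=search a filter is built and the single matching entry's DN is used. It runs against a constructed in-memory directory standing in for the LDAP server, and escapes the login name per RFC 4515 so that filter metacharacters in it cannot widen the search:

```python
import re

# Constructed in-memory directory standing in for the LDAP server (sample data).
BASE_DN = "dc=example,dc=com"
DIRECTORY = {
    "uid=HadrianWall,ou=people," + BASE_DN: {"uid": "HadrianWall"},
    "uid=hwall,ou=contractors," + BASE_DN: {"uid": "hwall"},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def search(ldap_filter: str) -> list:
    """Minimal stand-in for a subtree search: one (attribute=pattern) filter,
    with '*' wildcards and \\xx escapes, matched case-insensitively like uid."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, pattern = m.groups()
    # Split on wildcards first, then decode \xx escapes inside each literal piece.
    pieces = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                               lambda e: chr(int(e.group(1), 16)), piece))
              for piece in pattern.split("*")]
    rx = re.compile(".*".join(pieces), re.IGNORECASE)
    return [dn for dn, entry in DIRECTORY.items() if rx.fullmatch(entry.get(attr, ""))]


def resolve_user_dn(rdn_type: str, username: str) -> str:
    """Map the configured User RDN Type and a login name to the DN used for bind."""
    attr, _, mode = rdn_type.partition("=")
    if mode != "search":
        return f"{attr}={username},{BASE_DN}"  # e.g. uid -> uid=<user>,<base>
    matches = search(f"({attr}={escape_filter_value(username)})")
    if len(matches) != 1:  # zero or ambiguous hits must never bind a guessed DN
        raise LookupError(f"expected exactly one entry for {username!r}, got {len(matches)}")
    return matches[0]


if __name__ == "__main__":
    print(resolve_user_dn("uid=search", "HadrianWall"))
    print(resolve_user_dn("uid", "HadrianWall"))
```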

After the access manager configures LDAP authentication, you can optionally add or view trusted certificates or test the authentication. When you are done, click Apply to finish the setup, as described in step 4.

  1. Optional. To inspect one or more trusted certificates, click Trusted Certificates and follow the instructions in that window.
  2. Optional. To add a trusted certificate, click Add Trusted Certificates and follow the instructions in that window.
    Note: If multiple LDAP servers use SSL, you need to add an SSL certificate for each server. However, if the certificates are signed by the same certificate authority, you can add only the root certificate.
  3. Optional. Click Test to verify the configuration and return the results. The configuration is also tested whenever you click Apply to save changes.
  4. Click Apply. Guardium attempts to authenticate a test user, and informs you of the results.

Enabling smart card authentication

You can configure Guardium smart card support that meets the United States government mandate that all vendors must support multi-factor authentication for user access. Smart card authentication is supported for access to the web-based Guardium user interface (UI). For more information about smart card authentication, see Enabling smart card authentication.