Configuring authentication

By default, Guardium® user logins are authenticated by Guardium, independent of any other application.

For the Guardium admin user account, login is always authenticated by Guardium alone. For all other Guardium user accounts, authentication can be configured to use RADIUS, LDAP, or a smart card. Extra configuration information is required for connecting with the authentication server.

When using RADIUS or LDAP, all Guardium users must still be defined as users on the Guardium appliance. It is only the authentication that is performed by another application.

While user accounts and roles are managed by the accessmgr user, the authentication method is managed by the admin user, which is a standard separation-of-duties best practice.

You can also authenticate users with a smart card, and for any authentication method you can add a level of security with multi-factor authentication. For more information, see Enabling smart card authentication and Configuring multi-factor authentication.

To set up user authentication from the Portal:
  1. Browse to Setup > Tools and Views > Portal.
  2. From Authentication Configuration, select the type of authentication you want to use.
    Note: Local is the default.
  3. Configure the authentication type as required.

Configuring Guardium local authentication

Select Local (the default) to define logins and passwords for specific users from the access manager (that is, the accessmgr role on the Guardium accessmgr account). For more information about accessmgr, see Managing users.

When you define a username and password as accessmgr, that password is the one the user enters to log in to the Guardium system.

To configure Guardium for local authentication, select Local and click Apply.

Configuring RADIUS authentication

Select RADIUS to allow login authentication through a RADIUS server. With a RADIUS/RSA server, a user logs in with both a password and a SecurID token code; the token code is displayed on the user's hardware token.

The RADIUS/RSA server can run on either Windows or UNIX. The RSA SecurID token is defined and stored on the RADIUS server; you do not need to download it for the RADIUS portal to work.

Guardium is also supported as a client of FreeRADIUS. To use FreeRADIUS, the client (the Guardium appliance), the usernames, and the passwords are defined on the FreeRADIUS UNIX server and are used when the RADIUS portal connection is defined.

  1. Select RADIUS in the Authentication Configuration page to display the RADIUS-specific fields. Enter the following information for RADIUS:
    1. Primary Server - The hostname or IP address of the primary RADIUS server.
    2. Secondary Server and Tertiary Server - Optionally enter the hostname or IP address of the secondary and tertiary RADIUS servers.
    3. Port - The UDP port used by RADIUS (1812 or 1645).
    4. Shared Secret - Enter the RADIUS server Shared Secret, twice.
    5. Timeout Seconds - The number of seconds to wait for a response from the server before the request times out (the default is 120).
    6. Auth Type - Select an authentication type:
      • PAP - Password authentication protocol. The password is hidden only by the RFC 2865 MD5 scheme keyed with the shared secret, so use a long random secret and keep the RADIUS traffic on a trusted network segment.
      • CHAP - Challenge-handshake authentication protocol
      • MS-CHAPv2 - Microsoft version 2 of the challenge-handshake authentication protocol
  2. Click Test to verify the configuration. You are informed of the results of the test. The configuration is also tested whenever you click Apply to save changes.
  3. Click Apply. Guardium attempts to authenticate a test user, and informs you of the results.
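
The following is an added example and not Guardium code: it models the RADIUS exchange behind the Test and Apply steps above, with the appliance as RADIUS client and a minimal in-memory server, so that the role of the shared secret and the difference between PAP and CHAP can be seen before the real server is contacted. The user jdoe, the password and the secret are constructed sample values; MS-CHAPv2 uses vendor-specific attributes (RFC 2548) and is deliberately not modelled.

```python
"""RADIUS Access-Request construction and reply verification (RFC 2865).

Added example, not part of the Guardium documentation or product code. The
user, password and shared secret are constructed sample values.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3


def _attr(typ: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, total length, value."""
    return bytes([typ, len(value) + 2]) + value


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 does: MD5 keystream XOR per 16-byte block.
    This is obfuscation keyed by the shared secret, not encryption that resists an attacker
    who knows the secret or can brute-force a weak one from captured packets."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of pap_encrypt; trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: CHAP ident followed by MD5(ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         auth_type: str, authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Client side: return (packet, request_authenticator) for PAP or CHAP."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, user.encode())
    if auth_type == "PAP":
        attrs += _attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
    elif auth_type == "CHAP":
        # Without a CHAP-Challenge attribute the Request Authenticator is the challenge.
        attrs += _attr(CHAP_PASSWORD, chap_password(ident, password.encode(), authenticator))
    else:
        raise ValueError("only PAP and CHAP are modelled here")
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def server_check(packet: bytes, secret: bytes, users: Dict[str, bytes]) -> bytes:
    """Minimal server: validate the credential and return a signed Access-Accept or Access-Reject.
    Note that CHAP requires the server to hold the cleartext password; PAP does not."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        typ, ln = packet[pos], packet[pos + 1]
        attrs[typ] = packet[pos + 2:pos + ln]
        pos += ln
    expected = users.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    ok = False
    if expected is not None and USER_PASSWORD in attrs:
        ok = hmac.compare_digest(pap_decrypt(attrs[USER_PASSWORD], secret, req_auth), expected)
    elif expected is not None and CHAP_PASSWORD in attrs:
        ok = hmac.compare_digest(chap_password(attrs[CHAP_PASSWORD][0], expected, req_auth),
                                 attrs[CHAP_PASSWORD])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> str:
    """Client side: only a reply signed with our secret counts; anything else must be dropped."""
    code, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        return "forged"      # wrong shared secret on either side, or a spoofed reply
    return "accept" if code == ACCESS_ACCEPT else "reject"


def login(auth_type: str, password: str, server_secret: bytes = b"s3cret") -> str:
    """Run one exchange against an in-memory server holding the constructed sample user."""
    client_secret = b"s3cret"
    users = {"jdoe": b"Correct-Horse"}
    packet, req_auth = build_access_request(7, "jdoe", password, client_secret, auth_type)
    return verify_reply(server_check(packet, server_secret, users), req_auth, client_secret)


if __name__ == "__main__":
    for case in (("PAP", "Correct-Horse"), ("CHAP", "Correct-Horse"), ("PAP", "wrong")):
        print(case, login(*case))
    print("secret mismatch:", login("CHAP", "Correct-Horse", server_secret=b"other"))
```

The last case is the one the Test button is most useful for: when the shared secret entered in Guardium differs from the one on the server, a PAP request decrypts to garbage and is rejected, and even a CHAP request that the server accepts arrives back with a Response Authenticator the client cannot verify, so the outcome is a timeout or failure rather than a successful login.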

Configuring LDAP authentication

LDAP authentication allows login authentication when the password is defined and stored on a specified Lightweight Directory Access Protocol (LDAP) server. A user account name must be imported from the LDAP server before that user can log in through the LDAP portal. Use the User LDAP Import function available from the accessmgr account to define the LDAP location and then import the LDAP users. Passwords are not imported; they remain on the LDAP server and are checked there at every login.

  1. Select LDAP, and then enter the following information:
    • Server - Enter the hostname or IP address of the LDAP server.
    • Port - Leave the default (636) for LDAP over SSL, or enter a different port.
    • User RDN Type - The attribute used as the relative distinguished name (RDN) of user entries. The default is uid.
      Note: This attribute identifies a user for LDAP authentication. The access manager needs to know which attribute is used here, because the access manager imports the LDAP users. For more information, see Importing users from LDAP.

      If users are identified by sAMAccountName (Active Directory), append =search or =[domain name] to the attribute name. For example,

      sAMAccountName=search, sAMAccountName=dom
    • User Base DN - The distinguished name (DN) of the directory subtree under which the user entries are located, for example ou=People,dc=example,dc=com.
    • Use SSL - Select or clear as needed for your LDAP server. Clearing it sends the bind password to the LDAP server in clear text.
  2. Optional. To inspect one or more trusted certificates, click Trusted Certificates and follow the instructions in that window.
  3. Optional. To add a trusted certificate, click Add Trusted Certificates and follow the instructions in that window.
    Note: If multiple LDAP servers use SSL, you need to add an SSL certificate for each server. However, if the certificates are signed by the same certificate authority, you need to add only that CA's root certificate.
  4. Optional. Click Test to verify the configuration and return the results. The configuration is also tested whenever you click Apply to save changes.
  5. Click Apply. Guardium attempts to authenticate a test user, and informs you of the results.
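
The following is an added example, not Guardium code and not a description of how the appliance builds its own LDAP requests. It assumes three bind strategies that correspond to the RDN Type values described above: a direct simple bind with uid=<user>,<base DN>, a search-then-bind for sAMAccountName=search, and a domain-qualified simple bind (DOMAIN\user) for sAMAccountName=<domain>; the last mapping is an assumption to check against your directory. The base DN, domain name and user names are constructed sample values. The point of the example is the escaping: the login name is attacker-controlled input, so it is escaped per RFC 4514 when placed in a DN and per RFC 4515 when placed in a search filter.

```python
"""Bind identity construction for the User RDN Type and User Base DN settings.

Added example, not part of the Guardium documentation or product code. The
base DN, domain and user names below are constructed sample values.
"""
from dataclasses import dataclass

_DN_SPECIALS = set(',+"\\<>;=')
_FILTER_SPECIALS = {0x2A, 0x28, 0x29, 0x5C, 0x00}   # * ( ) \ NUL


def escape_dn_value(value: str) -> str:
    """Escape an attribute value used inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value used inside a search filter (RFC 4515 section 3)."""
    out = []
    for b in value.encode("utf-8"):
        if b in _FILTER_SPECIALS or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


@dataclass
class BindPlan:
    mode: str                 # "direct", "search" or "domain"
    bind_dn: str = ""         # DN, or DOMAIN\user, presented in the simple bind
    search_base: str = ""     # only for mode "search"
    search_filter: str = ""   # only for mode "search"


def plan_bind(username: str, rdn_type: str, base_dn: str) -> BindPlan:
    """Turn a login name plus the configured RDN Type into the LDAP operation(s) to perform."""
    if not username or any(ord(c) < 0x20 or c == "\x7f" for c in username):
        raise ValueError("login name is empty or contains control characters")
    attr, _, qualifier = rdn_type.partition("=")
    if qualifier == "":
        # e.g. RDN Type "uid": the DN is known without a search; bind with the user's password.
        return BindPlan("direct", bind_dn=f"{attr}={escape_dn_value(username)},{base_dn}")
    if qualifier == "search":
        # e.g. "sAMAccountName=search": find the entry under the base DN, then bind as its DN.
        return BindPlan("search", search_base=base_dn,
                        search_filter=f"({attr}={escape_filter_value(username)})")
    # e.g. "sAMAccountName=EXAMPLE": assumed to mean a DOMAIN\user simple bind against
    # Active Directory; verify this against your own directory before relying on it.
    if "\\" in username or "@" in username:
        raise ValueError("domain-qualified mode expects a bare account name")
    return BindPlan("domain", bind_dn=f"{qualifier}\\{username}")


if __name__ == "__main__":
    base = "ou=People,dc=example,dc=com"
    for name, rdn in (("jdoe", "uid"), ("jdoe,ou=Admins", "uid"),
                      ("*)(objectClass=*", "sAMAccountName=search"),
                      ("jdoe", "sAMAccountName=EXAMPLE")):
        print(rdn, "->", plan_bind(name, rdn, base))
```

The third case shows why the escaping matters: without it, a login name of *)(objectClass=* turns the search filter into one that matches every entry, and whichever DN comes back first is the account the password is then tried against. With a client library such as ldap3 the plan maps onto Connection(server, user=plan.bind_dn, password=pw, auto_bind=True) for the direct and domain modes, and for search mode onto a search from a service account with plan.search_base and plan.search_filter followed by a second bind as the DN of the single entry found; refuse to proceed if the search returns zero or more than one entry.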

Enabling smart card authentication

You can configure Guardium smart card support that meets the United States government mandate that all vendors must support multi-factor authentication for user access. Smart card authentication is supported for access to the web-based Guardium user interface (UI). For more information about smart card authentication, see Enabling smart card authentication.