By default, Guardium user logins are authenticated by Guardium, independent of any other application. For the Guardium admin user account, login is always authenticated by Guardium alone. For all other Guardium user accounts, authentication can be configured to use either RADIUS or LDAP. In the latter cases, additional configuration information for connecting with the authentication server is required.
When an alternative authentication method is used, all Guardium users must still be defined as users on the Guardium appliance. It is only the authentication that is performed by another application.
Note that while user accounts and roles are managed by the accessmgr user, the authentication method used is managed by the admin user. This is a standard "separation of duties" best practice.
To configure authentication, follow the appropriate procedure below.
To configure Guardium authentication:
Select Administration Console > Portal.
Select the Guardium radio button in the Authentication Configuration panel.
Click Apply.
To configure RADIUS authentication:
Select Administration Console > Portal.
Select the RADIUS radio button in the Authentication Configuration panel. Additional fields will appear in the panel.
In the Primary Server box, enter the host name or IP address of the primary RADIUS server.
Optionally enter the host name or IP address of the secondary and tertiary RADIUS servers.
Enter the UDP Port used by RADIUS (1812 or 1645).
Enter the RADIUS server Shared Secret, twice.
Enter the Timeout Seconds (the default is 120).
Select the Authentication Type:
PAP - Password Authentication Protocol
CHAP - Challenge-Handshake Authentication Protocol
MS-CHAPv2 - Microsoft version 2 of the Challenge-Handshake Authentication Protocol
Optionally click the Test button to verify the configuration. You will be informed of the results of the test. The configuration will also be tested whenever you click the Apply button to save changes (see below).
Click Apply. Guardium will attempt to authenticate a test user, and inform you of the results.
To configure LDAP authentication:
Select Administration Console > Portal.
Select the LDAP radio button in the Authentication Configuration panel.
In the Server box, enter the host name or IP address of the LDAP server.
Enter the Port number (the default is 636 for LDAP over SSL).
Enter the User RDN Type (relative distinguished name type), which is uid by default.
Enter the User Base DN (distinguished name).
Mark or clear the Use SSL checkbox, as appropriate for your LDAP Server.
Optional. To inspect one or more trusted certificates, click Trusted Certificates and follow the instructions in that panel.
Optional. To add a trusted certificate, click Add Trusted Certificates and follow the instructions in that panel.
Optional. Click the Test button to verify the configuration. You will be informed of the results of the test. The configuration will also be tested whenever you click the Apply button to save changes (see below).
Click Apply. Guardium will attempt to authenticate a test user, and inform you of the results.
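The following pre-check for the LDAP panel values is an added example, not Guardium code. It assumes that the login name becomes the value of the User RDN Type directly beneath the User Base DN and that authentication is a simple bind. The function names and sample values are hypothetical.

```python
import re

# RFC 4514 section 2.4: characters that must be backslash-escaped in an RDN value.
_SPECIAL = set('"+,;<>\\')
# RFC 4512 attribute descriptor: a letter followed by letters, digits or hyphens.
_DESCR = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")

def escape_rdn_value(value):
    """Escape a login name for use as an RDN value (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def user_dn(rdn_type, base_dn, login):
    """DN a user's directory entry must have under the given panel settings."""
    # Assumption: DN = <User RDN Type>=<login>,<User Base DN>
    if not _DESCR.match(rdn_type):
        raise ValueError(f"invalid User RDN Type: {rdn_type!r}")
    if not login or not base_dn.strip():
        raise ValueError("login and User Base DN are required")
    return f"{rdn_type}={escape_rdn_value(login)},{base_dn.strip()}"

def check_transport(port, use_ssl):
    """Flag Port / Use SSL combinations that usually indicate a mistake."""
    warnings = []
    if not use_ssl:
        # Assumes a simple bind, where the password is sent as-is.
        warnings.append("Use SSL is cleared: passwords cross the network unencrypted")
    if use_ssl and port == 389:
        warnings.append("389 is the standard cleartext LDAP port; LDAP over SSL is normally 636")
    if not use_ssl and port == 636:
        warnings.append("636 expects SSL; the connection will likely fail with Use SSL cleared")
    return warnings

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(user_dn("uid", "ou=people,dc=example,dc=com", "j.smith"))
    print(user_dn("uid", "ou=people,dc=example,dc=com", "smith,ou=admins"))
    print(check_transport(636, False))
```

If the DN printed for a known user does not match that user's entry in the directory, the test login performed by Test or Apply can be expected to fail for the same reason.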