Authentication Type
Use the Authentication Type page to configure the following:
Configure Authentication Type
GigaVUE‑FM supports and authenticates users against the following authentication methods:
- Local: Local database configured through the User Management page.
- External authentication servers: Includes LDAP, RADIUS, or TACACS+
- Third Party: External identity provider.
In earlier software versions, you can prioritize the authentication protocols, where in, if one of the authentication mechanism fails GigaVUE‑FM will automatically fallback to any of the other methods. Starting in software version 5.8.00, you can select only one of the authentication methods depending on your requirement. That is, you can select any one of the remote authentication methods or use the local authentication method or the external identity provider. This allows for enhanced security by maintaining the user names and passwords in a single location.
In case of remote authentication methods, you can configure fall back within the same scheme of AAA authentication. For example, for RADIUS authentication, you can add multiple RADIUS servers, so that, if the first server is not reachable, the second server is tried for accessibility and so on.
Note: If you cannot access GigaVUE‑FM due to failure in authentication, you can use the special access provided (https://<fm ip address/dns name>/admin). This access is applicable only for local users with super admin privileges. You can also access GigaVUE-FM through the Command Line Interface and locate the following log file to determine the reason for the failure in authentication: /var/log/shibboleth/idp-process.log
When upgrading to release 5.8.00, GigaVUE‑FM configures the authentication method that was configured with the highest priority in the previous release.
For Example:
In GigaVUE‑FM Release 5.7.00 and Previous |
In GigaVUE‑FM Release 5.8.00 and further |
RADIUS, TACACS+, LDAP are configured. RADIUS configured as first priority | RADIUS |
RADIUS, LDAP are configured. LDAP is configured as first priority | LDAP |
As part of software version 5.8.00, if authentication is done in the local server, then authorization is also performed locally. If authentication is done in the remote server, then authorization is also done at remote. Therefore, it is not required to configure extra roles for mapping purposes.
Configure Default User Group
For security reasons, the Default User Group option is not configured by default in GigaVUE‑FM. If required, you can configure the Default User Group option to specify how the local and externally authenticated users can be granted privileges in GigaVUE‑FM. If there are no valid GigaVUE‑FM specific groups configured in the remote server but if a default user group is configured in GigaVUE‑FM, then that group will be assigned. Otherwise, the user cannot login in to GigaVUE‑FM without groups being configured.
Note: You are responsible for configuring the groups at the remote server in the specified format for TACACS+ and RADIUS servers. For LDAP, you must configure the list of groups for Group Base DN in GigaVUE‑FM.
Groups Configured in GigaVUE‑FM Based on AuthMethod
The following table consists of examples with groups resolved in GigaVUE‑FM based on the AuthMethod field:
AuthMethod |
Logged in User |
MapDefaultUserGroup |
Remote Roles/Group Base DN (if configured) |
Expected Group |
Assigned Group |
Notes |
Local |
test |
- |
- |
fm_user |
fm_user |
The authMethod is 'LOCAL'. Therefore, the logged-in user's group will be assigned.
|
TACACS+ |
tacacsuser1 |
- |
fm_admin |
fm_admin |
fm_admin |
The role which has been assigned remotely will be assigned.
|
TACACS+ |
tacacsuser3 |
- |
fm_non_exist_group [specified group Does not match any roles in FM] |
- |
- |
If non-exist group is being assigned remotely, then that user cannot login into GigaVUE‑FM. GigaVUE‑FM will reject that user.
|
TACACS+ |
tacacsuser3 |
User Group |
fm_non_exist_group [specified group Does not match any roles in FM] |
User Group |
User Group |
If non-exist group is being assigned remotely, then GigaVUE‑FM will check if Default User Group has been configured. If Default User Group is configured, then it will assign the same and allow the user to log in to GigaVUE‑FM.
|
TACACS+ |
tacacsuser2 |
- |
- |
- |
- |
If there are no groups configured remotely and Default User Group is also not configured in GigaVUE‑FM, then that user cannot log in to GigaVUE‑FM. GigaVUE‑FM will reject that user.
|
RADIUS |
radiususer1 |
- |
fm_admin |
fm_admin |
fm_admin |
The role which has been assigned remotely will be assigned.
|
RADIUS |
radiususer3 |
- |
fm_non_exist_group [specified group Does not match any roles in FM] |
- |
- |
If non-exist group is being assigned remotely, then that user cannot log in to GigaVUE‑FM. GigaVUE‑FM will reject that user.
|
RADIUS |
radiususer3 |
User Group |
fm_non_exist_group [specified group Does not match any roles in FM] |
User Group |
User Group |
If non-exist group is being assigned remotely, then GigaVUE‑FM will check whether Default User Group has been configured; If Default User Group is configured, then it will assign the same and allow the user to log in to GigaVUE‑FM.
|
RADIUS |
radiususer2 |
- |
- |
- |
- |
If there are no groups configured remotely and Default User Group is also not configured in GigaVUE‑FM, then that user cannot log in to GigaVUE‑FM. GigaVUE‑FM will reject that user.
|
LDAP |
ldapuser1 |
- |
CN=FMQA-SSO,DC=hqdevtest,DC=com |
fm_admin |
fm_admin |
The mapped group for the provided Group Base DN will be assigned to the logged in user.
|
LDAP |
ldapuser2 |
- |
CN=FMQA-SSO,DC=hqdev,DC=com |
- |
- |
If there are no group mapped to the provided/associated GROUP BASE DN, then GigaVUE‑FM will reject the user and will not allow the user to log in as well.
|
LDAP |
ldapuser2 |
User Group |
CN=FMQA-SSO,DC=hqdev,DC=com |
User Group |
User Group |
If there are no group mapped to the provided/associated GROUP BASE DN, then GigaVUE‑FM will check whether Default User Group has been configured; If so, it will assign the same and allow the user to login to GigaVUE‑FM.
|
LDAP |
ldapuser3 |
- |
- |
- |
- |
If the LDAP user is not associated to any GROUP in LDAP and it does not return any group, then GigaVUE‑FM will reject the user and will not allow the user to login as well.
|
LDAP |
ldapuser3 |
User Group |
- |
User Group |
User Group |
If the LDAP user is not associated to any GROUP in LDAP and it does not return any group, then GigaVUE‑FM will check whether Default User Group has been configured; If so, it will assign the same and allow the user to log in to GigaVUE‑FM. |
Configure Authentication
Use the Authentication > Authentication Type to configure how user logins are authenticated in GigaVUE-FM.
To access the Authentication Type page:
- On the left navigation pane, click , select Authentication > Authentication Type. In the authentication type page that appears:
- Select the required Authentication Type. Refer to Configure Authentication Type section for more details.
- Set the Default User Group to one of the options: Refer to Configure Default User Group section for more details.
- Super Admin Group
- Admin Group
- User Group
- None
-
Click Save.