Configure External User Authentication

Users who belong to the external domain user group are authenticated outside of OCSDM by an external domain server. You can select either a RADIUS domain server or Active Directory (AD) domain controller:

• A RADIUS server provides centralized Authentication, Authorization, and Auditing/Accounting (AAA) security protocol management for users who connect and use a network service.
• An AD domain controller provides a directory service in a Windows domain type network using Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

An external domain user group must be mapped to an internal (local) user group in OCSDM so that this external domain user group and its users inherit the authorization privileges that are specific to the local user group.

Note:

Internal and external users are both supported simultaneously. However, external users do not have corresponding stored user records or username and password information.

Determine the RADIUS Group that Your Devices are Using

If you are using a RADIUS server for external authentication and authorization, there is an additional step that you may not have completed. The RADIUS server must be configured to send a user group attribute along with its accept message. This user group attribute contains a configured group policy. The default user group attribute name is Filter-Id, however the RADIUS server administrator may have used a different name for the user group attribute. If the user group attribute name used on your RADIUS server is different than the commonly used default (Filter-Id) user group attribute, you can change the default user group attribute name in SDM in the following Configure a RADIUS Server section.

To determine the name of the user group policy that was configured on your RADIUS server that you will use later to add and map a local SDM user group to the external domain user group, use the Test group membership tool in OCSDM. See the Find an External Domain User Group section for more information.

Configure a RADIUS Server

This task is used to configure a RADIUS server domain for external user authentication.

• The RADIUS server must be configured to use the same shared secret string for all cluster nodes.
• The RADIUS server must be configured to return one or more attribute values in the authentication response message to represent the groups to which a user belongs.

1. Expand the Security Manager slider and select User Management, Authentication.
2. In the External authentication pane, select the RADIUS radio button and click Add.
   The RADIUS servers table becomes available for use.
3. In the Add a radius server pane, complete the following fields:

   Address field	The IP address or DNS name of the RADIUS server.
   Port field	This field is pre-populated with the default RADIUS server listening port 1812. If you are using a different listening port on your RADIUS server, enter a new value.
   Shared secret field	Click Edit next to the field. In the Encrypted shared secret dialog box, enter the following parameters: Shared secret—The string assigned within the RADIUS server configuration to a given RADIUS client. Confirmed shared secret—The same shared secret string again to confirm your input.
   Password authentication mechanism drop-down list	PAP is chosen by default. The password authentication protocol (PAP) is an authentication protocol that uses a password in a point-to-point (PPP) session to validate users before allowing them to access server resources. Choose from the following options if you want to authenticate the user with another protocol: CHAP—The challenge-handshake authentication protocol (CHAP) authenticates a user or network host to an authentication entity to protect against replay attacks by the peer through the use of an incrementally changing identifier and a variable challenge value. MSCHAPV1—The Microsoft CHAP Version 1 (MS-CHAP v1) version of CHAP is used with RADIUS servers to authenticate wireless networks. In comparison with CHAP, MS-CHAPv1 is enabled by negotiating CHAP Algorithm 0x80 in the link control (authentication) protocol (LCP) option 3. LCP option 3 sends the Configure-Nack LCP packet type when all the LCP options are recognized, but the values of some options are not acceptable. Configure-Nack includes the offending options and their acceptable values). MS-CHAPv1 also provides an authenticator-controlled password change and authentication retry mechanisms, and defines failure codes, which are returned in the Failure packet message field. MSCHAPV2—The Microsoft CHAP Version 2 (MS-CHAPv2) uses the same authentication as MS-CHAPv1, except that CHAP Algorithm 0x81 is used instead of the CHAP Algorithm 0x80. EAPMD5—The extensible authentication protocol (EAP-MD5) offers minimal security and is used in wireless networks and point-to-point networks. EAP-MD5 enables a RADIUS server to authenticate a connection request by verifying an MD5 hash of a user password. The server sends the client a random challenge value, and the client proves its identity by hashing the challenge and its password with the MD5 hash. EAPMSCHAPV2—The protected extensible authentication protocol challenge-handshake authentication protocol (EAP-MSCHAPv2) allows authentication to databases that support the MS-CHAPv2 format, including Microsoft NT and Microsoft Active Directory.
   Group attribute name field	This field is pre-populated with the attribute Filter-Id by default. Note: Change the default value if the RADIUS server's group attribute does not match. An attribute is necessary for the device to assign a user to a RADIUS group. This RADIUS attribute connects the user name with the attribute in order to place this user in a RADIUS group. The group attribute name is configured to be included in Access-Accept message that the RADIUS server returns to this device.

4. Click Apply.
   External users can now be authenticated by the RADIUS server. See the Add and Map a Local User Group to an External Domain User Group section of this chapter for more information.

Configure an Active Directory Domain Controller

This task is used to configure an active directory (AD) domain controller (domain server) for external user authentication.

• The Active Directory must be configured for LDAP over SSL if the Active Directory is enabled in Oracle Communications Session Delivery Manager.
• Active Directory must support version 5, if the Kerberos protocol is used.
• Each user object in your Active Directory must store the groups of each member using the memberOf attribute.
• Only child groups may be mapped to local groups when group nesting is in use. This limitation is due to the memberOf attribute not containing a recursive list of predecessors when nesting.

1. Expand the Security Manager slider and select User Management, Authentication.
2. In the External authentication pane, select the Active directory radio button and click Add.
   The Active Directory servers table becomes available for use.
3. In the Add a Domain Controller pane, complete the following fields:

   Address field	The IP address or DNS name of the domain controller.
   Domain field	The domain name for the domain controller.
   LDAP Port field	The listening port number of the LDAP service. The default is 389. Use port 636 if using SSL.
   Password security drop-down list	Select from the following protocols used to authenticate the user: Digest-MD5—The password cipher based on RFC 2831. LDAP over SSL—The SSL to encrypt all LDAP traffic. Kerberos—The Kerberos protocol to authenticate the user by specifying an existing krb5.conf file containing the information needed by the Kerberos V5 library. This includes information describing the default Kerberos realm, and the location of the Kerberos key distribution centers for known realms.
   LDAP Server field	Select the type of LDAP server. The following are supported LDAP server types: Oracle Unified Directory (OUD) Active Directory
   Bind-dn field	Enter the bind-dn values on which to apply validations, using the comma-separatedkey=value pairs format. The following are supported bind-dn types: CN - Common name (zero or more) DC - Domain component (one or more) If a value does not match an expected bind-dn pattern, the OCSDM displays an error.
   Bind-dn Password field	Enter and confirm a bind-dn password. Note: When there is a valid bind-dn, you must have a password configured. If bind-dn is empty, this value must also be empty.
   Base-dn field	Enter the base-dn values, using the comma-separatedkey=value pairs format. The following are supported base-dn types: CN - Common name (zero or more) OU - Organizational unit (zero or more) DC - Domain component (one or more) If a value does not match an expected base-dn pattern, the OCSDM displays an error.
   UserAccountNameStyle field	Specify the user account name style. The following are supported user style logins: sAMAccountName userPrincipalName Either (default)
   OrganizationalUnit field	Enter the organizational unit. You can add up to 5 unique values.
   MemberOf field	Enter a MemberOf value, using the comma-separatedkey=value pairs format. If a values does not match an expected MemberOf value, the OCSDM displays an error.

4. Click Apply.
   External users can now be authenticated by the AD domain controller. See the Map a Local User Group to an External Domain User Group section of this chapter for more information.

Find an External Domain User Group

Use the external membership tool to find the name of an external domain user group so that it can be later mapped to a local (internal) user group.

If you are using RADIUS for external authentication, you can use this tool to test external users once an external domain server is configured and returns a list of external domain user groups to which the external domain user was assigned. This makes finding the proper external domain user group names that you need to map to the local user group easier so that the external domain user group can inherit its authorization privileges. Once you find the external domain user group you want, see the Add and Map a Local User Group to an External Domain User Group section of this chapter to continue.

1. Expand the Security Manager slider and select User Management, Groups.
2. In the User Groups pane, select the local group name that you are using for the external RADIUS user group (for example, MyExternalRADIUSUserGroup) and click Edit.
3. In the Configuration tab, enter the external group name (for example, Domain Users) and click Apply and Test.
   The Test group membership dialog box displays with results for the external group with a list of domain controller group names.

   Figure 4-2 Example of Test Group membership results for an external group:

   

Add and Map a Local User Group to an External Domain User Group

Use this task to allow the external domain user belonging to the external domain user group to inherit the group-based authorization privileges of the local user group.

The external domain user is authenticated by a domain server, such as a RADIUS server or Active Directory domain controller. You must map the external domain user group to the local (internal) user group that was created for this purpose.

See the Find an External Domain User Group section for more information about finding the external domain user group name that you need for this task.

1. Under the User Management folder, select the Groups leaf node.
2. In the User Groups pane, click Add.
3. In the Add Group dialog box, complete the following fields:

   Group name field	The local user group name that you want to use for authorization privileges. For example, LocalUGforDomainUG. Use the following guidelines for naming this group: Use a minimum of three characters and maximum of 50. The name must start with an alphabetical character. You are allowed to use alphanumeric characters, hyphens, and underscores. The user group name is case insensitive. The user group must be unique.
   External group name field	For Active Directory (LDAP), the external domain user group name. For example, Domain UG. For RADIUS, the external group name should map to attribute 11 (Filter-ID), which is in the RADIUS reply. Note: You must have at least one external domain user group entry configured on the domain server in order for this field to be displayed in the dialog box.
   Group permissions copy from drop-down list	Choose from the following default user groups to copy their privileges: None—Manually configure privileges for this user group. administrators—This super user group is privileged to perform all operations. LIAdministrators—This user group is privileged to perform most operations including Lawful Intercept (LI) configuration changes. These privileges do not include changing the default administrator user credentials. For example, users assigned to the default LI administration group cannot enable or disable accounts, change passwords, or expiration dates for other users in the default LI administration and administration groups. provisioners—This group is privileged to configure Oracle Communications Session Delivery Manager and save and apply the configuration with the exception of a LI configuration. monitors—This group is privileged to view configuration data and other types of data only. This group cannot configure Oracle Communications Session Delivery Manager, and has the fewest privileges. Note: Upon installation of OCSDM, if R226 compliance is enabled, the Lawful Intercept and SIPREC features and their attributes are hidden from view and are not configurable.

4. Click OK.
5. In the success dialog box, click OK.
6. Log out and log back into the system with the external RADIUS user to test your external connection to Oracle Communications Session Delivery Manager.