• Network Security Manager 2.4.0
• Network Security Manager Overview
  • About Network Security Manager
  • Related Documents
  • API Support
  • Legal Information
  • Conventions
    • Guide Conventions
    • UI Conventions
• Dashboard
  • Summary
  • Network
  • Threat
• Firewalls
  • Device Inventory
    • Device Status
      • Management Status
      • System Details
      • License Details
      • Zero Touch Status
      • Template and Firmware Versions
    • Managing Devices
      • Editing Device Settings
      • Multi-device Firmware Upgrade
      • Upgrading Firmware
      • Synchronizing Firewall Configuration with NSM
      • Creating Backup of Device Configuration
      • Manual Firewall Acquisition
    • Firewall View
  • Device Groups
    • Working with Device Groups
      • Creating Device Groups
      • Editing Device Groups
      • Creating Backup of Device-Group Configuration
      • Deleting Device Groups
  • Device Backups
    • Scheduling Backups
    • Archiving TSR
    • Archiving EXP
• Templates and Variables
  • Templates
    • Templates Inventory
    • Creating Templates
    • Editing Templates
    • Viewing Template Configuration
    • Creating Duplicate Template
    • Modifying Template Attributes
    • Applying Templates
    • View Template Status
    • Deleting Templates
  • Golden Template
  • Variable Data
    • Template Variables Overview
    • Add Variable
    • Edit Variable
    • Resolve Variable
    • Delete Variable
    • Using Template Variables
    • Creating Variables within Templates
• SonicWall Switch Configuration in Template
  • Add Switch
  • Edit Port
  • Switches
    • Network
    • Users
    • Static routes
    • 802.1x
    • Radius server
    • ARP
• Certificates
  • Navigating Certificates
  • New Signing Request
  • Commit and Deploy Certificate(s)
  • Configuring SCEP
  • Importing Certificates
  • Deleting Certificates
• Configuration Management
  • Approval Groups
    • Approval Workflow Settings
  • Approval Group Management
    • Searching the Approval Groups
    • Adding a New Approval Group
    • Editing an Approval Group
    • Deleting an Approval Group
    • Setting the Default Approval Group
  • Configuration Management Workflow
    • Committing and Deploying the Updates
      • Committing and Deploying Updates in the Firewall View
      • Committing and Deploying Updates to Device(s) in the Manager View
    • Viewing Pending Configuration Updates
    • Discarding Pending Configurations
    • Monitoring Commits
    • Managing Commits
      • Editing Commits
      • Redeploying Commits
      • Rescheduling Commits
      • Deleting Commits
    • Auditing Configuration Changes
• Tenants
• VPN Topology
  • IPsec VPN Topology
    • Topologies
      • Hub and Spoke Topology
      • Full Mesh Topology
      • Point to Point Topology
    • Security Associations
  • IPsec Monitor
  • Global Settings
• SD-WAN Topology
  • Configuring SD-WAN
  • Basic Information
  • Rules and Devices
    • Service Rule
    • Application Rule
    • Device Selection
• CSC Users
  • CSC User Status
  • Users
    • Sorting and Filtering
    • Editing CSC Users
  • Support Portal Users
  • Roles and Permissions
  • Authentication Servers
• Scheduled Reports
  • Managing the Schedules
    • Creating Scheduled Reports
    • Editing Schedule
    • Running Reports Manually
    • Setting the Report Date Range
  • Archived Reports
    • Downloading Archived Reports
• System Events
  • Configuring Log Settings
  • Alerts and Notifications
  • Configuring Twilio Setting for SMS
  • Viewing System Events
• SonicWall Support
  • About This Document

Authentication Servers

This feature is specific to On-premises solution where you can add the authentication types like Active Directory, LDAP, RADIUS and, Digital Certificate.

To add authentication servers

1. Click Add to add new authentication servers.

2. Authentication Type - There are four options to choose - Active Directory, LDAP, RADIUS and, Digital Certificate. This indicates the type of the Remote Authentication Server if it is an LDAP server, a Windows Active Directory, a RADIUS Server or a Digital Certificate. The configuration values for Active Directory and LDAP are same.

Add Authentication Server - Settings

• Name - Enter the name to identify the authentication server.

• IP/FQDN - The hostname or the IP address of the Remote authentication server. Example: [mydc.example.com], [X.X.X.X] (ip address), [company.com].

• Port - The default LDAP over TLS port number is TCP 636. The default LDAP(unencrypted) port number is TCP 389, but you can select from the Standard port choices drop-down menu for more options. If you are using a custom listening port on your LDAP server, specify it here.
• Protocol Version - Choose a protocol version from the list. This is the LDAP protocol version on which the remote LDAP/AD server is running on
• Base Distinguished Name - A distinguished name, that is, a globally unique name for a user. The base DN for a directory (say example.com) should be written in the form: [dc=example,dc=com].
• Use SSL - Toggle this option to specify whether to use SSL for binding to the remote server. This is strongly recommended. For this, the remote server's CA certificate or the root certificate of the CA that signed the server's certificate should be present in KeyStore of SGMS as trusted CAs.
• SSL Port - The default value is 636 in case of LDAP/AD servers.
• Anonymous Login - Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (MS AD generally does not), then you could select this option.
• Login User Distinguished Name - Distinguished name is used to authenticate to Directory Server when performing a bind. The value for this field should be specified as a DN (Distinguished Name). Example: [uid=xyz, ou=People, dc=example, dc=com] , [cn=jdoe, cn=users, dc=sv, dc=company, dc=com]
• Login Password - Enter the password for the login user DN.
• Connection Timeout (msecs) - Timeout period(in milliseconds). After this period of time, the connection attempt with the remote server will be given up if it is not successful.

Authentication Type - RADIUS

PRIMARY RADIUS SERVER

• IP/FQDN - The hostname or the IP address of the Remote authentication server. Example: [mydc.example.com], [X.X.X.X] (ip address), [company.com].
• Port - The default LDAP over TLS port number is TCP 636. The default LDAP(unencrypted) port number is TCP 389, but you can select from the Standard port choices drop-down menu for more options. If you are using a custom listening port on your LDAP server, specify it here.
• Shared Secret - The alphanumeric Shared Secret can range from 1 to 31 characters in length. The shared secret is case sensitive.
• Authentication Protocol - From the drop down list, choose the RADIUS Authentication Protocol to be used for authentication.
• Radius Timeout (seconds) - The allowed range is 1-60 seconds with a default value of 5.
• Max Retries - Enter the number of times SonicOS will attempt to contact the RADIUS server. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range between 0 and 10, with a recommended setting of 3 RADIUS server retries.

BACKUP RADIUS SERVER

• IP/FQDN

• Port - The default LDAP over TLS port number is TCP 636. The default LDAP(unencrypted) port number is TCP 389, but you can select from the Standard port choices drop-down menu for more options. If you are using a custom listening port on your LDAP server, specify it here.

• Shared Secret - The alphanumeric Shared Secret can range from 1 to 31 characters in length. The shared secret is case sensitive.

Authentication Type - Digital Certificate

• Name - Enter the name to identify the authentication server.

• CA Certificate - From the drop down list, choose any existing certificates. To add a new certificate, click Edit icon and select Add CA Certificate.

  

• Select Import a local end-user certificate with private key from a PKCS#12 (.p12 or .pfx) encoded file.

• Next, enter the Certificate Name and the Certificate Management Password (the password you defined when creating the .pfx file). Click Import.

• Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file

• Click Add File and browse to locate and open your Certificate .pfx file. Click Import to import the selected certificate.

Add Authentication Server - Schema

User Directory LDAP Schema

• LDAP Schema - From the list choose the desired option. Selecting any of the predefined schemas will automatically populate the fields used by that schema with their correct values. Selecting User defined will allow you to specify your own values – use this only if you have a specific or proprietary LDAP schema configuration.

USER OBJECTS

• Object Class - Select the attribute that represents the individual user account. The name of one of the standard object classes that the users belong to.
• Login Name Attribute - The attribute name on the LDAP/AD server which represents the user id. This is the attribute on the LDAP server whose value would be used as the user id on the SGMS Login Page. Example: uid, sAMAccountName etc.
• First Name Attribute - The attribute name on the LDAP server which represents First Name. Example: givenName.
• Last Name Attribute - The attribute name on the LDAP server which represents Last name. Example: sn.
• Email Attribute - The attribute name on the LDAP server which represents email id. Example: mail.
• Telephone Attribute - The attribute name on the LDAP server which represents Telephone number. Example: telephoneNumber.

USER DIRECTORY LDAP SCHEMA

• Allow Only AD Group Members - Toggle the button to allow or deny AD Group Members. When enabled, it allows only those users that are members of the specified Active Directory Groups to login into NSM. With this option, it is also necessary to select the Host Type as [Active Directory] on the Settings Panel.

• Active Directory Group(s) - Specify the AD Group names, members of which should be allowed to login into NSM. Multiple AD Groups can be specified as semicolon delimited. Example: [NSMUsers], [ADGroup1;AD group2;NSM Users;Group4]