You can use an LDAP (Lightweight Directory Access Protocol) authentication server to authenticate your users with the XTM device. LDAP is an open-standard protocol for using online directory services, and it operates with Internet transport protocols, such as TCP. Before you configure your XTM device for LDAP authentication, make sure you check the documentation from your LDAP vendor to see if your installation supports the memberOf (or equivalent) attribute. When you configure your primary and backup LDAP server settings, you can select whether to specify the IP address or the DNS name of your LDAP server.
If your users authenticate with the LDAP authentication method, their distinguished names (DN) and passwords are not encrypted. To use LDAP authentication and encrypt user credentials, you can select the LDAPS (LDAP over SSL) option. When you use LDAPS, the traffic between the LDAP client on your XTM device and your LDAP server is secured by an SSL tunnel. When you enable this option, you can also choose whether to enable the LDAPS client to validate the LDAP server certificate, which prevents man-in-the-middle attacks. If you choose to use LDAPS and you specify the DNS name of your server, make sure the search base you specify includes the DNS name of your server. The standard LDAPS port is 636. For Active Directory Global Catalog queries, the SSL port is 3269.
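The following added example (not code from the original page or from WatchGuard) makes the point above concrete. It encodes an LDAP simple BindRequest exactly as it goes on the wire (BER, per RFC 4511) so you can see that the bind DN and password appear as plain bytes in the frame, and it builds the TLS client context that an LDAPS client would wrap that frame in, with and without server certificate validation. The DN, password and port values are constructed or taken from this page; the helper names are assumptions.

```python
import ssl
from typing import Optional

LDAPS_PORT = 636                # standard LDAPS port (from the page)
LDAPS_GLOBAL_CATALOG_PORT = 3269  # Active Directory Global Catalog over SSL (from the page)


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value encoding of one BER element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """BER INTEGER (tag 0x02), minimal two's-complement body; fine for small message IDs."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return _tlv(0x02, body)


def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }."""
    bind_request = (
        _ber_int(3)                               # LDAP protocol version 3
        + _tlv(0x04, bind_dn.encode("utf-8"))     # name: LDAPDN as OCTET STRING
        + _tlv(0x80, password.encode("utf-8"))    # authentication: simple, context tag [0]
    )
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind_request))  # SEQUENCE, APPLICATION 0


def find_cleartext(frame: bytes, secret: str) -> Optional[int]:
    """Offset of the password inside a plain-LDAP frame, or None. With plain LDAP this is never None."""
    pos = frame.find(secret.encode("utf-8"))
    return None if pos < 0 else pos


def make_ldaps_context(validate_server_cert: bool, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS client context for LDAPS. ca_file is the imported root CA that signed the server certificate
    (assumed path supplied by the caller); without it the platform trust store is used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if validate_server_cert:
        ctx.check_hostname = True                 # the name you connect with must match the certificate
        ctx.verify_mode = ssl.CERT_REQUIRED       # reject servers whose chain does not end at a trusted CA
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)
        else:
            ctx.load_default_certs()
    else:
        ctx.check_hostname = False                # order matters: hostname check off before verify_mode
        ctx.verify_mode = ssl.CERT_NONE           # encrypted, but any server certificate is accepted (MITM-able)
    return ctx


def validates_server_certificate(ctx: ssl.SSLContext) -> bool:
    """True when the context both checks the chain and matches the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    # Constructed sample credentials; the DN is the page's own example searching user.
    frame = encode_simple_bind(1, "cn=Administrator,cn=Users,dc=example,dc=com", "secret")
    print(frame.hex())
    print("password visible at byte offset", find_cleartext(frame, "secret"))
    print("LDAPS validates certificate:", validates_server_certificate(make_ldaps_context(True)))
```

Run it and the hex dump shows the DN and password in clear; that is the frame an LDAP server sees on port 389, and with LDAPS the identical frame is carried inside the TLS session instead. The context built with validate_server_cert=False still encrypts, but it accepts any certificate, which is why the validation option is what defeats a man-in-the-middle. When validation is on, connect with the same DNS name that appears in the server certificate.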
When you configure the LDAP authentication method, you set a search base to specify where in the authentication server directories the XTM device can search for an authentication match. For example, if your user accounts are in an OU (organizational unit) you refer to as accounts and your domain name is example.com, your search base is ou=accounts,dc=example,dc=com.
If your user group objects are in another OU you refer to as groups, your user accounts are in an OU (organizational unit) you refer to as accounts, and your domain name is example.com, your search base is dc=example,dc=com, so that the search covers both OUs.
If you use an OpenLDAP server without the memberOf attribute overlay support, add users to more than one OU, and find that the default Group String setting of memberOf does not return correct group information for your users, you can instead configure the XTM device to use another group attribute. To manage user groups, you can add the object classes member, memberUID, or gidNumber. For more information about these object classes, see RFC 2256 and RFC 2307.
If you enable LDAPS, you can choose to validate the LDAP server certificate with an imported Certificate Authority (CA) certificate. If you select to validate the LDAP server certificate, you must import the root CA certificate from the CA that signed the LDAP server certificate, so your XTM device can use the CA certificate to validate the LDAP server certificate. When you import the CA certificate, make sure to select the IPSec, Web Server, Other option. For more information about how to import certificates, see Manage XTM Device Certificates.
PhoneFactor authentication is a multiple-factor authentication system that uses phone calls to determine the identity of users. Because it uses more than one out-of-band method (phone calls, text messages, and push notifications) and an OATH passcode, PhoneFactor provides flexible options for users and a single multiple-factor platform to manage.
If you use PhoneFactor authentication with your LDAP server, you can configure the timeout value in the LDAP authentication server settings to specify when out-of-band PhoneFactor authentication occurs. For PhoneFactor authentication, you must set the timeout value to more than 10 seconds.
From Fireware XTM Web UI:
This attribute string holds user group information on the LDAP server. On many LDAP servers, the default group string is uniqueMember; on other servers, it is member. For user groups on an OpenLDAP server without memberOf overlay support, you can also specify the attributes member, memberUID, or gidNumber.
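The added example below (not code from the original page or from WatchGuard) ties together the search base discussion above and the Group String setting. It holds a small constructed directory in memory with users under ou=accounts and groups under ou=groups, then resolves a user's groups the way each supported group attribute requires: memberOf read from the user object, member and uniqueMember matched by DN on group objects, memberUid matched by uid, and gidNumber matched on posixGroup objects. It also shows why a search base of ou=accounts finds the user but misses group objects stored in ou=groups. The directory contents and helper names are assumptions; attribute names are compared case-insensitively, so the page's spelling memberUID works as well as RFC 2307's memberUid.

```python
from typing import Callable, Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample directory (not from the page): DN -> attributes, each attribute multi-valued.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=accounts,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"], "gidNumber": ["5000"],
        "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com"],   # memberOf overlay present
    },
    "uid=bob,ou=accounts,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["bob"], "gidNumber": ["5001"],
    },
    "cn=vpn-users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=accounts,dc=example,dc=com"],       # RFC 2256 member
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=bob,ou=accounts,dc=example,dc=com"],   # RFC 2256 uniqueMember
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "gidNumber": ["5000"],
        "memberUid": ["alice", "bob"],                                # RFC 2307 memberUid / gidNumber
    },
}


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into lower-cased RDNs for comparison. Assumes no escaped commas in values."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_search_base(dn: str, search_base: str) -> bool:
    """True if dn is at or below search_base in the tree (the scope of a subtree search)."""
    parts, base = normalize_dn(dn), normalize_dn(search_base)
    return len(parts) >= len(base) and parts[-len(base):] == base


def attr(entry: Entry, name: str) -> List[str]:
    """Case-insensitive attribute lookup; LDAP attribute names are not case-sensitive."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def search(search_base: str, match: Callable[[str, Entry], bool]) -> List[str]:
    """DNs under search_base whose entry satisfies match, sorted for stable output."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if in_search_base(dn, search_base) and match(dn, e))


def find_user(login_attribute: str, login: str, search_base: str) -> Optional[str]:
    """Locate the user DN for a login name, e.g. login_attribute 'uid' (the page's default)."""
    hits = search(search_base, lambda dn, e: login in attr(e, login_attribute))
    return hits[0] if hits else None


def groups_for_user(user_dn: str, group_string: str, search_base: str) -> List[str]:
    """Resolve group DNs for user_dn using the configured Group String attribute."""
    user = DIRECTORY[user_dn]
    gs = group_string.lower()
    if gs == "memberof":
        # Stored on the user object itself, so it works regardless of where groups live.
        return sorted(attr(user, "memberOf"))
    if gs in ("member", "uniquemember"):
        # Stored on the group object as the member's full DN; groups must be inside the search base.
        want = normalize_dn(user_dn)
        return search(search_base, lambda dn, e: any(normalize_dn(v) == want for v in attr(e, gs)))
    if gs == "memberuid":
        # Stored on the posixGroup as the bare uid value.
        uids = attr(user, "uid")
        return search(search_base, lambda dn, e: any(u in attr(e, gs) for u in uids))
    if gs == "gidnumber":
        # Primary group: match the user's gidNumber against posixGroup objects only.
        gids = attr(user, "gidNumber")
        return search(search_base, lambda dn, e:
                      "posixgroup" in [c.lower() for c in attr(e, "objectClass")]
                      and any(g in attr(e, gs) for g in gids))
    raise ValueError(f"unsupported group string: {group_string}")


if __name__ == "__main__":
    alice = find_user("uid", "alice", "ou=accounts,dc=example,dc=com")
    for base in ("ou=accounts,dc=example,dc=com", "dc=example,dc=com"):
        print(base, "member ->", groups_for_user(alice, "member", base))
```

With the narrow base ou=accounts,dc=example,dc=com the user is found, but a Group String of member returns nothing because the group objects sit in ou=groups outside the base; widening the base to dc=example,dc=com fixes that, which is the situation the search base discussion above describes. memberOf is unaffected because it lives on the user entry.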
You can add any user DN with the privilege to search LDAP/Active Directory, such as an administrator. Some administrators create a new user that only has searching privileges.
For example, cn=Administrator,cn=Users,dc=example,dc=com.
The login attribute is the name used for the bind to the LDAP database. The default login attribute is uid. If you use uid, the DN of Searching User and the Password of Searching User text boxes can be empty.
After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts do not try this server until it is marked as active again.
Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when it reads the list of attributes in the server’s search response. This lets you use the directory server to assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with IPSec address assignments. Because the data comes from LDAP attributes associated with individual user objects, you are not limited to the global settings in
For more information, see Use Active Directory or LDAP Optional Settings.
To make sure that your XTM device can connect to your LDAP server and successfully authenticate your users, you can test the connection to your authentication server. You can also use this feature to determine if a specific user is authenticated and to get authentication group information for that user.
You can test the connection to your authentication server from the Authentication Servers page for your server, or you can navigate directly to the Server Connection page in Fireware XTM Web UI.
To navigate to the Server Connection page from the Authentication Servers page:
For instructions to navigate directly to the Server Connection page in Fireware XTM Web UI, see Server Connection.
About Third-Party Authentication Servers