External Authentication

The IACBOX External Authentication module provides various backends for guest and WebAdmin user authentication.

General

The External Authentication module allows Surf-LAN users to authenticate through the default Ticket Login box on the Login Page with credentials that are held on external sources. The supported authentication methods are:

  • Active Directory
  • LDAP
  • MS SQL
  • MySQL
  • PostgreSQL
  • Radius
  • iPass
  • Local Database

For Microsoft Azure AD, please check out the Business Accounts manual.

The Local Database is always available, even if the External Authentication module is not licensed. The Local Database backend authenticates against the Local Users that can be created in the WebAdmin menu Users/Tickets/Users.

Define a Ticket Template

If the External Authentication is used for the Login Page, a Ticket Template must be configured for this module. After activating the External Authentication in the WebAdmin menu Login methods/External authentication, navigate to Users/Tickets/Templates. Select a desired template to edit or create a new one and configure the restrictions according to requirements. Before saving the Ticket Template, activate the checkbox for Authentication, which can be found in the section Modules.

image

Activate User Template

If the External Authentication is being used to authenticate WebAdmin users, a User Template must be activated for this module. To do so, switch to the WebAdmin menu System/WebAdmin user and create a new User Group that WebAdmin users authenticating via the External Authentication will be assigned to.

image

Then, in the configuration of any External Authentication backend, enable Use for WebAdmin and assign the User Group (called ExtAuth in the screenshot) to it. WebAdmin users authenticated by that backend receive the permissions of this group, so give it only the rights those users actually need.

Active Directory / LDAP

As explained above, a ticket template must be configured.

image

MySQL / MSSQL / PostgreSQL

The SQL backends of the External Authentication can use custom SQL statements to authenticate users on either the Login Page or the WebAdmin of the IACBOX.

image

In this screenshot the SQL query not only maps the user_id column to the username and passwd_md5 to the (MD5-hashed) password, but also requires enabled = 1 and valid_to >= CURRENT_DATE, so disabled or expired accounts are rejected even when the password is correct.

Note that the external SQL server must be able to understand expressions like CURRENT_DATE. MySQL and PostgreSQL support it; Microsoft SQL Server does not, so on MSSQL the current date has to be derived from GETDATE(), for example CAST(GETDATE() AS date). If in doubt, check the SQL documentation of the server or provider, and test the query with a disabled and an expired account as well as a valid one.
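The following is an added example, not IACBOX code, that reproduces the check from the screenshot in Python against an in-memory SQLite table with constructed rows. It assumes that passwd_md5 holds the hex MD5 of the password and that the submitted password is hashed the same way before comparison; the ? markers are sqlite3 parameter placeholders, not the IACBOX placeholder syntax shown in the screenshot. It also generalises the date expression per backend so the CURRENT_DATE caveat above is handled.

```python
import hashlib
import sqlite3

# Date expression per backend: CURRENT_DATE exists in MySQL, PostgreSQL and SQLite,
# but not in T-SQL, where the current date has to be derived from GETDATE().
DATE_EXPR = {
    "mysql": "CURRENT_DATE",
    "postgresql": "CURRENT_DATE",
    "sqlite": "CURRENT_DATE",
    "mssql": "CAST(GETDATE() AS date)",
}


def auth_query(backend):
    """Authentication query for the given backend.

    The date expression is a fixed constant from DATE_EXPR, never user input, so
    formatting it in is safe; username and password hash stay bound parameters.
    """
    return (
        "SELECT 1 FROM guests "
        "WHERE user_id = ? AND passwd_md5 = ? "
        "AND enabled = 1 "
        f"AND valid_to >= {DATE_EXPR[backend]}"
    )


def make_demo_db():
    """Constructed demo table mirroring the column names from the screenshot."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE guests ("
        " user_id TEXT PRIMARY KEY,"
        " passwd_md5 TEXT NOT NULL,"   # hex MD5 of the password (assumption)
        " enabled INTEGER NOT NULL,"   # 1 = account active
        " valid_to TEXT NOT NULL)"     # ISO date, compares correctly as text
    )
    rows = [
        ("alice", hashlib.md5(b"correct-horse").hexdigest(), 1, "2999-12-31"),  # valid
        ("bob",   hashlib.md5(b"battery").hexdigest(),       1, "2000-01-01"),  # expired
        ("carol", hashlib.md5(b"staple").hexdigest(),        0, "2999-12-31"),  # disabled
    ]
    conn.executemany("INSERT INTO guests VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def authenticate(conn, username, password):
    """True only if the user exists, the MD5 matches, the account is enabled and
    valid_to is today or later. An empty result means reject, whatever the reason."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    row = conn.execute(auth_query("sqlite"), (username, digest)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_demo_db()
    for user, pw in [("alice", "correct-horse"), ("bob", "battery"), ("carol", "staple")]:
        print(user, "->", "accept" if authenticate(db, user, pw) else "reject")
```

Because every reason for rejection collapses into an empty result set, the Login Page cannot tell a wrong password from an expired account, which is the desirable behaviour for a guest login. Keep in mind that an unsalted MD5 column is reversible with precomputed tables for any realistic guest password, so the table should be treated as sensitive and the database account used by the IACBOX should have read access to it only.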

Radius

The External Authentication with Radius can be used for authentication on the Login Page and on the WebAdmin login page. Depending on whether it is used for the Login Page or for the WebAdmin login page, the configuration differs slightly.

  • Force Message Authentication: If checked, Radius responses must carry a valid Message-Authenticator attribute; responses without it are rejected. This mitigates the Blast-RADIUS attack (CVE-2024-3596), in which an attacker on the path between the IACBOX and the Radius server turns an Access-Reject into an Access-Accept by colliding the MD5-based Response Authenticator. The Message-Authenticator is an HMAC-MD5 keyed with the shared secret and cannot be forged that way. Enable the option only once the Radius server is confirmed to send Message-Authenticator in all responses, otherwise every login will be rejected.

image
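The following is an added example, not IACBOX code, showing why the option matters. It builds Radius responses the way a server does, verifies them the way a client with and without Force Message Authentication does, and simulates the Blast-RADIUS forgery. The shared secret and Request Authenticator are constructed demo values, and simulate_blast_radius is a stand-in: the real attack produces a colliding Response Authenticator without knowing the secret, whereas this function uses the secret to obtain the same forged value, so the effect on the client-side checks is the same.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80

SECRET = b"demo-shared-secret"          # constructed demo value
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed stand-in for the random Request Authenticator


def encode_attrs(attrs):
    """Serialise [(type, value)] as RADIUS TLVs: type, length incl. 2-byte header, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, ident, attrs, secret, request_auth, with_message_authenticator):
    """Build an Access-Accept/Reject as a server would (RFC 2865 sec. 3, RFC 2869 sec. 5.14)."""
    attrs = list(attrs)
    if with_message_authenticator:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_message_authenticator:
        # HMAC-MD5 keyed with the secret over the packet, with the Request Authenticator
        # in the authenticator field and the Message-Authenticator value zeroed.
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
        body = encode_attrs(attrs)
    # Response Authenticator: unkeyed MD5 with the secret appended; this is what Blast-RADIUS collides.
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, secret, request_auth, force_message_authenticator):
    """Client-side check. Returns (authentic, reason); the caller still inspects the code."""
    if len(packet) < 20:
        return False, "short packet"
    length = struct.unpack("!BBH", packet[:4])[2]
    if length != len(packet):
        return False, "length mismatch"
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False, "bad Response Authenticator"
    try:
        attrs = decode_attrs(body)
    except ValueError as exc:
        return False, str(exc)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        if force_message_authenticator:
            return False, "Message-Authenticator missing"
        return True, "no Message-Authenticator (legacy)"
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, macs[0]):
        return False, "bad Message-Authenticator"
    return True, "Message-Authenticator verified"


def is_access_granted(packet, secret, request_auth, force_message_authenticator):
    authentic, _ = verify_response(packet, secret, request_auth, force_message_authenticator)
    return authentic and packet[0] == ACCESS_ACCEPT


def simulate_blast_radius(reject_packet, secret, request_auth):
    """Stand-in for the MD5 collision: flip Reject to Accept, keep the attributes, and
    produce a Response Authenticator that checks out. The real attack appends a
    Proxy-State attribute carrying collision blocks and needs no secret; here the
    secret is used only to obtain the same forged value."""
    body = reject_packet[20:]
    header = struct.pack("!BBH", ACCESS_ACCEPT, reject_packet[1], len(reject_packet))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


if __name__ == "__main__":
    attrs = [(ATTR_USER_NAME, b"guest")]
    reject = build_response(ACCESS_REJECT, 7, attrs, SECRET, REQUEST_AUTHENTICATOR, False)
    forged = simulate_blast_radius(reject, SECRET, REQUEST_AUTHENTICATOR)
    for force in (False, True):
        print("force =", force, "->", verify_response(forged, SECRET, REQUEST_AUTHENTICATOR, force))
```

With the option off, the forged packet passes the Response Authenticator check and is treated as an Access-Accept; with it on, the missing Message-Authenticator is enough to reject it. When the server does include a Message-Authenticator, flipping the code breaks the HMAC regardless of the option, which is why the fix on the server side is to always send it and the fix on the client side is to require it.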

iPass

The External Authentication with iPass can be used for authentication on the Login Page and on the WebAdmin login page. Depending on whether it is used for the Login Page or for the WebAdmin login page, the configuration differs slightly.

image