External Authentication
IACBOX External Authentication configuration provides various backends for guest and WebAdmin User authentication.
General
The login method External Authentication allows Surf-LAN users to use the default Ticket Login box on the Login Page to authenticate with credentials, which are available on external sources. The supported authentication methods are:
- Active Directory
- LDAP
- MS SQL
- MySQL
- PostgreSQL
- Radius
- iPass
- Local Database
For Microsoft Azure AD, please checkout the Business Accounts manual.
The Local Database is always available, even if the login method External Authentication is not licensed. The usage of the Local Database relates to the Local Users which can be created in the WebAdmin menu Users/Tickets/Users.
Define a Ticket Template
If the External Authentication is used for the Login Page, a Ticket Template must be configured for this login method. After activating the External Authentication in the WebAdmin menu Login methods/External authentication, navigate to Users/Tickets/Templates. Select a desired template to edit or create a new one and configure the restrictions according to requirements. Before saving the Ticket Template, activate the checkbox for Authentication, which can be found in the section Login methods.
Activate User Template
If the External Authentication is being used to authenticate WebAdmin users, a User Template must be activated for this login method. Therefore switch to the WebAdmin menu System/WebAdminuser and create a new User Group which can be used for WebAdmin users to authenticate via the External Authentication.
Configure any External Authentication as Use for WebAdmin and assign the User Group called ExtAuth to it.
Active Directory / LDAP
As explained further up, a ticket template must be configured.
MySQL / MSSQL / PostgreSQL
The SQL backends of the External Authentication can use custom SQL statements to authenticate users on either the Login Page or the WebAdmin of the IACBOX.
In this screenshot the SQL query is not only interpreting user_id
as
username and passwd_md5
as password, but also checking the
table columns for the boolean return value of enabled=1
and valid_to >= CURRENT_DATE
.
Note that the external SQL server must be able to understand variables like CURRENT_DATE
.
If in doubt, check the according SQL documentation of the server or provider.
Radius
The External Authentication with Radius can be used for authentication on the Login Page and on the WebAdmin login page. Depending if used for Login Page or for WebAdmin login page, the configuration may be slightly different.
- Force Message Authentication: If checked Radius responses need to have the Message-Authenticator attribute set, otherwise they will be rejected. This helps to mitigate the Blast-Radius attack.
iPass
The External Authentication with iPass can be used for authentication on the Login Page and on the WebAdmin login page. Depending if used for Login Page or for the WebAdmin login page, the configuration may be slightly different.