...
Info: Each of the authentication methods requires its own Perl modules. You can install them with the cpan command and the module name, e.g. "cpan Net::LDAP", and you can check whether a module is installed with e.g. "cpan -D Net::LDAP".
Method | Description |
---|---|
apache | Apache will perform authentication and provide an authenticated user to NMIS, which will have authorisation policies applied. |
htpasswd | NMIS will use the users defined in the NMIS Users file, by default /usr/local/nmis8/conf/users.dat |
ldap | NMIS will use the configured LDAP server to perform authentication. Requires optional Perl module: Net::LDAP. Config: |
ldaps (secure) | NMIS will use the configured LDAP server to perform authentication. Requires optional Perl modules: IO::Socket::SSL and Net::LDAPS. Config: auth_ldaps_server => 'host[:port]' |
ms-ldap | NMIS will use the configured Microsoft Active Directory (LDAP) server to perform authentication. Requires optional Perl module: Net::LDAP. Config: auth_ms_ldap_dn_acc => '' # the DomainName\account to bind with |
ms-ldaps (secure) | NMIS will use the configured Microsoft Active Directory (LDAP) server to perform authentication. Requires optional Perl modules: IO::Socket::SSL and Net::LDAPS. Config: the DomainName\account to bind with |
radius | NMIS will use the configured RADIUS server (Cisco ACS or Steel Belted Radius, for example). Requires optional Perl module: Authen::Simple::RADIUS. Config: auth_radius_server => 'host:port', auth_radius_secret => 'secret' |
tacacs | NMIS will use the configured TACACS+ server (Cisco ACS, for example). Requires optional Perl module: Authen::TacacsPlus. Config: auth_tacacs_server => 'host:port', auth_tacacs_secret => 'secret' # also known as the "Key" |
...
Method | Description |
---|---|
ms-ldaps (secure), continued | If an internal CA is used for the AD server's SSL, that CA's root certificate should be imported for SSL trust. |
pam | Available in NMIS versions 8.6.8G and newer. |
ConnectWise | |
Configuration of the External Authentications
In the NMIS configuration you can configure multiple methods that are tried in order on authentication failure; if ms-ldap fails, NMIS falls back to htpasswd, for example. This means that if you set auth_method_1 to ldap and auth_method_2 to htpasswd, and log in with the default NMIS credentials (and you have not changed the password), LDAP authentication will fail, authentication against users.dat will succeed, and the user will be logged in. The limit for different auth_method variables is 3.
It is important to change your default passwords if you expect any level of security.
Default Privilege Level for Authenticated Users
When accessing NMIS, you have a choice of how to handle authenticated users who do not have authorisations defined: you can reject them, or you can allow them default access.
This is so that you do not have to define every user in the system when the authentication system already provides a reduced list of users. To have such users become an operator or guest by default and be able to see all groups of devices, the following would apply:
'auth_default_privilege' => 'guest',
'auth_default_groups' => 'all',
To prevent default authorisation, simply define them as blank, which is the default in the NMIS8 install configuration.
Locking accounts after N failed login attempts
In NMIS versions 8.5.12G and newer you can configure optional account locking. This feature is not enabled by default as it could be abused for denial-of-service attacks.
If you set the configuration option auth_lockout_after to a positive number N, then the account in question will be locked after N consecutive failed login attempts. If the optional configuration item server_admin holds an email address, a notification email will be sent to the given administrator address.
Locked accounts can be re-enabled from the GUI: visit the System -> System Configuration -> Users page, and click on the option "reset login count" for the locked account.
From the command line re-enabling is also possible: simply remove the file /usr/local/nmis8/var/nmis_system/auth_failures/<accountname>.json.
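As an added example (not part of the NMIS documentation or code base), the following Python script checks a Config excerpt written in NMIS's 'key' => 'value' style against the points made in the sections above: a local htpasswd fallback behind an external method, non-blank default authorisation, and account locking that is disabled or has no notification address. The sample config text is constructed, and the parser is a simplified regex scanner rather than NMIS's own config loader.

```python
import re

# Constructed sample in the 'key' => 'value' style of the NMIS Config file.
# It is a made-up excerpt, not a real Config.nmis from any installation.
SAMPLE_CONFIG = """
'auth_method_1' => 'ms-ldap',
'auth_method_2' => 'htpasswd',
'auth_method_3' => '',
'auth_default_privilege' => 'guest',
'auth_default_groups' => 'all',
'auth_lockout_after' => '0',
'server_admin' => '',
"""

def parse_auth_settings(text):
    """Collect 'key' => 'value' pairs from Perl-hash style config text.
    A simplified regex scanner (hypothetical), not NMIS's own config loader."""
    return dict(re.findall(r"'([A-Za-z0-9_]+)'\s*=>\s*'([^']*)'", text))

def audit_auth(cfg):
    """Return findings about authentication settings that weaken security."""
    findings = []
    # NMIS tries auth_method_1..3 in order; an htpasswd fallback behind an
    # external method keeps local users.dat accounts valid when LDAP says no.
    methods = [cfg.get(f"auth_method_{i}", "") for i in (1, 2, 3)]
    methods = [m for m in methods if m]
    if "htpasswd" in methods[1:]:
        findings.append(f"htpasswd is a fallback behind {methods[0]}: "
                        "default passwords in users.dat must be changed")
    # Non-blank defaults grant access to every authenticated but unlisted user.
    priv, groups = cfg.get("auth_default_privilege", ""), cfg.get("auth_default_groups", "")
    if priv or groups:
        findings.append(f"default authorisation is enabled: privilege '{priv}', groups '{groups}'")
    # Lockout is off unless auth_lockout_after is a positive number;
    # server_admin must hold an address for lockout notifications to be sent.
    try:
        lockout = int(cfg.get("auth_lockout_after", "") or 0)
    except ValueError:
        lockout = 0
    if lockout <= 0:
        findings.append("auth_lockout_after is not a positive number: account locking is disabled")
    elif not cfg.get("server_admin"):
        findings.append("auth_lockout_after is set but server_admin is empty: no lockout notifications")
    return findings

if __name__ == "__main__":
    for finding in audit_auth(parse_auth_settings(SAMPLE_CONFIG)):
        print("WARNING:", finding)
```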
NMIS Single Sign On
NMIS 8.5 and newer support Single Sign On for NMIS installations spanning a whole organisation (or subdomain).
In version 8.6.3G we've added support for Single Sign On between NMIS and Opmantek applications, either for a single installation or spanning an organisation.
Configuring SSO: NMIS to Opmantek Applications (8.6.3G and newer)
Compatibility Aspects
A number of problematic corner cases were discovered and fixed in May 2018, which unfortunately required certain changes that are not backwards-compatible.
The following table lists the scenarios:
NMIS | Opmantek Apps | NMIS-Opmantek SSO |
---|---|---|
before 8.6.3G | any version | not available |
8.6.3 or 8.6.4 | only application releases before 22.5.2018 present on your system | available but not perfectly robust in certain circumstances |
8.6.5 and newer | only releases older than 22.5.2018 present | not available |
8.6.5 and newer | at least one application release newer than 22.5.2018 present | available |
SSO between NMIS and OMK Applications on one system
...
Both the Cookie Type (or flavour) and Authentication Secret (or key) settings can be changed using the Basic Setup dialog or the NMIS Configuration dialog (they're in the section "authentication").
To gather the Opmantek application secret, you can either open /usr/local/omk/conf/opCommon.nmisjson with an editor (look for omkd_secrets), or ask the patch_config tool for the value of that setting, as in the following example:
    $ /usr/local/omk/bin/patch_config.exe -r /usr/local/omk/conf/opCommon.nmisjson /omkd/omkd_secrets[0] CHANGE_ME_askdfal2332lkwjflk
...
Using the menu "System -> System Configuration -> Users", select "add" from the top right and complete the form: specify the User that matches the user added with htpasswd, then the Privilege and Groups, using "all" if all groups are permitted; multiple groups can be selected.