Remote authentication
The Administration > Account Management > Remote Authentication page specifies the sequence in which NetProfiler checks authentication sources when a user logs in. It also provides tabs for setting up authentication and authorization using RADIUS, TACACS+ or SAML 2.0.
Types of authentication and authorization
NetProfiler authenticates and authorizes user logins in three ways:
- Authenticated and authorized by NetProfiler - The user has an account on NetProfiler. This account specifies their login credentials and their user role. If NetProfiler can authenticate their login credentials in its local user database, it logs the user in and authorizes permissions based on the user role assigned to their account.
- Authenticated remotely, authorized by NetProfiler - The user has an account on NetProfiler. This account specifies their user role, but not their login credentials. It specifies that their credentials are to be authenticated remotely. If NetProfiler can authenticate their login credentials using a remote authentication server, it logs the user in and authorizes permissions based on the user role assigned to their account.
- Authenticated and authorized remotely - The user does not have an account on NetProfiler. When the user attempts to log in, NetProfiler uses a remote authentication server to both authenticate their login credentials and authorize permissions based on their user role.
Authentication sequence
When NetProfiler is in the SAML 2.0 authentication mode, it does not log a user on unless the user can be authenticated by a SAML Identity Provider (IdP). Users cannot be authenticated locally or by RADIUS or TACACS+ when SAML authentication is enabled.
When NetProfiler is not in the SAML 2.0 authentication mode, it logs a user on if the user can be authenticated locally or by RADIUS or TACACS+. The authentication sequence when NetProfiler is not in the SAML 2.0 authentication mode proceeds as follows.
NetProfiler checks its local database first to authenticate a user's login credentials. If it cannot authenticate the user locally, it attempts to authenticate the credentials using the protocol specified in the Authentication Sequence section of the page. You can specify that NetProfiler is to check RADIUS servers or TACACS+ servers, or first one and then the other, or neither (that is, use only local authentication).
NetProfiler attempts to contact the first authentication server in its list of configured servers. If that server is unreachable, it checks the next authentication server in the list. It continues until it succeeds in connecting to an authentication server.
When searching for RADIUS authentication, NetProfiler contacts RADIUS servers in the order in which they are listed on the RADIUS tab. When searching for TACACS+ authentication, NetProfiler contacts TACACS+ servers in the order in which they are listed on the TACACS+ tab.
When it succeeds in connecting and receives a valid message back from an authentication server, NetProfiler stops searching for authentication servers, regardless of whether the message is a pass/success or a "user not found" or other failure message. If authentication and authorization succeed, NetProfiler logs the user in. If either authentication or authorization fails, NetProfiler displays an error message and records an unsuccessful login attempt in the audit logs.
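The sequence above as an added Python model (example code, not NetProfiler's own): server replies are constructed callables standing in for the real exchanges, and it assumes the "stop at the first valid reply" rule spans both protocols in the configured sequence, so a failure from the first reachable RADIUS server means the TACACS+ servers are never consulted.

```python
# Added example, not NetProfiler code: a model of the login sequence described above.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Reply = Callable[[str, str], str]          # (user, password) -> one of the codes below
UNREACHABLE, ACCEPT, REJECT, NOT_FOUND = "unreachable", "accept", "reject", "user_not_found"
@dataclass
class Server:
    name: str
    reply: Reply                           # constructed stand-in for a RADIUS/TACACS+ exchange

@dataclass
class NetProfilerAuth:
    local_users: Dict[str, str]                      # local database: user -> password
    sequence: List[str]                              # e.g. ["RADIUS", "TACACS+"]; [] = local only
    servers: Dict[str, List[Server]] = field(default_factory=dict)  # protocol -> tab order
    saml_idp: Optional[Reply] = None                 # set => SAML 2.0 mode
    audit: List[str] = field(default_factory=list)

    def login(self, user: str, password: str) -> bool:
        # SAML mode: only the IdP can authenticate; local, RADIUS and TACACS+ are skipped.
        if self.saml_idp is not None:
            ok = self.saml_idp(user, password) == ACCEPT
            self.audit.append(f"{user}: SAML {'success' if ok else 'failure'}")
            return ok
        if self.local_users.get(user) == password:   # local database is checked first
            self.audit.append(f"{user}: local success")
            return True
        for protocol in self.sequence:               # then each protocol in configured order
            for server in self.servers.get(protocol, []):
                result = server.reply(user, password)
                if result == UNREACHABLE:
                    continue                         # try the next server in the list
                # First valid reply ends the search, whether pass or failure (assumed to
                # apply across protocols, not only within one protocol's server list).
                self.audit.append(f"{user}: {protocol} {server.name} {result}")
                return result == ACCEPT
        self.audit.append(f"{user}: failure, no source authenticated the user")
        return False

def always(code: str) -> Reply:
    return lambda user, password: code           # constructed server: fixed reply

def demo() -> bool:
    """Primary RADIUS down, secondary says 'user not found': TACACS+ is never asked."""
    prof = NetProfilerAuth(local_users={"admin": "local-pw"}, sequence=["RADIUS", "TACACS+"],
                           servers={"RADIUS": [Server("radius1", always(UNREACHABLE)),
                                               Server("radius2", always(NOT_FOUND))],
                                    "TACACS+": [Server("tacacs1", always(ACCEPT))]})
    return prof.login("alice", "pw")                 # False
```

The audit list shows which server produced the decisive reply, which is the first thing to check when a user who exists on a later server in the sequence is unexpectedly rejected.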
Configuring remote authentication