External Authentication

Note

Unless indicated otherwise, instructions here are to be performed in the Management Console.

Overview

This section discusses the user authentication methods available with Micetro.

In addition to local user authentication, Micetro currently supports two methods of authenticating users against the Windows Active Directory user database (per-user and group level, described below) and authentication through a RADIUS server.

Active Directory User Authentication

The Active Directory (AD) User Authentication mechanism allows you to have users authenticate themselves in the AD login system before allowing them to login to Micetro. In large installations, this system has obvious benefits as the users do not have to maintain their passwords in multiple locations. The password rules (password expiry, minimum password length, etc.) that have been applied within the organization automatically apply to Micetro.

Active Directory User Authentication vs. Local User Authentication

Even when you are using AD User Authentication, you must create users in the Management Console and assign privileges to them using the Men&Mice access system. The only difference between AD and local user authentication is that with AD user authentication, users are authenticated by Active Directory before they can access the Management Console. When AD User Authentication is used, the user password is not stored in the Men&Mice software.

Note

Only one authentication method can be used per user, but different users can have different authentication methods. That means you can have some users log in using AD user authentication, while other users log in using local user authentication.

Enabling AD User Authentication Using Active Directory

AD user authentication using Active Directory is only possible when Men&Mice Central runs on a Windows machine. The machine running Men&Mice Central must be a member of an Active Directory domain or forest. No specific configuration of Men&Mice Central is needed for user authentication using Active Directory.

Configuring Users for AD Authentication

To configure a user to use AD user authentication, do the following:

  1. From the menu, select Tools ‣ User management.

  2. Select the applicable user from the list. If the desired user is not shown, the user must be added to the application. Refer to Users.

  3. When the Properties dialog box displays, move to the Authentication field, click the drop-down list, and select the applicable authentication method. (If Men&Mice Central is not running on a Windows machine, only the Micetro authentication method is listed.)

  4. Click OK.

Note

When the AD authentication method is selected, the Password field is disabled, since the password is not stored in Micetro.

Active Directory Single Sign-on

[Screenshot: console_ad_sso.png]

You can enable the Single Sign-on so that Active Directory users do not have to authenticate when logging in through the Management Console.

To enable Active Directory Single Sign-on, do the following:

  1. From the menu bar, select Tools ‣ System Settings.

  2. In the System Settings dialog box, click the General Settings tab.

  3. Select the Allow Single Sign-on option.

  4. Click OK.

Web Interface

When single sign-on is enabled, it can also be enabled for the web interface, provided the web application is running on a Microsoft Windows Server.

To enable single sign-on in the web application, make sure that both Single Sign-on and Single Sign-on for web are enabled in Micetro.

Application Log In

The login procedure does not change when AD user authentication is used and Single Sign-on is disabled. The only thing to keep in mind is that the user name entered must match the user name stored in Micetro. If a distinguished user name is used, it must be entered in the same way when logging in.

Group Level Active Directory User Authentication

The Group Level Active Directory (AD) User Authentication mechanism allows you to set user access privileges by group membership in the AD. In large installations, this has obvious benefits, as users do not have to maintain their passwords in multiple locations. The password rules (password expiry, minimum password length, etc.) that have been applied within the organization automatically apply to Micetro.

The login sequence is as follows for users with Group Level AD authentication:

  1. The user enters their user name and password in Micetro.

  2. Micetro uses the AD authentication mechanism to validate the user name and password. If the user name and password are correct, Micetro retrieves the group membership of the user from the AD.

  3. The AD group list of the user is compared (by group name) to the local group list in Micetro. If a match is found, the user is logged in with the privileges specified in the local group list. If no match is found, the login fails.

To allow a user to log in to Micetro, you must create a group in the AD that has the same name as a group in Micetro and place the AD user in that group. You may create multiple groups in the AD that match group names in Micetro.

Configuring Groups for AD Group Level Authentication

When using AD Group level authentication, you must specify which groups in Micetro should be used to verify group membership.

  1. From the menu, select Tools ‣ User Management. The Users and groups management dialog box displays.

  2. Click the Groups tab.

  3. Select the group for which you want to configure AD authentication and click the Edit button. If the desired group is not shown, you will need to add the group. See Groups.

[Screenshot: console_ad_groups_auth.png]
Group Name

Ensure that the group name is prefixed with the name of the owning domain name. Example: The Active Directory domain “MYDOMAIN” contains the group “MM-ReadOnly”. The group name must then be “MYDOMAIN\MM-ReadOnly”.

  4. Click the checkbox for Active Directory Integrated.

  5. Click OK.

Note

Group Level Active Directory user authentication is only possible when Men&Mice Central runs on a Windows machine. The machine running Men&Mice Central must be a member of an Active Directory domain or forest.

Configuring Users and Access Privileges

You do not have to create users in Micetro when Group Level AD authentication is used. Instead, user access is controlled by the group membership of the user in the AD. This also means that anyone who can change the membership of a matching AD group can grant or revoke Micetro access, so the right to manage those AD groups should be restricted accordingly.
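The login decision in steps 2 and 3 of the login sequence above, together with the "DOMAIN\Group" naming rule from Configuring Groups for AD Group Level Authentication, simulated in Python as an added example (this is not Men&Mice code). It assumes, because the page does not say, that names are compared case-insensitively and as whole "DOMAIN\Group" strings, that only groups flagged Active Directory Integrated take part, and that AD returns group membership as distinguished names; the group lists and privilege names are constructed for the demonstration.

```python
"""Simulation of the Group Level AD login decision (steps 2-3 above).

Added example, not Men&Mice code. Assumptions not stated on the page:
group names are compared case-insensitively (AD names are), the match is
exact on the whole "DOMAIN\\Group" string, and only Micetro groups with
"Active Directory Integrated" set take part in the comparison.
"""
from dataclasses import dataclass, field


@dataclass
class MicetroGroup:
    name: str                  # as entered in Micetro, e.g. r"MYDOMAIN\MM-ReadOnly"
    ad_integrated: bool        # the "Active Directory Integrated" checkbox
    privileges: set = field(default_factory=set)


# Constructed Micetro group list; the last two are deliberate misconfigurations.
MICETRO_GROUPS = [
    MicetroGroup(r"MYDOMAIN\MM-ReadOnly", True, {"dns:read", "ipam:read"}),
    MicetroGroup(r"MYDOMAIN\MM-Admins", True, {"dns:read", "dns:write", "ipam:write", "admin"}),
    MicetroGroup("MM-Operators", True, {"dns:write"}),             # no DOMAIN\ prefix: never matches
    MicetroGroup(r"MYDOMAIN\MM-Auditors", False, {"audit:read"}),  # flag not set: ignored
]


def dn_to_domain_qualified(group_dn: str, netbios_domain: str) -> str:
    """Turn the distinguishedName AD returns in memberOf into the
    "DOMAIN\\Group" form Micetro expects (hypothetical helper)."""
    rdn = group_dn.split(",", 1)[0]
    if not rdn.upper().startswith("CN="):
        raise ValueError(f"not a group DN: {group_dn}")
    return f"{netbios_domain}\\{rdn[3:]}"


def normalize(name: str) -> str:
    return name.strip().casefold()


def resolve_privileges(ad_groups, micetro_groups=MICETRO_GROUPS):
    """Step 3 of the login sequence.

    ad_groups: domain-qualified group names of a user whose password AD has
    already validated (step 2). Returns (login_ok, privileges, matched).
    Login fails when no AD group matches an AD-integrated Micetro group.
    """
    ad_set = {normalize(g) for g in ad_groups}
    privileges, matched = set(), []
    for grp in micetro_groups:
        if grp.ad_integrated and normalize(grp.name) in ad_set:
            privileges |= grp.privileges
            matched.append(grp.name)
    return bool(matched), privileges, matched


def demo():
    """Constructed memberOf results for three users, as AD would return them."""
    users = {
        "alice": ["CN=MM-ReadOnly,OU=Groups,DC=mydomain,DC=local",
                  "CN=MM-Admins,OU=Groups,DC=mydomain,DC=local"],
        "bob": ["CN=MM-Operators,OU=Groups,DC=mydomain,DC=local"],   # Micetro group lacks prefix
        "carol": ["CN=MM-Auditors,OU=Groups,DC=mydomain,DC=local"],  # Micetro group not AD-integrated
    }
    return {u: resolve_privileges([dn_to_domain_qualified(d, "MYDOMAIN") for d in dns])
            for u, dns in users.items()}


if __name__ == "__main__":
    for user, (ok, privs, matched) in demo().items():
        print(f"{user}: {'login ok' if ok else 'LOGIN FAILS'} via {matched} -> {sorted(privs)}")
```

Running it shows alice logging in with the union of both matched groups' privileges, while bob and carol are rejected even though their AD credentials are valid: bob's Micetro group lacks the "MYDOMAIN\" prefix and carol's is not flagged Active Directory Integrated. Both are silent failures in practice, so check the two settings together when a valid AD user cannot log in.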

RADIUS User Authentication

Micetro can authenticate users against an external RADIUS server. In large installations, this has obvious benefits, as users do not have to maintain their passwords in multiple locations. The password rules (password expiry, minimum password length, etc.) that have been applied within the organization automatically apply to Micetro.

RADIUS User Authentication vs. Local User Authentication

Even when you are using RADIUS User Authentication, you must create users in the Management Console and assign privileges to them using the Men&Mice access system. The only difference between RADIUS and local user authentication is that with RADIUS user authentication, users are authenticated by the RADIUS server before they can access the Management Console. When RADIUS User Authentication is used, the user password is not stored in the Men&Mice software.

Note

Only one authentication method can be used per user, but different users can have different authentication methods. That means you can have some users log in using RADIUS user authentication, while other users log in using local user authentication.

Enabling RADIUS User Authentication

To enable RADIUS authentication, you must add several properties to the Men&Mice Central configuration file preferences.cfg. This file is located in the Men&Mice Central data directory:

  • Windows: C:\Program Files\Men&Mice\Central\data

  • Mac OS X: /var/mmsuite/mmcentral

  • All others: set during installation. Usually /var/mmsuite/mmcentral or /chroot/var/mmsuite/mmcentral, where /chroot is the location used as a chroot jail for named.

The properties to be added are:

RADIUSServer

Defines the address of the RADIUS server that will do RADIUS authentication.

RADIUSPort

Defines the port that the RADIUS server is listening on. The default value is 1812, which is the port normally used by RADIUS.

RADIUSSharedSecret

The shared secret between the RADIUS server and Micetro. It is stored in clear text in preferences.cfg, so restrict read access to that file to the account Men&Mice Central runs as, and use a long, random value rather than a word.

RADIUSAuthentication

The type of authentication used. 0 = PAP, 1 = CHAP. With PAP the user's password is sent to the RADIUS server hidden only by an MD5-based obfuscation keyed with the shared secret (RFC 2865), so anyone who captures the traffic and knows the secret can recover it. With CHAP the password itself is never transmitted, but the RADIUS server must hold it in a form it can recover in order to verify the response. In either case RADIUS provides no transport encryption, so keep the path between Men&Mice Central and the RADIUS server on a trusted network.

Example:

    <RADIUSServer value="192.168.1.3"/>
    <RADIUSPort value="1515"/>
    <RADIUSSharedSecret value="MyBigSecret"/>
    <RADIUSAuthentication value="1"/>

After editing the file, restart Men&Mice Central.

  • Windows: use Administration Tools ‣ Services to restart Men&Mice Central.

  • Mac OS X: Execute the following shell command in a Terminal window (/Applications/Utilities/Terminal):

    sudo /Library/StartupItems/mmSuite/mmcentral restart
    
  • All others: Execute the mmcentral init script with the ‘restart’ argument.
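What RADIUSAuthentication 0 and 1 mean on the wire, as an added Python example that is not Men&Mice code: it builds the RFC 2865 Access-Request a RADIUS client sends for PAP and for CHAP. The shared secret is the one from the preferences.cfg example above; the user name, password and fixed Request Authenticator are constructed here for the demonstration. Running it shows that the PAP User-Password attribute is recoverable by anyone who has the packet and the shared secret, while the CHAP-Password attribute carries only a hash of the password.

```python
"""What RADIUSAuthentication 0 (PAP) and 1 (CHAP) put on the wire.

Added example, not Men&Mice code: it builds RFC 2865 Access-Request
packets the way any RADIUS client does. The user name, password and fixed
authenticator used below are constructed for the demonstration.
"""
import hashlib
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1        # RADIUS Code field
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not per-user encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide_password: what the RADIUS server does, and what
    anyone holding a packet capture plus the shared secret can do too."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3 / RFC 1994: CHAP-Password = ident || MD5(ident || password || challenge).
    The password never leaves the client, but the server must hold it in
    recoverable form to verify the response."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: bytes, password: bytes, secret: bytes, mode: int,
                         identifier: int = 0, authenticator: Optional[bytes] = None) -> bytes:
    """mode 0 = PAP (RADIUSAuthentication value="0"), 1 = CHAP (value="1")."""
    if authenticator is None:
        authenticator = os.urandom(16)   # 16-byte Request Authenticator; must be unpredictable
    identifier &= 0xFF
    attrs = attr(ATTR_USER_NAME, username)
    if mode == 0:
        attrs += attr(ATTR_USER_PASSWORD, pap_hide_password(password, secret, authenticator))
    elif mode == 1:
        # Challenge = Request Authenticator; also sent explicitly as CHAP-Challenge (60).
        attrs += attr(ATTR_CHAP_PASSWORD, chap_response(identifier, password, authenticator))
        attrs += attr(ATTR_CHAP_CHALLENGE, authenticator)
    else:
        raise ValueError("RADIUSAuthentication must be 0 (PAP) or 1 (CHAP)")
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    secret, ra = b"MyBigSecret", bytes(range(16))   # secret from the page's example; fixed RA for the demo
    for mode, name in ((0, "PAP"), (1, "CHAP")):
        pkt = build_access_request(b"alice", b"correct horse", secret, mode, identifier=7, authenticator=ra)
        print(f"{name}: {len(pkt)} bytes, attribute types {sorted(parse_attributes(pkt))}")
    hidden = parse_attributes(build_access_request(b"alice", b"correct horse", secret, 0, 7, ra))[ATTR_USER_PASSWORD]
    print("PAP password recovered with the shared secret:", pap_reveal_password(hidden, secret, ra))
```

The fixed authenticator is only there to make the output reproducible; a real client must draw a fresh random Request Authenticator per request, because reusing one with PAP lets an observer XOR two hidden passwords against each other.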

Configuring Users

To allow a user to log in to the Men&Mice system, the user must exist in the Men&Mice user database. If the user does not exist in the Men&Mice user database, they are not allowed to log in, even if they provide a valid user name and password in the RADIUS login system.

To configure a user to use RADIUS user authentication, do the following:

  1. From the menu bar, select Tools ‣ User Management. The User and group management dialog box displays.

  2. To add a new user, click the Add button. Refer to Users. Follow the instructions with one exception: in the Authentication field, click the drop-down list and select RADIUS.

  3. To modify an existing user, double-click on the user’s name to display the user Properties dialog box, and in the Authentication field, click the drop-down list and select RADIUS.

Note

When the RADIUS authentication method is selected, the Password field is disabled, since the password is not stored in Micetro.

[Screenshot: console_ad_sso_radius.png]

Logging into Micetro

Logging in to Micetro will not change when RADIUS user authentication is used. The only thing to keep in mind is that the user name that is entered must match the user name stored in Micetro.