
Array Remote Access Solution ------ AAA, SSO


armani




Presentation Transcript


  1. Array Remote Access Solution ------ AAA, SSO

  2. Role of AAA
     • The Array Remote Access solution gates access to the network it protects by identifying users and enforcing policies for those users.
     • The task of identifying users falls to the AAA module. AAA's responsibilities are:
     • Authentication: identify users and validate their credentials (i.e. figure out who is accessing the system and ensure that they are who they claim to be).
     • Authorization: retrieve all policies configured for the user and supply them to the policy enforcement engine (Security Manager).
     • Accounting: record the user's access attributes (e.g. time of access).

  3. Salient Features
     • Supports 4 ranks of authentication servers
     • Supports separate authentication and authorization servers for each rank
     • Supports storage of authorization attributes on external servers (LDAP, RADIUS) as well as in the local database
     • Co-operates with SSL to provide client-certificate-based authentication and authorization
     • Provides a local database to use in lieu of external authentication and/or authorization servers
     • Accounting is supported via RADIUS

  4. Authentication Schemes
     • AAA supports the following authentication schemes:
     • SecurID (native ACE as well as via RADIUS)
     • LDAP
     • SecurID + LDAP multifactor
     • Active Directory
     • RADIUS
     • Local Database (homegrown authentication database)
     • Client Certificates (single and dual factor)

  5. Authorization Schemes
     • AAA supports the following authorization schemes:
     • LDAP
     • LocalDB native
     • LocalDB group mapping
     • LocalDB default group for all users (localdefault)
     • RADIUS
     • Client certificates
     • An authorization scheme has to be paired with an authentication scheme.
     • Not all authorization schemes can be used with every authentication scheme.

  6. General Facts
     • When multiple methods are ranked in AAA, AAAd will use the first ranked method to authenticate the user. If this method results in a failed authentication, AAA will check whether any other methods are ranked. If other methods are ranked, AAA will try the next ranked method.
     • In case of a sourcenet mismatch, AAAd immediately returns a "login reject". It will not try the next ranked method.
     • SecurID or SecurIDLDAP, if used, has to be the first ranked method.
     • Certificate Challenge or Certificate Anonymous, if used, has to be the only ranked method; no other methods can be used at any rank.
     • Bad ACLs will not be rejected by AAAd; however, the Security Manager, if it detects bad ACLs, will reject the user's login.

  7. General Facts (continued)
     • RSA admits that using native ACE with devices that have multiple interfaces is problematic. RSA supplies a free RADIUS interface to its services. We recommend that RADIUS be used for interfacing with RSA due to simplicity of configuration. There are no disadvantages to using RADIUS over native ACE for RSA SecurID.
     • LDAP, RADIUS and AD allow the configuration of 3 servers for redundancy.
     • Schema extension and group mapping cannot be used together. If they are used together, the values obtained from schema extensions will be discarded and the ones from group mapping will be used.
     • A comprehensive list of useful facts is available at projects.arraynetworks.net/Infrastructure/AAA/AAAD_facts.pdf
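The rank walk on slide 6 and the authorization-attribute rule on slide 7 are easy to get wrong in a mental model (a sourcenet mismatch is not "just another failure" that falls through). The following simulation is an added example, not Array Networks' AAAd code: the method names, the `Method` data structure, the constructed credential stores and the reading of "sourcenet" as a per-method client-address restriction are assumptions made for the example.

```python
"""Ranked-method evaluation as the General Facts slides describe it.

Added simulation, not Array Networks' AAAd code. The method names, the
Method/rank data structures, the credential stores and the reading of
'sourcenet' as a per-method client-address restriction are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# method name sets used by the ordering constraints on slide 6
SECURID_METHODS = {"securid", "securidldap"}
CERT_METHODS = {"certchallenge", "certanonymous"}
MAX_RANKS = 4  # slide 3: four ranks of authentication servers


def validate_ranks(names: List[str]) -> List[str]:
    """Check a ranked list of method names against the documented constraints.

    Returns a list of error strings; an empty list means the ranking is legal."""
    errors = []
    if not 1 <= len(names) <= MAX_RANKS:
        errors.append(f"expected 1..{MAX_RANKS} ranked methods, got {len(names)}")
    for rank, name in enumerate(names, start=1):
        if name in SECURID_METHODS and rank != 1:
            errors.append(f"{name} must be the first ranked method (found at rank {rank})")
        if name in CERT_METHODS and len(names) != 1:
            errors.append(f"{name} must be the only ranked method")
    return errors


@dataclass
class Method:
    name: str
    users: Dict[str, str]                              # constructed username -> password store
    sourcenet: Optional[ipaddress.IPv4Network] = None  # None: accept any client address


def authenticate(ranks: List[Method], username: str, password: str,
                 client_ip: str) -> Tuple[bool, Optional[str], str]:
    """Walk the ranks in order and return (accepted, method_name, reason).

    A credential failure falls through to the next rank; a sourcenet mismatch
    is a hard reject that stops the walk, as slide 6 states."""
    ip = ipaddress.ip_address(client_ip)
    for method in ranks:
        if method.sourcenet is not None and ip not in method.sourcenet:
            return False, method.name, "sourcenet mismatch: login reject, no fall-through"
        if method.users.get(username) == password:
            return True, method.name, "authenticated"
        # credentials rejected by this rank: try the next one
    return False, None, "every ranked method rejected the credentials"


def merge_authorization(schema_ext: Optional[Dict[str, str]],
                        group_map: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Slide 7 rule: when schema extension and group mapping are both configured,
    the schema-extension values are discarded and the group-mapping values win."""
    if group_map:
        return dict(group_map)
    return dict(schema_ext or {})


# constructed sample ranking: SecurID at rank 1, limited to the office network,
# falling through to LDAP at rank 2 for any client address
SAMPLE_RANKS = [
    Method("securid", {"alice": "1234"}, ipaddress.ip_network("10.0.0.0/8")),
    Method("ldap", {"bob": "pw"}),
]

if __name__ == "__main__":
    print(validate_ranks(["ldap", "securid"]))
    print(authenticate(SAMPLE_RANKS, "bob", "pw", "10.1.1.1"))
    print(authenticate(SAMPLE_RANKS, "bob", "pw", "192.0.2.5"))
```

Note the asymmetry the sample shows: bob's LDAP credentials are valid, yet from 192.0.2.5 he is rejected at rank 1 before LDAP is ever consulted, so a support case that reads "valid LDAP user cannot log in" should be checked against the rank-1 sourcenet before the directory.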

  8. SSO – Single Sign On
     • SSO allows the SPX to automatically log the user in to services fronted by the SPX when the credentials those services require match the credentials used to log in to the SPX.
     • The SPX supports SSO for HTTP transactions with the following access methods:
     • Web
     • L4 (with the "clientapp backend protocol http" CLI enabled)
     • With either of the above methods, SSO is supported for the following HTTP authentication mechanisms:
     • Basic Auth
     • NTLM
     • POST
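What the SSO slide describes at the HTTP level is the proxy holding the credentials presented at SPX login and replaying them only to services it fronts. The following is an added illustration of the Basic Auth and POST cases, not Array Networks' code: the `SsoStore` class, the host allowlist, the form field names and the sample challenge are assumptions. NTLM is deliberately not handled, since it is a multi-leg exchange rather than a single replayed header.

```python
"""Credential replay for HTTP SSO, as an added example (not Array Networks code).

The SsoStore class, the fronted-host allowlist and the form field names are
assumptions; a real deployment takes them from per-service SSO configuration."""
import base64
from typing import Dict, Iterable, Optional
from urllib.parse import urlencode


class SsoStore:
    """Holds the credentials used at SPX login and replays them to fronted services."""

    def __init__(self, username: str, password: str, fronted_hosts: Iterable[str]):
        self.username = username
        self.password = password
        # Only services the SPX fronts ever receive the credentials. A backend that
        # redirects the browser to an unlisted host gets nothing, so the stored
        # password cannot be harvested by an arbitrary 401 challenge.
        self.fronted_hosts = {h.lower() for h in fronted_hosts}

    def basic_header(self, host: str, www_authenticate: str) -> Optional[str]:
        """Given a 401 from `host` carrying its WWW-Authenticate value, return the
        Authorization header value to replay, or None when SSO does not apply."""
        if host.lower() not in self.fronted_hosts:
            return None
        scheme = www_authenticate.strip().split(None, 1)[0].lower()
        if scheme != "basic":
            return None  # NTLM (and anything else) is not a one-shot header replay
        raw = f"{self.username}:{self.password}".encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")

    def post_body(self, host: str, user_field: str, pass_field: str,
                  extra: Optional[Dict[str, str]] = None) -> Optional[str]:
        """Build the urlencoded body for POST-based SSO. The login form's field
        names (assumed here) come from the per-service SSO configuration."""
        if host.lower() not in self.fronted_hosts:
            return None
        fields = dict(extra or {})
        fields[user_field] = self.username
        fields[pass_field] = self.password
        return urlencode(fields)


# constructed sample: credentials entered at SPX login, one fronted intranet host
SAMPLE_STORE = SsoStore("alice", "s3cret", ["intranet.example"])
SAMPLE_CHALLENGE = 'Basic realm="intranet"'  # constructed 401 WWW-Authenticate value

if __name__ == "__main__":
    print(SAMPLE_STORE.basic_header("intranet.example", SAMPLE_CHALLENGE))
    print(SAMPLE_STORE.basic_header("evil.example", SAMPLE_CHALLENGE))
    print(SAMPLE_STORE.post_body("intranet.example", "j_username", "j_password"))
```

The allowlist check is the part worth keeping in mind when reviewing an SSO configuration: the slide's condition ("services fronted by the SPX") is what bounds where the user's SPX password is replayed, so every host added to the SSO target list is a host trusted with that password.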
