Configuring Authentication

Nutanix supports local and directory-based user authentication, and optionally certificate-based client authentication. To configure authentication types and directories, to enable client authentication, or both, do the following:

Caution: The web console (and nCLI) does not accept the insecure SSLv2 and SSLv3 protocols. To avoid a protocol fallback that ends in denied access to the web console, disable (uncheck) SSLv2 and SSLv3 in any browser used for access, and make sure TLS is enabled (checked).
  1. In the gear icon pull-down list of the main menu (see Main Menu Options), select Authentication. The Authentication Configuration window appears.

    Figure: Authentication Window

    Note: The following steps combine three distinct procedures: enabling authentication (step 2), configuring one or more directories for LDAP/S authentication (steps 3-5), and enabling client authentication (step 6). Perform only the steps for the procedures you need. For example, perform step 6 only if you intend to enforce client authentication.
  2. To enable server authentication, click the Authentication Types tab and then check the box for Local, Directory Service, or both. After selecting the authentication types, click the Save button. The Local setting uses the local user accounts maintained by Nutanix (see User Management); it applies when a user enters just a login name without a domain (for example, user1 instead of user1@nutanix.com). The Directory Service setting applies to user@domain entries, which are validated against the directory configured in the Directory List tab; therefore, you must configure an authentication directory if you select Directory Service.

    Figure: Authentication Window: Authentication Types

    Note: The Nutanix admin user can log on to the management interfaces, including the web console, even if the Local authentication type is disabled.
  3. To add an authentication directory, click the Directory List tab and then the New Directory button. A set of fields is displayed. Do the following in the indicated fields:
    1. Name: Enter a directory name. This is a name you choose to identify this entry; it need not be the name of an actual directory.
    2. Domain: Enter the domain name in DNS format, for example, nutanix.com.
    3. Directory URL: Enter the URL of the directory. The URL format for an LDAP entry (the only type supported currently) is ldap://host:ldap_port_num, where host is either the IP address or the fully qualified domain name. The default LDAP port number is 389. Nutanix also supports LDAPS (port 636) and LDAP/S Global Catalog (ports 3268 and 3269). The following are example configurations appropriate for each port option:
      Note: LDAPS support does not require custom certificates or certificate trust import.
      • Port 389 (LDAP). Use this port number (in the following URL form) when the configuration is single domain, single forest, and not using SSL.
        ldap://ad_server.mycompany.com:389
      • Port 636 (LDAPS). Use this port number (in the following URL form) when the configuration is single domain, single forest, and using SSL. This requires that all Active Directory Domain Controllers have properly installed SSL certificates.
        ldaps://ad_server.mycompany.com:636
      • Port 3268 (LDAP – GC). Use this port number (in the following URL form) when the configuration is multiple domain, single forest, and not using SSL.
        ldap://ad_server.mycompany.com:3268
      • Port 3269 (LDAPS – GC). Use this port number (in the following URL form) when the configuration is multiple domain, single forest, and using SSL.
        ldaps://ad_server.mycompany.com:3269
        Note: When constructing your LDAP/S URL to use a Global Catalog server, ensure that the Domain Controller IP address or name being used is a global catalog server within the domain being configured. If not, queries over 3268/3269 may fail.
    4. Directory Type: Select Active Directory from the pull-down list. Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. It is the only option currently available.
      Note: Users with the “User must change password at next logon” attribute enabled cannot authenticate to the web console (or nCLI). Ensure that such users first log in to a domain workstation and change their password before accessing the web console. Also, if SSL is enabled on the Active Directory server, make sure that Nutanix can reach that port (open in firewall).
    5. Connection Type: Select LDAP from the pull-down list. Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services. It is the only option currently available.
    6. When all the fields are correct, click the Save button (lower right). This saves the configuration and redisplays the Authentication Configuration dialog box. The configured directory now appears in the Directory List tab.
    7. Repeat this step for each authentication directory you want to add.
    Note: Every user in a configured directory is granted full administrator permissions by default. Restrict this by assigning roles to the users, groups, or OUs in that directory (see Assigning Role Permissions).

    Figure: Authentication Window: Directory List
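The scheme/port pairings above are easy to get wrong in the Directory URL field, and the console gives little feedback when a domain controller port is firewalled or its certificate is not trusted. The following is an added example, not Nutanix code: it parses a directory URL, rejects scheme/port mismatches (for example ldap:// on port 636), and, for ldaps:// entries, opens a TLS handshake to the domain controller from your workstation so certificate and firewall problems surface before you save the entry. The host name is the one used on this page; the `check_ldaps_endpoint` helper and its trust of the OS certificate store are assumptions for the example.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Port -> (scheme that belongs to it, Global Catalog?), as listed on this page.
PORT_RULES = {
    389: ("ldap", False),    # single domain, single forest, no TLS
    636: ("ldaps", False),   # single domain, single forest, TLS
    3268: ("ldap", True),    # multiple domains, single forest, no TLS
    3269: ("ldaps", True),   # multiple domains, single forest, TLS
}


@dataclass(frozen=True)
class DirectoryURL:
    scheme: str
    host: str
    port: int
    tls: bool
    global_catalog: bool


def parse_directory_url(url: str) -> DirectoryURL:
    """Parse ldap://host:port or ldaps://host:port; reject anything the field cannot use."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}: use ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("missing host (IP address or fully qualified domain name)")
    if parts.path or parts.query or parts.fragment:
        raise ValueError("directory URL is host:port only; no base DN, path or query")
    port = parts.port if parts.port is not None else (636 if parts.scheme == "ldaps" else 389)
    if port not in PORT_RULES:
        raise ValueError(f"port {port} is not one of the supported ports {sorted(PORT_RULES)}")
    expected_scheme, gc = PORT_RULES[port]
    if parts.scheme != expected_scheme:
        # ldap://dc:636 would send plaintext LDAP to a TLS listener and fail opaquely.
        raise ValueError(f"port {port} expects {expected_scheme}://, got {parts.scheme}://")
    return DirectoryURL(parts.scheme, parts.hostname, port, expected_scheme == "ldaps", gc)


def check_ldaps_endpoint(entry: DirectoryURL, cafile: Optional[str] = None,
                         timeout: float = 5.0) -> dict:
    """Open TCP + TLS to an ldaps:// entry and return the DC certificate's subject and expiry.

    A firewalled port surfaces as a socket error; an untrusted or missing DC
    certificate surfaces as ssl.SSLCertVerificationError. Network call, so it is
    not exercised by the offline checks below.
    """
    if not entry.tls:
        raise ValueError("only ldaps:// entries are checked with a TLS handshake")
    ctx = ssl.create_default_context(cafile=cafile)  # OS trust store unless cafile is given
    with socket.create_connection((entry.host, entry.port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=entry.host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    return {"tls_version": version, "subject": cert.get("subject"), "notAfter": cert.get("notAfter")}


if __name__ == "__main__":
    for url in ("ldap://ad_server.mycompany.com:389", "ldaps://ad_server.mycompany.com:636",
                "ldaps://ad_server.mycompany.com:3269", "ldap://ad_server.mycompany.com:636"):
        try:
            print(url, "->", parse_directory_url(url))
        except ValueError as err:
            print(url, "-> rejected:", err)
```

Run `check_ldaps_endpoint(parse_directory_url("ldaps://ad_server.mycompany.com:636"))` from a host with the same network path as the cluster. A verification error from the workstation usually means its own trust store lacks the enterprise CA (pass `cafile=`); the note above says the cluster itself needs no trust import, but the domain controllers must still serve a complete, unexpired certificate chain.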

  4. To edit a directory entry, click the Directory List tab and then click the pencil icon for that entry. The Directory List fields reappear (see step 3). Enter the new information in the appropriate fields and then click the Save button.
  5. To delete a directory entry, click the Directory List tab and then click the X icon for that entry. A prompt appears to confirm the deletion; click the OK button. The entry is removed from the list.
  6. To enable client authentication, do the following:
    1. Click the Client tab.
    2. Select the Configure Client Chain Certificate check box.

      Figure: Authentication Window: Client Tab (1)

    3. Click the Choose File button, browse to and select a client chain certificate to upload, and then click the Open button to upload the certificate.
      Note: Uploaded certificate files must be PEM encoded. The web console restarts after the upload step.

      Figure: Authentication Window: Client Tab (2)

    4. To enable client authentication, click Enable Client Authentication.
    5. To modify client authentication, do one of the following:
      Note: The web console restarts when you change these settings.
      • Click Enable Client Authentication to disable client authentication.
      • Click Remove to delete the current certificate. (This also disables client authentication.)

      Figure: Authentication Window: Client Tab (3)

    Client authentication requires the user to present a valid certificate to the Nutanix cluster. Normally the TLS handshake is one-way: the server presents a certificate so the user can verify the server's identity (see Installing an SSL Certificate). With client authentication enabled, the handshake becomes mutual: the server also verifies the user's identity. The user must present a valid certificate when accessing the console, either one installed on their local machine or one provided through a smart card reader.

    Note: The user's certificate (on the local machine or smart card) must chain to the same CA as the uploaded client chain certificate.
    Note: Client authentication is not available on Prism Central (see Multi-Cluster Management).
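Two things go wrong most often with the Client tab: the uploaded file is not PEM (a DER or PFX export), and the user's certificate was issued by a different CA than the uploaded chain. The following is an added example, not Nutanix code, that checks both on the workstation before the console restarts on you. The PEM check is pure Python; the CA check shells out to the local `openssl` binary, which is assumed to be installed. File names in the usage line are assumptions.

```python
import base64
import re
import subprocess
from typing import List

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def pem_certificates(data: bytes) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block, or raise if the file is not PEM.

    A DER or PKCS#12 file uploaded by mistake fails here instead of at the console.
    """
    if b"-----BEGIN CERTIFICATE-----" not in data:
        raise ValueError("not PEM: no '-----BEGIN CERTIFICATE-----' header (DER/PFX are not accepted)")
    ders = []
    for m in PEM_BLOCK.finditer(data):
        body = re.sub(rb"\s+", b"", m.group(1))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as err:  # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate block is not valid base64: {err}") from err
        if not der or der[0] != 0x30:  # an X.509 Certificate is a DER SEQUENCE
            raise ValueError("decoded block is not a DER certificate (no leading SEQUENCE tag)")
        ders.append(der)
    if not ders:
        raise ValueError("no complete CERTIFICATE block found")
    return ders


def verify_user_cert_against_chain(chain_pem: str, user_cert_pem: str) -> bool:
    """Run `openssl verify -CAfile <chain> <user cert>`.

    True when the user's certificate chains to the CA(s) in the uploaded chain,
    which is the requirement stated in the note above.
    """
    proc = subprocess.run(
        ["openssl", "verify", "-CAfile", chain_pem, user_cert_pem],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and proc.stdout.strip().endswith(": OK")


if __name__ == "__main__":
    import sys
    chain, user = sys.argv[1], sys.argv[2]  # e.g. client-chain.pem user.pem (assumed names)
    with open(chain, "rb") as f:
        print(f"{chain}: {len(pem_certificates(f.read()))} PEM certificate(s)")
    print("user certificate chains to uploaded CA:", verify_user_cert_against_chain(chain, user))
```

For smart card users, export the certificate from the card (or from the issuing CA) and run the same `openssl verify` against it; a mismatch there is what produces a silent TLS failure at the console after the restart.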
  7. To specify a service account that the web console can use to log in to Active Directory and authenticate Common Access Card (CAC) users, select the Configure Service Account check box, and then do the following in the indicated fields:

    Figure: Common Access Card Authentication

    1. Directory: Select the authentication directory that contains the CAC users that you want to authenticate. This list includes the directories that are configured on the Directory List tab.
    2. Service Username: Enter the user name, in the username@domain.com format, that you want the web console to use to log in to Active Directory.
    3. Service Password: Enter the password for the service user name.
    4. Click Enable CAC Authentication.
      Note: The web console restarts after you change this setting.

    If you map a Prism role to a CAC user directly, rather than to an Active Directory group or organizational unit that contains the user, specify that user's EDIPI-based User Principal Name (UPN) in the role mapping. A user who presents a CAC with a valid certificate is mapped to a role and taken directly to the web console home page; the web console login page is not displayed.

  8. Click the Close button to close the Authentication Configuration dialog box.

Assigning Role Permissions

When user authentication is enabled for a directory service (see Configuring Authentication), all authenticated users have full administrator permissions by default. You can restrict this by assigning a role (with associated permissions) to organizational units (OUs), groups, or individual users within a directory. To assign roles, do the following:

  1. In the gear icon pull-down list of the main menu (see Main Menu Options), select Role Mapping.

    The Role Mapping window appears.

    Figure: Role Mapping Window

  2. To create a role mapping, click the New Mapping button.

    The Create Role Mapping window appears. Do the following in the indicated fields:

    1. Directory: Select the target directory from the pull-down list.

      Only directories previously defined when configuring authentication appear in this list. If the desired directory does not appear, add that directory to the directory list (see Configuring Authentication) and then return to this procedure.

    2. LDAP Type: Select the desired LDAP entity type from the pull-down list.

      The entity types are GROUP, USER, and OU.

    3. Role: Select the user role from the pull-down list.

      There are three roles from which to choose:

      • Viewer: This role allows a user to view information only. It does not provide permission to perform any administrative tasks.
      • Cluster Admin: This role allows a user to view information and perform any administrative task (but not create or modify user accounts).
      • User Admin: This role allows the user to view information, perform any administrative task, and create or modify user accounts.
    4. Values: Enter the case-sensitive entity names (in a comma separated list with no spaces) that should be assigned this role.

      The values are the actual names of the organizational units (meaning it applies to all users in those OUs), groups (all users in those groups), or users (each named user) assigned this role. For example, entering the value “admin-gp,support-gp” when the LDAP type is GROUP and the role is Cluster Admin means all users in the admin-gp and support-gp groups are assigned the cluster administrator role.

      Note: Do not include a domain in the value, for example enter just admin-gp, not admin-gp@nutanix.com. However, when users log into the web console, they need to include the domain in their user name (see Logging Into the Web Console).
    5. When all the fields are correct, click the Save button (lower right). This saves the configuration and redisplays the Role Mapping window. The new role map now appears in the list.
      Note: All users in an authorized service directory have full administrator permissions when role mapping is not defined for that directory. However, after creating a role map, any users in that directory that are not explicitly granted permissions through the role mapping are denied access (no permissions).
    6. Repeat this step for each role map you want to add.You can create a role map for each authorized directory. You can also create multiple maps that apply to a single directory. When there are multiple maps for a directory, the most specific rule for a user applies. For example, adding a GROUP map set to Cluster Admin and a USER map set to Viewer for select users in that group means all users in the group have administrator permission except those specified users who have viewing permission only.

    Figure: Create Role Mapping Window
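The rules in steps 4 through 6 (case-sensitive values, no domain suffix, full administrator access when a directory has no mapping, denial when it has mappings that do not match, most specific mapping wins) are worth dry-running before you save, because the first mapping you create silently locks out everyone it does not name. The following is an added example, not Nutanix code: a model of the documented resolution logic that you can feed your intended mappings and a sample user. It assumes "full administrator permissions" corresponds to the User Admin role and that, between two matching mappings of equal specificity (which the page does not define), the first one listed wins; both are assumptions, not documented behaviour.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ROLES = ("Viewer", "Cluster Admin", "User Admin")
SPECIFICITY = {"USER": 3, "GROUP": 2, "OU": 1}  # higher wins when several mappings match


@dataclass(frozen=True)
class RoleMapping:
    directory: str
    ldap_type: str   # USER, GROUP or OU
    role: str
    values: str      # exactly what you would type into the Values field

    def entities(self) -> List[str]:
        return self.values.split(",")


@dataclass
class DirectoryUser:
    directory: str
    name: str                              # login name without the @domain part
    groups: set = field(default_factory=set)
    ous: set = field(default_factory=set)


def validate_mapping(m: RoleMapping) -> None:
    """Reject what the Values field would reject, or what the page says not to enter."""
    if m.ldap_type not in SPECIFICITY:
        raise ValueError(f"LDAP type must be USER, GROUP or OU, got {m.ldap_type!r}")
    if m.role not in ROLES:
        raise ValueError(f"role must be one of {ROLES}, got {m.role!r}")
    for v in m.entities():
        if not v or " " in v:
            raise ValueError(f"values must be a comma separated list with no spaces: {m.values!r}")
        if "@" in v:
            raise ValueError(f"do not include a domain in a value: {v!r}")


def resolve_role(user: DirectoryUser, mappings: List[RoleMapping]) -> Optional[str]:
    """Effective role for a user: 'User Admin' when the directory has no mapping
    (assumption: full administrator == User Admin), None when mappings exist but
    none match (denied), otherwise the role of the most specific matching mapping."""
    for m in mappings:
        validate_mapping(m)
    in_scope = [m for m in mappings if m.directory == user.directory]
    if not in_scope:
        return "User Admin"
    best: Optional[RoleMapping] = None
    for m in in_scope:
        if m.ldap_type == "USER":
            hit = user.name in m.entities()                    # case-sensitive, as on the page
        elif m.ldap_type == "GROUP":
            hit = any(g in user.groups for g in m.entities())
        else:
            hit = any(ou in user.ous for ou in m.entities())
        # Strictly greater: at equal specificity the first listed mapping wins (assumption).
        if hit and (best is None or SPECIFICITY[m.ldap_type] > SPECIFICITY[best.ldap_type]):
            best = m
    return best.role if best else None


if __name__ == "__main__":
    # The page's own example plus a per-user override, as constructed sample data.
    mappings = [
        RoleMapping("corp", "GROUP", "Cluster Admin", "admin-gp,support-gp"),
        RoleMapping("corp", "USER", "Viewer", "jsmith"),
    ]
    for u in (DirectoryUser("corp", "jsmith", groups={"admin-gp"}),
              DirectoryUser("corp", "bjones", groups={"support-gp"}),
              DirectoryUser("corp", "nobody")):
        print(u.name, "->", resolve_role(u, mappings))
```

Run it against the mappings you plan to create and a list of the accounts that must keep access; any account that resolves to None will be locked out the moment the first mapping for that directory is saved.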

  3. To edit a role map entry, click the pencil icon for that entry. The Edit Role Mapping window appears, which contains the same fields as the Create Role Mapping window (see step 2). Enter the new information in the appropriate fields and then click the Save button.
  4. To delete a role map entry, click the X icon for that entry. A prompt appears to confirm the deletion; click the OK button. The entry is removed from the list.
  5. Click the Close button to close the Role Mapping window.
