How To - Implement Clientless Single Sign On Authentication with Active Directory
Applicable Version: 10.00 onwards
Overview
Cyberoam Clientless Single Sign On Authentication
With Cyberoam Clientless Single Sign On authentication, a user is automatically logged on to Cyberoam when he/she logs on to Windows with his/her Windows username and password, eliminating the need for multiple logins. It also eliminates the need to install an SSO client on each workstation, delivering ease of use to end users and a higher level of security while lowering the operational cost of client installation.
Cyberoam provides Clientless Single Sign On in the form of the Cyberoam Transparent Authentication Suite (CTAS). The CTA Suite consists of:
CTA Agent – Monitors user authentication requests and sends the information to the Collector for authentication.
CTA Collector – Collects the user authentication requests from multiple agents, processes them and sends them to Cyberoam for authentication.
How does Cyberoam CTAS work?
User Authentication Information Collection Process
The user logs on to the Active Directory Domain Controller from any workstation in the LAN, and the Domain Controller authenticates the user's credentials.
The CTA Agent captures this authentication event and communicates it to the CTA Collector over the default TCP port 5566 in real time.
The CTA Collector registers the user in its local database and communicates the user information to Cyberoam over the default UDP port 6677.
Cyberoam queries Active Directory to determine the user's group membership and registers the user in the Cyberoam database.
Based on the data from the CTA Agent, Cyberoam queries the AD server to determine group membership, on the basis of which access is granted or denied. Users logged into a workstation locally but not into the domain are not authenticated and are treated as "Unauthenticated" users; for such users the Captive Portal prompting for a manual login is displayed for further authentication.
Scenario
Implement Clientless Single Sign On (SSO) authentication with Active Directory integration in a Single Domain Controller Environment, as shown in the diagram below.
ADS Configuration
Log in to your AD Server using the Administrator profile and follow the steps below to install and configure CTAS.
Step 1: Download and Install CTAS
Download CTAS from http://www.cyberoam.com/cyberoamclients.html and install it on your AD Server.
Step 2: Configure CTAS in ADS
Once CTAS is installed, launch it from Start > All Programs > CTAS > Cyberoam Transparent Authentication Suite or from the Desktop shortcut.
Configure CTA Collector
Switch to CTA Collector tab and configure parameters as given below.
Parameter | Value | Description
Cyberoam Appliances | 192.168.1.121 | Specify the Cyberoam IP address to which the CTA Collector has to forward user information.
Workstation Polling Settings | WMI | Specify the user information polling method. Available options: WMI, Registry Read Access.
Logoff Detection Settings | Disabled | Enable if you want to monitor user logoff. If enabled, specify the detection method (pinging the workstation, or polling through WMI or Registry Read Access).
Dead Entry Timeout | 2 | Specify if you want a user to be logged off from Cyberoam after the mentioned time, even when Logoff Detection for the user is disabled.
Listening to the Cyberoam Appliances on Port | 6677 | Specify the UDP port on which the CTA Collector is to listen for requests from the Cyberoam appliance.
Listening to the remote CTA Agents (if any) on Port | 5566 | Specify the TCP port on which the CTA Collector is to listen for user information from remote CTA Agents.
Note:
- Make sure that the AD Server has UDP port 6677 and TCP port 5566 open, for communication between CTAS and Cyberoam and between the CTA Collector and CTA Agent respectively.
- If you enable Logoff Detection Settings, ensure that the firewall on all workstations is configured to allow traffic to and from the Domain Controller.
  - If ping is selected as the logoff detection method, ensure that the workstation firewall allows ping packets.
Configure CTA Agent
Switch to CTA Agent tab and configure parameters as given below.
Parameter | Value | Description
CTA Agent Mode | EVENTLOG | Select the workstation communication method.
Monitored Networks | 192.168.1.0/24 | Specify the networks to be monitored for user
General Settings
Switch to the General tab and start the CTA Agent service.
Step 3: Enable Security Event Logging
Go to Start > Administrative Tools > Local Security Policy to view Security Settings. Navigate to Security Settings > Local Policies > Audit Policy and double-click Audit account logon events to open the Audit account logon events Properties window.
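As an added example (not part of the original article or of the CTAS product), the following PowerShell script, run in an elevated session on the AD Server after Steps 1 to 3, checks that the CTA Collector is listening on the default ports, opens them in Windows Firewall if no rule exists, and confirms that account logon auditing is producing the events the CTA Agent reads in EVENTLOG mode. The firewall rule names, the appliance address 192.168.1.121 taken from the article, and the use of the standard Windows event IDs 4768 (Kerberos TGT request) and 4776 (NTLM credential validation) are assumptions.

```powershell
# Added verification script; not from the Cyberoam article or the CTAS installer.
# Assumes the default CTAS ports from the article: TCP 5566 (CTA Agent -> Collector)
# and UDP 6677 (Cyberoam appliance <-> Collector). Event IDs 4768 and 4776 are the
# standard "Account Logon" events a domain controller writes to the Security log.

$AgentPort    = 5566             # TCP, CTA Agent -> CTA Collector
$ApplianceUdp = 6677             # UDP, Cyberoam appliance <-> CTA Collector
$CyberoamIp   = '192.168.1.121'  # Appliance address from the article; adjust if different

# 1. Is the CTA Collector actually bound to the expected ports on this host?
$tcp = Get-NetTCPConnection -LocalPort $AgentPort -State Listen -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint -LocalPort $ApplianceUdp -ErrorAction SilentlyContinue
"TCP $AgentPort listening : $([bool]$tcp)"
"UDP $ApplianceUdp bound  : $([bool]$udp)"

# 2. Create inbound firewall rules for the two ports if they do not exist yet.
#    The UDP rule is restricted to the appliance address (least exposure).
if (-not (Get-NetFirewallRule -DisplayName 'CTAS Agent TCP 5566' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'CTAS Agent TCP 5566' -Direction Inbound `
        -Protocol TCP -LocalPort $AgentPort -Action Allow | Out-Null
}
if (-not (Get-NetFirewallRule -DisplayName 'CTAS Cyberoam UDP 6677' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'CTAS Cyberoam UDP 6677' -Direction Inbound `
        -Protocol UDP -LocalPort $ApplianceUdp -RemoteAddress $CyberoamIp -Action Allow | Out-Null
}

# 3. Confirm that "Audit account logon events" (Step 3) is enabled; without it the
#    CTA Agent in EVENTLOG mode has nothing to forward to the Collector.
auditpol /get /category:"Account Logon"

# 4. Show the most recent account logon events the agent will be consuming.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4776 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

If step 4 returns no events after a domain user has logged on, the audit policy is not in effect yet and the CTA Agent will not see any logons.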
Cyberoam Configuration
After implementing CTAS on the AD Server, you can integrate it with Cyberoam by following the steps below.
Step 1: Configure Cyberoam to use Active Directory as the Authentication Server.
Refer to the article How To – Integrate with Active Directory for details.
Step 2: Configure Collector Port and Group in Cyberoam
Log on to the Cyberoam CLI Console using the Administrator password and go to Option 4, Cyberoam Console. Execute the following command to add the collector IP and collector port, and to create a collector group.
console> cyberoam auth cta collector add collector-ip <ip-address> collector-port <port> create-new-collector-group
Note:
For Cyberoam firmware versions below 10.02.0 Build 473, add the collector IP and collector port using the following command.
console> cyberoam auth cta collector add collector-ip <ipaddress> collector-port <port number>
This completes the configuration of Clientless SSO on your ADS and Cyberoam.