Authentication Tab

Path: Cache > Authentication

Figure 129

The Authentication tab lets you control access to proxy services by creating authentication profiles and assigning them to the services.

For more information, see Authentication Services.

Authentication Profiles: List of the authentication profiles you have configured on the appliance using the Authentication dialog box.


Authentication Dialog Box

Path: Cache > Authentication > Insert under the Authentication Profiles list

Figure 130

The Authentication dialog box lets you assign an authentication profile name and select the desired authentication method.

For more information, see Authentication Services.

IMPORTANT:  Excelerator doesn't recognize case differences in profile names. MyProfile and myprofile are, effectively, the same profile name.

Also, Excelerator partially overwrites and concatenates previously created profiles without warning if a duplicate name is used. Therefore, if you create a profile named MyProfile and later create another profile named myprofile, Excelerator will remove the first name, concatenate parts of the first profile with the second, and use the second name.

To avoid these problems, ensure that each profile has a unique name.

After selecting the authentication source, you must configure the source by clicking its respective Options button.


Mutual Authentication Options Dialog Box

Path: Cache > Authentication > Insert > Mutual Authentication > Mutual Authentication Options

Figure 131

Use the Mutual Authentication Options Dialog Box to create a mutual authentication profile.

List of Trusted Roots: Displays the trusted root certificates already installed. Click Insert to add trusted root certificates; click Delete to remove existing certificates.

For more information regarding mutual authentication profiles, see Using Mutual (Certificate-Based) Authentication.


Import Trusted Root Dialog Box (Mutual Authentication)

Path: Cache > Authentication > Insert > Mutual Authentication > Mutual Authentication Options > Import Trusted Root

Figure 132

The Import Trusted Root dialog box lets you create a trusted root file that contains information identifying the Certificate Authority used by the server for the profile you are creating.

To create a trusted root file, see the instructions in Importing a Trusted Root to a Cache Device.


LDAP Options Dialog Box

Path: Cache > Authentication > Insert > LDAP Authentication > Options

Figure 133

Use the LDAP Options dialog box to configure the appliance for users who authenticate through an LDAP database.

LDAP Server Address: The IP address of the LDAP server.

LDAP Server Listening Port: The port number on which the LDAP server is listening for requests from LDAP clients. The default is 389 for normal access. Use 636 for secure access.

Enable Secure Access to LDAP Server: Encrypts the data exchanged between the LDAP client and the LDAP server using SSL.

LDAP Server Trusted Root File: The path to a trusted root file that contains the Certificate Authority (CA) used by the LDAP server in the profile you are creating.

Excelerator fills this field with information for the trusted root file you create using the Import Trusted Root button. See the instructions found in Import Trusted Root Dialog Box (LDAP Authentication).

If the LDAP server uses a CA for which you have previously created a trusted root file, you can manually type the path and filename in this field. For example, you might be using the same LDAP server for multiple authentication profiles.

Import Trusted Root: Opens the Import Trusted Root dialog box. See Import Trusted Root Dialog Box (LDAP Authentication).


LDAP Login Name Format

The contents of this box change depending on the option selected.


Use User's E-Mail

(See Figure 133.) Select this option to have users log in with the value of the e-mail name field in the LDAP database. You must provide one or more contexts in which the LDAP server will search for the e-mail name.

This option is somewhat redundant with Use Field Name because the e-mail name is simply an LDAP field name. E-mail is offered separately because it is used so often.

LDAP Search Base: Click Insert to enter the context of one or more LDAP containers from which the search for the e-mail name should begin.

You must also provide authentication information for the appliance to access the LDAP server using one of the following options:


Use Distinguished Name

Figure 134

Select this option to allow users to authenticate using their LDAP usernames. Users can log in with their fully distinguished LDAP usernames (full LDAP contexts), or you can provide a list of LDAP contexts so that users only need to type their usernames.

IMPORTANT:  Using this option with Netscape's LDAP server requires a special setup procedure. For more information, see Use Distinguished Name.

LDAP Contexts: Specific contexts in which the LDAP server will look for usernames. This provides a shortcut to authentication of users by allowing them to type only their LDAP usernames.

The appliance searches each context until it either locates the name or exhausts the search. If duplicate names exist in different contexts, the appliance searches until the correct name/password match is found.


Use Field Name

Figure 135

Select this option to require that users enter a specific LDAP field name.

Field Name: The LDAP field name (such as CN or UID) through which users can authenticate. If the field is left blank, the system automatically uses CN as the field name.

LDAP Search Base: Click Insert to enter the context of one or more LDAP containers. The appliance performs a subtree search of every container in the list, so the subcontainers of the listed containers are searched as well.

Use Anonymous Bind for LDAP Search: Select this option if the appliance can authenticate to the LDAP server using anonymous bind.

Use User Name/Password Bind for LDAP Search: Select this option if anonymous bind is not enabled on the LDAP server, then enter the username and password pair through which the appliance authenticates to use the LDAP server's authentication services.
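The way the three LDAP Login Name Format options and the two search-bind options above turn a typed login into directory lookups, as an added example that is not Excelerator's own code: it runs against a small constructed in-memory directory, and every DN, attribute value, password and the proxy bind account is sample data.

```python
# Added example (not Excelerator's code): models how the LDAP login-name formats
# above turn a typed login into directory lookups, against a constructed
# in-memory directory. Every DN, attribute value and password is sample data.

# Constructed sample directory: DN -> attributes ("pw" stands in for the bind password)
DIRECTORY = {
    "cn=alice,ou=sales,o=acme": {"cn": "alice", "uid": "al", "mail": "alice@acme.example", "pw": "s3cret"},
    "cn=alice,ou=eng,o=acme": {"cn": "alice", "uid": "alice2", "mail": "alice.e@acme.example", "pw": "other"},
    "cn=bob,ou=eng,ou=west,o=acme": {"cn": "bob", "uid": "bob", "mail": "bob@acme.example", "pw": "hunter2"},
}
SEARCH_BIND = ("cn=proxy,o=acme", "proxy-pw")  # constructed Use User Name/Password Bind credentials
ANONYMOUS_BIND_ALLOWED = False                 # constructed: this server rejects anonymous searches

def in_subtree(dn, base):
    """True if dn is at or below base, i.e. the subtree search an LDAP Search Base implies."""
    return dn == base or dn.endswith("," + base)

def subtree_search(attr, value, bases, bind=None):
    """DNs under any listed base whose attr equals value; searching needs a bind of some kind."""
    if bind is None and not ANONYMOUS_BIND_ALLOWED:
        raise PermissionError("anonymous bind disabled: select Use User Name/Password Bind")
    return [dn for dn, attrs in DIRECTORY.items()
            if any(in_subtree(dn, b) for b in bases) and attrs.get(attr) == value]

def candidate_dns(fmt, login, contexts, field_name="CN", bind=None):
    """DNs the profile tries, in list order, for the chosen LDAP Login Name Format."""
    if fmt == "dn":
        # Use Distinguished Name: a full DN is used as typed; a bare username is
        # expanded with each LDAP Context in turn.
        if login in DIRECTORY:
            return [login]
        return [f"cn={login},{ctx}" for ctx in contexts if f"cn={login},{ctx}" in DIRECTORY]
    # Use User's E-Mail is Use Field Name with the mail attribute; a blank field means CN.
    attr = "mail" if fmt == "email" else (field_name or "CN").lower()
    return subtree_search(attr, login, contexts, bind)

def authenticate(fmt, login, password, contexts, field_name="CN", bind=SEARCH_BIND):
    """Try each candidate until a name/password match is found; None if none matches."""
    for dn in candidate_dns(fmt, login, contexts, field_name, bind):
        if DIRECTORY[dn]["pw"] == password:  # a real appliance binds as dn with the password here
            return dn
    return None
```

The duplicate "alice" entries show the behaviour described under LDAP Contexts: both candidates are tried until the password matches one of them.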


LDAP Group Fields

LDAP Group Object Class Name: The name of the object class that the target directory's schema uses to designate an LDAP group.

LDAP User Attribute Group Membership: The user object attribute used by the target directory to designate group membership.

For more information, see Enabling and Using LDAP Groups and Designating the Group Class and/or Attribute Name.


Import Trusted Root Dialog Box (LDAP Authentication)

Path: Cache > Authentication > Insert > LDAP Authentication > LDAP Options > Import Trusted Root

Figure 136

The Import Trusted Root dialog box lets you create a trusted root file that contains information identifying the Certificate Authority used by the LDAP server for the profile you are creating.

NOTE:  Importing a trusted root file using this dialog box does not affect the list of trusted roots available for mutual authentication profiles, which are imported using the dialog box explained in Import Trusted Root Dialog Box (Mutual Authentication).

For more information, see Importing a Trusted Root to a Cache Device.


RADIUS Options Dialog Box

Path: Cache > Authentication > Insert > RADIUS Authentication > Options

Figure 137

Use this dialog box to specify a RADIUS server the appliance can use for authentication. For more information regarding RADIUS authentication, see Using RADIUS Authentication.

RADIUS Server Address: The IP address of the RADIUS server.

RADIUS Server Listening Port: The port number on which the RADIUS server listens for incoming authentication requests.

RADIUS Shared Secret: The string the RADIUS server uses to verify that the appliance can request authentication of users.

RADIUS Shared Secret Confirmation: Confirmation string the system will compare with the RADIUS Shared Secret. The system compares the strings to ensure they match before accepting the configuration.

RADIUS Server Reply Time in Seconds: The total time the appliance will wait for a response from the RADIUS server before authentication fails. The default is 7 seconds.

RADIUS Re-send Time in Seconds: The interval in seconds between appliance requests to the RADIUS server. The default is 2 seconds. This means that the appliance could send three requests before the 7-second default limit expires and the authentication request fails.


NDS Options Dialog Box

Path: Cache > Authentication > Insert > NDS Authentication > Options

Figure 138

Use the NDS Options dialog box to configure the appliance so that users authenticate through an NDS database. For more information regarding NDS authentication, see Using NDS (eDirectory) Authentication.

NDS Server Address: The IP address of the NDS server.

Users' Default Context List: Displays the defined NDS context(s).

To add an NDS context, click Insert. The following dialog displays:

Figure 139

Enter the appropriate NDS context and tree name and click OK.


Basic Authentication Options Dialog

Path: Cache > Authentication > Insert > Basic Authentication > Basic Authentication Options

Figure 140

Use this dialog to set up basic authentication. With basic authentication, usernames and passwords are lightly encrypted (low security).

To use basic authentication, you must already have established an authentication method with at least one of the existing authentication options. Select the desired profile from the drop-down menu and click OK.

For more information regarding Basic authentication, see Using Basic Authentication.
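Why the text rates basic authentication as low security, as an added example that is not Excelerator's own code: the credentials an HTTP client sends in a Basic Authorization (or Proxy-Authorization) header are only base64-encoded, so anyone who can read an unencrypted connection recovers them. The header value below is constructed sample data.

```python
# Added example (not Excelerator's code): shows what "lightly encrypted" means for
# HTTP Basic authentication. The header value is constructed sample data.
import base64

def basic_credentials(header_value):
    """Return (username, password) from a Basic Authorization header value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # first colon separates user and password
    return (user, password) if sep else None

def credentials_exposed(header_value, transport_is_tls):
    """True when Basic credentials travel without TLS: the low-security case the text warns about."""
    return basic_credentials(header_value) is not None and not transport_is_tls
```

A proxy log or packet capture that shows a Basic header on a plain-HTTP connection therefore shows the password itself, which is why the profile wrapped by basic authentication should only be offered over a secured transport.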


NTLM Authentication Options Dialog Box

Path: Cache > Authentication > Insert > NTLM Authentication > Options

Figure 141

Use this dialog box to create NTLM-based authentication profiles for forward proxy services.

Address List: This list contains the IP address of the Domain Controller used by the profile.

For more information regarding NTLM authentication profiles, see Using NTLM Authentication.