Figure 129
The Authentication tab lets you control access to proxy services by creating authentication profiles and assigning them to the services.
For more information, see Authentication Services.
Authentication Profiles: List of the authentication profiles you have configured on the appliance using the Authentication dialog box.
Path: Cache > Authentication > Insert under the Authentication Profiles list
Figure 130
The Authentication dialog box lets you assign an authentication profile name and select the desired authentication method.
For more information, see Authentication Services.
IMPORTANT: Excelerator doesn't recognize case differences in profile names. MyProfile and myprofile are, effectively, the same profile name.
Also, Excelerator partially overwrites and concatenates previously created profiles without warning if a duplicate name is used. Therefore, if you create a profile named MyProfile and later create another profile named myprofile, Excelerator will remove the first name, concatenate parts of the first profile with the second, and use the second name.
To avoid these problems, ensure that each profile has a unique name.
After selecting the authentication source, you must configure the source by clicking its respective Options button.
Path: Cache > Authentication > Insert > Mutual Authentication > Mutual Authentication Options
Figure 131
Use the Mutual Authentication Options dialog box to create a mutual authentication profile.
List of Trusted Roots: Displays trusted root certificates already installed. Click Insert to add trusted root certificates; click Delete to remove existing certificates.
For more information regarding mutual authentication profiles, see Using Mutual (Certificate-Based) Authentication.
Path: Cache > Authentication > Insert > Mutual Authentication > Mutual Authentication Options > Import Trusted Root
Figure 132
The Import Trusted Root dialog box lets you create a trusted root file that contains information identifying the Certificate Authority used by the server for the profile you are creating.
To create a trusted root file, see the instructions in Importing a Trusted Root to a Cache Device.
Path: Cache > Authentication > Insert > LDAP Authentication > Options
Figure 133
Use the LDAP Options dialog box to configure the appliance for users who authenticate through an LDAP database.
LDAP Server Address: The IP address of the LDAP server.
LDAP Server Listening Port: The port number on which the LDAP server is listening for requests from LDAP clients. The default is 389 for normal access. Use 636 for secure access.
Enable Secure Access to LDAP Server: Sends the data exchanged between the LDAP client and the LDAP server over SSL.
LDAP Server Trusted Root File: The path to a trusted root file that contains the Certificate Authority (CA) used by the LDAP server in the profile you are creating.
Excelerator fills this field with information for the trusted root file you create using the Import Trusted Root button. See the instructions found in Import Trusted Root Dialog Box (LDAP Authentication).
If the LDAP server uses a CA for which you have previously created a trusted root file, you can manually type the path and filename in this field. For example, you might be using the same LDAP server for multiple authentication profiles.
Import Trusted Root: Opens the Import Trusted Root dialog box. See Import Trusted Root Dialog Box (LDAP Authentication).
The contents of this box change depending on the option selected.
(See Figure 133.) Select this option to have users log in using their e-mail name field in the LDAP database. You must provide one or more contexts in which the LDAP server will search for the e-mail name.
This option is somewhat redundant with Use Field Name because the e-mail name is simply an LDAP field name. E-mail is offered separately because it is used so often.
LDAP Search Base: Click Insert to enter the context of one or more LDAP containers from which the search for the e-mail name should begin.
You must also provide authentication information for the appliance to access the LDAP server using one of the following options:
Figure 134
Select this option to allow users to authenticate using their LDAP usernames. Users can use either their fully distinguished LDAP (full LDAP contexts) usernames, or you can provide a list of LDAP contexts so users only need to type their usernames.
IMPORTANT: Using this option with Netscape's LDAP server requires a special setup procedure. For more information, see Use Distinguished Name.
LDAP Contexts: Specific contexts in which the LDAP server will look for usernames. This provides a shortcut to authentication of users by allowing them to type only their LDAP usernames.
The appliance searches each context until it either locates the name or exhausts the search. If duplicate names exist in different contexts, the appliance searches until the correct name/password match is found.
Figure 135
Select this option to require that users enter a specific LDAP field name.
Field Name: The LDAP field name (such as CN or UID) through which users can authenticate. If the field is left blank, the system automatically uses CN as the field name.
LDAP Search Base: Click Insert to enter the context of one or more LDAP containers. The appliance will perform a subtree search in all containers in the list. The subcontainers of the listed containers will also be searched.
Use Anonymous Bind for LDAP Search: Select this option if the appliance can authenticate to the LDAP server using anonymous bind.
Use User Name/Password Bind for LDAP Search: Select this option if anonymous bind is not enabled on the LDAP server, and enter the username and password pair with which the appliance authenticates to the LDAP server in order to use its authentication services.
LDAP Group Object Class Name: The object class name the target directory's schema uses to designate an LDAP group.
LDAP User Attribute Group Membership: The user object attribute used by the target directory to designate group membership.
For more information, see Enabling and Using LDAP Groups and Designating the Group Class and/or Attribute Name.
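As an added illustration (not part of this manual or of the appliance's own code), the following Python models the lookup behaviour the LDAP options describe: a fully distinguished name binds directly, a bare login name is looked up by the chosen field (CN by default) in each listed context in turn with a subtree search into subcontainers, and when the same name exists in several contexts the search continues until a name/password pair matches. The directory contents are constructed sample data.

```python
import hmac

# Constructed in-memory stand-in for the LDAP directory (hypothetical entries).
# Each entry: DN -> (attributes, password). "alice" exists in two contexts.
DIRECTORY = {
    "cn=alice,ou=sales,o=example": ({"cn": "alice", "uid": "alice.s"}, "sales-secret"),
    "cn=alice,ou=eng,o=example": ({"cn": "alice", "uid": "alice.e"}, "eng-secret"),
    "cn=bob,ou=eng,o=example": ({"cn": "bob", "uid": "bob"}, "bob-secret"),
    "cn=carol,ou=team,ou=eng,o=example": ({"cn": "carol", "uid": "carol"}, "carol-secret"),
}


def _norm(dn):
    """Normalise a DN for comparison: trim and lower-case each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def subtree_search(base, field, value):
    """Return DNs at or below `base` whose attribute `field` equals `value`."""
    base_n, field = _norm(base), field.lower()
    hits = []
    for dn, (attrs, _) in DIRECTORY.items():
        dn_n = _norm(dn)
        in_subtree = dn_n == base_n or dn_n.endswith("," + base_n)
        if in_subtree and attrs.get(field, "").lower() == value.lower():
            hits.append(dn)
    return hits


def bind(dn, password):
    """Simulate an LDAP simple bind; constant-time compare of the stored password."""
    for stored_dn, (_, stored_pw) in DIRECTORY.items():
        if _norm(stored_dn) == _norm(dn):
            return hmac.compare_digest(stored_pw.encode(), password.encode())
    return False


def authenticate(username, password, contexts, field="CN"):
    """Resolve a login name to a DN and bind; returns the bound DN or None.

    A name containing '=' is treated as a full LDAP context and bound directly.
    Otherwise each context is searched in order; a duplicate name whose password
    does not match is skipped and the search continues with the next hit.
    """
    if "=" in username:
        return username if bind(username, password) else None
    for ctx in contexts:
        for dn in subtree_search(ctx, field or "CN", username):
            if bind(dn, password):
                return dn
    return None
```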
Path: Cache > Authentication > Insert > LDAP Authentication > LDAP Options > Import Trusted Root
Figure 136
The Import Trusted Root dialog box lets you create a trusted root file that contains information identifying the Certificate Authority used by the LDAP server for the profile you are creating.
NOTE: Importing a trusted root file using this dialog box does not affect the list of trusted roots available for mutual authentication profiles, which are imported using the dialog box explained in Import Trusted Root Dialog Box (Mutual Authentication).
For more information, see Importing a Trusted Root to a Cache Device.
Path: Cache > Authentication > Insert > RADIUS Authentication > Options
Figure 137
Use this dialog box to specify a RADIUS server the appliance can use for authentication. For more information regarding RADIUS authentication, see Using RADIUS Authentication.
RADIUS Server Address: The IP address of the RADIUS server.
RADIUS Server Listening Port: The port number on which the RADIUS server listens for incoming authentication requests.
RADIUS Shared Secret: The string the RADIUS server uses to verify that the appliance can request authentication of users.
RADIUS Shared Secret Confirmation: Confirmation string the system will compare with the RADIUS Shared Secret. The system compares the strings to ensure they match before accepting the configuration.
RADIUS Server Reply Time in Seconds: The total time the appliance will wait for a response from the RADIUS server before authentication fails. The default is 7 seconds.
RADIUS Re-send Time in Seconds: The interval in seconds between appliance requests to the RADIUS server. The default is 2 seconds. This means that the appliance could send three requests before the 7-second default limit expires and the authentication request fails.
Path: Cache > Authentication > Insert > NDS Authentication > Options
Figure 138
Use the NDS Options dialog box to configure the appliance so that users authenticate through an NDS database. For more information regarding NDS authentication, see Using NDS (eDirectory) Authentication.
NDS Server Address: The IP address of the NDS server.
Users' Default Context List: Displays the defined NDS context(s).
To add an NDS context, click Insert. The following dialog displays:
Figure 139
Enter the appropriate NDS context and tree name and click OK.
Path: Cache > Authentication > Insert > Basic Authentication > Basic Authentication Options
Figure 140
Use this dialog to set up basic authentication. With basic authentication, usernames and passwords are lightly encrypted (low security).
To use basic authentication, you must already have established an authentication method with at least one of the existing authentication options. Select the desired profile from the drop-down menu and click OK.
For more information regarding Basic authentication, see Using Basic Authentication.
Path: Cache > Authentication > Insert > NTLM Authentication > Options
Figure 141
Use this dialog box to create NTLM-based authentication profiles for forward proxy services.
Address List: This list contains the IP address of the Domain Controller used by the profile.
For more information regarding NTLM authentication profiles, see Using NTLM Authentication.