HomeHome ArticlesArticles Most Popular ArticlesMost Popular Articles Most Helpful ArticlesMost Helpful Articles Request New ArticleRequest New Article
RSS Feeds
DrillDown Icon Table of Contents Back
 . . . . . . . . . . . . .
DrillDown Icon FAQs on Cyberoam and Sophos Firewall
DrillDown Icon Vulnerability Security Advisories
DrillDown Icon Best Practices & Policies
DrillDown Icon Protect Your Cyberoam Appliances from Power Fluctuations
DrillDown Icon Technical Library
DrillDown Icon Deployment
DrillDown Icon Registration & Licensing
DrillDown Icon System
DrillDown Icon Objects
DrillDown Icon Network
DrillDown Icon Identity
DrillDown Icon Authentication
DrillDown Icon Customize Captive Portal in Cyberoam
DrillDown Icon Active Directory (AD) Authentication
DrillDown Icon Port Requirements in AD-DC local firewall for CTAS connectivity
DrillDown Icon Install Novell eDirectory Compatible CTAS
DrillDown Icon Implement Clientless SSO Authentication in Multiple Active Directory Domain Controller
DrillDown Icon Group Membership behavior in case of Tight Integration with Active Directory
DrillDown Icon Integrate Cyberoam with Active Directory
DrillDown Icon Implement Clientless SSO Authentication in Single AD Domain Controller Environment
DrillDown Icon Implement SSO Authentication with AD (English & Non-English Version)
DrillDown Icon Import AD OUs and Groups
DrillDown Icon I have removed certain users from my AD server. How do I synchronize Cyberoam’s User Database with it?
DrillDown Icon Does Cyberoam import AD users’ email addresses along with their credentials?
DrillDown Icon Is it possible to authenticate Remote Desktop Server users without Active Directory Integration with Cyberoam?
DrillDown Icon How to configure an External Authentication Server to authenticate L2TP/PPTP/IPSec users?
DrillDown Icon NTLM Authentication
DrillDown Icon Configure SSO for WLAN Users Authenticated by RADIUS Server
DrillDown Icon Integrate Cyberoam with Gemalto SA Server NPS Agent
DrillDown Icon How to Login in a Two Factor Authentication Environment?
DrillDown Icon Guest User Creation using Captive Portal
DrillDown Icon Configure Windows Server 2008 as a RADIUS Server with MS-CHAP v2 Authentication
DrillDown Icon Configure Captive Portal URL Redirection
DrillDown Icon Integrate Cyberoam with RSA SecurID as a RADIUS Client
DrillDown Icon Integrate Cyberoam with ESET Secure Authentication Server
DrillDown Icon Allow Specific Websites without Authentication
DrillDown Icon Configure Cyberoam to use RADIUS Server for Authentication
DrillDown Icon Integrate Cyberoam with LDAP Server
DrillDown Icon Serve a Custom Page to unauthenticated users instead of Captive portal
DrillDown Icon How to customize the Default SMS sent to Guest Users?
DrillDown Icon Why is Captive Portal not displayed to users while trying to access Internet when a default Drop Policy is applied?
DrillDown Icon How to set authentication mechanism for L2TP or PPTP VPN users?
DrillDown Icon How to setup the Maximum Session Timeout globally for all users?
DrillDown Icon How do I configure Cyberoam to automatically logout inactive users?
DrillDown Icon Users and Groups
DrillDown Icon Implement Access Time Policy for a User/Group
DrillDown Icon Apply Surfing Quota Policy for User
DrillDown Icon Create a Data Transfer Policy
DrillDown Icon Implement BYOD Security with Cyberoam
DrillDown Icon Firewall
DrillDown Icon VPN
DrillDown Icon IPS
DrillDown Icon Web Filter
DrillDown Icon Application Filter
DrillDown Icon Web Application Firewall (WAF)
DrillDown Icon IM
DrillDown Icon Quality of Service (QoS)
DrillDown Icon Anti Virus
DrillDown Icon Anti Spam
DrillDown Icon Logs & Reports
DrillDown Icon Clients
DrillDown Icon Cyberoam Maintenance
DrillDown Icon Compatibility
DrillDown Icon Archives
DrillDown Icon Visio Stencils for Cyberoam security appliances
DrillDown Icon Product Technical Support
  Subscribe Print PreviewPrint Current Article and All Sub-Articles
Rate Icon Rate Icon Rate Icon Rate Icon Rate Icon
 
Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment
Applicable Version: 10.00 onwards
 
Overview
 
Cyberoam Clientless Single Sign On Authentication

With Cyberoam Clientless Single Sign On authentication, user automatically logs on to Cyberoam when he/she logs on to Windows using his/her windows username and password, eliminating the need of multiple logins. Furthermore, it also eliminates the need to install SSO clients on each workstation. Hence, delivering high ease-of-use to end-users, higher levels of security in addition to lowering operational costs involved in client installation.

Cyberoam provides Clientless Single Sign On in the form of Cyberoam Transparent Authentication Suite (CTAS). The CTA Suite consists of:

CTA Agent It monitors user authentication requests and sends information to the Collector for authentication.

CTA Collector – It collects the user authentication request from multiple agents, processes the request and sends to Cyberoam for authentication.

How does Cyberoam CTAS work?

User Authentication Information Collection Process
 
·    User logs on to the Active Directory Domain Controller from any workstation in LAN. Domain Controller authenticates user credentials.
·    The CTA Agent captures and communicates this authentication process to CTA Collector over default TCP port 5566 in real time.
·    CTA Collector registers user in the Local database and communicates user information to Cyberoam over the default UDP port 6677.
·    Cyberoam queries Active Directory to determine user’s group membership and registers user in Cyberoam database

Based on data from CTA Agent, Cyberoam queries AD server to determine group membership, based on which access is granted or denied. Users logged into a workstation directly i.e. locally but not logged into the domain will not be authenticated and are considered as “Unauthenticated” users. For users that are not logged into the domain, the Captive Portal prompting for a manual login will be displayed for further authentication.

 

Scenario

Implement Clientless Single Sign On (SSO) authentication with Active Directory integration in a Single Domain Controller Environment, as shown in the diagram below.
 
 
 

ADS Configuration

Login to your AD Server using Administrator profile and follow the steps below to install and configure CTAS.

Step 1: Download and Install CTAS

Download CTAS from http://www.cyberoam.com/cyberoamclients.html and install it in your AD Server.

Step 2: Configure CTAS in ADS

Once CTAS is installed, launch it from Start > All Programs > CTAS > Cyberoam Transparent Authentication Suite or Desktop shortcut.

Configure CTA Collector

Switch to CTA Collector tab and configure parameters as given below.
 

Parameter

Value

Description

Cyberoam Appliances

192.168.1.121

Specify Cyberoam IP Address to which CTA Collector has to forward user information.

Workstation Polling Settings

WMI

Specify User Information Polling method.

Available options:

WMI

Registry Read Access

Logoff Detection Settings

Disabled

Enable if you want to monitor user logoff. If enabled, specify the Detection Method (Pinging the workstation or Polling through WMI or Registry Read Access)

Dead Entry Timeout

2

Specify if you want a user to be logged off from Cyberoam, after the mentioned time, even when the Logoff Detection for the users is disabled.

Listening to the Cyberoam Appliances on Port

6677

Specify the UDP port on which the CTA collector is to listen for requests from Cyberoam Appliance.

Listening to the remote CTA Agents (if any) on Port

5566

Specify the TCP port on which the CTA collector is to listen for requests from Remote CTA Agents.

 

Note:


-   Make sure that the AD Server has UDP port 6677 and TCP port 5566 open for communication between CTAS and Cyberoam, and CTA Collector and CTA Agent respectively.
-   If you enable Logoff Detection Settings, ensure that firewall on all workstations are configured such that they allow traffic to and from the Domain Controller.
  o  If ping is selected as log off detection method, ensure that workstation firewall allows ping packets.
  o  If WMI Polling method is selected, ensure that workstation firewall allows traffic over UDP port 135.

Configure CTA Agent

Switch to CTA Agent tab and configure parameters as given below.
 

Parameter

Value

Description

CTA Agent Mode

EVENTLOG

Select Workstation Communication Method

Monitored Networks

192.168.1.0/24

Specify the networks to be monitored for user authentication. Multiple networks can be added.

 
 


General Settings

Switch to the General tab and start the CTA Agent service.
 
 

Step 3: Enable Security Event Logging

Go to Start > Administrative Tools > Local Security Policy to view Security Settings. Traverse to Security Settings > Local Policies > Audit Policy and double click on Audit account logon events to view the Audit account logon events Properties window.
 
Enable Audit of Success and Failure logon events, as shown in the screen below.  

 

Cyberoam Configuration

After implementing CTAS on the AD Server, you can integrate it with Cyberoam by following the steps below.

Step 1: Configure Cyberoam to use Active Directory as Authentication Server.

Refer to the article How To – Integrate with Active Directory for details.

Step 2: Configure Collector Port and Group in Cyberoam

   Logon to Cyberoam CLI Console using Administrator password.

   Go to Option 4. Cyberoam Console.

   Execute following command to enable Cyberoam Transparent Authentication.

     console> cyberoam auth cta enable
 
      

·    
Execute the following commands to add collector IP and collector port, and create a collector group.
 
    console> cyberoam auth cta collector add collector-ip  <ip-address> collector-port <port>

   create-new-collector-group

       

    Note:

    For Cyberoam firmware version below 10.02.0 Build 473, add the collector IP and collector port using the following command.

    console> cyberoam auth cta collector add collector-ip <ipaddress> collector-port<port number>
 
   



This completes the configuration of Clientless SSO on your ADS and Cyberoam.
 






                                                                                                                                                        Document Version: 2.8 – 5 August, 2014
Attachments
Related Articles

Article ID: 1629