Configure SD-WAN User and Device Authentication

For supported software information, see Supported Software Information at the end of this article.

You can create policies and rules to authenticate both the users and the devices that enter a secure SD-WAN network. You can authenticate the users and devices before the gateways route the traffic to internet or private applications.

When you create a policy, you define rules with match criteria that determine when to authenticate users. For the match criteria, you can select applications and URLs, source and destination traffic, IP addresses, and services. You can also create rules with match criteria for users who you do not want to authenticate.

You configure user and device authentication profiles to specify the authentication type. You then reference a profile in a user and device authentication rule to specify how to authenticate the users who match that rule's criteria.

Configure User and Device Authentication Policies

To configure a user and device authentication policy for secure SD-WAN users and groups:

  1. In Tenant view, select Configure > Secure SD-WAN > User and Device Authentication > Policies.

    The User and Device Authentication Policies screen displays.
  2. To create a new user and device authentication policy, click the + Add icon. The Add User and Device Authentication Policy screen displays.
  3. Click Add User & Device Authentication Rule. The screen displays the workflow to create a rule, beginning with step 1, Applications and URLs.
  4. By default, all applications, URLs, and reputations are included in the match criteria. You can include or exclude specific applications, application groups, application categories, URL categories, and URL reputations.

    To specify traffic for application groups, specific applications, application categories, and URL categories and reputations for the rule:

    1. Select the Applications > Application Groups tab.
    2. To select specific application groups to include or exclude in the rule, click User Defined Application Groups, Predefined Application Groups, or both. Then select the application groups for the rule to match. You can use the Search bar to find specific application groups.
    3. Select the Applications > Applications tab, and then select one or more user-defined and predefined applications for the rule to match. You can use the Search bar to find specific applications.
    4. Select the Applications > Application Category tab, and then select one or more user-defined and predefined application categories for the rule to match. You can use the Search bar to find specific application categories.
    5. Select the URLs and Reputations tab.
    6. In the URL Categories field, click the down arrow, and then select one or more URL categories for the rule to match.
    7. In the Reputations field, click the down arrow, and then select one or more reputations to include in the rule:
      • High risk
      • Low risk
      • Moderate risk
      • Suspicious
      • Trustworthy
      • Undefined
  5. Click Next or select step 2, Source and Destination Traffic.
  6. By default, traffic from all source and destination addresses and zones, and from all sites, is included in the match criteria. You can include or exclude specific source and destination traffic for the rule to match.

    To match traffic from specific source and destination addresses, zones, and sites:
    1. Select the Source Addresses tab.
    2. Select a source address group or address object for the rule to match, or use the search box to find a source address group or object. To exclude the selected source address or addresses, click Negate Source Address.
      • To create an Address Group object, click the + icon. For more information, see Add Address Group.
      • To create an Address Object, click the + icon. For more information, see Add Address Object.
    3. To match on IP range, subnet, or wildcard, enter one or more values in the IP Range, Subnet, or Wildcard fields. 
    4. Select the Destination Addresses tab.
    5. Select a destination address group or object for the rule to match, or use the search box to find a destination address group or object. To exclude the selected destination address or addresses, click Negate Destination Address.
      • To create an Address Group object, click the + icon. For more information, see Add Address Group.
      • To create an Address Object, click the + icon. For more information, see Add Address Object.
    6. To match on IP range, subnet, or wildcard, enter one or more values in the IP Range, Subnet, or Wildcard fields. 
    7. Click Enable Match Anycast Address to match on an anycast IP address, which is a shared default gateway IP address.
    8. Select the Source Zones & Sites tab to specify source zones to include in the match criteria. Select one or more source zones or source sites from the lists. You can also select an ingress routing instance.
    9. Select the Destination Zones & Sites tab to specify destination zones to include in the match criteria. Select one or more destination zones or destination sites from the lists. You can also select an egress routing instance.

  7. Click Next or select step 3, Service and DSCP.
  8. By default, all services, service groups, and DSCPs are included in the match criteria. You can specify the services, service groups, and Differentiated Services Code Points (DSCPs) for the rule to match.

    To specify services, service groups, and DSCP for the rule:
    1. Select the Services tab.
    2. Select the services to include in the match criteria. To filter the list, click All Services, and select Predefined or User Defined. You can also search by service name.
    3. Select the Service Groups tab.
    4. Select the service groups to include in the match criteria. You can search by service group name.
      • To create a service group object, click the + icon. For more information, see Add a Service Group.
    5. Select the DSCP tab. By default, all DSCP decimal values are included in the match criteria. You can specify which DSCP decimal values to include.
    6. Select one or more DSCP decimal values. The value range is 0 to 63. You can use the search bar to locate values.
  9. Click Next to go to step 4, Action.
  10. By default, users who match the criteria you selected in the preceding steps are not authenticated; Do Not Authenticate is selected. To authenticate matching users, click Authenticate Using User and Group Profile, and then select the profile that specifies the authentication type. For information on configuring profiles, see Configure User and Device Authentication Profiles, below.
  11. Click Next to go to step 5, Review & Submit.
  12. In the General pane, enter information for the following fields.

    Name (Required)
      Enter a name for the rule.
    Description
      Enter a description for the rule.
    Tags
      Enter one or more tags. A tag is an alphanumeric descriptor, with no white spaces or special characters, that you can use to search the objects.
    Schedule
      Select a schedule to limit rule enforcement to specific times. To configure a new schedule, go to Configuration > Reusable Objects > Schedule. The schedule is automatically added to the Schedule drop-down list.
    Rule Enabled/Disabled
      To enable or disable the rule, click the toggle to display the Rule Enabled or Rule Disabled message.
      Default: Enabled
    Logging Enabled/Disabled
      To enable or disable logging, click the toggle to display the Logging Enabled or Logging Disabled message.
    Logging Profile (Group of Fields)
      If you enable logging, configure the logging profile.
      • Use Default
        Click to use the default logging profile.
      • Custom
        Click to use a custom logging profile, and then select the profile from the Logging Profile field. To add a custom logging profile, select + Create New.
  13. Click Add User and Device Authentication Rule to save the rule. The Add User and Device Authentication Policy screen displays the saved rule.
  14. To add another rule, click + Add in the horizontal menu. You can also select an existing rule and perform the following operations:
    • Clone—Creates a copy of the rule. You can change the default name of the cloned rule, if desired. The cloned rule then appears in the list of rules.
    • Reorder—Reorder the selected policy rule.
    • Delete—Delete the selected policy rule.
  15. Click Next to go to step 2, Permissions.
  16. The permission for each role is selected by default, and you can update it. To change permissions for a role, select or deselect the Create, Read, Update, and Delete fields for the role.
  17. Click Next to go to step 3, Review and Submit. 
  18. In the General section, enter a name for the policy. You can also enter a description and tags. A tag is an alphanumeric descriptor, with no white spaces or special characters, that you can use to search the objects.
  19. For all other sections, review the information. To change a setting, click the Edit icon next to the section.
  20. To enable logging for the rule, click the Logging Enabled toggle.
  21. Click Submit.

Configure User and Device Authentication Profiles

To specify the authentication type to use for user authentication, you configure user and device authentication profiles. For each enterprise, you can configure profiles for the following authentication methods:

  • Lightweight Directory Access Protocol (LDAP)—LDAP is a client–server protocol that allows a network device to access an LDAP server, which provides directory services that store descriptive, attribute-based information. When an end user sends a request to access a webpage, the Versa Operating System™ (VOS™) device queries the LDAP server to validate the user. Based on the result, the user is either authenticated or the authentication request is denied. You can configure either a user-based or group-based policy to allow or deny traffic.
  • Local Database—With local database authentication, you upload lists of users and groups for authentication purposes, and you can also add individual users and user groups.
  • RADIUS—RADIUS is a distributed client–server system that secures networks against unauthorized access. A RADIUS server provides an external database that you can use to authenticate users before allowing them to access a network, a device, or related services.
  • Security Assertion Markup Language (SAML)—SAML authenticates users so that they can access multiple services and applications. It is useful when users need to reach multiple services or applications that each require authentication, for example, Google and its related services. SAML is a common standard for exchanging authentication data between parties and is most commonly used for web browser-based single sign-on (SSO).
  • Versa Directory—With Versa directory authentication, you upload lists of users and groups for authentication purposes. You can also add individual users and groups using the GUI.

You can configure both an LDAP and a SAML profile for an enterprise, but for RADIUS and Versa Directory profiles, you can configure only one for each enterprise. You can configure user and device certificate-based profiles with each other, or with LDAP or SAML authentication profiles.

To configure a user and device authentication profile:

  1. Select Configure > Secure SD-WAN > User and Device Authentication > Profiles.

    The User and Device Authentication Profiles screen displays.
  2. To create a new profile, click the + icon. The Add User and Device Authentication Profile screen displays.
  3. Select the type of authentication to configure from these options: LDAP, SAML, RADIUS, Versa Directory, or Local Database.
  4. Click Get Started. The Add User and Device Authentication Profile workflow displays.
  5. In step 1, Settings, configure the settings for the selected authentication type:
    • For the LDAP authentication type, enter information for the following fields.

      Server Type
        Select the server type:
        • Active Directory
        • Open LDAP
      Select Either FQDN or IP Address
        Click FQDN or IP Address, and then enter the FQDN or IP address of the Active Directory or LDAP server. Click + Add Secondary Server to add another server of the same type. In the Add Secondary Server popup window, enter the required information, and then click Add.
      VPN Name
        Select the name of the tenant VPN to use to reach the LDAP server.
      Port
        Enter the port on which the LDAP server listens for the LDAP directory service.
        Range: 0 through 65535
        Default: None
      Enable SSL
        Click the slider to enable SSL for the LDAP session. Click the slider again to disable it.
      SSL Mode
        If you enable SSL, select the SSL mode for the LDAP session:
        • LDAPS—Use secure LDAP (LDAP over SSL); the session is encrypted from the start on a dedicated LDAPS port
        • STARTTLS—Open a plain LDAP connection and upgrade it to TLS within the same session
      CA Certificate
        If you enable SSL, select the certificate authority (CA) certificate to use to validate the LDAP server's certificate for the secure connection.
      Bind DN
        Enter the bind distinguished name (DN) to use when logging in to the LDAP server.
      Bind Password
        Enter the password that the bind DN uses when logging in to the LDAP server.
      Bind Timeout
        Enter the bind timeout period, in seconds.
        Default: 30 seconds
      Base DN
        Enter the base DN to use when an LDAP client initiates a search.
      Domain Name
        Enter the domain name to use for LDAP searches, for example, versa-networks.com.
      Base Domain
        Enter the name of the base domain.
      Search Timeout
        Enter the search timeout period, in seconds.
        Default: 30 seconds

    • For the SAML authentication type, enter information for the following fields.

      Select SAML Type
        Select the SAML type:
        • Cisco Duo
        • Google IAM
        • Microsoft Entra ID
        • Office 365
        • Okta
        • Ping Identity
        • Other
      Single Sign-on URL (Required)
        Enter the single sign-on URL of the identity provider (IdP).
      Single Sign-out URL
        Enter the URL to redirect to for single sign-out.
      Service Provider Entity ID (Required)
        Enter the entity ID of the service provider.
      Service Provider Certificate
        Select the certificate that the service provider uses to authenticate.
      Identity Provider Entity ID (Required)
        Enter the entity ID that uniquely identifies the SAML IdP.
      Identity Provider Certificate (Required)
        Select the authentication certificate issued by the IdP.
      Prefix ID
        Enter the name of the external IdP.

    • For the RADIUS authentication type, enter information for the following fields.

      IP Address (Required)
        Enter the IP address of the RADIUS server.
      Port (Required)
        Enter the port number to use on the RADIUS server.
      VPN Name
        Select the VPN instance to use to connect to the RADIUS server.
      Shared Secret
        Enter the RADIUS shared secret (password) string.

    • For the Local Database authentication type, enter information for the following fields.

      Cache Expiry Time
        Enter the time, in minutes, after which the cache for the authentication profile expires. When the cache expiry time is reached, the live user record expires and the user is logged out.
        Default: 10 minutes
      Cache Expiration Mode
        Select how the cache expiry time is applied to end a session:
        • Fixed Interval—End the session when the cache expiry time has elapsed since the session began.
        • Inactivity—End the session when the cache expiry time has elapsed without user activity.
      Caching Mode
        Select the caching mode:
        • Cookie Based—Set a cookie in the user's browser and do not store the user information on the device.
        • IP Based—Map users using their IP address as the key.
      Cookie Expiry Time
        Enter the validity period of the authentication cookie, in minutes. When the cookie expires, it becomes invalid and the user must log in again for the next connection request.
        Default: 720 minutes
      Concurrent Logins
        Enter the number of concurrent logins allowed.
        Range: 1 through 255
        Default: 1

    • For the Versa Directory authentication type, enter information for the following fields.

      Cache Expiry Time
        Enter the time, in minutes, after which the cache for the authentication profile expires. When the cache expiry time is reached, the live user record expires and the user is logged out.
        Default: 10 minutes
      Concurrent Logins
        Enter the number of concurrent logins allowed.
        Range: 1 through 255
        Default: 1

  6. Click Next to go to step 2, User and Group Profile.
  7. Configure the users and groups for the selected authentication type.
    • For LDAP authentication, enter information for the following fields.

      Group Object Class
        Enter the group object class provided by your administrator.
      Group Name
        Enter the group name provided by your administrator.
      Group Member
        Enter the group member provided by your administrator.
      User Object Class
        Enter the user object class provided by your administrator.
      User Name
        Enter the format of the username, for example, User Principal Name.
      Refresh Interval
        Enter how often to refresh the LDAP profile information, in seconds.
        Range: 60 through 86400 seconds
        Default: 21600 seconds

    • For SAML, RADIUS, Local Database, and Versa Directory authentication, enter information for the following fields.

      User List Tab
        Click Upload File. In the popup window, select a user list file in CSV format to upload. Each line in the CSV file must be in the following format:
        • User Name (required), First Name, Last Name
        To add a single user, click + Add. In the Add User screen, enter the required information. The fields in the Add User screen depend on the authentication type.
      Group List Tab
        Select the Group List tab and click Upload File. In the popup window, select a user group file in CSV format to upload. Each line in the CSV file must be in the following format:
        • Group Name (required), Description
        To add a single user group, click + Add. In the Add User Group screen, enter the required information.

  8. Click Next to go to step 3, Permissions.
  9. The permission for each role is selected by default, and you can update it. To change permissions for a role, select or deselect the Create, Read, Update, and Delete fields for the role.
  10. Click Next to go to step 4, Review and Submit.
  11. In the General section, enter a name for the profile. You can also enter a text description for the profile and one or more tags.
  12. For the remaining sections, review the selected settings. To change a setting, click the Edit icon next to the section.
  13. Click Submit to create the authentication profile.
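
The Cache Expiry Time, Cache Expiration Mode, and Concurrent Logins settings from step 5 are easiest to reason about as a small model. The following Python is an added example, not Versa code: it reproduces the documented semantics on a constructed timeline so that the difference between Fixed Interval and Inactivity, and the effect of the login limit, can be checked. The cache keys (a browser cookie or client IP) and the minute-based clock are assumptions of the model.

```python
from dataclasses import dataclass, field

FIXED_INTERVAL = "Fixed Interval"   # session ends Cache Expiry Time minutes after login
INACTIVITY = "Inactivity"           # session ends after Cache Expiry Time idle minutes


@dataclass
class LiveRecord:
    user: str
    login_at: float   # minutes on a constructed clock
    last_seen: float


@dataclass
class SessionCache:
    """Model of the live user records kept for one Local Database or Versa Directory profile."""
    cache_expiry: float = 10.0                   # Default: 10 minutes
    mode: str = FIXED_INTERVAL                   # Cache Expiration Mode
    concurrent_logins: int = 1                   # Range: 1 through 255, Default: 1
    records: dict = field(default_factory=dict)  # key (cookie or client IP) -> LiveRecord

    def __post_init__(self):
        if not 1 <= self.concurrent_logins <= 255:
            raise ValueError("Concurrent Logins must be 1 through 255")
        if self.mode not in (FIXED_INTERVAL, INACTIVITY):
            raise ValueError(f"unknown Cache Expiration Mode {self.mode!r}")

    def _expired(self, rec, now):
        # Fixed Interval counts from login; Inactivity counts from the last traffic seen.
        anchor = rec.login_at if self.mode == FIXED_INTERVAL else rec.last_seen
        return now - anchor >= self.cache_expiry

    def purge(self, now):
        """Drop records whose expiry has been reached: those users are logged out."""
        self.records = {k: r for k, r in self.records.items() if not self._expired(r, now)}

    def login(self, user, key, now):
        """Admit a login unless the user already holds Concurrent Logins live records."""
        self.purge(now)
        if sum(r.user == user for r in self.records.values()) >= self.concurrent_logins:
            return False
        self.records[key] = LiveRecord(user, now, now)
        return True

    def lookup(self, key, now):
        """Return the user mapped to a key (refreshing last_seen), or None if logged out."""
        self.purge(now)
        rec = self.records.get(key)
        if rec is None:
            return None
        rec.last_seen = now
        return rec.user


def compare_modes():
    """Login at t=0, traffic at t=8, check at t=12, under both expiration modes."""
    results = []
    for mode in (FIXED_INTERVAL, INACTIVITY):
        cache = SessionCache(cache_expiry=10, mode=mode)
        cache.login("alice", "cookie-a1", now=0)
        cache.lookup("cookie-a1", now=8)
        results.append(cache.lookup("cookie-a1", now=12))
    return tuple(results)   # (None, 'alice'): Fixed Interval logged out, Inactivity still live
```

With Concurrent Logins left at the default of 1, a second login for the same user is refused until the first live record expires, which the same model shows by calling `login` twice before and once after the expiry time.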

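The two CSV layouts used by the User List and Group List uploads in step 7 (User Name, First Name, Last Name; Group Name, Description) are easy to get wrong in a bulk export, and a malformed or duplicated entry is otherwise discovered only after upload. The following Python is an added example, not Versa code: it checks file content against the documented layouts before upload, using constructed sample data. The case-insensitive duplicate check and the rejection of a header row are assumptions of this example, not documented Versa behavior.

```python
import csv
import io

# Column layouts documented for the upload files; the first column is required,
# the others are optional, and the file carries no header row.
USER_LIST_COLUMNS = ("User Name", "First Name", "Last Name")
GROUP_LIST_COLUMNS = ("Group Name", "Description")


def validate_list(text, columns):
    """Check CSV upload content against a documented column layout.

    Returns (rows, errors): rows are the cleaned records that passed, as dicts
    keyed by column name; errors are messages with 1-based line numbers.
    Duplicate detection is case-insensitive (an assumption of this example).
    """
    rows, errors, seen = [], [], set()
    names = [c.lower() for c in columns]
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [f.strip() for f in fields]
        if not any(fields):
            continue                                   # blank line, ignore
        if [f.lower() for f in fields] == names:
            errors.append(f"line {lineno}: header row is not part of the upload format")
            continue
        if len(fields) > len(columns):
            errors.append(f"line {lineno}: expected at most {len(columns)} columns "
                          f"({', '.join(columns)}), got {len(fields)}")
            continue
        key = fields[0]
        if not key:
            errors.append(f"line {lineno}: {columns[0]} is required")
            continue
        if key.lower() in seen:
            errors.append(f"line {lineno}: duplicate {columns[0]} {key!r}")
            continue
        seen.add(key.lower())
        fields += [""] * (len(columns) - len(fields))  # pad missing optional columns
        rows.append(dict(zip(columns, fields)))
    return rows, errors


# Constructed sample uploads (not from a real deployment).
SAMPLE_USERS = """\
alice,Alice,Adams
bob,Bob,
,Carol,Clark
Alice,Alicia,Anders
dave,Dave,Dunn,extra
"""

SAMPLE_GROUPS = """\
Group Name,Description
engineering,Builds and runs the product
finance
"""


if __name__ == "__main__":
    for label, text, cols in (("users", SAMPLE_USERS, USER_LIST_COLUMNS),
                              ("groups", SAMPLE_GROUPS, GROUP_LIST_COLUMNS)):
        rows, errors = validate_list(text, cols)
        print(f"{label}: {len(rows)} valid row(s), {len(errors)} error(s)")
        for err in errors:
            print("  " + err)
```
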
Manage User and Device Authentication Policies

You can perform the following actions on user and device authentication policies:

  • Edit
  • Clone
  • Delete
  • View references
  • Propagate
  • Compare versions
  • View the audit log
  • Enable and disable auto delete

For information about these actions, see Manage SD-WAN Policies and Profiles.

Supported Software Information

Releases 13.1.1 and later support all content described in this article.