Versa Networks

Configure SD-WAN User and Device Authentication

For supported software information, see the Supported Software Information section at the end of this article.

You can create policies and rules to authenticate both the users and the devices that enter a secure SD-WAN network. You can authenticate the users and devices before the gateways route the traffic to internet or private applications.

To define rules for user and device authentication, you can select applications and URLs, source and destination traffic, IP addresses, and services as match criteria to decide when to authenticate users. You can also create rules with match criteria for users who you do not want to authenticate.

You configure user and device authentication profiles to specify the authentication type for user authentication. You use the authentication profiles in user and device authentication rules to specify the method to authenticate users who match the authentication rule criteria.

Configure User and Device Authentication Policies

To configure a user and device authentication policy for secure SD-WAN users and groups:

  1. Go to Configure > Secure SD-WAN > Profile Elements > Policies > User and Device Authentication > Policy.

    user-device-authentication-policy-menu.png

    The User and Device Authentication Policy screen displays.

    user-device-authentication-policy-main.png
  2. To create a new user and device authentication policy, click + Add. The Add User and Device Authentication Rule screen displays the first step of the workflow.
  3. In Step 1, Applications and URLs, the Applications tab and the Application Group tab are selected. By default, all applications, URLs, and reputations are included in the match criteria.

    add-user-device-authentication-rule-1.png
  4. To select specific application groups to include in the match criteria, click User-Defined Application Groups, Predefined Application Groups, or both. Then select the application groups for the rule to match. Use the Search bar to find specific application groups.
  5. Select the Applications > Applications tab, and then select one or more user-defined or predefined applications for the rule to match. Use the Search bar to find specific applications.

    applications-tab.png
  6. Select the Applications > Application Category tab, and then select one or more predefined application categories for the rule to match.

    application-category-tab.png
  7. Select the URL Categories and Reputations tab. The following screen displays.

    url-categories-reputations-tab.png
  8. In the URL Categories field, click the down arrow, and then select one or more URL categories for the rule to match.
  9. In the Reputations field, click the down arrow, and then select one or more reputations for the rule to match:
    • High risk
    • Low risk
    • Moderate risk
    • Suspicious
    • Trustworthy
    • Undefined
  10. Click Next or select Step 2, Source and Destination Traffic. The following screen displays, and the Source Address tab is selected. By default, all source and destination traffic is included. You can specify which source and destination traffic to include in the match criteria.

    add-user-device-authentication-rule-2-source-address.png
  11. Select a source address group for the rule to match, or use the search box to find a source address group. You can click + Add Variable to create a variable for the source address. Enter a name for the variable, click the Plus icon, and then click Add. You can add multiple variables before clicking the Add button.

    add-address-variable-v2 (2).png
    You can also enter values in any of the following fields for the rule to match: IP Address or IP Range, IP Subnet, or IP Wildcard. You can click + Add Variable to create variables for these values, and you can add multiple variables for each one.
    • To add a variable for the IP address or IP range, select IPv4 Address, IPv4 Range, or IPv6 Address, click the Plus icon, and then click Add.

      add-IP-address-range-variable-v2-border.png
    • To add a variable for the IP subnet, select IP Subnet or IPv6 Subnet, click the Plus icon, and then click Add.

      add-IP-subnet-variable-v2-border.png
    • To add a variable for the IP wildcard, enter a name for the variable, click the Plus icon, and then click Add.

      add-address-variable-v2 (2).png
  12. Click the Destination Address tab, and then select a destination address group for the rule to match, or use the search box to find a destination address group. Then, enter values in any of the following fields for the rule to match: IP Address or IP Range, IP Subnet, or IP Wildcard. You can click + Add Variable to create variables for these values. For more information about adding variables, see Step 11.

    destination-address-tab.png
  13. Select the Source Zones tab to specify source zones to include in the match criteria. Select one or more source zones from the list, or use the search box to find source zones. To create a variable for the source zone, click Add Variable.

    source-zones-tab.png
  14. Select the Destination Zones tab to specify destination zones to include in the match criteria. Select one or more destination zones from the list, or use the search box to find destination zones. To create a variable for the destination zone, click Add Variable.

    destination-zones-tab.png
  15. Click Next or select Step 3, Service and DSCP. The following screen displays, and the Services tab is selected. By default, all services, service groups, and Differentiated Services Code Points (DSCPs) are included in the match criteria. You can specify the services, service groups, and DSCPs for the rule to match.

    add-user-device-authentication-rule-3-services-tab.png
  16. To specify the services to include, do one or both of the following:
    • In the search box under Services, enter the service name.
    • Click All Services, and then select one of the following categories to filter the list:
      • Predefined
      • User Defined
  17. Select the Service Groups tab, and then select the user-defined and predefined service groups for the rule to match. Click the Row Expand icon next to the service group name to view the details for each service group.

    services-groups-tab.png
  18. Select the DSCP tab. By default, all DSCP decimal values are included in the match criteria. You can specify which DSCP decimal values to include.

    dscp-tab.png
  19. Select one or more DSCP decimal values, or use the search to locate one or more values.
  20. Click Next to go to Step 4, Action.

    add-user-device-authentication-rule-4-do-not-authenticate.png
  21. If you do not want to authenticate users for the match criteria that you selected in Step 1, click Do Not Authenticate.
  22. If you want to use a profile to specify the authentication type, click Authenticate Using User and Group Profile, and then select a profile that you configured in Configure User and Device Authentication Profiles, below.

    add-user-device-authentication-rule-4.png
  23. Click Next to go to Step 5, Permissions.

    add-user-device-authentication-rule-5.png
  24. To change the permissions for a role, select Edit, Hide, or Read in the Permissions column.
  25. Click Next to go to Step 6, Review and Submit.

    add-user-device-authentication-rule-6.png
  26. In the General section, enter a name for the rule. Optionally, enter a description and add tags for the rule.
  27. By default, the rule is enabled. Toggle to disable the rule.
  28. To enable logging for the rule, slide the toggle to Enabled.
  29. Click the Edit icon next to any section to make changes.
  30. Click Save.

Configure User and Device Authentication Profiles

To specify the authentication type to use for user authentication, you configure user and device authentication profiles. For each enterprise, you can configure profiles for Lightweight Directory Access Protocol (LDAP), RADIUS, Security Assertion Markup Language (SAML), and Versa Directory. You can configure both an LDAP and a SAML profile for an enterprise, but for RADIUS and Versa Directory profiles, you can configure only one of each for an enterprise. You can configure user and device certificate-based profiles with each other, or with LDAP or SAML authentication profiles.

LDAP is a client–server protocol that allows a network device to access an LDAP server, which provides directory services that store descriptive attribute-based information. When an end user sends a request to access a webpage, the Versa Operating System™ (VOS™) device accesses the LDAP server to validate the user. Based on the authentication result, the user is either authenticated or their authentication request is denied. You can configure either a user-based or a group-based policy to allow or deny traffic.

RADIUS is a distributed client–server system that secures networks against unauthorized access. A RADIUS server provides an external database that you can use to authenticate users before allowing them to access a network, a device, or related services.

SAML authenticates users so that they can access multiple services and applications. SAML is useful when you want to access multiple services or applications and have authentication for each service or application, for example, Google and its related services. SAML is a common standard for exchanging authentication between parties and is most commonly used for web browser-based single sign-on (SSO).

With Versa directory authentication, you upload lists of users and groups for authentication purposes. You can also add individual users and groups using the GUI.

To configure user and device authentication profiles:

  1. Go to Configure > Secure SD-WAN > Profile Elements > Policies > User and Device Authentication > Profile.

    user-device-auth-menu.png
    The User and Device Authentication Profile screen displays.

    user-device-authentication-profile-main.png
  2. To create a new profile, click + Add. The Add User and Device Authentication Profile screen displays.

    add-user-device-authentication-profile-options.png
  3. Select the type of authentication to configure from these options: LDAP, RADIUS, SAML, or Versa Directory.
  4. Click Get Started.
  5. In Step 1, Settings, configure the settings for the selected authentication type:
    • For the LDAP authentication type, enter information for the following fields.

      add-ldap-authentication-profile-1.png
       
      Server Type: Select the server type:
        • Active Directory
        • Open LDAP

      + Add Variable: Click to create a variable for parameters. Enter a name for the variable, and then click Add. You can add multiple variables. The Add Variable screen is the same for all parameters.

      add-variable.png

      Select Either FQDN or IP Address: Click FQDN or IP Address, and then enter the FQDN or IP address of the Active Directory or LDAP server. Click + Add Secondary Server to add another server of the same type. In the Add Secondary Server popup window, enter the required information, and then click Add.

      add-secondary-server.png

      VPN Name: Select the name of the tenant VPN to use to reach the LDAP server.

      Port: Enter the listening port number on the LDAP server, which allows you to communicate with the LDAP directory service. Range: 0 through 65535. Default: None.

      Enable SSL: Click the slider to enable SSL for the LDAP session. Click the slider again to disable SSL for the LDAP session.

      enable-SSL-border.png
      disable-SSL-border.png

      SSL Mode: If you enable SSL, select the SSL mode for the LDAP session:
        • LDAPS—Use secure LDAP (LDAP over SSL)
        • STARTTLS—Use LDAP over TLS

      CA Certificate: If you enable SSL, select the certificate authority (CA) certificate to use for the secure LDAP connection. To add a new CA certificate, click + Add New, and then enter the required information.

      add-ca-certificate.png

      Bind DN: Enter the bind distinguished name (DN) to use when logging in to the LDAP server.
      Bind Password: Enter the password that the bind DN uses when logging in to the LDAP server.
      Base DN: Enter the base DN to use when an LDAP client initiates a search.
      Domain Name: Enter the domain name to use for LDAP searches, for example, versa-networks.com.
      Domain Base: Enter the name of the base domain.
    • For the SAML authentication type, enter information for the following fields.

      add-saml-auth-profile-settings.png
       
      Select SAML Type: Select the SAML type:
        • Azure Active Directory
        • Google IAM
        • Office 365
        • Okta
        • Other
        • PingIdentity

      + Add Variable: Click to create a variable for parameters. Enter a name for the variable, and click Add. You can add multiple variables. The Add Variable screen is the same for all parameters.

      add-variable.png

      Device Host FQDN: Enter the host FQDN of the user device.
      Single Sign-on URL (Required): Enter the URL of the identity provider (IdP) to use for single sign-on.
      Single Sign-out URL: Enter the URL to point to for single sign-out.
      Service Provider Entity ID (Required): Enter the entity ID of the service provider.
      Service Provider Certificate: Select the certificate that the service provider uses to authenticate.
      Identity Provider Entity ID (Required): Enter the entity ID that uniquely identifies the SAML IdP.
      Identity Provider Certificate (Required): Select the authentication certificate issued by the IdP.
      Prefix ID: Enter the name of the external IdP.
      Cache Expiry Time: Enter the time, in minutes, for cache expiry, after which the live user record expires. On reaching the cache expiry time, the user record expires and the user gets logged out. Default: 10 minutes.
      Group Attribute: Enter the SAML group attribute to identify the group value from the SAML response.
    • For the RADIUS authentication type, enter information for the following fields.

      add-radius-authentictation-profile-settings.png
       
      IP Address (Required): Enter the IP address of the RADIUS server.
      Port (Required): Enter the port number to use on the RADIUS server.
      VPN Name: Select the VPN instance to use to connect to the RADIUS server.
      Shared Secret: Enter the RADIUS shared secret (password) string.
      Cache Expiry Time: Enter the time, in minutes, after which the cache for the authentication profile expires. Default: 10 minutes.

    • For the Versa Directory authentication type, enter the time, in minutes, for cache expiry, after which the live user record expires. On reaching the cache expiry time, the user record expires and the user gets logged out. The default is 10 minutes.

      add-versa-directory-auth-profile-settings.png
  6. Click Next.
  7. In Step 2, User and Group Profile, configure the users and groups for the selected authentication type.
    • For LDAP authentication, enter information for the following fields.

      add-ldap-user-group-profile.png
       
      + Add Variable: Click to create a variable for parameters. Enter a name for the variable, and click Add. You can add multiple variables. The Add Variable screen is the same for all parameters.

      add-variable.png

      Group Object Class (Required): Enter the group object class provided by your administrator.
      Group Name (Required): Enter the group name provided by your administrator.
      Group Member (Required): Enter the group member provided by your administrator.
      User Object Class (Required): Enter the user object class provided by your administrator.
      User Name (Required): Enter the format of the username, for example, User Principal Name.
      Refresh Interval: Enter how often to refresh the LDAP profile information, in seconds. Range: 60 through 86400 seconds. Default: 21600 seconds.
      Password Last Set: Enter the time when the user password was last set or updated.
      Password Max Age: Enter the validity period of the password.
    • For SAML, RADIUS, and Versa Directory authentication, enter information for the following fields.

      user-user-group.png
       
      User List Tab: Click Browse. In the popup window, select a user list file in CSV format to upload. Each line in the CSV file must be in the following format:
        • User Name*, First Name, Last Name, Password*, Email*, Phone, Description, Group Name
      Fields marked with an asterisk (*) are mandatory.

      + Add: Click + Add to add a new user. In the Add User screen, enter the required information. When you select LDAP or SAML as the authentication type, the following screen displays.

      add-user.png

      For Versa Directory, the following screen displays when you click + Add to add a user:

      add-user-versa-directory.png

      Click + Add New to add a new user group, as shown below in the Group List tab.

      Group List Tab: Select the Group List tab and click Browse. In the popup window, select a user group file in CSV format to upload. Each line in the CSV file must be in the following format:
        • Group Name*, Description

      group-list-tab.png

      + Add: Click + Add to add a new user group. In the Add User Group screen, enter the required information.

      add-user-group.png

  8. Click Next.
  9. In Step 3, Permissions, set or update the permission for each role. The roles are Enterprise Administrator, Enterprise Operator, Service Provider Administrator, and Service Provider Operator. The permission for each role is selected by default, and you can update it. The role permissions are Edit, Hide, and Read. This screen is common for all authentication types.

    add-ldap-permissions-3.png
  10. Click Next to go to Step 4, Review and Submit. The following screen is common for all authentication types.
      review-submit.png
  11. In the General box, enter a name for the profile, and optionally, enter a text description for the profile and one or more tags.
  12. Review the selected settings. Click the Edit icon to change a setting, as needed.
  13. Click Save to create the authentication profile.
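The user list and group list CSV files uploaded in Step 2 (User and Group Profile) are easy to get wrong before upload, and a rejected or partial upload is hard to diagnose from the GUI. The following Python script is an added example, not code from the Versa documentation or product: it checks a pair of constructed files against the two layouts described above (mandatory fields marked with an asterisk) and adds one check the article does not state, that every Group Name on a user line exists in the group list.

```python
import csv
import io

# Column layouts from the User List and Group List tabs; an asterisk marks a mandatory field.
USER_COLUMNS = ["User Name*", "First Name", "Last Name", "Password*", "Email*",
                "Phone", "Description", "Group Name"]
GROUP_COLUMNS = ["Group Name*", "Description"]

# Constructed sample files (not from the original article). Line 2 of the user
# list omits the mandatory Password; line 3 names a group that the group list lacks.
SAMPLE_USERS = """alice,Alice,Ng,S3cr3t!,alice@example.com,,Engineer,eng
bob,Bob,Lee,,bob@example.com,,Contractor,eng
carol,Carol,,Pa55w0rd,carol@example.com,,,sales
"""
SAMPLE_GROUPS = """eng,Engineering
ops,Operations
"""


def check_rows(text, columns):
    """Parse CSV text against a column layout and return (rows, errors).
    Rows are dicts keyed by column name without the asterisk; a line with the
    wrong field count or an empty mandatory field is reported and dropped."""
    names = [c.rstrip("*") for c in columns]
    mandatory = [c.rstrip("*") for c in columns if c.endswith("*")]
    rows, errors = [], []
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue  # tolerate blank lines
        if len(fields) != len(columns):
            errors.append(f"line {lineno}: {len(fields)} fields, expected {len(columns)}")
            continue
        row = dict(zip(names, (f.strip() for f in fields)))
        missing = [m for m in mandatory if not row[m]]
        if missing:
            errors.append(f"line {lineno}: missing mandatory field(s) {', '.join(missing)}")
            continue
        rows.append(row)
    return rows, errors


def validate_uploads(user_csv, group_csv):
    """Validate a user list and a group list together; return the list of errors."""
    users, errors = check_rows(user_csv, USER_COLUMNS)
    groups, group_errors = check_rows(group_csv, GROUP_COLUMNS)
    errors += [f"group list: {e}" for e in group_errors]
    known_groups = {g["Group Name"] for g in groups}
    for u in users:
        # Added cross-check, not a documented upload rule: the Group Name on a
        # user line should match a group from the group list.
        if u["Group Name"] and u["Group Name"] not in known_groups:
            errors.append(f"user {u['User Name']!r} references unknown group {u['Group Name']!r}")
    return errors
```

Running validate_uploads on the two sample files reports the missing password on line 2 and the unknown group for carol; an empty list means both files match the documented layout.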

Supported Software Information

Releases 12.1.1 and later support all content described in this article.