Authentication (NetCache training module, March 2003)

Objectives

When you have completed this module you will be able to do the following:
• Describe authentication options
• Configure NTLM authentication
• Configure Kerberos authentication
• Add users
• Create groups
• Edit groups

What is Authentication?

• Authentication determines a user's identity
• NetCache can authenticate Web requests
• NetCache allows use of:
  – the NetCache user database
  – RADIUS
  – LDAP
  – NTLM with Kerberos
• Authentication can be used in conjunction with access control to:
  – enforce local security domains
  – allocate resources
  – control bandwidth requirements
  – provide use records
  – enforce content control

Authentication is the process of determining a user's identity so that the user becomes known to the system. NetCache allows you to require authentication for Web requests from clients using certain protocols, such as HTTP, FTP and NNTP. NetCache also allows you to specify how that authentication is performed: for example, against the local NetCache user database, against a RADIUS database, or using the Microsoft Windows Kerberos protocol server.

In addition to verifying a user's identity to prevent rogue clients from accessing the NetCache appliance, authentication can be used in conjunction with access control to enforce local security domains, allocate resources, control bandwidth requirements, provide records (through logged data) that help protect against lawsuits, and enforce content control.

Authentication is a class of functionality in growing demand among NetCache customers and prospects. It gives (often large) organizations the ability to identify exactly which user is requesting which content. This information can then be used for a variety of purposes, from archival logging, to content filtering, to time- and content-based access control.
Traditionally, users accessing an authenticated cache must enter their user name and password at the beginning of each browser session. The name/password pair is then sent (usually unencrypted) to the proxy, which can verify the user's identity locally or by consulting an LDAP or RADIUS server.

Authentication – General (Setup > Authentication > General)

You can specify which protocols require authentication and which authentication database is used. NetCache supports the following user databases:
• NetCache local user and group database (on the NetCache appliance)
• LDAP (Lightweight Directory Access Protocol)
• RADIUS (Remote Authentication Dial-In User Service)
• NTLM (NT LAN Manager) with Kerberos
Refer to Online Help for specific configuration information.

Authentication Forwarding (Setup > Authentication > General)

The slide shows the config.auth.forward setting written in three equivalent notations, a CIDR prefix length or a dotted netmask:
    config.auth.forward = 192.56.19/24
or
    config.auth.forward = 192.56.19/255.255.255.0
or
    config.auth.forward = 192.56.19.0/255.255.255.0

Group Permissions

Options on the Setup > Authentication > Groups page are used to add, edit, and delete groups. These options also let you authorize a group for some protocols while restricting others (for example, some groups can use HTTP and FTP but not Gopher).

Note: System administrators cannot access the NetCache Manager utility unless the NetCache user database contains at least one user name and password. NetCache provides a default user name of admin and a default password of NetCache. The default user name and password are case-sensitive.

The NetCache group and user databases are maintained on the NetCache appliance. Refer to Online Help for specific configuration information.

Defining New Groups

The New Group button is used to create a group and add it to the NetCache user database. Refer to Online Help for specific configuration information.
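The Authentication Forwarding slide above gives config.auth.forward in three notations. As an added example, not NetCache code and not from the training material, the following Python normalizes such values with the standard ipaddress module and rejects malformed entries before they reach the appliance. It assumes, since the slide does not say, that an abbreviated address such as 192.56.19 means 192.56.19.0; the sample configuration lines are constructed.

```python
import ipaddress

# Constructed sample configuration lines (not from a real appliance). The first three
# are the three notations shown on the slide; the next two are deliberately malformed.
SAMPLE_CONFIG = [
    "config.auth.forward = 192.56.19/24",
    "config.auth.forward = 192.56.19/255.255.255.0",
    "config.auth.forward = 192.56.19.0/255.255.255.0",
    "config.auth.forward = 192.56.19.5/24",        # host bits set: probably a typo
    "config.auth.forward = 10.0.0.0/255.0.255.0",  # non-contiguous netmask
    "config.something.else = 1",                   # unrelated line, ignored
]


def expand_address(addr: str) -> str:
    """Zero-fill an abbreviated dotted address, e.g. '192.56.19' -> '192.56.19.0'.
    Assumption (the slide does not say): missing trailing octets are zero."""
    octets = addr.strip().split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address {addr!r}")
    for octet in octets:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"bad octet in {addr!r}")
    return ".".join(octets + ["0"] * (4 - len(octets)))


def parse_forward_network(value: str) -> ipaddress.IPv4Network:
    """Parse one config.auth.forward value into an IPv4Network.

    Accepts 'addr/prefixlen' and 'addr/dotted-netmask'. Rejects host bits set,
    non-contiguous masks and host masks (0.0.0.255), all of which usually mean
    the administrator meant something else.
    """
    addr, sep, mask = value.strip().partition("/")
    if not sep:
        raise ValueError(f"{value!r}: expected address/prefix or address/netmask")
    addr = expand_address(addr)
    # ipaddress understands both a prefix length and a dotted netmask; strict=True
    # raises ValueError when host bits are set, and a non-contiguous mask raises
    # NetmaskValueError (a ValueError subclass).
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)
    if "." in mask and str(net.netmask) != mask:
        # ipaddress silently accepts a host mask such as 0.0.0.255; refuse it here.
        raise ValueError(f"{value!r}: {mask} is not a netmask")
    return net


def parse_forward_list(config_lines):
    """Return (networks, errors) for every config.auth.forward line in config_lines."""
    networks, errors = [], []
    for line in config_lines:
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "config.auth.forward":
            continue
        try:
            networks.append(parse_forward_network(value))
        except ValueError as exc:
            errors.append((line.strip(), str(exc)))
    return networks, errors


def forwards_auth(networks, client_ip: str) -> bool:
    """True if client_ip falls inside any configured forwarding network."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    nets, errs = parse_forward_list(SAMPLE_CONFIG)
    for net in nets:
        print("forward:", net)
    for line, why in errs:
        print("rejected:", line, "->", why)
    print(forwards_auth(nets, "192.56.19.77"), forwards_auth(nets, "192.56.20.1"))
```

All three notations from the slide normalize to the same 192.56.19.0/24 network; the two malformed lines are reported with the reason rather than silently widened or narrowed.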
Add Users (Setup > Authentication > NetCache Users)

(The slide shows the Add Users form filled in with a sample user name, Newuser, and password.)

Options on the Setup > Authentication > NetCache Users page are used to configure the NetCache user database. These options are used to specify group memberships, edit existing users, and remove users from the database. Refer to Online Help for specific configuration information.

Authentication Options

• NetCache user (and group) database
• LDAP
• RADIUS
• NTLM (NT LAN Manager)
• Kerberos (Windows 2000)

NetCache user database
The native NetCache user database provides local authentication for users and administrators (clear-text authentication).

LDAP authentication
Lightweight Directory Access Protocol (LDAP) server databases are commonly used as employee directory databases. You can enable NetCache to retrieve user and group data from an existing LDAP server to perform clear-text authentication.

RADIUS authentication
The Remote Authentication Dial-In User Service (RADIUS) server was originally used to authenticate people logging in to the network through a modem at remote points of presence (POPs). You can enable NetCache to retrieve user data from an existing RADIUS server to perform clear-text authentication. (RADIUS does not support groups.)

NTLM (NT LAN Manager)
NTLM supports NT domain access to the Microsoft Windows authentication environment. NTLM (in true mode) performs authentication using an encrypted challenge-and-response sequence between NetCache and a Windows domain controller. NTLM can be used for clear-text authentication when used with a browser other than Microsoft Internet Explorer.

Kerberos (Windows 2000)
Kerberos is the native authentication protocol for Windows 2000 domain access. Kerberos authentication is based on a shared secret key distribution model in which NetCache validates tickets presented by the client (user).
LDAP Server

• Can reduce the workload of maintaining user accounts
• Network load can add authentication delay
• Can only authenticate to one server
• Can only authenticate users, NOT administrators
• Cannot use LDAP if you restrict the type of requests (e.g., protocol-specific restrictions)
• NetCache 5.0 and later requires an LDAP Version 3 server

Using a Lightweight Directory Access Protocol (LDAP) server to authenticate users

If you already have an LDAP server providing user authentication for your network, you can point NetCache to this server and use it to authenticate users for NetCache. Using an LDAP server to authenticate users for NetCache significantly reduces the workload of maintaining a user database for NetCache, especially if your network has several cooperating NetCache appliances installed. Without LDAP, if you want user authentication, you must maintain a separate user database on each NetCache system.

Authenticating NetCache users with an LDAP server delays a user's web request each time the user is authenticated (at most, once per hour). The amount of delay depends on your network load.

You can only authenticate users and groups through LDAP. Authenticating admin access locally ensures that the administrator will have access even when LDAP is down.

How the NetCache LDAP client works

If you enable protocol authentication for one or more protocols and point NetCache to an LDAP server, NetCache restricts access for the authenticated protocols to those users authorized in the LDAP database. That is, all users in the LDAP database are authorized to use the NetCache authenticated protocols. If you need to configure NetCache to allow users to make only some types of requests, you must use the NetCache User Administration feature.

If you configured your NetCache system to authenticate users with an LDAP server, NetCache prompts each user for a user name and password. When the user supplies the information, NetCache requests the LDAP server to authenticate the user.

NTLM Authentication

(Diagram, reconstructed from the slide labels: Internet Explorer or Media Player clients speak NTLM over HTTP to NetCache; Netscape clients speak plain HTTP. NetCache authenticates against a PDC over SMB/NTLM (Windows NT, or Windows 2000 in non-native mode) and forwards requests over HTTP to the origin server.)

NTLM (NT LAN Manager) Authentication

Microsoft has created provisions for Microsoft Internet Explorer (MSIE) users to be authenticated by Microsoft Proxy Server (MSPS) without requiring the user to input a password every time a browser session is started. This is called "single sign-on." Single sign-on depends on Windows' tendency to maintain persistent password state for the user currently using the machine. When a user signs on to an NT domain, the user name and password are kept locally for later use. As applications encounter the need to prove the identity of the user to another machine, an application can request that the stored user name and password be used to transparently complete the logon process. The specifics of this technique as implemented by various versions of Windows are collectively known as NTLM (NT LAN Manager) challenge/response.

The NTLM sign-on transaction normally happens when a user logs on to a workstation, or when a user connects to a CIFS (Common Internet File System) share. It is also the same transaction used between the proxy server and the PDC (Primary Domain Controller) when the proxy wants to authenticate someone.

Netscape does not support NTLM authentication. MSIE running on Mac (or Unix) doesn't support it either. MSPS can be configured to accept "basic" (clear-text) user/password pairs from these clients, and will then authenticate them with the PDC, using NTLM as before.

Any browser can send a basic (clear-text) credential to the cache, which will then turn
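The NTLM notes above draw the line between NTLM challenge/response, where the password itself never crosses the wire, and the "basic" clear-text fallback that MSPS accepts from Netscape and from MSIE on Mac or Unix. As an added example, not code from the training material or from NetCache, the following Python classifies the credential a client sent in a Proxy-Authorization header so an administrator can tell which logons reached the cache in clear text. It relies on the standard NTLMSSP message framing (an 8-byte signature followed by a little-endian message type), which the slide does not describe, uses constructed header values, and decodes Basic tokens only far enough to recover the user name.

```python
import base64
import binascii
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# Standard NTLM message types (signature + little-endian uint32 type). This framing
# is the NTLM wire format, not something the slide specifies.
NTLM_MESSAGE_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

# Constructed Proxy-Authorization header values, not captured traffic.
SAMPLE_HEADERS = {
    # A browser without NTLM support (the slide's Netscape case) falls back to Basic.
    "netscape_basic": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    # MSIE single sign-on: NTLM Type 1 (negotiate), minimal 32-byte message.
    "msie_ntlm_type1": "NTLM " + base64.b64encode(
        struct.pack("<8sII", NTLMSSP_SIGNATURE, 1, 0x00008207) + b"\x00" * 16).decode(),
    # NTLM Type 3 (authenticate); only the header is meaningful here, body zero-filled.
    "msie_ntlm_type3": "NTLM " + base64.b64encode(
        NTLMSSP_SIGNATURE + struct.pack("<I", 3) + b"\x00" * 52).decode(),
    # Negotiate carrying something other than raw NTLMSSP (placeholder bytes standing
    # in for a SPNEGO/Kerberos token).
    "kerberos_negotiate": "Negotiate " + base64.b64encode(b"\x60\x06" + b"\x00" * 6).decode(),
    "garbage": "Basic %%%not-base64",
}


def _b64(token: str):
    """Strict base64 decode; None if the token is malformed."""
    try:
        return base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_proxy_credential(header_value: str) -> dict:
    """Classify one Proxy-Authorization value.

    Basic credentials are decoded only far enough to recover the user name; the
    password is never returned. NTLM tokens are identified by signature and type.
    """
    scheme, _, token = header_value.strip().partition(" ")
    kind = scheme.lower()
    if kind == "basic":
        raw = _b64(token)
        if raw is None:
            return {"scheme": "Basic", "error": "token is not valid base64"}
        user, sep, _password = raw.partition(b":")
        if not sep:
            return {"scheme": "Basic", "error": "no user:password separator"}
        return {"scheme": "Basic", "clear_text": True, "user": user.decode("latin-1")}
    if kind in ("ntlm", "negotiate"):
        raw = _b64(token)
        if raw is None:
            return {"scheme": scheme, "error": "token is not valid base64"}
        message = None
        if raw[:8] == NTLMSSP_SIGNATURE and len(raw) >= 12:
            (msg_type,) = struct.unpack_from("<I", raw, 8)
            message = NTLM_MESSAGE_TYPES.get(msg_type, f"unknown({msg_type})")
        return {"scheme": scheme, "clear_text": False, "ntlm_message": message}
    # Digest and anything else: not examined here.
    return {"scheme": scheme, "clear_text": None}


def clear_text_logins(headers: dict) -> list:
    """Names of entries whose credential crossed the wire in clear text."""
    return [name for name, value in headers.items()
            if classify_proxy_credential(value).get("clear_text") is True]


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:20s} {classify_proxy_credential(value)}")
    print("clear-text:", clear_text_logins(SAMPLE_HEADERS))
```

Only the Basic entry is reported as clear text: its base64 token is an encoding, not encryption, which is why the slide calls that path "basic (clear text)". The NTLM entries carry challenge/response messages, so the classifier reports the message type and nothing about the password.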
