Authentication Servers

The Authentication Servers screen shows your existing integrations with authentication servers. Adding a server can be done by clicking on the Add server button.

Active Directory

You can integrate OT Security with your organization’s Active Directory. This enables users to log in to OT Security using their Active Directory credentials. The configuration involves setting up the integration and then mapping groups in your AD to User Groups in OT Security.

Note: The system comes with a set of pre-defined User Groups, which correspond to each of the available roles, Administrators User Group > Administrator role, Site Operators User Group > Site Operator role etc. For an explanation of the available roles, see Authentication Servers.

To configure Active Directory:

  1. Optionally, you can obtain a CA Certificate from your organization’s CA or Network Administrator and load it onto your local machine.

  2. Under Local Settings, go to the Users and Roles > Authentication Servers screen.

  3. Click Add server.

    The Create Authentication Server side panel opens, with the Server Type pane displayed.

  4. Click Active Directory.

    The Active Directory configuration pane is displayed.

  5. In the Name field, enter the name to be used in the login screen.

  6. In the Domain Name field, enter the FQDN of the organizational domain (e.g. company.com).

    Note: If you are not aware of your Domain Name, you can find it by entering the command “set” in Windows CMD/Command Line. The value given for the “USERDNSDOMAIN” attribute is the Domain Name.
  7. In the Base DN field, enter the distinguished name of the domain. The format for this value is ‘DC={second-level domain},DC={top-level domain}’ (e.g. DC=company,DC=com).

  8. For each of the Groups that you would like to map from an AD group to an OT Security User Group, enter the DN of the AD group in the appropriate field. For example, to assign a group of users to the Administrators User Group, enter the DN of the Active Directory group to which you would like to assign Admin privileges in the Administrators Group DN field.

    Note: If you are not aware of the DN of the group to which you would like to assign OT Security privileges, you can view a list of all groups configured in your Active Directory which contain users by entering the command “dsquery group -name Users*” in the Windows CMD/Command Line. The name of the group that you would like to assign should be entered into the field in the identical format in which it is shown (e.g. “CN=IT_Admins,OU=Groups,DC=Company,DC=Com”). The Base DN must also be included at the end of each DN.

    Note: These fields are not mandatory. If a field is not filled in, then no AD users will be assigned to that User Group. You can set up an integration with no groups mapped, but in that case no users will be able to access the system until you add at least one group mapping.

  9. In the Trusted CA section, click Browse and navigate to the file that contains your organization’s CA Certificate (which you obtained from your CA or Network Administrator). (Optional)

  10. Select the Enable Active Directory checkbox.

  11. Click Save.

    A pop-up window prompts you to restart the unit in order to activate the Active Directory.

  12. Click Restart.

    The unit restarts. Upon reboot, the Active Directory settings will be activated. Any user assigned to the designated groups can access the OT Security platform using their organizational credentials.

    Note: To log in using Active Directory, the User Principal Name (UPN) should be used on the login page. In some cases, this means simply adding @<domain>.com to the username.

LDAP

You can integrate OT Security with your organization’s LDAP. This enables users to log in to OT Security using their LDAP credentials. The configuration involves setting up the integration and then mapping groups in your LDAP directory to User Groups in OT Security.

To configure LDAP:

  1. Under Local Settings, go to the Users and Roles > Authentication Servers screen.

  2. Click Add Server.

    The Add Authentication Server side panel opens, with the Server Type pane displayed.

  3. Select LDAP.

    The LDAP Configuration pane is displayed.

  4. In the Name field, enter the name to be used in the login screen.

    Note: The login name should be distinctive and indicate that it is used for LDAP. If both LDAP and Active Directory are configured, only the login name will differentiate between the two configurations on the login screen.

  5. In the Server field, enter the FQDN or address of the LDAP server.

    Note: If using a secure connection, it is recommended to use the FQDN and not an IP address to ensure that the secure Certificate provided will be verified.
    Note: If a hostname is used, it must be in the list of DNS Servers in the OT Security system. See System Configuration > DEVICE.
  6. In the Port field, enter 389 to use a non-secure connection, or 636 to use a secure SSL connection.

    Note: If Port 636 is chosen, a Certificate will be required to complete the integration.

  7. In the User DN field, enter the DN of the account used to bind to the server, in DN format (e.g. for a server name of AD_1.qa.com, the user DN could be CN=Administrator,CN=Users,DC=qa,DC=com).

  8. In the Password field, enter the password of the User DN.

    Note: The OT Security configuration with LDAP will only continue to work as long as the User DN password is currently valid. Therefore, in the event that the User DN password changes or expires, the OT Security configuration must also be updated.
  9. In the User Base DN field, enter the base domain name in DN format (e.g. DC=qa,DC=com).

  10. In the Group Base DN field, enter the Group base domain name in DN format.

  11. In the Domain append field, enter the default domain that will be appended to the authentication request if the user did not supply a domain they are a member of when logging in.

  12. In the relevant group name fields, enter the Tenable group names for the user to use with the LDAP configuration.

  13. If using Port 636 for the configuration, under Trusted CA, click Browse, and navigate to a valid PEM certificate file.

  14. Click Save.

    The Server is started in Disabled mode.

  15. To apply the configuration, click the toggle switch to ON.

    The System Restart dialog is displayed.

  16. Click Restart Now to restart and apply the configuration immediately, or Restart Later to temporarily continue using the system without the new configuration.

    Note: Enabling/disabling LDAP configuration will not be completed until the system is restarted. If you do not restart the system immediately, click the Restart button on the banner at the top of the screen when you are ready to restart.
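The format rules in both procedures (the Base DN derived from the domain name in step 7 of the Active Directory procedure, group DNs that must end with the Base DN, port 636 requiring a CA file and an FQDN in the LDAP procedure, and the UPN used on the login page) are easy to get wrong before the restart. The following Python helper is added here and is not part of OT Security or its documentation; it checks a proposed configuration offline, and the group names and DNs used in its docstrings and tests are constructed sample values.

```python
import re

def parse_dn(dn):
    """Split 'CN=IT_Admins,OU=Groups,DC=Company,DC=Com' into [(attr, value), ...].
    Commas inside a value may be backslash-escaped (RFC 4514); names and values
    are normalised so comparisons are case-insensitive, as LDAP matching is."""
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, sep, value = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f'malformed RDN {rdn!r} in {dn!r}')
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns

def base_dn_from_domain(domain):
    """Base DN for the FQDN entered in step 6: company.com -> DC=company,DC=com."""
    labels = [lbl for lbl in domain.strip().lower().split('.') if lbl]
    if len(labels) < 2:
        raise ValueError(f'{domain!r} is not a fully qualified domain name')
    return ','.join(f'DC={lbl}' for lbl in labels)

def dn_under_base(dn, base_dn):
    """True when base_dn appears at the end of dn, as the step 8 note requires."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) > len(b) and d[-len(b):] == b

def check_group_mappings(base_dn, mappings):
    """mappings: OT Security User Group name -> directory group DN ('' = unmapped).
    Returns a list of problems; an empty list means the mappings are consistent."""
    problems = []
    mapped = {grp: dn for grp, dn in mappings.items() if dn.strip()}
    if not mapped:
        problems.append('no group is mapped, so no directory user will be able to log in')
    for grp, dn in mapped.items():
        if not dn_under_base(dn, base_dn):
            problems.append(f'{grp}: {dn!r} does not end with the Base DN {base_dn!r}')
    return problems

def check_ldap_server(server, port, trusted_ca_loaded):
    """LDAP steps 5, 6 and 13: port 636 needs a PEM CA file and an FQDN, not an IP."""
    problems = []
    if port not in (389, 636):
        problems.append(f'port {port}: use 389 (non-secure) or 636 (SSL)')
    if port == 636:
        if not trusted_ca_loaded:
            problems.append('port 636 requires a trusted CA certificate (PEM)')
        if re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', server):
            problems.append('use the FQDN rather than an IP address so the certificate is verified')
    return problems

def login_name(username, domain):
    """UPN for the login page (AD note after step 12 / LDAP domain append, step 11)."""
    return username if '@' in username else f'{username}@{domain}'
```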