Authentication Servers

The Authentication Servers page shows your existing integrations with authentication servers. You can add a server by clicking the Add server button.

Active Directory

You can integrate OT Security with your organization’s Active Directory (AD). This enables users to log in to OT Security using their Active Directory credentials. The configuration involves setting up the integration and then mapping groups in your AD to User Groups in OT Security.

Note: The system comes with a set of pre-defined User Groups, which correspond to each of the available roles, Administrators User Group > Administrator role, Site Operators User Group > Site Operator role, and so on. For an explanation of the available roles, see Authentication Servers.

To configure Active Directory:

  1. Optionally, you can obtain a CA Certificate from your organization’s CA or Network Administrator and load it onto your local machine.

  2. Go to Local Settings >Users Management > Authentication Servers.

    The Authentication Servers window appears.

  3. Click Add server.

    The Create Authentication Server panel opens with the Server Type.

  4. Click Active Directory, then click Next.

    The Active Directory configuration pane appears.

  5. In the Name box, type the name to be used in the login screen.

  6. In the Domain box, type the FQDN of the organizational domain (for example, company.com).

    Note: If you are not aware of your Domain, you can find it by entering the command “set” in Windows CMD or Command Line. The value given for the “USERDNSDOMAIN” attribute is the Domain Name.

  7. In the Base DN box, type the distinguished name of the domain. The format for this value is ‘DC={second-level domain},DC={top-level domain}’ (for example DC=company,DC=com).

  8. For each of the Groups that you want to map from an AD group to a OT Security User Group, type the DN of the AD group in the appropriate box.

    For example, to assign a group of users to the Administrators User Group, type the DN of the Active Directory group to which you want to assign administrator privileges in the Administrators Group DN box.

    Note: If you are not aware of the DN of the group that you would like to assign OT Security privileges, you can view a list of all groups configured in your Active Directory which contain users by entering the command dsquery group -name Users* in the Windows CMD or Command Line. Type the name of the group that you want to assign in the identical format in which it is shown (for example “CN=IT_Admins,OU=Groups,DC=Company,DC=Com”). The Base DN must also be included at the end of each DN.
    Note: These fields are optional. If a field is empty, no AD users are assigned to that User Group. You can set up an integration with no groups mapped, but in that case no users can access the system until you add at least one group map ping.

  9. (Optional) In the Trusted CA section, click Browse and navigate to the file that contains your organization’s CA Certificate (which you obtained from your CA or Network Administrator).

  10. Select the Enable Active Directory check box.

  11. Click Save.

    A message prompts you to restart the unit to activate the Active Directory.

  12. Click Restart.

    The unit restarts. Upon reboot, OT Security activates the Active Directory settings. Any user assigned to the designated groups can access the OT Security platform using their organizational credentials.

    Note: To log in using Active Directory, the User Principal Name (UPN) must be used on the login page. In some cases, this means simply adding @<domain>.com to the username.

LDAP

You can integrate OT Security with your organization’s LDAP. This enables users to log in to OT Security using their LDAP credentials. The configuration involves setting up the integration and then mapping groups in your AD to User Groups in OT Security.

To configure LDAP:

  1. Go to Local Settings> User Management > Authentication Servers.

  2. Click Add Server.

    The Add Authentication Server panel opens with the Server Type.

  3. Select LDAP, then click Next.

    The LDAP Configuration pane appears.

  4. In the Name box, type the name to be used in the login screen.

    Note: The login name must be distinctive and indicate that it is used for LDAP. In the event both LDAP and Active Directory are configured, only the login name differentiates between the different configurations on the login screen.

  5. In the Server box, type the FQDN or the login address.

    Note: If using a secure connection, Tenable recommends using the FQDN and not an IP address to ensure that the secure Certificate provided is verified.
    Note: If a hostname is used, it must be in the list of DNS Servers in the OT Security system. See System Configuration > Device.

  6. In the Port box, type 389 to use a non-secure connection, or 636 to use a secure SSL connection.

    Note: If Port 636 is chosen, a Certificate is required to complete the integration.

  7. In the User DN box, type the DN with parameters in DN format. For example, for a server name of adsrv1.tenable.com, the user DN can be CN=Administrator,CN=Users,DC=adsrv1,DC=tenable,DC=com.

  8. In the Password box, type the password of the User DN.

    Note: The OT Security configuration with LDAP only continues to work as long as the User DN password is currently valid. Therefore, in the event that the User DN password changes or ages out, the OT Security configuration must also be updated.

  9. In the User Base DN box, type the base domain name in DN format. For example, for a server name of adsrv1.tenable.com, the User Base DN is OU=Users,DC=adsrv1,DC=tenable,DC=com.

  10. In the Group Base DN box, type the Group base domain name in DN format. For example, for a server name of adsrv1.tenable.com, the Group Base DN is OU=Groups,DC=adsrv1,DC=tenable,DC=com.

  11. In the Domain append box, type the default domain that is appended to the authentication request in the event the user did not apply a domain they are a member of.

  12. In the relevant group name boxes, type the Tenable group names for the user to use with the LDAP configuration.

  13. If using Port 636 for the configuration, under Trusted CA, click Browse, and navigate to a valid PEM certificate file.

  14. Click Save.

    OT Security starts the Server in Disabled mode.

  15. To apply the configuration, click the toggle switch to ON.

    The System Restart dialog appears.

  16. Click Restart Now to restart and apply the configuration immediately, or Restart Later to temporarily continue using the system without the new configuration.

    Note: Enabling/disabling LDAP configuration is not completed until the system is restarted. If you do not restart the system immediately, click the Restart button on the banner at the top of the screen when you are ready to restart.