12.2. Procedure – Creating a new authentication policy

Purpose: 

An authentication policy is a list of authentication methods that can be used in a connection. Connection definitions refer to an authentication policy to determine how the client can authenticate to the target server. Separate authentication methods can be used on the client and the server-side of the connection.

To create a new authentication policy, follow the steps below:

Steps: 

  1. Navigate to Telnet Control > Authentication Policies, and click .

    Figure 12.2. Telnet Control > Authentication Policies — Configuring Telnet authentication policies

  2. Enter a name for the policy into the Name field.

  3. Select the authentication method used on the client-side in the Client-side gateway authentication backend field. For the client-side connection, PSM can authenticate the client inband (within the Telnet protocol) using the following authentication methods:

    • LDAP: PSM will authenticate the client to the LDAP database set in the LDAP Server of the connection policy. To use LDAP authentication on the client side, select Client-side gateway authentication backend > LDAP.

      Note

      PSM will authenticate the client-side connection to the LDAP server configured in the connection policy. This is not necessarily the same as the LDAP server used to authenticate the users accessing the PSM web interface.

    • Local: Authenticate the client locally on the PSM gateway using a Local User database. Select the database to use in the Local User Database field. For details on creating a Local User Database, see Procedure 7.13, Creating a Local User Database.

    • RADIUS: PSM will authenticate the client to the specified RADIUS server. Select Client-side gateway authentication backend > RADIUS, enter the IP address or hostname of the RADIUS server into the Address field, the port number of the RADIUS server into the Port field, and the shared secret of the RADIUS server into the Shared secret field. Only password authentication is supported (including one-time passwords); challenge-response based authentication is not.

      Use an IPv4 address.

      To add more RADIUS servers, click and fill in the respective fields.

    • None: Do not perform client-side authentication; the client will authenticate only on the target server.

      Warning

      Hazard of security breach! If the None authentication option is selected on the client side and PSM is configured to use public-key or certificate based authentication on the server, the user will not be authenticated at all unless gateway authentication is required for the connection.

  4. Click .

    Note
    • The client-side authentication settings apply to authenticating the user inband (that is, within the SSH protocol) to the PSM gateway, and are independent from the gateway authentication performed on the PSM web interface. The web-based gateway authentication is an out-of-band gateway authentication method that can be required by the connection policy. For details on out-of-band gateway authentication, see Procedure 18.2.1, Configuring out-of-band gateway authentication.

      Gateway authentication on the PSM web interface can be used together with authentication policies. In an extreme setting, this would mean that the user has to perform three authentications: a client-side gateway authentication within the SSH protocol to PSM, an out-of-band gateway authentication on the PSM web interface, and a final authentication on the target server.

    • The Connection Policy will ignore the settings for server-side authentication (set under Relayed authentication methods) if a Credential Store is used in the Connection Policy.
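The constraints stated in this procedure (the None-plus-public-key hazard in the warning, the IPv4 requirement for RADIUS addresses, the Local User Database dependency, and the credential store overriding relayed authentication methods) can be checked before a policy goes live. The following is an added example, not part of this documentation and not PSM's own configuration schema or API: the dataclasses, field names, method names ("publickey", "certificate") and the sample policies are assumptions constructed for illustration.

```python
"""Lint a Telnet authentication policy and its connection policy against the
constraints documented above.  Added example; the policy model below is an
assumed shape, not PSM's configuration format."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address
from typing import List, Optional


@dataclass
class RadiusServer:
    address: str          # page: "Use an IPv4 address."
    port: int
    shared_secret: str


@dataclass
class AuthPolicy:
    name: str
    client_backend: str   # "LDAP", "Local", "RADIUS" or "None"
    local_user_db: Optional[str] = None
    radius_servers: List[RadiusServer] = field(default_factory=list)


@dataclass
class ConnectionPolicy:
    """Only the connection-policy fields the checks need (assumed names)."""
    auth_policy: AuthPolicy
    relayed_auth_methods: List[str]      # server-side methods, e.g. "password", "publickey"
    gateway_auth_required: bool = False  # out-of-band web gateway authentication
    credential_store: Optional[str] = None


def lint(conn: ConnectionPolicy) -> List[str]:
    """Return human-readable findings; an empty list means no documented constraint is violated."""
    findings: List[str] = []
    pol = conn.auth_policy
    tag = f"policy {pol.name!r}"

    # Warning from the procedure: with client-side None and public-key or
    # certificate authentication on the server, nobody authenticates the user
    # unless out-of-band gateway authentication is required for the connection.
    keyed_server = any(m in ("publickey", "certificate") for m in conn.relayed_auth_methods)
    if pol.client_backend == "None" and keyed_server and not conn.gateway_auth_required:
        findings.append(f"{tag}: client-side None with public-key/certificate on the server "
                        "and no required gateway authentication: user is never authenticated")

    if pol.client_backend == "Local" and not pol.local_user_db:
        findings.append(f"{tag}: Local backend selected but no Local User Database chosen")

    if pol.client_backend == "RADIUS":
        if not pol.radius_servers:
            findings.append(f"{tag}: RADIUS backend selected but no RADIUS server configured")
        for srv in pol.radius_servers:
            try:
                addr = ip_address(srv.address)
            except ValueError:
                findings.append(f"{tag}: RADIUS address {srv.address!r} is a hostname; use an IPv4 address")
            else:
                if not isinstance(addr, IPv4Address):
                    findings.append(f"{tag}: RADIUS address {srv.address!r} is not IPv4")
            if not srv.shared_secret:
                findings.append(f"{tag}: RADIUS server {srv.address!r} has an empty shared secret")

    # Note from the procedure: a Credential Store makes the server-side
    # (relayed) authentication settings irrelevant, so flag the dead config.
    if conn.credential_store and conn.relayed_auth_methods:
        findings.append(f"{tag}: credential store {conn.credential_store!r} in use; relayed "
                        f"authentication methods {conn.relayed_auth_methods} are ignored")
    return findings


# Constructed sample policies (not from any real deployment).
WEAK = ConnectionPolicy(AuthPolicy("telnet-none", "None"), ["publickey"])
FIXED = ConnectionPolicy(AuthPolicy("telnet-none", "None"), ["publickey"],
                         gateway_auth_required=True)
RADIUS_V6 = ConnectionPolicy(
    AuthPolicy("telnet-radius", "RADIUS",
               radius_servers=[RadiusServer("2001:db8::10", 1812, "constructed-secret")]),
    ["password"])

if __name__ == "__main__":
    for conn in (WEAK, FIXED, RADIUS_V6):
        print(conn.auth_policy.name, lint(conn) or "OK")
```

Running the block prints one "never authenticated" finding for the weak policy, "OK" for the same policy once gateway authentication is required, and an IPv4 finding for the RADIUS policy that points at an IPv6 literal.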