External authentication requirements using authentication server

System Administrator Guide for VSP E990 and VSP G130, G/F350, G/F370, G/F700, G/F900

Version
88-08-0x
Audience
anonymous
Part Number
MK-97HM85028-11

Authentication servers support the following protocols:

  • LDAPv3 simple bind authentication (the storage system authenticates the user by binding with the user's Bind DN and password)
  • RFC 2865-compliant RADIUS with PAP and CHAP authentication
  • Kerberos v5
Note: The authentication server must support TLS 1.2 as the transport protocol.

The root certificate file that you set on Device Manager - Storage Navigator for the LDAP server settings can be in either of the following formats:

  • X.509 DER format
  • X.509 PEM format

Note:

The root certificate to be set on Storage Navigator must satisfy the following requirements:

  • Of the X.509 extension fields defined in RFC 5280, the following are supported:
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier

The server certificate on the connected LDAP server must satisfy the following requirements:

  • Of the X.509 extension fields defined in RFC 5280, the following are supported:
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier
  • The public key of the server certificate must be RSA.
  • If no DNS server is used, specify the IP address of the authentication server (the address you register on the storage system) as the common name (CN) of the server certificate.
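A practical pre-check for the certificate requirements above. This is an added example, not code from the Hitachi documentation or the product; it assumes the third-party `cryptography` library is installed, and the certificates it inspects are self-signed samples generated inline (the address 192.0.2.10 and the key sizes are constructed values), so it runs offline. It accepts either supported file format (PEM or DER), reports which of the three listed extensions are missing, flags extensions outside that list for review, and for a server certificate checks the RSA key and the common name.

```python
"""Added example: check a root or server certificate against the listed requirements."""
import datetime
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# The only X.509 extensions the documentation lists as supported (RFC 5280).
SUPPORTED_EXTENSIONS = {
    ExtensionOID.BASIC_CONSTRAINTS: "BasicConstraints",
    ExtensionOID.KEY_USAGE: "KeyUsage",
    ExtensionOID.SUBJECT_KEY_IDENTIFIER: "SubjectKeyIdentifier",
}


def load_certificate(data: bytes):
    """Accept either supported file format: PEM (text armour) or raw DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return x509.load_pem_x509_certificate(data), "PEM"
    return x509.load_der_x509_certificate(data), "DER"


def pem_to_der(pem: bytes) -> bytes:
    """Re-encode a PEM certificate as DER, the other supported file format."""
    return load_certificate(pem)[0].public_bytes(serialization.Encoding.DER)


def check_certificate(data: bytes, expected_cn: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means the file is acceptable.

    expected_cn is the authentication server address as registered on the
    storage system. Pass it for the server certificate; omit it for the root.
    """
    cert, _ = load_certificate(data)
    findings = []

    present = {ext.oid for ext in cert.extensions}
    for oid, name in SUPPORTED_EXTENSIONS.items():
        if oid not in present:
            findings.append(f"missing extension {name}")
    for oid in present - set(SUPPORTED_EXTENSIONS):
        # Not in the supported list; surface it rather than silently accept it.
        findings.append(f"extension {oid.dotted_string} is not in the supported list")

    if expected_cn is not None:
        if not isinstance(cert.public_key(), rsa.RSAPublicKey):
            findings.append("server public key is not RSA")
        cns = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
        if expected_cn not in cns:
            findings.append(f"common name {cns} does not match {expected_cn!r}")
    return findings


def make_sample_certificate(cn: str, key_algorithm: str = "rsa",
                            extensions=("bc", "ku", "ski")) -> bytes:
    """Build a self-signed certificate in PEM form (constructed sample, not a real CA)."""
    if key_algorithm == "rsa":
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    else:  # an EC key, to show the "must be RSA" check firing
        key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
    )
    if "bc" in extensions:
        builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    if "ku" in extensions:
        builder = builder.add_extension(x509.KeyUsage(
            digital_signature=True, key_encipherment=True, key_cert_sign=True, crl_sign=True,
            content_commitment=False, data_encipherment=False, key_agreement=False,
            encipher_only=False, decipher_only=False), critical=True)
    if "ski" in extensions:
        builder = builder.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    good = make_sample_certificate("192.0.2.10")
    print("good server cert:", check_certificate(good, "192.0.2.10") or "OK")
    bad = make_sample_certificate("ldap.example.com", key_algorithm="ec", extensions=("bc", "ku"))
    print("bad server cert: ", check_certificate(bad, "192.0.2.10"))
```

To check a file from your own PKI instead of the samples, pass `open(path, "rb").read()` to `check_certificate`; the loader picks PEM or DER from the content, not the file name.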

One of the following encryption types must be used for the Kerberos server:

Windows
  • AES128-CTS-HMAC-SHA1-96
  • RC4-HMAC
  • DES3-CBC-SHA1
  • DES-CBC-CRC
  • DES-CBC-MD5
Solaris or Linux
  • DES-CBC-MD5
Note: Of these, only AES128-CTS-HMAC-SHA1-96 is not deprecated: single DES (DES-CBC-CRC, DES-CBC-MD5) is deprecated by RFC 6649, and RC4-HMAC and DES3-CBC-SHA1 by RFC 8429. Current KDCs disable single DES by default (MIT Kerberos since release 1.8, Windows since Server 2008 R2) and MIT Kerberos 1.18 and later no longer implement it at all, so the Solaris or Linux option requires a KDC that still supports DES with weak crypto explicitly enabled (for MIT Kerberos, allow_weak_crypto = true in the [libdefaults] section of krb5.conf) and accepts that the storage system's Kerberos exchanges are protected only by 56-bit DES. Prefer AES128-CTS-HMAC-SHA1-96 with a Windows KDC wherever possible.
CAUTION:
  • Two authentication servers (one primary and one secondary) can be connected to a storage system. The secondary server must use the same configuration as the primary server, except for its host name or IP address and its port number.
  • If you locate a server by using the SRV records registered in the DNS server, confirm that the following conditions are satisfied. SRV records cannot be used for RADIUS servers.
    LDAP server conditions:
    • The LDAP server itself is configured to use the DNS server.
    • The host name, the port number, and the domain name of the LDAP server are registered in the DNS server.
    Kerberos server conditions:
    • The host name, the port number, and the domain name of the Kerberos server are registered in the DNS server.
  • Because the RADIUS server is accessed over UDP/IP, the communication is not encrypted and no session or key negotiation takes place. RFC 2865 only obfuscates the User-Password attribute with an MD5 keystream derived from the shared secret; every other attribute (user name, NAS address, and so on) is sent in clear text, and anyone who holds the shared secret can recover the password from a capture. To access the RADIUS server in a secure environment, packet-level encryption such as IPsec is required.
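The following added example (not part of the Hitachi documentation) makes the RADIUS caution concrete by building an RFC 2865 Access-Request exactly as a client would send it over UDP, then reading it back as a passive observer would. Only the User-Password attribute is hidden, and only with the MD5 keystream of RFC 2865 section 5.2 (shared secret plus Request Authenticator); the user name and NAS address are visible as-is, and the password falls out of the capture for anyone holding the shared secret. The shared secret, user name, password, NAS address and Request Authenticator are all constructed sample values.

```python
"""Added example: what RFC 2865 RADIUS over UDP does and does not protect."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types (RFC 2865 s5)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block).

    The first block is keyed by the Request Authenticator; later blocks chain on the
    previous ciphertext block. This is obfuscation, not authenticated encryption.
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(password)) % 16 if password else 16   # empty password still yields one block
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: all an on-path party with the shared secret needs."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """Serialize Code | Identifier | Length | Request Authenticator | attributes (TLV)."""
    authenticator = authenticator or os.urandom(16)
    attrs = b"".join(
        struct.pack("!BB", t, 2 + len(v)) + v for t, v in (
            (USER_NAME, user),                                             # clear text
            (USER_PASSWORD, hide_password(password, secret, authenticator)),  # obfuscated
            (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),    # clear text
        )
    )
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Decode the header and attributes the way anyone sniffing the UDP datagram can."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def observer_view(packet: bytes, secret: bytes = None) -> dict:
    """What a capture reveals: user and NAS always; the password once the secret is known."""
    p = parse_packet(packet)
    view = {
        "user": p["attrs"][USER_NAME].decode(),
        "nas_ip": ".".join(str(b) for b in p["attrs"][NAS_IP_ADDRESS]),
        "password": None,
    }
    if secret is not None:
        view["password"] = unhide_password(
            p["attrs"][USER_PASSWORD], secret, p["authenticator"]).decode(errors="replace")
    return view


if __name__ == "__main__":
    SECRET = b"shared-secret"                      # constructed sample
    pkt = build_access_request(7, SECRET, b"storage-admin", b"Secr3tP@ss", "192.0.2.50")
    print("on the wire:", pkt.hex())
    print("without the secret:", observer_view(pkt))
    print("with the secret:   ", observer_view(pkt, SECRET))
```

Running the block shows the user name as readable ASCII inside the hex dump and the password recovered the moment the shared secret is supplied, which is why the caution above calls for IPsec (or another packet-level encryption) rather than relying on RADIUS itself.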