Configure External Authentication server for ACS login credentials

As a centralized management server, ACS can integrate with an external RADIUS/LDAP server for login authentication. This article demonstrates how to configure an external LDAP server.

 

This article will be divided into several parts:

Default setting of the External account

Since version 2.5.0, ACS supports using a different external server for each user group.
However, please note the default settings of a user account that authenticates with an external server:

  • Default user role: View Only Operator
  • Default user group:
    • If the credentials are authenticated with the server of the "All UserGroup" profile, the user will get a "User group expired" message when attempting to log in to ACS for the first time. Thus, the user might need to ask the system administrator to assign a user group after the first login.
    • If the credentials are authenticated with the server of a specific user group, the user will have that group as the default user group when logging in to ACS for the first time.

Flowchart with different login URL

Basically, the ACS login URL is https://<IP>:<port>/web/#/login
ACS will authenticate against its MySQL database first. If the credentials don't match, the authentication request will be sent to the external authentication server of the All User group.

If we add the user group name to the URL, for example, https://<IP>:<port>/web/#/login/RootGroup
ACS will send the authentication request to the external server of RootGroup first. If the credentials don't match, the request will be sent to the external server of the All User group.
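
The lookup order above, together with the default role and group from the previous section, written out as a small Python model. This is an added example, not ACS code: the function names, the host acs.example:8443 and the stub credential checks are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

ALL_GROUPS = "All UserGroup"          # profile name as written on this page
DEFAULT_ROLE = "View Only Operator"   # default role for externally authenticated users

def login_group(url):
    """Return the user group named after #/login/ in the URL, or None."""
    parts = [unquote(p) for p in urlsplit(url).fragment.split("/") if p]
    if not parts or parts[0] != "login":
        raise ValueError(f"not an ACS login URL: {url!r}")
    return parts[1] if len(parts) > 1 else None

def auth_order(url):
    """Backends that see the submitted credentials, in order, per the page."""
    group = login_group(url)
    # The page mentions the local MySQL check only for the plain login URL;
    # it does not say whether it also runs for a group URL, so it is omitted there.
    first = "local" if group is None else group
    return list(dict.fromkeys([first, ALL_GROUPS]))  # drop a duplicate entry

def authenticate(url, user, password, backends):
    """Return the first-login outcome, or None if every backend rejects."""
    for name in auth_order(url):
        check = backends.get(name)     # unconfigured backends are skipped
        if check is None or not check(user, password):
            continue
        if name == "local":
            return {"source": name, "role": None, "group": None}  # existing account
        # A match on the "All UserGroup" server leaves the user without a group
        # ("User group expired") until an administrator assigns one.
        group = None if name == ALL_GROUPS else name
        return {"source": name, "role": DEFAULT_ROLE, "group": group}
    return None

# Constructed stand-ins for the real MySQL/LDAP/RADIUS checks.
BACKENDS = {
    "local": lambda u, p: (u, p) == ("admin", "local-pw"),
    "FAE": lambda u, p: (u, p) == ("alice", "fae-pw"),
    ALL_GROUPS: lambda u, p: (u, p) == ("bob", "all-pw"),
}
BASE = "https://acs.example:8443/web/#/login"   # constructed host and port

if __name__ == "__main__":
    for url, user, pw in [(BASE + "/FAE", "alice", "fae-pw"),
                          (BASE, "bob", "all-pw"),
                          (BASE, "alice", "fae-pw")]:
        print(url, user, "->", authenticate(url, user, pw, BACKENDS))
```

The third case returns None: credentials that exist only on the FAE server are rejected at the plain login URL, because that server is never consulted there.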

Configure the External Authentication Server


1. Log in to ACS with the system administrator account and go to the User > External authentication server page.
Select the user group for which you'd like to enable external authentication.

 

2. Configure the details of the external authentication server.
ACS supports AD/LDAP and RADIUS as authentication server types; you could also follow this article to use the Vigor router as a RADIUS server.
However, for security reasons, it is recommended to use LDAP if your server is on the Internet.
Once you have finished the settings, press the Save button to save the profile.

3. As described in Flowchart with different login URL, we can now log in to ACS with the credentials of the external authentication server.

4. When the login succeeds, the system administrator will see on the User > User Management page that a new account has been created with:
- Default user role: View Only Operator
- Default user group: FAE, because the credentials were authenticated with the external server of the "FAE" group.

Published On: Dec 25, 2019 
