This article describes how to implement Clientless single sign on authentication with Active
Directory integration.
Cyberoam – ADS integration feature allows Cyberoam to map the users and groups from Active
Directory for the purpose of authentication.
Prerequisites:
• NetBIOS Domain name
• FQDN Domain name
• Search DN
• Active Directory Server IP address
• Administrator Username and Password (Active Directory Domain)
• IP address of Cyberoam Interface connected to Active Directory server
• Import AD groups
• Configure Clientless SSO
For mapping the ADS user groups with the Cyberoam user groups, create all the ADS user groups
into Cyberoam before ADS users log on to Cyberoam for the first time. If the ADS groups are not
created in Cyberoam, all the users will be assigned to the Default group of Cyberoam.
If all the ADS user groups are created in Cyberoam before users log on to Cyberoam then user will
be automatically created in the respective group when they log on to Cyberoam.
One can import groups only after integrating and defining AD parameters into Cybeoam.
1
How To - Implement Clientless Single Sign On Authentication with Active Directory
Specify TCP/IP port number in Port field. It is the port on which ADS server listens for the
authentication requests. On Cyberoam appliance, the default port for ADS traffic is 389. If your AD
server is using another port, specify port number in Port field.
2
How To - Implement Clientless Single Sign On Authentication with Active Directory
Specify NetBIOS Domain name. If you do not know NetBIOS name, refer to section ‘Determine
NetBIOS Name, FQDN and Search DN’.
• Loose Integration – With loose integration, Cyberoam does the Group management and
does not synchronize groups with AD when user tries to logon. By default, users will be the
member of Cyberoam default group irrespective of Active Directory group, administrator can
change the group membership. Cyberoam will use authentication attribute for authenticating
users with Active Directory.
Click “Test Connection” to check whether Cyberoam is able to connect to the Active Directory or
not. If Cyberoam is able to connect to the Active Directory, click Add to save the configuration.
3
How To - Implement Clientless Single Sign On Authentication with Active Directory
4
How To - Implement Clientless Single Sign On Authentication with Active Directory
5
How To - Implement Clientless Single Sign On Authentication with Active Directory
Username will be displayed on User>Manage Live Users page if user is able to log on to
Cyberoam successfully.
Import AD Groups
If you have deployed v 9.5.3 build 14 or above, import AD groups into Cyberoam using Import
Wizard before configuring for single sign on.
6
How To - Implement Clientless Single Sign On Authentication with Active Directory
With Single Sign On authentication, user automatically logs on to the Cyberoam when logs on to
Windows through his windows username and password. Hence, eliminating the need of multiple
logins and username & passwords.
But, Clientless Single Sign On not only eliminates the need to remember multiple passwords –
Windows and Cyberoam, it also eliminates the installation of SSO clients on each workstation.
Hence, delivering high ease-of-use to end-users, higher levels of security in addition to lowering
operational costs involved in client installation.
CTA Collector – It collects the user authentication request from multiple agents, processes the
request and sends to Cyberoam for authentication.
1. User tries to log on to the Active Directory Domain Controller from any workstation in LAN.
Domain Controller tries to authenticate user credentials.
2. This authentication process is captured and communicated to CTA Collector over default port
5566 by CTA Agent real time.
3. CTA Collector registers user in the Local database and communicates user information to
Cyberoam over the default port 6060
4. Cyberoam queries Active Directory to determine user’s group membership and registers user
in Cyberoam database
Based on data from CTA Agent, Cyberoam queries AD server to determine group membership
and based on which access is granted or denied. Users logged into a workstation directly i.e.
locally but not logged into the domain will not be authenticated and are considered as
“Unauthenticated” or “Guest” user. For users that are not logged into the domain, the HTTP Login
screen prompting for a manual login will be displayed for further authentication.
7
How To - Implement Clientless Single Sign On Authentication with Active Directory
Check for “Cyberoam Transparent Authentication Suite” tab from “Start” > “All Programs”.
If installed successfully, “Cyberoam Transparent Authentication Suite” tab will be added.
Consider the below given hypothetical network example where single domain controller is
configured and follow the below given steps to configure Cyberoam Transparent Authentication:
8
How To - Implement Clientless Single Sign On Authentication with Active Directory
Step 7: Configure CTA Collector from CTA Collector Tab on Primary Domain Controller
If “logoff detection settings” is enabled and firewall is configured on the Workstation, please allow
the traffic to and from Domain controller. If ping is blocked, then Cyberoam will always detect user
as logged out.
Step 8. Configure Agent from CTA Agent Tab on Primary Domain Controller
9
How To - Implement Clientless Single Sign On Authentication with Active Directory
10
How To - Implement Clientless Single Sign On Authentication with Active Directory
Logon to CLI Console with default password, go to Option 4 Cyberoam Console and execute
following command at the prompt:
corporate>cyberoam cta enable
corporate>cyberoam cta collector add collector-ip <ipaddress> collector-port<port number>
Please make sure that you restart management services after enabling the CTA services.
11
How To - Implement Clientless Single Sign On Authentication with Active Directory
12
How To - Implement Clientless Single Sign On Authentication with Active Directory
13