Negotiate authentication policies
As with other types of authentication policies, a Negotiate authentication policy consists of an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy.
In addition to standard authentication functions, the Negotiate Action command can now extract user information from a keytab file instead of requiring you to enter that information manually. If a keytab has more than one SPN, AAA selects the correct SPN. You can configure this feature at the command line, or by using the configuration utility.
Note: These instructions assume that you are already familiar with the LDAP protocol and have already configured your chosen LDAP authentication server.
To configure AAA to extract user information from a keytab file by using the command line interface
At the command prompt, type the appropriate command:
```
add authentication negotiateAction <name> [-keytab <string>]
set authentication negotiateAction <name> [-keytab <string>]
```

Example:

```
> set authentication negotiateAction negotiateAction-1 -keytab keytab-1
```
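Before pointing a Negotiate action at a keytab, it is worth confirming that the file actually carries the SPN you expect, since (as noted above) a keytab can hold several. The following is an added example, not NetScaler code: a minimal reader for the MIT keytab v5.02 format that lists each entry's principal, kvno and enctype; the keytab it parses is constructed in memory, and the realm and host names in it (EXAMPLE.COM, aaa.example.com) are assumptions.

```python
import struct

def build_keytab(entries):
    """Serialise (realm, components, kvno, enctype, key) tuples as a v5.02 keytab (constructed test data)."""
    data = b"\x05\x02"
    for realm, comps, kvno, enctype, key in entries:
        entry = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            entry += struct.pack(">H", len(c)) + c.encode()
        # name_type NT-PRINCIPAL(1), timestamp 0, 8-bit kvno, enctype, key length, key
        entry += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        data += struct.pack(">i", len(entry)) + entry
    return data

def list_principals(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, out = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:              # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            clen = struct.unpack_from(">H", data, pos)[0]
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        _, _, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen          # skip the fixed header and the key bytes themselves
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8  # 32-bit trailer wins
        pos = end
        out.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return out

def has_spn(data, principal):   # the pre-configuration check: is the SPN really there?
    return any(p == principal for p, _, _ in list_principals(data))

# Constructed sample: two SPNs in one keytab, as the text describes.
SAMPLE = build_keytab([
    ("EXAMPLE.COM", ["HTTP", "aaa.example.com"], 3, 18, b"\x11" * 32),
    ("EXAMPLE.COM", ["host", "aaa.example.com"], 3, 17, b"\x22" * 16),
])
```

Run `list_principals(open(path, "rb").read())` against a real keytab to see which SPNs the appliance will have to choose from.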
To configure AAA to extract user information from a keytab file by using the configuration utility
In the configuration utility, the term server is used instead of action, but refers to the same task.
- Navigate to Security > AAA - Application Traffic > Policies > Negotiate.
- In the details pane, on the Servers tab, do one of the following:
  - If you want to create a new Negotiate action, click Add.
  - If you want to modify an existing Negotiate action, in the data pane, select the action, and then click Edit.
- If you are creating a new Negotiate action, in the Name text box, type a name for your new action. The name can be from one to 127 characters in length and can consist of upper- and lowercase letters, numbers, and the hyphen (-) and underscore (_) characters. If you are modifying an existing Negotiate action, skip this step. The name is read-only; you cannot change it.
- Under Negotiate, if the Use Keytab file check box is not already checked, check it.
- In the Keytab file path text box, type the full path and filename of the keytab file that you want to use.
- In the Default authentication group text box, type the authentication group that you want to set as default for this user.
- Click Create or OK to save your changes.