Authentication Methods Overview

This topic describes the authentication methods that Routing Director uses to authenticate users and devices.

Username and Password Authentication

Routing Director can authenticate users by using different authentication methods.

You can use any of the authentication methods that are listed in this topic to log in to the Routing Director Web GUI.

Users can create a Routing Director account to access the Routing Director Web GUI.

In username and password authentication, a user enters their login credentials on the Login page of Routing Director. Routing Director verifies the identity of the user by checking the entered credentials (username and password) against the information stored in the Routing Director database. This ensures that only users with valid credentials can access Routing Director. For more information, see User Activation and Login.

Single Sign-On

Routing Director can authenticate users by using single sign-on (SSO). SSO simplifies password management for users and administrators through centralized authentication by an identity provider (IdP) (for example, OpenLDAP, Microsoft Active Directory, and JumpCloud).

A superuser can configure an IdP in the Organization Settings page and map the default roles in Routing Director to IdP user groups. Routing Director supports Security Assertion Markup Language (SAML 2.0) for SSO authentication with IdPs, as well as Lightweight Directory Access Protocol (LDAP). The IdP asserts the user's identity, and the user is allowed to access the Web GUI based on the user's role.

To configure SSO in Routing Director:

  1. Add the IdP to Routing Director; see Manage Identity Providers.

  2. Map users logging in by using the IdP account credentials to the predefined roles in Routing Director; see Manage Roles.

After the IdP is configured, the superuser shares the SSO URL with the users.

An SSO login can be of two types: IdP-initiated and service provider (SP)-initiated.

When using IdP-initiated login, a user logs in to the IdP and selects the application they want to access. The IdP sends the authentication request to Routing Director as an XML-based SAML assertion. If Routing Director accepts the SAML assertion, the user is logged in to Routing Director; otherwise, the user's login attempt fails.

When using SP-initiated login, the user opens the Login page of Routing Director to enter their credentials. Routing Director redirects the authentication request to the IdP, which responds with a SAML assertion. Routing Director accepts the SAML assertion from the IdP and logs in the user.

Note:

If SSO is enabled, use IdP-initiated login to log in to Routing Director. SP-initiated login results in an error.

To sign in using SSO for the first time:

  1. The user enters the SSO URL in a browser.

    The login screen of the IdP appears.

    The IdP server authenticates the user based on the configured sign-in method. For example, an approval notification is sent to the user's registered device.

  2. After the IdP server successfully authenticates the user, the user is logged in to the Routing Director Web GUI. Routing Director enforces access control on the user based on the role that the Routing Director superuser previously assigned to the IdP user group to which the user belongs.

After a user is successfully authenticated, the user does not need to log in again to access the Routing Director Web GUI. The user remains signed in until the authentication session expires.
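The checks that a service provider applies to the IdP's SAML assertion before logging the user in, and the mapping of IdP user groups to predefined roles described above, as an added Python example that is not Routing Director's code. The issuer, audience, destination URL, group attribute name and role names are constructed assumptions. XML signature verification, which a real SP performs on the Response or Assertion before trusting any value in it, is left to a SAML library and is not shown here.

```python
"""SP-side checks on a SAML 2.0 Response and IdP-group-to-role mapping.

Added example, not Routing Director code. The group attribute name, the
role names and the URLs are constructed for illustration. XML signature
verification is not shown: a real SP verifies the IdP's signature first
(for example with a SAML library) and applies the checks below only to a
signed document.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Hypothetical values the SP would take from its IdP configuration.
IDP_ISSUER = "https://idp.example.test/metadata"
SP_AUDIENCE = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
GROUP_ATTRIBUTE = "groups"  # assumed name of the attribute carrying IdP groups

# Hypothetical mapping of IdP groups to predefined roles, plus the precedence
# used when a user belongs to more than one mapped group.
GROUP_TO_ROLE = {"net-admins": "admin", "net-operators": "operator", "helpdesk": "observer"}
ROLE_PRECEDENCE = ["admin", "operator", "observer"]

# Constructed, unsigned IdP response used as sample input.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sp.example.test/saml/acs" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>helpdesk</saml:AttributeValue>
        <saml:AttributeValue>net-operators</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(text):
    """Parse the UTC timestamps SAML uses (e.g. 2024-01-01T12:00:00Z)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_response(xml_text, now, expected_issuer=IDP_ISSUER,
                      expected_audience=SP_AUDIENCE, expected_acs=SP_ACS_URL):
    """Return {'ok': True, 'user', 'role'} or {'ok': False, 'reason'}."""
    root = ET.fromstring(xml_text)
    # Destination must be this SP's ACS URL: a response minted for another SP is rejected.
    if root.get("Destination") != expected_acs:
        return {"ok": False, "reason": "destination mismatch"}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "reason": "no assertion"}
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        return {"ok": False, "reason": "unexpected issuer"}
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        return {"ok": False, "reason": "no validity window"}
    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    if not (parse_time(conditions.get("NotBefore")) <= now < parse_time(conditions.get("NotOnOrAfter"))):
        return {"ok": False, "reason": "assertion expired or not yet valid"}
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return {"ok": False, "reason": "audience mismatch"}
    user = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not user:
        return {"ok": False, "reason": "no NameID"}
    # Collect the IdP groups and map them to roles; unmapped groups grant nothing.
    groups = []
    for attribute in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attribute.get("Name") == GROUP_ATTRIBUTE:
            groups.extend(v.text for v in attribute.findall("saml:AttributeValue", NS) if v.text)
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    if not roles:
        # Authenticated by the IdP, but no group maps to a role: access is denied.
        return {"ok": False, "reason": "no mapped role", "user": user}
    role = next(r for r in ROLE_PRECEDENCE if r in roles)
    return {"ok": True, "user": user, "role": role}


if __name__ == "__main__":
    print(evaluate_response(SAMPLE_RESPONSE, parse_time("2024-01-01T12:00:30Z")))
```

Running the module prints the outcome for the constructed response. The design point is that authentication by the IdP alone does not grant access: a user whose groups map to no role is rejected, and an assertion issued for a different SP (wrong Audience or Destination), or presented after NotOnOrAfter, is rejected before any role lookup takes place.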

Device Authentication Options

Routing Director supports the following methods to authenticate login attempts on a device:

  • Local authentication—In local authentication, the device stores and verifies the credentials itself, without using external servers such as RADIUS or TACACS+.

    To configure local authentication on a device, select Local Authentication under the Device Authentication section of the Organization Settings page (Settings Menu > Organization Settings). During device onboarding with local authentication selected, Routing Director generates the outbound SSH command, which includes commands to create a local user account. When you commit these commands on the device, a local user is created on the device, and the device uses the credentials of that user to authenticate connections from Routing Director.

  • Device-managed authentication—In device-managed authentication, the device relies on external authentication servers, such as a RADIUS or TACACS+ server, to validate login attempts.

    To configure device-managed authentication on a device, select the Device Managed option under the Device Authentication section of the Organization Settings page (Settings Menu > Organization Settings). When you select Device Managed, the Configure RADIUS option determines whether:

    • Routing Director configures the RADIUS server on the device, or

    • The device uses an authentication configuration existing on the device.

If you enable Configure RADIUS, Routing Director generates outbound SSH commands that include commands to configure a RADIUS server. RADIUS is configured when you commit these commands on the device. After the device connects to Routing Director during onboarding, the device uses the configured RADIUS server to authenticate login attempts from Routing Director.

If you disable Configure RADIUS, the device authenticates login attempts by using whichever authentication methods are already configured on it.

To enable and configure a RADIUS server on a device through Routing Director, see Manage RADIUS Server Configurations.
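The exchange a device performs against its RADIUS server when it validates a login attempt, as an added Python example that is not Routing Director or Junos code. It implements the RFC 2865 Access-Request and Access-Accept/Access-Reject message formats with PAP, so both the device side and the server side of the exchange are visible; the shared secret, user store, NAS address and Request Authenticator are constructed values.

```python
"""RADIUS PAP exchange between a device (the NAS) and its RADIUS server.

Added example implementing the RFC 2865 message formats; it is not Routing
Director or Junos code. The shared secret, user database, addresses and
Request Authenticator used here are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed server-side credential store (a real server stores password hashes).
USER_DB = {"netops": b"s3cr3t-pw"}


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still occupies one block
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: the next keystream block depends on this ciphertext block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def packet(code, ident, authenticator, body):
    """20-byte header (Code, Identifier, Length, Authenticator) followed by attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(pkt):
    """Walk the attribute list, refusing lengths that run past the declared packet size."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length > len(pkt) or length < 20:
        raise ValueError("truncated packet")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(secret, username, password, nas_ip, ident, request_auth):
    """What the device sends to validate a login attempt (PAP)."""
    body = (attr(ATTR_USER_NAME, username.encode())
            + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
            + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, request_auth, body)


def server_handle(request, secret, user_db):
    """Server side: recover the password, check it, answer Accept or Reject."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")


def device_verify_reply(reply, request_auth, secret):
    """Device side: returns (authentic, code). A reply whose authenticator does not match
    the outstanding request and the shared secret is discarded, whatever its code says."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(reply[4:20], expected), code


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", os.urandom(16)
    req = build_access_request(secret, "netops", "s3cr3t-pw", "192.0.2.10", 7, ra)
    print(device_verify_reply(server_handle(req, secret, USER_DB), ra, secret))
```

The Response Authenticator is what lets the device discard a reply that was not produced by a holder of the shared secret, and the User-Password hiding is an MD5-keyed XOR rather than encryption. Both rest entirely on the shared secret, which is why the secret configured on the device and on the server should be long and random, and why RADIUS traffic between them belongs on a management network or inside a secure transport.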