User Authentication
Overview
TOS supports these methods of user authentication (in the following order):
- Local (the password is defined in TOS)
- External server:
  - LDAP (Active Directory)
  - TACACS+
  - RADIUS
- SSO Authentication Service:
  - SAML
Different TOS users can use different authentication methods: TOS applies the method configured for each individual user, so not all users need to share one method.
For Local, TACACS+ and RADIUS authentication, usernames can contain alphanumeric characters and these special characters: @ - + . _
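The username rule above is easy to get wrong when enforced in code, because Python's `str.isalnum()` and `\w` are Unicode-aware and accept look-alike letters and digits. The following validator is an added example written for this page, not TOS code; it assumes that "alphanumeric" means ASCII letters and digits, and the function names are mine. The second function shows the naive version only to make the pitfall visible.

```python
import re

# Permitted set for Local, TACACS+ and RADIUS usernames as listed on this page:
# alphanumeric characters plus @ - + . _
# Assumption for this example: "alphanumeric" means ASCII letters and digits.
TOS_USERNAME_RE = re.compile(r"[A-Za-z0-9@+._-]+")


def is_valid_tos_username(name: str) -> bool:
    """True when name is non-empty and every character is in the permitted set.

    fullmatch (not search or match) is used so that a trailing newline or an
    embedded space cannot slip through.
    """
    return TOS_USERNAME_RE.fullmatch(name) is not None


def is_valid_tos_username_naive(name: str) -> bool:
    """The same rule written with str.isalnum(), kept only to show the pitfall:
    isalnum() is Unicode-aware, so look-alike digits and letters pass."""
    return bool(name) and all(c.isalnum() or c in "@-+._" for c in name)


if __name__ == "__main__":
    for candidate in ("j.doe+ops@example.com", "j doe", "admin\u0663"):
        print(repr(candidate), is_valid_tos_username(candidate),
              is_valid_tos_username_naive(candidate))
```

"admin\u0663" (Arabic-Indic digit three) is rejected by the explicit ASCII class but accepted by the `isalnum()` version; when a username is later matched against an account on a RADIUS or TACACS+ server, that kind of homoglyph is exactly what you do not want to let through.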
When TOS is configured to use LDAP, users defined in LDAP are imported into TOS automatically and can authenticate only through LDAP. Their permission type (Administrator or User) is also determined by their LDAP groups; device permissions for Users are defined in TOS.
All other users are defined locally in TOS. For each of these users you select the authentication method (Local, RADIUS or TACACS+) as part of the user's configuration. Their permission type (Administrator or User) is defined in TOS, not on the RADIUS or TACACS+ server.
RADIUS-authenticated users can additionally be authorized by a profile group, passed as the value of a Vendor-Specific Attribute (VSA) in the RADIUS response. To add a profile group to TOS, see Add a New Profile Group (for RADIUS users only).
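Because the profile group arrives inside the RADIUS reply, the client must check that the reply really came from the holder of the shared secret before acting on it; otherwise anyone who can spoof a UDP packet could hand themselves a privileged group. The following is an added example, not TOS or Tufin code: it builds an Access-Accept carrying a VSA, verifies the Response Authenticator (MD5 over Code, Identifier, Length, Request Authenticator, Attributes and Secret, as in RFC 2865) and then walks the attributes to pull out the group. The page does not state which vendor ID or vendor attribute number TOS uses, so `EXAMPLE_VENDOR_ID` and `EXAMPLE_PROFILE_GROUP_ATTR` are placeholders, and the Request Authenticator, secret and group name in `demo()` are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2            # RADIUS code for Access-Accept (RFC 2865)
ATTR_VENDOR_SPECIFIC = 26    # Vendor-Specific attribute type (RFC 2865 section 5.26)

# Hypothetical values: the page does not state which vendor ID or vendor
# attribute number carries the profile group, so these are placeholders.
EXAMPLE_VENDOR_ID = 99999
EXAMPLE_PROFILE_GROUP_ATTR = 1


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute in the RFC 2865 recommended layout."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        attributes: bytes) -> bytes:
    """Server side: build an Access-Accept with a valid Response Authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def response_authenticator_ok(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: check that the reply was produced by a holder of the shared secret."""
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, received)


def iter_attributes(data: bytes):
    """Yield (type, value) pairs, rejecting truncated or zero-length attributes."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def extract_profile_group(packet: bytes, request_auth: bytes, secret: bytes,
                          vendor_id: int = EXAMPLE_VENDOR_ID,
                          vendor_type: int = EXAMPLE_PROFILE_GROUP_ATTR):
    """Return the profile group from an authenticated Access-Accept, else None.

    None is returned for a non-Accept code, a bad length, a failed Response
    Authenticator check, or when the expected VSA is absent.
    """
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    if not response_authenticator_ok(packet, request_auth, secret):
        return None  # never authorize from a reply the secret holder did not produce
    for atype, value in iter_attributes(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        pos = 4  # vendor sub-attributes follow: Vendor-Type, Vendor-Length, value
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == vendor_type:
                return value[pos + 2:pos + vlen].decode("utf-8", errors="replace")
            pos += vlen
    return None


def demo():
    """Constructed exchange: a genuine reply, the same reply with one byte flipped,
    and the genuine reply checked against the wrong secret."""
    request_auth = bytes(range(16))          # constructed Request Authenticator
    secret = b"constructed-shared-secret"    # constructed shared secret
    attrs = build_vsa(EXAMPLE_VENDOR_ID, EXAMPLE_PROFILE_GROUP_ATTR, b"Firewall-Admins")
    packet = build_access_accept(7, request_auth, secret, attrs)
    tampered = bytearray(packet)
    tampered[-1] ^= 0x01                     # alter the group name in transit
    return (extract_profile_group(packet, request_auth, secret),
            extract_profile_group(bytes(tampered), request_auth, secret),
            extract_profile_group(packet, request_auth, b"wrong-secret"))


if __name__ == "__main__":
    print(demo())
```

The genuine reply yields the group; the tampered reply and the wrong-secret case both yield None, so no authorization decision is made from them. Note that this integrity check is only as strong as the shared secret and the MD5 construction RFC 2865 prescribes, so RADIUS between TOS and the server still belongs on a protected network path.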
Use External LDAP Authentication
Configure TOS to use Active Directory for LDAP authentication, and use the automatically imported LDAP users.
Create and Configure a Custom LDAP for External Authentication of TOS Users
See the Tech Note Configuring a new LDAP vendor for TOS.
Use External RADIUS or TACACS+ Authentication
Configure TOS to use RADIUS or TACACS+, and define users in TOS with the authentication method set to RADIUS or TACACS+.
RADIUS authentication for SSH users can also be enabled in TufinOS, allowing RADIUS-authenticated users to log in to TufinOS over SSH. This requires that the correct interface IP is specified in /etc/hosts.
Use SSO Authentication Service
TOS SSO authentication allows SecureChange users to be authenticated against LDAP, RADIUS, SAML, or TACACS+. Authentication can be performed by any one of these external servers, but authorization of SecureChange users is only possible through their LDAP profile: after a user is externally authenticated, SecureChange must be able to read that user's LDAP profile to authorize them and complete the login. A user who authenticates successfully but has no LDAP profile therefore cannot complete login.