User Authentication Methods and Modes
User authentication methods
Before establishing a connection with the server, Fudo One authenticates the user using one of the following authentication methods:
- Static password,
- SSH key,
- OATH,
- External authentication:
  - CERB,
  - RADIUS,
  - Active Directory,
  - LDAP.

Notes:
- The external authentication servers (CERB, RADIUS, LDAP and Active Directory) require configuration. For more information, refer to the External authentication topic.
- The RDP, SSH and VNC protocols support user authentication over RADIUS in challenge-response mode.
User authentication modes
After authenticating the user, Fudo proceeds to establish a connection with the target system, either using the original user credentials or substituting them with values stored locally or fetched from a password vault.
Because the VNC protocol authenticates the user with a password only, the login entered on the logon screen is ignored when establishing a VNC connection.
Authentication with original login and password
In this authentication mode, Fudo uses the login and password provided by the user upon logon to authenticate the user on the target system.
Authentication with login and password substitution
In this authentication mode, Fudo substitutes the user's login and password with previously defined ones.
Authentication with login and password substitution enables precise identification of the person who connected to the server when a number of users use the same credentials to access it.
Because the VNC protocol authenticates the user with a password only, the login entered as the substitution string is ignored when establishing a VNC connection.
Two-fold authentication
In two-fold authentication mode, the user is asked for a login and password twice: once to authenticate against Fudo and once again to access the target system.
Authentication with password substitution
In this authentication mode, Fudo forwards the login provided by the user and substitutes the password when establishing a connection with the target system.
Because the VNC protocol authenticates the user with a password only, the login entered on the logon screen is ignored when establishing a VNC connection.
Authentication by target server
In this mode, Fudo One forwards the login credentials to the target host, which verifies whether the user is authorized to access it. The verification status is returned to Fudo One, which then establishes the monitored connection. Authentication by the target server is available only when monitoring SSH connections, or RDP connections with the TLS + NLA security option enabled.
Administrator approves access
Fudo One can be configured so that each connection to a monitored server requires approval from the administrator through the administration interface.
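
The credential-handling modes above, modelled as an added example (this is not Fudo code or configuration): it computes which login and password reach the target system for each mode and protocol, and shows how substitution keeps individual users identifiable behind a shared account. The mode labels, the `Session` fields and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Mode labels are invented for this sketch; they mirror the section headings.
ORIGINAL, SUBST_BOTH, SUBST_PASSWORD, TWO_FOLD, BY_TARGET = (
    "original", "subst_both", "subst_password", "two_fold", "by_target")

@dataclass
class Session:
    protocol: str                          # "ssh", "rdp" or "vnc"
    mode: str
    login: str                             # entered at the Fudo logon prompt
    password: str
    stored_login: Optional[str] = None     # stored locally or in a password vault
    stored_password: Optional[str] = None
    second_login: Optional[str] = None     # second prompt in two-fold mode
    second_password: Optional[str] = None
    rdp_tls_nla: bool = False              # RDP security option TLS + NLA

def target_credentials(s: Session) -> Tuple[Optional[str], str]:
    """Return the (login, password) pair presented to the target system."""
    if s.mode == BY_TARGET and not (
            s.protocol == "ssh" or (s.protocol == "rdp" and s.rdp_tls_nla)):
        raise ValueError("by-target mode needs SSH or RDP with TLS + NLA")
    if s.mode in (ORIGINAL, BY_TARGET):
        login, password = s.login, s.password
    elif s.mode == SUBST_BOTH:
        login, password = s.stored_login, s.stored_password
    elif s.mode == SUBST_PASSWORD:
        login, password = s.login, s.stored_password
    elif s.mode == TWO_FOLD:
        login, password = s.second_login, s.second_password
    else:
        raise ValueError(f"unknown mode: {s.mode}")
    if password is None:
        raise ValueError(f"mode {s.mode} has no password to present")
    if s.protocol == "vnc":
        login = None                       # VNC authenticates by password only
    return login, password

def session_record(s: Session) -> dict:
    """Pair the person authenticated at Fudo with the account used on the target."""
    return {"user": s.login, "target_login": target_credentials(s)[0]}

# Constructed sample: two people reach one server through a shared root account.
SHARED = [Session("ssh", SUBST_BOTH, who, "pw-" + who, "root", "vault-secret")
          for who in ("alice", "bob")]
```

In the constructed `SHARED` sample the target system sees `root` for both sessions, while each session record still names the individual user.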