The latest insights from the load balancing experts | Loadbalancer.org

How do I secure my load balancer with Active Directory, LDAP or RADIUS?

/ 4 min read / How-To's

I’ve noticed a lot more of our customers are asking to use their Active Directory login details with the load balancer appliance. And it can get a bit fiddly, so I wanted to write a blog to explain the process in more detail.

Why use centralized authentication?

Better security, for a start. But most people love the fact that they just have one username and password to remember.

Any form of central authentication has the following benefits:

  • Fewer logical accounts and physical devices to secure
  • Easy to block user access instantly to thousands of devices
  • Easy to create security groups with access profiles
  • Easier to achieve compliance with regulations, HIPAA etc

System administrators are well aware that unfortunately some network appliances don’t support central authentication, or make it difficult to achieve.

Hang on, isn’t the load balancer secure already?

Yes. The built-in load balancer authentication is enough for most people and certainly still the recommended solution. It is robust, secure, and tried and tested. Although we do recommend that you treat the appliance as a single user bastion host (just like you would a firewall).

OK, I’m interested - so how does this work?

You’ll need to map an administrator login from your AD Domain controller to a user account on the load balancer. Then your level of access will be controlled by the local load balancer account - but the password policy and lock-out is managed by your single chosen network login.

The Loadbalancer.org appliance has a built-in script to help you configure centralised authentication. You’ll soon be able to log in using your Active Directory Domain username and password, or use other external authentication methods such as LDAP or RADIUS.

Let’s get started

You’ll need console access to the load balancer - usually it's easiest to log in using SSH. Once you have opened an SSH session to your appliance, follow these simple steps:

  1. Type “lbauthconfig” and press Enter

  2. You should now see the following screen:

_1

In this example, I'm using Option 1 - Configure LDAP

  1. Next, you will be asked to input your LDAP FQDN or IP address:

_2

  1. Next you will need to specify your LDAP Port - typically these are Port 389 for LDAP & 3268 for the Global Catalog of Active Directory.

_3

  1. On the next option,you will need to specify your AD Username in the form of USER@DOMAIN - this does not need to be a privileged user.

_4

  1. Next you will be asked to enter the password for the above AD account:

_5

  1. Once you have entered your password, you will be required to enter NETBIOS DC domain name:

_6

  1. From the next menu, you can select the attribute to authenticate against. In my example I will use “samAccountName”.

  2. This will now prompt you for the first user and their password.

  3. Once this has been completed, you should now be able to open up your browser and type in the IP address of your appliance on port 9443 and it will prompt you for the username and password. This is where you can now log in using your Active Directory username and password:

AD-Auth-Screenshot-2

  1. Now that we've configured access to the domain controler for the first user, it's easy to add as many users as you like through the normal part of the web interface i.e. Maintenance > Passwords . Just make sure you tick the AD auth option for each one:

login

Hang on, I don’t like it - how do I turn AD authentication off again?

That's OK, we can part as friends:

  1. Simply open up a putty session to your loadbalancer appliance and log in as “root” credentials.

  2. Now type lbauthconfig and press “Enter”.

  3. You should now see a screen like below:

_7

  1. Now select option 3 and press enter.

  2. Once this runs through its process, you will then see the following message:

_8

  1. You can now log out of the cli shell. Then perform a Ctrl+F5 in your browser and you will be able to log in to the appliance as the default loadbalancer credentials.

So, should I use centralized authentication for my load balancers?

If your environment requires that extra level of security or you just like the sound of having a single login, then why not?

I’ve always thought that good technology should make your life easier, and this latest feature in the load balancer will certainly help to do that.

If you have any questions about the above, please don't hesitate to get in touch.

Found in

How-To's, Security

About the author

Neil Hosking-profile-image
Neil Hosking

Worked with 1st, 2nd & 3rd line technical support for the Royal Navy and corporate companies for over 20 years, Neil joined the Loadbalancer.org support team in September 2015 looking to develop his skill set across a wider variety of customer environments. When he’s not in the office Neil can be found cycling or visiting the cinema as well as watching his favorite TV shows including the Walking Dead.

Read More

Related posts

How-To's
How-To's
Things to keep in mind while choosing a load balancer for your object storage system Himakshi Goswami
Need your object storage system to be highly available, reliable and scalable? We've got you covered. Check out the most important things you need to know when load balancing your storage architecture.

3 min read

Read more
Amazon AWS
Amazon AWS
Hardware, virtual, or cloud: how we help customers migrate seamlessly across platforms Richard Halcrow
In this ever-evolving business world, flexibility is the key to long-term success. With the rise of digitalization in organizations, are you looking to migrate your IT infrastructure from the existing platform and try something new? Learn how we can help you in this, and beyond.

5 min read

Read more
News
News
Huawei root access is BAD! VERY, VERY BAD: Or, how we reasoned ourselves out of root access by default Malcolm Turnbull
As you probably know, the notorious Chinese tech company was blacklisted by Google on the instructions of the Trump administration. All this high-profile paranoia about security got me thinking about our approach to the subject as we prepare to release v8.3.7 of the load balancer appliance...

4 min read

Read more

Get started

Get in touch

Start a conversation about the right solution for your business.

Get in touch

Create your quote

Transparent pricing you can see straight away.

Create your quote

Download now

Try us free for 30 days – see why our customers love us.

Download now