WALLIX Access Manager

Trustelem Radius on Access Manager for AD users

Install Trustelem Connect

Start by installing Trustelem Connect.
This will give Trustelem the ability to process Radius authentications.
The documentation is the following:
https://trustelem-doc.wallix.com/books/trustelem-administration/page/ldap-radius-trustelem-connect
You don't need to read the chapter Setup an application to use Trustelem Connect, the specific instructions for an Access Manager application will be detailed in this chapter.
The common mistakes will be also detailed, but if the authentication is not working you should start by reading the Debug chapter in this LDAP-Radius - Trustelem Connect documentation.

On Trustelem admin page

Go on the tab Apps and create an Access Manager application
Let the root url / organization identifier / domain fields empty
Enable the Radius protocol
Go on the Service setup in the Install Trustelem Connect chapter
Click on Add an application + and select the Access Manager
Enable Radius protocol by clicking on the Radius button
- the listen address can be localhost, all existing IP address on the machine = *, or a specific IP = ...
- this will open the defined udp (Radius) or tcp (LDAP) port on the machine running Trustelem Connect on the IP 127.0.0.1 (localhost) OR on all local IPs (*) OR on a specific local IP (...)
- if you have a dedicated VM for the connector, choose *
- If you don't already have a Bastion using it, you can let the default port 1812. Otherwise, you can use 2812, 3812...
Click Save

On Access Manager admin page

Add a Radius Server on Access Manager: Configuration/RADIUS Servers
- Organization: select the organization where your AD users are
- Name: choose what you want
- Host: the IP/fqdn of the machine running Trustelem Connect
- Protocol: PAP
- Authentication Port: the port is defined on the Trustelem Service previously setup (should be 1812 or 2812)
- Connection Timeout: let de default value, unless you have latency on your network
- Login type: simple login
- Shared Secret: this secret can be found in the Trustelem Access Manager app model.
- NAS Identifier: empty
- Click on Test Connection then Save
Edit the Access Manager domain used for the authentication of your AD users --> Configuration > Domains > should be the Active Directory domain
In the field Associated Authenticators: Active Directory Authenticator Factor 1 - Radius Authenticator Factor 2

You can't test the authentication yet, first you need to define the access rules on Trustelem.
The documentation is provided in the page: https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules
For this kind of authentication, you need a Radius access rule set to 2nd factor only.

Note: for the user authentication, first provide the AD login and password then provide the Trustelem TOTP code, even if the name of the input is Password again.

Trustelem Radius on Access Manager for AM users

Install Trustelem Connect

On Trustelem admin page

Go on the tab Apps and create an Access Manager application
Let the root url / organization identifier / domain fields empty
Enable the Radius protocol
Go on the Service setup in the Install Trustelem Connect chapter
Click on Add an application + and select the Access Manager
Enable Radius protocol by clicking on the Radius button
- the listen address can be localhost, all existing IP address on the machine = *, or a specific IP = ...
- this will open the defined udp (Radius) or tcp (LDAP) port on the machine running Trustelem Connect on the IP 127.0.0.1 (localhost) OR on all local IPs (*) OR on a specific local IP (...)
- if you have a dedicated VM for the connector, choose *
- If you don't already have a Bastion using it, you can let the default port 1812. Otherwise, you can use 2812, 3812...
Click Save

On Access Manager admin page

Add a Radius Server on Access Manager: Configuration/RADIUS Servers
- Organization: select the organization where your AM users are
- Name: whatever you want
- Host: the IP/fqdn of the machine running Trustelem Connect
- Protocol: PAP
- Authentication Port: the port is defined on the Trustelem Service previously setup (should be 1812 or 2812)
- Connection Timeout: let de default value, unless you have latency on your network
- Login type: simple login
- Shared Secret: this secret can be found in the Trustelem Access Manager app model.
- NAS Identifier: empty
- Click on Test Connection then Save
Edit the Access Manager domain used for the authentication of your AM users --> Configuration > Domains > should be the local domain
In the field Associated Authenticators:
- if you want to keep AM user password: Local database Factor 1 - Radius Authenticator Factor 2
- if you want to use Trustelem password: Local database Factor Unused - Radius Authenticator Factor 1

Radius access rule set to 2nd factor only if you want to keep AM user password
--> first provide the local login and password then provide the Trustelem TOTP code, even if the name of the input is Password again
Radius access rule set to 2 factors if you want to use Trustelem password

Trustelem SAML on Access Manager for AD users

On Trustelem admin page

Go on the tab Apps and create an Access Manager application
Enter the root URL of your Access Manager (ex: https://wam.com/wabam)
Enter your organization identifier (you can find it in: Access Manager → Configuration → Organizations)
- The organization must have a Bastion configured
- The organization must not already have the needed domain used (see next point)--> a domain is unique in an organization.
Enter the correct domain value. This domain has to match the Authentication domain name of your Active Directory Authentication domain .
If on Access Manager you need different profiles for Users, click on the + at the end of the line Custom scripting
The point is to send the name of an Access Manager profile in a SAML attribute named profile :

//Define a default profile attribute which matches the name of the Access Manager profile
msg.setAttr("profile","User")
//Change the default profile depending on the email address
if(user.email=="rose.keler@trustelem.demo"){msg.setAttr("profile","Auditor")}
//Change the default profile depending on Trustelem groups
for (let group in groups) {
  if(group=="Trustelem admin group name"){msg.setAttr("profile","Administrator")}
}

Save the modifications
Download the metadata file

On Access Manager admin page

Click on: Configuration → SAML Identity Providers → +Add
Select your organization (the one with the identifier used on Trustelem setup)
Choose a name, for the identity provider setup
In the tab Service Provider:
- In the field WALLIX-AM Entity ID, enter the value WALLIX-AM
- Turn OFF Sign Messages, Encrypt Messages
- Turn ON Signed Response, Signed Assertion
In the tab Identity Provider:
- Import the Trustelem metadata file
- Copy the Redirect Binding Uri and paste it in Redirect Logout Uri, replacing « sso » by « on_logout »
In the tab Domain:
- In the field Domain Name, enter the domain for federated users : still the same value used on the Bastion and on Trustelem setup
- Choose a Default Profile for new users.
  - Usually it is User
  - You can let No Default Profile if Trustelem is in charge of the profile.
- Click on the pen on the line Attributes, and enter the following attributes:
  Login → uid
  Display Name Attribute → displayname
  Email Attribute → email
  Language Attribute → lang Profile Attribute → let this field empty, or enter profile depending on if Trustelem provides this attribute or not

Trustelem SAML on Access Manager for Trustelem users

On Trustelem admin page

Go on the tab Apps and create an Access Manager application
Enter the root URL of your Access Manager (ex: https://wam.com/wabam)
Enter your organization identifier (you can find it in: Access Manager → Configuration → Organizations)
- The organization must have a Bastion configured
- The organization must not already have the needed domain used (see next point)--> a domain is unique in an organization.
Enter the correct domain value. This domain has to match the Authentication domain name of your Trustelem Active Directory Authentication domain .
If on Access Manager you need different profiles for Users, click on the + at the end of the line Custom scripting
The point is to send the name of an Access Manager profile in a SAML attribute named profile :

//Define a default profile attribute which matches the name of the Access Manager profile
msg.setAttr("profile","User")
//Change the default profile depending on the email address
if(user.email=="rose.keler@trustelem.demo"){msg.setAttr("profile","Auditor")}
//Change the default profile depending on Trustelem groups
for (let group in groups) {
  if(group=="Trustelem admin group name"){msg.setAttr("profile","Administrator")}
}

Save the modifications
Download the metadata file

On Access Manager admin page

Click on: Configuration → SAML Identity Providers → +Add
Select your organization (the one with the identifier used on Trustelem setup)
Choose a name, for the identity provider setup
In the tab Service Provider:
- In the field WALLIX-AM Entity ID, enter the value WALLIX-AM
- Turn OFF Sign Messages, Encrypt Messages
- Turn ON Signed Response, Signed Assertion
In the tab Identity Provider:
- Import the Trustelem metadata file
- Copy the Redirect Binding Uri and paste it in Redirect Logout Uri, replacing « sso » by « on_logout »
In the tab Domain:
- In the field Domain Name, enter the domain for federated users : still the same value used on the Bastion and on Trustelem setup
- Choose a Default Profile for new users.
  - Usually it is User
  - You can let No Default Profile if Trustelem is in charge of the profile.
- Click on the pen on the line Attributes, and enter the following attributes:
  Login → email
  Display Name Attribute → displayname
  Email Attribute → email
  Language Attribute → lang Profile Attribute → let this field empty, or enter profile depending on if Trustelem provides this attribute or not

Debug

If the Radius authentication is not working:

Read the debug chapter of LDAP-Radius Trustelem Connect
Verify if the protocol is set to PAP
Reminder: if the password is not handle by Trustelem, the authentication is login + password (AD, local...) then Trustelem TOTP even if the input name is Password again.

If the SAML authentication is not working:

Verify if the setup is correct: there is a lot of information to copy and paste, and an error can quickly happen.
Verify the time on Access Manager: SAML assertion are valid for a short period.
Verify if the user doesn't already exist. For instance if the SAML domain was used before for LDAP authentication, the users may already exist. In these case the authentication will not work and it has to be deleted first.
Verify the attributes mapped in Access Manager
--> reminder: a local Trustelem user must have an uid set to email
Verify if the domain used in the SAML setup is the same used on the Bastion for the Authentication domain name

If after that you still you don't have a working SAML authentication, you can try 2 things:

Download the browser plugin SAML tracer. This plugin will show you the certificate and the attributes send by Trustelem to the Access Manager.
Activate Access Manager logs: Settings > Application Settings > Configuration > SAML enabled at DEBUG level
Try to authenticate again, then download the logs on the Access Manager logs setting page.
The files can help you to understand the issue, but they are not easy to read.

WALLIX Access Manager

Contents

Trustelem Radius on Access Manager for AD users

Trustelem Radius on Access Manager for AM users

Trustelem SAML on Access Manager for AD users

Trustelem SAML on Access Manager for Trustelem users

Debug