WALLIX Bastion

Install Trustelem Connect

Start by installing Trustelem Connect.
This gives Trustelem the ability to process LDAP and Radius authentications.
The documentation is available here:
https://trustelem-doc.wallix.com/books/trustelem-administration/page/ldap-radius-trustelem-connect
You don't need to read the chapter Setup an application to use Trustelem Connect: the specific instructions for a Bastion application are detailed in the next chapters.
Common mistakes are also detailed below, but if the authentication is not working you should start by reading the Debug chapter of that LDAP-Radius - Trustelem Connect documentation.

Trustelem LDAP on Bastion

On Trustelem admin page

On the Bastion admin page

You now have a working LDAP authentication, with access to targets based on Trustelem groups.
/!\ Trustelem users will not be found by the Bastion until they are covered by an access rule (1 or 2 factors).
The documentation for defining the access rules is provided on this page: https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules
For this kind of authentication, you need an LDAP access rule set to 1 factor if it will be combined with a Radius authentication, or to 2 factors if not.

What if I want to encrypt my LDAP flows?

The simplest way to encrypt the LDAP flows is to enable startTLS on the Bastion. Trustelem Connect supports it, so the connection is upgraded to TLS automatically.

The alternative is to implement LDAPS. This takes several steps:
1/ Configure the connector.
In the Trustelem Connect folder, add a config.ini file with the following settings
(adapted to your own installation path and your own certificates):

tls_cert = "C:\Program Files (x86)\Trustelem\connector.crt"
tls_cert_key = "C:\Program Files (x86)\Trustelem\connector.key"

Then restart the connector service on your virtual machine.
2/ Enable LDAPS on the Trustelem service.
3/ Enable SSL on the Bastion.
4/ Optionally, add to the Bastion the certificate authority that issued the certificate used in step 1. This CA is what allows the Bastion to verify the connector's certificate: without it the LDAPS flow can be encrypted, but the identity of the connector cannot be checked.
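Independently of the Bastion UI, it is worth checking from any host that can reach the connector whether the LDAP port really upgrades to TLS (startTLS) or accepts implicit TLS (LDAPS), and whether the certificate presented chains to the CA you intend to install in step 4. The following is an added example, not WALLIX or Trustelem code: it uses only the Python standard library, sends the LDAPv3 StartTLS extended operation (RFC 4511, OID 1.3.6.1.4.1.1466.20037) on port 389 or opens a TLS connection on port 636, and verifies the server certificate against a CA file. The host name connector.example.internal, the ports and the ca.crt path are assumptions.

```python
"""Probe an LDAP endpoint for startTLS or LDAPS and verify its certificate chain.

Added example (not WALLIX or Trustelem code). The StartTLS exchange is encoded by
hand so the protocol is visible; certificate verification is done by the ssl
module against the CA bundle passed in. Host names, ports and paths are assumed.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.

    message_id must be below 128 so it fits a one-byte INTEGER.
    """
    request_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] LDAPOID
    extended_req = b"\x77" + ber_len(len(request_name)) + request_name  # [APPLICATION 23]
    msg_id = b"\x02\x01" + bytes([message_id])                          # INTEGER
    return b"\x30" + ber_len(len(msg_id) + len(extended_req)) + msg_id + extended_req


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data: bytes) -> tuple:
    """Return (resultCode, diagnosticMessage) from an LDAP ExtendedResponse.

    Anything that is not an ExtendedResponse raises ValueError, so a server that
    answers StartTLS with some other operation is reported rather than ignored.
    """
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _tag, _msg_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:                                # [APPLICATION 24] ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _tag, code, pos = _read_tlv(op, 0)             # ENUMERATED resultCode
    _tag, _matched_dn, pos = _read_tlv(op, pos)    # OCTET STRING matchedDN
    _tag, diag, _ = _read_tlv(op, pos)             # OCTET STRING diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before a full LDAP message")
        buf += chunk
    return buf


def _recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage (short or long length form)."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def _describe(ssock: ssl.SSLSocket) -> dict:
    cert = ssock.getpeercert()  # only populated once the chain has verified
    return {"tls": ssock.version(), "subject": cert.get("subject"), "notAfter": cert.get("notAfter")}


def probe_ldaps(host: str, cafile: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Implicit TLS (LDAPS): the handshake happens before any LDAP byte is sent."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as ssock:
            return _describe(ssock)


def probe_starttls(host: str, cafile: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Clear-text StartTLS request, then upgrade the same socket and verify the chain."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request(1))
        code, diag = parse_extended_response(_recv_message(raw))
        if code != 0:  # 0 = success; anything else means the port stays in clear text
            raise RuntimeError(f"server refused StartTLS: resultCode={code} {diag!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as ssock:
            return _describe(ssock)


if __name__ == "__main__":
    import sys
    # Assumed usage: python probe.py starttls connector.example.internal ca.crt
    mode, host, cafile = sys.argv[1:4]
    print((probe_starttls if mode == "starttls" else probe_ldaps)(host, cafile))
```

A non-zero resultCode, or an ssl.SSLCertVerificationError raised by wrap_socket, is what to fix before enabling SSL on the Bastion: a verification error against the CA from step 4 means the connector is presenting a certificate that was not issued by that CA. The same checks can be done with the usual tools, ldapsearch -ZZ -H ldap://host for startTLS and openssl s_client -connect host:636 -CAfile ca.crt for LDAPS.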

Trustelem Radius on Bastion for AD users

On Trustelem admin page

On the Bastion admin page

You can't test the authentication yet: first you need to define the access rules on Trustelem.
The documentation is provided on this page: https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules
For this kind of authentication, you need a Radius access rule set to 2nd factor only. If you want to skip the 2nd factor step for some users, select the rule Always allow for them on Trustelem instead.

If the authentication doesn't work correctly:

Trustelem Radius on Bastion for Bastion users

On Trustelem admin page

On the Bastion admin page

You can't test the authentication yet: first you need to define the access rules on Trustelem.
The documentation is provided on this page: https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules
For this kind of authentication, you need a Radius access rule set to 2 factors.

If the authentication doesn't work correctly:

Trustelem Radius on Bastion for Trustelem users

On Trustelem admin page

On the Bastion admin page

You can't test the authentication yet: first you need to define the access rules on Trustelem.
The documentation is provided on this page: https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules
For this kind of authentication, you need a Radius access rule set to 2nd factor only. If you want to skip the 2nd factor step for some users, select the rule Always allow for them on Trustelem instead.

If the authentication doesn't work correctly:


Revision #27
Created 1 July 2022 08:49:51 by WALLIX Admin
Updated 12 November 2024 08:11:55 by WALLIX Admin