2. Authentication Modes

NexLog DX-Series supports the following authentication modes, any one of which can be selected in configuration.

  • Local Recorder Authentication

  • Network File Share (SMB)

  • Lightweight Directory Access Protocol (LDAP)

  • Microsoft Active Directory (AD)

  • Security Assertion Markup Language 2.0 (SAML)

Table 2.1: Authentication Mode Comparison lists each mode and the notable differences between them.

Table 2.1 Authentication Mode Comparison

Modes compared (columns): Local, SMB, LDAP, Active Directory, SAML

Features compared (rows): Directory Password, Directory Groups, Single Sign-On, Change Password, Password Expiration, Secure Transmission, Account Expirations, Account Deactivation, Automatic User Creation, License Required

The per-mode entries of this table are not available in this text version; the sections below describe each mode.

Local Recorder Authentication

This authentication mode is the default on any new NexLog DX-Series installation. Users and groups are managed directly on the NexLog DX-Series recorder.

Network File Share

This mode requires that users and groups be manually created using the NexLog DX-Series web configuration manager. When a user logs in, their credentials are tested against the network share for read access. If the user can read the contents of the network share, they will be authenticated.

Lightweight Directory Access Protocol

This mode interfaces with a Microsoft Windows Active Directory or OpenLDAP server. Groups created on the NexLog DX-Series must be mapped to a group on the LDAP server. Users are added to the LDAP group. When a user logs in, the recorder validates their login credentials and queries LDAP for their group memberships.

Active Directory

This mode functions the same as LDAP, but only works with Microsoft Windows Active Directory. The primary difference is that this mode allows automatic login by Single Sign-On (SSO).

Security Assertion Markup Language 2.0

This mode interfaces with a SAML 2.0 compliant Identity Provider (IdP). Groups created on the NexLog DX-Series must be passed as part of the assertion from the IdP. The SAML attribute map configuration file on the recorder must be updated to appropriately map claims in the assertion to user attributes (e.g. username, email, first name, last name). When a user logs in, the recorder uses the claim mapped to username to create the account and update permissions based on the group mapping. If the user already exists, permissions are updated on each login based on the groups.
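The following Python example illustrates the claim-mapping and group-synchronisation behaviour described above. It is an added example, not NexLog code: the attribute map format, the claim names and the sample assertion are all constructed for illustration (the recorder's real attribute-map file format is not shown on this page), and the assertion is assumed to have already been signature-checked by the SAML layer before it reaches this logic. The point worth seeing is that group membership is replaced on every login rather than merged, so a group removed at the IdP is also revoked on the recorder, and that only groups that already exist on the recorder are honoured.

```python
"""Map SAML assertion claims to user attributes and sync group membership.

Added example, not NexLog code. The attribute map, claim names and the
assertion below are constructed; signature validation is assumed done upstream.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical attribute map: recorder user field -> SAML attribute Name.
ATTRIBUTE_MAP = {
    "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
}

# Constructed assertion fragment; only the AttributeStatement matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Recorder Admins</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_claims(attrs, attribute_map=ATTRIBUTE_MAP):
    """Apply the attribute map; 'groups' keeps all values, other fields the first."""
    user = {}
    for field, claim_name in attribute_map.items():
        values = attrs.get(claim_name, [])
        user[field] = values if field == "groups" else (values[0] if values else None)
    if not user.get("username"):
        # Without a username claim the recorder cannot create or locate the account.
        raise ValueError("assertion carries no value for the claim mapped to username")
    return user


def sync_user(user_store, recorder_groups, mapped):
    """Create the account on first login, then reset its groups from the assertion.

    Only groups that exist on the recorder are granted; membership is replaced,
    not merged, so groups dropped at the IdP are revoked here on the next login.
    Returns (created, granted_groups).
    """
    granted = sorted(g for g in mapped["groups"] if g in recorder_groups)
    record = user_store.get(mapped["username"])
    created = record is None
    if created:
        record = {}
        user_store[mapped["username"]] = record
    for field in ("email", "first_name", "last_name"):
        record[field] = mapped[field]
    record["groups"] = granted
    return created, granted


def login(user_store, recorder_groups, assertion_xml):
    """Full flow for one login: parse, map, then create/update the account."""
    mapped = map_claims(extract_attributes(assertion_xml))
    return sync_user(user_store, recorder_groups, mapped)


if __name__ == "__main__":
    store = {}
    print(login(store, {"Recorder Admins", "Operators"}, SAMPLE_ASSERTION))
    print(store)
```

In the sample, "Finance" is asserted by the IdP but does not exist on the recorder, so it is silently ignored, which matches the requirement that groups be created on the recorder first.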

2.1. Choosing the Right Mode

Selecting the authentication mode that fits a NexLog DX-Series installation avoids unnecessary setup and deployment time. The right mode can only be determined by a system administrator who is familiar with the users and the operating environment.

Reference Table 2.1: Authentication Mode Comparison for a simple feature comparison of each mode.

If the NexLog DX-Series recorder is installed on a network without directory services, or you do not wish to sync users or passwords to an external source, Local Recorder Authentication should be used.

If the desire is for users to use the same password as other systems, and user creation and permissions can be done on the recorder, Network File Share (SMB) Authentication should be used.

If user accounts and their passwords should be maintained in a central directory, LDAP Authentication should be used.

If the central directory uses advanced authentication methods, like smart cards, and automatic login via Single Sign-On is desired, Active Directory Authentication must be used.

2.2. Setting the Authentication Mode

Fig. 2.1 Authentication Mode Selection - Unlicensed

The authentication mode can be set by logging into the web configuration manager, and navigating to Users and Security → Active Directory.

For details on accessing the web configuration manager, consult the NexLog DX-Series system User Manual.

As seen in Figure 2.1, LDAP and Active Directory authentication require a license to enable.