Remote user authentication and role-based access control (RBAC) are common requirements when deploying new systems in an organization, particularly in the networking world. To meet them, systems typically integrate with RADIUS or Active Directory (AD) servers, to name a couple.
NSX-T integrates with VMware Identity Manager (vIDM) to get the following benefits related to user authentication:
- Support for a broad range of AAA systems, including:
  - AD-based LDAP, OpenLDAP
  - SmartCards / Common Access Cards
  - RSA SecurID
  - Enterprise Single Sign-On
- Common authentication platform across multiple VMware solutions
- Seamless single sign-on experience
This blog post covers the main steps required to integrate NSX-T with vIDM and to configure roles that grant different privileges to different users. It does not cover deployment and hardening of VMware Identity Manager (vIDM). At the end of the post, there is a link to a demo showing how to do the configuration and several role-based access tests.
Assuming that both NSX-T Manager and vIDM appliances are deployed, powered on and configured with the basic management details (IP address, admin users, etc.), the integration requires the following steps:
- Creating an OAuth client ID for the NSX-T Manager in vIDM
- Getting the vIDM appliance thumbprint
- Registering NSX-T Manager with vIDM using the client created
- Adding an Active Directory (AD) server to vIDM
- Configuring different roles in NSX-T for the users retrieved from AD via vIDM
Creating an OAuth client ID for the NSX-T Manager in vIDM
The first step is to create an OAuth client entry for NSX-T in vIDM. This client is what NSX-T registers against in a later step, and it is what establishes the trusted communication channel between the two components.
To create the OAuth client ID for NSX-T (you may need vIDM administrator privileges):
- Access vIDM admin console at https://vIDM_FQDN
- Click on the small triangle in the Catalog tab and select Settings on the drop-down menu
- On the left menu, select Remote App Access and then click on the Create Client button:
- On the Create Client window:
- Select Access Type = Service Client Token
- In Client ID, enter a meaningful name that identifies this NSX-T Manager when reviewing the list of clients in vIDM
- Click on the triangle close to Advanced
- Click on Generate Shared Secret
- Leave all other parameters with default values or modify them to match your needs
- When finished, click on Add
Note: write down the Client ID and Shared Secret as they will be required at a later step. Treat the Shared Secret as a credential: it is what authenticates NSX-T to vIDM, so keep it in your secrets store rather than in a ticket or wiki page.
- A new window with the configuration details of the client will be presented. Click on Back to Clients List
- On the clients list there will be a new entry for the NSX-T Manager. Its status will show Not Activated. That is expected and normal behaviour.
Get the VMware Identity Manager appliance certificate thumbprint
vIDM thumbprint is required for configuring the integration from the NSX-T console. In order to retrieve it:
- Access the vIDM CLI with the sshuser ID
- Obtain root privileges
- Move to the /usr/local/horizon/conf directory
- Issue the following command: openssl x509 -in vidm.corp.local_cert.pem -noout -sha256 -fingerprint (vidm.corp.local is the FQDN of the vIDM appliance in this example; use the certificate file of your own appliance)
Note: write down the vIDM fingerprint (the hex value printed after SHA256 Fingerprint=) as it will be required at a later step. NSX-T pins the vIDM certificate by this value, so whenever the vIDM certificate is replaced the thumbprint stored in NSX must be updated too, otherwise the integration stops working.
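Rather than SSH into the appliance every time, you can fingerprint the certificate vIDM actually presents on its TLS port and compare it with the value you configured. The following script is an added example for this post (not VMware code) using only the Python standard library; the host name vidm.corp.local is the page's example FQDN and the sample PEM at the bottom is a constructed placeholder for the offline demo, not a real certificate. The security point is in the comments: the live fetch deliberately skips validation because the appliance certificate is usually self-signed and is precisely what you are about to pin, so the value must be cross-checked against the one read on the appliance console, never trusted on its own.

```python
"""Compute and compare the vIDM certificate SHA-256 thumbprint.

Added example for this post (not VMware code). Standard library only.
"""
import base64
import hashlib
import hmac
import re
import ssl

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER encoding of the first certificate in a PEM string."""
    match = _PEM_CERT.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_thumbprint(pem: str) -> str:
    """SHA-256 fingerprint of the certificate, formatted like the value after
    'SHA256 Fingerprint=' in `openssl x509 -noout -sha256 -fingerprint`."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(thumbprint: str) -> str:
    """Reduce any common rendering (with or without colons, either case, with
    the 'SHA256 Fingerprint=' prefix) to 64 upper-case hex digits."""
    value = thumbprint.split("=", 1)[-1]
    return re.sub(r"[^0-9a-fA-F]", "", value).upper()


def thumbprints_match(expected: str, observed: str) -> bool:
    """True only if both are well-formed SHA-256 thumbprints and equal.
    hmac.compare_digest avoids leaking the mismatch position through timing."""
    a, b = normalize(expected), normalize(observed)
    return len(a) == 64 and len(b) == 64 and hmac.compare_digest(a, b)


def live_thumbprint(host: str, port: int = 443) -> str:
    """Fingerprint the certificate the appliance presents on its TLS port.
    The certificate is fetched WITHOUT validation on purpose: appliance
    certificates are often self-signed and this value is what gets pinned.
    Compare the result with the value read on the appliance console (the SSH
    step above) so a man-in-the-middle cannot hand you its own certificate."""
    return sha256_thumbprint(ssl.get_server_certificate((host, port)))


# Constructed stand-in for the offline demo: the base64 payload is NOT a real
# certificate, but hashing and formatting are identical for a real one.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    import sys
    # usage: python vidm_thumbprint.py vidm.corp.local "<thumbprint entered in NSX>"
    host, configured = sys.argv[1], sys.argv[2]
    print("match:", thumbprints_match(configured, live_thumbprint(host)))
```

Run it after every vIDM certificate renewal: a False result means the value stored in NSX Manager is stale and remote logins will start failing.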
Registering NSX Manager with vIDM using the client just created
Once we have the OAuth Client ID, its Shared Secret and the vIDM thumbprint, we can proceed to the NSX-T Manager console to register NSX with vIDM. For that:
- On the left menu, select System and then Users
- Once on the Users window, select the Configuration tab and click on the EDIT link in the top right corner
- On the window that pops-up:
- Enable VMware Identity Manager Integration
- Enter the FQDN of the vIDM appliance
- Enter the OAuth Client ID created in vIDM previously
- Enter the Shared Secret associated with the OAuth Client ID
- Enter the SHA-256 thumbprint of the vIDM appliance obtained previously
- Enter the FQDN of the NSX-T Manager appliance
- Click on Save
Note: the value entered in the NSX Manager Appliance field is used to build the OAuth redirect URI that vIDM will accept, so NSX must be accessed through exactly that name after the integration. If you enter the FQDN but then open the NSX Manager by its IP address, remote user authentication fails with a “Must provide a matching redirect uri” error. This exact match is an OAuth safeguard against the authorization response being sent somewhere else, so use the FQDN consistently rather than trying to work around the error.
- Back on the Configuration window, vIDM connection shows as Up and vIDM Integration as Enabled.
- At this stage, there is successful communication between the NSX-T Manager and the VMware Identity Manager appliance.
Adding an Active Directory (AD) server to vIDM
This walkthrough assumes a newly deployed vIDM appliance, which has no directory configured yet. Let’s see how to connect vIDM to Active Directory, one of the most popular options.
Back on the vIDM admin console:
- Click on the Identity & Access Management tab
- Then click on the Add Directory button and select Add Active Directory over LDAP/IWA from the drop-down menu
- On the next screen:
- Provide a meaningful Directory Name, to identify the AD server
- If your directory supports DNS Service Location, leave the option checked. Otherwise, uncheck it and enter the server IP address and port.
- Provide the Bind User details (a dedicated service account with read access to the users and groups to be synchronized is sufficient; do not use a privileged AD account) and click on Test Connection to check that communication is successful
- Once it is OK, click on Save & Next
- On the new screen, select the domains you want to work with and click Next.
- On the next step you can choose to modify the mapping of user attributes. Defaults should work for most of the cases, so you can click Save.
Note: By default, vIDM requires User name, First name, Last name and e-mail fields in order to sync AD users. These settings can be modified in vIDM under Identity & Access Management > Setup > User Attributes, as shown below (Thanks to my colleague Hany Michael (Senior Staff Architect) for sharing this!!)
- After that, specify the Distinguished Name (DN) of the groups to be synchronized and click on Find Groups.
- The system returns the list of groups that match the DN entered. You can either select all of them or specify which ones to sync. Click Next once done. In the example below, there is only the nsx-users group.
- The screen that follows allows you to synchronize users who are not members of the previous groups. You can specify some or leave it blank.
- Finally, you are presented with a summary of the Active Directory users and groups that are about to be synced by vIDM. In the example below, one group containing 3 users will be synchronized. If the information is correct, click on Sync Directory.
- Directory synchronization starts. Click on Refresh Page to get updated information. Wait until you get a green checkmark, indicating that synchronization has been successful
- As a last step, navigate to the Users & Groups tab and confirm the users you expected to sync are visible.
Configuring different roles in NSX for the users retrieved from AD via vIDM
Once VMware Identity Manager has retrieved the specified users from Active Directory, we can assign them different roles in NSX. For that:
- On the NSX-T Manager web console, navigate to System -> Users, select the Role Assignments tab and click on the + ADD button:
- On the window that pops up, select one user or group to be assigned a role. After you type at least three characters, NSX autocompletes the matching names. Once the right user/group is selected, assign it one or more roles from the list below. Click Save when finished.
- Repeat the process to assign roles to more users and/or groups
Note: Privileges are calculated per feature. Users with no explicit role assignment inherit the role(s) of their group. Users with explicit roles receive the highest privilege granted by any of those roles. Assigning roles to AD groups rather than to individual users keeps the configuration manageable, but remember that anyone added to such a group in AD obtains the role at the next sync, so group membership needs the same review as the role assignment itself. A detailed list of Roles and Permissions is available in the NSX-T Admin Guide https://docs.vmware.com/en/VMware-NSX-T/2.0/com.vmware.nsxt.admin.doc/GUID-26C44DE8-1854-4B06-B6DA-A2FD426CDF44.html
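The same role assignments can be created and, more importantly, audited through the NSX-T REST API, which is how you keep an eye on who holds Enterprise Admin once AD groups are in play. The script below is an added example for this post, not VMware code: the endpoint paths (/api/v1/aaa/role-bindings, /api/v1/aaa/roles), the RoleBinding fields (name, type, roles[].role) and the built-in role identifiers are taken from the NSX-T 2.x API guide and should be confirmed for your version with GET /api/v1/aaa/roles; the NSX Manager name nsx-mgr.corp.local, the credentials and the CA file are assumptions, and the sample response is constructed for the offline demo. effective_roles() models the rule stated in the note above (explicit user roles win, otherwise group roles are inherited); NSX itself remains the authority on what a login actually gets.

```python
"""Audit and create NSX-T role bindings through the REST API.

Added example for this post, not VMware code. Endpoint paths, RoleBinding
fields and role identifiers follow the NSX-T 2.x API guide; confirm them for
your version with GET /api/v1/aaa/roles. SAMPLE_BINDINGS is constructed.
"""
import base64
import json
import ssl
import urllib.request

# Roles granting full control; every principal holding one deserves review.
PRIVILEGED_ROLES = {"enterprise_admin"}
# Built-in role identifiers in NSX-T 2.x (confirm with GET /api/v1/aaa/roles).
KNOWN_ROLES = {"enterprise_admin", "auditor", "network_engineer", "network_op",
               "security_engineer", "security_op"}


def role_binding(name, kind, roles):
    """Body for POST /api/v1/aaa/role-bindings. kind is 'remote_user' or
    'remote_group' for vIDM principals, 'local_user' for node-local accounts."""
    if kind not in ("remote_user", "remote_group", "local_user"):
        raise ValueError(f"unsupported principal type: {kind}")
    unknown = set(roles) - KNOWN_ROLES
    if not roles or unknown:
        raise ValueError(f"no roles given or unknown roles: {sorted(unknown)}")
    return {"name": name, "type": kind, "roles": [{"role": r} for r in roles]}


def effective_roles(user, groups, bindings):
    """Model of the rule in the note above: explicit user bindings win and are
    unioned; otherwise the user inherits the union of its groups' roles."""
    explicit, inherited = set(), set()
    for b in bindings:
        roles = {r["role"] for r in b.get("roles", [])}
        if b["type"] == "remote_user" and b["name"] == user:
            explicit |= roles
        elif b["type"] == "remote_group" and b["name"] in groups:
            inherited |= roles
    return explicit or inherited


def audit(bindings):
    """Return the bindings that grant a privileged role, flagging groups,
    because every member synced from AD inherits the group's role."""
    findings = []
    for b in bindings:
        roles = {r["role"] for r in b.get("roles", [])}
        if roles & PRIVILEGED_ROLES:
            findings.append({"name": b["name"], "type": b["type"],
                             "roles": sorted(roles),
                             "group": b["type"] == "remote_group"})
    return findings


def nsx_request(base_url, path, user, password, body=None, cafile=None):
    """Minimal NSX Manager API call with HTTP basic auth. Pass the CA that
    signed the NSX Manager certificate; do not disable verification."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data,
                                 method="POST" if data else "GET")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample shaped like a GET /api/v1/aaa/role-bindings response.
SAMPLE_BINDINGS = {"results": [
    {"name": "nsx-users", "type": "remote_group", "roles": [{"role": "network_op"}]},
    {"name": "nsx-admins", "type": "remote_group", "roles": [{"role": "enterprise_admin"}]},
    {"name": "alice", "type": "remote_user",
     "roles": [{"role": "security_engineer"}, {"role": "enterprise_admin"}]},
    {"name": "carol", "type": "remote_user", "roles": [{"role": "auditor"}]},
    {"name": "admin", "type": "local_user", "roles": [{"role": "enterprise_admin"}]},
]}

if __name__ == "__main__":
    for f in audit(SAMPLE_BINDINGS["results"]):
        print(("GROUP " if f["group"] else "USER  ") + f["name"], f["roles"])
    # Against a real manager (host, credentials and CA file are assumptions):
    # live = nsx_request("https://nsx-mgr.corp.local", "/api/v1/aaa/role-bindings",
    #                    "admin", "secret", cafile="nsx-ca.pem")
    # nsx_request("https://nsx-mgr.corp.local", "/api/v1/aaa/role-bindings",
    #             "admin", "secret", cafile="nsx-ca.pem",
    #             body=role_binding("nsx-users", "remote_group", ["network_op"]))
```

Running the audit on the constructed sample lists nsx-admins (a group, so every AD member is an Enterprise Admin), alice and the local admin account; in a real environment, pipe the live GET response into audit() and treat each flagged group as a membership review item.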
- Log out from the NSX web interface.
- After integration with vIDM, the NSX-T login page offers an option for remote user authentication. Select it and enter your user ID.
- Then you will be redirected to vIDM for entering the user password.
- Once authentication is successful, the user is taken to the NSX home screen
- Take some time to explore the different access levels for each user. Depending on their roles, they will or will not be able to add/delete/modify logical switches, logical routers and/or firewall rules.
Finally, the video below shows the step-by-step configuration of how to integrate NSX-T with VMware Identity Manager, including some tests to check the different user privileges. I hope you find it interesting!
NSX-T 2.1 Update
Starting in NSX-T 2.1, username and password fields have been removed from the NSX login page when Remote User is selected. This has been done to keep the user experience consistent, because VMware Identity Manager supports different authentication methods, not all of which require a username. In order to be redirected to the vIDM login page, users simply need to click on the LOG IN button:
And once on the vIDM login page they can enter their remote user credentials:
Alternatively, they can select Node-Local User on the drop-down menu:
This will redirect them to the local NSX Manager log-in page, where only local users are allowed:
VMware Identity Manager Documentation: https://docs.vmware.com/en/VMware-Identity-Manager/index.html
VMware NSX-T Documentation: https://docs.vmware.com/en/VMware-NSX-T/index.html
All VMware Documentation: https://docs.vmware.com
VMware NSX YouTube Channel: https://www.youtube.com/VMwareNSX
VMware Official Site: https://www.vmware.com/
VMware News and Customer Stories: https://www.vmware.com/radius/