Preparing Policy Manager for LDAP and SQL Authentication Sources

This section describes how to prepare Policy Manager for LDAP Authentication Source Configuration and SQL Authentication Source Configuration.

LDAP Authentication Source Configuration

Policy Manager can perform NTLM/MSCHAPv2, PAP (Password Authentication Protocol)/GTC (Generic Token Card), and certificate-based authentication against any LDAP (Lightweight Directory Access Protocol)-compliant directory (for example, Novell eDirectory, OpenLDAP, and Sun Directory Server). LDAP and Active Directory-based server configurations are similar. You can retrieve role-mapping attributes by using filters. To configure Generic LDAP authentication sources in Policy Manager:

1. Navigate to the Configuration > Authentication > Sources page. The Authentication Sources > General page opens. The General page labels the authentication source and defines session details.

2. Click Add. The Add Authentication Source page opens.

Figure 1  Adding a Generic LDAP Authentication Database

3. Enter the values for these parameters as described in Table 1.

Table 1: General Page Parameters for Generic LDAP Database

Parameter

Action/Description

Name

Enter the name of the LDAP authentication source.

Description

Provide additional information that helps to identify the LDAP authentication source.

Type

Select Generic LDAP.

Use for Authorization

When Use for Authorization is enabled, Policy Manager can use this authentication source to fetch role-mapping attributes. This option is enabled by default.

Backup Servers Priority

To add a backup server in the event the main server goes down, click Add Backup.

NOTE: Aruba recommends setting up one or more backup servers.

Authorization Sources

Specifies additional sources from which role-mapping attributes may be fetched.

1. Select a previously configured authentication source from the drop-down list.

2. To add the authentication source to the list of authorization sources, click Add.

To remove the authentication source from the list, click Remove.

If Policy Manager authenticates the user or device from this authentication source, it also fetches role mapping attributes from these additional authorization sources.

Cache Timeout

Policy Manager caches attributes fetched for an authenticating entity. This parameter controls the duration in number of seconds for which the attributes are cached. The default is 36000 seconds (one hour).

Backup Servers Priority

To add a backup server, click Add Backup.

If the Backup 1 tab appears, you can specify connection details for a backup server.

To remove a backup server, select the server name and click Remove.

To change the server priority of the backup servers, select Move Up or Move Down.

This is the order in which Policy Manager attempts to connect to the backup servers when the primary server is unreachable.

3. When satisfied with these settings, click Next. The Authentication Sources > Primary page opens.

Figure 2  Primary Page: Generic LDAP Authentication Database

Table 2: Primary Parameters for an LDAP Authentication Source

Parameter

Action/Description

Hostname

Enter the name or IP address of the LDAP server you’re going to use for authentication.

Note that most domain controllers are also LDAP servers. Policy Manager uses LDAP to talk to the domain controller.

Connection Security

Set Connection Security to: LDAP over SSL.

This enables the Secure Sockets Layer (SSL) cryptographic protocol to connect to your Active Directory. Selecting LDAP over SSL automatically populates the Port field to 636.

NOTE: In a production environment, security is a concern because when Policy Manager binds to an LDAP server, it submits the username and password for that account over the network in clear text unless you protect it using Connection Security and set the port to 636.

NOTE: To ensure successful authentication, be sure to add the CA (Certificate Authority) certificate of the LDAP server to the Certificate Trust List.

Port

Specify the TCP port at which the LDAP server is listening for connections.

For a single domain LDAP Domain Service:

Default port for LDAP: 389

Default port for LDAP over SSL: 636

When you set the Connection Security field to AD over SSL, this port is automatically set to 636.

For a multi-domain LDAP Domain Service forest, the default ports for the global catalog are:

Default port without SSL: 3268

Default port with SSL: 3269

Verify Server Certificate

Enable this option to verify the Server Certificate for a secure connection.

Bind DN

Enter the Distinguished Name of the node in your directory tree from which to start searching for records.

The Bind DN text box specifies the full distinguished name (DN), including common name (CN), of an LDAP user account that has privileges to search for users (usually the Administrator account). For example: CN=Administrator,CN=Users,DC=mycompany,DC=com

This user account must have at least domain user privileges.

The Bind DN user, such as Administrator, is the username associated with the Bind DN user account.

For a single domain LDAP Domain Service, the Bind DN entry must be located in the same branch and below the Base DN.

For a multi-domain LDAP Domain Service forest, because you leave the Base DN text box empty, the restrictions that apply for a single domain do not apply.

Policy Manager fills in the domain portion of the Bind DN. Policy Manager also populates the Base DN and the NetBIOS Domain Name fields.

For related information, see Preparing Policy Manager for LDAP and SQL Authentication Sources.

NOTE: You may need to get the Bind DN from the LDAP administrator.

Bind Password

This is the text box for the Active Directory password for the account that can search for users.

Enter the Bind password.

NOTE: The Bind password is the same password used in association with the Bind DN user account.

NetBIOS Domain Name

Specify the DN (Distinguished Name) of the administrator account. Policy Manager uses this account to access all other records in the directory.

NOTE: For Active Directory, the bind DN can also be in the administrator@domain format (for example, administrator@acme.com).

Base DN

For a single domain Active Directory Domain Service, this is the text box for the Distinguished Name (DN) of the starting point for directory server searches. For example: DC=mycompany,DC=com.

The LDAP server starts from this DN to create master lists from which you can later filter out individual users and groups.

NOTE: The Base DN value that is automatically populated in this instance is not the best practice Base DN value.

Aruba recommends that you narrow down the Base DN as far as possible to reduce the load on the Active Directory LDAP server. For example, if all your users are in the Active Directory Users and Computers Users folder, then set the Base DN to search in the Users folder.

1. To browse the LDAP directory hierarchy, click Search Base DN. The LDAP Browser opens.

2. Navigate to the DN you want to use as the Base DN.

3. To select a node as a Base DN, click the appropriate node in the tree structure. For a multi-domain Active Directory Domain Service (AD DS) forest, the appropriate action is to leave the Base DN text box blank.

NOTE: This is also one way to test the connectivity to your LDAP directory. If the values entered for the primary server attributes are correct, you should be able to browse the directory hierarchy by clicking Search Base DN.

Search Scope

Search scope is related to the Base DN. The search scope defines how LDAP will search for your objects.

Select one of the following Search Scope types.

Subtree Search: Searches every object and sub-object in the LDAP directory.

One-Level Search: Looks directly under the Base DN.

Base Object: Searches any object under the Base DN.
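The Base DN, Bind DN and Search Scope settings above can be checked before anything is typed into the Policy Manager UI. The following Python is an added example, not ClearPass code: it normalises DNs, tests whether a Bind DN lies at or below a Base DN (the single-domain rule, which an empty Base DN relaxes), and runs the three search scopes over a small constructed directory so you can see which entries each scope reaches. Scope semantics follow RFC 4511 (base = the Base DN entry only, one-level = its direct children, subtree = the Base DN entry and everything beneath it); the directory contents, attribute names and user names are constructed for the example.

```python
"""Added example (not ClearPass code): DN containment and LDAP search-scope
semantics over a constructed in-memory directory.
DN handling follows RFC 4514 (comma-separated RDNs, most specific first);
scopes follow RFC 4511."""
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: DN -> attributes. Not real data.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "DC=mycompany,DC=com": {"objectClass": "domain"},
    "CN=Users,DC=mycompany,DC=com": {"objectClass": "container"},
    "CN=Administrator,CN=Users,DC=mycompany,DC=com": {"objectClass": "user", "sAMAccountName": "administrator"},
    "CN=alice,CN=Users,DC=mycompany,DC=com": {"objectClass": "user", "sAMAccountName": "alice"},
    "OU=Staff,DC=mycompany,DC=com": {"objectClass": "organizationalUnit"},
    "CN=bob,OU=Staff,DC=mycompany,DC=com": {"objectClass": "user", "sAMAccountName": "bob"},
}


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised 'type=value' RDNs, most specific first.
    Attribute types are case-insensitive and whitespace around commas is
    insignificant; values are folded to lower case (assumes case-insensitive
    matching, as for AD DirectoryString attributes). Escaped commas inside
    values are not handled by this simplified parser."""
    rdns = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def is_under(dn: str, base_dn: str) -> bool:
    """True when dn is base_dn itself or lies anywhere below it.
    An empty Base DN (the multi-domain forest setting) contains every DN,
    which is why the single-domain Bind DN restriction disappears there."""
    base = parse_dn(base_dn)
    entry = parse_dn(dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def bind_dn_ok_for_single_domain(bind_dn: str, base_dn: str) -> bool:
    """Single-domain rule from the Primary page: the Bind DN must sit in the
    same branch, at or below the Base DN."""
    return is_under(bind_dn, base_dn)


def search(directory: Dict[str, Dict[str, str]], base_dn: str, scope: str,
           attr_filter: Optional[Tuple[str, str]] = None) -> List[str]:
    """Return the DNs an LDAP search would return for this base, scope and an
    optional equality filter such as ("sAMAccountName", "bob")."""
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    base_depth = len(parse_dn(base_dn))
    hits = []
    for dn, attrs in directory.items():
        if not is_under(dn, base_dn):
            continue
        depth = len(parse_dn(dn)) - base_depth
        in_scope = (scope == "sub") or (scope == "base" and depth == 0) or (scope == "one" and depth == 1)
        if not in_scope:
            continue
        if attr_filter is not None:
            name, wanted = attr_filter
            if not any(k.lower() == name.lower() and v.lower() == wanted.lower() for k, v in attrs.items()):
                continue
        hits.append(dn)
    return sorted(hits)


if __name__ == "__main__":
    base = "DC=mycompany,DC=com"
    for scope in ("base", "one", "sub"):
        print(scope, search(DIRECTORY, base, scope))
    # A one-level search from the domain root never reaches users inside OUs or containers.
    print(search(DIRECTORY, base, "one", ("sAMAccountName", "bob")))  # []
    print(search(DIRECTORY, base, "sub", ("sAMAccountName", "bob")))  # ['CN=bob,OU=Staff,DC=mycompany,DC=com']
```

The last two calls show the failure mode that a narrowed Base DN plus the wrong scope produces: a user in an OU is invisible to a one-level search from the domain root, so authentication fails even though the bind and connection settings are correct.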

LDAP Referrals

Aruba does not recommend enabling the "Follow Referrals" check box.

This function directs the LDAP server to find a specific user in its tree, but it’s possible for the user to be included on another LDAP server, which can cause a search loop.

Bind User

Enable this option to allow a bind operation using the user password.

For clients to be authenticated by using the LDAP bind method, Policy Manager must receive the password in clear text.

Password Attribute

Enter the name of the attribute in the user record from which the user password can be retrieved.

Password Type

Specify the password type: Cleartext, NT Hash, LM Hash, SHA1, SHA256, MD5.

Password Header

Oracle's LDAP implementation prepends a header to a hashed password string.

If you are using Oracle LDAP, enter the header in this field so the hashed password can be correctly identified and read.
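The Bind User, Password Attribute, Password Type and Password Header settings above (and the Password Type list in the SQL section later on this page) determine what Policy Manager can do with a stored credential. The following Python is an added example, not ClearPass code: it recomputes each listed stored form from a PAP candidate (Cleartext, NT Hash, SHA1, SHA256, MD5; LM Hash is left out), strips a configured Password Header before decoding, compares in constant time, and reports which authentication methods each stored form can serve. It carries its own MD4 because hashlib on OpenSSL 3 builds often lacks it. The user records, passwords, the assumption that a header implies base64 and no header implies hex, and the `{SHA}` header value are constructed for the example.

```python
"""Added example (not ClearPass code): verifying a PAP password against each
stored form listed under Password Type, honouring a Password Header, and
reporting which authentication methods a stored form can serve."""
import base64
import hashlib
import hmac
import struct
from typing import Callable, Dict, Set, Tuple


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). The NT hash is MD4 over the UTF-16LE password."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                # Each step updates one word; rotating the tuple reproduces the ABCD/DABC/CDAB/BCDA pattern.
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


# Password Type -> how to recompute the stored form from a cleartext candidate.
DIGESTS: Dict[str, Callable[[str], bytes]] = {
    "NT Hash": nt_hash,
    "SHA1": lambda p: hashlib.sha1(p.encode("utf-8")).digest(),
    "SHA256": lambda p: hashlib.sha256(p.encode("utf-8")).digest(),
    "MD5": lambda p: hashlib.md5(p.encode("utf-8")).digest(),
}


def decode_stored(stored: str, header: str = "") -> bytes:
    """Strip the configured Password Header (Oracle prepends one, e.g. "{SHA}")
    and decode the remainder. Assumption for this example: with a header the
    payload is base64 (RFC 2307 style); without one it is hex."""
    if header:
        if not stored.startswith(header):
            raise ValueError("stored value does not carry the configured Password Header")
        return base64.b64decode(stored[len(header):])
    return bytes.fromhex(stored)


def verify_pap(candidate: str, stored: str, password_type: str, header: str = "") -> bool:
    """PAP/GTC deliver the candidate in clear, so any recomputable stored form
    can be checked. Comparisons are constant-time to avoid timing leaks."""
    if password_type == "Cleartext":
        return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    if password_type == "LM Hash":
        raise NotImplementedError("LM Hash (DES-based) is left out of this example")
    expected = DIGESTS[password_type](candidate)
    return hmac.compare_digest(expected, decode_stored(stored, header))


def methods_for(password_type: str) -> Set[str]:
    """MSCHAPv2 needs the NT hash of the password (derivable from cleartext);
    PAP and GTC work with any stored form the server can recompute. The LDAP
    bind-user method needs the cleartext candidate at authentication time
    regardless of what the directory stores."""
    if password_type in ("Cleartext", "NT Hash"):
        return {"PAP", "GTC", "MSCHAPv2"}
    return {"PAP", "GTC"}


# Constructed user records: (Password Type, stored value, Password Header).
SAMPLE_USERS: Dict[str, Tuple[str, str, str]] = {
    "alice": ("SHA256", hashlib.sha256(b"correct horse").hexdigest(), ""),
    "bob": ("NT Hash", nt_hash("password").hex(), ""),
    "carol": ("SHA1", "{SHA}" + base64.b64encode(hashlib.sha1(b"s3cret").digest()).decode(), "{SHA}"),
}


def authenticate(username: str, candidate: str) -> bool:
    """Look up the constructed record and verify the PAP candidate against it."""
    password_type, stored, header = SAMPLE_USERS[username]
    return verify_pap(candidate, stored, password_type, header)
```

A practical consequence shown by `methods_for`: a directory or database that stores only SHA-family digests can back PAP/GTC but not MSCHAPv2, and a directory that stores nothing Policy Manager can read still works if Bind User is enabled, because the bind itself proves the password.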

User Certificate

Leave the value that is automatically populated in this field as the default unless your LDAP administrator has a different attribute for storing the user certificate.

Always use NetBIOS name

Check this option to always use the NetBIOS name instead of the domain part in the username for authentication.

NOTE: This field is available only if you select Active Directory as an authentication source.

4. When satisfied with these settings, click Next. The Summary page is displayed, which shows all the settings you have entered for the LDAP authentication source.

SQL Authentication Source Configuration

Policy Manager can perform MSCHAPv2 and PAP/GTC authentication against any Open Database Connectivity (ODBC) compliant SQL database such as Microsoft SQL Server, Oracle, or PostgreSQL.

You can specify a stored procedure to query the relevant tables and retrieve role-mapping attributes by using filters.

You can configure the primary and backup servers, session details, filter query, and the role-mapping attributes to fetch for generic SQL authentication sources.

Configuring a Generic SQL Authentication Source

To configure a generic SQL authentication source:

1. Navigate to Configuration > Authentication > Sources. The Authentication Sources page opens.

2. Click Add. The Authentication Sources > General page opens. The General page labels the authentication source and defines session details.

Figure 3  General Page: Generic SQL Authentication Database

3. Enter the information for each of the required parameters as described in Table 3.

Table 3: General Page Parameters for Generic SQL Database

Parameter

Action/Description

Name


Enter the name of the SQL authentication source.

Description

Provide the additional information that helps to identify the authentication source.

Type

Select Generic SQL DB.

Use for Authorization

Leave the Use for Authorization setting enabled.

When Use for Authorization is enabled, Policy Manager can use this authentication source to fetch role-mapping attributes. This option is enabled by default.

Backup Servers Priority

To add a backup server in the event the main server goes down, click Add Backup.

NOTE: Aruba recommends setting up one or more backup servers.

Authorization Sources

Specify additional sources from which role-mapping attributes can be fetched.

Select a previously configured authentication source from the drop-down list.

To add the authentication source to the list of authorization sources, click Add.

To remove the authentication source from the list, click Remove.

If Policy Manager authenticates the user or device from this authentication source, it also fetches role mapping attributes from these additional authorization sources.

Cache Timeout

Specify the number of seconds for the Cache Timeout.

Policy Manager caches attributes fetched for an authenticating entity. This parameter controls the duration in number of seconds for which the attributes are cached.

Backup Servers Priority

To add a backup server, click Add Backup.

If the Backup 1 tab appears, you can specify connection details for a backup server.

To remove a backup server, select the server name and click Remove.

To change the server priority of the backup servers, select Move Up or Move Down.

This is the order in which Policy Manager attempts to connect to the backup servers when the primary server is unreachable.

4. When satisfied with these settings, click Next. The Authentication Sources Primary page opens.

Figure 4  Primary Page: Generic SQL Authentication Source

5. Enter the information for each of the required parameters as described in Table 4.

Table 4: Primary Page Parameters for Generic SQL Database

Parameter

Action/Description

Server Name

Enter the name or IP address of the Generic SQL server you’re going to use for authentication.

Port

Optionally, you can specify a port value to override the default port.

Database Name

Enter the name of the database from which records can be retrieved.

Login Username

Enter the name of the user used to log into the database. This account must have read access to all the attributes that need to be retrieved by the specified filters.

Password

Enter the password for the user account entered in the Login Username field.

Timeout

Enter the duration in seconds that Policy Manager waits before attempting to fail over from the primary to the backup servers (in the order in which they are configured).

ODBC Driver

Select the ODBC driver to connect to the database.

PostgreSQL

Oracle 11g

MariaDB

MSSQL

NOTE: MySQL is no longer supported for ClearPass 6.7.x and later. MySQL has been replaced by Maria-DB Connector (MariaDB).

If you connect to a Microsoft SQL server using Integrated Authentication, the login username in the authentication source can be formatted as either domain/username or UPN (User Principal Name). The following characters are supported in the login username:

Backslash ( \ )

At-sign (@)

Hyphen

Underscore

Password Type

Specify how the user password is stored in the database:

Cleartext: Password is stored as clear, unencrypted text.

NT Hash: Password is stored as an NT hash (MD4).

LM Hash: Password is stored as a LAN Manager hash (DES).

SHA: Password is stored as a Secure Hash Algorithm (SHA) hash.

SHA256: Password is stored as an SHA-256 hash.

MD5: Password is stored as an MD5 hash.
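Added example, not code from the Policy Manager documentation or product: a small Python verifier that shows what each Password Type setting implies when Policy Manager checks a PAP password against the value the filter query fetched from the SQL record. Assumptions: the column holds a hex-encoded digest (either case), SHA means SHA-1, LM Hash is left out because it needs DES, and MD4 is implemented inline because hashlib's md4 is disabled in many OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled in many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [  # (boolean function, additive constant, message-word index, per-step shifts)
        (F, 0x00000000, lambda i: i, (3, 7, 11, 19)),
        (G, 0x5A827999, lambda i: (i % 4) * 4 + i // 4, (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, lambda i: (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i], (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, word, shifts in rounds:
            for i in range(16):
                a, b, c, d = d, rol((a + fn(b, c, d) + X[word(i)] + const) & 0xFFFFFFFF, shifts[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))

# Digest per Password Type as labelled on the Primary page (SHA assumed to be SHA-1; LM Hash omitted,
# it needs DES). All are unsalted fast digests: the setting describes how the application already
# writes the column, it is not a protection mechanism for the stored passwords.
DIGESTS = {
    "nt hash": nt_hash,
    "sha": lambda p: hashlib.sha1(p.encode()).digest(),
    "sha256": lambda p: hashlib.sha256(p.encode()).digest(),
    "md5": lambda p: hashlib.md5(p.encode()).digest(),
}

def verify_pap(password: str, stored: str, password_type: str) -> bool:
    """Check a PAP cleartext password against the value fetched by the filter query,
    interpreting the stored value according to the configured Password Type (hex assumed)."""
    kind = password_type.strip().lower()
    if kind == "cleartext":
        return hmac.compare_digest(password.encode(), stored.encode())
    if kind not in DIGESTS:
        raise ValueError(f"Password Type not handled here: {password_type!r}")
    return hmac.compare_digest(DIGESTS[kind](password).hex(), stored.strip().lower())
```

The constructed check `verify_pap("password", "8846F7EAEE8FB117AD06BDD830B7586C", "NT Hash")` returns True, which is the comparison Policy Manager must be able to make when the SQL column is configured as NT Hash.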

6. When satisfied with the Primary page settings, click Next. The Attributes page appears. The Attributes page defines the SQL database query filters and the attributes to be fetched when using those filters.

Figure 5  Attributes Page: Generic SQL Authentication Source

7. Enter the information for each of the required parameters as described in Table 5.

Table 5: Attributes Page Parameters for Generic SQL Database

Parameter

Action/Description

Filter Name

Displays the name of the filter.

Attribute Name

Specifies the name of the SQL database attributes defined for this filter.

Alias Name

Specifies an alias name for each attribute name selected for the filter.

Enabled As

Optionally, indicates whether the filter is enabled as a role or an attribute type. This option can also be blank.

Add More Filters

Click this button to open the Configure Filter page (for details, see the next section, Defining a Filter Query).

Use this page to define a filter query and the related attributes to be fetched from the SQL DB store.

8. When satisfied with the Attribute page settings, click Next. The Summary page appears.

Defining a Filter Query

The Configure Filter page allows you to define a filter query and the related attributes to be fetched from the SQL DB store.

To define a filter query:

1. Navigate to Configuration > Authentication > Sources. The Authentication Sources page opens.

a. If you're defining a new filter for an existing authentication source, click the name of the authentication source, then select the Attributes tab.

b. If you're defining a new filter query for a newly configured authentication source, follow the steps described in the previous section.

2. From the Attributes page, click Add More Filters. The Configure Filter page opens.

Figure 6  Configure Filter Page: Generic SQL Authentication Source

3. Enter the information for each of the required parameters as described in Table 6.

Table 6: Configure Filter Page Parameters for Generic SQL Database

Parameter

Action/Description

Filter Name

Enter the name of the new filter.

Filter Query

Specify an SQL query to fetch the attributes from the user or device record in the database.

Name

Select Click to add to specify the name of the attribute.

Alias Name

Specify the alias name for the attribute. By default, this is the same value as the attribute name.

Data Type

Specify the data type for this attribute, such as String, Integer, or Boolean.

Enabled As

Specify whether this value is to be used directly as a role or an attribute in an Enforcement Policy. This option bypasses having to assign a role in Policy Manager through a Role Mapping Policy.

4. When satisfied with the Configure Filter page settings, click Save.
