
Web: Example for Configuring HTTPS Web Login (RADIUS Server Authentication+Administrator Account Not on the Local Device)

This section provides an example for configuring HTTPS web login on the web UI. The administrator account is stored on the RADIUS server, and the FW authenticates the administrator through the RADIUS server.

Networking Requirements

As shown in Figure 1, the FW connects to the RADIUS server to authenticate and authorize the administrator.

Figure 1 Networking diagram for configuring HTTPS web login

Data Planning

Administrator
  • User name/Password: radiusadmin/Admin@123
  • Level: 3
  Description: The account name and password should be easy to remember.

RADIUS server
  • Name: myradius
  • IP address: 10.2.0.155
  • Shared key: Admin@123
  • Port: 1812
  Description: Ensure that the configuration on the FW is consistent with that on the RADIUS server.

Port GigabitEthernet 0/0/2
  • IP address: 10.2.0.1/24
  • Security zone: DMZ
  Description: Interface for communicating with the RADIUS server.

Port GigabitEthernet 0/0/3
  • IP address: 172.16.0.1/24
  • Security zone: Trust
  Description: Interface for communicating with the administrator's PC.

Configuration Roadmap

  1. Configure FW interfaces and security policies.
  2. Configure the web service on the device and enable the HTTPS service on interfaces so that the administrator can log in to the web UI through HTTPS.
  3. Configure the RADIUS server, authentication domain, and authorization scheme.
  4. Create an administrator on the RADIUS server and specify the administrator level.

Procedure

  1. Configure the FW.
    1. Configure interfaces.

      1. Choose Network > Interface.
      2. On the Interface List tab, click the edit button in the GE0/0/2 row and configure the parameters as follows:
         • Security Zone: dmz
         • IPv4 Connection Type: Static IP
         • IP Address: 10.2.0.1/24
      3. Click OK.
      4. Repeat the preceding steps to configure GE0/0/3.

         If the default configuration of the management interface is used for login, skip this step. The default IP address of the management interface is 192.168.0.1, the interface is assigned to the Trust zone, and the administrator is allowed to log in to the FW through HTTPS.

         • Zone: trust
         • IPv4 Connection Type: Static IP
         • IP Address: 172.16.0.1/24
         • Management Access: HTTPS

    2. Configure security policies for the FW.

      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add and configure a security policy from the Local zone to the DMZ so that the FW can proactively communicate with the RADIUS server:
         • Name: policy02
         • Source Zone: local
         • Destination Zone: dmz
         • Destination Address/Region: 10.2.0.155/24
         • Action: Allow
      3. Click OK.

    3. Enable the HTTPS service and set the service port and timeout period of the web service.

      By default, the HTTPS service is enabled, and the default port number of the HTTPS service is 8443.

      1. Choose System > Administrator > Service Settings.
      2. Select HTTPS Service and set the service port.
      3. Set Web Service Timeout to 10 minutes.
      4. Click Apply.

    4. Configure the RADIUS server.

      1. Choose Object > Authentication Server > RADIUS.
      2. Click Add and set RADIUS server parameters.

      3. Click Test, and then click OK in the dialog box that is displayed. Enter the account name and password obtained from the RADIUS server, and click Start Checking to check the connectivity to the RADIUS server.

        If the connectivity check succeeds, click Cancel.

      4. Click OK.

    5. Configure an authentication domain, reference the RADIUS server template, and allow administrator access.

      1. Choose Object > User > Authentication Domain.
      2. Click Add to create an authentication domain.

      3. Click radius and set parameters as follows:

    6. Configure an authorization scheme and authentication domain.

      # Configure the RADIUS authorization scheme.

      [FW] aaa
      [FW-aaa] authorization-scheme radius   //Configure authorization scheme radius.
      [FW-aaa-author-radius] authorization-mode radius   //Set the authorization mode to RADIUS.
      [FW-aaa-author-radius] quit
      # Configure the RADIUS authentication domain.
      [FW-aaa] domain radius
      [FW-aaa-domain-radius] authorization-scheme radius   //Bind the authentication domain to authorization scheme radius.
      [FW-aaa-domain-radius] quit
      [FW-aaa] quit

  2. Configure the RADIUS server. For the configuration methods of the RADIUS server you use, refer to related documents.
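The connectivity test in step 4 and every administrator login send a RADIUS Access-Request from the FW to 10.2.0.155 on UDP port 1812. The shared key configured on both sides (Admin@123 in the data plan) is what hides the User-Password attribute in that request and what lets the FW verify that the Access-Accept really came from the server that holds the same key. The Python script below is an added example for this page, not code from Huawei or from the original text; it builds such a request with the example's user name and NAS address, decodes it the way the server does, and checks the reply the way the FW must. The 16-byte Request Authenticator and all packet bytes are constructed in the script, not captured from a device.

```python
import hashlib
import hmac
import os
import socket
import struct

# Values taken from this example's data plan; every packet below is constructed, not captured.
SHARED_KEY = b"Admin@123"          # must match on the FW and on the RADIUS server
USER_NAME = b"radiusadmin@radius"  # account name followed by the authentication domain
USER_PASSWORD = b"Admin@123"
NAS_IP = "10.2.0.1"                # FW interface facing the RADIUS server (GE0/0/2)

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, key, request_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(shared key || previous block), the first block using the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(key + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(hidden, key, request_auth):
    """Server side of hide_password; the NUL padding is stripped afterwards."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(key + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(payload):
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload) or payload[pos + 1] < 2 or pos + payload[pos + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        length = payload[pos + 1]
        attrs[payload[pos]] = payload[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier, request_auth, key=SHARED_KEY):
    """The packet the FW sends to UDP port 1812 when the administrator logs in."""
    attrs = (attribute(ATTR_USER_NAME, USER_NAME)
             + attribute(ATTR_USER_PASSWORD, hide_password(USER_PASSWORD, key, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(code, identifier, attrs, request_auth, key):
    """Server reply: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|key)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + key).digest() + attrs


def verify_response(response, identifier, request_auth, key=SHARED_KEY):
    """What the FW must check before trusting a reply: it answers our outstanding
    identifier and its digest was computed with the shared key over our Request Authenticator."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != identifier:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + key).digest()
    return hmac.compare_digest(expected, response[4:20])


def login_exchange(key_on_server=SHARED_KEY):
    """One simulated login: the FW builds the request, a server holding key_on_server decodes
    and answers it, and the FW decides whether the reply is an authentic Access-Accept."""
    request_auth = os.urandom(16)
    request = build_access_request(42, request_auth)
    attrs = parse_attributes(request[20:])           # server side from here
    ok = reveal_password(attrs[ATTR_USER_PASSWORD], key_on_server, request[4:20]) == USER_PASSWORD
    reply = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], b"", request[4:20], key_on_server)
    return verify_response(reply, 42, request_auth) and reply[0] == ACCESS_ACCEPT   # FW side


if __name__ == "__main__":
    print("matching shared key   ->", login_exchange())            # True
    print("mismatched shared key ->", login_exchange(b"WrongKey"))  # False
```

Two things the script makes visible that the procedure does not: the password is only masked with an MD5 keystream derived from the shared key, so the confidentiality of administrator credentials on the FW-to-RADIUS link rests on that key and on keeping the link inside the DMZ rather than on the protocol itself; and a reply is only trustworthy if the identifier, length and Response Authenticator all check out, which is why a mismatched key on either side makes the login fail rather than succeed.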

Verification

  1. Use the administrator user name/password radiusadmin@radius/Admin@123 to log in to the FW through HTTPS. The login succeeds.
  2. Run the display manager-user online-user command on the FW. The command output shows that the administrator information is correct.
    <FW> display manager-user online-user
     ----------------------------------------------------------------------------
      UserID            : 26
      Username          : radiusadmin@radius
      IP address        : 172.16.0.100
      Access-type       : web
      User-level        : 3
      Authen method     : RADIUS
      Author method     : RADIUS
      Login time        : 2017/03/27 09:55
     ----------------------------------------------------------------------------
    

Configuration Scripts

Only the configuration scripts related to the FW are provided.

#
web-manager security version tlsv1 tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
 web-manager timeout 10
#
radius-server template myradius
 radius-server shared-key cipher %^%#o5p{1IGxT2jTqPVB}16AdbG@.7x>a@l>k+E%^%
#
 radius-server authentication 10.2.0.155 1812 weight 100
 radius-server group-filter class
#
aaa
 authentication-scheme admin_radius
  authentication-mode radius
 authorization-scheme radius
  authorization-mode radius
 domain radius
  authentication-scheme admin_radius
  authorization-scheme radius
  radius-server myradius
  service-type administrator-access
  internet-access mode password
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 ip address 172.16.0.1 255.255.255.0
 service-manage https permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
security-policy
  rule name policy02
  source-zone local
  destination-zone dmz
  destination-address 10.2.0.155 mask 255.255.255.0
  action permit
#
Copyright © Huawei Technologies Co., Ltd.