Make sure you are familiar with the basic concepts and mechanisms of the authentication server deployed on your site, so that the FW and the server can communicate normally.
To prevent data transmission risks between the FW and the RADIUS server or HWTACACS server, you are advised to deploy the FW and servers in a security domain.
This section provides a brief description of the servers and protocols used for the communication between FWs and the authentication servers. For detailed information, refer to the documents delivered with the servers.
RADIUS runs between a FW and a RADIUS server over UDP. RADIUS supports retransmission and standby servers, which ensure high reliability. The FW and RADIUS server use a shared key to protect the password fields of transmitted packets, which provides a basic level of security.
RADIUS is easy to implement and enables an authentication server to perform multithreaded transactions effectively in the case of a large number of users.
The FW uses RADIUS to connect to a SecurID server. When configuring this connection, select the RADIUS server type.
HWTACACS is a Huawei proprietary enhanced version of TACACS and runs between a FW and an HWTACACS server to implement authentication, authorization, and accounting on users.
Compared with RADIUS, HWTACACS is more reliable in transmission and encryption and is a better means of security control. Table 1 compares HWTACACS and RADIUS.
| HWTACACS | RADIUS |
|---|---|
| Uses TCP for reliable transmission. | Uses UDP, which is less reliable than TCP. |
| Encrypts the whole packet except the HWTACACS header. | Encrypts only the password fields in packets. |
| Authentication and authorization are separate. | Authentication and authorization are implemented together. |
| Applies to security control. | Applies to accounting. |
| Supports command-specific authorization. | Does not support command-specific authorization. |
Both HWTACACS and the TACACS+ protocol supported by other vendors provide authentication, authorization, and accounting. HWTACACS and TACACS+ use the same authentication process and implementation, so HWTACACS is fully compatible with TACACS+.
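The two "encryption" rows of Table 1 are easiest to appreciate on the wire. The following Python example is added here and is not code from the Huawei documentation: it implements the RADIUS User-Password hiding of RFC 2865 section 5.2 (MD5 of the shared key chained over 16-byte blocks, applied to the password attribute only) and the TACACS+ body obfuscation of RFC 8907 section 4.5 (an MD5-derived pseudo-pad XORed over the entire body, leaving only the 12-byte header in cleartext), which HWTACACS is stated above to be compatible with. The shared key, user name, password, session ID and the fixed request authenticator are constructed sample values; a real client draws the authenticator from a CSPRNG for every request.

```python
# Added example (not code from the original documentation): shows which bytes
# of an AAA packet the shared key actually protects, to back Table 1.
#
# RADIUS (RFC 2865 section 5.2) hides only the User-Password attribute:
#   p  = password padded with NUL bytes to a multiple of 16
#   b1 = MD5(secret + request_authenticator)   c1 = p1 XOR b1
#   bn = MD5(secret + c(n-1))                  cn = pn XOR bn
# TACACS+ (RFC 8907 section 4.5; the page states HWTACACS is compatible with
# TACACS+) XORs the whole packet body with an MD5 pseudo-pad; only the
# 12-byte header stays in cleartext.
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the User-Password attribute value as it is sent on the wire."""
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk            # the next block is chained on this ciphertext block
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse; trailing NUL padding is stripped."""
    if len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username       # sent in cleartext
    attrs += bytes([2, 2 + len(hidden)]) + hidden           # the only protected field
    header = struct.pack("!BBH", 1, 0x2A, 20 + len(attrs)) + authenticator  # code 1, id 0x2A
    return header + attrs


def radius_cleartext_exposure(packet: bytes, username: bytes, password: bytes) -> dict:
    """What a passive observer of the datagram can read directly (constructed check)."""
    return {"username_visible": username in packet, "password_visible": password in packet}


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pseudo_pad = MD5_1 || MD5_2 || ...;  MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate_body(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR is its own inverse: apply once to send, once more to recover the body."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(x ^ y for x, y in zip(body, pad))


if __name__ == "__main__":
    # Constructed sample values; the authenticator is fixed only for reproducibility.
    secret, auth = b"example-shared-key", bytes(range(16))
    pkt = radius_access_request(b"alice", b"s3cret!", secret, auth)
    print("RADIUS exposure:", radius_cleartext_exposure(pkt, b"alice", b"s3cret!"))
    body = b"\x01\x00\x01\x01\x05\x00\x00\x00alice"   # constructed TACACS+ START-style body
    wire = tacacs_obfuscate_body(body, 0x1234ABCD, secret)
    print("TACACS+ body changed on the wire:", wire != body)
```

The RADIUS result is the practical reading of the table: the user name, NAS identifiers and every other attribute cross the network as-is, and only the password attribute is masked with the shared key, which is why the page recommends keeping the FW and the servers in a security domain. With TACACS+ (and HWTACACS) the entire body, including user names and authorized commands, is covered by the pseudo-pad.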
The FW and LDAP server use LDAP for communication. LDAP is a protocol for accessing online directory services over TCP/IP. LDAP is typically used to store user information and to authenticate and authorize users before they log in. The LDAP directory service is based on a client/server model, with all directory information stored on an LDAP server.
A directory is a particular group of objects that share the same attributes and are organized according to a logical hierarchy. An entry is a collection of attributes and is identified by a distinguished name (DN). An attribute consists of a type and one or more values. The top of the LDAP directory is the root entry, whose DN is called the base DN.
From the perspective of an LDAP client, an LDAP directory consists of entries organized in a tree structure. For example, the svn.com domain managed by an LDAP server provides the OU ou_test, which contains the entries aa, bb, dd, and ff. The DN of entry aa is "CN=aa,OU=ou_test,dc=svn,dc=com".
The basic LDAP authentication process is as follows:
AD is a component that provides directory services in a Windows Server domain environment and can be considered as a method of implementing directory services on the Microsoft platform.
AD integrates login user authentication and directory access control to ensure security. An administrator can manage scattered directory data and organizations and allow only authorized users to access network resources.
The cce.com domain managed by an AD server contains the departments research and marketing. The DN of the research department is "OU=research,DC=cce,DC=com".
AD server authentication is the same as LDAP server authentication except that it consists of both a Kerberos authentication process and the standard LDAP authentication process, whereas LDAP server authentication consists only of the LDAP authentication process.
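The DNs quoted above for the LDAP entry aa and the AD department research are both built from comma-separated type=value pairs, and any value that the FW or an application takes from a user (a login name, a department name) has to be escaped before it is placed into such a string. The following Python example is added here and is not code from the Huawei documentation or from any LDAP library: it parses and builds DNs according to RFC 4514, derives a user DN under a base DN, and checks whether an entry lies under a given base DN. The function names and the sample DNs with embedded commas are constructed for this illustration.

```python
# Added example (not from the original documentation): parse and build LDAP
# distinguished names such as "CN=aa,OU=ou_test,dc=svn,dc=com" and
# "OU=research,DC=cce,DC=com" following RFC 4514, so that user-supplied
# values are escaped instead of being spliced into a DN as raw text.
from typing import List, Tuple

RDN = Tuple[str, str]
_SPECIAL = set(',+"\\<>;')
_HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:                       # control characters as \XX hex pairs
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN string into (type, value) pairs, honouring backslash escapes.
    Multi-valued RDNs (an unescaped '+') are rejected to keep the example short."""
    rdns: List[RDN] = []
    buf: List[str] = []
    attr_type, in_value, i = "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                buf.append(chr(int(pair, 16)))     # \2C -> ',' (single-byte values only)
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])
                i += 2
            else:
                raise ValueError("dangling backslash in DN")
            continue
        if not in_value and ch == "=":
            attr_type, buf, in_value = "".join(buf).strip(), [], True
        elif in_value and ch == ",":
            rdns.append((attr_type, "".join(buf)))
            buf, in_value = [], False
        elif in_value and ch == "+":
            raise ValueError("multi-valued RDNs are not supported here")
        else:
            buf.append(ch)
        i += 1
    if not in_value or not attr_type:
        raise ValueError("DN must end with a complete type=value pair")
    rdns.append((attr_type, "".join(buf)))
    return rdns


def build_dn(rdns: List[RDN]) -> str:
    """Serialize (type, value) pairs; values are escaped on the way out."""
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in rdns)


def user_dn(cn: str, base_dn: str) -> str:
    """DN of a user entry directly under base_dn; cn may come from a login form."""
    return build_dn([("CN", cn)] + parse_dn(base_dn))


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn lies below base_dn in the tree (types compared case-insensitively)."""
    def norm(rdns: List[RDN]) -> List[RDN]:
        return [(t.upper(), v) for t, v in rdns]
    entry, base = norm(parse_dn(dn)), norm(parse_dn(base_dn))
    return len(entry) > len(base) and entry[-len(base):] == base


if __name__ == "__main__":
    print(parse_dn("CN=aa,OU=ou_test,dc=svn,dc=com"))
    print(user_dn("aa", "OU=ou_test,dc=svn,dc=com"))
    # A comma in the supplied name stays inside the CN value instead of adding an RDN.
    print(user_dn("x,OU=admins", "DC=cce,DC=com"))
    print(is_under("CN=aa,OU=ou_test,dc=svn,dc=com", "DC=svn,DC=com"))
```

The escaping matters for the FW's own user lookups as much as for applications: a value such as "x,OU=admins" must end up as a single CN value, not as a second RDN that moves the entry to another branch of the tree, and the is_under check is the simplest way to confirm that an entry returned by the server really belongs to the configured base DN.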
The Agile Controller server provides terminal access authentication and terminal security management functions. Huawei's Policy Center and Agile Controller products are collectively referred to as Agile Controller servers.
The Agile Controller server stores information about the departments of an enterprise and displays them in a tree structure. Each department contains multiple users.
A FW imports information about departments and users from the Agile Controller server and performs single sign-on (SSO) for users that the Agile Controller has already authenticated, so these users do not need a second identity authentication.