
Web: Example for Enabling Mobile Employees to Access the Headquarters Through SSL VPN Tunnels (MAC Address Authentication)

Networking Requirements

On the enterprise network shown in Figure 1, mobile employees access resources at the headquarters through SSL VPN tunnels. The mobile employees are required to use the specified devices to access resources at the headquarters, which prevents unauthorized devices from accessing the enterprise network. To meet the requirement, the network administrator at the headquarters needs to configure MAC address authentication on the virtual gateway to authenticate the MAC addresses of user devices.

Figure 1 Networking diagram for configuring MAC address authentication for mobile employees to access the headquarters through SSL VPN tunnels

Procedure

  1. Configure an interface.
    1. Choose Network > Interface.
    2. Click of GigabitEthernet 0/0/1 and set required parameters.

      Security zone: untrust
      IPv4 IP address: 1.1.1.1/24

    3. Click OK.
    4. Configure GigabitEthernet 0/0/2 based on the preceding step.

      Security zone: trust
      IPv4 IP address: 10.2.0.1/24

  2. Configure users and authentication.
    1. Choose Object > User > default and set required parameters.

      The user group of user user0001 is /default/group1, User Location is local authentication, and Password is Password@123.

    2. Click Apply.
  3. Configure the SSL VPN gateway.
    1. Choose Network > SSL VPN > SSL VPN.
    2. Click Network and set required parameters as follows.

    3. Click Next.
  4. Set the SSL version, encryption suite, as well as session timeout duration and lifecycle. You can use the default values. Click Next.
  5. Select Network Extension and click Next.

    MAC address authentication can be used in multiple service scenarios, such as web proxy, file sharing, port forwarding, and network extension. Which services users access is not the focus of this section. In this section, network extension is used as an example.

  6. Configure network extension.
    1. In Accessible Private Network Segment List, click Add. Set required parameters.

    2. Click Next.
  7. Configure SSL VPN role authorization/users.
    1. In List of Authorized Roles, click Add and set role authorization parameters according to the following figure. Then click OK.

    2. Return to the Role Authorization/User page and click OK.
  8. Configure MAC address authentication.
    1. Choose Network > SSL VPN > SSL VPN.
    2. Click of virtual gateway gateway.
    3. Select MAC Authentication.

    4. Click Enable to enable MAC authentication.
    5. Click Add, configure a MAC address group and associate it with the user group of employee user0001, and then click OK.

    6. Return to the MAC address authentication configuration page and click OK.
  9. Configure a security policy to allow mobile employees to access resources at the headquarters.
    1. Configure a security policy for traffic from the Internet to the FW to allow mobile employees to access the SSL VPN gateway.

      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add and configure security policy policy01 based on the following parameters:

        Name: policy01
        Source Zone: untrust
        Destination zone: local
        Destination Address/Region: 1.1.1.1/24
        Services: https
        Action: Permit

      3. Click OK.

    2. Configure a security policy for traffic from the FW to the intranet to allow mobile employees to access resources at the headquarters.

      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add and configure security policy policy02 based on the following parameters:

        Name: policy02
        Source Zone: untrust
        Destination zone: trust
        Destination Address/Region: 10.2.0.0/24
        Action: Permit

      3. Click OK.

Verifying the Configuration

  1. Enter https://1.1.1.1:443 in the address box of the browser to access the SSL VPN login page.

    Upon the first access, install the controls as prompted.

  2. On the login page, enter the user name and password and click Login.

    If you use the specified device with MAC address 286e-xxxx-xxxx for login, the login succeeds.

    If you use any other device, whose MAC address is not 286e-xxxx-xxxx, for login, the system displays MAC address authentication failed.

Configuration Scripts

#
aaa
 authentication-scheme default
 authorization-scheme default
 domain default
  service-type ssl-vpn
  internet-access mode password
  reference user current-domain
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#****BEGIN***gateway**1****#
v-gateway gateway
 basic
  ssl version tlsv11 tlsv12
  ssl timeout 5
  ssl lifecycle 1440
  ssl ciphersuit custom aes256-sha aes128-sha
 service
  network-extension enable
  network-extension keep-alive enable
  network-extension keep-alive interval 120
  network-extension netpool 172.16.1.1 172.16.1.100 255.255.255.0
  netpool 172.16.1.1 default
  network-extension manual-route 10.2.0.0 255.255.255.0
 security
  policy-default-action permit vt-src-ip
  certification cert-anonymous cert-field user-filter subject cn group-filter subject cn
  certification cert-anonymous filter-policy permit-all
  certification cert-challenge cert-field user-filter subject cn
  certification user-cert-filter key-usage any
  undo public-user enable
  mac-authentication enable
  mac-group mac-group
   mac-address 286e-d488-dc67
  bind user-group /default/group1 mac-group mac-group
 hostchecker
 cachecleaner
 role
 role default
  role default condition all
 role role
  role role condition all
  role role network-extension enable
#****END****#
#
security-policy
 rule name policy01
  source-zone untrust
  destination-zone local
  service https
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name policy02
  source-zone untrust
  destination-zone trust
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
# The following configurations are stored in the database, not described in the configuration file.
 user-manage user user0001 domain default
 password %$%$j@p.U.0bwNQv9nE#tf]G-+"v%$%$
  parent-group /default/group1
 v-gateway gateway
  vpndb
   group /default/group1
  role
   role role1 group /default/group1
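As an added example (my own code, not Huawei's and not part of the original page), the following Python script audits a copy of the configuration script above for what steps 8 and 9 are meant to establish: that MAC authentication is enabled on the virtual gateway, that a MAC group is bound to the employee's user group /default/group1 and contains the device's MAC address (accepting colon- and hyphen-separated notations, since the verification step compares the client's MAC with the 286e-xxxx-xxxx entry), and that the rule whose destination zone is local, the one that exposes the gateway itself to the Internet, is limited to the https service. MAC address authentication binds access to a device identifier reported by the client, so it supplements rather than replaces the user credentials configured in step 2; the script checks both pieces are present. The embedded configuration is a constructed excerpt of the script above, and the function names are assumptions of this example.

```python
"""Audit helper for the SSL VPN MAC authentication configuration (added example)."""
import re

# Constructed excerpt of the configuration script above (not a full device config).
SAMPLE_CONFIG = """\
#
v-gateway gateway
 security
  policy-default-action permit vt-src-ip
  undo public-user enable
  mac-authentication enable
  mac-group mac-group
   mac-address 286e-d488-dc67
  bind user-group /default/group1 mac-group mac-group
#
security-policy
 rule name policy01
  source-zone untrust
  destination-zone local
  service https
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name policy02
  source-zone untrust
  destination-zone trust
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
"""


def normalize_mac(mac):
    """Return a MAC in the xxxx-xxxx-xxxx form used by the CLI from any common notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_mac_auth(config):
    """Return (enabled, {mac-group: set of MACs}, {user-group: mac-group})."""
    enabled, groups, bindings, current = False, {}, {}, None
    for line in config.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if indent < 3:
            current = None  # mac-address entries sit one level below mac-group
        s = line.strip()
        if s == "mac-authentication enable":
            enabled = True
        elif s.startswith("mac-group "):
            current = s.split()[1]
            groups.setdefault(current, set())
        elif s.startswith("mac-address ") and current:
            groups[current].add(normalize_mac(s.split()[1]))
        elif s.startswith("bind user-group "):
            parts = s.split()  # bind user-group <group> mac-group <mac-group>
            bindings[parts[2]] = parts[4]
    return enabled, groups, bindings


def parse_policies(config):
    """Return {rule name: {keyword: value}} from the security-policy section."""
    rules, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("#"):
            name = None  # section separator ends the current rule
        elif s.startswith("rule name "):
            name = s.split()[2]
            rules[name] = {}
        elif name and s:
            key, _, value = s.partition(" ")
            rules[name][key] = value
    return rules


def audit(config, user_group, device_mac):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    enabled, groups, bindings = parse_mac_auth(config)
    if not enabled:
        findings.append("mac-authentication is not enabled on the virtual gateway")
    group = bindings.get(user_group)
    if group is None:
        findings.append(f"no mac-group is bound to user group {user_group}")
    elif normalize_mac(device_mac) not in groups.get(group, set()):
        findings.append(f"device {device_mac} is not in mac-group {group}")
    for name, rule in parse_policies(config).items():
        # Traffic permitted to the firewall itself should be limited to the SSL VPN service.
        if rule.get("destination-zone") == "local" and rule.get("action") == "permit":
            if rule.get("service") != "https":
                findings.append(f"rule {name} reaches the firewall itself but is not limited to https")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "/default/group1", "28:6E:D4:88:DC:67") or ["all checks passed"]:
        print(finding)
```

Run it against a saved `display current-configuration` output instead of the embedded excerpt to confirm that the MAC group still lists exactly the devices you issued; an entry that drifts from the approved list is the first thing to look for when a login fails with "MAC address authentication failed" or, conversely, succeeds from a device you did not expect.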
Copyright © Huawei Technologies Co., Ltd.