
Configuring an Authentication Domain

This section describes how to configure the authentication mode and new user options in an authentication domain and how to assign network parameters to users in the authentication domain.

Context

Authentication domains have different functions for users with different authentication modes. For details, see Authentication Domain.

Only the New User Authentication Option setting in the authentication domain takes effect on SSO users.

Procedure

  1. Access the AAA view from the system view.

    aaa

  2. Configure an authentication scheme.
    1. Create an authentication scheme and access the authentication scheme view.

      authentication-scheme scheme-name

    2. Configure an authentication mode.

      authentication-mode { ad | hwtacacs | ldap | local | radius } *

      If multiple authentication methods are configured in an authentication scheme, they take effect in the order in which they were configured. During authentication, the next authentication mode is used only when the current one does not respond. If the current authentication mode responds but the account information (user name or password) is incorrect, the next authentication mode is not tried.

  3. Optional: Configure a RADIUS accounting scheme.

    The RADIUS accounting scheme applies only to user-defined portal authentication, SSL VPN access, L2TP/L2TP over IPSec, IPSec access, administrator access, and 802.1x access scenarios in which the firewall participates in user authentication.

    1. Create an accounting scheme and access the accounting scheme view.

      accounting-scheme scheme-name

    2. Create a RADIUS accounting mode.

      accounting-mode radius

  4. Optional: Configure a RADIUS authorization scheme.

    The RADIUS authorization scheme applies only to user-defined portal authentication, SSL VPN access, L2TP/L2TP over IPSec, IPSec access, administrator access, and 802.1x access scenarios in which the firewall participates in user authentication.

    1. Create an authorization scheme and access the authorization scheme view.

      authorization-scheme scheme-name

    2. Create a RADIUS authorization mode.

      authorization-mode radius

  5. Return to the AAA view.

    quit

  6. Optional: Configure the service scheme used by remote access users.
    1. Create a service scheme.

      service-scheme service-scheme-name

      The service scheme is used to assign IP addresses and DNS server parameters to VPN access users.

    2. Configure an address pool.

      ip-pool pool-name [ move-to new-position ]

      The referenced pool-name is the address pool created by executing the ip pool command in the system view.

    3. Configure a DHCP server group.

      dhcp-server group group-name

    4. Configure the DNS.

      dns ip-address [ secondary ]

    5. Configure the NBNS.

      nbns ip-address [ secondary ]

  7. Access the authentication domain view.

    domain domain-name

  8. Configure the access control of the authentication domain function.

    service-type { administrator-access | dot1x | internetaccess | ike | l2tp | ssl-vpn } *

    To implement user name-based policy control on access users, the internetaccess parameter must be specified.

  9. Configure the authentication scheme used by the authentication domain.

    authentication-scheme scheme-name

    The authentication scheme is the one configured in step 2.

    By default, authentication scheme default is used in the authentication domain, and the authentication mode is local authentication.

  10. Configure the RADIUS accounting scheme used by the authentication domain.

    accounting-scheme scheme-name

    The accounting scheme is the one configured in step 3.

    By default, accounting scheme default is used in the authentication domain, the accounting mode is non-accounting, and realtime accounting is disabled.

  11. Configure the RADIUS authorization scheme used by the authentication domain.

    authorization-scheme scheme-name

    The authorization scheme is the one configured in step 4.

    By default, authorization scheme default is used in the authentication domain, and the authorization mode is local authorization.

  12. Optional: Configure an authentication server for the authentication domain.

    Select the authentication server that matches the authentication mode specified in step 2.

    • Configure a RADIUS authentication server.

      radius-server template-name

    • Configure an HWTACACS authentication server.

      hwtacacs-server template-name

    • Configure an AD authentication server.

      ad-server template-name

    • Configure an LDAP authentication server.

      ldap-server template-name

  13. Enable the function of reporting user traffic statistics.

    statistic enable

    After this function is enabled, the FW reports traffic statistics about IPSec VPN access users and L2TP VPN access users to the RADIUS server, so that the server can charge the users according to their traffic statistics. Traffic statistics can be reported only to the RADIUS server.

    To use this function, the access control of the authentication domain must contain internetaccess, and an authentication policy is required.

  14. Optional: Configure the service scheme used by the authentication domain.

    service-scheme service-scheme-name

    The service scheme is the one configured in step 6.

  15. Optional: Configure the maximum number of users allowed for the authentication domain.

    access-limit max-number

  16. Optional: Configure the authentication option for new users in an authentication domain.

    The new user option does not take effect for user-defined Portal authentication (the FW participates in user authentication).

    For users who pass server authentication or SSO but do not exist on the FW, permissions are controlled by the authentication option for new users.

    User names on the FW should not contain any slashes (/), commas (,), double quotation marks ("), question marks (?), or at signs (@). If a new user name contains a slash (/), comma (,), double quotation mark ("), question mark (?), or at sign (@), it cannot be added to the temporary user group on the FW.

    AD SSO does not apply to user names that contain a dollar sign ($).

    new-user { add-temporary group group-name [ auto-import policy-name ] | deny-authentication }

    No default authentication option is configured for new users. The FW processes new users as follows:

    • Internet access online user list: The FW does not allow new users to log in.
    • Remote access online user list: New users can go online for VPN access. However, the FW cannot complete user-based policy control. To implement user-based policy control, you must configure new user options so that the users going online are included in the online user list.

    If an authentication option is configured, the authentication option takes effect on both Internet access and remote access online user lists.

    • If new user authentication is set to deny-authentication, the FW rejects a new user's login requests regardless of whether the authentication server has authenticated this user.
    • If new user authentication is set to add-temporary group group-name, new users are considered temporary users and are not added to the local user list, but they have the Internet access permissions of local user group group-name.

    • If new user authentication is set to add-temporary group group-name auto-import policy-name, new users are considered temporary users and are not added to the local user list. The new users will preferentially use the permissions of the user groups on the server based on the specified server import policy. The configured import policy is used to obtain the user's organizational structure on the server. The new users will use the permissions of the specified local user group only when the user group on the server does not exist on the FW.

      User groups and security groups on the FW cannot contain certain special characters. For details, see Restrictions and Precautions. After the FW obtains the user group and security group based on the import policy, if the user group name and security group name contain invalid characters, the FW converts these characters into underscores (_) and checks whether the converted user group and security group exist locally.

      If a new user logs in as a temporary user and the parent group of this user changes when the user is online, the parent group in the online user list will not be immediately updated. The local existing parent group of the temporary user will be updated only when all users using the IP address of this temporary user log out and log in again.

      If a dynamic security group is used, the add-temporary group group-name auto-import policy-name command must be used to configure new users.

      In the scenario where the authentication server and import server are separated (for details, see User Permission Control), import policies of the specified AD/LDAP server are supported. The FW controls user permissions through the organizational structure of the import server. Note that the import type of the import policy must include users.

      In the scenario where the authentication server is separated from the import server (for details, see User Permission Control), when the new user authentication option is set to add-temporary group group-name auto-import policy-name, the FW updates user organizational structures based on the organizational structures on the import server if the users and their organizational structures exist on the local device and the import policy is configured to override existing users (configured using the import-override enable command).

      In the scenario where the authentication server is separated from the import server (for details, see User Permission Control) and users are controlled based on dynamic security groups, you can run the user-manage dynamic-user cache enable command to enable the dynamic user cache function, which helps improve the efficiency in querying dynamic security groups.

      To ensure user login efficiency, treat new users as temporary users and do not add them to the local user list.

    To manage new users based on security groups, run the following command:

    new-user parent-security-group parent-security-group-name

    The FW can also manage new users based on security groups in other ways, such as adding new users to a local security group, automatically importing security groups from the server, and preferentially using the permissions of the security groups on the server.
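The following is an added worked example, not taken from the original page, that strings the steps above into one coherent configuration for a RADIUS-backed SSL VPN domain. All names (vpn-pool, sch-radius, acct-radius, authz-radius, svc-vpn, corp.example, rad-tpl, vpn_users) and addresses are constructed placeholders; rad-tpl is assumed to be an already created RADIUS server template, and the lines beginning with "#" are annotations, not CLI input.

```text
# Step 6.2 references an address pool, so create it in the system view first
# (address range configuration omitted).
system-view
 ip pool vpn-pool
  quit
 aaa
  # Step 2: RADIUS first, local only as a fallback. Local is consulted only if
  # RADIUS does not respond; a RADIUS "wrong password" is final and is not retried locally.
  authentication-scheme sch-radius
   authentication-mode radius local
   quit
  # Step 3: RADIUS accounting for the VPN sessions.
  accounting-scheme acct-radius
   accounting-mode radius
   quit
  # Step 4: RADIUS authorization.
  authorization-scheme authz-radius
   authorization-mode radius
   quit
  # Step 6: addresses and DNS handed to VPN access users.
  service-scheme svc-vpn
   ip-pool vpn-pool
   dns 10.0.0.53
   dns 10.0.0.54 secondary
   quit
  # Steps 7 to 16: the domain ties the schemes together.
  domain corp.example
   # internetaccess is required for user name based policy control and for statistic enable.
   service-type ssl-vpn internetaccess
   authentication-scheme sch-radius
   accounting-scheme acct-radius
   authorization-scheme authz-radius
   radius-server rad-tpl
   # Requires internetaccess above plus an authentication policy (not shown).
   statistic enable
   service-scheme svc-vpn
   access-limit 500
   # Users that RADIUS accepts but that do not exist on the FW become temporary users
   # with the permissions of local group vpn_users; use deny-authentication to reject them instead.
   new-user add-temporary group vpn_users
   quit
  quit
```

Verify that each scheme is created before the domain references it: the domain falls back to the default schemes (local authentication, non-accounting, local authorization) if a referenced scheme name does not exist.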

Copyright © Huawei Technologies Co., Ltd.