
CLI: Example for Configuring Local Authentication on Remote Access Users Using SSL VPN

This section provides an example of configuring local authentication for remote access users who connect through SSL VPN, with the FW acting as the VPN access gateway.

Networking Requirements

An enterprise has deployed a FW as the VPN access gateway that connects the intranet to the Internet, as shown in Figure 1. Employees on the move connect to the FW using SSL VPN to access network resources.

Figure 1 Local authentication on remote access users using SSL VPN

The FW's user management and authentication mechanisms must allow employees on the move to connect to the headquarters and must map each connecting IP address to a user, so that user-specific behavior control and permission assignment can be implemented. Information about users and departments is stored on the FW and can be referenced by security policies and by the SSL VPN configuration.

Configuration Roadmap

This example describes only how to configure user management and authentication. For details on certificate authentication, see SSL VPN related sections.

  1. Create user groups and users and set passwords for the users.
  2. Configure a default authentication domain.

Data Planning

Item: R&D employee on the move

Data:

  Group

  • Name: research

  • Parent Group: /default

  User

  • Login Name: user_0002

  • Display Name: Tom

  • Parent Group: /default/research

  • Password/Confirm Password: Admin@123

  • Prohibit Users from Sharing This Account

Description: Add the R&D employee on the move to group research. You can repeat the operations in this example to configure multiple user accounts. Admin@123 is a placeholder for this example only; in a deployment each account gets its own strong password.

Item: Marketing employee on the move

Data:

  Group

  • Name: marketing

  • Parent Group: /default

  User

  • Login Name: user_0003

  • Display Name: Jack

  • Parent Group: /default/marketing

  • Password/Confirm Password: Admin@123

  • Prohibit Users from Sharing This Account

Description: Add the marketing employee on the move to group marketing. You can repeat the operations in this example to configure multiple user accounts.

Item: Authentication domain

Data:

  • Name: default

  • Access Control: Allow SSL VPN Access and Allow Online Behavior Management

Description: The default authentication domain is used during authentication, so employees on the move do not need to append a domain name to the user name they enter.

Procedure

  1. Set IP addresses for interfaces and assign the interfaces to security zones. The following example describes how to configure interface GigabitEthernet 0/0/2. You can configure other interfaces based on the networking diagram.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] ip address 10.2.0.1 24
    [FW-GigabitEthernet0/0/2] quit
    [FW] firewall zone dmz
    [FW-zone-dmz] add interface GigabitEthernet 0/0/2
    [FW-zone-dmz] quit
    

  2. Create a user group object and a user object for an R&D employee.

    [FW] user-manage group /default/research
    [FW-usergroup-/default/research] quit
    [FW] user-manage user user_0002
    [FW-localuser-user_0002] alias Tom
    [FW-localuser-user_0002] parent-group /default/research
    [FW-localuser-user_0002] password Admin@123
    [FW-localuser-user_0002] undo multi-ip online enable
    [FW-localuser-user_0002] quit
    

  3. Create a user group object and a user object for a marketing employee.

    [FW] user-manage group /default/marketing
    [FW-usergroup-/default/marketing] quit
    [FW] user-manage user user_0003
    [FW-localuser-user_0003] alias Jack
    [FW-localuser-user_0003] parent-group /default/marketing
    [FW-localuser-user_0003] password Admin@123
    [FW-localuser-user_0003] undo multi-ip online enable
    [FW-localuser-user_0003] quit
    

  4. Configure the authentication domain.

    For employees on the move who use the network extension service, configure both ssl-vpn and internetaccess as the service-type if user-specific permission control is required; configure ssl-vpn only if it is not. For employees on the move who do not use the network extension service, configure ssl-vpn only; permission control for them is implemented through the role-based authorization function of the SSL VPN.

    The internetaccess option makes the FW record the mapping between the IP address assigned to each VPN user and the user name. This mapping is what allows policies that reference user and user group objects to match VPN traffic.

    [FW] aaa
    [FW-aaa] domain default
    [FW-aaa-domain-default] service-type internetaccess ssl-vpn
    [FW-aaa-domain-default] quit
    [FW-aaa] quit

  5. Configure an authentication policy.

    [FW] auth-policy
    [FW-policy-auth] rule name auth_policy_service
    [FW-policy-auth-rule-auth_policy_service] source-address range 10.2.0.2 10.2.0.15
    [FW-policy-auth-rule-auth_policy_service] action exempt-auth
    [FW-policy-auth-rule-auth_policy_service] quit
    [FW-policy-auth] quit
    

    To apply user-specific policies to VPN access users, the authentication policy must match the private IP addresses that packets carry after VPN decapsulation, that is, the addresses assigned from the network extension address pool (10.2.0.2-10.2.0.15 in this example). The action is exempt-auth because these users were already authenticated when they logged in to the SSL VPN virtual gateway; the FW identifies their traffic through the recorded IP-to-user mapping instead of challenging them again.

  6. After the configuration is complete, you can configure service authorization.

    • Network extension service: Configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.
    • Web proxy, file sharing, and port forwarding services: Reference the user and user group objects in the role module of the SSL VPN.
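The procedure above, as an added example that is not part of the original page: a Python generator that turns the Data Planning table into the user-manage, aaa and auth-policy commands of steps 2 to 5. It derives the prompt of every line from the login name of the user being configured, so a prompt that names a different user than the one being edited (the kind of slip that creeps in when a user block is copied) cannot occur, and it refuses to produce a script when two accounts share a password or a password is the documentation sample Admin@123. The User dataclass, PLAN, check_password, render_user and render_config are this example's own assumptions, and the password rule is a stand-in for whatever policy the enterprise enforces; the command syntax is the page's own.

```python
"""Generate the FW user-management CLI block from a data plan (added example)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class User:
    login: str
    alias: str
    group: str                 # full path, e.g. /default/research
    password: str
    share_allowed: bool = False  # False -> emit "undo multi-ip online enable"


SAMPLE_PASSWORD = "Admin@123"  # the placeholder the page uses; never ship it


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations (empty means acceptable).

    Assumed policy: at least 8 characters, at least 3 of the 4 character
    classes, and not the documentation sample value.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if pw == SAMPLE_PASSWORD:
        problems.append("documentation sample password")
    return problems


def render_user(u: User) -> list[str]:
    # Every line inside the user view is prefixed by the prompt for *this*
    # user, so the prompt can never name a different account than the
    # one being configured.
    p = f"[FW-localuser-{u.login}]"
    lines = [
        f"[FW] user-manage user {u.login}",
        f"{p} alias {u.alias}",
        f"{p} parent-group {u.group}",
        f"{p} password {u.password}",
    ]
    if not u.share_allowed:
        lines.append(f"{p} undo multi-ip online enable")
    lines.append(f"{p} quit")
    return lines


def render_config(users: list[User], pool_first: str, pool_last: str,
                  domain: str = "default") -> str:
    """Return the complete CLI block, or raise ValueError on a policy violation."""
    issues = []
    seen_logins: set[str] = set()
    seen_pw: dict[str, str] = {}
    for u in users:
        if u.login in seen_logins:
            issues.append(f"{u.login}: duplicate login name")
        seen_logins.add(u.login)
        for prob in check_password(u.password):
            issues.append(f"{u.login}: password {prob}")
        if u.password in seen_pw:
            issues.append(f"{u.login}: same password as {seen_pw[u.password]}")
        seen_pw.setdefault(u.password, u.login)
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    if first > last:
        issues.append("address pool: first address is above last address")
    if issues:
        raise ValueError("; ".join(issues))

    out = []
    for g in sorted({u.group for u in users}):  # groups must exist before users reference them
        out += [f"[FW] user-manage group {g}", f"[FW-usergroup-{g}] quit"]
    for u in users:
        out += render_user(u)
    out += [
        "[FW] aaa",
        f"[FW-aaa] domain {domain}",
        f"[FW-aaa-domain-{domain}] service-type internetaccess ssl-vpn",
        f"[FW-aaa-domain-{domain}] quit",
        "[FW-aaa] quit",
        "[FW] auth-policy",
        "[FW-policy-auth] rule name auth_policy_service",
        f"[FW-policy-auth-rule-auth_policy_service] source-address range {first} {last}",
        "[FW-policy-auth-rule-auth_policy_service] action exempt-auth",
        "[FW-policy-auth-rule-auth_policy_service] quit",
        "[FW-policy-auth] quit",
    ]
    return "\n".join(out)


# Constructed plan mirroring the Data Planning table, with distinct passwords.
PLAN = [
    User("user_0002", "Tom", "/default/research", "R3search!Tom7"),
    User("user_0003", "Jack", "/default/marketing", "M4rketing#Jack9"),
]

if __name__ == "__main__":
    print(render_config(PLAN, "10.2.0.2", "10.2.0.15"))
```

Running the script prints the block ready to paste into system view; the address pool range is passed once and reused for the auth-policy rule, so the rule cannot silently cover a different range than the one the network extension service hands out.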

Verification

  • An R&D employee on the move accesses the authentication web page of the SSL VPN virtual gateway and enters user name user_0002 and password Admin@123 for authentication. After being authenticated, the employee on the move can access network resources.
  • A marketing employee on the move accesses the authentication web page of the SSL VPN virtual gateway and enters user name user_0003 and password Admin@123 for authentication. After being authenticated, the employee on the move can access network resources.
  • Run the display user-manage online-user command on the FW to display information about online users that are using the network extension service.
    <FW> display user-manage online-user verbose
     Current Total Number: 1
    --------------------------------------------------------------------------------
     IP Address: 10.2.0.8
     Login Time: 2015-01-21 14:58:36  Online Time: 00:00:49
     State: Active  TTL: 00:30:00  Left Time: 00:29:59
     Access Type: ssl vpn
     Authentication Mode: Password (Local)
     <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
     User Name: user_0002 Parent Group: /default/research
    --------------------------------------------------------------------------------

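A parser for the display user-manage online-user verbose output, added here as an example rather than taken from the page, that runs two checks a practitioner would want after the verification step: accounts online from more than one IP address at the same time, which the Prohibit Users from Sharing This Account setting (undo multi-ip online enable) is meant to prevent, and SSL VPN users whose address lies outside the network extension pool covered by the exempt-auth rule, which means the pool and the authentication policy have drifted apart. SAMPLE_OUTPUT is constructed from the record format shown above with two extra records added; the function names are this example's own.

```python
"""Parse FW online-user output and flag shared accounts and out-of-pool VPN users (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the page's record plus two more (a second session for
# user_0002 and a user_0003 session outside the 10.2.0.2-10.2.0.15 pool).
SAMPLE_OUTPUT = """\
<FW> display user-manage online-user verbose
 Current Total Number: 3
--------------------------------------------------------------------------------
 IP Address: 10.2.0.8
 Login Time: 2015-01-21 14:58:36  Online Time: 00:00:49
 State: Active  TTL: 00:30:00  Left Time: 00:29:59
 Access Type: ssl vpn
 Authentication Mode: Password (Local)
 <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
 User Name: user_0002 Parent Group: /default/research
--------------------------------------------------------------------------------
 IP Address: 10.2.0.9
 Login Time: 2015-01-21 15:02:11  Online Time: 00:00:05
 State: Active  TTL: 00:30:00  Left Time: 00:29:55
 Access Type: ssl vpn
 Authentication Mode: Password (Local)
 <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
 User Name: user_0002 Parent Group: /default/research
--------------------------------------------------------------------------------
 IP Address: 10.2.0.40
 Login Time: 2015-01-21 15:03:40  Online Time: 00:00:02
 State: Active  TTL: 00:30:00  Left Time: 00:29:58
 Access Type: ssl vpn
 Authentication Mode: Password (Local)
 <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
 User Name: user_0003 Parent Group: /default/marketing
--------------------------------------------------------------------------------
"""

FIELD = {
    "ip": re.compile(r"IP Address:\s*(\S+)"),
    "login_time": re.compile(r"Login Time:\s*(\S+ \S+)"),
    "access": re.compile(r"Access Type:[ \t]*(.*?)[ \t]*$", re.M),
    "auth": re.compile(r"Authentication Mode:[ \t]*(.*?)[ \t]*$", re.M),
    "user": re.compile(r"User Name:\s*(\S+)\s+Parent Group:\s*(\S+)"),
}


def parse_online_users(text: str) -> list[dict]:
    """Split the output on the dashed separator lines and pull one dict per record."""
    records = []
    for block in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        m = FIELD["user"].search(block)
        if not m:
            continue  # command echo / "Current Total Number" header, not a record
        rec = {"user": m.group(1), "group": m.group(2)}
        for key in ("ip", "login_time", "access", "auth"):
            f = FIELD[key].search(block)
            rec[key] = f.group(1) if f else None
        records.append(rec)
    return records


def shared_accounts(records: list[dict]) -> dict[str, list[str]]:
    """Users online from more than one IP at once; empty when sharing is prohibited."""
    by_user = defaultdict(set)
    for r in records:
        by_user[r["user"]].add(r["ip"])
    return {u: sorted(ips) for u, ips in by_user.items() if len(ips) > 1}


def outside_pool(records: list[dict], first: str, last: str) -> list[dict]:
    """SSL VPN sessions whose IP the exempt-auth rule for the pool does not cover."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [r for r in records
            if r["access"] == "ssl vpn" and not lo <= ipaddress.ip_address(r["ip"]) <= hi]


if __name__ == "__main__":
    recs = parse_online_users(SAMPLE_OUTPUT)
    print("shared:", shared_accounts(recs))
    print("outside pool:", [r["ip"] for r in outside_pool(recs, "10.2.0.2", "10.2.0.15")])
```

In operation the text is whatever the FW returns for the command over an SSH session; a non-empty result from either check is worth an alert, since the first means the single-IP restriction is not taking effect for that account and the second means traffic from that user will not be identified by the auth_policy_service rule.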

Configuration Scripts

#
 sysname FW
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
aaa 
 #
 domain default
  service-type internetaccess ssl-vpn
 #
#
auth-policy
 rule name auth_policy_service
  source-address range 10.2.0.2 10.2.0.15 
  action exempt-auth

# The following user/group creation configuration is stored in the database, but not in the configuration profile.
user-manage group /default/research
user-manage group /default/marketing
user-manage user user_0002
 alias Tom
 parent-group /default/research
 password *********
 undo multi-ip online enable
user-manage user user_0003
 alias Jack
 parent-group /default/marketing
 password *********
 undo multi-ip online enable
Copyright © Huawei Technologies Co., Ltd.