
CLI: Example for Configuring Local Authentication on Remote Access Users Using L2TP VPN in Automatic LAC Dial-up Mode

This section provides an example for configuring local authentication on remote access users using L2TP VPN in automatic LAC dial-up mode when a FW works as a VPN access gateway.

Networking Requirements

As shown in Figure 1, FWs are deployed at the network borders of the headquarters and branch office of an enterprise. FW_A at the headquarters works as an LNS, and FW_B at the branch office works as a LAC. An L2TP tunnel is established between the LAC and the LNS in automatic LAC dial-up mode. Branch office users can access intranet resources at the headquarters based on IP addresses.

Figure 1 Local authentication on remote access users using L2TP VPN in automatic LAC dial-up mode

In automatic LAC dial-up mode, the LNS authenticates only the LAC, not the individual employees at the branch office, so a successfully established tunnel says nothing about who is sending traffic through it. The user management and authentication mechanisms of FW_A must therefore authenticate branch office users when they connect to the headquarters and map each authenticated user to an IP address, so that policies can control behavior and assign permissions per user. Requirements are as follows:

  • Information about users and departments is stored on FW_A (the LNS) and can be referenced by policies and L2TP VPNs.
  • The R&D and marketing employees at the branch office must be authenticated by the LNS. If multiple services exist on the network, configure user-initiated authentication: a user opens http://10.3.0.1:8887 in a browser and enters a user name and password. Note that this page is served over plain HTTP and L2TP itself does not encrypt the tunnel, so the credentials cross the branch-to-headquarters link in cleartext unless the tunnel is additionally protected (for example by IPsec).

Configuration Roadmap

This example describes only how to configure user management and authentication. The password Admin@123 shown throughout is a placeholder; assign each account its own strong password.

If source NAT is configured on the LAC so that the addresses of all branch users are translated into one address when L2TP in automatic dial-up mode is used, FW_A sees only the NATed address, authenticates it once, and treats all branch users as a single user. The user-based policy control described in this example then cannot be implemented.

  1. On FW_A (the LNS), create an authentication domain to implement authentication on FW_B (the LAC) during L2TP tunnel establishment. Then configure a default authentication domain to implement authentication on the R&D and marketing employees at the branch office.
  2. Create user group objects and user objects and set passwords for the user objects on FW_A (the LNS). User object lac is used only in identity authentication on the LAC during L2TP tunnel establishment.
  3. On FW_A, configure an authentication policy so that the R&D and marketing employees at the branch office are authenticated before they access network resources through FW_A.
  4. On FW_A, configure a security policy that allows branch users to reach the authentication web page (TCP port 8887 in the Local zone), which triggers user-initiated authentication.

Data Planning

Item: Automatic LAC dial-up
Data:
  • Login Name: lac
  • Parent Group: /auth_domain_01
  • Password/Confirm Password: Admin@123
  • Prohibit Users from Sharing This Account
Description: The user name that the LAC uses to establish the L2TP tunnel to the LNS. It is used only to authenticate the LAC itself, never for employee sessions.

Item: R&D employee at the branch office
Data:
  Group
  • Name: research
  • Parent Group: /default
  User
  • Login Name: user_0002
  • Display Name: Tom
  • Parent Group: /default/research
  • Password/Confirm Password: Admin@123
  • Prohibit Users from Sharing This Account
Description: Add the R&D employee at the branch office to group research. Repeat the operations in this example to configure additional user accounts.

Item: Marketing employee at the branch office
Data:
  Group
  • Name: marketing
  • Parent Group: /default
  User
  • Login Name: user_0003
  • Display Name: Jack
  • Parent Group: /default/marketing
  • Password/Confirm Password: Admin@123
  • Prohibit Users from Sharing This Account
Description: Add the marketing employee at the branch office to group marketing. Repeat the operations in this example to configure additional user accounts.

Item: Authentication domain
Data:
  Authentication domain for automatic LAC dial-up
  • Name: auth_domain_01
  • Access Control: Allow L2TP Access
  Authentication domain for the R&D and marketing employees
  • Name: default
  • Access Control: Online behavior management
Description: FW_A reads the authentication domain from the user name that the LAC presents when establishing the L2TP tunnel and authenticates the LAC in that domain (auth_domain_01). The R&D and marketing employees are authenticated in the default domain, so they do not need to include a domain name in the user name they enter.

Item: Authentication policy
Data:
  • Name: auth_policy_service
  • Source Address/Region: 10.4.0.0/16
  • Action: auth
Description: R&D and marketing employees at the branch office whose traffic matches these conditions are authenticated. They can access network resources only after FW_A has authenticated them.

Procedure

  1. Set IP addresses for interfaces and assign the interfaces to security zones. The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    <FW_A> system-view
    [FW_A] interface GigabitEthernet 0/0/3
    [FW_A-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW_A-GigabitEthernet0/0/3] quit
    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
    [FW_A-zone-trust] quit

  2. Configure the authentication domain.

    [FW_A] aaa
    [FW_A-aaa] domain auth_domain_01
    [FW_A-aaa-domain-auth_domain_01] service-type l2tp
    [FW_A-aaa-domain-auth_domain_01] quit
    [FW_A-aaa] domain default
    [FW_A-aaa-domain-default] service-type internetaccess
    [FW_A-aaa-domain-default] quit
    [FW_A-aaa] quit

  3. Configure a user object for a LAC.

    [FW_A] user-manage user lac
    [FW_A-localuser-lac] parent-group /auth_domain_01
    [FW_A-localuser-lac] password Admin@123
    [FW_A-localuser-lac] undo multi-ip online enable
    [FW_A-localuser-lac] quit

  4. Configure a user group object and a user object for an R&D employee at the branch office.

    [FW_A] user-manage group /default/research
    [FW_A-usergroup-/default/research] quit
    [FW_A] user-manage user user_0002
    [FW_A-localuser-user_0002] alias Tom
    [FW_A-localuser-user_0002] parent-group /default/research
    [FW_A-localuser-user_0002] password Admin@123
    [FW_A-localuser-user_0002] undo multi-ip online enable
    [FW_A-localuser-user_0002] quit

  5. Configure a user group object and a user object for a marketing employee at the branch office.

    [FW_A] user-manage group /default/marketing
    [FW_A-usergroup-/default/marketing] quit
    [FW_A] user-manage user user_0003
    [FW_A-localuser-user_0003] alias Jack
    [FW_A-localuser-user_0003] parent-group /default/marketing
    [FW_A-localuser-user_0003] password Admin@123
    [FW_A-localuser-user_0003] undo multi-ip online enable
    [FW_A-localuser-user_0003] quit

  6. Configure an authentication policy.

    [FW_A] auth-policy
    [FW_A-policy-auth] rule name auth_policy_service
    [FW_A-policy-auth-rule-auth_policy_service] source-address 10.4.0.0 16
    [FW_A-policy-auth-rule-auth_policy_service] action auth
    [FW_A-policy-auth-rule-auth_policy_service] quit

  7. Configure a security policy that allows branch users to reach the authentication page on FW_A (TCP port 8887 in the Local zone). Without this rule the authentication policy redirects users to a page that FW_A itself drops.

    [FW_A] security-policy
    [FW_A-policy-security] rule name policy_sec_01
    [FW_A-policy-security-rule-policy_sec_01] destination-zone local
    [FW_A-policy-security-rule-policy_sec_01] source-address 10.4.0.0 16 
    [FW_A-policy-security-rule-policy_sec_01] service protocol tcp destination-port 8887
    [FW_A-policy-security-rule-policy_sec_01] action permit
    [FW_A-policy-security-rule-policy_sec_01] quit

  8. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.
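The pieces configured in steps 2, 6 and 7 only work together if they agree: the range that the authentication policy forces to authenticate must also be permitted to reach TCP port 8887 in the Local zone, and the two AAA domains must carry the service types the example relies on. The following script is an added example, not Huawei tooling: it parses the indented CLI script format shown under Configuration Scripts (the CONFIG text is copied from that script, minus the sysname and interface parts) and reports any of those mismatches. The function names and the AUTH_PORT constant are this example's own assumptions.

```python
"""Consistency check for the FW_A user-authentication configuration.

Added example, not Huawei tooling. It parses the indented CLI script format
shown on this page and verifies that:
  * an auth-policy rule with "action auth" exists for the branch user range,
  * a security-policy rule permits that same range to the local zone on the
    authentication port (TCP 8887, assumed from the example), and
  * the AAA domains carry the service types the example requires.
"""
import ipaddress
import re

AUTH_PORT = 8887  # authentication portal port used in this example (assumption)

# Constructed input: the FW_A script from this page without sysname/interfaces.
CONFIG = """\
aaa
 #
 domain auth_domain_01
  service-type l2tp
 domain default
  service-type internetaccess
 #
#
auth-policy
 rule name auth_policy_service
  source-address 10.4.0.0 16
  action auth
#
security-policy
  rule name policy_sec_01
    destination-zone local
    source-address 10.4.0.0 16
    service protocol tcp destination-port 8887
    action permit
"""


def parse_blocks(text):
    """Split a Huawei-style script into {top_level_block: [stripped lines]}.

    A block starts at an unindented line; '#' separator lines are ignored.
    """
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def parse_rules(lines):
    """Group 'rule name X' ... lines of a policy block into {name: [lines]}."""
    rules, name = {}, None
    for line in lines:
        m = re.match(r"rule name (\S+)", line)
        if m:
            name = m.group(1)
            rules[name] = []
        elif name:
            rules[name].append(line)
    return rules


def parse_domains(lines):
    """Group 'domain X' ... 'service-type Y' lines into {domain: {service types}}."""
    domains, name = {}, None
    for line in lines:
        m = re.match(r"domain (\S+)", line)
        if m:
            name = m.group(1)
            domains[name] = set()
        elif name:
            m = re.match(r"service-type (\S+)", line)
            if m:
                domains[name].add(m.group(1))
    return domains


def source_network(rule_lines):
    """Return the ip_network from a rule's 'source-address A.B.C.D LEN' line, or None."""
    for line in rule_lines:
        m = re.match(r"source-address (\S+) (\d+)", line)
        if m:
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return None


def check_config(text):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    blocks = parse_blocks(text)

    domains = parse_domains(blocks.get("aaa", []))
    if "l2tp" not in domains.get("auth_domain_01", set()):
        problems.append("auth_domain_01 does not allow L2TP access")
    if "internetaccess" not in domains.get("default", set()):
        problems.append("domain default lacks service-type internetaccess")

    auth_rules = parse_rules(blocks.get("auth-policy", []))
    auth_nets = [source_network(r) for r in auth_rules.values() if "action auth" in r]
    if not auth_nets:
        problems.append("no auth-policy rule with action auth")

    # Portal rule: permit, destination-zone local, TCP destination port AUTH_PORT.
    portal_nets = []
    for lines in parse_rules(blocks.get("security-policy", [])).values():
        if ("action permit" in lines and "destination-zone local" in lines
                and f"service protocol tcp destination-port {AUTH_PORT}" in lines):
            net = source_network(lines)
            if net:
                portal_nets.append(net)

    # Every range forced to authenticate must be able to reach the portal.
    for net in auth_nets:
        if net and not any(net.subnet_of(p) for p in portal_nets):
            problems.append(f"{net} is forced to authenticate but cannot reach TCP/{AUTH_PORT} on local")
    return problems


if __name__ == "__main__":
    print(check_config(CONFIG) or "configuration is consistent")
```

Run it against a `display current-configuration` dump before rolling out a change to the authentication or security policy; a narrowed portal rule or a missing `service-type l2tp` is reported before users are locked out.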

Verification

  • An R&D employee at the branch office accesses http://10.3.0.1:8887 and enters user name user_0002 and password Admin@123 for authentication. The employee can access intranet resources at the headquarters after being authenticated.
  • A marketing employee at the branch office accesses http://10.3.0.1:8887 and enters user name user_0003 and password Admin@123 for authentication. The employee can access intranet resources at the headquarters after being authenticated.
  • Run the display user-manage online-user verbose command on FW_A to display information about online users.
    <FW_A> display user-manage online-user verbose            
     Current Total Number: 1                                                        
    --------------------------------------------------------------------------------                                      
     IP Address: 10.4.0.8                                                        
     Login Time: 2015-01-21 14:58:36  Online Time: 00:00:49                         
     State: Active  TTL: 00:30:00  Left Time: 00:29:59                              
     Access Type: local                                                             
     Authentication Mode: Password (Local)                                          
     <--packets: 0 bytes: 0  -->packets: 0 bytes: 0                                 
     User Name: user_0002 Parent Group: /default/research 
    --------------------------------------------------------------------------------
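When more than a handful of branch users are online, reading the verbose output by eye is error-prone. The following script is an added example, not Huawei tooling: it parses the record format shown above and flags sessions that contradict the plan on this page, namely a source address outside the 10.4.0.0/16 range covered by the authentication policy, an account outside /default/research or /default/marketing, or the tunnel account lac appearing as an online user (it is meant only for LAC authentication during tunnel setup). The SAMPLE text is constructed: the first record is copied from the page, the other two are made up to exercise the checks. The function names and the expectation constants are this example's own assumptions.

```python
"""Audit 'display user-manage online-user verbose' output against the plan.

Added example, not Huawei tooling. Expectations below are this example's
own assumptions, derived from the data planning on this page.
"""
import ipaddress
import re

BRANCH_NET = ipaddress.ip_network("10.4.0.0/16")          # auth-policy source range
ALLOWED_GROUPS = {"/default/research", "/default/marketing"}  # employee groups
TUNNEL_ACCOUNTS = {"lac"}                                  # used only for tunnel setup

# Constructed sample: record 1 is from the page, records 2 and 3 are made up.
SAMPLE = """\
 Current Total Number: 3
--------------------------------------------------------------------------------
 IP Address: 10.4.0.8
 Login Time: 2015-01-21 14:58:36  Online Time: 00:00:49
 State: Active  TTL: 00:30:00  Left Time: 00:29:59
 Access Type: local
 Authentication Mode: Password (Local)
 <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
 User Name: user_0002 Parent Group: /default/research
--------------------------------------------------------------------------------
 IP Address: 10.4.0.21
 Login Time: 2015-01-21 15:02:10  Online Time: 00:00:12
 State: Active  TTL: 00:30:00  Left Time: 00:29:48
 Access Type: local
 Authentication Mode: Password (Local)
 <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
 User Name: user_0003 Parent Group: /default/marketing
--------------------------------------------------------------------------------
 IP Address: 10.2.0.55
 Login Time: 2015-01-21 15:05:41  Online Time: 00:00:03
 State: Active  TTL: 00:30:00  Left Time: 00:29:57
 Access Type: local
 Authentication Mode: Password (Local)
 <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
 User Name: lac Parent Group: /auth_domain_01
--------------------------------------------------------------------------------
"""


def parse_online_users(text):
    """Return [{ip, user, group, mode}] from the verbose online-user output."""
    records = []
    # Records are separated by lines of dashes; the header chunk has no IP.
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        ip = re.search(r"IP Address:\s*(\S+)", chunk)
        who = re.search(r"User Name:\s*(\S+)\s+Parent Group:\s*(\S+)", chunk)
        mode = re.search(r"Authentication Mode:\s*(.+?)\s*$", chunk, flags=re.M)
        if ip and who:
            records.append({
                "ip": ip.group(1),
                "user": who.group(1),
                "group": who.group(2),
                "mode": mode.group(1) if mode else "",
            })
    return records


def audit(records):
    """Return {user: [problems]} for sessions violating the plan; {} if clean."""
    findings = {}
    for r in records:
        problems = []
        if r["user"] in TUNNEL_ACCOUNTS:
            problems.append("tunnel account has an online user session")
        if ipaddress.ip_address(r["ip"]) not in BRANCH_NET:
            problems.append(f"source {r['ip']} is outside {BRANCH_NET}")
        if r["group"] not in ALLOWED_GROUPS:
            problems.append(f"group {r['group']} is not a branch employee group")
        if problems:
            findings[r["user"]] = problems
    return findings


if __name__ == "__main__":
    for user, problems in audit(parse_online_users(SAMPLE)).items():
        print(user, "->", "; ".join(problems))
```

Feed it the captured output of the display command; in the constructed sample only the lac record is reported, for all three reasons.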

Configuration Scripts

#
 sysname FW_A
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
  add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
aaa 
 #
 domain auth_domain_01
  service-type l2tp
 domain default
  service-type internetaccess
 #
#
auth-policy
 rule name auth_policy_service
  source-address 10.4.0.0 16
  action auth
#
security-policy
  rule name policy_sec_01 
    destination-zone local
    source-address 10.4.0.0 16
    service protocol tcp destination-port 8887
    action permit

# The following user/group creation configuration is stored in the database, but not in the configuration profile.
user-manage group /default/research
user-manage group /default/marketing
user-manage user user_0002
 alias Tom
 parent-group /default/research
 password *********
 undo multi-ip online enable
user-manage user user_0003
 alias Jack
 parent-group /default/marketing
 password *********
 undo multi-ip online enable
user-manage user lac
 parent-group /auth_domain_01
 password *********
 undo multi-ip online enable
Copyright © Huawei Technologies Co., Ltd.