
Configuring User Authentication in the Online Behavior Management Scenario

This section describes how to configure online behavior management and user authentication.

Context

SSO configuration is global. Modifying SSO configuration in an authentication domain modifies the SSO configuration in the other authentication domains.

Procedure

  1. Select an authentication domain to be configured.
  2. Select Online behavior management.
  3. Select an authentication mode and configure an authentication policy.

    • Portal authentication: includes local authentication and server authentication. Click Configure Authentication Policy to create an authentication policy, specify the data flow that requires portal authentication, and set the action of the policy to Portal authentication.

      To use user-defined Portal authentication, you also need to complete the configurations in section Configuring User-defined Portal Authentication.

    • SSO authentication: Click Configure Authentication Policy to create an authentication policy, specify the data flow that is identified through SSO, and set the action of the policy to SSO authentication.
    • Authentication exemption: Click Configure Authentication Policy to create an authentication policy, specify the data flow that is exempt from authentication, and set the action of the policy to Authentication exemption.

  4. Configure user information.

    Configure user information on the FW based on the locations and organizational structure of users.

    For authentication exemption, bind IP addresses or MAC addresses to users locally so that these users can access network resources without entering a password. Note that such a binding identifies the user only by address, so it should be limited to hosts whose addresses are under your control.

    User/User Group/Security Group Management List shows the users, user groups, and security groups in the current authentication domain. If you prefer a tree view, click Manage Users by Organizational Structure and manage users on the page that is displayed.

  5. Optional: Configure a RADIUS accounting scheme and a RADIUS authorization scheme.

    The RADIUS accounting scheme and the RADIUS authorization scheme apply only to user-defined portal authentication, SSL VPN access, L2TP/L2TP over IPSec, IPSec access, administrator access, and 802.1x access scenarios in which the firewall participates in user authentication.

  6. Optional: Configure SSO.

    If SSO authentication is selected, configure SSO parameters. For details, see Configuring AD SSO, Configuring RADIUS SSO, and Configuring Agile Controller SSO.

  7. Expand New User Authentication Options (New users are users who do not already exist on the device) and set user authentication options for the authentication domain.

    Users who pass server authentication or SSO but do not exist on the FW have their permissions controlled by the new user options.

    The new user options do not take effect for user-defined Portal authentication (in which the FW participates in user authentication).

    User names on the FW must not contain slashes (/), commas (,), double quotation marks ("), question marks (?), or at signs (@). A new user whose name contains any of these characters cannot be added to the temporary user group on the FW.

    AD SSO does not apply to user names that contain a dollar sign ($).

    The new user options are as follows.

    Prohibit new user login

    When this option is selected, the FW deletes the new user option configuration and restores the default state, in which no new user option is configured. In the default state, the FW processes new users as follows:

    • Internet access online user list: The FW does not allow new users to log in.
    • Remote access online user list: New users can go online for VPN access. However, the FW cannot complete user-based policy control. To implement user-based policy control, you must configure new user options so that the users going online are included in the online user list.
    NOTE:

    This function is supported in V600R007C20SPC500 and later versions.

    Consider new users as temporary users and do not add them to the local user list

    After new users are authenticated, they are considered as temporary users and are not added to the local user list. However, these temporary users have the same network access as the specified local user group or security groups.
    • Click Select to the right of Inherit Permissions of User Group and select a user group.

    • Click Select to the right of Inherit Permissions of Security Group. In the dialog box that is displayed, select a security group in Available, add it to Selected, and click OK. This parameter is optional. If you do not set it, security group-based management is not applied to new users.

    For an AD, LDAP, or Agile Controller server, it is preferable to manage policies using the user groups and security groups that these users belong to on the server. To do so, select Preferentially use user and security groups on the server for policy management and select a server import policy. The selected import policy is used to obtain the organizational structure and security group of the user on the server. If that organizational structure and security group exist on the FW, the network access permissions of the user group and security group from the server are used. If they do not exist on the FW, the network access permissions specified in Inherit Permissions of User Group and Inherit Permissions of Security Group are used instead.

    User groups and security groups on the FW cannot contain certain special characters. For details, see the user management and authentication restrictions and precautions. After the FW obtains the user group and security group based on the import policy, if the user group name and security group name contain invalid characters, the FW converts these characters into underscores (_) and checks whether the converted user group and security group exist locally.

    NOTE:

    If a new user logs in as a temporary user and the parent group of this user changes when the user is online, the parent group in the online user list will not be immediately updated. The local existing parent group of the temporary user will be updated only when all users using the IP address of this temporary user log out and log in again.

    In the scenario where the authentication server and the import server are separated (for details, see User Permission Control), import policies of the specified AD/LDAP server are supported. The FW controls user permissions through the organizational structure of the import server. Note that the import type of the import policy must include users.

    In the same scenario, when Preferentially use user and security groups on the server for policy management is selected and a server import policy is selected, the FW updates user organizational structures based on the organizational structures on the import server if the users and their organizational structures already exist on the local device and the import policy is configured to override existing users (configured using the import-override enable command).

    For login efficiency, treat new users as temporary users and do not add them to the local user list.

  8. Click Apply.
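The new user rules in step 7 (the characters a user name must not contain, the dollar-sign restriction for AD SSO, the rewriting of invalid characters in group names to underscores before the local lookup, and the fallback from server groups to the inherited groups) are modeled below as an added Python example. It is not Huawei code and does not reflect the FW's implementation. Assumptions made for illustration: the set of characters treated as invalid in group names (the page only refers to the restrictions section; the slash is kept here because the example uses it as the group path separator), per-item fallback (user group and security group are looked up independently), and treating an unconfigured new user option the same as "Prohibit new user login" for the Internet access online user list. Sample users and groups are constructed.

```python
from dataclasses import dataclass, field

# Characters the page says a user name on the FW must not contain.
FORBIDDEN_USER_CHARS = set('/,"?@')
# ASSUMPTION: the page says group names "cannot contain certain special
# characters" and refers elsewhere; this example uses the user-name set
# minus '/', which it treats as the group path separator ("/default/...").
INVALID_GROUP_CHARS = set(',"?@')


def user_name_issues(name, ad_sso=False):
    """Reasons a new user name cannot be handled as the page describes."""
    issues = []
    bad = sorted(c for c in set(name) if c in FORBIDDEN_USER_CHARS)
    if bad:
        issues.append("contains %s: cannot be added to the temporary user group" % "".join(bad))
    if ad_sso and "$" in name:
        issues.append("contains $: AD SSO does not apply to this user")
    return issues


def normalize_group_name(name):
    """Mimic the FW: each invalid character becomes '_' before the local lookup."""
    return "".join("_" if c in INVALID_GROUP_CHARS else c for c in name)


@dataclass
class NewUserOptions:
    prohibit_login: bool = False        # "Prohibit new user login"
    prefer_server_groups: bool = False  # "Preferentially use user and security groups on the server"
    inherit_user_group: str = ""        # "Inherit Permissions of User Group" (mandatory for temp users)
    inherit_security_group: str = ""    # "Inherit Permissions of Security Group" (optional)


@dataclass
class Decision:
    allowed: bool
    user_group: str = ""
    security_group: str = ""
    notes: list = field(default_factory=list)


def resolve_new_user(name, server_user_group, server_security_group,
                     local_user_groups, local_security_groups, opts, ad_sso=False):
    """Decide how a user who passed server/SSO authentication but does not
    exist on the FW is treated for the Internet access online user list.
    (The remote access list behaves differently; see the page.)"""
    d = Decision(allowed=False, notes=user_name_issues(name, ad_sso))
    if d.notes:
        return d
    # ASSUMPTION: no configured temporary-user group == default state == denied.
    if opts.prohibit_login or not opts.inherit_user_group:
        d.notes.append("no new-user option configured: login denied")
        return d
    # Temporary user: not added to the local user list; permissions inherited.
    d.allowed = True
    d.user_group = opts.inherit_user_group
    d.security_group = opts.inherit_security_group
    if not opts.prefer_server_groups:
        return d
    # Server groups are preferred, but only if they exist locally after
    # the invalid-character rewrite; otherwise fall back per item (ASSUMPTION).
    ug = normalize_group_name(server_user_group)
    if ug != server_user_group:
        d.notes.append("server user group %r looked up locally as %r" % (server_user_group, ug))
    if ug in local_user_groups:
        d.user_group = ug
    else:
        d.notes.append("user group %r not on FW; inheriting %r" % (ug, opts.inherit_user_group))
    sg = normalize_group_name(server_security_group)
    if sg and sg in local_security_groups:
        d.security_group = sg
    elif server_security_group:
        d.notes.append("security group %r not on FW; inheriting %r" % (sg, opts.inherit_security_group))
    return d


if __name__ == "__main__":
    # Constructed sample data: two local user groups, one local security group.
    opts = NewUserOptions(prefer_server_groups=True, inherit_user_group="/default/guests")
    local_ug = {"/default/ops_team", "/default/guests"}
    local_sg = {"sales_eu"}
    for user, ug, sg in [("alice", "/default/ops?team", "sales@eu"),
                         ("bob", "/default/hr", ""),
                         ("carol@corp", "/default/ops_team", "")]:
        print(user, resolve_new_user(user, ug, sg, local_ug, local_sg, opts))
```

Running the block shows alice mapped to the locally existing /default/ops_team and sales_eu after the rewrite of ? and @, bob falling back to the inherited /default/guests because /default/hr does not exist locally, and carol@corp rejected outright. A check of this kind is useful when reconciling the group names exported from a directory with those that exist on the FW before enabling the server-preferred option.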

Follow-up Procedure

After creating an organizational structure, adjust it as follows in User/User Group/Security Group Management List or by clicking Manage Users by Organizational Structure:

  • Modify user attributes in batches.

    If multiple users share the same attribute, you can select Modify to modify the attribute for the users.

  • Copy user information.

    If the user to be created has similar attributes as an existing user, select the existing user and click Copy. Then create the user based on the copied information.

  • Activate or deactivate users.

    Users are automatically activated after creation. To temporarily cancel the network access permission of a user, you can deactivate the user without deleting it. If you set the status of an online user to deactivated, the online user is logged out.

    Select or clear the check boxes of the users to be activated or deactivated, and then click OK.

  • Move users or user groups.

    You can click Move to move a user or user group to a different parent group.

    1. Click Manage Users by Organizational Structure.
    2. Select the users or user groups and click Move.

    Alternatively, modify the parent group attribute of the user or user group directly.

  • Export user information.

    You can export user information to a CSV file and save the file on an external storage drive for backup. You can also import the file to another FW to create users and user groups in batches.

    If the free space of a CF card on the FW is smaller than 4 MB, do not export user information into a CSV file.

    Export user information in either of the following ways:

    • In User/User Group/Security Group Management List, click Export User to export users, user groups, and security groups of a specific authentication domain or all authentication domains.

      Security groups can be exported only in this way.

    • Click Manage Users by Organizational Structure, select the parent user group of users to be exported, and click Export User.

    If a user group contains no user, this group cannot be exported independently.

  • Maximize the display of User/User Group/Security Group Management List

    You can click Maximize to maximize the display of User/User Group/Security Group Management List so that you can view user information in the FW with ease.

  • Delete All Queried Users/User Groups/Security Groups

    After querying the desired users, user groups, or security groups through Advanced Search or Search, you can delete all queried users, user groups, and security groups in one operation.

    If many users need to be deleted, you are advised to perform this operation when the device is idle.

Copyright © Huawei Technologies Co., Ltd.