Configuring SSL VPN User Authentication

This section describes how to configure SSL VPN user authentication.

Context

This section describes how to configure SSL VPN local authentication and server authentication only. For details on certificate authentication, see related sections.

This section describes how to configure SSL VPN user access authentication only. To implement user-specific policy control for network extension user, you need to select SSL VPN access and Online behavior management, configure authentication policy, and import user information from the server to the local device.

Procedure

Select an authentication domain to be configured.
Select SSL VPN access.
Configure user information.
Configure user information on the FW based on the locations and organizational structure of users.
- Users on the local device
  
  Create users in the following ways:
  - In User/User Group/Security Group Management List, click Add. On the page that is displayed, manually create users, user groups, and security groups.
  - Import users, user groups, and security groups through the CSV files. For details, see Importing Users and User Groups from a CSV File and Importing Security Groups from a CSV File.
- Users on the server
  1. Select an existing authentication server or add a new one. For details on how to add an authentication server, see Configuring Authentication Servers Using the Web UI.
  2. Import the organizational structure of the server to the FW for user-specific policy control.
    
    AD/LDAP/Agile Controller server: Select an existing import policy or add a new one to import users, user groups, and security groups. For details on how to create an import policy, see Importing Users, User Groups, or Security Groups from a Server.
    
    RADIUS/HWTACACS server: does not support any import policy. Manually create user information and import user information through a CSV file on the FW. For details on how to import users through a CSV file, see Importing Security Groups from a CSV File.
User/User Group/Security Group Management List shows the users, user groups, and security groups in the current authentication domain. If you are accustomed to the tree structure, click Manage Users by Organizational Structure. On the page that is displayed, manage users as required.
Optional: Configure a RADIUS accounting scheme and a RADIUS authorization scheme.
The RADIUS accounting scheme and the RADIUS authorization scheme apply only to user-defined portal authentication, SSL VPN access, L2TP/L2TP over IPSec, IPSec access, administrator access, and 802.1x access scenarios in which the firewall participates in user authentication.
Click Apply.

Follow-up Procedure

After creating an organizational structure, adjust it as follows in User/User Group/Security Group Management List or by clicking Manage Users by Organizational Structure:

Modify use attributes in batches.

If multiple users share the same attribute, you can select Modify to modify the attribute for the users.
Copy user information.

If the user to be created has similar attributes as an existing user, select the existing user and click Copy. Then create the user based on the copied information.
Activate or deactivate users.

Users are automatically activated after creation. To temporarily cancel the network access permission of a user, you can deactivate the user without deleting it. If you set the status of an online user to deactivated, the online user is logged out.

Select or clear the check boxes of the users to be activated or deactivated, and then click OK.
Move users or user groups.

You can click Move to move a user or user group to a different parent group.
1. Click Manage Users by Organizational Structure.
2. Select the users or user groups and click Move.
In addition, you can also modify the parent group of a user or user group.
Export user information.

You can export user information into a CSV file and save the file in an external storage drive for backup. You can also import the user information to other FW to create users and user groups in batches.

If the free space of a CF card on the FW is smaller than 4 MB, do not export user information into a CSV file.

Export user information in either of the following ways:
- In User/User Group/Security Group Management List, click Export User to export users, user groups, and security groups of a specific authentication domain or all authentication domains.
  
  Security groups can be exported only in this way.
- Click Manage Users by Organizational Structure, select the parent user group of users to be exported, and click Export User.
If a user group contains no user, this group cannot be exported independently.
Maximize the display of User/User Group/Security Group Management List.

You can click Maximize to maximize the display of User/User Group/Security Group Management List so that you can view user information in the FW with ease.
Delete All Queried Users/User Groups/Security Groups

After querying desired users/user groups/security groups through the Advanced Search or Search function, you can use the function to delete all queried users/user groups/security groups.

If many users need to be deleted, you are advised to perform this operation when the device is idle.