
CLI: Example for Configuring RADIUS SSO for Internet Access Users (RADIUS Attribute as a Security Group)

In this example, the FW serves as the egress gateway of an enterprise. Users who have been authenticated by the RADIUS server are treated as authenticated by the FW as well, without a second login. The FW parses RADIUS attributes from the accounting traffic it sees and uses a parsed attribute value as the user's security group.

Networking Requirements

An enterprise has deployed a FW as the egress gateway at the network border to connect the intranet and Internet, as shown in Figure 1. Details are as follows:

  • Internet access users use the NAS to access the Internet.
  • The NAS sends user credentials to the RADIUS server for user authentication. The RADIUS server stores user and user group information.
Figure 1 Networking for configuring RADIUS SSO for Internet access users (RADIUS attribute as a security group)

The enterprise network administrator wants to use the user management and authentication mechanism provided by the FW to identify intranet IP addresses as users to control network behavior and assign network permissions. Requirements are as follows:

  • The vendor-specific attribute in the RADIUS accounting packet carries sub-attribute 60. The FW parses this sub-attribute and uses its value as the user's security group, so that users are assigned to security groups by the RADIUS server rather than by the FW administrator.
  • Security group information is stored on the FW, where it can be referenced in policies.
  • After authenticating once with a correct RADIUS account and password, internal users can access network resources without further authentication. The identity of an internal user is the user name used for RADIUS authentication.

Configuration Roadmap

This example describes only the user configuration related to authentication.

  1. Configure interfaces and security policies on the FW.
  2. Configure security groups.
  3. Configure RADIUS SSO parameters and new user authentication options in the default authentication domain.
  4. On the FW, set the online user timeout period (aging time) longer than the interval at which the NAS sends RADIUS accounting Interim-Update packets; otherwise an online user entry can age out between two updates. In this example, the timeout period is set to 480 minutes. Once a user entry is deleted, that user can no longer access services until the FW sees a new accounting packet for it.
  5. On the FW, configure an authentication policy rule for user service traffic with the action set to authentication exemption (exempt-auth), so that the FW identifies users through SSO instead of prompting them.
  6. Because the FW is deployed between the NAS and the RADIUS server, the packets exchanged between them pass through the FW. To implement SSO, configure an authentication policy rule with the action set to none for packets destined for the RADIUS server, so that the FW does not attempt to authenticate the authentication and accounting traffic itself.

Data Planning

The data plan below lists, for each item, the data to configure and a description.

RADIUS SSO

  • RADIUS SSO: Enable

  • Working mode: In-path (the FW is in-line on the path between the NAS and the RADIUS server)
  • Receiving Interface: GigabitEthernet 0/0/3
  • Traffic to be analyzed by RADIUS SSO: 10.2.0.50:1813 (IP address of the RADIUS server: accounting port)
  • RADIUS Attribute Type: Vendor-defined
  • RADIUS Attribute ID: 60
  • Security Group Separator: ,

Set the SSO parameters on the FW so that it analyzes the RADIUS accounting packets passing through the receiving interface and obtains the user-to-IP address mappings from them (User-Name and Framed-IP-Address in the Accounting-Request).

In addition, the FW parses sub-attribute 60 of the vendor-specific attribute and uses the parsed value as the user's security group. If the value contains several groups separated by the configured delimiter, the FW splits it on that delimiter.

New User Authentication Options

  • Temporary user
  • User group: /default/newuser

In this example, user information is not imported to the FW. Users log in as temporary users.

You can control user permissions based on the parsed security groups. If none of the parsed security groups exists on the FW, the user group configured in this field determines the user's permissions.

Procedure

  1. Set IP addresses and assign interfaces to security zones. The following uses GigabitEthernet 0/0/3 as an example. Configure the other interfaces according to the data in the networking diagram.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet0/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit
    

  2. Configure security policies.

    Configure a security policy between the Trust zone (users and NAS) and DMZ (RADIUS server) for users to get authenticated by the RADIUS server.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_radius
    [FW-policy-security-rule-policy_sec_radius] source-zone trust
    [FW-policy-security-rule-policy_sec_radius] destination-zone dmz
    [FW-policy-security-rule-policy_sec_radius] destination-address 10.2.0.0 24
    [FW-policy-security-rule-policy_sec_radius] action permit
    [FW-policy-security-rule-policy_sec_radius] quit
    

  3. Create a security group on the FW.

    [FW] user-manage security-group rch
    [FW-securitygroup-rch] security-group-type static
    [FW-securitygroup-rch] quit
    [FW] user-manage security-group mkt
    [FW-securitygroup-mkt] security-group-type static
    [FW-securitygroup-mkt] quit

  4. Create a group for new users on the FW.

    [FW] user-manage group /default/newuser
    [FW-usergroup-/default/newuser] quit

  5. Configure RADIUS SSO parameters on the FW.

    [FW] user-manage single-sign-on radius
    [FW-sso-radius] mode in-path
    [FW-sso-radius] interface GigabitEthernet 0/0/3
    [FW-sso-radius] traffic server-ip 10.2.0.50 port 1813
    [FW-sso-radius] user-manage radius-attribute-id vendor-specific 60 define-as security-group delimiter ,
    [FW-sso-radius] enable
    [FW-sso-radius] quit
    

  6. Set the new user authentication option for the default authentication domain.

    [FW] aaa
    [FW-aaa] domain default
    [FW-aaa-domain-default] service-type internetaccess
    [FW-aaa-domain-default] new-user add-temporary group /default/newuser
    [FW-aaa-domain-default] quit
    [FW-aaa] quit

  7. Set the online user timeout duration to 480 minutes.

    [FW] user-manage online-user aging-time 480

  8. Configure the authentication policy. For traffic from users to the RADIUS server, set the action to none, so that authentication and accounting packets pass through the FW to the RADIUS server without the FW trying to authenticate them. For user service traffic, set the action to exempt-auth; the FW then obtains user information through SSO instead of prompting the user.

    [FW] auth-policy
    [FW-policy-auth] rule name auth_policy_radius
    [FW-policy-auth-rule-auth_policy_radius] source-zone trust
    [FW-policy-auth-rule-auth_policy_radius] destination-zone dmz
    [FW-policy-auth-rule-auth_policy_radius] destination-address 10.2.0.50 32
    [FW-policy-auth-rule-auth_policy_radius] action none 
    [FW-policy-auth-rule-auth_policy_radius] quit
    [FW-policy-auth] rule name auth_policy_service
    [FW-policy-auth-rule-auth_policy_service] source-zone trust
    [FW-policy-auth-rule-auth_policy_service] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_service] action exempt-auth
    [FW-policy-auth-rule-auth_policy_service] quit
    

    With the action set to exempt-auth, the FW obtains user information through SSO, and if no user information can be obtained for a flow, the traffic is still permitted (without user identity). If the network has high security requirements, set the action to portal authentication instead: the FW then redirects users for whom SSO produced no identity to portal authentication.

  9. After the configuration is complete, reference the security group or user group when configuring the security policy, policy-based routing, quota control policy, proxy policy, audit policy, and traffic policy.

Verification

  • Internal users can access network resources after successful logins to the NAS using RADIUS accounts and passwords.
  • Run the display user-manage online-user command on the FW to view information about online users. Check that User Name matches the RADIUS account, that Authentication Mode is Single Sign-on, and that Parent Security Group shows the group parsed from sub-attribute 60 (rch in this example).
    <FW> display user-manage online-user verbose            
     Current Total Number: 1                                                        
    --------------------------------------------------------------------------------                                      
     IP Address: 10.3.0.2                                                        
     Login Time: 2018-01-21 14:58:36  Online Time: 00:00:49                         
     State: Active  TTL: 00:30:00  Left Time: 00:29:59                              
     Access Type: local                                                             
     Authentication Mode: Single Sign-on                                          
     Access Device Type: unknown
     <--packets: 0 bytes: 0  -->packets: 0 bytes: 0                                 
     Build ID: 0
     User Name: user_0002 Parent User Group: /default/newuser
     Parent Security Group: rch
    --------------------------------------------------------------------------------
    

Configuration Scripts

#
 sysname FW
# 
 user-manage online-user aging-time 480
 user-manage single-sign-on radius
  enable
  mode in-path 
  interface GigabitEthernet0/0/3
  traffic server-ip 10.2.0.50 port 1813
  user-manage radius-attribute-id vendor-specific 60 define-as security-group delimiter ,
# 
security-policy
 rule name policy_sec_radius
  source-zone trust 
  destination-zone dmz
  destination-address 10.2.0.0 24
  action permit

#
auth-policy
 rule name auth_policy_radius
  source-zone trust
  destination-zone dmz 
  destination-address 10.2.0.50 32
  action none
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
# 
aaa
 domain default   
  service-type internetaccess
  new-user add-temporary group /default/newuser
# The following configuration is a one-time operation and is not saved in the configuration file.
 user-manage group /default/newuser
Copyright © Huawei Technologies Co., Ltd.