
Web: Example for Configuring RADIUS SSO for Internet Access Users (RADIUS Attribute as a Security Group)

In this example, the FW serves as the egress gateway of an enterprise. Users who pass the authentication of the RADIUS authentication system directly pass the FW's authentication. The FW can parse RADIUS attributes and use the parsed attribute as the security group.

Networking Requirements

An enterprise has deployed a FW as the egress gateway at the network border to connect the intranet and Internet, as shown in Figure 1. Details are as follows:

  • Internet access users use the NAS to access the Internet.
  • The NAS sends user credentials to the RADIUS server for user authentication. The RADIUS server stores user and user group information.
Figure 1 Networking for configuring RADIUS SSO for Internet access users (RADIUS attribute as a security group)

The enterprise network administrator wants to use the user management and authentication mechanism provided by the FW to identify intranet IP addresses as users to control network behavior and assign network permissions. Requirements are as follows:

  • The vendor-defined attribute in the RADIUS accounting packet contains sub-attribute 60. The FW parses the sub-attribute and uses the parsed sub-attribute as the user's security group. Using this method, the FW assigns users to corresponding security groups.
  • Security group information is stored on the FW. This information can be referenced in policies.
  • After passing authentication by entering correct RADIUS accounts and passwords, internal users can access network resources without further authentication. The identity of an internal user is the user name used for RADIUS authentication.

Configuration Roadmap

This example describes only the user configuration related to authentication.

  1. Configure interfaces and security policies on the FW.
  2. Configure security groups.
  3. Configure RADIUS SSO parameters and new user authentication options in the default authentication domain.
  4. On the FW, configure the timeout period of online users longer than the interval for updating RADIUS accounting packets. In this example, the timeout period of online users is set to 480 minutes to prevent online user entries from being deleted. Once user entries are deleted, users cannot access services.
  5. On the FW, configure an authentication policy for user service traffic. Set the action to no-authentication.
  6. As the FW is deployed between the NAS and RADIUS server, packets exchanged between the NAS and RADIUS server pass through the FW. Therefore, to implement SSO, configure an authentication policy to disable the FW from authenticating the packets destined for the RADIUS server.

Data Planning

Item: RADIUS SSO

Data:

  • RADIUS SSO: Enable
  • Working mode: In-line
  • Receiving Interface: GigabitEthernet 0/0/3
  • Traffic to be analyzed by RADIUS SSO: 10.2.0.50:1813 (IP address of the RADIUS server: accounting port)
  • RADIUS Attribute Type: Vendor-defined
  • RADIUS Attribute ID: 60
  • Security Group Separator: ,

Description: Set the SSO parameters on the FW so that it can analyze the RADIUS accounting packets passing through it and obtain user-IP address mappings. In addition, the FW parses sub-attribute 60 of the vendor-specific attribute and uses the parsed value as the user's security group.

Item: New User Authentication Options

Data:

  • Temporary user
  • User group: /default/newuser

Description: In this example, user information is not imported to the FW, so users log in as temporary users. You can control user permissions based on the parsed security groups. If a parsed security group does not exist on the FW, the user group configured here can be used to control user permissions instead.
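
As an added illustration (not Huawei's code and not the FW's actual implementation), the following Python models what the in-line RADIUS SSO parsing in the data plan does: it reads a RADIUS Accounting-Request, takes User-Name and Framed-IP-Address for the user-IP mapping, splits vendor sub-attribute 60 on the configured "," separator into security groups, and records only the groups that exist on the FW, so that a user whose parsed group is unknown falls back to /default/newuser. It goes slightly beyond the page by also handling Acct-Status-Type Stop, which removes the entry; the vendor ID 2011 and the sample packets are assumptions constructed for the example.

```python
ACCT_REQUEST, ACCT_STOP = 4, 2                  # RADIUS Code "Accounting-Request" / Acct-Status-Type "Stop"
USER_NAME, FRAMED_IP, VENDOR_SPECIFIC, ACCT_STATUS = 1, 8, 26, 40   # standard RADIUS attribute types
VENDOR_ID = 2011                                # assumption: Huawei's IANA enterprise number (sample only)
GROUP_SUBATTR, GROUP_DELIMITER = 60, ","        # "RADIUS Attribute ID" and "Security Group Separator"
FW_SECURITY_GROUPS, NEW_USER_GROUP = {"rch", "mkt"}, "/default/newuser"   # groups on the FW; new-user group

def attr(t, v):                                 # one RADIUS attribute: Type, Length, Value
    return bytes([t, len(v) + 2]) + v
def build_acct_request(user, ip, status, groups):   # constructed sample packet, authenticator zeroed
    vsa = VENDOR_ID.to_bytes(4, "big") + attr(GROUP_SUBATTR, GROUP_DELIMITER.join(groups).encode())
    body = (attr(USER_NAME, user.encode()) + attr(FRAMED_IP, bytes(int(o) for o in ip.split(".")))
            + attr(ACCT_STATUS, status.to_bytes(4, "big")) + attr(VENDOR_SPECIFIC, vsa))
    return bytes([ACCT_REQUEST, 1]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body

def parse_attrs(data):                          # yield (type, value) TLVs; stop at the first bad length
    i = 0
    while i + 2 <= len(data):
        t, n = data[i], data[i + 1]
        if n < 2 or i + n > len(data):
            break
        yield t, data[i + 2:i + n]
        i += n

def parse_accounting(pkt):                      # user, IP, status and the sub-attribute-60 group list
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or int.from_bytes(pkt[2:4], "big") > len(pkt):
        return None                             # not an Accounting-Request, or a truncated one
    info = {"user": None, "ip": None, "status": None, "groups": []}
    for t, v in parse_attrs(pkt[20:int.from_bytes(pkt[2:4], "big")]):
        if t == USER_NAME:
            info["user"] = v.decode("utf-8", "replace")
        elif t == FRAMED_IP and len(v) == 4:
            info["ip"] = ".".join(str(b) for b in v)
        elif t == ACCT_STATUS and len(v) == 4:
            info["status"] = int.from_bytes(v, "big")
        elif t == VENDOR_SPECIFIC and len(v) > 4 and int.from_bytes(v[:4], "big") == VENDOR_ID:
            for st, sv in parse_attrs(v[4:]):   # vendor sub-attributes follow the 4-byte Vendor-Id
                if st == GROUP_SUBATTR:
                    info["groups"] += [g.strip() for g in sv.decode("utf-8", "replace").split(GROUP_DELIMITER) if g.strip()]
    return info

def apply_accounting(online, pkt):              # update the online-user table: ip -> {user, groups}
    info = parse_accounting(pkt)
    if info and info["user"] and info["ip"]:    # only packets that yield a user-IP mapping count
        if info["status"] == ACCT_STOP:         # Stop: the user goes offline, the entry is removed
            online.pop(info["ip"], None)
        else:                                   # Start / Interim-Update: (re)create the entry
            known = [g for g in info["groups"] if g in FW_SECURITY_GROUPS]   # unknown groups are dropped
            online[info["ip"]] = {"user": info["user"], "user_group": NEW_USER_GROUP, "security_groups": known}
    return online
```

Feeding a Start packet for a user whose sub-attribute 60 reads "rch,mkt" yields an entry with both security groups, while a user whose parsed group is not configured on the FW ends up with an empty security group list and only the /default/newuser user group to match policies against.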

Procedure

  1. Choose Network > Interface, set IP addresses for interfaces, and assign the interfaces to security zones.

    The following part uses GigabitEthernet 0/0/3 as an example to describe the configuration. Configure the other interfaces according to the data in the networking diagram.

    Zone: trust

    IP Address: 10.3.0.1/24

  2. Choose Policy > Security Policy > Security Policy, click Add to configure security policies.

    Configure a security policy between the Trust zone (users and NAS) and DMZ (RADIUS server) for users to get authenticated by the RADIUS server.

    Name: policy_sec_radius

    Source Zone: trust

    Destination Zone: dmz

    Destination Address: 10.2.0.0/24

    Action: Permit

  3. Configure security groups.

    Ensure that the FW has the parsed security group (parsed attribute). Otherwise, the parsed security group will not be recorded in the online user table. In this example, the parsed security groups are rch and mkt.

    1. Choose Object > User > default.
    2. In User/User Group/Security Group Management List, choose Add > Add Security Group.

      Name: rch and mkt (create one security group for each)

      Security Group Type: Static

  4. Choose Object > User > default and perform the following configuration.
    1. Select the scenario and the Internet access mode, and use the newly created user group newuser for new users.

    2. Configure RADIUS SSO parameters.

    3. Configure new user authentication options.

  5. Choose Object > User > Authentication Option > Global Configuration, and set the online user timeout duration to 480 minutes.
  6. Choose Object > User > Authentication Policy, click Add, and configure the authentication policies. For traffic from users to the RADIUS server, set the action to no-authentication so that the users' authentication packets can pass through the FW to the RADIUS server. For the users' service traffic, set the action to authentication exemption so that the FW obtains user information through SSO.

    Name: auth_policy_radius

    Source Zone: trust

    Destination Zone: dmz

    Destination Address/Region: 10.2.0.50/32

    Action: No authentication

    Name: auth_policy_service

    Source Zone: trust

    Source Address/Region: 10.3.0.0/24

    Action: Authentication exemption

    If the action of the authentication policy is set to authentication exemption, the FW obtains user information through SSO but still permits the traffic when it fails to obtain user information during SSO authentication. If the network has high security requirements, set the action of the authentication policy to portal authentication instead. The FW then performs portal authentication for users who fail SSO authentication.

  7. After the configuration is complete, reference the security group or user group when configuring the security policy, policy-based routing, quota control policy, proxy policy, audit policy, and traffic policy.

Verification

  • Internal users can access network resources after successful logins to the NAS using RADIUS accounts and passwords.
  • On the FW, choose Object > User > Online User to view information about online users.

Configuration Scripts

#
 sysname FW
# 
 user-manage online-user aging-time 480
 user-manage single-sign-on radius
  enable
  mode in-path 
  interface GigabitEthernet0/0/3
  traffic server-ip 10.2.0.50 port 1813
  user-manage radius-attribute-id vendor-specific 60 define-as security-group delimiter ,
# 
security-policy
 rule name sec_policy_radius
  source-zone trust 
  destination-zone dmz
  destination-address 10.2.0.0 24
  action permit
 #
auth-policy
 rule name auth_policy_radius
  source-zone trust
  destination-zone dmz 
  destination-address 10.2.0.50 32
  action none
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
# 
aaa
 domain default   
  service-type internetaccess
  internet-access mode single-sign-on
  new-user add-temporary group /default/newuser
 
# The following configuration is a one-time operation and is not saved in the configuration file.
 user-manage group /default/newuser
Copyright © Huawei Technologies Co., Ltd.