CLI: Example for Configuring RADIUS SSO for Internet Access Users (Out-of-Path Mode)

This section provides an example for configuring RADIUS Single Sign On (SSO) for Internet access users when a FW works as an egress gateway.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1.

  • Internet access users use the NAS to access the Internet.
  • The NAS sends user credentials to the RADIUS server for user authentication. The RADIUS server stores user and user group information.
  • Internet access users include R&D employees and marketing employees.

Figure 1 Networking diagram of configuring RADIUS SSO for Internet access users (Out-of-Path Mode)

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:

  • Information about users and departments is saved on the FW and can be referenced by policies.
  • After passing the authentication by entering correct RADIUS accounts and passwords, R&D employees and marketing employees can access network resources. R&D employees and marketing employees are identified by the user names they use for RADIUS authentication.
  • If the RADIUS accounts of new employees have been created on a RADIUS server but not stored on a FW, the FW considers them as temporary users and assigns them permissions of the specified group.

Configuration Roadmap

This example describes only how to configure user management and authentication.

  1. Export user information on a RADIUS server into a CSV file in the specified format and import the CSV file into a FW to create users and user groups in a batch.
  2. Set RADIUS SSO parameters on the FW.
  3. Set a new user authentication item for the default authentication domain. After a new user is authenticated, the user adopts the permission of the newuser group to access network resources.
  4. To prevent users from frequently logging in to and out of the FW, you are advised to set the users' online duration to a value larger than the update interval of RADIUS accounting packets on the FW. In this example, the online duration is set to 480 minutes.
  5. On the FW, configure an authentication policy for users' service traffic and set the action to authentication exemption.
  6. In this deployment mode, configure the NAS to send the accounting start packet to the RADIUS server and the firewall at the same time. The firewall parses the accounting start packet and responds to the NAS.

Data Planning

Item: Parent group of new users
Data:
  • Name: newuser
  • Parent Group: /default
Description: New employees whose accounts exist only on the RADIUS server are treated as temporary users and are assigned the permissions of the newuser group.

Item: RADIUS SSO
Data:
  • RADIUS SSO: Enable
  • Working mode: Out-of-path
  • Shared key: Test@123
  • Receiving interface: GigabitEthernet 0/0/3
  • Traffic to be analyzed by RADIUS SSO: 10.3.0.1:1813 (IP address of the RADIUS server: accounting port)
Description: Set SSO parameters on the FW so that the FW can analyze the RADIUS accounting packets sent by the NAS and obtain mappings between users and IP addresses.

Procedure

  1. Set IP addresses for interfaces and assign the interfaces to security zones. The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet 0/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet 0/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit

  2. Configure a security policy to allow users to access the Internet.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec 
    [FW-policy-security-rule-policy_sec] source-zone trust 
    [FW-policy-security-rule-policy_sec] source-address 10.3.0.0 24 
    [FW-policy-security-rule-policy_sec] destination-zone untrust 
    [FW-policy-security-rule-policy_sec] action permit 
    [FW-policy-security-rule-policy_sec] quit 
    [FW-policy-security] quit

  3. Import users and user groups from a CSV file on the FW.
    1. Choose Object > User > User Import > Local Import.
    2. In User Import, click Download CSV Template and download the CSV template to your PC.
    3. Write user information on the RADIUS server into a CSV file according to the template.

      Read the instructions on the CSV template and fill in user information. The following figure shows a complete CSV file.

    4. Upload the CSV file to the FW using SFTP.
    5. Import the CSV file.

      [FW] user-manage user-import demo.csv auto-create-group override

  4. Create a parent group for new users on the FW.

    [FW] user-manage group /default/newuser
    [FW-usergroup-/default/newuser] quit

  5. Set RADIUS SSO parameters on the FW.

    [FW] user-manage single-sign-on radius
    [FW-sso-radius] mode out-of-path
    [FW-sso-radius] shared-key Test@123
    [FW-sso-radius] interface GigabitEthernet 0/0/3
    [FW-sso-radius] traffic server-ip 10.3.0.1 port 1813
    [FW-sso-radius] enable
    [FW-sso-radius] quit

    In out-of-path mode, the NAS sends accounting packets to the FW. In this case, the FW also functions as a RADIUS server. Therefore, set the server IP address to the IP address of the FW interface that receives accounting packets.

  6. Set the new user option for the default authentication domain on the FW.

    [FW] aaa
    [FW-aaa] domain default
    [FW-aaa-domain-default] service-type internetaccess
    [FW-aaa-domain-default] new-user add-temporary group /default/newuser
    [FW-aaa-domain-default] quit
    [FW-aaa] quit

  7. Set the online user timeout duration to 480 minutes.

    [FW] user-manage online-user aging-time 480

  8. Configure the action of the authentication policy for users' service traffic to authentication exemption so that the FW can obtain user information through SSO.

    [FW] auth-policy 
    [FW-policy-auth] rule name auth_policy_service 
    [FW-policy-auth-rule-auth_policy_service] source-zone trust 
    [FW-policy-auth-rule-auth_policy_service] source-address 10.3.0.0 24 
    [FW-policy-auth-rule-auth_policy_service] action exempt-auth 
    [FW-policy-auth-rule-auth_policy_service] quit

    If the action of the authentication policy is set to authentication exemption, the FW obtains user information through SSO and permits the traffic when user information fails to be obtained during SSO authentication. If the network has high security requirements, set the action of the authentication policy to portal authentication. Then the FW will implement portal authentication on the users failing the SSO authentication.

  9. Configure the NAS to send RADIUS accounting packets to the FW. The encryption key configured on the NAS must be the same as the shared key configured for RADIUS SSO on the FW. Otherwise, the FW cannot correctly parse the RADIUS accounting packets sent by the NAS or encrypt the RADIUS accounting response packet (Accounting-Response) sent to the NAS.
  10. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.
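
The out-of-path accounting exchange described in steps 5 and 9 (the FW validating the NAS's Accounting-Request with the shared key, extracting the user-to-IP mapping, and returning an Accounting-Response) is shown below as an added Python example. It is not Huawei code and assumes only the RFC 2866 packet format; the sample Start record for user_0002 at 10.3.0.2 is constructed here to match the Verification output.

```python
import hashlib
import struct

SECRET = b"Test@123"          # shared key from the Data Planning table
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40
ACCT_START = b"\x00\x00\x00\x01"

def build_acct_request(ident, attrs, secret=SECRET):
    """Build an Accounting-Request (RFC 2866) as a NAS would, with a valid
    Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_accounting_start(packet, secret=SECRET):
    """Do what the FW does in out-of-path mode: check the authenticator with the
    shared key, then return (user, ip) from an Accounting Start, or None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    req_auth, body = packet[4:20], packet[20:]
    if hashlib.md5(packet[:4] + bytes(16) + body + secret).digest() != req_auth:
        return None                      # key mismatch: packet cannot be trusted
    attrs, pos = {}, 0
    while pos + 2 <= len(body):          # walk TLV attributes, rejecting bad lengths
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            return None
        attrs[t] = body[pos + 2:pos + l]
        pos += l
    if attrs.get(ACCT_STATUS_TYPE) != ACCT_START:
        return None                      # only Start creates a user-to-IP mapping
    if USER_NAME not in attrs or len(attrs.get(FRAMED_IP, b"")) != 4:
        return None
    return attrs[USER_NAME].decode(), ".".join(str(b) for b in attrs[FRAMED_IP])

def build_acct_response(request, secret=SECRET):
    """Accounting-Response the FW returns to the NAS. Its Response Authenticator is
    MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret), so a key mismatch
    on either side produces a response the NAS discards."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

# Constructed sample: a Start record for user_0002 at 10.3.0.2 (see Verification)
SAMPLE_START = build_acct_request(7, [(USER_NAME, b"user_0002"),
                                      (FRAMED_IP, bytes([10, 3, 0, 2])),
                                      (ACCT_STATUS_TYPE, ACCT_START)])
```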

Verification

  • Run the display user-manage user and display user-manage group commands on the FW to display information about users and user groups.
  • R&D employees can access network resources after successful logins to the NAS using RADIUS accounts and passwords.
  • Marketing employees can access network resources after successful logins to the NAS using RADIUS accounts and passwords.
  • Run the display user-manage online-user command on the FW to display information about online users.
    <FW> display user-manage online-user verbose
     Current Total Number: 1
    --------------------------------------------------------------------------------
     IP Address: 10.3.0.2
     Login Time: 2015-01-21 14:58:36  Online Time: 00:00:49
     State: Active  TTL: 00:30:00  Left Time: 00:29:59
     Access Type: local
     Authentication Mode: Single Sign-on
     Access Device Type: unknown
     <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
     Build ID: 0
     User Name: user_0002 Parent User Group: /default/research
    --------------------------------------------------------------------------------

Configuration Scripts

#
sysname FW
# 
user-manage online-user aging-time 480
user-manage single-sign-on radius
 enable
 mode out-of-path 
 shared-key %^%#o3Z7,b[Ox7Sc#r-f+WDC:D=s%^%#
 interface GigabitEthernet 0/0/3
 traffic server-ip 10.3.0.1 port 1813
# 
security-policy 
 rule name policy_sec
  source-zone trust 
  source-address 10.3.0.0 24      
  destination-zone untrust 
  action permit
#
auth-policy 
 rule name auth_policy_service 
  source-zone trust 
  source-address 10.3.0.0 24 
  action exempt-auth
#
interface GigabitEthernet 0/0/3
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 add interface GigabitEthernet 0/0/3
# 
aaa
 domain default   
  service-type internetaccess
  new-user add-temporary group /default/newuser

# The following configuration is used to perform a one-time operation and not stored in the configuration profile. 
 user-manage user-import demo.csv auto-create-group override
 user-manage group /default/newuser
Copyright © Huawei Technologies Co., Ltd.