
CLI: Example for Configuring Local Authentication on Internet Access Users

This section provides an example for configuring local authentication on Internet access users when a FW works as an egress gateway.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1.

Internet access users include R&D employees, marketing employees, and guests. All of them dynamically obtain IP addresses.

Figure 1 Local authentication on Internet access users

The user management and authentication mechanisms of the FW must map intranet IP addresses to users so that behavior control and permission assignment can be applied per user. Requirements are as follows:

  • Information about users and departments is saved on the FW and can be referenced by policies.
  • R&D employees and marketing employees must be authenticated by the FW.
  • Guests must be authenticated by the FW and can only use the specified guest accounts to access network resources.
  • Redirected authentication is implemented on guests. When a guest uses a browser to access a web page, the FW redirects the guest to an authentication page. After the guest is authenticated, Internet Explorer displays the requested web page.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create user groups and users and set passwords for the users.
  2. Create authentication policies and configure matching conditions and actions.
  3. Configure the default authentication domain.
  4. Configure a security policy to allow users to access authentication web pages.

Data Planning

Item: R&D employee
Data:
  Group
    • Name: research
    • Parent Group: /default
  User
    • Login Name: user_0001
    • Display Name: Tom
    • Parent Group: /default/research
    • Password/Confirm Password: Admin@123
    • Prohibit Users from Sharing This Account
Description: Add the R&D employee to group research. You can repeat the operations in this example to configure multiple user accounts.

Item: Marketing employee
Data:
  Group
    • Name: marketing
    • Parent Group: /default
  User
    • Login Name: user_0002
    • Display Name: Jack
    • Parent Group: /default/marketing
    • Password/Confirm Password: Admin@123
    • Prohibit Users from Sharing This Account
Description: Add the marketing employee to group marketing. You can repeat the operations in this example to configure multiple user accounts.

Item: Guest
Data:
  Group
    • Name: /default
  User
    • Login Name: guest
    • Parent Group: /default
    • Password/Confirm Password: Admin@123
    • Allow Users to Share This Account
Description: All guests use the guest account for authentication.

Item: Authentication policy
Data:
  • Name: policy_auth_01
  • Source Zone: Trust
  • Destination Zone: any
  • Source Address/Region: 10.3.0.0/24
  • Destination Address/Region: any
  • Action: Portal authentication
Description: Authentication is applied to any R&D employee, marketing employee, or guest whose traffic meets the matching conditions. These users can access network resources only after being authenticated by the FW.

Item: Authentication domain
Data:
  • Name: default
  • Access Control: Online behavior management
Description: The default authentication domain is used during authentication, so R&D employees, marketing employees, and guests do not need to append an authentication domain to the user names they enter.

Procedure

  1. Set IP addresses for interfaces and assign the interfaces to security zones. The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet0/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit

  2. Create a user group object and a user object for an R&D employee.

    [FW] user-manage group /default/research
    [FW-usergroup-/default/research] quit
    [FW] user-manage user user_0001
    [FW-localuser-user_0001] alias Tom
    [FW-localuser-user_0001] parent-group /default/research
    [FW-localuser-user_0001] password Admin@123
    [FW-localuser-user_0001] undo multi-ip online enable
    [FW-localuser-user_0001] quit

  3. Create a user group object and a user object for a marketing employee.

    [FW] user-manage group /default/marketing
    [FW-usergroup-/default/marketing] quit
    [FW] user-manage user user_0002
    [FW-localuser-user_0002] alias Jack
    [FW-localuser-user_0002] parent-group /default/marketing
    [FW-localuser-user_0002] password Admin@123
    [FW-localuser-user_0002] undo multi-ip online enable
    [FW-localuser-user_0002] quit

  4. Create a user object for a guest.

    [FW] user-manage user guest
    [FW-localuser-guest] parent-group /default
    [FW-localuser-guest] password Admin@123
    [FW-localuser-guest] quit

  5. Configure the redirect from the authentication page to the previously accessed page after authentication.

    [FW] user-manage redirect

  6. Configure an authentication policy.

    [FW] auth-policy
    [FW-policy-auth] rule name policy_auth_01
    [FW-policy-auth-rule-policy_auth_01] source-zone trust
    [FW-policy-auth-rule-policy_auth_01] source-address 10.3.0.0 24
    [FW-policy-auth-rule-policy_auth_01] action auth
    [FW-policy-auth-rule-policy_auth_01] quit
    [FW-policy-auth] quit

  7. Configure the authentication domain.

    [FW] aaa
    [FW-aaa] domain default
    [FW-aaa-domain-default] service-type internetaccess
    [FW-aaa-domain-default] quit
    [FW-aaa] quit

  8. Configure security policies.
    1. Configure a security policy to allow users to access the authentication page.

      [FW] security-policy
      [FW-policy-security] rule name policy_sec_01
      [FW-policy-security-rule-policy_sec_01] source-zone trust
      [FW-policy-security-rule-policy_sec_01] destination-zone local
      [FW-policy-security-rule-policy_sec_01] source-address 10.3.0.0 24
      [FW-policy-security-rule-policy_sec_01] service protocol tcp destination-port 8887
      [FW-policy-security-rule-policy_sec_01] action permit
      [FW-policy-security-rule-policy_sec_01] quit

    2. Configure a security policy to allow users to access the Internet.

      [FW-policy-security] rule name policy_sec_02
      [FW-policy-security-rule-policy_sec_02] source-zone trust
      [FW-policy-security-rule-policy_sec_02] source-address 10.3.0.0 24
      [FW-policy-security-rule-policy_sec_02] destination-zone untrust
      [FW-policy-security-rule-policy_sec_02] action permit
      [FW-policy-security-rule-policy_sec_02] quit

      Make sure DNS traffic is also permitted in the Trust -> Untrust interzone so that the domain names in HTTP requests can be resolved.

    3. Configure a security policy to allow users to access the server cluster.

      [FW-policy-security] rule name policy_sec_03
      [FW-policy-security-rule-policy_sec_03] source-zone trust
      [FW-policy-security-rule-policy_sec_03] source-address 10.3.0.0 24
      [FW-policy-security-rule-policy_sec_03] destination-zone dmz
      [FW-policy-security-rule-policy_sec_03] action permit
      [FW-policy-security-rule-policy_sec_03] quit
      [FW-policy-security] quit

  9. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.

Verification

  • Verify that the following conditions are true:

    • The R&D employee Tom uses the Internet Explorer to access www.example.org and is redirected to an authentication page. The R&D employee then enters user name user_0001 and password Admin@123 for authentication. After the R&D employee is authenticated, the Internet Explorer displays the web page of www.example.org.
    • The marketing employee Jack uses the Internet Explorer to access www.example.org and is redirected to an authentication page. The marketing employee then enters user name user_0002 and password Admin@123 for authentication. After the marketing employee is authenticated, the Internet Explorer displays the web page of www.example.org.
    • The guest uses the Internet Explorer to access www.example.org and is redirected to an authentication page. The guest then enters user name guest and password Admin@123 for authentication. After the guest is authenticated, the Internet Explorer displays the web page of www.example.org.
  • Before accessing non-HTTP servers, such as FTP servers, employees and guests need to open the authentication page at https://10.3.0.1:8887 and authenticate there first. The IP address in this URL must be that of an interface on the FW and must be reachable from the users' network.
  • Run the display user-manage online-user command on the FW to display information about online users.
    <FW> display user-manage online-user verbose
     Current Total Number: 3
    --------------------------------------------------------------------------------
     IP Address: 10.3.0.2
     Login Time: 2015-01-21 14:58:36  Online Time: 00:00:49
     State: Active  TTL: 00:30:00  Left Time: 00:29:59
     Access Type: local
     Authentication Mode: Password (Local)
     Access Device Type: unknown
     <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
     Build ID: 0
     User Name: user_0001 Parent User Group: /default/research

     IP Address: 10.3.0.5
     Login Time: 2015-01-21 14:58:54  Online Time: 00:00:31
     State: Active  TTL: 00:30:00  Left Time: 00:30:17
     Access Type: local
     Authentication Mode: Password (Local)
     Access Device Type: unknown
     <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
     Build ID: 0
     User Name: user_0002 Parent User Group: /default/marketing

     IP Address: 10.3.0.10
     Login Time: 2015-01-21 14:58:36  Online Time: 00:00:49
     State: Active  TTL: 00:30:00  Left Time: 00:29:59
     Access Type: local
     Authentication Mode: Password (Local)
     Access Device Type: unknown
     <--packets: 0 bytes: 0  -->packets: 0 bytes: 0
     Build ID: 0
     User Name: guest Parent User Group: /default
    --------------------------------------------------------------------------------
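As an added example that is not part of the original Huawei documentation, the following Python script parses the verbose online-user listing shown above and checks it against the data plan: every online account is one that was created, sits in its planned group, and only the shared guest account is online from more than one IP address at a time. The sample listing is constructed and abridged to the fields the check reads; the extra guest session from 10.3.0.11 is an assumption added to exercise the shared-account case.

```python
from collections import defaultdict

# Constructed sample, abridged to the fields the check needs: the three
# sessions from the verification step plus an assumed second guest session.
SAMPLE = """\
 IP Address: 10.3.0.2
 User Name: user_0001 Parent User Group: /default/research
 IP Address: 10.3.0.5
 User Name: user_0002 Parent User Group: /default/marketing
 IP Address: 10.3.0.10
 User Name: guest Parent User Group: /default
 IP Address: 10.3.0.11
 User Name: guest Parent User Group: /default
"""

# Expected placement from the Data Planning table. Only guest is configured
# to allow account sharing; employees have "undo multi-ip online enable".
EXPECTED_GROUP = {"user_0001": "/default/research",
                  "user_0002": "/default/marketing",
                  "guest": "/default"}
SHARED_ACCOUNTS = {"guest"}

def parse_online_users(text):
    """Return one dict per session (ip, user, group) from the verbose listing."""
    sessions, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("IP Address:"):
            cur = {"ip": line.split(":", 1)[1].strip()}
            sessions.append(cur)
        elif line.startswith("User Name:"):
            # "User Name: <user> Parent User Group: <group>" (names have no spaces)
            cur["user"], cur["group"] = line.split()[2], line.split()[-1]
    return sessions

def audit(sessions):
    """Flag unplanned accounts, wrong groups, and shared use of non-shared accounts."""
    findings, ips_by_user = [], defaultdict(set)
    for s in sessions:
        ips_by_user[s["user"]].add(s["ip"])
        want = EXPECTED_GROUP.get(s["user"])
        if want is None:
            findings.append(f"unplanned account {s['user']} from {s['ip']}")
        elif s["group"] != want:
            findings.append(f"{s['user']} is in {s['group']}, expected {want}")
    for user, ips in ips_by_user.items():
        if len(ips) > 1 and user not in SHARED_ACCOUNTS:
            findings.append(f"{user} online from {len(ips)} IPs: {sorted(ips)}")
    return findings
```

Feed it the output of `display user-manage online-user verbose` captured from the FW; an empty findings list means the online population matches the plan.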
    

Configuration Scripts

#
 sysname FW
#
 user-manage redirect
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
aaa 
 #
 domain default
  service-type internetaccess 
 #
# 
security-policy 
 rule name policy_sec_01
  source-zone trust 
  source-address 10.3.0.0 24
  destination-zone local 
  service protocol tcp destination-port 8887
  action permit          
 rule name policy_sec_02    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone untrust
  action permit
 rule name policy_sec_03    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone dmz
  action permit
#
auth-policy
 rule name policy_auth_01
  source-zone trust
  source-address 10.3.0.0 24
  action auth

# The following user/group creation configuration is stored in the database, but not in the configuration profile.
user-manage group /default/research
user-manage group /default/marketing
user-manage user user_0001
 alias Tom
 parent-group /default/research
 password *********
 undo multi-ip online enable
user-manage user user_0002
 alias Jack
 parent-group /default/marketing
 password *********
 undo multi-ip online enable
user-manage user guest
 parent-group /default
 password *********
Copyright © Huawei Technologies Co., Ltd.