
Web: Example for Configuring Local Authentication on Internet Access Users

This section provides an example for configuring local authentication on Internet access users when a FW works as an egress gateway.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1.

Internet access users include R&D employees, marketing employees, and guests. All of them dynamically obtain IP addresses.

Figure 1 Local authentication on Internet access users

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:

  • Information about users and departments is saved on the FW and can be referenced by policies.
  • R&D employees and marketing employees must be authenticated by the FW.
  • Guests must be authenticated by the FW and can only use the specified guest accounts to access network resources.
  • Redirected authentication is implemented on guests. When a guest uses a browser to access a web page, the FW redirects the guest to an authentication page. After the guest is authenticated, Internet Explorer displays the requested web page.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create authentication policies and configure matching conditions and actions.
  2. Configure the access control for authentication domain default as online behavior management.
  3. Create user groups and users and set passwords for the users.
  4. Configure a security policy to allow users to access authentication web pages.

Data Planning

Item: R&D employee

Data:

  Group
    • Name: research
    • Parent Group: /default

  User
    • Login Name: user_0001
    • Display Name: Tom
    • Parent Group: /default/research
    • Password/Confirm Password: Admin@123
    • Prohibit Users from Sharing This Account

Description: Add the R&D employee to group research. You can repeat the operations in this example to configure multiple user accounts.

Item: Marketing employee

Data:

  Group
    • Name: marketing
    • Parent Group: /default

  User
    • Login Name: user_0002
    • Display Name: Jack
    • Parent Group: /default/marketing
    • Password/Confirm Password: Admin@123
    • Prohibit Users from Sharing This Account

Description: Add the marketing employee to group marketing. You can repeat the operations in this example to configure multiple user accounts.

Item: Guest

Data:

  Group
    • Name: /default

  User
    • Login Name: guest
    • Parent Group: /default
    • Password/Confirm Password: Admin@123
    • Allow Users to Share This Account

Description: All guests use the guest account for authentication.

Item: Authentication policy

Data:
  • Name: policy_auth_01
  • Source Zone: Trust
  • Destination Zone: any
  • Source Address/Region: 10.3.0.0/24
  • Destination Address/Region: any
  • Action: Portal authentication

Description: Authentication is implemented on the R&D employee, marketing employee, or guest who meets the matching conditions. The R&D employee, marketing employee, or guest can access network resources only after being authenticated by the FW.

Item: Authentication domain

Data:
  • Name: default
  • Access Control: Online behavior management

Description: The default authentication domain is used during authentication. No authentication domain is required in the user names entered by R&D employees, marketing employees, and guests.

Procedure

  1. Choose Network > Interface, set IP addresses for interfaces and assign the interfaces to security zones.

    The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    • Zone: trust
    • IP Address: 10.3.0.1/24

  2. Choose Object > User > Authentication Policy, click Add to create an authentication policy.

    • Name: policy_auth_01
    • Source Zone: Trust
    • Source Address/Region: 10.3.0.0/24
    • Action: Portal authentication

  3. Choose Object > User > default and configure local authentication.

    Click Add and create user groups and users.

    1. Choose Add Group and create a user group object for an R&D employee.

    2. Choose Add a User and create a user object for an R&D employee.

    3. Repeat the previous steps to create the user group/user account (marketing/user_0002) of the marketing department and a guest account (guest).
    4. Click Apply.
  4. Choose Object > User > Authentication Option > Local Portal and configure the redirect from the authentication page to the previously accessed page after authentication.

    Set Redirection Setting After Successful Authentication as Redirect to the latest Web page, and click Apply.

  5. Choose Policy > Security Policy > Security Policy, click Add to configure security policies.
    1. Configure a security policy to allow users to access the authentication page.

      • Name: policy_sec_01
      • Source Zone: trust
      • Destination Zone: local
      • Source Address: 10.3.0.0/24
      • Service: Create user-defined service (TCP/8887)
      • Action: Permit

    2. Configure a security policy to allow users to access the Internet.

      • Name: policy_sec_02
      • Source Zone: trust
      • Destination Zone: untrust
      • Source Address: 10.3.0.0/24
      • Action: Permit

      Enable the DNS service for the Trust -> Untrust interzone to allow HTTP domain name resolution packets through.

    3. Configure a security policy to allow users to access the server cluster.

      • Name: policy_sec_03
      • Source Zone: trust
      • Destination Zone: dmz
      • Source Address: 10.3.0.0/24
      • Action: Permit

  6. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.

Verification

  • Verify that the following conditions are true:

    • The R&D employee Tom uses Internet Explorer to access www.example.org and is redirected to an authentication page. The R&D employee then enters user name user_0001 and password Admin@123 for authentication. After the R&D employee is authenticated, Internet Explorer displays the web page of www.example.org.
    • The marketing employee Jack uses Internet Explorer to access www.example.org and is redirected to an authentication page. The marketing employee then enters user name user_0002 and password Admin@123 for authentication. After the marketing employee is authenticated, Internet Explorer displays the web page of www.example.org.
    • The guest uses Internet Explorer to access www.example.org and is redirected to an authentication page. The guest then enters user name guest and password Admin@123 for authentication. After the guest is authenticated, Internet Explorer displays the web page of www.example.org.
  • Before accessing non-HTTP servers, such as FTP servers, employees and guests need to access the authentication page at https://10.3.0.1:8887 for authentication. The IP address of the authentication page must be that of the interface on the FW and must be reachable by users.
  • On the FW, choose Object > User > Online User to see information about online users.

Configuration Scripts

#
 sysname FW
#
 user-manage redirect
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
aaa
 #
 domain default
  service-type internetaccess
  internet-access mode password
 #
#
security-policy
 rule name policy_sec_01
  source-zone trust
  source-address 10.3.0.0 24
  destination-zone local
  service protocol tcp destination-port 8887
  action permit
 rule name policy_sec_02
  source-zone trust
  source-address 10.3.0.0 24
  destination-zone untrust
  action permit
 rule name policy_sec_03
  source-zone trust
  source-address 10.3.0.0 24
  destination-zone dmz
  action permit
#
auth-policy
 rule name policy_auth_01
  source-zone trust
  source-address 10.3.0.0 24
  action auth

# The following user/group creation configuration is stored in the database, but not in the configuration profile.
user-manage group /default/research
user-manage group /default/marketing
user-manage user user_0001
 alias Tom
 parent-group /default/research
 password *********
 undo multi-ip online enable
user-manage user user_0002
 alias Jack
 parent-group /default/marketing
 password *********
 undo multi-ip online enable
user-manage user guest
 parent-group /default
 password *********
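The portal redirect only works if policy_sec_01 actually lets the subnet covered by policy_auth_01 reach zone local on TCP/8887. The following Python check, added here as an example and not part of the Huawei document or product, parses the security-policy and auth-policy sections in the format of the script above and reports, per authentication rule, whether such a permit rule exists; CONFIG is a constructed excerpt of that script, and the function names are my own.

```python
from ipaddress import ip_network

# Constructed excerpt of the FW configuration script shown above.
CONFIG = """\
security-policy
 rule name policy_sec_01
  source-zone trust
  source-address 10.3.0.0 24
  destination-zone local
  service protocol tcp destination-port 8887
  action permit
#
auth-policy
 rule name policy_auth_01
  source-zone trust
  source-address 10.3.0.0 24
  action auth
"""

def parse_rules(config, section):
    """Return {rule name: {keyword: rest of line}} for one top-level section."""
    rules, current, inside = {}, None, False
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level line: section header or '#'
            inside, current = line.strip() == section, None
        elif inside and line.strip().startswith("rule name "):
            current = line.strip()[len("rule name "):]
            rules[current] = {}
        elif inside and current is not None:
            key, _, value = line.strip().partition(" ")
            rules[current][key] = value
    return rules

def net(addr_mask):
    """Huawei 'address prefix-length' form, e.g. '10.3.0.0 24' -> IPv4Network."""
    return ip_network(addr_mask.replace(" ", "/"))

def permits_portal(rule, auth, port):
    """True if a permit rule lets auth's source reach zone local on TCP/port.
    A rule without a service clause permits every service, so it counts too."""
    return (rule.get("destination-zone") == "local" and rule.get("action") == "permit"
            and rule.get("source-zone") == auth.get("source-zone")
            and ("service" not in rule
                 or rule["service"].endswith(f"destination-port {port}"))
            and net(rule["source-address"]).supernet_of(net(auth["source-address"])))

def portal_reachable(config, portal_port=8887):
    """Map each 'action auth' rule to whether some permit rule covers the portal port."""
    sec = parse_rules(config, "security-policy").values()
    return {name: any(permits_portal(r, auth, portal_port) for r in sec)
            for name, auth in parse_rules(config, "auth-policy").items()
            if auth.get("action") == "auth"}
```

Run it against a saved configuration before rollout: a False verdict means users would be redirected to a portal they cannot reach and would simply see a hung connection.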
Copyright © Huawei Technologies Co., Ltd.