
CLI: Example for Configuring Authentication Exemption for Internet Access Users (Bidirectionally Binding Users to IP and MAC Addresses)

This section describes how to configure authentication exemption for top executives and implement user-specific permission management when the FW serves as an egress gateway.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1.

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment.

Top executives use the fixed IP address (10.3.0.2). To improve efficiency, top executives are exempted from authentication, but for security considerations, the accounts used by top executives must be bound to IP addresses and MAC addresses. This ensures that top executives can only use the specified IP and MAC addresses to access network resources.

Figure 1 Authentication exemption for Internet access users

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create group and user objects for top executives and bidirectionally bind the user objects to IP and MAC addresses.
  2. Create an authentication policy and configure the matching conditions and authentication action (authentication exemption).
  3. Configure the default authentication domain.
  4. Configure security policies.

Data Planning

Item: Top executive

Data:

  • Group
      • Name: manager
      • Parent Group: /default
  • User
      • Login Name: user_0001
      • Display Name: Supervisor
      • Parent Group: /default/manager
      • Prohibit Users from Sharing This Account
      • IP/MAC Binding: Bidirectional binding
      • IP/MAC Address: 10.3.0.2/aaaa-bbbb-cccc

Description: Add the top executive to the group manager and bind the top executive bidirectionally to the IP and MAC addresses. No password is required for the top executive; the FW authenticates the top executive based on the bound IP and MAC addresses.

You can repeat the operations in this example to configure multiple user accounts.

Item: Authentication policy

Data:

  • Name: policy_auth_01
  • Source Zone: Trust
  • Destination Zone: any
  • Source Address/Region: 10.3.0.2/32
  • Destination Address/Region: any
  • Action: Authentication exemption

Description: A top executive whose traffic meets the matching conditions can access network resources without being authenticated.

Item: Authentication domain

Data:

  • Name: default
  • Access Control: Online behavior management

Description: -

Procedure

  1. Set IP addresses for interfaces and assign the interfaces to security zones. The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet0/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit
    

  2. Create a user group object and a user object for a top executive.

    [FW] user-manage group /default/manager
    [FW-usergroup-/default/manager] quit
    [FW] user-manage user user_0001
    [FW-localuser-user_0001] alias Supervisor
    [FW-localuser-user_0001] parent-group /default/manager
    [FW-localuser-user_0001] undo multi-ip online enable
    [FW-localuser-user_0001] bind mode bidirectional
    [FW-localuser-user_0001] bind ipv4 10.3.0.2 mac aaaa-bbbb-cccc 
    [FW-localuser-user_0001] quit
    

  3. Configure an authentication policy.

    [FW] auth-policy
    [FW-policy-auth] rule name policy_auth_01
    [FW-policy-auth-rule-policy_auth_01] source-zone trust
    [FW-policy-auth-rule-policy_auth_01] source-address 10.3.0.2 32
    [FW-policy-auth-rule-policy_auth_01] action exempt-auth
    [FW-policy-auth-rule-policy_auth_01] quit
    [FW-policy-auth] quit
    

    If you also configure an authentication policy for common employees, make sure that the authentication exemption rule for 10.3.0.2/32 is placed before the rule for subnet 10.3.0.2/24. Authentication policy rules are matched in order, so if the broader /24 rule came first, traffic from the top executive would match it and never reach the exemption rule.

  4. Configure an authentication domain.

    [FW] aaa
    [FW-aaa] domain default
    [FW-aaa-domain-default] service-type internetaccess
    [FW-aaa-domain-default] quit
    [FW-aaa] quit

  5. Configure security policies.
    1. Configure a security policy to allow users to access the Internet.

      [FW] security-policy
      [FW-policy-security] rule name policy_sec_02
      [FW-policy-security-rule-policy_sec_02] source-zone trust
      [FW-policy-security-rule-policy_sec_02] source-address 10.3.0.0 24
      [FW-policy-security-rule-policy_sec_02] destination-zone untrust
      [FW-policy-security-rule-policy_sec_02] action permit
      [FW-policy-security-rule-policy_sec_02] quit


    2. Configure a security policy to allow users to access the server cluster.

      [FW-policy-security] rule name policy_sec_03
      [FW-policy-security-rule-policy_sec_03] source-zone trust
      [FW-policy-security-rule-policy_sec_03] source-address 10.3.0.0 24
      [FW-policy-security-rule-policy_sec_03] destination-zone dmz
      [FW-policy-security-rule-policy_sec_03] action permit
      [FW-policy-security-rule-policy_sec_03] quit
      [FW-policy-security] quit
      

  6. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.
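As an added illustration of the rule-ordering requirement noted in step 3 (this is example code, not part of the original page or of the FW software), the following Python models first-match evaluation of the authentication policy rules and flags an exemption rule that an earlier, broader rule would shadow. It parses text in the format of the configuration script; the second rule, policy_auth_02 with `action auth`, is an assumed employee rule and is not from the page.

```python
import ipaddress

# Constructed auth-policy text in the format of the page's configuration script.
# policy_auth_02 is an assumed rule for common employees, not from the page.
AUTH_POLICY = """\
auth-policy
 rule name policy_auth_01
  source-zone trust
  source-address 10.3.0.2 32
  action exempt-auth
 rule name policy_auth_02
  source-zone trust
  source-address 10.3.0.0 24
  action auth
"""

def parse_auth_policy(text):
    """Return the rules in configured order as dicts (name, zone, net, action)."""
    rules, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("rule name "):
            cur = {"name": line.split()[-1], "zone": "any", "net": None, "action": None}
            rules.append(cur)
        elif cur and line.startswith("source-zone "):
            cur["zone"] = line.split()[1]
        elif cur and line.startswith("source-address "):
            ip, plen = line.split()[1:3]
            cur["net"] = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        elif cur and line.startswith("action "):
            cur["action"] = line.split()[1]
    return rules

def match(rules, zone, ip):
    """First-match evaluation: the first rule whose zone and address cover the flow."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if r["zone"] in ("any", zone) and (r["net"] is None or addr in r["net"]):
            return r["name"], r["action"]
    return None, "default"

def shadowed(rules):
    """Names of rules fully covered by an earlier rule that takes a different action."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e["zone"] in ("any", r["zone"]) and e["net"] and r["net"]
                    and r["net"].subnet_of(e["net"]) and e["action"] != r["action"]):
                out.append(r["name"])
                break
    return out
```

Reversing the two rules makes the top executive's address match the employee rule, which is exactly the misordering the note in step 3 warns about.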

Verification

  • The top executive can access network resources without authentication. Other users cannot use the top executive's user name to access network resources, because their IP addresses are not 10.3.0.2 and their MAC addresses are not aaaa-bbbb-cccc.
  • Run the display user-manage online-user command on the FW to display information about online users.
    <FW> display user-manage online-user verbose            
     Current Total Number: 1
    --------------------------------------------------------------------------------  
     IP Address: 10.3.0.2    
     Login Time: 2015-01-23 14:38:41  Online Time: 00:24:38  
     State: Active  TTL: 00:30:00  Left Time: 00:29:23 
     Access Type: local  
     Authentication Mode: Authentication Exemption (IP/MAC Bind User) Bind Mode: Bidirectional  
     Access Device Type: unknown
     <--packets: 12 bytes: 720  -->packets: 0 bytes: 0 
     Build ID: 0
     User Name: user_0001  Parent User Group: /default/manager 
    --------------------------------------------------------------------------------
    

Configuration Scripts

#
 sysname FW
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
aaa 
 #
 domain default
  service-type internetaccess 
 #
# 
security-policy 
 rule name policy_sec_02    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone untrust
  action permit
 rule name policy_sec_03    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone dmz
  action permit
#
auth-policy
 rule name policy_auth_01
  source-zone trust
  source-address 10.3.0.2 32
  action exempt-auth

#The following user/group creation configuration is stored in the database, but not in the configuration profile.
user-manage group /default/manager
user-manage user user_0001
 alias Supervisor
 parent-group /default/manager
 undo multi-ip online enable
 bind mode bidirectional
 bind ipv4 10.3.0.2 mac aaaa-bbbb-cccc
Copyright © Huawei Technologies Co., Ltd.