< Home

Web: Example for Configuring AD SSO for Internet Access Users (the FW Monitoring AD Authentication Packets)

This section provides an example for configuring AD Single Sign On (SSO) for Internet access users when a FW works as an egress gateway. In this example, no additional program is required. The FW obtains user login information from AD authentication packets.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1.

  • The AD identity authentication mechanism is enabled on the intranet, and information about users and user group is saved on an AD server.
  • Internet access users on the intranet include R&D employees and marketing employees.
Figure 1 AD SSO for Internet access users (the FW monitoring AD authentication packets)

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:

  • Information about users and departments is saved on the FW and can be referenced by policies.
  • R&D employees and marketing employees use domain accounts to log in to AD domains and access network resources. R&D employees and marketing employees are identified by the user names they use to log in to AD domains.
  • If the domain accounts of new employees have been created on an AD server but not stored on a FW, after being authenticated, these users go online as temporary users in the organization structure on the AD server.
  • For security, no program can be installed on the AD server.

Configuration Roadmap

This example describes only how to configure user management and authentication.

In this mode, the FW cannot obtain user logout messages. Users go offline only when their connections time out.

In the example, both users and user groups on the AD server are imported to the FW. If there are a large number of users on a live network, you can import only user groups and control user permissions by user groups.

The configuration roadmap is as follows:

  1. On a FW, set the parameters for communication with an AD server.
  2. Configure an authentication domain on the FW. The domain name must be the same as that on the AD server.
  3. Configure a policy to import user information from the AD server to the FW.
  4. Configure the new user option of the authentication domain. If an authenticated user does not exist on the FW, the user goes online as a temporary user in the organization structure on the AD server.

  5. Set SSO parameters for the FW to listen to authentication results sent from the AD server to PCs.

    In this example, authentication packets do not pass through the FW. Therefore, the authentication results must be mirrored to the FW.

  6. Configure an authentication policy whose action is authentication exemption on the FW.
  7. To prevent repeated login to the domain for authentication because of frequent timeouts during the working hours (8 hours), you need to set the user online timeout duration to 480 minutes.
  8. Configure the port mirroring function on the switch to mirror authentication packets to the FW.

Data Planning

Item

Data

Description

AD server

  • Name: auth_server_ad

  • Primary Authentication Server IP: 10.3.0.251

  • Port: 88

  • Primary Server Host Name: ad.cce.com

  • Base DN/Port DN: dc=cce, dc=com

  • LDAP Port: 389

  • Administrator DN: cn=administrator,cn=users

  • Administrator Password: Admin@123

On a FW, set the parameters for communication with an AD server.

The parameter settings on the FW must be consistent with those on the AD server.

User information import policy

  • Name: policy_import

  • Server Type: AD

  • Server Name: auth_server_ad

  • Import Type: Import both users and user groups

  • Target User Group: /cce.com

  • Incremental Synchronization: 120 minutes

  • Overwrite local user records when the current user exists

Import users from the AD server to the FW.

AD SSO

  • AD SSO: Enable

  • Mode: Monitoring AD authentication packets
  • Interface for receiving mirrored authentication packets: GigabitEthernet 0/0/4

  • Server IP address/port: 10.3.0.251:88

Set SSO parameters on the FW and configure the FW to receive the user login information from the AD server.

Procedure

  1. Choose Network > Interface, set IP addresses for interfaces and assign the interfaces to security zones. The following example describes how to configure interface GigabitEthernet 0/0/3 and GigabitEthernet 0/0/4. You can configure other interfaces based on the networking diagram.

    GigabitEthernet 0/0/3

    Zone

    trust

    IP Address

    10.3.0.1/24

    GigabitEthernet 0/0/4

    Zone

    trust

    Mode

    Switch

    Connection Type

    Trunk

    Trunk VLAN ID

    2-4094

    GigabitEthernet 0/0/4 is used to receive mirrored packets from the switch and must work in switching mode.

  2. Choose Policy > Security Policy > Security Policy, click Add to configure security policies.
    1. Configure security policies between the Trust (AD server) and Local zone to ensure the communication among the FW and AD server.

      Name

      local_policy_ad_01

      Source Zone

      local

      Destination Zone

      trust

      Destination Address

      10.3.0.251/32

      Action

      Permit

      Name

      local_policy_ad_02

      Source Zone

      trust

      Destination Zone

      local

      Source Address

      10.3.0.251/32

      Action

      Permit

    2. Configure a security policy to allow users to access the Internet.

      Name

      policy_sec_02

      Source Zone

      trust

      Destination Zone

      untrust

      Source Address

      10.3.0.0/24

      Action

      Permit

    3. Configure a security policy to allow users to access the server cluster.

      Name

      policy_sec_03

      Source Zone

      trust

      Destination Zone

      dmz

      Source Address

      10.3.0.0/24

      Action

      Permit

  3. On a FW, choose Object > Authentication Server > AD, click Add to set the parameters for communication with an AD server.

    The parameter settings on the FW must be consistent with those on the AD server.

    For the V600R007C20 version, whether to enable SSL for AD authentication cannot be configured on the web UI. When you configure the AD server on the web UI, SSL (ldap-over-ssl) is enabled by default. In this mode, LDAP over SSL must also be enabled on the AD server. For details, see the operating system guide of the AD server. To disable SSL (no-ssl), click CLI Console in the lower right corner of the web page. On the CLI configuration page that is displayed, run the ad-server authentication 10.3.0.251 88 no-ssl command in the corresponding AD server template view. The following uses no-ssl as an example.

    Click Detect. In the dialog box that is displayed, click OK and enter the user name and password that are configured on the AD server. Click Start Checking to check the connectivity to the AD server.

    If you are unfamiliar with the AD server and cannot provide the server name or Base DN values, you can use the AD Explorer software downloaded from Internet to connect to the AD server to query the attribute values. The mappings between the server attributes and parameters on the FW are as follows.

  4. On a FW, choose Object > User > Authentication Domain, click Add to create an authentication domain.

  5. On a FW, choose Object > User > User Import > Server Import, click Add to configure a policy to import user information from the AD server to the FW.

    • If the server has many users or user groups, some users or user groups under the basedn may not be imported to the FW because the number of users or user groups exceeds the FW's specification. Therefore, you are advised to click Select on the right of Server Import Location to select an import range.

    • In this example, users and user groups are imported to the FW. The user and user group filtering conditions in this example use the default values (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer))) and (|(objectclass=organizationalUnit)(ou=*)).

  6. Choose Object > User > cce.com, configure AD SSO and click Apply.

    Click Configure on the right of Server Import Policy. A dialog box is displayed. Click Import Immediately corresponding to policy_import. After the import is complete, the user groups and users on the AD server are displayed in User/User Group/Security Group Management List.

    If Receive a copy of authentication packets is selected and a mirroring interface is specified on the FW, the interface parses only AD authentication packets and discards other packets. When both authentication packets and service packets are mirrored by the switch to the FW deployed in bypass mode, do not specify this parameter.

  7. Choose Object > User > Authentication Policy, click Add to create an authentication policy.

    Name

    auth_policy_service

    Source Zone

    Trust

    Source Address/Region

    10.3.0.0/24

    Action

    Authentication exemption

    If the action of the authentication policy is set to authentication exemption, the FW obtains user information through SSO and permits the traffic when user information fails to be obtained during SSO authentication. If the network has high security requirements, set the action of the authentication policy to portal authentication. Then the FW will implement portal authentication on the users failing the SSO authentication.

    To implement SSO when the AD Domain Controller is deployed in the DMZ, ensure that the authentication policy on the FW does not authenticate the authentication packets sent by users to the AD server. You can choose Object > User > Authentication Policy to check the authentication policy.

    In addition, the authentication packets must pass the security check of the security policy. Therefore, the administrator needs to configure the following security policy on the FW:

    • Source Zone: trust
    • Destination Zone: dmz
    • Destination Address/Region: The IP address of the AD server
    • Action: Permit

  8. Choose Object > User > Authentication Option, set the online user timeout duration to 480 minutes.
  9. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.
  10. Configure the port mirroring function on the switch.

    This example uses Huawei S9700 to describe how to configure the port mirroring function. For the configurations of other functions, refer to the product documents of the S9700.

    1. Configure GigabitEthernet 0/0/2 as the observing interface.

      <Switch> system-view
[Switch] observe-port 1 interface GigabitEthernet 0/0/2

    2. Configure GigabitEthernet 0/0/1 as the mirroring port to mirror incoming traffic.

      [Switch] interface GigabitEthernet 0/0/1
[Switch-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound
[Switch-GigabitEthernet0/0/1] quit

Verification

  • Verify that the following conditions are true:

    • R&D employees use domain accounts to log in to AD domains and access network resources through the FW. They can access network resources only after successful logins.
    • Marketing employees use domain accounts to log in to AD domains and access network resources through the FW. They can access network resources only after successful logins.
  • On the FW, choose Object > User > Online User to see information about online users.

Configuration Scripts

#
 sysname FW
# 
 user-manage online-user aging-time 480
 user-manage single-sign-on ad
  mode no-plug-in
  no-plug-in interface GigabitEthernet0/0/4
  no-plug-in traffic server-ip 10.3.0.251 port 88
  enable
#            
ad-server template auth_server_ad
 ad-server authentication 10.3.0.251 88 no-ssl
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name ad.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#        
security-policy
 rule name local_policy_ad_01
  source-zone local
  destination-zone trust 
  destination-address 10.3.0.251 32 
  action permit  
 rule name local_policy_ad_02 
  source-zone trust   
  destination-zone local  
  source-address 10.3.0.251 32  
  action permit   
 rule name policy_sec_02    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone untrust
  action permit
 rule name policy_sec_03    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone dmz
  action permit
#
auth-policy
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/4
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
 add interface GigabitEthernet0/0/4
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#            
 user-manage import-policy policy_import from ad
 server template auth_server_ad  
 server basedn dc=cce,dc=com
 server searchdn ou=marketing,dc=cce,dc=com                                     
 server searchdn ou=research,dc=cce,dc=com 
 destination-group /cce.com    
 user-attribute sAMAccountName   
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 import-type user-group     
 import-override enable    
 sync-mode incremental schedule interval 120
#
aaa
 domain cce.com
  service-type internetaccess
  internet-access mode single-sign-on
  new-user add-temporary group /cce.com auto-import policy_import

# The following configuration is used to perform a one-time operation and not stored in the configuration profile.
 execute user-manage import-policy policy_import
 test-aaa testname testpassword ad-template auth_server_ad
Parent Topic: User Authentication
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >