< Home

CLI: Example for Configuring RADIUS SSO for Internet Access Users

This section provides an example for configuring RADIUS Single Sign On (SSO) for Internet access users when a FW works as an egress gateway.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1.

  • Internet access users use the NAS to access the Internet.
  • The NAS sends user credentials to the RADIUS server for user authentication. The RADIUS server stores user and user group information.
  • Internet access users include R&D employees and marketing employees.
Figure 1 RADIUS SSO for Internet access users

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:

  • Information about users and departments is saved on the FW and can be referenced by policies.
  • After passing the authentication by entering correct RADIUS accounts and passwords, R&D employees and marketing employees can access network resources. R&D employees and marketing employees are identified by the user names they use for RADIUS authentication.
  • If the RADIUS accounts of new employees have been created on a RADIUS server but not stored on a FW, the FW considers them as temporary users and assigns them permissions of the specified group.

Configuration Roadmap

This example describes only how to configure user management and authentication.

  1. Export user information on a RADIUS server into a CSV file in the specified format and import the CSV file into a FW to create users and user groups in a batch.
  2. Set RADIUS SSO parameters on the FW.
  3. Set a new user authentication item for the default authentication domain. After a new user is authenticated, the user adopts the permission of the newuser group to access network resources.
  4. To prevent users from frequently log in to and log off from the FW, you are advised to set users' online duration to a larger value than the update interval of RADIUS accounting packets on the FW. In the example, the online duration is set to 480 minutes.
  5. On the FW, configure an authentication policy for users' service traffic and set the action to authentication exemption.
  6. Because the FW is deployed between the NAS and RADIUS server, authentication packets pass through the FW. Therefore, to implement SSO, configure an authentication policy to disable the FW from authenticating the authentication requests destined for the RADIUS server and configure security policies to ensure normal communication between the FW and RADIUS server.

Data Planning

Item

Data

Description

Parent group of new users

  • Name: newuser

  • Parent Group: /default

As a temporary user, and use permission of this group newuser.

RADIUS SSO

  • RADIUS SSO: Enable

  • Working mode: In-line
  • Receiving Interface: GigabitEthernet 0/0/3
  • Traffic to be analyzed by RADIUS SSO: 10.2.0.50:1813 (IP address of the RADIUS server: accounting port)

Set SSO parameters on the FW for the FW to analyze the RADIUS accounting packets passing by to obtain user-IP address mappings.

Procedure

  1. Set IP addresses for interfaces and assign the interfaces to security zones. The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    <FW> system-view
[FW] interface GigabitEthernet 0/0/3
[FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
[FW-GigabitEthernet0/0/3] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/3
[FW-zone-trust] quit

  2. Configure security policies.
    1. Configure a security policy between the Trust zone (users and NAS device) and DMZ (RADIUS server) for users to get authenticated by the RADIUS server.

      [FW] security-policy
[FW-policy-security] rule name policy_sec_radius
[FW-policy-security-rule-policy_sec_radius] source-zone trust
[FW-policy-security-rule-policy_sec_radius] destination-zone dmz
[FW-policy-security-rule-policy_sec_radius] destination-address 10.2.0.0 24
[FW-policy-security-rule-policy_sec_radius] action permit
[FW-policy-security-rule-policy_sec_radius] quit

    2. Configure a security policy to allow users to access the Internet.

      [FW-policy-security] rule name policy_sec_02
[FW-policy-security-rule-policy_sec_02] source-zone trust
[FW-policy-security-rule-policy_sec_02] source-address 10.3.0.0 24
[FW-policy-security-rule-policy_sec_02] destination-zone untrust
[FW-policy-security-rule-policy_sec_02] action permit
[FW-policy-security-rule-policy_sec_02] quit
[FW-policy-security] quit

  3. Import users and user groups from a CSV file on the FW.
    1. Choose Object > User > User Import > Local Import.
    2. In User Import, click CSV Template Download and download the CSV template to your PC.
    3. Write user information on the RADIUS server into a CSV file according to the template.

      Read the instructions on the CSV template and fill in user information. The following figure shows a complete CSV file.

    4. Upload the CSV file to FW using SFTP.
    5. Import the CSV file.

      [FW] user-manage user-import demo.csv auto-create-group override

  4. Create a parent group for new users on the FW.

    [FW] user-manage group /default/newuser
[FW-usergroup-/default/newuser] quit

  5. Set RADIUS SSO parameters on the FW.

    [FW] user-manage single-sign-on radius
[FW-sso-radius] mode in-path
[FW-sso-radius] interface GigabitEthernet 0/0/3
[FW-sso-radius] traffic server-ip 10.2.0.50 port 1813
[FW-sso-radius] enable
[FW-sso-radius] quit

  6. Set the new user option for the default authentication domain on the FW.

    [FW] aaa
[FW-aaa] domain default
[FW-aaa-domain-default] service-type internetaccess
[FW-aaa-domain-default] new-user add-temporary group /default/newuser
[FW-aaa-domain-default] quit
[FW-aaa] quit

  7. Set the online user timeout duration to 480 minutes.

    [FW] user-manage online-user aging-time 480

  8. Configure the action in the authentication policy for users to access the RADIUS server as no-authentication so that the users' authentication packets can go through the FW to the RADIUS server. Configure the action in the authentication policy for users' service traffic to authentication exemption so that the FW can obtain user information through SSO.

    [FW] auth-policy
[FW-policy-auth] rule name auth_policy_radius
[FW-policy-auth-rule-auth_policy_radius] source-zone trust
[FW-policy-auth-rule-auth_policy_radius] destination-zone dmz
[FW-policy-auth-rule-auth_policy_radius] destination-address 10.2.0.50 32
[FW-policy-auth-rule-auth_policy_radius] action none 
[FW-policy-auth-rule-auth_policy_radius] quit
[FW-policy-auth] rule name auth_policy_service
[FW-policy-auth-rule-auth_policy_service] source-zone trust
[FW-policy-auth-rule-auth_policy_service] source-address 10.3.0.0 24
[FW-policy-auth-rule-auth_policy_service] action exempt-auth
[FW-policy-auth-rule-auth_policy_service] quit

    If the action of the authentication policy is set to authentication exemption, the FW obtains user information through SSO and permits the traffic when user information fails to be obtained during SSO authentication. If the network has high security requirements, set the action of the authentication policy to portal authentication. Then the FW will implement portal authentication on the users failing the SSO authentication.

  9. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.

Verification

  • Run the display user-manage user and display user-manage group commands on the FW to display information about users and user groups.
  • R&D employees can access network resources after successful logins to the NAS using RADIUS accounts and passwords.
  • Marketing employees can access network resources after successful logins to the NAS using RADIUS accounts and passwords.
  • Run the display user-manage online-user command on the FW to display information about online users.
    <FW> display user-manage online-user verbose            
 Current Total Number: 1                                                        
--------------------------------------------------------------------------------                                      
 IP Address: 10.3.0.2                                                        
 Login Time: 2015-01-21 14:58:36  Online Time: 00:00:49                         
 State: Active  TTL: 00:30:00  Left Time: 00:29:59                              
 Access Type: local                                                             
 Authentication Mode: Single Sign-on                                          
 Access Device Type: unknown
 <--packets: 0 bytes: 0  -->packets: 0 bytes: 0                                 
 Build ID: 0
 User Name: user_0002 Parent User Group: /default/research 
--------------------------------------------------------------------------------

Configuration Scripts

#
 sysname FW
# 
 user-manage online-user aging-time 480
 user-manage single-sign-on radius
  enable
  mode in-path 
  interface GigabitEthernet0/0/3
  traffic server-ip 10.2.0.50 port 1813
# 
security-policy
 rule name sec_policy_radius
  source-zone trust 
  destination-zone dmz
  destination-address 10.2.0.0 24
  action permit
 rule name policy_sec_02    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone untrust
  action permit 
#
auth-policy
 rule name auth_policy_radius
  source-zone trust
  destination-zone dmz 
  destination-address 10.2.0.50 32
  action none 
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
# 
aaa
 domain default   
  service-type internetaccess
  new-user add-temporary group /default/newuser

# The following configuration is used to perform a one-time operation and not stored in the configuration profile.
 user-manage user-import demo.csv auto-create-group override
 user-manage group /default/newuser
Parent Topic: User Authentication
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >