
CLI: Example for Configuring an LDAP Server to Implement Authentication on Internet Access Users

This section provides an example for configuring a Sun ONE LDAP server to implement authentication on Internet access users when a FW works as an egress gateway.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1. Details are as follows:

  • The intranet has a Sun ONE LDAP server that stores information about users, departments, and groups (named static groups on the LDAP server).
  • Internet access users on the intranet include R&D employees and marketing employees.
Figure 1 LDAP server deployed to authenticate Internet access users

The user management and authentication mechanisms of the FW must map intranet IP addresses to users so that behavior control and permission assignment can be applied per user rather than per address. Requirements are as follows:

  • Information about users and departments is saved on the FW and can be referenced by policies.
  • An LDAP server implements authentication on Internet access users.
  • Before accessing network resources, R&D employees and marketing employees must be authenticated by the Portal of FW.
  • If a new employee's domain account has been created on the LDAP server but has not yet been imported to the FW, the employee goes online as a temporary user placed according to the organization structure on the server.

Configuration Roadmap

This example describes only how to configure user management and authentication.

Information about users, departments, and groups (static groups) on the LDAP server needs to be imported to the FW. Select the import type as required. For example, when a large number of users exist on the LDAP server, you can import departments and groups and implement department- and group-specific permission control.

  1. Set the parameters for the FW to communicate with the LDAP server, so that the FW acts as an LDAP client that forwards user names and passwords to the LDAP server for authentication.
  2. Configure an authentication scheme and set the authentication mode to LDAP.
  3. Configure an authentication domain on the FW. The domain name must be the same as that on the LDAP server.
  4. Configure a policy to import user information from the LDAP server to the FW.

    User groups on the FW correspond to departments on the LDAP server, and security groups on the FW correspond to static groups on the LDAP server.

  5. Configure the new user option of the authentication domain. If an authenticated user does not exist on the FW, the user goes online as a temporary user in the organization structure on the server.
  6. Configure an authentication policy to authenticate users before they access the Internet.
  7. Configure security policies on the FW to allow Internet access users to access authentication web pages to trigger user-initiated authentication and the FW to communicate with the LDAP server.

Data Planning

Item: LDAP server

  Data:
    • Name: auth_server_ldap
    • Primary Authentication Server IP: 10.2.0.50
    • Port: 389
    • Server Type: Sun ONE LDAP
    • Base DN: dc=cce, dc=com
    • Administrator DN: uid=admin_test
    • Administrator Password: Admin@123

  Description: On the FW, set the parameters for communication with the LDAP server. The parameter settings on the FW must be consistent with those on the LDAP server.

Item: User information import policy

  Data:
    • Name: policy_import
    • Server Type: LDAP
    • Server Name: auth_server_ldap
    • Import Type: all
    • Target User Group: /cce.com
    • Incremental Synchronization: 120 minutes
    • Overwrite local user records when the user already exists

  Description: Import users from the LDAP server to the FW.

Item: Authentication domain

  Data:
    • Name: cce.com
    • Authentication Scheme: ldap
    • Access Control: Online behavior management
    • Authentication Server: auth_server_ldap
    • New User Option: A user goes online as a temporary user in the organization structure on the server.

  Description: The cce.com authentication domain is used during authentication.

Item: Authentication policy

  Data:
    • Name: auth_policy_service
    • Source Zone: Trust
    • Source Address/Region: 10.3.0.0/24
    • Action: auth

  Description: R&D and marketing employees can access network resources only after being authenticated by the FW.

Procedure

  1. Set interface IP addresses and assign interfaces to security zones on the FW. The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet0/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit

  2. Configure security policies.
    1. Configure a security policy to allow users to access the authentication page.

      [FW] security-policy
      [FW-policy-security] rule name policy_local_01
      [FW-policy-security-rule-policy_local_01] source-zone trust
      [FW-policy-security-rule-policy_local_01] destination-zone local
      [FW-policy-security-rule-policy_local_01] source-address 10.3.0.0 24 
      [FW-policy-security-rule-policy_local_01] service protocol tcp destination-port 8887
      [FW-policy-security-rule-policy_local_01] action permit
      [FW-policy-security-rule-policy_local_01] quit

    2. Configure a security policy to allow the FW to communicate with the LDAP server.

      [FW-policy-security] rule name policy_local_02
      [FW-policy-security-rule-policy_local_02] source-zone local
      [FW-policy-security-rule-policy_local_02] destination-zone dmz
      [FW-policy-security-rule-policy_local_02] destination-address 10.2.0.50 32
      [FW-policy-security-rule-policy_local_02] action permit
      [FW-policy-security-rule-policy_local_02] quit

    3. Configure a security policy to allow users to access the Internet.

      [FW-policy-security] rule name policy_sec_02
      [FW-policy-security-rule-policy_sec_02] source-zone trust
      [FW-policy-security-rule-policy_sec_02] source-address 10.3.0.0 24
      [FW-policy-security-rule-policy_sec_02] destination-zone untrust
      [FW-policy-security-rule-policy_sec_02] action permit
      [FW-policy-security-rule-policy_sec_02] quit

      This rule permits all services, which includes DNS. If you later narrow it to specific services, keep DNS permitted from Trust to Untrust: the browser must resolve the destination name before it sends the HTTP request that the FW redirects to the authentication page.

    4. Configure a security policy to allow users to access the server cluster.

      [FW-policy-security] rule name policy_sec_03
      [FW-policy-security-rule-policy_sec_03] source-zone trust
      [FW-policy-security-rule-policy_sec_03] source-address 10.3.0.0 24
      [FW-policy-security-rule-policy_sec_03] destination-zone dmz
      [FW-policy-security-rule-policy_sec_03] action permit
      [FW-policy-security-rule-policy_sec_03] quit
      [FW-policy-security] quit

  3. Set the parameters for communication with an LDAP server.

    [FW] ldap-server template auth_server_ldap 
    [FW-ldap-auth_server_ldap] ldap-server authentication 10.2.0.50 389 no-ssl
    [FW-ldap-auth_server_ldap] ldap-server authentication base-dn dc=cce,dc=com
    [FW-ldap-auth_server_ldap] ldap-server authentication manager uid=admin_test Admin@123
    [FW-ldap-auth_server_ldap] ldap-server group-filter ou
    [FW-ldap-auth_server_ldap] ldap-server user-filter uid
    [FW-ldap-auth_server_ldap] ldap-server server-type sun-one
    [FW-ldap-auth_server_ldap] test-aaa testname testpassword ldap-template auth_server_ldap
    [FW-ldap-auth_server_ldap] quit

    The parameter settings on the FW must be consistent with those on the LDAP server. Note that no-ssl selects a plain (non-TLS) LDAP session on port 389, so the manager password configured here and every user password forwarded during authentication cross the network in cleartext; the path between the FW and 10.2.0.50 must therefore be a trusted segment, and the manager account should have read-only rights to the directory.

  4. Configure an authentication scheme.

    [FW] aaa
    [FW-aaa] authentication-scheme ldap
    [FW-aaa-authen-ldap] authentication-mode ldap
    [FW-aaa-authen-ldap] quit

  5. Create an authentication domain.

    [FW-aaa] domain cce.com
    [FW-aaa-domain-cce.com] authentication-scheme ldap
    [FW-aaa-domain-cce.com] ldap-server auth_server_ldap
    [FW-aaa-domain-cce.com] service-type internetaccess
    [FW-aaa-domain-cce.com] quit
    [FW-aaa] quit

    The domain name must be the same as that on the LDAP server.

  6. Configure a policy to import user information from the LDAP server to the FW.

    [FW] user-manage import-policy policy_import from ldap 
    [FW-import-policy_import] server template auth_server_ldap
    [FW-import-policy_import] server basedn dc=cce,dc=com
    [FW-import-policy_import] destination-group /cce.com
    [FW-import-policy_import] user-attribute uid
    [FW-import-policy_import] import-type all         
    [FW-import-policy_import] import-override enable 
    [FW-import-policy_import] sync-mode incremental schedule interval 120
    [FW-import-policy_import] quit

  7. Execute the import policy to import users to the FW.

    [FW] execute user-manage import-policy policy_import

  8. Set the new user option for the authentication domain on the FW.

    [FW] aaa
    [FW-aaa] domain cce.com
    [FW-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import policy_import
    [FW-aaa-domain-cce.com] quit
    [FW-aaa] quit

  9. Configure an authentication policy.

    [FW] auth-policy
    [FW-policy-auth] rule name auth_policy_service
    [FW-policy-auth-rule-auth_policy_service] source-zone trust
    [FW-policy-auth-rule-auth_policy_service] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_service] action auth
    [FW-policy-auth-rule-auth_policy_service] quit

  10. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.
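    The import policy (step 6) and the authentication domain (steps 5 and 8) decide which directory entries become users, user groups and security groups on the FW, and what happens when a name that is not yet imported authenticates. The following Python script is an added example, not Huawei code: it takes the three filters that the configuration script shows for policy_import (user-filter, group-filter and security-group-filter), evaluates them against a small constructed Sun ONE-style directory under dc=cce,dc=com, maps a user DN to the /cce.com/<department> group path that display user-manage online-user reports, and walks the search-then-bind sequence the FW performs with ldap-server user-filter uid. The directory entries, user names and passwords are constructed for the demo; the escaping in search_filter is added to show why a login name must never be spliced into an LDAP filter unescaped.

```python
"""Added example, not Huawei code: applies the import-policy filters from this
page's configuration script to a constructed Sun ONE-style directory, maps
user DNs to FW group paths, and walks the FW's search-then-bind login."""
import re

BASE_DN = "dc=cce,dc=com"
USER_FILTER = "(&(|(objectclass=person)(objectclass=organizationalPerson))(uid=*))"
GROUP_FILTER = "(|(objectclass=organizationalUnit)(ou=*))"
SECURITY_GROUP_FILTER = "(&(objectclass=groupofuniquenames)(!(memberURL=*)))"

# Constructed directory (attribute names lower-cased). cn=vpn_users is a static
# group the FW imports as a security group; cn=all_staff carries memberURL, so
# the (!(memberURL=*)) term must leave it out.
PERSON = ["top", "person", "organizationalPerson", "inetOrgPerson"]
DIRECTORY = {
    "dc=cce,dc=com": {"objectclass": ["top", "domain"], "dc": ["cce"]},
    "ou=research,dc=cce,dc=com": {"objectclass": ["top", "organizationalUnit"], "ou": ["research"]},
    "ou=marketing,dc=cce,dc=com": {"objectclass": ["top", "organizationalUnit"], "ou": ["marketing"]},
    "uid=user_0002,ou=research,dc=cce,dc=com": {
        "objectclass": PERSON, "uid": ["user_0002"], "userpassword": ["Pass@0002"]},
    "uid=user_0101,ou=marketing,dc=cce,dc=com": {
        "objectclass": PERSON, "uid": ["user_0101"], "userpassword": ["Pass@0101"]},
    "cn=vpn_users,dc=cce,dc=com": {"objectclass": ["top", "groupOfUniqueNames"],
                                   "uniquemember": ["uid=user_0002,ou=research,dc=cce,dc=com"]},
    "cn=all_staff,dc=cce,dc=com": {"objectclass": ["top", "groupOfUniqueNames", "groupOfURLs"],
                                   "memberurl": ["ldap:///dc=cce,dc=com??sub?(objectclass=person)"]},
}

def parse_filter(text):
    """Parse the RFC 4515 subset these filters use: &, |, !, equality, presence."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("filter item must start with '('")
        op = text[i + 1]
        if op in "&|!":
            i, children = i + 2, []
            while text[i] != ")":
                node, i = parse(i)
                children.append(node)
            return (op, children), i + 1
        end = text.index(")", i)
        attr, value = text[i + 1:end].split("=", 1)
        if value == "*":
            return ("present", attr.lower()), end + 1
        value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value, flags=re.I)
        return ("=", attr.lower(), value), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(entry, node):
    """Evaluate a parsed filter against one entry; comparisons ignore case."""
    op = node[0]
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    if op == "present":
        return bool(entry.get(node[1]))
    return node[2].lower() in (v.lower() for v in entry.get(node[1], []))

def classify(directory):
    """Bucket entries as import-type all does: users, user groups, security groups."""
    out = {"users": [], "groups": [], "security_groups": []}
    for dn, entry in directory.items():
        for key, flt in (("users", USER_FILTER), ("groups", GROUP_FILTER),
                         ("security_groups", SECURITY_GROUP_FILTER)):
            if matches(entry, parse_filter(flt)):
                out[key].append(dn)
                break
    return out

def fw_group_path(dn, base_dn=BASE_DN, destination="/cce.com"):
    """uid=user_0002,ou=research,dc=cce,dc=com -> /cce.com/research, the
    Parent User Group that display user-manage online-user shows."""
    rdns = [r.strip() for r in dn.split(",")]
    parents = rdns[1:len(rdns) - len(base_dn.split(","))]
    ous = [r.split("=", 1)[1] for r in parents if r.lower().startswith("ou=")]
    return destination + "".join("/" + ou for ou in reversed(ous))

def search_filter(username):
    """Per-login search the FW issues under the base DN (user-filter uid).
    RFC 4515 escaping stops a typed name from rewriting the filter: a bare
    '*' would otherwise become the presence filter (uid=*) and match everyone."""
    esc = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in username)
    return "(uid=%s)" % esc

def authenticate(directory, username, password, local_users):
    """Search-then-bind. Returns (ok, fw_group, is_temporary); is_temporary is
    True when the account exists on the server but was never imported to the
    FW, the case that new-user add-temporary covers."""
    hits = [dn for dn, e in directory.items() if matches(e, parse_filter(search_filter(username)))]
    if len(hits) != 1:                      # unknown or ambiguous name: refuse
        return False, None, False
    dn = hits[0]
    # Simple bind as the found DN: the directory verifies the password, so the
    # FW never holds the stored credential.
    if password not in directory[dn].get("userpassword", []):
        return False, None, False
    return True, fw_group_path(dn), dn not in local_users

if __name__ == "__main__":
    print(classify(DIRECTORY))
    print(authenticate(DIRECTORY, "user_0101", "Pass@0101", set()))   # temporary user
```

    Running the script shows the two ou entries becoming user groups, cn=vpn_users becoming the only security group, and user_0101 authenticating as a temporary user under /cce.com/marketing because its DN was never imported. Against a real directory the same checks are done with ldapsearch using the manager DN and the three filters, which is a quick way to confirm the base DN and filters before running execute user-manage import-policy.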

Verification

  • Run the display user-manage user and display user-manage group commands on the FW to display information about users and user groups.
  • An R&D employee, a marketing employee, and a new employee whose account exists only on the LDAP server each use a browser to access www.example.org and are redirected to the authentication page. After entering a user name and password and being authenticated, each can access network resources; the new employee is placed as a temporary user according to the organization structure on the server.
  • Before accessing non-HTTP servers, such as FTP servers, employees must first open the authentication page at https://10.3.0.1:8887. The IP address of the authentication page must be that of an FW interface and must be reachable by the users.
  • Run the display user-manage online-user command on the FW to display information about online users.
    <FW> display user-manage online-user verbose            
    Current Total Number: 1                                                        
    --------------------------------------------------------------------------------
     IP Address: 10.3.0.2                                                        
     Login Time: 2015-01-30 17:24:16  Online Time: 00:01:58                         
     State: Active  TTL: 00:30:00  Left Time: 00:30:00                              
     Access Type: local                                                             
     Authentication Mode: Password (LDAP)                                         
     Access Device Type: unknown
     <--packets: 0 bytes: 0  -->packets: 0 bytes: 0                                 
     Build ID: 0
     User Name: user_0002@cce.com  Parent User Group: /cce.com/research                        
    --------------------------------------------------------------------------------

Configuration Scripts

#
 sysname FW
#         
ldap-server template auth_server_ldap 
 ldap-server authentication 10.2.0.50 389 no-ssl            
 ldap-server authentication base-dn dc=cce,dc=com          
 ldap-server authentication manager uid=admin_test %$%$>884X|-geW:1_*O\(6EI+|sj%$%$
 ldap-server group-filter ou 
 ldap-server user-filter uid 
 ldap-server server-type sun-one
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
aaa 
 authentication-scheme ldap
  authentication-mode ldap
 #
 domain cce.com
  authentication-scheme ldap
  ldap-server auth_server_ldap
  service-type internetaccess 
  new-user add-temporary group /cce.com auto-import policy_import
#
user-manage import-policy policy_import from ldap
 server template auth_server_ldap  
 server basedn dc=cce,dc=com     
 destination-group /cce.com
 user-attribute uid
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(uid=*))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 security-group-filter (&(objectclass=groupofuniquenames)(!(memberURL=*)))
 import-type all
 import-override enable
 sync-mode incremental schedule interval 120 
#
auth-policy
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action auth
#         
security-policy                
 rule name policy_local_01       
  source-zone trust          
  destination-zone local     
  source-address 10.3.0.0 24
  service protocol tcp destination-port 8887
  action permit              
 rule name policy_local_02       
  source-zone local          
  destination-zone dmz    
  destination-address 10.2.0.50 32 
  action permit
 rule name policy_sec_02       
  source-zone trust
  source-address 10.3.0.0 24
  destination-zone untrust    
  action permit
 rule name policy_sec_03       
  source-zone trust
  source-address 10.3.0.0 24
  destination-zone dmz    
  action permit

# The following commands perform one-time operations and are not stored in the configuration file.
 execute user-manage import-policy policy_import
 test-aaa testname testpassword ldap-template auth_server_ldap
Copyright © Huawei Technologies Co., Ltd.