
Web: Example for Configuring an LDAP Server to Implement Authentication on Internet Access Users

This section provides an example for configuring a Sun ONE LDAP server to implement authentication on Internet access users when a FW works as an egress gateway.

Networking Requirements

An enterprise has deployed a FW as the egress gateway to connect the intranet to the Internet, as shown in Figure 1. Details are as follows:

  • The intranet has a Sun ONE LDAP server that stores information about users, departments, and groups (named static groups on the LDAP server).
  • Internet access users on the intranet include R&D employees and marketing employees.
Figure 1 LDAP server deployed to authenticate Internet access users

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:

  • Information about users and departments is saved on the FW and can be referenced by policies.
  • An LDAP server implements authentication on Internet access users.
  • Before accessing network resources, R&D employees and marketing employees must be authenticated by the Portal of FW.
  • If the domain accounts of new employees have been created on an LDAP server but not stored on a FW, the employees go online as temporary users in the organization structure on the server.

Configuration Roadmap

This example describes only how to configure user management and authentication.

Information about users, departments, and groups (static groups) on the LDAP server needs to be imported to the FW. Select the import type as required. For example, when a large number of users exist on the LDAP server, you can import departments and groups and implement department- and group-specific permission control.

  1. Set parameters for the FW to communicate with the LDAP server and configure the FW to work as a client of the LDAP server by sending user names and passwords to the LDAP server for authentication.
  2. Configure an authentication policy to authenticate users before they access the Internet.
  3. Configure an authentication domain on the FW. The domain name must be the same as that on the LDAP server.
  4. Configure a policy to import user information from the LDAP server to the FW.

    User groups on the FW correspond to departments on the LDAP server, and security groups on the FW correspond to static groups on the LDAP server.

  5. Configure the new user option of the authentication domain. If an authenticated user does not exist on the FW, the employees go online as temporary users in the organization structure on the server.
  6. Configure security policies on the FW to allow Internet access users to access authentication web pages to trigger user-initiated authentication and the FW to communicate with the LDAP server.

Data Planning

Item: LDAP server
Data:
  • Name: auth_server_ldap
  • Primary Authentication Server IP: 10.2.0.50
  • Port: 389
  • Server Type: Sun ONE LDAP
  • Base DN: dc=cce, dc=com
  • LDAP Port: 389
  • Administrator DN: uid=admin_test
  • Administrator Password: Admin@123
Description: On the FW, set the parameters for communication with the LDAP server. The parameter settings on the FW must be consistent with those on the LDAP server.

Item: User information import policy
Data:
  • Name: policy_import
  • Server Type: LDAP
  • Server Name: auth_server_ldap
  • Import Type: all
  • Target User Group: /cce.com
  • Incremental Synchronization: 120 minutes
  • Overwrite local user records when the current user exists
Description: Import users from the LDAP server to the FW.

Item: Authentication domain
Data:
  • Name: cce.com
  • Access Control: Online behavior management
  • Authentication Server: auth_server_ldap
  • New User Authentication Option: the employees go online as temporary users in the organization structure on the server.
Description: The cce.com authentication domain is used during authentication.

Item: Authentication policy
Data:
  • Name: policy_auth_service
  • Source Zone: Trust
  • Source Address/Region: 10.3.0.0/24
  • Action: auth
Description: R&D employees and marketing employees can access network resources only after being authenticated by the FW.

Procedure

  1. Choose Network > Interface, set IP addresses for interfaces and assign the interfaces to security zones.

    The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    Zone: trust
    IP Address: 10.3.0.1/24

  2. Choose Policy > Security Policy > Security Policy, click Add to configure security policies.
    1. Configure a security policy to allow users to access the authentication page.

      Name: policy_local_01
      Source Zone: trust
      Destination Zone: local
      Source Address: 10.3.0.0/24
      Service: Create user-defined service (TCP/8887)
      Action: Permit

    2. Configure a security policy to allow the FW to communicate with the LDAP server.

      Name: policy_local_02
      Source Zone: local
      Destination Zone: dmz
      Destination Address: 10.2.0.50/32
      Action: Permit

    3. Configure a security policy to allow users to access the Internet.

      Name: policy_sec_02
      Source Zone: trust
      Destination Zone: untrust
      Source Address: 10.3.0.0/24
      Action: Permit

      Enable the DNS service for the Trust -> Untrust interzone to allow HTTP domain name resolution packets through.

    4. Configure a security policy to allow users to access the server cluster.

      Name: policy_sec_03
      Source Zone: trust
      Destination Zone: dmz
      Source Address: 10.3.0.0/24
      Action: Permit

  3. Choose Object > Authentication Server > LDAP, click Add to set the parameters for communication with an LDAP server.

    The parameters on the FW must be consistent with those on the LDAP server.

    For V600R007C20, whether to enable SSL for LDAP authentication cannot be configured on the web UI; when you configure the LDAP server on the web UI, SSL is disabled (no-ssl) by default. To enable SSL (ssl), click CLI Console in the lower right corner of the web page. On the CLI configuration page that is displayed, run the ldap-server authentication 10.2.0.50 389 ssl command in the corresponding LDAP server template view. When SSL is enabled on the FW, it must also be enabled on the LDAP server; for details, see the operating system guide of the LDAP server. From V600R007C20SPC100, you can configure whether to enable SSL for LDAP authentication on the web UI. The following uses no-ssl as an example.

    Click Detect. In the dialog box that is displayed, click OK and enter the user name and password that are configured on the LDAP server. Click Start Checking to check the connectivity to the LDAP server.
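    The SSL note above matters because the FW authenticates as an LDAP client with a simple bind, and with no-ssl that bind travels over TCP port 389 unencrypted. The following is an added example, not part of this page or of Huawei's code: it encodes and decodes an LDAPv3 simple BindRequest in BER (RFC 4511), the way it would appear in a capture between the FW and the server, using the page's administrator password. The full bind DN uid=admin_test,dc=cce,dc=com is an assumption formed by joining the page's administrator DN and base DN. The decoder recovers the password from the raw bytes, which is the concrete reason to enable ssl on both sides and to keep the policy_local_02 rule confined to the LDAP server address.

```python
"""LDAPv3 simple BindRequest encoder/decoder in BER (added example, not Huawei code).

Shows what the FW-to-LDAP-server bind looks like on port 389 with no-ssl.
"""


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Tag-length-value triple."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; the rounding keeps the sign bit clear (128 -> 00 80)."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind_request = (
        ber_int(3)                           # LDAP version 3
        + tlv(0x04, bind_dn.encode())        # name: OCTET STRING
        + tlv(0x80, password.encode())       # authentication: simple [0] OCTET STRING
    )
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind_request))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_bind(packet: bytes):
    """Parse a captured LDAPMessage and return the bind details if it is a BindRequest.

    Returns None for any other operation. For a SASL bind (authentication choice [3],
    tag 0xA3) no password is reported because none is carried in the clear.
    """
    tag, message, _ = read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, msg_id, pos = read_tlv(message, 0)
    tag, bind, _ = read_tlv(message, pos)
    if tag != 0x60:
        return None
    _, version, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    result = {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": name.decode(),
    }
    if tag == 0x80:
        result["password"] = auth.decode()   # readable by anyone on the path with no-ssl
    else:
        result["mechanism"] = "sasl"
    return result


# Assumed bind DN (page's administrator DN joined to its base DN) and the page's password.
BIND_DN = "uid=admin_test,dc=cce,dc=com"
BIND_PASSWORD = "Admin@123"

if __name__ == "__main__":
    wire = encode_simple_bind(1, BIND_DN, BIND_PASSWORD)
    print(wire.hex())
    print(decode_bind(wire))
```

    Running the block prints the 51-byte message and the decoded dictionary; the password string is present verbatim in the hex, which is what an LDAPS (ssl) session hides.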

  4. Choose Object > User > Authentication Policy, click Add to configure authentication policies.

    Name: auth_policy_service
    Source Zone: trust
    Source Address/Region: 10.3.0.0/24
    Action: Portal authentication
    Portal Authentication Template: Disable

  5. Choose Object > User > Authentication Domain, click Add to create an authentication domain.

    The domain name must be the same as that on the LDAP server.

  6. On the FW, choose Object > User > User Import > Server Import, click Add to configure a policy to import user information from the LDAP server to the FW.

  7. Choose Object > User > cce.com, configure LDAP server authentication and click Apply.

    Click Configure on the right of Server Import Policy. A dialog box is displayed. Click Import Immediately corresponding to policy_import. After the import is complete, the user groups and users on the LDAP server are displayed in User/User Group/Security Group Management List.

  8. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user and user group objects.

Verification

  • The R&D employee uses Internet Explorer to access www.example.org and is redirected to an authentication page. The R&D employee then enters the user name and password for authentication. After being authenticated, the R&D employee can access network resources.
  • The marketing employee uses Internet Explorer to access www.example.org and is redirected to an authentication page. The marketing employee then enters the user name and password for authentication. After being authenticated, the marketing employee can access network resources.
  • The new employee uses Internet Explorer to access www.example.org and is redirected to an authentication page. The new employee then enters the user name and password for authentication. After being authenticated, the new employee can access network resources.
  • Before accessing non-HTTP servers, such as FTP servers, employees need to access the authentication page at https://10.3.0.1:8887 for authentication. The IP address of the authentication page must be that of the interface on the FW and must be reachable to users.
  • On the FW, choose Object > User > Online User to see information about online users.

Configuration Scripts

#
 sysname FW
#
ldap-server template auth_server_ldap
 ldap-server authentication 10.2.0.50 389 no-ssl
 ldap-server authentication base-dn dc=cce,dc=com
 ldap-server authentication manager uid=admin_test %$%$>884X|-geW:1_*O\(6EI+|sj%$%$ %$%$>884X|-geW:1_*O\(6EI+|sj%$%$
 ldap-server group-filter ou
 ldap-server user-filter uid
 ldap-server server-type sun-one
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
aaa
 authentication-scheme ldap
  authentication-mode ldap
 #
 domain cce.com
  authentication-scheme ldap
  ldap-server auth_server_ldap
  service-type internetaccess
  internet-access mode password
  new-user add-temporary group /cce.com auto-import policy_import
#
user-manage import-policy policy_import from ldap
 server template auth_server_ldap
 server basedn dc=cce,dc=com
 destination-group /cce.com
 user-attribute uid
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(uid=*))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 security-group-filter (&(objectclass=groupofuniquenames)(!(memberURL=*)))
 import-type all
 import-override enable
 sync-mode incremental schedule interval 120
#
auth-policy
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action auth
#
security-policy
 rule name policy_local_01
  source-zone trust
  destination-zone local
  source-address 10.3.0.0 24
  service protocol tcp destination-port 8887
  action permit
 rule name policy_local_02
  source-zone local
  destination-zone dmz
  destination-address 10.2.0.50 32
  action permit
 rule name policy_sec_02
  source-zone trust
  source-address 10.3.0.0 24
  destination-zone untrust
  action permit
 rule name policy_sec_03
  source-zone trust
  source-address 10.3.0.0 24
  destination-zone dmz
  action permit

# The following configuration is used to perform a one-time operation and is not stored in the configuration file.
 user-manage user-import demo.csv auto-create-group override
 test-aaa testname testpassword ldap-template auth_server_ldap
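The three filters in the import policy above decide what the FW turns into users, user groups and security groups, and the (!(memberURL=*)) term is what restricts security groups to static groups, because Sun ONE dynamic groups carry a memberURL. The following is an added example, not part of this page or of Huawei's code: a small evaluator for the RFC 4515 filter subset these three filters use (AND, OR, NOT, equality and presence), run over constructed directory entries under the page's base DN, so the outcome of Import Immediately can be predicted from the server's data before the import runs. The entry names and attribute values are invented for the example.

```python
"""Evaluate the import-policy LDAP filters against sample entries (added example, not Huawei code)."""

from typing import Dict, List

Entry = Dict[str, List[str]]

# Filters as they appear in the user-manage import-policy of the configuration script.
USER_FILTER = "(&(|(objectclass=person)(objectclass=organizationalPerson))(uid=*))"
GROUP_FILTER = "(|(objectclass=organizationalUnit)(ou=*))"
SECURITY_GROUP_FILTER = "(&(objectclass=groupofuniquenames)(!(memberURL=*)))"


def parse_filter(text: str):
    """Parse the RFC 4515 subset used here: &, |, !, equality and presence (attr=*).

    Returns a tree of (op, args) tuples: ("&", [...]), ("|", [...]), ("!", [node])
    or ("=", [attribute_lowercase, value]).
    """
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            result = (op, children)
        elif op == "!":
            pos += 1
            result = ("!", [node()])
        else:
            end = text.index(")", pos)       # escaped ')' inside values is not needed here
            attr, _, value = text[pos:end].partition("=")
            pos = end
            result = ("=", [attr.strip().lower(), value.strip()])
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry.

    Attribute names and values are compared case-insensitively, as the directory does
    for objectClass and uid.
    """
    op, args = tree
    if op == "&":
        return all(matches(child, entry) for child in args)
    if op == "|":
        return any(matches(child, entry) for child in args)
    if op == "!":
        return not matches(args[0], entry)
    attr, value = args
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if value == "*":                         # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


# Constructed sample entries under the page's base DN dc=cce,dc=com.
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "uid=alice,ou=rd,dc=cce,dc=com": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "uid": ["alice"], "cn": ["Alice"], "sn": ["Example"],
    },
    "ou=rd,dc=cce,dc=com": {"objectClass": ["top", "organizationalUnit"], "ou": ["rd"]},
    "cn=vpn-users,ou=groups,dc=cce,dc=com": {        # static group: becomes a security group
        "objectClass": ["top", "groupOfUniqueNames"],
        "cn": ["vpn-users"], "uniqueMember": ["uid=alice,ou=rd,dc=cce,dc=com"],
    },
    "cn=all-staff,ou=groups,dc=cce,dc=com": {        # dynamic group: memberURL excludes it
        "objectClass": ["top", "groupOfUniqueNames", "groupOfURLs"],
        "cn": ["all-staff"], "memberURL": ["ldap:///dc=cce,dc=com??sub?(objectClass=person)"],
    },
    "cn=svc-backup,ou=services,dc=cce,dc=com": {     # person without uid: no FW user is created
        "objectClass": ["top", "person"], "cn": ["svc-backup"], "sn": ["backup"],
    },
}


def classify(entries: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Return the DNs each import filter would select."""
    trees = {
        "users": parse_filter(USER_FILTER),
        "groups": parse_filter(GROUP_FILTER),
        "security_groups": parse_filter(SECURITY_GROUP_FILTER),
    }
    return {name: [dn for dn, entry in entries.items() if matches(tree, entry)]
            for name, tree in trees.items()}


if __name__ == "__main__":
    for kind, dns in classify(SAMPLE_ENTRIES).items():
        print(f"{kind}: {dns}")
```

The service account without a uid is left out because the import policy's user-attribute is uid, and the dynamic group drops out even though it is also a groupOfUniqueNames; both are worth checking on the real server when the imported list looks incomplete.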
Copyright © Huawei Technologies Co., Ltd.