CLI: Example for Configuring AD SSO for Internet Access Users (Multiple AD Servers + ADSSO_Setup.exe)

This section provides an example for configuring AD Single Sign On (SSO) for Internet access users when a FW works as an egress gateway. In this example, the ADSSO_Setup.exe must be installed on the AD monitor (any computer in the AD domain, including the AD domain controller) and the login and logout scripts need to be set on the AD domain controller and delivered to PCs.

Networking Requirements

As shown in Figure 1, an enterprise has deployed the FW as the egress gateway at the network border to connect the intranet and Internet. Details are as follows:

Multiple AD servers are deployed for identity authentication in a domain of the intranet (in this example, three Figure 1s are deployed). These AD servers have established synchronization relationships.
Internet access users on the intranet include R&D employees and marketing employees.

Figure 1 Networking diagram for configuring AD SSO for Internet access users (multiple AD servers + ADSSO_Setup.exe)

The user management and authentication mechanisms of the FW must identify IP addresses on the intranet as users to implement user-specific behavior control and permission assignment. Requirements are as follows:

Information about users and departments is saved on the FW and can be referenced by policies.
R&D employees and marketing employees use domain accounts to log in to AD domains and access network resources. R&D employees and marketing employees are identified by the user names they use to log in to AD domains.
If the domain accounts of new employees have been created on an AD server but not stored on a FW, after being authenticated, these users go online as temporary users in the organization structure on the AD server.

ADSSO_Setup.exe has two working mode: the mode of receiving messages from PCs and the mode of querying security logs of the AD server. In the mode of querying security logs of the AD server, only user login messages can be obtained, but user logout messages cannot be obtained. In the mode of receiving messages from PCs, user logout messages can be obtained, ADSSO_Setup.exe needs to be installed, and login & logout scripts need to be deployed on the AD domain controller, and the login PCs can only be Windows systems. Set the working mode of ADSSO_Setup.exe as required.

Configuration Roadmap

This example describes only how to configure user management and authentication.
When AD SSO is enabled, install the AD SSO service program (ADSSO_Setup.exe) on the AD monitor (any computer in the AD domain, including the AD domain controller). The program can obtain the relevant user information upon user login and logout and send the information to the FW. In this example, ADSSO_Setup.exe is installed on the AD domain controller.
In the example, both users and user groups on the AD server are imported to the FW. If there are a large number of users on a live network, you can import only user groups and control user permissions by user groups.

On the FW, set IP addresses for interfaces and assign the interfaces to security zones.
Configure security policies on the FW.
Configure the AD server on theFW, and ensure normal communication between the FW and AD server.
Configure an authentication domain on the FW and set the name of the authentication domain to the domain name on the AD server.
Configure a server import policy on the FW to import the user and user group information in the AD server to the FW.
Configure the new user option of the authentication domain. If an authenticated user does not exist on the FW, the user goes online as a temporary user in the organization structure on the AD server.
Configure an authentication policy on the FW and set the action to authentication-free.
Configure AD SSO parameters on the FW to receive user login and logout messages from the AD monitor.
Prolong users' online durations (480 minutes in this example) accordingly on the FW to prevent the FW from deleting users' online monitoring entries before they log out.
Enable the AD SSO service (by installing ADSSO_Setup.exe) on the AD monitor, configure the login and logout scripts on the AD domain controller, and deliver the scripts using group policies.

Data Planning

Item	Data	Description
AD server	Name: auth_server_ad Primary Authentication Server IP: 10.3.0.251 Port: 88 Primary Server Host Name: ad.cce.com Base DN/Port DN: dc=cce, dc=com LDAP Port: 389 Administrator DN: cn=administrator,cn=users Administrator Password: Admin@123	On a FW, set the parameters for communication with an AD server. The parameter settings on the FW must be consistent with those on the AD server. NOTE: Configure any of the AD servers that have established synchronization relationships. In this example, the AD server with IP address 10.3.0.251 is used as an example.
User information import policy	Name: policy_import Server Type: AD Server Name: auth_server_ad Import Type: Import both users and user groups Target User Group: /cce.com Incremental Synchronization: 120 minutes Overwrite local user records when the current user exists	Import users from the AD server to the FW.
AD SSO (FW)	AD SSO: Enable Mode: Installing AD SSO program Shared Key: Admin@234	Set SSO parameters on the FW and configure the FW to receive the user login and logout information from the AD monitor.
AD SSO service (ADSSO_Setup.exe program, installed on the AD monitor)	AD Server Parameter AD server address: IP address of each AD server Administrator Account: cce.com\administrator Password: Admin@123	Set the parameters of the AD server on the AD monitor for the AD monitor to connect to the AD server for checking user information after receiving user login/logout messages from the client computer.
	FW Gateway Parameter Gateway Address: 10.3.0.1 Gateway Listening Port of the AD SSO service: 8000 Gateway Shared Key: Admin@234	Enable the AD SSO service on the AD monitor, configure the AD monitor to listen to information about user login and logout, and send the information to the FW. The parameters must be the same as those on the FW.
	Client Communication Parameter Service Listening Port of the AD SSO service: 12345 Client Shared Key: Admin@123 Anti-Replay Time Window: 0s	The service listening port is an open port of the AD monitor and is used to receive user login/logout information from client computers. The client shared key is the shared key for encrypting the communication packets between the client computer and AD monitor and must be the same as the key configured on the AD domain controller when login/logout scripts are configured. The anti-replay time is the time that the AD monitor used to check unauthorized client login. If the interval between the last client login recorded on the AD domain controller and the last login that the AD monitor receives from the client exceeds the anti-replay time, the AD monitor considers the client login unauthorized and does not send the client login/logout information to the FW.
AD domain controller (the login and logout scripts)	IP Address: 10.3.0.254 Listening Port: 12345 Client Shared Key: Admin@123	Run the login and logout scripts on an AD domain controller. If a group policy is used to control the user login and logout, run the login and logout scripts respectively and send the login and logout information to the AD SSO service. The parameters must be the same as those on the ADSSO_Setup.exe.

Procedure

Configure IP addresses for interfaces and assign the interfaces to security zones. The following example describes how to configure GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

<FW> system-view
[FW] interface GigabitEthernet 0/0/3
[FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
[FW-GigabitEthernet0/0/3] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/3
[FW-zone-trust] quit

Configure security policies.

# Configure an interzone policy from the Trust zone where the AD server resides to the Local zone where the AD monitor resides so that the FW can properly communicate with the AD server and AD monitor.

[FW] security-policy
[FW-policy-security] rule name local_policy_ad_01
[FW-policy-security-rule-local_policy_ad_01] source-zone local
[FW-policy-security-rule-local_policy_ad_01] destination-zone trust
[FW-policy-security-rule-local_policy_ad_01] destination-address 10.3.0.0 24
[FW-policy-security-rule-local_policy_ad_01] action permit
[FW-policy-security-rule-local_policy_ad_01] quit
[FW-policy-security] rule name local_policy_ad_02
[FW-policy-security-rule-local_policy_ad_02] source-zone trust
[FW-policy-security-rule-local_policy_ad_02] destination-zone local
[FW-policy-security-rule-local_policy_ad_02] source-address 10.3.0.0 24
[FW-policy-security-rule-local_policy_ad_02] action permit
[FW-policy-security-rule-local_policy_ad_02] quit

Configure a security policy to allow users to access the server cluster.

[FW-policy-security] rule name policy_sec_03
[FW-policy-security-rule-policy_sec_03] source-zone trust
[FW-policy-security-rule-policy_sec_03] source-address 10.3.0.0 24
[FW-policy-security-rule-policy_sec_03] destination-zone dmz
[FW-policy-security-rule-policy_sec_03] action permit
[FW-policy-security-rule-policy_sec_03] quit
[FW-policy-security] quit

Set AD server parameters on the FW.

The parameters set here must be consistent with those set on the AD server.

[FW] ad-server template auth_server_ad             
[FW-ad-auth_server_ad] ad-server authentication 10.3.0.251 88 no-ssl       
[FW-ad-auth_server_ad] ad-server authentication base-dn dc=cce,dc=com
[FW-ad-auth_server_ad] ad-server authentication manager cn=administrator,cn=users Admin@123
[FW-ad-auth_server_ad] ad-server authentication host-name ad.cce.com
[FW-ad-auth_server_ad] ad-server authentication ldap-port 389      
[FW-ad-auth_server_ad] ad-server user-filter sAMAccountName         
[FW-ad-auth_server_ad] ad-server group-filter ou

If you are unfamiliar with the AD server and cannot provide the server name or Base DN, use the AD Explorer software to connect to the AD server to query the attribute values. The AD server attributes and mappings between the server attributes and parameters on the FW are as follows.

Use an existing AD server account and password to test the connectivity.

[FW-ad-auth_server_ad] test-aaa testname testpassword ad-template auth_server_ad
[FW-ad-auth_server_ad] quit

Configure an authentication domain on the FW.

[FW] aaa
[FW-aaa] domain cce.com
[FW-aaa-domain-cce.com] service-type internetaccess
[FW-aaa-domain-cce.com] quit
[FW-aaa] quit

Configure a server import policy on the FW.

[FW] user-manage import-policy policy_import from ad 
[FW-import-policy_import] server template auth_server_ad
[FW-import-policy_import] server basedn dc=cce,dc=com
[FW-import-policy_import] server searchdn ou=marketing,dc=cce,dc=com
[FW-import-policy_import] server searchdn ou=research,dc=cce,dc=com
[FW-import-policy_import] destination-group /cce.com
[FW-import-policy_import] import-type user-group         
[FW-import-policy_import] import-override enable 
[FW-import-policy_import] sync-mode incremental schedule interval 120
[FW-import-policy_import] quit

In this example, users and user groups are imported to the FW. The user and user group filtering conditions in this example use the default values (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer))) and (|(objectclass=organizationalUnit)(ou=*)). To change them, run the user-filter and group-filter commands.

Apply the import policy to import users/user groups to the FW.
```
[FW] execute user-manage import-policy policy_import
```

# On the FW, configure the new user option of the authentication domain.

[FW] aaa
[FW-aaa] domain cce.com
[FW-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import policy_import
[FW-aaa-domain-cce.com] quit
[FW-aaa] quit

Configure an authentication policy.
```
[FW] auth-policy
[FW-policy-auth] rule name auth_policy_service
[FW-policy-auth-rule-auth_policy_service] source-zone trust
[FW-policy-auth-rule-auth_policy_service] source-address 10.3.0.0 24
[FW-policy-auth-rule-auth_policy_service] action exempt-auth
[FW-policy-auth-rule-auth_policy_service] quit
[FW-policy-auth] quit
```
If the action of the authentication policy is set to authentication exemption, the FW obtains user information through SSO and permits the traffic when user information fails to be obtained during SSO authentication. If the network has high security requirements, set the action of the authentication policy to portal authentication. Then the FW will implement portal authentication on the users failing the SSO authentication.

If the packets exchanged between the user and the AD server, between the user and the AD monitor, and between the AD monitor and the AD server pass through the FW, ensure that the authentication policy on the FW does not authenticate these packets and the security policy allows them through. You can run the display auth-policy command to check the authentication policy.

Configure AD SSO parameters on the FW.

[FW] user-manage single-sign-on ad
[FW-sso-ad] plug-in enhanced shared-key Admin@234
[FW-sso-ad] mode plug-in
[FW-sso-ad] enable
[FW-sso-ad] quit

Set the online user timeout duration to 480 minutes.
```
[FW] user-manage online-user aging-time 480
```
Visit Huawei technical support website, download the AD SSO program to your PC, decompress the program package, and copy ADSSO_Setup.exe to the AD monitor.
Enable the AD SSO service on the AD monitor.

When the ADs in a domain establish synchronization relationships, only one SSO service program (ADSSO_Setup.exe) needs to be deployed.

In this example, ADSSO_Setup.exe is deployed on the AD server with IP address 10.3.0.254.

You must use an account that belongs to the Administrators group to log in to the AD monitor (AD server with IP address 10.3.0.254 in this example) and perform the following operations:
1. Double-click ADSSO_Setup.exe. In the dialog box that is displayed, select English as the installation wizard language and click OK. The installation wizard is then displayed in English.
2. Click Next and specify an installation directory, click Install.
3. Start the ADSSO Agent program.
4. Configure AD SSO parameters.
  
  Perform step 2 in the following figure several times to add all AD servers in the domain.
  1. Configure the parameters for the AD SSO program to receive messages from PCs and the shared key used by the AD SSO program to communicate with the FW.
    
    In this example, one AD SSO program monitors the login messages of multiple AD servers, and therefore Anti-replay Time needs to be set to 0 to disable the anti-replay function. The anti-replay function detects the different between the time when the AD SSO service program receives a user login message and the time when the user actually logs in to the AD server. If the time difference exceeds the anti-replay time, the user is disabled from going online from the FW. In the scenario with multiple AD servers, users are authenticated by different AD servers. The AD SSO service program obtains the user login time from these AD servers one by one. In this case, the time difference exceeds the Anti-replay Time value. Therefore, the anti-replay function needs to be disabled.
    
    Make sure that the port (port 12345 in this example) you intend to use is not occupied by other services. Choose Start > Run on the AD domain controller, enter cmd, and run netstat -ano|findstr 12345. If no information is returned, port 12345 is not occupied by other services. Otherwise, the system displays a message indicating the process ID of the service occupying the port. You are advised to release this port or specify another idle port for the AD SSO service.
  2. Add AD servers.
    
    Click Add several times to add all AD servers in the domain.
    
    The AD SSO program supports a maximum of 16 AD servers. It can connect to multiple AD servers to query login user information until it queries required information.
  3. Add FWs.
    
    The SSO program supports a maximum of five FWs and sends user login/logout messages to the FWs.
    
    When the FWs work in hot standby scenarios, you need to set Device Address to the virtual IP address of the VRRP group where the interfaces reside, so that the SSO service can send user login messages to the standby device during an active/standby FW switchover.
  4. Start the SSO service.
    
    You can right-click the AD SSO icon in the system tray on your desktop to start or stop the AD SSO service. Alternatively, click Show Log on the home page to view program operating logs and SSO service logs.
    
    You can also set the encoding style of the AD SSO program on the web UI. Ensure that the AD SSO program and the FW have the same encoding style. The default encoding style of the FW is GBK. If you have switched the encoding style to UTF-8, set the encoding style to UTF-8 here. Otherwise, keep the default setting.

On the AD domain controller, add script ReportLogin.exe to the logon script (Logon.exe) and logoff script (Logoff.exe) respectively, and set the parameters of the logon and logoff scripts so that the AD SSO service can monitor the logon and logoff operations of domain users. You can obtain script file ReportLogin.exe from the Script folder in the installation directory of the AD SSO on the AD monitor.

When the ADs in a domain establish synchronization relationships, only one set of login/logout scripts needs to be deployed on one AD server. The login/logout scripts will be automatically synchronized to other AD servers.

You must use an account that belongs to the Administrators group to log in to the AD domain controller. In this example, the Windows Server 2003 and Windows 2008 Server are used as an AD domain controller.

Access the group policy configuration page and find the login/logout script. The procedures for accessing the group policy configuration pages of Windows 2003 Server, Windows 2008 Server, and Windows 2012 Server are different, and the login/logout script paths are different on these configuration pages.
Windows 2003 Server
1. Choose Start > All Programs > Administrator Tools > Active Directory Users and Computers. Then run the Active Directory Users and Computers tool.
2. Right-click the domain (cce.com as an example) that requires SSO and select ProPerties. In the dialog box that is displayed, click the Group Policy tab.
3. Double-click Default Domain Policy to open the domain policy configuration window.
4. Choose User Configuration > Windows Settings > Scripts(Logon/Logoff),.
Windows 2008 Server and Windows 2012 Server
1. Choose Start > Administrative Tools > Group Policy Management.
2. Right-click Default Domain Policy under the domain to which SSO authentication is to be applied, and choose Edit.
3. Choose User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
Double-click Logon to access the login script configuration window.
In the login script configuration window, click ShowFiles... and copy ReportLogin.exe to the directory that is displayed. Then close the directory.

In the login script configuration window, click Add, add login script ReportLogin.exe, and set the script parameters, as shown in Table 1. Then click OK.

When adding the user login script, click Browse and select ReportLogin.exe in the directory displayed in 13.c.

**Table 1** script parameters
Script Name	Script Parameters
ReportLogin.exe	10.3.0.254 12345 0 3 Admin@123 NOTE: The parameters are separated by spaces. In the example, the IP address of the AD SSO service is the IP address (10.3.0.254) of the AD monitor. The service port must the same as the Port value specified in 12 when you install ADSSO_Setup.exe. The port number in this example is 12345. 0 indicates a login script. To configure a logout script, set this parameter to 1. 3 indicates maximum number of allowed retransmissions. The client shared key must the same as the Client Key value specified in 12 when you install ADSSO_Setup.exe. The Password in this example is Admin@123.

Configure the logout script by referring to steps 13.b and 13.d. The login and logout scripts are both ReportLogin.exe but are saved in different folders.
Choose Start > Run, enter cmd to open the CLI, and run gpupdate to apply the policy.

Reference the user groups when configuring a security policy, quota control policy, proxy policy, audit policy, PBR, and traffic policy.

Verification

R&D employees can use domain accounts and passwords to log in to the AD domain and access network resources.
Marketing employees can use domain accounts and passwords to log in to the AD domain and access network resources.

Run the display user-manage online-user command on the FW to display online user information.

<FW> display user-manage online-user verbose
 Current Total Number: 1                                                        
--------------------------------------------------------------------------------
 IP Address: 10.3.0.2                                                           
 Login Time: 2017-08-17 09:47:36  Online Time: 05:25:25                         
 State: Active  TTL: 08:00:00  Left Time: 02:34:35                              
 Access Type: local                                                             
 Authentication Mode: Single Sign-on                                            
 Access Device Type: unknown                                                    
 Downlink Packets: 0 Bytes: 0    Uplink Packets: 0 Bytes: 0                     
 Downlink Rate: 0 Kbps    Uplink Rate: 0 Kbps                                   
 Build ID: 0                                                                    
 User Name: user_0001@cce.com  Parent User Group: /cce.com/research                      
--------------------------------------------------------------------------------

Configuration Scripts

#
 sysname FW
#  
 user-manage online-user aging-time 480
 user-manage single-sign-on ad
  enable
  plug-in enhanced shared-key %$%$B2N*$eJ0;'Nn'#ATC]t+Rri`%$%$
#  
ad-server template auth_server_ad             
 ad-server authentication 10.3.0.251 88 no-ssl       
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name ad.cce.com
 ad-server authentication ldap-port 389       
 ad-server user-filter sAMAccountName         
 ad-server group-filter ou  
#        
security-policy
 rule name local_policy_ad_01
  source-zone local
  destination-zone trust 
  destination-address 10.3.0.0 24
  action permit
 rule name local_policy_ad_02
  source-zone trust   
  destination-zone local  
  source-address 10.3.0.0 24  
  action permit   
 rule name policy_sec_03    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone dmz
  action permit
#
auth-policy
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#  
 user-manage import-policy policy_import from ad 
 server template auth_server_ad
 server basedn dc=cce,dc=com
 server searchdn ou=marketing,dc=cce,dc=com                                     
 server searchdn ou=research,dc=cce,dc=com 
 destination-group /cce.com
 user-attribute sAMAccountName
 group-filter (|(objectclass=organizationalUnit)(ou=*)) 
 import-type user-group
 import-override enable 
 sync-mode incremental schedule interval 120
#
aaa
 domain cce.com
  service-type internetaccess
  new-user add-temporary group /cce.com auto-import policy_import

# The following configuration takes effect only one time and is not saved into the configuration file.
 execute user-manage import-policy policy_import
 test-aaa testname testpassword ad-template auth_server_ad