
CLI: Example for Configuring Portal Authentication for Internet Access Users (the FW Participates in User Authentication)

This section provides an example for configuring the FW that serves as an egress gateway to complete user authentication with the Agile Controller. Users can directly access HTTP services. The FW redirects HTTP requests to the Portal authentication page of the Agile Controller. The Agile Controller sends authentication requests to the FW. The user can access desired services after the authentication succeeds.

Networking Requirements

As shown in Figure 1, an enterprise has deployed the FW as the egress gateway at the network border to connect the intranet and Internet.

  • The intranet Portal server (a component of the Agile Controller) provides a Portal authentication page. The FW redirects users' HTTP requests to the authentication page of the Portal server.
  • The intranet RADIUS server (a component of the Agile Controller) stores user information and completes user authentication.
  • Intranet users include R&D employees and marketing employees.
Figure 1 Configuring Portal authentication for Internet access users (the FW participates in user authentication)

The enterprise network administrator wants to use the user management mechanism provided by the FW to identify intranet IP addresses as users to control users' network behavior and assign network permissions.

  • R&D employees and marketing employees can access HTTP services without proactively accessing the portal authentication page of the Portal server, because their HTTP requests will be automatically redirected to the portal authentication page.
  • R&D employees and marketing employees can access network resources only after being authenticated by the RADIUS server.
  • The FW saves security group information, not user information. The permissions of authenticated users are controlled on the basis of the groups they belong to.

Configuration Roadmap

This example describes how to configure only users and user authentication.

  1. Configure user information, authorization information, Portal server information, and RADIUS server information on the Agile Controller so that the Agile Controller can interwork with the FW.
  2. Configure interfaces and security policies on the FW.
  3. Configure the RADIUS server.
  4. Configure authentication, authorization, and accounting schemes.
  5. Configure an authentication domain and reference the authentication, authorization, and accounting schemes.
  6. Configure Portal2.0 authentication.
  7. Configure the portal authentication page.
  8. Configure an authentication policy.

Data Planning

The following table lists the planned data (Item, Data, Description).

Item: Agile Controller

R&D user information:
  • Account: user_0001
  • Password: Admin@123
  • Role: role1
  • Security group: research
Marketing user information:
  • Account: user_0002
  • Password: Admin@123
  • Role: role2
  • Security group: marketing

When a user is redirected to the Portal authentication page of the Portal server, the user needs to enter the account and password for authentication.

RADIUS parameters:
  • Authentication and accounting key: Admin@123
  • Authorization key: Admin@123

The RADIUS parameters configured on the Agile Controller must be consistent with those on the FW.

Portal authentication parameters:
  • Port: 2000
  • Portal key: Admin@123
  • Access device IP address list: 10.3.0.0/24
  • Portal protocol: Huawei Portal protocol
  • Enable heartbeat detection between the access device and Portal server
  • Portal server IP address: 10.2.0.50

The Portal parameters configured on the Agile Controller must be consistent with those on the FW.

Item: FW

RADIUS server:
  • Authentication/Accounting/Authorization server IP address: 10.2.0.50
  • Authentication port: 1812
  • Accounting port: 1813
  • Authentication and accounting key: Admin@123
  • Authorization key: Admin@123

The RADIUS server parameters configured on the FW must be consistent with those on the Agile Controller.

Portal server:
  • IP address: 10.2.0.50
  • Port: 50100
  • Portal key: Admin@123
  • Probe interval and probe retry count: 100s and 5
  • User synchronization period and synchronization count: 300s and 5
  • Portal authentication page: http://10.2.0.50:8080/portal

The Portal server parameters configured on the FW must be consistent with those on the Agile Controller.

FW listening port: 2000

The port must be set on both the Agile Controller and FW. The port is the one for Portal authentication on the Agile Controller.

Procedure

  1. Configure user information, authorization information, Portal server information, and RADIUS server information on the Agile Controller.
    1. Choose Resource > User > Role Management to create a role.

    2. Choose Resource > User > User Management to create a user and associate the user with the role.

    3. Choose Policy > Permission Control > Authentication & Authorization > Authorization Result to configure the authorization result. The attribute value research is the security group of the user and must be the same as the security group name configured on the FW in step 7.

    4. Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule to configure an authorization rule. Reference the authorization result and role in the rule and associate the authorization result and role.

      The process for configuring marketing user information and authorization information is similar to the process for configuring R&D user and authorization information.

    5. Choose Resource > Device > Device Management to add a device and configure the Portal server and RADIUS server.

      Parameter / Description:
        • IP address: an interface IP address of the FW; the interface must be able to communicate with the Agile Controller.
        • RADIUS parameters
          • Authentication and accounting key: must be the same as the shared key (configured in step 4) used by the FW to communicate with the authentication server and accounting server.
          • Authorization key: must be the same as the shared key (configured in step 4) used by the FW to communicate with the authorization server.
          • Realtime account period: optional.
          • Device series: use the default value.
        • Portal authentication parameters
          • Port: must be the same as the listening port configured in step 8.
          • Portal key: must be the same as the shared key configured in step 8.



  2. Specify interface IP addresses and assign the interfaces to security zones on the FW. The following example describes how to configure GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet0/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit

  3. Configure security policies on the FW.
    1. Configure a security policy from the Trust zone (intranet users) to the DMZ (Portal server) so that users can access the Portal authentication page of the Portal server.

      [FW] security-policy
      [FW-policy-security] rule name sec_policy_tsm
      [FW-policy-security-rule-sec_policy_tsm] source-zone trust
      [FW-policy-security-rule-sec_policy_tsm] source-address 10.3.0.0 24
      [FW-policy-security-rule-sec_policy_tsm] destination-zone dmz
      [FW-policy-security-rule-sec_policy_tsm] destination-address 10.2.0.0 24
      [FW-policy-security-rule-sec_policy_tsm] action permit
      [FW-policy-security-rule-sec_policy_tsm] quit

      If the URL of the authentication page is a domain name and the DNS server that resolves it is deployed in the DMZ, you also need to permit DNS traffic from the Trust zone to the DMZ.

    2. Configure security policies between the DMZ (where the Portal and RADIUS servers reside) and the Local zone to allow the Portal and RADIUS servers to communicate with the FW.

      [FW-policy-security] rule name local_policy_01
      [FW-policy-security-rule-local_policy_01] source-zone local
      [FW-policy-security-rule-local_policy_01] destination-zone dmz
      [FW-policy-security-rule-local_policy_01] action permit
      [FW-policy-security-rule-local_policy_01] quit
      [FW-policy-security] rule name local_policy_02
      [FW-policy-security-rule-local_policy_02] source-zone dmz
      [FW-policy-security-rule-local_policy_02] destination-zone local
      [FW-policy-security-rule-local_policy_02] action permit
      [FW-policy-security-rule-local_policy_02] quit

  4. Configure the RADIUS server on the FW. The parameters must be consistent with those on the RADIUS server.

    # Configure IP addresses and ports for the RADIUS authentication and accounting servers and the shared key used by the FW to communicate with the authentication and accounting servers.

    [FW] radius-server template auth_server_radius 
    [FW-radius-auth_server_radius] radius-server authentication 10.2.0.50 1812
    [FW-radius-auth_server_radius] radius-server accounting 10.2.0.50 1813
    [FW-radius-auth_server_radius] radius-server shared-key cipher Admin@123
    [FW-radius-auth_server_radius] test-aaa testname testpassword radius-template auth_server_radius
    [FW-radius-auth_server_radius] quit

    # Configure an IP address for the RADIUS authorization server and the shared key used by the FW to communicate with the authorization server.

    [FW] radius-server authorization 10.2.0.50 shared-key cipher Admin@123
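The data plan and steps 4 and 8 repeat that the RADIUS and Portal keys configured on the FW must match those on the Agile Controller. The following Python script is an added example, not part of this page and not Huawei product code; it shows what the RADIUS shared key does on the wire according to RFC 2865: the server's Response Authenticator is the MD5 of the response header, the request's authenticator, the attributes and the secret, so a client holding a different key computes a different value and must silently discard the Access-Accept. The packet bytes are constructed; the key Admin@123 is the one from the data plan, and carrying the security group name in the Class attribute is an assumption modelled on the `radius-server group-filter class` line in the configuration script.

```python
import hashlib
import hmac
import struct

SHARED_KEY = b"Admin@123"   # authentication/accounting key from the data plan
ACCESS_ACCEPT = 2           # RADIUS Code for Access-Accept (RFC 2865)
CLASS_ATTR = 25             # Class attribute; assumed here to carry the group name


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_response(code, identifier, request_auth, attributes, secret):
    """Build a RADIUS response. Per RFC 2865 the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator with our copy of the secret and compare
    in constant time; a key mismatch or a modified attribute makes this fail."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    header, received_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, received_auth)


def demo():
    """Accept a reply under the matching key; reject it under a mismatched key or
    when the Class attribute was altered in transit."""
    request_auth = bytes(range(16))   # constructed; a real client sends 16 random bytes
    attrs = attribute(CLASS_ATTR, b"research")
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, SHARED_KEY)
    tampered = accept[:-8] + b"researcX"   # same length, one byte of the group changed
    return {
        "matching_key": verify_response(accept, request_auth, SHARED_KEY),
        "wrong_key": verify_response(accept, request_auth, b"Admin@124"),
        "tampered": verify_response(tampered, request_auth, SHARED_KEY),
        "length": len(accept),
    }


if __name__ == "__main__":
    print(demo())
```

Because a mismatched key makes every reply fail verification, the symptom on the FW is a RADIUS server that appears not to answer, which is why step 4 runs test-aaa against the template right after setting the key.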

  5. Configure authentication, authorization, and accounting schemes.

    # Configure an authentication scheme and set the authentication mode to RADIUS.

    [FW] aaa
    [FW-aaa] authentication-scheme radius   //Configure authentication scheme radius.
    [FW-aaa-authen-radius] authentication-mode radius
    [FW-aaa-authen-radius] quit

    # Configure an authorization scheme and set the authorization mode to RADIUS.

    [FW] aaa
    [FW-aaa] authorization-scheme radius   //Configure authorization scheme radius.
    [FW-aaa-author-radius] authorization-mode radius
    [FW-aaa-author-radius] quit

    # Configure an accounting scheme and set the accounting mode to RADIUS.

    [FW] aaa
    [FW-aaa] accounting-scheme radius   //Configure accounting scheme radius.
    [FW-aaa-accounting-radius] accounting-mode radius
    [FW-aaa-accounting-radius] quit

  6. Configure an authentication domain and reference the RADIUS server template and authentication, authorization, and accounting schemes.

    [FW-aaa] domain default
    [FW-aaa-domain-default] authentication-scheme radius   //The authentication domain is bound with authentication scheme radius.
    [FW-aaa-domain-default] authorization-scheme radius   //The authentication domain is bound with authorization scheme radius
    [FW-aaa-domain-default] accounting-scheme radius   //The authentication domain is bound with accounting scheme radius
    [FW-aaa-domain-default] radius-server auth_server_radius   //The authentication domain is bound with the server template.
    [FW-aaa-domain-default] service-type internetaccess
    [FW-aaa-domain-default] quit
    [FW-aaa] quit

  7. Configure the security group to which the Internet access user belongs.

    [FW] user-manage security-group research
    [FW-securitygroup-research] security-group-type static
    [FW-securitygroup-research] quit
    [FW] user-manage security-group marketing
    [FW-securitygroup-marketing] security-group-type static
    [FW-securitygroup-marketing] quit

  8. Configure Portal2.0 authentication.

    # Configure the Portal server template and create Portal server information in the Portal server template.

    [FW] web-auth-server default
    [FW-web-auth-server-default] server-ip 10.2.0.50
    [FW-web-auth-server-default] port 50100
    [FW-web-auth-server-default] shared-key cipher Admin@123
    [FW-web-auth-server-default] server-detect interval 100 max-times 5 action log
    [FW-web-auth-server-default] user-sync interval 300 max-times 5
    [FW-web-auth-server-default] quit

    # Configure a listening port for Portal2.0 and enable the device to transparently transmit the user authentication information from the RADIUS server to the Portal server.

    [FW] web-auth-server listening-port 2000
    [FW] web-auth-server reply-message

    # Configure the Portal access template and bind the Portal server template.

    [FW] portal-access-profile name default
    [FW-portal-acces-profile-default] web-auth-server default
    [FW-portal-acces-profile-default] quit

    # Configure the authentication template and bind the Portal access template. In this example, authentication template portal_authen_default is created.

    [FW] authentication-profile name portal_authen_default
    [FW-authen-profile-portal_authen_default ] portal-access-profile default
    [FW-authen-profile-portal_authen_default ] quit

    # Configure Loopback 0 and apply the authentication template to Loopback 0. Currently, the authentication template can be bound only to Loopback 0, and only authentication template portal_authen_default can be bound to Loopback 0.

    [FW] interface loopback 0
    [FW-LoopBack0] authentication-profile portal_authen_default
    [FW-LoopBack0] quit

  9. Configure the Portal authentication page and ensure that the Portal URL is the same as the authentication page used by the Portal server.

    [FW] user-manage portal-template portal
    [FW-portal-template-portal] portal-url http://10.2.0.50:8080/portal
    [FW-portal-template-portal] portal-url push information
    [FW-portal-template-portal] server-detect web-auth-server default
    [FW-portal-template-portal] quit

  10. Set the action in the authentication policy for traffic from users to the Portal server to none (no authentication) so that the users' authentication packets can pass through the FW to the Portal server, and set the action for traffic from users to other services to Portal authentication.

    [FW] auth-policy
    [FW-policy-auth] rule name auth_policy_tsm
    [FW-policy-auth-rule-auth_policy_tsm] source-zone trust
    [FW-policy-auth-rule-auth_policy_tsm] destination-zone dmz 
    [FW-policy-auth-rule-auth_policy_tsm] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_tsm] destination-address 10.2.0.50 32
    [FW-policy-auth-rule-auth_policy_tsm] action none
    [FW-policy-auth-rule-auth_policy_tsm] quit
    [FW-policy-auth] rule name auth_policy_service
    [FW-policy-auth-rule-auth_policy_service] source-zone trust
    [FW-policy-auth-rule-auth_policy_service] destination-zone untrust
    [FW-policy-auth-rule-auth_policy_service] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_service] action auth portal-template portal

  11. After completing the preceding configurations, reference the security groups when configuring security policies, PBR, proxy policies, audit policies, and quota control policies.

Verification

  • Access extranet resources as an R&D employee. The HTTP request is redirected to the authentication page. After entering the Agile Controller account and password, you can continue to access network resources.
  • Access extranet resources as a marketing employee. The HTTP request is redirected to the authentication page. After entering the Agile Controller account and password, you can continue to access network resources.
  • Run the display user-manage online-user verbose command on the firewall to view online user information.
    <sysname> display user-manage online-user verbose
     Current Total Number: 1
    --------------------------------------------------------------------------------
     IP Address: 10.3.0.10
     Login Time: 2017-05-16 12:03:13  Online Time: 00:00:10
     State: Active  TTL: 00:30:00  Left Time: 00:30:00
     Access Type: Portal
     Authentication Mode: Password (RADIUS)
     Access Device Type: unknown
     <--packets: 8 bytes: 1590  -->packets: 8 bytes: 1389
     Downlink Rate: 23 kbps     Uplink Rate: 750 kbps
     Build ID: 0
     User Name: user_0001  Parent User Group: /default
     Parent Security Group: research
     --------------------------------------------------------------------------------
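
For ongoing monitoring, the output of display user-manage online-user verbose can be parsed and audited against the design on this page (Portal access, RADIUS password authentication, members of the research or marketing security groups only). The Python below is an added example, not part of the page or of any Huawei tooling; the first record in the embedded sample is the page's own output and the second is a constructed session that deviates from the design.

```python
import re

# Constructed sample: record one is the page's sample output, record two is a
# made-up session (local password authentication, group outside the design).
SAMPLE_OUTPUT = """\
<sysname> display user-manage online-user verbose
 Current Total Number: 2
--------------------------------------------------------------------------------
 IP Address: 10.3.0.10
 Login Time: 2017-05-16 12:03:13  Online Time: 00:00:10
 State: Active  TTL: 00:30:00  Left Time: 00:30:00
 Access Type: Portal
 Authentication Mode: Password (RADIUS)
 Access Device Type: unknown
 <--packets: 8 bytes: 1590  -->packets: 8 bytes: 1389
 Downlink Rate: 23 kbps     Uplink Rate: 750 kbps
 Build ID: 0
 User Name: user_0001  Parent User Group: /default
 Parent Security Group: research
--------------------------------------------------------------------------------
 IP Address: 10.3.0.77
 Login Time: 2017-05-16 12:05:41  Online Time: 00:00:02
 State: Active  TTL: 00:30:00  Left Time: 00:30:00
 Access Type: Portal
 Authentication Mode: Password (Local)
 Access Device Type: unknown
 <--packets: 2 bytes: 120  -->packets: 1 bytes: 60
 Downlink Rate: 0 kbps     Uplink Rate: 0 kbps
 Build ID: 0
 User Name: tempuser  Parent User Group: /default
 Parent Security Group: guest
--------------------------------------------------------------------------------
"""

FIELD_SEP = re.compile(r"\s{2,}")   # fields on one line are separated by 2+ spaces

# What this page's design expects for every Internet access session.
EXPECTED = {"Access Type": "Portal", "Authentication Mode": "Password (RADIUS)"}
ALLOWED_GROUPS = {"research", "marketing"}


def parse_online_users(output):
    """Return (total, users): the reported count and one dict of fields per session."""
    total, users, current = None, [], None
    for raw in output.splitlines():
        line = raw.strip()
        if ": " not in line:                 # command echo, separators, blank lines
            continue
        if line.startswith("Current Total Number:"):
            total = int(line.split(":", 1)[1])
            continue
        if line.startswith("IP Address:"):   # first field of every session block
            current = {}
            users.append(current)
        if current is None:
            continue
        for field in FIELD_SEP.split(line):
            key, _, value = field.partition(": ")
            current[key] = value.strip()
    return total, users


def audit_online_users(users, expected=EXPECTED, allowed_groups=ALLOWED_GROUPS):
    """List (ip, reason) pairs for sessions that do not match the design."""
    issues = []
    for u in users:
        ip = u.get("IP Address")
        for key, want in expected.items():
            if u.get(key) != want:
                issues.append((ip, f"{key} is {u.get(key)!r}, expected {want!r}"))
        group = u.get("Parent Security Group")
        if group not in allowed_groups:
            issues.append((ip, f"security group {group!r} is not in the design"))
    return issues


if __name__ == "__main__":
    total, users = parse_online_users(SAMPLE_OUTPUT)
    print(f"{total} online, {len(users)} parsed")
    for ip, reason in audit_online_users(users):
        print(ip, reason)
```

The same parser works on output captured over SSH on a schedule, and the audit list is what you would forward to a SIEM: a session authenticated by anything other than the RADIUS server, or placed in a group the design does not know, means either a configuration drift on the FW or an account outside the Agile Controller's control.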
    

Configuration Scripts

sysname FW
#
authentication-profile name portal_authen_default
 portal-access-profile default               
#                                            
 user-manage portal-template portal
 portal-url push information          
 portal-url http://10.2.0.50:8080/portal
 server-detect web-auth-server default
#
security-policy
 rule name sec_policy_tsm  
  source-zone trust 
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.0 24
  action permit
 rule name local_policy_01  
  source-zone local 
  destination-zone dmz
  action permit
 rule name local_policy_02
  source-zone dmz
  destination-zone local
  action permit        
#                                                                               
radius-server template auth_server_radius                                       
 radius-server shared-key cipher %^%#H**3(i3_k%ugc;,fvZG!,-:|*=(A5(y4Q_2t'3P%^%
#                                                                               
 radius-server authentication 10.2.0.50 1812 weight 80                          
 radius-server accounting 10.2.0.50 1813 weight 80                              
 radius-server group-filter class                                               
radius-server authorization 10.2.0.50 shared-key cipher %^%#K}(^&0opP~Q%fMUr3k*(59%N:,+H$*!(Vs%%^%#
#                                                                               
web-auth-server default                                                         
 server-ip 10.2.0.50                                                            
 port 50100                                                                     
 shared-key cipher %^%#/.6y+B[H{Q'wPG"lpVK,bx*Yg9C*5VEC;'-K7~Z%^%#             
 server-detect interval 100 max-times 5 action log                              
 user-sync max-times 5                                                          
#                                                                               
portal-access-profile name default                                              
 web-auth-server default                                                        
#                                                                               
aaa                                                                             
 authentication-scheme radius                                                   
  authentication-mode radius                                                    
 authorization-scheme radius                                                    
  authorization-mode radius                                                     
 accounting-scheme radius                                                       
  accounting-mode radius                                                        
 domain default                                                                 
  authentication-scheme radius                                                  
  accounting-scheme radius                                                      
  authorization-scheme radius                                                   
  radius-server auth_server_radius                                              
  service-type internetaccess                                                   
  internet-access mode password                                                 
#                                                                               
interface GigabitEthernet0/0/3           
 undo shutdown                                                                  
 ip address 10.3.0.1 255.255.255.0                                              
#
interface LoopBack0                                                             
 authentication-profile portal_authen_default                                   
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/3      
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1      
#                                                                               
firewall zone dmz                                                               
 set priority 50 
 add interface GigabitEthernet0/0/2   
#                                                                               
auth-policy                                                                     
 rule name auth_policy_tsm                                                      
  source-zone trust                                                             
  destination-zone dmz                                                          
  source-address 10.3.0.0 mask 255.255.255.0                                    
  destination-address 10.2.0.50 mask 255.255.255.255                            
  action none                                                                   
 rule name auth_policy_service                                                  
  source-zone trust                                                             
  destination-zone untrust                                                      
  source-address 10.3.0.0 mask 255.255.255.0                                    
  action auth portal-template portal                                            
#                                                                                                                                                                     
return
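
The configuration script above is where the pieces the procedure ties together must agree: the portal-url host must be the web-auth-server address, the auth-policy must exempt traffic to that address (action none) before the portal rule, and the security policy must permit Trust to DMZ for it and Local to and from the DMZ. The following Python checker is an added example, not Huawei code and not part of the page; it parses an indented Huawei-style script (the embedded sample is a constructed copy of the relevant sections of this page's script, normalised to one space per indentation level) and reports every mismatch it finds. The check for a domain-name URL follows the note in step 3 about DNS.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the sections of this page's script that the checks depend on.
SAMPLE_CONFIG = """\
security-policy
 rule name sec_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.0 24
  action permit
 rule name local_policy_01
  source-zone local
  destination-zone dmz
  action permit
 rule name local_policy_02
  source-zone dmz
  destination-zone local
  action permit
#
user-manage portal-template portal
 portal-url push information
 portal-url http://10.2.0.50:8080/portal
#
web-auth-server default
 server-ip 10.2.0.50
 port 50100
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.2.0.50 mask 255.255.255.255
  action none
 rule name auth_policy_service
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action auth portal-template portal
"""


def parse_tree(text):
    """Build (line, children) nodes from indentation; '#' lines end a section."""
    root, stack = [], []
    stack.append((-1, root))
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            stack = [(-1, root)]
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        node = (stripped, [])
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def children_of(nodes, prefix):
    """Children of every top-level node whose line starts with prefix."""
    return [child for line, kids in nodes if line.startswith(prefix) for child in kids]


def parse_address(spec):
    """'10.3.0.0 24' or '10.2.0.50 mask 255.255.255.255' -> ip_network."""
    parts = spec.split()
    if len(parts) == 1:
        return ipaddress.ip_network(parts[0] + "/32")
    mask = parts[2] if parts[1] == "mask" else parts[1]
    return ipaddress.ip_network(f"{parts[0]}/{mask}", strict=False)


def parse_rules(policy_children):
    """Turn 'rule name X' sub-trees into dicts, keeping configuration order."""
    rules = []
    for line, kids in policy_children:
        if not line.startswith("rule name "):
            continue
        rule = {"name": line.split()[2], "src_zone": None, "dst_zone": None,
                "src": [], "dst": [], "action": None}
        for sub, _ in kids:
            kw, _, rest = sub.partition(" ")
            if kw == "source-zone":
                rule["src_zone"] = rest
            elif kw == "destination-zone":
                rule["dst_zone"] = rest
            elif kw == "source-address":
                rule["src"].append(parse_address(rest))
            elif kw == "destination-address":
                rule["dst"].append(parse_address(rest))
            elif kw == "action":
                rule["action"] = rest
        rules.append(rule)
    return rules


def first_match(rules, src_zone, dst_zone, dst_ip):
    """Policies are evaluated top-down: return the first rule matching the flow."""
    for r in rules:
        zones_ok = r["src_zone"] in (None, src_zone) and r["dst_zone"] in (None, dst_zone)
        if zones_ok and (not r["dst"] or any(dst_ip in n for n in r["dst"])):
            return r
    return None


def check_portal_config(text):
    """Return a list of findings; an empty list means the script is consistent."""
    tree, findings = parse_tree(text), []
    url_host = next((urlsplit(line.split()[1]).hostname
                     for line, _ in children_of(tree, "user-manage portal-template ")
                     if line.startswith("portal-url http")), None)
    server_ip = next((line.split()[1] for line, _ in children_of(tree, "web-auth-server ")
                      if line.startswith("server-ip ")), None)
    if url_host is None or server_ip is None:
        return ["portal-template portal-url or web-auth-server server-ip is missing"]
    try:
        portal = ipaddress.ip_address(url_host)
    except ValueError:   # domain-name URL: DNS must also be permitted (step 3)
        return [f"portal-url host {url_host} is a domain name: permit DNS trust -> dmz and re-check"]
    if url_host != server_ip:
        findings.append(f"portal-url host {url_host} differs from web-auth-server server-ip {server_ip}")
    hit = first_match(parse_rules(children_of(tree, "auth-policy")), "trust", "dmz", portal)
    if hit is None or hit["action"] != "none":
        findings.append("auth-policy: flow to the Portal server is not exempted (action none) before the portal rule")
    sec = parse_rules(children_of(tree, "security-policy"))
    hit = first_match(sec, "trust", "dmz", portal)
    if hit is None or hit["action"] != "permit":
        findings.append("security-policy: trust -> dmz flow to the Portal server is not permitted")
    for a, b in (("local", "dmz"), ("dmz", "local")):
        if not any(r["src_zone"] == a and r["dst_zone"] == b and r["action"] == "permit" for r in sec):
            findings.append(f"security-policy: no permit rule for {a} -> {b} (Portal/RADIUS exchange with the FW)")
    return findings


if __name__ == "__main__":
    print(check_portal_config(SAMPLE_CONFIG) or ["consistent"])
```

Run it against the output of display current-configuration before and after a change; a missing exemption in auth-policy shows up as the redirect loop users report, and a portal-url pointing at a different host than server-ip is the most common reason a page with otherwise correct keys never receives the login form.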
Copyright © Huawei Technologies Co., Ltd.