This section provides an example of configuring the FW, deployed as an egress gateway, to complete user authentication together with the Agile Controller. Users simply access HTTP services: the FW redirects their HTTP requests to the Portal authentication page of the Agile Controller, the Agile Controller sends the authentication requests to the FW, and once authentication succeeds the user can access the desired services.
Networking Requirements
As shown in Figure 1, an enterprise has deployed the FW as the egress gateway at the network border to connect the intranet and Internet.
- The intranet Portal server (a component of the Agile Controller) provides a Portal authentication page. The FW redirects users' HTTP requests to the authentication page of the Portal server.
- The intranet RADIUS server (a component of the Agile Controller) stores user information and completes user authentication.
- Intranet users include R&D employees and marketing employees.
Figure 1 Configuring Portal authentication for Internet access users (the FW participates in user authentication)
The enterprise network administrator wants to use the user management mechanism provided by the FW to identify intranet IP addresses as users to control users' network behavior and assign network permissions.
- R&D employees and marketing employees can access HTTP services without proactively accessing the portal authentication page of the Portal server, because their HTTP requests will be automatically redirected to the portal authentication page.
- R&D employees and marketing employees can access network resources only after being authenticated by the RADIUS server.
- The FW saves security group information, not user information. The permissions of authenticated users are controlled on the basis of the groups they belong to.
Configuration Roadmap
This example covers only the user and user authentication configuration; the security policies, PBR and other policies that later reference the security groups are outside its scope.
- Configure user information, authorization information, Portal server information, and RADIUS server information on the Agile Controller so that the Agile Controller can interwork with the FW.
- Configure interfaces and security policies on the FW.
- Configure the RADIUS server on the FW: authentication, accounting, and authorization server addresses, ports, and shared keys.
- Configure an authentication domain.
- Configure the security groups to which the Internet access users belong.
- Configure Portal2.0 authentication.
- Configure an authentication policy.
Data Planning
The items below list the data configured on each side and, under each item, why it has to agree with the other side.

Agile Controller
- R&D user information: account user_0001, password Admin@123, role role1, security group research
- Marketing user information: account user_0002, password Admin@123, role role2, security group marketing
  When a user is redirected to the Portal authentication page of the Portal server, the user enters this account and password for authentication.
- RADIUS parameters: authentication and accounting key Admin@123; authorization key Admin@123
  The RADIUS parameters configured on the Agile Controller must be consistent with those on the FW.
- Portal authentication parameters: port 2000; Portal key Admin@123; access device IP address list 10.3.0.0/24; Portal protocol: Huawei Portal protocol; heartbeat detection between the access device and the Portal server enabled; Portal server IP address 10.2.0.50
  The Portal parameters configured on the Agile Controller must be consistent with those on the FW.

FW
- RADIUS server: authentication/accounting/authorization server IP address 10.2.0.50; authentication port 1812; accounting port 1813; authentication and accounting key Admin@123; authorization key Admin@123
  The RADIUS server parameters configured on the FW must be consistent with those on the Agile Controller.
- Portal server: IP address 10.2.0.50; port 50100; Portal key Admin@123; probe interval 100s and probe retry count 5; user synchronization period 300s and synchronization count 5; Portal authentication page http://10.2.0.50:8080/portal
  The Portal server parameters configured on the FW must be consistent with those on the Agile Controller.
- FW listening port: 2000
  The port must be set on both the Agile Controller and the FW; it is the Portal authentication port configured on the Agile Controller.
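The "must be consistent" notes above are about more than getting a login to work. As an added illustration (not from this page or from Huawei), the following Python models the RADIUS exchange behind Portal authentication as RFC 2865 defines it: the FW hides the user's password in the Access-Request using the shared key, the Agile Controller returns the security group in the Class attribute, and the FW only trusts that Access-Accept if the Response Authenticator verifies under the same key. The packet builders, the fixed Request Authenticator, the NAS IP address and the simulate_exchange helper are my constructions, not anything the page or the product defines.

```python
"""Offline model of the RADIUS exchange between the FW (NAS) and the Agile Controller's
RADIUS server, per RFC 2865.  Shows what the shared key Admin@123 from Data Planning
protects (the User-Password attribute and the Response Authenticator) and how the
security group rides back in the Class attribute, which the FW maps to a security
group with "radius-server group-filter class".  Added example, not Huawei code."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_CLASS = 1, 2, 4, 25


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR block i with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; strips the zero padding (so a password must not end in NUL)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str, request_auth: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS must check before trusting an Access-Accept: recompute the authenticator."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(hashlib.md5(header + request_auth + attrs + secret).digest(), resp_auth)


def security_group(response: bytes):
    """The security group arrives in the Class attribute (type 25), as group-filter class expects."""
    for atype, value in parse_packet(response)[3]:
        if atype == ATTR_CLASS:
            return value.decode("ascii", errors="replace")
    return None


def simulate_exchange(fw_key: bytes, controller_key: bytes):
    """FW side builds the Access-Request with fw_key; the controller side decodes it with
    controller_key and answers Access-Accept with Class=research.  Returns (password the
    server saw, whether the FW accepts the reply, security group parsed from the reply)."""
    # Constructed, fixed Request Authenticator so the run is reproducible; a real NAS uses 16 random bytes.
    request_auth = hashlib.md5(b"constructed-request-authenticator").digest()
    # 10.3.0.1 is the FW's trust-side address from this example; the source address the Agile
    # Controller actually sees would be the DMZ-side interface, which the page does not give.
    request = build_access_request(7, "user_0001", "Admin@123", fw_key, "10.3.0.1", request_auth)
    _, ident, req_auth, attrs = parse_packet(request)
    seen_password = reveal_password(dict(attrs)[ATTR_USER_PASSWORD], controller_key, req_auth)
    accept = build_access_accept(ident, req_auth, controller_key, _attr(ATTR_CLASS, b"research"))
    return seen_password, verify_response(accept, request_auth, fw_key), security_group(accept)
```

With simulate_exchange(b"Admin@123", b"Admin@123") the server sees Admin@123 and the FW accepts the reply; change either key and the server decodes garbage while the FW rejects the Accept, which is exactly the failure you get from a key mismatch between the FW and the Agile Controller, and why the Test button in step 4 is worth pressing before going further. Keep in mind that RFC 2865 password hiding is MD5-based obfuscation, not encryption, and the Response Authenticator is only as strong as the shared key, so do not carry Admin@123 into production.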
Procedure
- Configure user information, authorization information, Portal server information, and RADIUS server information on the Agile Controller.
- Choose to create a role.
- Choose to create a user and associate the user with the role.
- Choose to configure the authorization result. The attribute value research is the security group of the user and must be the same as the security group name configured on the FW in step 6; the FW reads it from the RADIUS Class attribute (radius-server group-filter class in the configuration script).
- Choose to configure an authorization rule. Reference the authorization result and the role in the rule so that the authorization result is associated with the role.
The process for configuring marketing user information and authorization information (security group marketing) is the same as that for R&D users.
- Choose to add a device and configure the Portal server and RADIUS server.
  IP address: the access device address of the FW; the FW interface with this address must be able to communicate with the Agile Controller.
  RADIUS parameters:
    Authentication and accounting key: must be the same as the shared key (configured in step 4) used by the FW to communicate with the authentication and accounting servers.
    Authorization key: must be the same as the shared key (configured in step 4) used by the FW to communicate with the authorization server.
    Realtime account period: optional.
    Device series: use the default value.
  Portal authentication parameters:
    Port: must be the same as the FW listening port configured in step 7.
    Portal key: must be the same as the shared key configured in step 7.
- Choose . Specify interface IP addresses and assign the interfaces to security zones.
The following example describes how to configure GigabitEthernet 0/0/3. Configure the other interfaces based on the networking diagram.
  Security zone: trust
  IP address: 10.3.0.1/24
- Choose . Click Add to configure security policies.
- Configure a security policy from the Trust zone (intranet users) to the DMZ (Portal server) so that users can reach the Portal authentication page of the Portal server.
  Name: sec_policy_tsm
  Source zone: trust
  Destination zone: dmz
  Source address: 10.3.0.0/24
  Destination address: 10.2.0.0/24
  Action: Permit
If the URL of the authentication page is a domain name and the DNS server that resolves it is deployed in the DMZ, you also need to permit DNS traffic from the Trust zone to the DMZ.
- Configure security policies between the DMZ (where the Portal and RADIUS servers reside) and the Local zone so that the Portal and RADIUS servers and the FW can communicate with each other.
  Name: local_policy_01
  Source zone: local
  Destination zone: dmz
  Action: Permit

  Name: local_policy_02
  Source zone: dmz
  Destination zone: local
  Action: Permit
As written, these two rules permit all traffic between the Local zone and the DMZ. In production, narrow them to what this example actually needs: RADIUS (UDP 1812 and 1813) and the Portal protocol (UDP 50100 towards the Portal server and UDP 2000 towards the FW listening port), the ports listed in Data Planning.
- Configure authentication, authorization, and accounting information on the RADIUS server.
- Choose . Click Add to configure the RADIUS server.
Configure the IP addresses and ports of the RADIUS authentication and accounting servers and the shared key used by the FW to communicate with them. The parameters must be consistent with those on the RADIUS server (the Agile Controller).
- Click Test and then OK in the dialog box that is displayed. Enter an account name and password that exist on the RADIUS server and click Start Checking to check connectivity to the RADIUS server. If the check succeeds, click Cancel.
- Click OK.
- Configure the IP address of the RADIUS authorization server and the shared key used by the FW to communicate with it. This is done from the CLI:
[FW] radius-server authorization 10.2.0.50 shared-key cipher Admin@123
- Configure an authentication domain.
- Choose .
- Set the required parameters.
- Configure the security groups to which the Internet access users belong.
- Choose .
- In User/User Group/Security Group Management List, select . Create two security groups, research and marketing; the names must match the authorization result attribute values configured on the Agile Controller in step 1.
  Name: research (repeat the step for marketing)
  Security group type: Static
- Configure Portal2.0 authentication.
- Choose .
- Set the required parameters.
- Choose . Click Add to configure an authentication policy.
- Set the action of the authentication policy for traffic from users to the Portal server to No authentication, so that the users' authentication packets can pass through the FW to the Portal server without themselves triggering authentication.
  Name: auth_policy_tsm
  Source Zone: Trust
  Destination Zone: dmz
  Source Address/Region: 10.3.0.0/24
  Destination Address/Region: 10.2.0.50/32
  Action: No authentication
- Set the action of the authentication policy for users accessing other services to Portal authentication.
  Name: auth_policy_service
  Source Zone: Trust
  Destination Zone: untrust
  Source Address/Region: 10.3.0.0/24
  Action: Portal authentication
  Template Name: portal
- After completing the preceding configurations, reference the security groups (research and marketing) when configuring security policies, PBR, proxy policies, audit policies, and quota control policies; this is how the group-based permissions described in Networking Requirements are enforced.
Verification
- Access extranet resources as an R&D employee. The HTTP request is redirected to the authentication page. After you enter the Agile Controller account (user_0001) and password, you can continue to access network resources.
- Access extranet resources as a marketing employee (user_0002). The HTTP request is redirected to the authentication page. After you enter the Agile Controller account and password, you can continue to access network resources.
- On the FW, choose to view online user information. Each authenticated user should be listed with the security group (research or marketing) delivered by the Agile Controller.
Configuration Scripts
sysname FW
#
authentication-profile name portal_authen_default
 portal-access-profile default
#
user-manage portal-template portal
 portal-url push information
 portal-url http://10.2.0.50:8080/portal
 server-detect web-auth-server default
#
security-policy
 rule name sec_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.0 24
  action permit
 rule name local_policy_01
  source-zone local
  destination-zone dmz
  action permit
 rule name local_policy_02
  source-zone dmz
  destination-zone local
  action permit
#
radius-server template auth_server_radius
 radius-server shared-key cipher %^%#H**3(i3_k%ugc;,fvZG!,-:|*=(A5(y4Q_2t'3P%^%
 radius-server authentication 10.2.0.50 1812 weight 80
 radius-server accounting 10.2.0.50 1813 weight 80
 radius-server group-filter class
#
radius-server authorization 10.2.0.50 shared-key cipher %^%#K}(^&0opP~Q%fMUr3k*(59%N:,+H$*!(Vs%%^%#
#
web-auth-server default
 server-ip 10.2.0.50
 port 50100
 shared-key cipher %^%#/.6y+B[H{Q'wPG"lpVK,bx*Yg9C*5VEC;'-K7~Z%^%#
 server-detect interval 100 max-times 5 action log
 user-sync max-times 5
#
portal-access-profile name default
 web-auth-server default
#
aaa
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme radius
  authorization-mode radius
 accounting-scheme radius
  accounting-mode radius
 domain default
  authentication-scheme radius
  accounting-scheme radius
  authorization-scheme radius
  radius-server auth_server_radius
  service-type internetaccess
  internet-access mode password
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
interface LoopBack0
 authentication-profile portal_authen_default
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.2.0.50 mask 255.255.255.255
  action none
 rule name auth_policy_service
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action auth portal-template portal
#
return
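As an added example (not part of the page and not a Huawei tool), the following Python checks a configuration script of this shape against the Data Planning table: the RADIUS server addresses and ports, the group-filter class setting, the web-auth-server address and port, the redirect URL and whether sec_policy_tsm actually permits reaching its host, and whether the authentication policy exempts the Portal server while portal-authenticating everything else. CONFIG is abridged from the script above and PLAN holds the Data Planning values; the parsing helpers, check logic and messages are mine.

```python
"""Check a FW configuration script against the Data Planning table of this example.
Added example, not Huawei code: CONFIG is abridged from the page's Configuration Scripts
section and PLAN holds the Data Planning values; a real run would read both from files."""
import ipaddress
import re
from urllib.parse import urlparse

PLAN = {"radius_ip": "10.2.0.50", "auth_port": 1812, "acct_port": 1813, "portal_ip": "10.2.0.50",
        "portal_port": 50100, "portal_url": "http://10.2.0.50:8080/portal"}

CONFIG = """\
user-manage portal-template portal
 portal-url push information
 portal-url http://10.2.0.50:8080/portal
#
security-policy
 rule name sec_policy_tsm
  source-zone trust
  destination-zone dmz
  destination-address 10.2.0.0 24
  action permit
#
radius-server template auth_server_radius
 radius-server authentication 10.2.0.50 1812 weight 80
 radius-server accounting 10.2.0.50 1813 weight 80
 radius-server group-filter class
#
web-auth-server default
 server-ip 10.2.0.50
 port 50100
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz
  destination-address 10.2.0.50 mask 255.255.255.255
  action none
 rule name auth_policy_service
  source-zone trust
  destination-zone untrust
  action auth portal-template portal
#
"""

def _net(spec):
    # 'A.B.C.D 24' (security-policy syntax) or 'A.B.C.D mask M.M.M.M' (auth-policy syntax)
    p = spec.split()
    return ipaddress.ip_network(f"{p[0]}/{p[2] if p[1] == 'mask' else p[1]}", strict=False)

def _rule(config, name):
    # Body of 'rule name <name>': the two-space-indented lines that follow it
    m = re.search(rf"^ rule name {re.escape(name)}\n((?:  .*\n)*)", config, re.M)
    return m.group(1) if m else ""

def _field(block, key):
    m = re.search(rf"^\s*{re.escape(key)} (.+)$", block, re.M)
    return m.group(1).strip() if m else None

def _host_ip(url):
    try:
        return ipaddress.ip_address(urlparse(url).hostname)
    except ValueError:  # a domain name: DNS from Trust to DMZ must then be permitted as well
        return None

def check_config(config, plan):
    """Return the list of mismatches; an empty list means the script agrees with the plan."""
    findings = []
    # RADIUS servers: address and port must be what the Agile Controller listens on
    for kind, port_key in (("authentication", "auth_port"), ("accounting", "acct_port")):
        m = re.search(rf"^\s*radius-server {kind} (\S+) (\d+)", config, re.M)
        got = (m.group(1), int(m.group(2))) if m else None
        if got != (plan["radius_ip"], plan[port_key]):
            findings.append(f"radius-server {kind}: expected {plan['radius_ip']}:{plan[port_key]}, got {got}")
    if not re.search(r"^\s*radius-server group-filter class$", config, re.M):
        findings.append("group-filter class missing: the Class attribute will not select the security group")
    # Portal server the FW talks to (web-auth-server block)
    m = re.search(r"^web-auth-server \S+\n((?: .*\n)*)", config, re.M)
    got = (_field(m.group(1), "server-ip"), _field(m.group(1), "port")) if m else None
    if got != (plan["portal_ip"], str(plan["portal_port"])):
        findings.append(f"web-auth-server: expected {plan['portal_ip']}:{plan['portal_port']}, got {got}")
    # Redirect URL: must match the plan, and sec_policy_tsm must permit users to reach its host
    m = re.search(r"^\s*portal-url (https?://\S+)", config, re.M)
    url = m.group(1) if m else None
    if url != plan["portal_url"]:
        findings.append(f"portal-url: expected {plan['portal_url']}, got {url}")
    sec = _rule(config, "sec_policy_tsm")
    dst, host = _field(sec, "destination-address"), (_host_ip(url) if url else None)
    if host and (not dst or _field(sec, "action") != "permit" or host not in _net(dst)):
        findings.append(f"sec_policy_tsm does not permit users to reach the Portal page host {host}")
    # Authentication policy: exempt the Portal server itself, portal-authenticate everything else
    exempt = _rule(config, "auth_policy_tsm")
    dst = _field(exempt, "destination-address")
    if _field(exempt, "action") != "none" or not dst or ipaddress.ip_address(plan["portal_ip"]) not in _net(dst):
        findings.append("auth_policy_tsm must exempt the Portal server with 'action none'")
    m = re.match(r"auth portal-template (\S+)$", _field(_rule(config, "auth_policy_service"), "action") or "")
    if not m:
        findings.append("auth_policy_service must use 'action auth portal-template <name>'")
    elif not re.search(rf"^user-manage portal-template {re.escape(m.group(1))}$", config, re.M):
        findings.append(f"portal-template {m.group(1)} is referenced but never defined")
    return findings
```

check_config(CONFIG, PLAN) returns an empty list for the script above; edit the web-auth-server port to 50200, or move the Portal server out of the range sec_policy_tsm permits, and the corresponding finding appears. The checks are deliberately the ones the page repeats as "must be consistent": a mismatch in any of them produces a redirect that loads no page or a RADIUS request that is silently dropped, both of which look identical from the user's browser.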