Figure 1 shows the network topology. Mobile users access resources at the headquarters through SSL VPN. Because the enterprise has stricter requirements on user authentication, access users are authenticated in RADIUS two-factor authentication mode (user name plus PIN, followed by an SMS verification code or token ID).
Requirements are as follows:
# Set interface IP addresses.
<FW> system-view
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet0/0/1] quit
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet0/0/2] ip address 10.2.0.1 16
[FW-GigabitEthernet0/0/2] quit
# Assign interfaces to security zones.
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-zone-untrust] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/2
[FW-zone-trust] quit
# Configure a security policy to allow users to set up SSL VPN tunnels with the FW.
[FW] security-policy
[FW-policy-security] rule name policy_sslvpn_1
[FW-policy-security-policy_sslvpn_1] source-zone untrust
[FW-policy-security-policy_sslvpn_1] destination-zone local
[FW-policy-security-policy_sslvpn_1] destination-address 1.1.1.1 32
[FW-policy-security-policy_sslvpn_1] service https
[FW-policy-security-policy_sslvpn_1] action permit
[FW-policy-security-policy_sslvpn_1] quit
# Configure a security policy to allow the FW to interact with the Webmail and ERP systems.
[FW-policy-security] rule name policy_sslvpn_2
[FW-policy-security-policy_sslvpn_2] source-zone local
[FW-policy-security-policy_sslvpn_2] destination-zone trust
[FW-policy-security-policy_sslvpn_2] destination-address 10.2.0.10 32
[FW-policy-security-policy_sslvpn_2] destination-address 10.2.0.11 32
[FW-policy-security-policy_sslvpn_2] action permit
[FW-policy-security-policy_sslvpn_2] quit
# Configure a security policy to allow network extension users to access intranet resources.
[FW-policy-security] rule name policy_sslvpn_3
[FW-policy-security-policy_sslvpn_3] source-zone untrust
[FW-policy-security-policy_sslvpn_3] destination-zone trust
[FW-policy-security-policy_sslvpn_3] source-address range 172.16.1.1 172.16.1.100
[FW-policy-security-policy_sslvpn_3] destination-address 10.2.0.0 16
[FW-policy-security-policy_sslvpn_3] action permit
[FW-policy-security-policy_sslvpn_3] quit
# Configure a security policy to allow the FW to communicate with the RADIUS server.
[FW-policy-security] rule name policy_radius_server
[FW-policy-security-policy_radius_server] source-zone local
[FW-policy-security-policy_radius_server] destination-zone trust
[FW-policy-security-policy_radius_server] destination-address 10.2.0.155 32
[FW-policy-security-policy_radius_server] action permit
[FW-policy-security-policy_radius_server] quit
# Configure a RADIUS server template.
[FW] radius-server template radiusserver
[FW-radius-radiusserver] radius-server authentication 10.2.0.155 1812
[FW-radius-radiusserver] radius-server shared-key cipher Admin@1234
[FW-radius-radiusserver] undo radius-server user-name domain-included
If the RADIUS server does not support user names in the user name@authentication domain name format, you must run the undo radius-server user-name domain-included command on the FW so that only the bare user name is sent in the Access-Request. Otherwise, the server will not find the account and authentication will fail.
# Test the connectivity between the FW and RADIUS server.
[FW-radius-radiusserver] test-aaa user0001 123456 radius-template radiusserver
[FW-radius-radiusserver] quit
The user name and password used to test server connectivity do not need to match an account configured on the server. The user name can be any string; the password cannot contain a space, question mark (?), or double quotation mark (").
# Configure an authentication scheme and the authentication domain sslvpn.
[FW] aaa
[FW-aaa] authentication-scheme radius
[FW-aaa-authen-radius] authentication-mode radius
[FW-aaa-authen-radius] quit
[FW-aaa] domain sslvpn
[FW-aaa-domain-sslvpn] authentication-scheme radius
[FW-aaa-domain-sslvpn] radius-server radiusserver
[FW-aaa-domain-sslvpn] service-type ssl-vpn internetaccess
[FW-aaa-domain-sslvpn] reference user current-domain
[FW-aaa-domain-sslvpn] new-user add-temporary group /sslvpn
[FW-aaa-domain-sslvpn] quit
[FW-aaa] quit
# Log in to the web UI of the device and download the CSV template.

# Fill the user information stored on the RADIUS server in the CSV file template.

The first level of the "group path" in the CSV file is the authentication domain name, so the "login name" must not contain "@domain-name". In this example, the user name on the RADIUS server is user0002@sslvpn; in the CSV file the group path is therefore /sslvpn and the login name is user0002.
# Use FTP or SFTP to upload the CSV file to the FW.
# Import users/user groups. In this example, the CSV file name is demo.csv.
[FW] user-manage user-import demo.csv auto-create-group override
Now importing user information......successfully.
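The mapping above (strip the @domain suffix, put the domain as the first level of the group path) is easy to get wrong by hand for a long account list. The following is an added example, not the page's or the FW's own code: it derives the CSV rows from the RADIUS server's account names, rejects names that belong to a domain other than the one bound to the gateway, and re-checks a finished CSV before it is uploaded. Only "login name" and "group path" are modelled, because those are the only column names the page mentions; the real template's header row and the sample account list are assumptions.

```python
"""Build and sanity-check the CSV for `user-manage user-import ... auto-create-group override`.

Added example, not part of the Huawei page. The column names below are an
assumption: the FW's real CSV template has more columns than these two.
"""
import csv
import io

AUTH_DOMAIN = "sslvpn"  # the authentication domain bound to v-gateway example


def login_and_domain(radius_name):
    """'user0002@sslvpn' -> ('user0002', 'sslvpn'); 'user0004' -> ('user0004', None).
    Splits at the last '@' so a mail-style local part keeps its own '@'."""
    if "@" not in radius_name:
        return radius_name, None
    login, _, domain = radius_name.rpartition("@")
    if not login or not domain:
        raise ValueError(f"malformed RADIUS user name: {radius_name!r}")
    return login, domain


def group_path(domain, subgroup=None):
    """First level of the group path is the authentication domain: /sslvpn or /sslvpn/director."""
    if subgroup and "/" in subgroup:
        raise ValueError("subgroup must be a single level")
    return f"/{domain}/{subgroup}" if subgroup else f"/{domain}"


def build_rows(radius_users, auth_domain=AUTH_DOMAIN):
    """radius_users: iterable of (radius_name, subgroup or None).
    Returns (rows, rejected): rows are (login name, group path); rejected holds
    names whose @domain suffix is not the domain the gateway is bound to, which
    would otherwise be imported under the wrong domain."""
    rows, rejected = [], []
    for radius_name, subgroup in radius_users:
        login, domain = login_and_domain(radius_name)
        if domain not in (None, auth_domain):
            rejected.append(radius_name)
            continue
        rows.append((login, group_path(auth_domain, subgroup)))
    return rows, rejected


def write_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["login name", "group path"])  # assumed header names
    writer.writerows(rows)
    return buf.getvalue()


def check_csv(text, auth_domain=AUTH_DOMAIN):
    """Re-parse a CSV before uploading it: every login name must be domain-free and
    every group path must start with /<auth_domain>. Returns a list of problems."""
    problems = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        login, path = row["login name"], row["group path"]
        if "@" in login:
            problems.append(f"line {lineno}: login name {login!r} must not carry @domain")
        if path != f"/{auth_domain}" and not path.startswith(f"/{auth_domain}/"):
            problems.append(f"line {lineno}: group path {path!r} is outside /{auth_domain}")
    return problems


# Constructed sample of what the RADIUS server holds (not data from the page,
# apart from user0002@sslvpn, which the page uses as its example).
RADIUS_USERS = [
    ("user0002@sslvpn", None),
    ("user0003@sslvpn", "director"),
    ("user0004", "employee"),
    ("user0005@corp", None),  # another domain: must not land under /sslvpn
]

if __name__ == "__main__":
    rows, rejected = build_rows(RADIUS_USERS)
    text = write_csv(rows)
    print(text, "rejected:", rejected, "problems:", check_csv(text))
```

Running the block prints a CSV with user0002 under /sslvpn, user0003 under /sslvpn/director and user0004 under /sslvpn/employee, and reports user0005@corp as rejected rather than silently creating a /corp group with auto-create-group.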
# Create an SSL VPN virtual gateway.
[FW] v-gateway example interface GigabitEthernet 0/0/1 private example.huawei.com
[FW-example] quit
# Configure the maximum number of users and maximum number of concurrent users allowed by the virtual gateway.
[FW] v-gateway example max-user 150
[FW] v-gateway example cur-max-user 100
# Bind the virtual gateway to the authentication domain.
[FW] v-gateway example authentication-domain sslvpn
If the virtual gateway is bound to an authentication domain, the user name entered for a login should not carry the authentication domain information. If the user name carries an authentication domain name, the gateway considers the string following the at sign (@) as a part of the user name, not an authentication domain name. For example, if the virtual gateway has been bound to the authentication domain sslvpn, you should enter user0001, not user0001@sslvpn, as the user name.
# Enable the web proxy function.
[FW] v-gateway example
[FW-example] service
[FW-example-service] web-proxy enable
# Add web proxy resources Webmail and ERP.
[FW-example-service] web-proxy link-resource Webmail http://10.2.0.10 show-link
[FW-example-service] web-proxy link-resource ERP http://10.2.0.11 show-link
# Enable the network extension function.
[FW-example-service] network-extension enable
# Configure the network extension address pool.
[FW-example-service] network-extension netpool 172.16.1.1 172.16.1.100 255.255.255.0
# Set the network extension routing mode to manual.
[FW-example-service] network-extension mode manual
# Configure the intranet subnet accessible to network extension users.
[FW-example-service] network-extension manual-route 10.2.0.0 255.255.0.0
[FW-example-service] quit
# Add user groups director and employee to the virtual gateway.
[FW-example] vpndb
[FW-example-vpndb] group /sslvpn/director
[FW-example-vpndb] group /sslvpn/employee
[FW-example-vpndb] quit
# Create roles director and employee.
[FW-example] role
[FW-example-role] role director
[FW-example-role] role employee
# Bind the roles to corresponding user groups.
[FW-example-role] role director group /sslvpn/director
[FW-example-role] role employee group /sslvpn/employee
# Configure functions for the roles. Enable web proxy and network extension for role director and web proxy for role employee.
[FW-example-role] role director web-proxy network-extension enable
[FW-example-role] role employee web-proxy enable
# Associate the roles with web proxy resources.
[FW-example-role] role director web-proxy resource Webmail
[FW-example-role] role director web-proxy resource ERP
[FW-example-role] role employee web-proxy resource Webmail
[FW-example-role] role employee web-proxy resource ERP
[FW-example-role] quit
[FW-example] quit
Virtual gateways of different versions require ActiveX controls of different versions to be installed on the client. If a client is used to access virtual gateways of different versions, delete the old ActiveX control and install the new one before accessing the new virtual gateway. Otherwise, the browser will be stuck at the control loading page.
If the client is on a PC, run the following command to delete a control:
PC> regsvr32 SVNIEAgt.ocx -u -s
PC> del %systemroot%\SVNIEAgt.ocx /q
PC> del %systemroot%\"Downloaded Program Files"\SVNIEAgt.inf /q
PC> cd %appdata%
PC> rmdir svnclient /q /s
If the user name and PIN code pass authentication, the Enter the verification code dialog box is displayed. Enter the SMS verification code or token ID and click Submit.



#
radius-server template radiusserver
 radius-server shared-key %$%$73pu<+^]XV9mn=*qd}_,r3*!%$%$
 radius-server authentication 10.2.0.155 1812
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.0.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
v-gateway example interface GigabitEthernet0/0/1 private example.huawei.com
v-gateway example authentication-domain sslvpn
v-gateway example max-user 150
v-gateway example cur-max-user 100
#
aaa
 authentication-scheme radius
  authentication-mode radius
 #
 domain sslvpn
  authentication-scheme radius
  radius-server radiusserver
  service-type ssl-vpn internetaccess
  reference user current-domain
  new-user add-temporary group /sslvpn
#
v-gateway example
 service
  web-proxy enable
  web-proxy web-link enable
  web-proxy proxy-resource Webmail http://10.2.0.10 show-link
  web-proxy proxy-resource ERP http://10.2.0.11 show-link
  network-extension enable
  network-extension keep-alive enable
  network-extension netpool 172.16.1.1 172.16.1.100 255.255.255.0
  network-extension mode manual
  network-extension manual-route 10.2.0.0 255.255.0.0
 role
  role director condition all
  role director network-extension enable
  role director web-proxy enable
  role director web-proxy resource ERP
  role director web-proxy resource Webmail
  role employee condition all
  role employee web-proxy enable
  role employee web-proxy resource ERP
  role employee web-proxy resource Webmail
#
security-policy
 rule name policy_sslvpn_1
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.1 32
  service https
  action permit
 rule name policy_sslvpn_2
  source-zone local
  destination-zone trust
  destination-address 10.2.0.10 32
  destination-address 10.2.0.11 32
  action permit
 rule name policy_sslvpn_3
  source-zone untrust
  destination-zone trust
  source-address range 172.16.1.1 172.16.1.100
  destination-address 10.2.0.0 16
  action permit
 rule name policy_radius_server
  source-zone local
  destination-zone trust
  destination-address 10.2.0.155 32
  action permit
#
# The following command performs a one-time operation and is not stored in the configuration file.
user-manage user-import demo.csv auto-create-group override
#
# The following configuration is stored in the database, but not in the configuration file.
v-gateway example
 vpndb
  group /sslvpn/director
  group /sslvpn/employee
 role
  role director group /sslvpn/director
  role employee group /sslvpn/employee