
CLI: Example for Configuring Authentication on Users at the Headquarters and Branch Offices Using an AD Server

This section provides an example for configuring authentication on Internet access users and remote access users when an FW works as both the egress gateway and the VPN access gateway.

Networking Requirements

As shown in Figure 1, FWs are deployed at the network borders of the headquarters and branch office of an enterprise. Details are as follows:

  • The enterprise uses AD identity authentication, and information about users and user groups is stored on an AD server. The enterprise has top executives, R&D employees, and marketing employees. The R&D and marketing employees work in the headquarters and branch offices.
  • The top executives, R&D employees, and marketing employees in the headquarters must be authenticated by FW_A before accessing network resources.
    • Top executives use the fixed IP address (10.3.0.2). To improve efficiency, top executives are exempted from authentication, but for security considerations, the accounts used by top executives must be bound to IP addresses and MAC addresses.
    • R&D employees and marketing employees use domain accounts to log in to AD domains and access network resources.
  • An IPSec tunnel is established between the headquarters and a branch office. Employees in the branch office must be authenticated by FW_A before accessing the resources in the headquarters.
  • The R&D and marketing employees on the move can connect to FW_A using SSL VPN to access network resources.
Figure 1 Authentication on users at the headquarters and branch offices using an AD server

Configuration Roadmap

This example describes only how to configure user management and authentication.

  1. On the FW_A, set the parameters for communication with an AD server.
  2. Configure an authentication domain on the FW_A. The domain name must be the same as that on the AD server.
  3. Configure a policy to import user group information from the AD server to the FW_A.
  4. Configure the new user authentication item for the authentication domain. A user who passes authentication but does not exist on FW_A is treated as a temporary user and granted the permissions of its parent group.

    In this example, only the organizational units on the AD server are imported, so every user is new to FW_A. With this item configured, the user is not added to the local user list; its parent group is looked up through the server import policy, and the user is granted that group's permissions.

  5. Configure authentication for headquarters employees.
    • Configure authentication exemption for top executives.

      Create group and user objects for top executives and bidirectionally bind the user objects to IP and MAC addresses. Create an authentication policy and set the authentication action to no authentication.

    • Configure AD SSO.

      Employees are required to pass FW_A authentication after AD domain authentication. Therefore, configure AD SSO on FW_A to ensure that FW_A can monitor the authentication result packets that the AD server sends to the employees' PCs.

  6. Configure authentication on branch employees and the employees on the move.
    1. Configure an authentication scheme and set the authentication mode to AD.
    2. Configure an authentication policy for branch employees connected to the headquarters over IPSec tunnels to be authenticated by FW_A before accessing network resources.

Data Planning

The following entries list, for each item, the data to configure and a description of its purpose.

Item: AD server

Data:

  • Name: auth_server_ad

  • Primary Authentication Server IP: 10.2.0.50

  • Port: 88

  • Primary Server Host Name: ad.cce.com

  • Base DN: dc=cce,dc=com

  • LDAP Port: 389

  • Administrator DN: cn=administrator,cn=users

  • Administrator Password: Admin@123

Description: On FW_A, set the parameters for communication with the AD server. The settings on FW_A must be consistent with those on the AD server. Admin@123 is the example value used throughout this page; in a real deployment, use a dedicated bind account with the least privilege needed for the lookups and a password of your own.

Item: Authentication domain

Data:

  • Name: cce.com

  • Access Control: SSL VPN Access and Internet behavior management

  • Authentication Server: auth_server_ad

  • Authentication scheme: ad

  • New User Authentication Item: New users are added as temporary users and preferentially take the permissions of the parent group found for them through the import policy. If no parent group can be found, they take the permissions of the /cce.com group.

Description: The domain name must be the same as the AD domain name.

Item: User information import policy

Data:

  • Name: policy_import

  • Server Type: AD

  • Server Name: auth_server_ad

  • Import Type: Import user groups

  • Target User Group: /cce.com

  • Incremental Synchronization: 120 minutes

  • Overwrite local user records when the current user exists

Description: Import user group (organizational unit) information from the AD server to FW_A. Only groups are imported; individual user accounts are not.

Item: AD SSO

Data:

  • AD SSO: Enable

  • Mode: Monitoring AD authentication packets

  • Server IP address/port: 10.2.0.50:88

Description: Set the SSO parameters on FW_A so that it monitors the authentication packets (Kerberos, port 88) that the AD server sends to the employees' PCs and learns the user login information from them.

Item: Top executive

Group:

  • Name: manager

  • Parent Group: /cce.com

User:

  • Login Name: user_0001

  • Display Name: Supervisor

  • Parent Group: /cce.com/manager

  • Prohibit Users from Sharing This Account

  • IP/MAC Binding: Bidirectional binding

  • IP/MAC Address: 10.3.0.2/aaaa-bbbb-cccc

Description: Add the top executive to the manager group and bidirectionally bind the user to the IP and MAC addresses. No password is required; FW_A identifies the top executive by the bound IP and MAC addresses. Repeat these operations to configure additional accounts.

Item: Authentication policy for top executives

Data:

  • Name: policy_auth_01

  • Source Zone: trust

  • Destination Zone: any

  • Source Address/Region: 10.3.0.2/32

  • Destination Address/Region: any

  • Action: exempt-auth

Description: No authentication is performed on traffic that matches this rule, so the top executive accesses network resources without entering a user name or password. The rule itself matches only on the source IP address; the MAC address is checked through the user's bidirectional binding, which is what stops another host from being attributed to user_0001.

Item: Authentication policy for branch office

Data:

  • Name: policy_auth_02

  • Source Zone: untrust

  • Destination Zone: any

  • Source Address/Region: 10.4.0.0/16

  • Destination Address/Region: any

  • Action: auth

Description: Employees in the branch office must pass authentication before accessing the resources in the headquarters.

Procedure

  1. Set IP addresses for interfaces and assign the interfaces to security zones. The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    <FW_A> system-view
    [FW_A] interface GigabitEthernet 0/0/3
    [FW_A-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW_A-GigabitEthernet0/0/3] quit
    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
    [FW_A-zone-trust] quit

  2. Configure security policies.
    1. Configure security policies between the Local zone and the DMZ (where the AD server resides) so that FW_A and the AD server can communicate.

      [FW_A] security-policy
      [FW_A-policy-security] rule name local_policy_ad_01
      [FW_A-policy-security-rule-local_policy_ad_01] source-zone local
      [FW_A-policy-security-rule-local_policy_ad_01] destination-zone dmz
      [FW_A-policy-security-rule-local_policy_ad_01] destination-address 10.2.0.50 32
      [FW_A-policy-security-rule-local_policy_ad_01] action permit
      [FW_A-policy-security-rule-local_policy_ad_01] quit
      [FW_A-policy-security] rule name local_policy_ad_02
      [FW_A-policy-security-rule-local_policy_ad_02] source-zone dmz
      [FW_A-policy-security-rule-local_policy_ad_02] destination-zone local
      [FW_A-policy-security-rule-local_policy_ad_02] source-address 10.2.0.50 32
      [FW_A-policy-security-rule-local_policy_ad_02] action permit
      [FW_A-policy-security-rule-local_policy_ad_02] quit

    2. Configure a security policy to allow headquarters users to access the servers in the DMZ.

      [FW_A-policy-security] rule name policy_sec_02
      [FW_A-policy-security-rule-policy_sec_02] source-zone trust
      [FW_A-policy-security-rule-policy_sec_02] destination-zone dmz
      [FW_A-policy-security-rule-policy_sec_02] source-address 10.3.0.0 24
      [FW_A-policy-security-rule-policy_sec_02] action permit
      [FW_A-policy-security-rule-policy_sec_02] quit

    3. Configure a security policy to allow branch office employees to reach the built-in authentication page (TCP port 8887 on FW_A). As written, this rule accepts connections to port 8887 from every zone; adding source-zone untrust and source-address 10.4.0.0 16 to the rule limits the portal to the branch subnet.

      [FW_A-policy-security] rule name policy_sec_03
      [FW_A-policy-security-rule-policy_sec_03] destination-zone local
      [FW_A-policy-security-rule-policy_sec_03] service protocol tcp destination-port 8887
      [FW_A-policy-security-rule-policy_sec_03] action permit
      [FW_A-policy-security-rule-policy_sec_03] quit
      [FW_A-policy-security] quit

  3. On FW_A, set the parameters for communication with the AD server.

    The parameter settings on FW_A must be consistent with those on the AD server. The no-ssl keyword means that the LDAP lookups FW_A sends to port 389, including the administrator bind DN and password, are not protected by TLS, so keep the path between FW_A and the DMZ on a protected segment. In the test-aaa command, replace testname and testpassword with a real domain account to verify that the template works.

    [FW_A] ad-server template auth_server_ad             
    [FW_A-ad-auth_server_ad] ad-server authentication 10.2.0.50 88 no-ssl       
    [FW_A-ad-auth_server_ad] ad-server authentication base-dn dc=cce,dc=com
    [FW_A-ad-auth_server_ad] ad-server authentication manager cn=administrator,cn=users Admin@123
    [FW_A-ad-auth_server_ad] ad-server authentication host-name ad.cce.com
    [FW_A-ad-auth_server_ad] ad-server authentication ldap-port 389      
    [FW_A-ad-auth_server_ad] ad-server user-filter sAMAccountName         
    [FW_A-ad-auth_server_ad] ad-server group-filter ou
    [FW_A-ad-auth_server_ad] test-aaa testname testpassword ad-template auth_server_ad
    [FW_A-ad-auth_server_ad] quit

  4. Create an authentication domain.

    [FW_A] aaa
    [FW_A-aaa] domain cce.com
    [FW_A-aaa-domain-cce.com] service-type internetaccess ssl-vpn
    [FW_A-aaa-domain-cce.com] quit
    [FW_A-aaa] quit

  5. Configure a policy to import user group information from the AD server to FW_A.
    1. Configure a policy to import user group information from the AD server.

      [FW_A] user-manage import-policy policy_import from ad 
      [FW_A-import-policy_import] server template auth_server_ad
      [FW_A-import-policy_import] server basedn dc=cce,dc=com
      [FW_A-import-policy_import] destination-group /cce.com
      [FW_A-import-policy_import] user-attribute sAMAccountName
      [FW_A-import-policy_import] import-type group         
      [FW_A-import-policy_import] import-override enable 
      [FW_A-import-policy_import] sync-mode incremental schedule interval 120
      [FW_A-import-policy_import] quit

    2. Execute the import policy to import the user groups to FW_A.

      [FW_A] execute user-manage import-policy policy_import

  6. Set the new user option for the authentication domain on the FW_A.

    [FW_A] aaa
    [FW_A-aaa] domain cce.com
    [FW_A-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import policy_import
    [FW_A-aaa-domain-cce.com] quit
    [FW_A-aaa] quit

  7. Set the online user timeout duration to 480 minutes.

    [FW_A] user-manage online-user aging-time 480

  8. Configure authentication exemption for top executives.
    1. Create a user group object and a user object for a top executive.

      [FW_A] user-manage group /cce.com/manager
      [FW_A-usergroup-/cce.com/manager] quit
      [FW_A] user-manage user user_0001
      [FW_A-localuser-user_0001] alias Supervisor
      [FW_A-localuser-user_0001] parent-group /cce.com/manager
      [FW_A-localuser-user_0001] undo multi-ip online enable
      [FW_A-localuser-user_0001] bind mode bidirectional
      [FW_A-localuser-user_0001] bind ipv4 10.3.0.2 mac aaaa-bbbb-cccc 
      [FW_A-localuser-user_0001] quit

    2. Configure authentication policies.

      [FW_A] auth-policy
      [FW_A-policy-auth] rule name policy_auth_01
      [FW_A-policy-auth-rule-policy_auth_01] source-zone trust
      [FW_A-policy-auth-rule-policy_auth_01] source-address 10.3.0.2 32
      [FW_A-policy-auth-rule-policy_auth_01] action exempt-auth
      [FW_A-policy-auth-rule-policy_auth_01] quit
      [FW_A-policy-auth] quit

  9. Configure AD SSO for headquarters employees.
    1. Set SSO parameters on the FW_A.

      [FW_A] user-manage single-sign-on ad
      [FW_A-sso-ad] mode no-plug-in
      [FW_A-sso-ad] no-plug-in traffic server-ip 10.2.0.50 port 88
      [FW_A-sso-ad] enable
      [FW_A-sso-ad] quit

      In this example, AD SSO is configured in monitoring AD authentication packets mode. For configuration in installing AD SSO service program mode, see CLI: Example for Configuring AD SSO for Internet Access Users (Install ADSSO_Setup.exe to Receive Messages from PCs).

    2. Configure authentication policies. Set the action of the authentication policy for traffic from users to the AD server to none, so that the users' authentication packets pass through FW_A to the AD server without being intercepted. Set the action of the authentication policy for the users' service traffic to exempt-auth, so that FW_A attributes that traffic to the user learned through SSO.

      [FW_A] auth-policy
      [FW_A-policy-auth] rule name auth_policy_ad
      [FW_A-policy-auth-rule-auth_policy_ad] source-zone trust
      [FW_A-policy-auth-rule-auth_policy_ad] destination-zone dmz
      [FW_A-policy-auth-rule-auth_policy_ad] source-address 10.3.0.0 24
      [FW_A-policy-auth-rule-auth_policy_ad] destination-address 10.2.0.50 32
      [FW_A-policy-auth-rule-auth_policy_ad] action none
      [FW_A-policy-auth-rule-auth_policy_ad] quit
      [FW_A-policy-auth] rule name auth_policy_service
      [FW_A-policy-auth-rule-auth_policy_service] source-zone trust
      [FW_A-policy-auth-rule-auth_policy_service] source-address 10.3.0.0 24
      [FW_A-policy-auth-rule-auth_policy_service] action exempt-auth
      [FW_A-policy-auth-rule-auth_policy_service] quit
      [FW_A-policy-auth] quit

      With the action set to exempt-auth, FW_A attributes the traffic to the user learned through SSO, but it still permits the traffic when no SSO user information exists for the source address. If the network has high security requirements, set the action to auth instead: users for whom SSO information is missing are then redirected to portal authentication rather than passed through.

  10. Configure authentication for branch employees and the employees on the move.
    1. Configure an authentication scheme, set the authentication mode to AD authentication, and reference an AD server.

      [FW_A] aaa
      [FW_A-aaa] authentication-scheme ad
      [FW_A-aaa-authen-ad] authentication-mode ad
      [FW_A-aaa-authen-ad] quit
      [FW_A-aaa] domain cce.com
      [FW_A-aaa-domain-cce.com] authentication-scheme ad
      [FW_A-aaa-domain-cce.com] ad-server auth_server_ad
      [FW_A-aaa-domain-cce.com] quit
      [FW_A-aaa] quit

    2. Configure an authentication policy for branch employees.

      [FW_A] auth-policy
      [FW_A-policy-auth] rule name policy_auth_02
      [FW_A-policy-auth-rule-policy_auth_02] source-zone untrust
      [FW_A-policy-auth-rule-policy_auth_02] source-address 10.4.0.0 16
      [FW_A-policy-auth-rule-policy_auth_02] action auth
      [FW_A-policy-auth-rule-policy_auth_02] quit
      [FW_A-policy-auth] quit

  11. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user group objects.

Verification

  • Run the display user-manage group command on FW_A to display information about user groups.
  • The top executive user_0001 can access network resources without authentication. Other users cannot use the user name of the top executive to access network resources because their IP addresses are not 10.3.0.2 and their MAC addresses are not aaaa-bbbb-cccc.
  • Employees in the headquarters can use domain accounts and passwords to log in to the AD domain and access network resources.
  • An employee in the branch office accesses https://10.3.0.1:8887 and enters the user name and password for authentication. After the authentication succeeds, the employee can access the network resources in the headquarters.
  • An employee on the move accesses the authentication page of the SSL VPN virtual gateway and enters the user name and password for authentication. After the authentication succeeds, the employee can access the network resources in the headquarters.
  • Run the display user-manage online-user command on the FW_A to display information about online users.
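The verification items above depend on two behaviours that the configuration only shows implicitly: the authentication policy is evaluated top-down and the first matching rule decides the action, and the bidirectional binding on user_0001 makes the executive's identity depend on the MAC address as well as the IP address. The following Python model is an added example, not code from the page or from Huawei. It takes the four auth-policy rules and the binding exactly as configured on this page; the matching semantics (first match wins, zone "any" matches everything) are a model of the documented behaviour, and the sample flows are constructed.

```python
# Added example, not taken from the Huawei page: a simplified model of two
# behaviours the page describes, written so they can be checked offline.
#   1. Authentication policy matching: rules are tried in configuration order and
#      the first rule whose zones and addresses match decides the action.
#   2. Bidirectional IP/MAC binding: user_0001 is recognised only when both the
#      source IP and the source MAC equal the bound values.
# The four rules and the binding are the ones from this page; the matching
# semantics are a model of the documented behaviour, not the device's code.

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "exempt-auth", "none" or "auth" as on the page
    src_zone: str = "any"
    dst_zone: str = "any"
    src_net: str = "any"    # "address/prefix" or "any"
    dst_net: str = "any"


# Same order as the auth-policy block in the configuration script.
AUTH_POLICY = [
    Rule("policy_auth_01", "exempt-auth", src_zone="trust", src_net="10.3.0.2/32"),
    Rule("auth_policy_ad", "none", src_zone="trust", dst_zone="dmz",
         src_net="10.3.0.0/24", dst_net="10.2.0.50/32"),
    Rule("auth_policy_service", "exempt-auth", src_zone="trust", src_net="10.3.0.0/24"),
    Rule("policy_auth_02", "auth", src_zone="untrust", src_net="10.4.0.0/16"),
]

# user_0001 from the page: bind ipv4 10.3.0.2 mac aaaa-bbbb-cccc, bind mode bidirectional.
BOUND_USERS = {"user_0001": ("10.3.0.2", "aaaa-bbbb-cccc")}


def _in_net(ip, net):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def match_auth_policy(src_zone, dst_zone, src_ip, dst_ip):
    """Return (rule name, action) of the first matching rule; (None, None) if none matches.
    The page does not state the device's default action for unmatched traffic."""
    for rule in AUTH_POLICY:
        if rule.src_zone not in ("any", src_zone) or rule.dst_zone not in ("any", dst_zone):
            continue
        if _in_net(src_ip, rule.src_net) and _in_net(dst_ip, rule.dst_net):
            return rule.name, rule.action
    return None, None


def identify_bound_user(src_ip, src_mac):
    """Bidirectional binding: the user is attributed only when IP and MAC both match.
    A host that borrows 10.3.0.2 with another MAC is therefore not user_0001."""
    for user, (ip, mac) in BOUND_USERS.items():
        if src_ip == ip and src_mac.lower() == mac.lower():
            return user
    return None


if __name__ == "__main__":
    # Constructed sample flows: (src_zone, dst_zone, src_ip, dst_ip)
    flows = [
        ("trust", "untrust", "10.3.0.2", "203.0.113.10"),  # executive to the Internet
        ("trust", "dmz", "10.3.0.7", "10.2.0.50"),         # HQ PC logging on to AD
        ("trust", "untrust", "10.3.0.7", "203.0.113.10"),  # HQ PC service traffic
        ("untrust", "trust", "10.4.1.20", "10.3.0.10"),    # branch PC over IPSec
    ]
    for flow in flows:
        print(flow, "->", match_auth_policy(*flow))
    print("10.3.0.2/aaaa-bbbb-cccc ->", identify_bound_user("10.3.0.2", "aaaa-bbbb-cccc"))
    print("10.3.0.2/dddd-eeee-ffff ->", identify_bound_user("10.3.0.2", "dddd-eeee-ffff"))
```

Note that a headquarters PC's traffic to the AD server hits auth_policy_ad (action none) before auth_policy_service because of rule order; if the two rules were swapped, the logon traffic would be treated as exempt-auth service traffic instead, which is harmless here but is exactly the kind of ordering mistake that matters once an auth rule is added for the same subnet.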

Configuration Scripts

#
 sysname FW_A
#
 user-manage online-user aging-time 480
 user-manage single-sign-on ad
  mode no-plug-in
  no-plug-in traffic server-ip 10.2.0.50 port 88
  enable
#
ad-server template auth_server_ad
 ad-server authentication 10.2.0.50 88 no-ssl
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name ad.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
# 
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#        
security-policy
 rule name local_policy_ad_01
  source-zone local
  destination-zone dmz
  destination-address 10.2.0.50 32 
  action permit  
 rule name local_policy_ad_02 
  source-zone dmz 
  destination-zone local  
  source-address 10.2.0.50 32  
  action permit   
 rule name policy_sec_02    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone dmz
  action permit
 rule name policy_sec_03    
  destination-zone local
  service protocol tcp destination-port 8887
  action permit
#
 user-manage import-policy policy_import from ad
  server template auth_server_ad  
  server basedn dc=cce,dc=com     
  destination-group /cce.com    
  user-attribute sAMAccountName   
  user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
  group-filter (|(objectclass=organizationalUnit)(ou=*))
  import-type group     
  import-override enable    
  sync-mode incremental schedule interval 120
#
aaa 
 authentication-scheme ad
  authentication-mode ad
 #
 domain cce.com
  service-type internetaccess ssl-vpn
  authentication-scheme ad 
  ad-server auth_server_ad
  new-user add-temporary group /cce.com auto-import policy_import
#
auth-policy
 rule name policy_auth_01
  source-zone trust
  source-address 10.3.0.2 32
  action exempt-auth
 rule name auth_policy_ad
  source-zone trust
  destination-zone dmz 
  source-address 10.3.0.0 24
  destination-address 10.2.0.50 32
  action none 
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
 rule name policy_auth_02
  source-zone untrust
  source-address 10.4.0.0 16
  action auth

# The following user/group creation configuration is stored in the database, but not in the configuration profile.
user-manage group /cce.com/manager
user-manage user user_0001
 alias Supervisor
 parent-group /cce.com/manager
 undo multi-ip online enable
 bind mode bidirectional
 bind ipv4 10.3.0.2 mac aaaa-bbbb-cccc

# The following configuration is used to perform a one-time operation and not stored in the configuration profile.
execute user-manage import-policy policy_import
test-aaa testname testpassword ad-template auth_server_ad
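The configuration script shows the two LDAP search filters that the import policy uses against the AD server (user-filter and group-filter). The following Python evaluator is an added example, not code from the page or from Huawei: it parses the RFC 4515 subset those two filters use and runs them over constructed directory entries, so you can see offline which objects an import would pick up. The directory entries are constructed for the example; the filter strings are copied from the script above.

```python
# Added example, not taken from the Huawei page: a minimal evaluator for the
# LDAP search filters that the import policy sends to the AD server, run over
# constructed directory entries so the selection logic can be checked offline.
# It supports the RFC 4515 subset the page's filters use: (&...), (|...), (!...),
# equality (attr=value) and presence (attr=*). Escapes and substring filters
# are not handled.

# The two filters exactly as they appear in the page's configuration script.
USER_FILTER = ("(&(|(objectclass=person)(objectclass=organizationalPerson))"
               "(cn=*)(!(objectclass=computer)))")
GROUP_FILTER = "(|(objectclass=organizationalUnit)(ou=*))"

# Constructed sample entries (not from any real directory). A Windows computer
# object carries person/organizationalPerson too, which is why the user filter
# has to exclude objectclass=computer explicitly.
SAMPLE_ENTRIES = {
    "CN=Alice Zhang,OU=RD,DC=cce,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": ["Alice Zhang"], "sAMAccountName": ["alice"]},
    "CN=PC-0420,OU=RD,DC=cce,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "cn": ["PC-0420"], "sAMAccountName": ["PC-0420$"]},
    "OU=RD,DC=cce,DC=com": {
        "objectClass": ["top", "organizationalUnit"], "ou": ["RD"]},
    "CN=Marketing-Team,CN=Users,DC=cce,DC=com": {
        "objectClass": ["top", "group"], "cn": ["Marketing-Team"]},
}


def parse_filter(text):
    """Parse a filter string into ('&'|'|', [children]), ('!', child) or ('=', attr, value)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", child)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"malformed item at offset {pos}")
        pos = end + 1
        return ("=", attr.lower(), value)   # attribute names are case-insensitive

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    _, attr, value = tree
    values = [str(v) for key, vals in entry.items() if key.lower() == attr for v in vals]
    if value == "*":                       # presence: attribute has at least one value
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # AD string matching ignores case


def select_entries(filter_text, entries=SAMPLE_ENTRIES):
    """Return the DNs of the entries the filter selects, in input order."""
    tree = parse_filter(filter_text)
    return [dn for dn, attrs in entries.items() if matches(tree, attrs)]


if __name__ == "__main__":
    for label, flt in (("users", USER_FILTER), ("groups", GROUP_FILTER)):
        print(label, "->", select_entries(flt))
```

Running it shows that the user filter selects the person entry but not the computer object, and that the group filter selects only the organizational unit: the AD security group Marketing-Team matches neither filter, which is why this page's import (import-type group with the default group-filter) brings in OUs and nothing else, and why the new-user item falls back to /cce.com when a user's parent OU has not been imported.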
Copyright © Huawei Technologies Co., Ltd.