
Web: Example for Configuring Authentication on Users at the Headquarters and Branch Offices Using an AD Server

This section provides an example of configuring authentication for Internet access users and remote access users when a FW works as both the egress gateway and the VPN access gateway.

Networking Requirements

As shown in Figure 1, FWs are deployed at the network borders of the headquarters and branch office of an enterprise. Details are as follows:

  • The AD identity authentication mechanism is enabled for the enterprise, and information about users and user groups is stored on an AD server. The enterprise has top executives, R&D employees, and marketing employees. The R&D and marketing employees work in the headquarters and branch offices.
  • The top executives, R&D employees, and marketing employees in the headquarters must be authenticated by FW_A before accessing network resources.
    • Top executives use the fixed IP address (10.3.0.2). To improve efficiency, top executives are exempted from authentication, but for security considerations, the accounts used by top executives must be bound to IP addresses and MAC addresses.
    • R&D employees and marketing employees use domain accounts to log in to AD domains and access network resources.
  • An IPSec tunnel is established between the headquarters and a branch office. Employees in the branch office must be authenticated by FW_A before accessing the resources in the headquarters.
  • The R&D and marketing employees on the move can connect to FW_A using SSL VPN to access network resources.
Figure 1 Authentication on users at the headquarters and branch offices using an AD server

Configuration Roadmap

This example describes only how to configure user management and authentication.

  1. On the FW_A, set the parameters for communication with an AD server.
  2. Configure an authentication domain on the FW_A. The domain name must be the same as that on the AD server.
  3. Configure a policy to import user group information from the AD server to the FW_A.
  4. Set a new user authentication item for the authentication domain. If a user passes the authentication but does not exist on FW_A, the user is a temporary user and is granted the permission of its parent group.

    In this example, only the organizational unit on the AD server is imported. Therefore, all users are new to FW_A. When you configure a new user authentication item, the user is not added to the local user list. Its parent group is obtained based on the server import policy, and the user is granted the permission of its parent group.

  5. Configure authentication for headquarters employees.
    • Configure authentication exemption for top executives.

      Create group and user objects for top executives and bidirectionally bind the user objects to IP and MAC addresses. Create an authentication policy and set the authentication action to no authentication.

    • Configure AD SSO.

      Employees are required to pass FW_A authentication after AD domain authentication. Therefore, configure AD SSO on FW_A to ensure that FW_A can monitor the authentication result packets that the AD server sends to the employees' PCs.

  6. Configure authentication for branch employees and employees on the move.
    1. Configure an authentication scheme and set the authentication mode to AD.
    2. Configure an authentication policy for branch employees connected to the headquarters over IPSec tunnels to be authenticated by FW_A before accessing network resources.

Data Planning

Item / Data / Description

AD server

  • Name: auth_server_ad

  • Primary Authentication Server IP: 10.2.0.50

  • Port: 88

  • Primary Server Host Name: ad.cce.com

  • Base DN: dc=cce,dc=com

  • LDAP Port: 389

  • Administrator DN: cn=administrator,cn=users

  • Administrator Password: Admin@123

On FW_A, set the parameters for communication with the AD server.

The parameter settings on FW_A must be consistent with those on the AD server.

Authentication domain

  • Name: cce.com

  • Access Control: SSL VPN Access and Internet behavior management

  • Authentication Server: auth_server_ad

  • Authentication scheme: ad

  • New User Authentication Item: New users preferentially use the permissions of their parent groups on the server. If their parent groups do not exist on the server, users use the permission of the /cce.com group.

The domain name must be the same as that on the AD server.

User information import policy

  • Name: policy_import

  • Server Type: AD

  • Server Name: auth_server_ad

  • Import Type: Import user groups

  • Target User Group: /cce.com

  • Incremental Synchronization: 120 minutes

  • Overwrite local user records when the current user exists

Import user groups (organizational units) from the AD server to FW_A. Users themselves are not imported; they become temporary users after passing AD authentication.

AD SSO

  • AD SSO: Enable

  • Mode: Monitoring AD authentication packets
  • Server IP address/port: 10.2.0.50:88

Set SSO parameters on the FW_A and configure the FW_A to receive the user login information from the AD server.

Top executive

Group

  • Name: manager

  • Parent Group: /cce.com

User

  • Login Name: user_0001

  • Display Name: Top executive A

  • Parent Group: /cce.com/manager

  • Prohibit Users from Sharing This Account

  • IP/MAC Binding: Bidirectional binding

  • IP/MAC Address: 10.3.0.2/aaaa-bbbb-cccc

Add the top executive to the group manager and configure bidirectional binding between the top executive's account and the IP and MAC addresses. No password is required for the top executive: FW_A identifies the top executive by the bound IP and MAC addresses.

You can repeat the operations in this example to configure multiple user accounts.

Authentication policy for top executives

  • Name: policy_auth_01

  • Source Zone: trust

  • Destination Zone: any

  • Source Address/Region: 10.3.0.2/32

  • Destination Address/Region: any

  • Action: exempt-auth

Authentication is not implemented on the top executive who meets matching conditions. FW_A identifies the top executive based on the bound IP and MAC addresses.

The top executive can access network resources without entering any user name and password.

Authentication policy for branch office

  • Name: policy_auth_02

  • Source Zone: untrust

  • Destination Zone: any

  • Source Address/Region: 10.4.0.0/16

  • Destination Address/Region: any

  • Action: auth

Employees in the branch office must pass the authentication before accessing the resources in the headquarters.
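The import policy and the new-user handling above decide which AD objects become groups on FW_A and which group a temporary user lands in after AD authentication. The following Python is an added example, not Huawei's code or part of this configuration: it evaluates the page's own user-filter and group-filter (as they appear in the Configuration Scripts) against a few constructed AD entries and derives the FW group path under /cce.com for each hit. The entries are made up, and the DN-to-group rule (every OU between the entry and the base DN becomes a nested group, outermost first) is an assumption for illustration. With Import Type set to user groups, only the group hits would be created on FW_A; the user branch shows the parent group a new user would be granted on login.

```python
"""Added example (not Huawei code): apply the page's LDAP import filters to
constructed AD entries and derive the FW group path for each hit."""

# Filters exactly as they appear in the page's import policy (policy_import).
USER_FILTER = ("(&(|(objectclass=person)(objectclass=organizationalPerson))"
               "(cn=*)(!(objectclass=computer)))")
GROUP_FILTER = "(|(objectclass=organizationalUnit)(ou=*))"

BASE_DN = "dc=cce,dc=com"       # server basedn
DEST_GROUP = "/cce.com"         # destination-group

# Constructed entries standing in for an AD search result (not real data).
CONSTRUCTED_ENTRIES = {
    "CN=Alice,OU=RD,DC=cce,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": ["Alice"], "sAMAccountName": ["alice"]},
    # Computer accounts carry objectClass person too; the !(computer) term drops them.
    "CN=PC-0042,CN=Computers,DC=cce,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "cn": ["PC-0042"], "sAMAccountName": ["PC-0042$"]},
    "OU=Beijing,OU=RD,DC=cce,DC=com": {
        "objectClass": ["top", "organizationalUnit"], "ou": ["Beijing"]},
    "OU=RD,DC=cce,DC=com": {
        "objectClass": ["top", "organizationalUnit"], "ou": ["RD"]},
}


def parse_filter(text):
    """Parse an RFC 4515 filter (and, or, not, equality, presence) into a tree."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(parse())
            node = (op, kids)
        elif op == "!":
            pos += 1
            node = ("!", [parse()])
        else:
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            node = ("=", attr.lower(), value)
            pos = end
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against an entry (attribute -> list of values).
    Attribute names and values compare case-insensitively, as AD does."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [str(v).lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    if value == "*":                 # presence test, e.g. (cn=*)
        return bool(values)
    return value.lower() in values


def dn_to_group(dn, base_dn=BASE_DN, dest_group=DEST_GROUP):
    """Map a DN to the FW group path under the destination group.
    Assumption for illustration: each OU between the entry and the base DN
    becomes a nested group, outermost OU first."""
    rdns = [r.strip() for r in dn.split(",")]
    base = [r.strip().lower() for r in base_dn.split(",")]
    if [r.lower() for r in rdns[-len(base):]] != base:
        raise ValueError("DN %r is not under %r" % (dn, base_dn))
    ous = [r.split("=", 1)[1] for r in rdns[:-len(base)] if r.lower().startswith("ou=")]
    return "/".join([dest_group] + list(reversed(ous)))


def run_import(entries=CONSTRUCTED_ENTRIES):
    """Return (users, groups): users maps sAMAccountName -> parent group path,
    groups maps OU DN -> group path. Only groups are created with import-type group."""
    user_filter, group_filter = parse_filter(USER_FILTER), parse_filter(GROUP_FILTER)
    users, groups = {}, {}
    for dn, entry in entries.items():
        if matches(group_filter, entry):
            groups[dn] = dn_to_group(dn)
        elif matches(user_filter, entry):
            users[entry["sAMAccountName"][0]] = dn_to_group(dn)
    return users, groups
```

Running run_import() selects alice with parent group /cce.com/RD, creates /cce.com/RD and /cce.com/RD/Beijing, and rejects the computer account even though it carries objectClass person, which is exactly why the page's user filter includes the (!(objectclass=computer)) term.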

Procedure

  1. Choose Network > Interface, set IP addresses for interfaces and assign the interfaces to security zones.

    The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    • Zone: trust
    • IP Address: 10.3.0.1/24

  2. Choose Policy > Security Policy > Security Policy, click Add to configure security policies.
    1. Configure security policies between the DMZ (AD server) and the Local zone so that the FW and the AD server can communicate.

      • Name: local_policy_ad_01
      • Source Zone: local
      • Destination Zone: dmz
      • Destination Address: 10.2.0.50/32
      • Action: Permit

      • Name: local_policy_ad_02
      • Source Zone: dmz
      • Destination Zone: local
      • Source Address: 10.2.0.50/32
      • Action: Permit

    2. Configure a security policy to allow users to access the server cluster.

      • Name: policy_sec_02
      • Source Zone: trust
      • Destination Zone: dmz
      • Source Address: 10.3.0.0/24
      • Action: Permit

    3. Configure a security policy to allow branch office employees to access the authentication page.

      • Name: policy_sec_03
      • Destination Zone: local
      • Service: create a user-defined service (TCP/8887)
      • Action: Permit

  3. On the FW_A, choose Object > Authentication Server > AD, click Add to set the parameters for communication with an AD server.

    The parameter settings on the FW_A must be consistent with those on the AD server.

    For V600R007C20, whether SSL is used for AD authentication cannot be set on the web UI: when you configure the AD server there, SSL (ldap-over-ssl) is enabled by default, and LDAP over SSL must then also be enabled on the AD server (see the operating system guide of the AD server). To disable SSL (no-ssl), click CLI Console in the lower right corner of the web page and, on the CLI configuration page that is displayed, run the ad-server authentication 10.2.0.50 88 no-ssl command in the corresponding AD server template view. From V600R007C20SPC100, the SSL setting is available on the web UI. The following uses no-ssl as an example. Note that with no-ssl the LDAP bind that the user import performs with the administrator DN and password travels in cleartext on TCP 389 between FW_A and the AD server; keep ldap-over-ssl enabled in production and treat no-ssl as a lab setting.

    Click Detect. In the dialog box that is displayed, click OK and enter the user name and password that are configured on the AD server. Click Start Checking to check the connectivity to the AD server.

  4. On the FW_A, choose Object > User > Authentication Domain, click Add to create an authentication domain.

  5. On the FW_A, choose Object > User > User Import > Server Import, click Add to configure a policy to import user group information from the AD server to the FW_A.

  6. Choose Object > User > cce.com, configure the authentication parameters and click Apply.

    • Configure mobile or branch employees to access the HQ for AD server authentication: Set User Location to Authentication server and select the AD server.
    • Import user groups from the AD server: Click Configure on the right of Server Import Policy. A dialog box is displayed. Click Import Immediately corresponding to policy_import. After the import is complete, the user groups on the AD server are displayed in User/User Group/Security Group Management List.
    • Configure authentication exemption for the top executive: Create the user account user_0001 and the user group manager for the top executive, and configure bidirectional binding of the user account to the IP and MAC addresses.
    • Configure AD SSO for HQ employees: Set AD login parameters.

      In this example, AD SSO is configured in monitoring AD authentication packets mode. For configuration in installing AD SSO service program mode, see Web: Example for Configuring AD SSO for Internet Access Users (Install ADSSO_Setup.exe to receive messages from PCs).

    • Configure new user options: A user logs in as a temporary user after passing AD server authentication if FW_A does not have the user.

  7. Choose Object > User > Authentication Option, set the online user timeout duration to 480 minutes.
  8. Choose Object > User > Authentication Policy, click Add to configure authentication policies.
    1. Set the authentication policy for the top executive to authentication exemption.

      • Name: policy_auth_01
      • Source Zone: trust
      • Source Address/Region: 10.3.0.2/32
      • Action: Authentication exemption

    2. Configure an AD SSO authentication policy.

      Configure the action in the authentication policy for users to access the AD server as no-authentication so that the users' authentication packets can go through the FW to the AD server. Configure the action in the authentication policy for users' service traffic to authentication exemption so that the FW can obtain user information through SSO.

      • Name: auth_policy_ad
      • Source Zone: trust
      • Destination Zone: dmz
      • Source Address/Region: 10.3.0.0/24
      • Destination Address/Region: 10.2.0.50/32
      • Action: No authentication

      • Name: auth_policy_service
      • Source Zone: trust
      • Source Address/Region: 10.3.0.0/24
      • Action: Authentication exemption

      If the action of the authentication policy is set to authentication exemption, the FW obtains user information through SSO and permits the traffic when user information fails to be obtained during SSO authentication. If the network has high security requirements, set the action of the authentication policy to portal authentication. Then the FW will implement portal authentication on the users failing the SSO authentication.

    3. Set the AD server authentication policy to portal authentication for branch and mobile employees.

      • Name: policy_auth_02
      • Source Zone: untrust
      • Source Address/Region: 10.4.0.0/16
      • Action: Portal authentication
      • Portal Authentication Template: Disable

  9. After the configuration is complete, you can configure security policies, PBR policies, bandwidth policies, quota control policies, proxy policies, and audit policies that reference the user group objects.

Verification

  • The top executive user_0001 can access network resources without authentication. Other users cannot borrow the top executive's identity (and the permissions granted to group manager), because their IP addresses are not 10.3.0.2 and their MAC addresses are not aaaa-bbbb-cccc. The MAC half of the binding can be checked only because 10.3.0.0/24 is directly connected to GigabitEthernet 0/0/3; behind a Layer 3 hop FW_A would see the router's MAC address instead. Both values can be spoofed on a shared segment, so keep the exemption scoped to the smallest address range that needs it, as the /32 in policy_auth_01 does.
  • Employees in the headquarters can use domain accounts and passwords to log in to the AD domain and access network resources.
  • An employee in the branch office accesses https://10.3.0.1:8887 and enters the user name and password for authentication. After the authentication succeeds, the employee can access the network resources in the headquarters.
  • An employee on the move accesses the authentication page of the SSL VPN virtual gateway and enters the user name and password for authentication. After the authentication succeeds, the employee can access the network resources in the headquarters.
  • On the FW, choose Object > User > Online User to see information about online users.
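The verification results above follow from first-match evaluation of the four authentication policies and from how each action treats identity: No authentication passes traffic without identifying anyone, Authentication exemption identifies the user when it can (binding or SSO) but passes the traffic either way, and Portal authentication passes only identified users and sends the rest to the portal. The following Python is an added example, not Huawei's code: it models that evaluation over the rules listed in the Configuration Scripts, with the bidirectional IP/MAC binding for user_0001. The flows, the online-user table (what AD SSO or a portal login would have recorded) and the default action for traffic that matches no rule are assumptions.

```python
"""Added example (not Huawei code): first-match evaluation of the page's
authentication policies, with the bidirectional IP/MAC binding and the
online-user table that FW_A consults for exempt-auth and auth actions."""
import ipaddress

PORTAL = "https://10.3.0.1:8887"    # portal that branch employees reach (from the page)

# auth-policy rules from the Configuration Scripts, in configured order.
AUTH_POLICY = [
    {"name": "policy_auth_01", "src_zone": "trust", "dst_zone": None,
     "src": "10.3.0.2/32", "dst": None, "action": "exempt-auth"},
    {"name": "auth_policy_ad", "src_zone": "trust", "dst_zone": "dmz",
     "src": "10.3.0.0/24", "dst": "10.2.0.50/32", "action": "none"},
    {"name": "auth_policy_service", "src_zone": "trust", "dst_zone": None,
     "src": "10.3.0.0/24", "dst": None, "action": "exempt-auth"},
    {"name": "policy_auth_02", "src_zone": "untrust", "dst_zone": None,
     "src": "10.4.0.0/16", "dst": None, "action": "auth"},
]

# Local users with bidirectional IP/MAC binding (user_0001 from the data plan).
BINDINGS = {"user_0001": {"ip": "10.3.0.2", "mac": "aaaa-bbbb-cccc"}}


def _in(cidr, ip):
    """True when cidr is unset (any) or contains ip."""
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def match_rule(rule, flow):
    return (rule["src_zone"] in (None, flow["src_zone"])
            and rule["dst_zone"] in (None, flow["dst_zone"])
            and _in(rule["src"], flow["src_ip"])
            and _in(rule["dst"], flow["dst_ip"]))


def lookup_rule(flow):
    """First matching rule wins, as in the FW's ordered auth-policy list."""
    return next((r for r in AUTH_POLICY if match_rule(r, flow)), None)


def identify_user(flow, online_users):
    """Return the user FW_A attributes to this flow, or None.
    online_users maps source IP -> user learned from AD SSO or a portal login
    (constructed here). Bindings take precedence and are bidirectional: the
    bound IP may only be user_0001, and user_0001 is accepted only from that
    IP and MAC. flow['mac'] is None when the source sits behind a router."""
    for user, bind in BINDINGS.items():
        if bind["ip"] == flow["src_ip"]:
            return user if flow.get("mac") == bind["mac"] else None
    user = online_users.get(flow["src_ip"])
    return None if user in BINDINGS else user      # bound user from an unbound IP


def decide(flow, online_users):
    """Apply the matched rule's action. Assumption: traffic matching no rule
    gets no authentication."""
    rule = lookup_rule(flow)
    name = rule["name"] if rule else None
    action = rule["action"] if rule else "none"
    if action == "none":            # no authentication, no identity lookup
        return {"rule": name, "user": None, "permitted": True, "portal": None}
    user = identify_user(flow, online_users)
    if action == "exempt-auth":     # identity is looked up but never required
        return {"rule": name, "user": user, "permitted": True, "portal": None}
    # action == "auth": unknown users are redirected to the portal first
    return {"rule": name, "user": user, "permitted": user is not None,
            "portal": None if user else PORTAL}
```

The second scenario in the checks is the one worth internalising: a PC that takes 10.3.0.2 with a different MAC still matches policy_auth_01 and its traffic is still permitted by the exemption, but it is not identified as user_0001, so any security, bandwidth or audit policy that references group manager will not apply to it.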

Configuration Scripts

#
 sysname FW_A
#
 user-manage online-user aging-time 480
 user-manage single-sign-on ad
  mode no-plug-in
  no-plug-in traffic server-ip 10.2.0.50 port 88
  enable
#
ad-server template auth_server_ad
 ad-server authentication 10.2.0.50 88 no-ssl
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name ad.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
# 
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#        
security-policy
 rule name local_policy_ad_01
  source-zone local
  destination-zone dmz
  destination-address 10.2.0.50 32 
  action permit  
 rule name local_policy_ad_02 
  source-zone dmz 
  destination-zone local  
  source-address 10.2.0.50 32  
  action permit   
 rule name policy_sec_02    
  source-zone trust
  source-address 10.3.0.0 24     
  destination-zone dmz
  action permit
 rule name policy_sec_03    
  destination-zone local
  service protocol tcp destination-port 8887
  action permit
#
 user-manage import-policy policy_import from ad
  server template auth_server_ad  
  server basedn dc=cce,dc=com     
  destination-group /cce.com    
  user-attribute sAMAccountName   
  user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
  group-filter (|(objectclass=organizationalUnit)(ou=*))
  import-type group     
  import-override enable    
  sync-mode incremental schedule interval 120
#
aaa 
 authentication-scheme ad
  authentication-mode ad
 #
 domain cce.com
  service-type internetaccess ssl-vpn
  internet-access mode single-sign-on auto-online password
  authentication-scheme ad 
  ad-server auth_server_ad
  new-user add-temporary group /cce.com auto-import policy_import
#
auth-policy
 rule name policy_auth_01
  source-zone trust
  source-address 10.3.0.2 32
  action exempt-auth
 rule name auth_policy_ad
  source-zone trust
  destination-zone dmz 
  source-address 10.3.0.0 24
  destination-address 10.2.0.50 32
  action none 
 rule name auth_policy_service
  source-zone trust
  source-address 10.3.0.0 24
  action exempt-auth
 rule name policy_auth_02
  source-zone untrust
  source-address 10.4.0.0 16
  action auth

# The following user/group creation configuration is stored in the database, but not in the configuration profile.
user-manage group /cce.com/manager
user-manage user user_0001
 alias Supervisor
 parent-group /cce.com/manager
 undo multi-ip online enable
 bind mode bidirectional
 bind ipv4 10.3.0.2 mac aaaa-bbbb-cccc

# The following configuration is used to perform a one-time operation and not stored in the configuration profile.
execute user-manage import-policy policy_import
test-aaa testname testpassword ad-template auth_server_ad
Copyright © Huawei Technologies Co., Ltd.