
Configuring an AD Server

Context

In an AD server template, you must specify the server type, IP address, and port number. The other parameters have default settings, for example, the Base DN, user filter, and group filter. These default settings can be modified manually.

Ensure that the FW and AD server have the same system time and time zone.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ad-server template template-name

    An AD server template is created and the AD server template view is displayed.

    By default, no AD server template is configured.

  3. Run ad-server authentication ip-address port [ secondary | third ] [ ldap-over-ssl | no-ssl ] or ad-server authentication server-url url [ port ] [ ldap-over-ssl | no-ssl ]

    An AD authentication server is created.

    By default, no AD authentication server is configured.

  4. (Optional) Run ad-server source { loopback interface-number | ip-address ip-address | vlanif interface-number }

    The source IP address that the device uses when sending packets to the AD server is configured.

    By default, when a device sends packets to the AD server, the IP address of the actual outbound interface is used as the source IP address.

    If the specified loopback or VLANIF interface does not exist, or no IP address is configured on it, the device uses the IP address of the actual outbound interface as the source IP address.

  5. Run ad-server authentication base-dn base-dn

    The Base DN of the AD server is set.

    By default, the Base DN is dc=my-domain,dc=com.

  6. Run the following commands as required.

    With anonymous login, no password is required, which introduces security risks. Evaluate this thoroughly before deciding whether to enable anonymous login.

    • The server allows administrators to log in anonymously.

      Run the ad-server authentication manager-anonymous enable command to allow administrators to access the AD server anonymously.

      By default, administrators are not allowed to access an AD authentication server anonymously.

      After the configuration, if you run the ad-server authentication manager manager-dn password [ repassword ] command again to configure the administrator DN and password of the AD server, the administrator anonymous login configuration will be cleared.

    • The server does not allow administrators to log in anonymously.

      To configure the administrator DN and password of the AD server, run the ad-server authentication manager manager-dn password [ repassword ] command.

      By default, no administrator DN and password of an AD authentication server is configured.

      If you run the ad-server authentication manager-anonymous enable command again after the configuration, the administrator DN and password are cleared, and the Base DN is also deleted.

  7. Run ad-server authentication host-name host-name [ secondary | third ]

    The host name of the AD authentication server is set.

    By default, no host name for an AD authentication server is configured.

  8. Run ad-server authentication ldap-port port

    The LDAP port of an AD authentication server is set.

    By default, the LDAP port number of an AD authentication server is 389.

  9. Run ad-server authorization bind-user enable

    User binding is configured during AD authorization.

    By default, user binding is performed during AD authorization.

  10. (Optional) Run ad-server user-filter field

    The user filter of the AD server is set.

    By default, the user attribute of an AD server is sAMAccountName.

  11. (Optional) Run ad-server group-filter field

    The group filter of the AD server is set.

    By default, the group filter is ou.

  12. (Optional) Run ad-server ip-address-filter field mask-filter field

    The IP address filter of the AD server is set.

    By default, no IP address filtering field for the AD server is configured.

  13. (Optional) Run ad-server mobile-number-filter field

    The mobile number filter of the AD server is set.

    By default, no mobile number filtering field for the AD server is configured.

  14. (Optional) Run ad-server time-stamp-filter field

    The timestamp attribute filtering field of the AD server is set.

    By default, the timestamp attribute filtering field of the AD server is createTimeStamp.

  15. (Optional) Run ad-server authentication manager-with-base-dn enable

    The administrator DN carries the Base DN of the AD server.

    By default, an administrator DN carries a Base DN.

  16. (Optional) Run ad-server cipher-suite { aes256-hmac-sha1 | rc4-hmac-md5 }

    The cipher suite used for interaction between the device and the Kerberos server integrated in the AD server is configured.

    By default, the cipher suite used for interaction between the device and the Kerberos server integrated in the AD server is aes256-hmac-sha1.

    If the cipher suite aes256-hmac-sha1 is specified, user names on the AD server are case-sensitive. If the cipher suite rc4-hmac-md5 is specified, user names on the AD server are case-insensitive.

    The cipher suite selected here must be enabled on the AD server. You can run the secpol.msc command in the Run window of the AD server to access the Local Security Policy window. Then, choose Security Settings > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos to check whether the cipher suite of the AD server is enabled.

  17. Run return

    Return to the user view.

  18. (Optional) Run ad-server authentication second-stage simple

    Set the authentication mode in the second stage of AD authentication on the AD authentication server to simple.

    By default, the authentication mode in the second stage of AD authentication on the AD authentication server is not simple.

    This function is supported in V600R007C20SPC602 and later versions, and this function takes effect only on AD authentication servers.

    To use this function, at least one AD authentication server must be configured in the AD authentication server template, and the SSL function must be enabled on all AD authentication servers.

  19. (Optional) Test connectivity between the device and server.

    1. To return to the user view, run the return command.
    2. To test whether a user can pass AD authentication, run the test-aaa user-name user-password ad-template template-name command.
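As an added example, not part of the product documentation: a small Python audit that groups the ad-server commands of each template and flags the settings this page singles out (anonymous administrator login, a server configured with no-ssl, the rc4-hmac-md5 cipher suite, and a Base DN left at the default dc=my-domain,dc=com). The configuration excerpt, its layout, the template names, addresses and DNs are constructed assumptions, not device output.

```python
import re

# Constructed sample excerpt (layout assumed, not captured from a device): one
# template with the stronger options, one with the options the page flags as risky.
SAMPLE_CONFIG = """\
ad-server template corp-ad
 ad-server authentication 10.1.1.10 636 ldap-over-ssl
 ad-server authentication base-dn dc=corp,dc=example,dc=com
 ad-server authentication manager cn=fw-bind,dc=corp,dc=example,dc=com PASSWORD-PLACEHOLDER
 ad-server cipher-suite aes256-hmac-sha1
#
ad-server template legacy-ad
 ad-server authentication 10.1.1.11 389 no-ssl
 ad-server authentication manager-anonymous enable
 ad-server cipher-suite rc4-hmac-md5
#
"""

def parse_templates(config):
    """Group the ad-server commands under the template they belong to."""
    templates, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ad-server template (\S+)$", line)
        if m:
            current = m.group(1)
            templates[current] = []
        elif current and line.startswith("ad-server "):
            templates[current].append(line)
    return templates

def audit_template(cmds):
    """Return findings for one template, using the defaults this page states."""
    findings = []
    if not any(c.startswith("ad-server authentication base-dn ") for c in cmds):
        findings.append("Base DN not set; default dc=my-domain,dc=com in effect")
    for c in cmds:
        if c == "ad-server authentication manager-anonymous enable":
            findings.append("anonymous administrator login enabled")
        elif c.startswith("ad-server authentication ") and c.endswith(" no-ssl"):
            findings.append("authentication server configured with no-ssl")
        elif c == "ad-server cipher-suite rc4-hmac-md5":
            findings.append("Kerberos cipher suite is rc4-hmac-md5")
    return findings

def audit(config):
    """Map each template name to its findings (an empty list means clean)."""
    return {name: audit_template(cmds) for name, cmds in parse_templates(config).items()}
```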

Copyright © Huawei Technologies Co., Ltd.