
Limitations and Precautions for User and User Authentication

Hardware Requirements

Supported by all models.

License Requirements

User and user authentication is not license-controlled.

Networking deployment

  • If the source IP addresses of packets sent by multiple intranet hosts are translated into the same IP address by NAT, the FW that receives the packets authenticates users based on the translated IP address and treats these hosts as one host.
  • If Layer 3 devices exist between a user and the FW, a user who is bound to a MAC address and exempted from authentication cannot log in. If the user is unidirectionally bound to a MAC address and SSO authentication is used, the MAC address binding does not take effect, and the user can be authenticated from other MAC addresses.
  • In AD SSO login scenarios, if the authentication packets that the FW parses do not pass through the FW, the FW must use a dedicated Layer 2 port to receive mirrored authentication packets. This port cannot be used for other services, and the management port cannot receive mirrored packets.
  • In RADIUS SSO scenarios, if the accounting packets that the FW parses do not pass through the FW, the FW must use a dedicated Layer 2 port to receive mirrored accounting packets. This interface cannot be used for other services, and the management port cannot receive mirrored packets.
  • If IP addresses are assigned dynamically by DHCP, configure the DHCP server to assign fixed IP addresses to the users for whom IP/MAC binding is configured.
  • If a user accesses the Internet through a proxy server, the FW cannot obtain the user identity through NTLM authentication.
  • When you deploy the AD SSO service, you configure information such as the shared key and the administrator password in the AD SSO program. For information security, install the AD SSO program on Windows Server 2012 or later, or on Windows 8 or later.
  • When the FW participates in user-defined portal authentication combined with MAC address-prioritized portal authentication, ensure that the network between the user and the FW is a Layer 2 network and that the interface connecting the FW to the user zone is a Layer 2 physical interface or a Layer 2 Eth-Trunk interface.
  • User-based policy control is not supported for Layer 2 traffic.

Specification Limitation

  • The redirection mode for authentication, the authentication page, and SSO can be configured only on the public system. The user management and authentication configurations of the public system apply to all virtual systems.
  • User-defined portal authentication is not supported in a virtual system.
  • Users cannot use IPv6 addresses to access the local portal authentication page configured in a virtual system.
  • Authentication policies support IPv6 addresses.
  • The local portal authentication page can be configured on a virtual system. The number of virtual systems on which it can be configured varies by device model.

    The local portal authentication page cannot be configured on virtual systems beyond that number, but the local portal authentication page configured in the root system can be used by virtual systems.

  • The FW cannot push the local portal authentication page for cross-virtual-system traffic.
  • Dynamic security groups are supported only in portal authentication scenarios.
  • In AD SSO scenarios, if the login and logout scripts are deployed on a non-AD server in the AD domain, ensure that this server and the AD server run the same operating system.
  • In plug-in-free AD SSO scenarios, if the authentication result packet is fragmented and key information (such as the user name, password, and authentication mode) is not in the first fragment, the login fails.
  • In the AD server authentication scenario, the password supports only ASCII characters 32 to 126, that is, uppercase letters, lowercase letters, digits (0-9), and special characters.
  • When the FW participates in user-defined portal authentication, the FW has by default the Portal server template default, the Portal access template default, and the Portal authentication template portal_authen_default. These three default templates cannot be deleted. No other Portal server template or Portal access template can be created. Other portal authentication templates can be created; however, the authentication scheme can use the default portal authentication template.
  • When the FW participates in user-defined portal authentication combined with MAC address-prioritized portal authentication, if the Agile Controller version is earlier than V100R003C50 and a user passes MAC address-prioritized authentication, the online user table does not contain the user name (the FW uses the MAC address in place of the user name). In this case, user-based policy control does not take effect.
  • When the FW participates in user-defined portal authentication combined with MAC address-prioritized portal authentication and the user IP address is dynamically allocated by a DHCP server, ensure that the online user timeout period is less than half of the DHCP lease period. Otherwise, when the FW detects a change in the user's IP-to-MAC address mapping, the user's access service may be delayed.
  • In 3.1.8 and later versions, the AD SSO service program can query user login logs from AD servers running Windows Server 2003, Windows Server 2008, Windows Server 2012, and Windows Server 2016. In earlier versions, user login logs can be queried only from AD servers running Windows Server 2003, Windows Server 2008, and Windows Server 2012.

Restriction on the user/user group/security group name

  • By default, the names of users, user groups, and security groups on the FW can contain only Chinese characters, English letters, digits, and special characters. To support other languages, such as German and French, run the language character-set UTF-8 command to switch the encoding to UTF-8.
  • On the FW, a user name cannot contain slashes (/), commas (,), quotation marks ("), question marks (?), or at signs (@).

    When a user is imported from an AD/LDAP/Agile Controller server and the user name on the server contains any of the preceding characters, the FW converts these characters into underscores (_) during the import. Keeping users such as a/b, a,b, a"b, a?b, a@b, and a_b on the server at the same time is not recommended, because they all become the same user after being imported to the FW.

  • On the FW, a user name cannot start or end with a space. If such users exist on the server, their import fails.
  • On the FW, a user group name cannot contain quotation marks (") or slashes (/).

    When a user group is imported from an AD/LDAP/Agile Controller server and the user group name on the server contains either of the preceding characters, the FW converts these characters into underscores (_) during the import. Keeping user groups such as a/b, a"b, and a_b on the server at the same time is not recommended, because they become the same user group after being imported to the FW, so users of user group a/b or a"b get the same permissions as users of user group a_b.

  • On the FW, a security group name cannot contain slashes (/), commas (,), quotation marks ("), question marks (?), or at signs (@).

    When a security group is imported from an AD/LDAP server and the security group name on the server contains any of the preceding characters, the FW converts these characters into underscores (_) during the import. Keeping security groups such as a/b, a,b, a"b, a?b, a@b, and a_b on the server at the same time is not recommended, because they become the same security group after being imported to the FW, so users of security group a/b, a,b, a"b, a?b, or a@b get the same permissions as users of security group a_b.

  • When a single sign-on user goes online, the FW checks whether the user name contains slashes (/), commas (,), double quotation marks ("), question marks (?), or at signs (@). If it does, the user cannot go online.
  • When the FW participates in user-defined portal authentication, the Agile Controller delivers the user's security group to the FW. After the FW finds the security group locally, the user is granted the permissions of that security group. If the name of the delivered security group contains invalid characters, such as slashes (/), commas (,), double quotation marks ("), question marks (?), or at signs (@), the FW converts the invalid characters into underscores (_) and then checks whether the converted security group exists locally.
  • Only a user whose user name, security group name, and user group name are entirely in Chinese or English can log in. To support other languages, such as German and French, run the language character-set UTF-8 command to switch the encoding to UTF-8.
  • User names, user group names, and security group names on the FW are case-insensitive; the FW stores them in lowercase. If these names are imported from a server, use lowercase letters in the names on the server. Otherwise, authentication fails when you log in to the FW through the server.
  • When importing a user group, ensure that the user group name contains at most 225 bytes. Otherwise, the import fails.
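
The following is an added example that is not part of this page or of the FW software. It applies the import-time rules listed above (invalid characters rewritten to underscores, names stored in lowercase, leading or trailing spaces rejected for users, the 225-byte limit for user group names) to constructed server names, so that collisions such as a/b and a_b can be spotted before an import. It also mirrors the check made on a security group delivered by the Agile Controller. The function names, the use of UTF-8 to count bytes, and the sample names are the author's assumptions.

```python
"""Preview how user, user-group and security-group names from an AD/LDAP server
will be stored on the FW, and flag names that collide after conversion.

Added example, not FW code. Rules are taken from the limitations above; the
function names, byte counting in UTF-8 and sample data are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Characters the FW rewrites to "_" on import, per object type.
INVALID_CHARS = {
    "user": set('/,"?@'),
    "security_group": set('/,"?@'),
    "user_group": set('/"'),
}
MAX_USER_GROUP_BYTES = 225  # user group import fails above this length


def fw_name(name: str, kind: str) -> Optional[str]:
    """Return the name as the FW would store it, or None if the import fails."""
    if kind == "user" and name != name.strip(" "):
        return None  # user names may not start or end with a space
    if kind == "user_group" and len(name.encode("utf-8")) > MAX_USER_GROUP_BYTES:
        return None  # assumption: length is measured in UTF-8 bytes
    converted = "".join("_" if ch in INVALID_CHARS[kind] else ch for ch in name)
    return converted.lower()  # names are case-insensitive and stored lowercase


def sso_login_allowed(username: str) -> bool:
    """An SSO user whose name contains an invalid character cannot go online."""
    return not any(ch in INVALID_CHARS["user"] for ch in username)


def find_collisions(names: Iterable[str], kind: str) -> Dict[str, List[str]]:
    """Group server-side names that map to the same stored FW name."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for name in names:
        stored = fw_name(name, kind)
        if stored is not None:
            buckets[stored].append(name)
    return {stored: srcs for stored, srcs in buckets.items() if len(srcs) > 1}


def resolve_delivered_security_group(delivered: str, local_groups: Iterable[str]) -> Optional[str]:
    """Mirror the FW's handling of a security group delivered by the Agile
    Controller: convert invalid characters, then look the result up locally."""
    candidate = fw_name(delivered, "security_group")
    return candidate if candidate in set(local_groups) else None


if __name__ == "__main__":
    # Constructed sample of names as they might exist on the directory server.
    sample_users = ["a/b", "a,b", 'a"b', "a?b", "a@b", "a_b", " bob", "Carol"]
    print(find_collisions(sample_users, "user"))  # {'a_b': ['a/b', 'a,b', 'a"b', 'a?b', 'a@b', 'a_b']}
    print(resolve_delivered_security_group("Sales/EMEA", {"sales_emea"}))  # sales_emea
```

Run it against an export of the directory's user and group names before enabling the import; any bucket with more than one source name means those accounts will be merged on the FW.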

Functions

  • If persistent connections exist on the network and the user information of the persistent-connection services ages out, the user sessions also age out and the persistent-connection services are interrupted. To avoid this, configure an authentication policy that exempts the persistent-connection services from authentication.
  • The user organizational structure consists of multiple tree-shaped structures, each with an authentication domain at the top. Note the following:
    • A command that references a user in a non-default authentication domain must carry "@authentication-domain-name". For example, user1@test indicates user1 in the test authentication domain.
    • Users are created, moved, and imported from servers within their own authentication domains. Cross-domain operations are not allowed.
  • In AD SSO login scenarios, prolong the users' online duration on the FW accordingly so that the FW does not delete users' online monitoring entries before they log out.

    If a user does not initiate service traffic within the online duration, the FW deletes the user's online monitoring entry. If the user has not logged out of the AD server, no new authentication is triggered, and the user cannot access services because the FW has already deleted the user's online monitoring entry.

  • In Agile Controller SSO login scenarios, prolong the users' online duration on the FW based on the actual network requirements.
    • If online user synchronization is not enabled on the Agile Controller and a user does not initiate service traffic within the online duration, the FW deletes the user's online monitoring entry. If the user has not logged out of the Agile Controller server, no new authentication is triggered, and the user cannot access services because the FW has already deleted the user's online monitoring entry.
    • If online user synchronization is enabled on the Agile Controller server and traffic with no matching online user entry passes through the FW, or the user entry ages out, the FW queries the Agile Controller server, based on the source IP address, whether a corresponding online user exists or is still online. If the user is online on the Agile Controller server, the server sends a user login message to the FW so that the user logs in to the FW without the user's access to services being affected.
  • For user-based policy control, you must configure an authentication policy. Otherwise, the FW cannot identify the user from received traffic and therefore cannot match user-based policies. For user-based policy control of VPN access users, configure an authentication policy for the source IP addresses of VPN-decapsulated packets and set the authentication action to authentication exemption.
  • If you have run the https enable command to redirect HTTPS service requests to the portal authentication page, and the client accesses an address that uses HTTP Strict Transport Security (HSTS), the client may fail to connect to the FW. As a result, the FW cannot redirect the HTTPS request to the portal authentication page, and the user fails to log in.
  • By default, user/user group/security group names on the FW can be only in Chinese or English. To create or import names in other languages, such as German or French, run the language character-set UTF-8 command to switch the FW's encoding to UTF-8. Otherwise, creating or importing the user information may fail, and the users cannot log in on the FW. Note the following before switching the encoding:
    • When the FW connects to the Agile Controller to import user information or uses the Agile Controller's SSO function, the FW and the Agile Controller server exchange data in GBK. In these cases, do not switch the FW's encoding to UTF-8; otherwise, importing user information may fail and the Agile Controller's SSO function may become unavailable.
    • If user management functions are configured on the FW and user/user group/security group names contain non-ASCII characters, you must restart the FW for the language character-set UTF-8 command to take effect. You are advised to switch the encoding when services are idle.
    • If the FW interacts with a third-party system, such as an authentication server or AD monitor, ensure that the FW uses the same encoding as that system; otherwise, the interconnection may fail.
    • After the encoding is switched to UTF-8, Chinese configurations cannot be executed. For example, the Chinese parameters of the greeting, assistance, and association links and commands of the Chinese authentication page cannot be configured.
  • When the https enable command is run to redirect HTTPS service requests to the portal authentication page, both the FW and the HTTPS server send certificates to the client when the client accesses the HTTPS server. A user cannot use Safari on an iPhone to access the HTTPS server in the following situations:
    • The client trusts neither the certificate sent by the FW nor the certificate sent by the HTTPS server.
    • The client trusts the certificate sent by the FW but not the certificate sent by the HTTPS server.
  • For AD SSO in the mode in which the AD SSO service program is installed to query AD server logs, the AD SSO service program periodically queries user login logs on the AD server. Note the following:
    • The AD SSO service program records the time of each query of user login logs on the AD server, and each query returns only the user login logs generated since the last query time. For example, if the last query time is 02:00:00 and the query interval is 10 seconds, only user login logs generated after 02:00:00 are queried this time.
    • If DST is configured on the AD server, user login logs are not lost when the system time is adjusted forward but are lost when it is adjusted backward. For example, if the last query time is 02:00:00 and the AD server system time is adjusted forward from 02:00:00 to 03:00:00, only user login logs generated after 02:00:00 are queried this time, and no logs are lost. If the AD server system time is adjusted backward from 02:00:00 to 01:00:00, again only logs generated after 02:00:00 are queried, so logs generated between 01:00:00 and 02:00:00 (system time after the adjustment) are skipped, and users who attempt to log in during that period cannot log in.
  • If users go online on the FW, the FW uses the online user synchronization function (Online User Synchronize Information) to synchronize the user information to other FWs. The synchronized information includes only the IP addresses, names, and user groups of the users.
  • Some user configuration is stored in the configuration file, and the rest is stored in the user database. The configuration file must be used together with its matching database; otherwise, unknown errors may occur. Therefore, when a device needs to use user information from another device, import the configuration file and the database at the same time.
  • The FW identifies users by IP address, and one IP address in the online user list corresponds to exactly one user. Scenarios in which multiple users log in from the same IP address, such as a terminal server or a NAT device deployed between the users and the FW, are therefore not supported.
  • If both AD SSO and RADIUS SSO are enabled and the FW receives AD authentication packets and RADIUS accounting packets on the same interface, RADIUS SSO users cannot log in.
  • For SSO users, VPN access users, and portal authentication users in user-initiated authentication mode, if the authentication policy action is no authentication, the upstream and downstream rates in the online user list are 0.
  • If policies in a configuration file imported to the device reference users that do not exist locally, these users occupy hash entries of the user management module, so new users cannot be created up to the full specification. In addition, when you view details of these users on the web UI, the system reports that they do not exist. If you do not need the configurations, delete the configurations that reference the non-existent users to release the occupied hash entries. If you need the configurations to take effect, create or import users with the same names. The same applies to user groups and security groups.
  • For built-in portal authentication, if the interface that receives users' HTTP requests is a Layer 2 interface, the device does not push the portal authentication page to the users.
  • When the FW performs CHAP authentication with a RADIUS server running on Windows Server, the option to store passwords using reversible encryption must be enabled on the AD server account.
  • For RADIUS, LDAP, or AD authentication across virtual systems, you must specify the outgoing interface when configuring the server, and that interface must be a loopback interface.
  • User-IP/MAC address binding cannot be used together with cross-Layer 3 MAC address identification.
  • When the ADSSO_Setup.exe version is 3.1.10.3, configure the Gateway Shared Key in common mode rather than enhanced encryption mode. Otherwise, AD SSO fails because this ADSSO_Setup.exe version is incompatible with the enhanced Gateway Shared Key configuration.
  • When importing a server organizational structure, the root path name and the level-2 path name in the server organizational structure cannot be the same. Otherwise, the user groups are imported successfully but the users fail to be imported.
  • Plug-in-free AD SSO does not allow the FW in a virtual system to monitor AD authentication packets.
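
The following is an added example that is not part of this page and is not the AD SSO service program's own code. It models the log-query behaviour described in the AD SSO item above (each query returns only login logs generated after the recorded last query time) and reproduces the gap that appears when the AD server clock is set backward, for example at the end of DST. The assumption that the recorded last query time never moves backward is the author's way of reproducing the documented behaviour; the log records and times are constructed; and the record-ID poller is shown only as a contrast, not as a documented FW or AD SSO feature.

```python
"""Model of the AD SSO service program's periodic login-log query and of the
gap created when the AD server clock is set backward.

Added example, not AD SSO or FW code. Records and times are constructed; the
"last query time only advances" rule and the record-ID poller are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LoginLog:
    record_id: int  # event-log record number: increases monotonically, clock-independent
    ts: int         # AD server local time when the log was written (seconds since midnight)
    user: str
    ip: str


def clock(hms: str) -> int:
    """Convert "HH:MM:SS" into seconds since midnight."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


class TimestampPoller:
    """Query keyed on wall-clock time, as the page describes: each poll returns
    only logs generated after the last query time. Assumption: the stored last
    query time only ever advances, so a backward clock step is never undone."""

    def __init__(self, last_query: str):
        self.last_query_time = clock(last_query)

    def poll(self, logs: List[LoginLog], now: str) -> List[LoginLog]:
        now_s = clock(now)
        hits = [log for log in logs if self.last_query_time < log.ts <= now_s]
        self.last_query_time = max(self.last_query_time, now_s)
        return hits


class RecordIdPoller:
    """Query keyed on the event record number instead of the clock. Shown for
    contrast only; it is not how the documented AD SSO program works."""

    def __init__(self, last_record_id: int = 0):
        self.last_record_id = last_record_id

    def poll(self, logs: List[LoginLog]) -> List[LoginLog]:
        hits = [log for log in logs if log.record_id > self.last_record_id]
        if hits:
            self.last_record_id = max(log.record_id for log in hits)
        return hits


def simulate_backward_adjustment() -> Tuple[List[str], List[str]]:
    """Last query at 02:00:00; the AD server clock is then set back to 01:00:00
    and two users log in at 01:20:00 and 01:45:00 (new system time). Returns
    the user names each poller picks up at the 01:50:00 poll."""
    logs = [  # constructed sample records
        LoginLog(101, clock("01:59:50"), "alice", "10.0.0.11"),  # seen by the earlier query
        LoginLog(102, clock("01:20:00"), "bob", "10.0.0.12"),    # written after the clock step
        LoginLog(103, clock("01:45:00"), "carol", "10.0.0.13"),
    ]
    ts_seen = [log.user for log in TimestampPoller("02:00:00").poll(logs, "01:50:00")]
    id_seen = [log.user for log in RecordIdPoller(last_record_id=101).poll(logs)]
    return ts_seen, id_seen


def simulate_forward_adjustment() -> List[str]:
    """Last query at 02:00:00; the clock jumps forward to 03:00:00 and a user
    logs in at 03:05:00. Nothing is lost in this direction."""
    logs = [LoginLog(201, clock("03:05:00"), "dave", "10.0.0.14")]  # constructed
    return [log.user for log in TimestampPoller("02:00:00").poll(logs, "03:05:10")]


if __name__ == "__main__":
    print("backward step:", simulate_backward_adjustment())  # ([], ['bob', 'carol'])
    print("forward step:", simulate_forward_adjustment())    # ['dave']
```

The timestamp poller returns nothing for bob and carol, which is the documented outcome: their login logs carry times earlier than the recorded last query time, so they are never fetched and the FW never learns that they are online. Keeping the AD server's clock monotonic during the polling window, or scheduling the backward DST step when no logins are expected, avoids the gap.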
Copyright © Huawei Technologies Co., Ltd.