04-Objects

H3C Firewall Products Comware 7 Web Configuration Guide-6W402, 04-Objects, 03-Authentication management

Authentication

 

This help contains the following topics:

·     Introduction

¡     ISP domains

¡     RADIUS

¡     LDAP

¡     RESTful server

¡     Security management server set

·     Restrictions and guidelines

·     Configure authentication

¡     Configure an ISP domain

¡     Configure RADIUS

¡     Configure LDAP

¡     Configure a RESTful server

¡     Configure a security management server set

Introduction

ISP domains

AAA manages users based on the users' ISP domains. Each ISP domain maintains a set of authentication, authorization, and accounting methods to control the AAA behaviors of users in the ISP domain. The administrator can configure authentication, authorization, and accounting methods of an ISP domain based on the user access types and security requirements in the domain.

The device supports the following authentication methods:

·     No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method.

·     Local authentication—The NAS authenticates users by itself, based on the locally configured user information including the usernames, passwords, and user attributes. Local authentication provides high-speed and low-cost authentication services, but the amount of information that can be stored on the NAS is restricted by the size of the storage space.

·     Remote authentication—The NAS works with a remote server to authenticate users. The NAS communicates with the remote server through the RADIUS protocol. The server manages user information in a centralized manner. Remote authentication provides high capacity, reliable, and centralized authentication services for multiple NASs. For high availability, you can specify multiple RADIUS servers for user authentication. In addition, you can configure backup methods to be used when the servers are not available.

·     Single sign-on—The NAS works with a remote server to authenticate users. The server sends the user identity information to the device configured with user identification after the users pass authentication. Then, the device uses the information to perform identification on the users to complete the authentication.

The device supports the following authorization methods:

·     No authorization—The NAS performs no authorization exchange. The following default authorization information applies after users pass authentication:

¡     Login users obtain the default user role. The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

¡     Non-login users can access the network.

·     Local authorization—The NAS performs authorization according to the user attributes locally configured for users.

·     Remote authorization—The NAS works with a remote server to authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only after RADIUS authentication is successful, and the authorization information is included in the Access-Accept packet. You can configure backup methods to be used when the remote server is not available.

The device supports the following accounting methods:

·     No accounting—The NAS does not perform accounting for the users.

·     Local accounting—Local accounting is implemented on the NAS. It counts and controls the number of concurrent users that use the same local user account, but does not provide statistics for charging.

·     Remote accounting—The NAS works with a remote server for accounting. For high availability, you can specify multiple RADIUS servers for user accounting. In addition, you can configure backup methods to be used when the remote server is not available.

On a NAS, each user belongs to one ISP domain. The NAS determines the ISP domain to which a user belongs based on the username entered by the user at login. AAA manages users in the same ISP domain based on the users' access types. The device supports the following user access types:

·     Login—Login users include Telnet, FTP, and terminal users that log in to the device. Terminal users can access through a console or AUX port.

·     Portal—Portal users must pass portal authentication to access the network.

In a networking scenario with multiple ISPs, the device can connect to users of different ISPs. The device supports multiple ISP domains, including the system-defined ISP domain system. On the device, each user belongs to an ISP domain. If a user does not provide an ISP domain name at login, the device considers the user belongs to the default ISP domain. You can specify an ISP domain as the default domain.

The device chooses an authentication domain for each user in the following order:

1.     The authentication domain specified for the access module.

2.     The ISP domain in the username.

3.     The default ISP domain of the device.

RADIUS

Overview

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.

·     RADIUS client—The RADIUS client runs on the NASs located throughout the network. It passes user information to RADIUS servers and acts on the responses to, for example, reject or accept user access requests.

·     RADIUS server—The RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access. The RADIUS server operates using the following process:

a.     Receives authentication, authorization, and accounting requests from RADIUS clients.

b.     Performs user authentication, authorization, or accounting.

c.     Returns user access control information (for example, rejecting or accepting the user access request) to the clients.

RADIUS uses UDP to transmit packets. The RADIUS client and server exchange information between them with the help of shared keys, which are preconfigured on the client and server.

To provide AAA services to users, you need to configure the RADIUS server parameters on the access device.

Enhanced RADIUS features

·     Accounting-on feature

This feature enables the device to automatically send an accounting-on packet to the RADIUS server after the entire device reboots. Upon receiving the accounting-on packet, the RADIUS server logs out all online users that come online through the device. Without this feature, users cannot log in again after the reboot, because the RADIUS server determines that these users are still online.

You can configure the interval for which the device waits to resend the accounting-on packet and the maximum number of retries.

·     Session-control feature

The RADIUS server dynamically changes the user authorization information or forcibly disconnects users by using session-control packets. Enable the session-control feature on the device so that the device can receive RADIUS session-control packets on UDP port 1812.

The RADIUS session-control feature can only work with RADIUS servers running on IMC.

·     Online user password change

This feature enables the device to cooperate with the RADIUS server to allow users to change their passwords online. With this feature enabled, the device sends a RADIUS authentication request to the RADIUS server upon receiving a password change request from an online user. In the authentication request, the device carries the old user password in RADIUS attribute 2 and the new user password in RADIUS attribute 17. If the device receives a response from the RADIUS server, the online user's password is changed successfully.

LDAP

Overview

The Lightweight Directory Access Protocol (LDAP) provides standard multiplatform directory service. LDAP uses a client/server model, and all directory information is stored in the LDAP server.

LDAP is suitable for storing data that does not change often, and it is commonly used to store user information. For example, Active Directory, the LDAP server software used in Microsoft Windows operating systems, stores user information and user group information for user login authentication and authorization.

LDAP uses directories to maintain the organization information, personnel information, and resource information. The directories are organized in a tree structure and include entries. An entry is a set of attributes with distinguished names (DNs). The attributes are used to store information such as usernames, passwords, emails, computer names, and phone numbers.

LDAP attribute map

The LDAP attribute map feature enables the device to convert LDAP attributes obtained from an LDAP authorization server to device-recognizable AAA attributes based on the mapping entries. Because the device ignores unrecognized LDAP attributes, configure the mapping entries to include important LDAP attributes that should not be ignored.

An LDAP attribute can be mapped only to one AAA attribute. Different LDAP attributes can be mapped to the same AAA attribute. The LDAP attribute map defines a list of LDAP-AAA attribute mapping entries. To apply the LDAP attribute map, specify the name of the LDAP attribute map in the LDAP scheme used for authorization.

RESTful server

The RESTful server configuration defines the related parameter settings for the device to communicate with the RESTful server. The parameters include the login account and the URIs of the RESTful server. After establishing a connection with the RESTful server, the device can import identity users and online users from the server.

Security management server set

The security management server set configuration defines the related parameters of the device to communicate with third-party servers, including the server IP address, server port, and service port number. After establishing connections with the servers, the device can receive user login and logout information from the servers to update online users.

Restrictions and guidelines

Restrictions and guidelines: ISP domains

·     Accounting for FTP users is not supported.

·     If you use RADIUS and other methods for SSL VPN users in an ISP domain, make sure all the methods are in the same order in authentication and authorization.

·     For successful RADIUS authorization in an ISP domain, make sure the same RADIUS scheme is used for authentication and authorization.

·     If the server or NAS does not authorize a type of attribute to an authenticated user, the device authorizes the attribute in the ISP domain to the user.

·     You cannot delete the system-defined ISP domain named system.

·     By blocking an ISP domain, you disable offline users of the domain from requesting network services. However, the online users are not affected.

Restrictions and guidelines: RADIUS configuration

·     Make sure the shared keys configured on the device are the same as the shared keys configured on the RADIUS servers.

·     If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. It does not buffer the stop-accounting requests, either. The accounting results might be inaccurate.

·     Make sure the source IP address of RADIUS packets sent by the device matches the IP address of the NAS that is configured on the RADIUS servers.

·     For accounting accuracy, make sure the traffic statistics units configured on the device and on the RADIUS accounting servers are the same.

·     If two or more ISP domains use the same RADIUS scheme, configure the RADIUS scheme to keep the ISP domain name in usernames for domain identification.

·     The device chooses servers based on the following rules:

¡     When the primary server is in active state, the device first tries to communicate with the primary server. If the primary server is unreachable, the device searches for an active secondary server in the order the servers are configured.

¡     When one or more servers are in active state, the device tries to communicate with these active servers only, even if the servers are unavailable.

¡     When all servers are in blocked state, the device only tries to communicate with the primary server.

¡     If a server is unreachable, the device changes the server status to blocked and starts a quiet timer for the server. Then, it tries to communicate with the next secondary server in active state that has the highest priority.

¡     When the quiet timer of a server expires or you manually set the server to the active state, the status of the server changes back to active. The device does not check the server again during the authentication or accounting process.

¡     The search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If no server is reachable, the device determines that the authentication or accounting attempt fails.

·     Consider the number of secondary servers when you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer. If the RADIUS scheme includes many secondary servers, the retransmission process might be too long and the client connection in the access module, such as Telnet, can time out.

·     Make sure the server quiet timer is set correctly. A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state. A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.
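The server selection rules and the quiet timer above, simulated in Python. This is an added example, not H3C code: the server names, the simulated clock and the reachable flag (a stand-in for a real request/response exchange) are constructed, and retransmission attempts and the response timeout are not modelled.

```python
"""Simulation of the RADIUS server selection rules in the guidelines above."""

ACTIVE, BLOCKED = "active", "blocked"


class RadiusServer:
    def __init__(self, name, reachable=True):
        self.name = name
        self.reachable = reachable   # constructed: would be a real exchange
        self.state = ACTIVE
        self.quiet_until = 0         # simulated time at which the quiet timer expires


class RadiusScheme:
    """One primary server plus secondary servers in configured order."""

    def __init__(self, primary, secondaries, quiet_timer):
        self.primary = primary
        self.secondaries = list(secondaries)
        self.quiet_timer = quiet_timer
        self.now = 0
        self.last_attempts = []      # servers tried during the last select()

    def servers(self):
        return [self.primary, *self.secondaries]

    def tick(self, seconds):
        """Advance the clock; servers whose quiet timer expired return to active."""
        self.now += seconds
        for s in self.servers():
            if s.state == BLOCKED and self.now >= s.quiet_until:
                s.state = ACTIVE

    def _try(self, server):
        self.last_attempts.append(server.name)
        if server.reachable:
            return True
        # Unreachable: block the server and start its quiet timer.
        server.state = BLOCKED
        server.quiet_until = self.now + self.quiet_timer
        return False

    def select(self):
        """Return the name of the first server that answers, or None."""
        self.last_attempts = []
        active = [s for s in self.servers() if s.state == ACTIVE]
        # Only active servers are tried, primary first; when every server is
        # blocked, only the primary is tried. Each server is checked once.
        for s in (active or [self.primary]):
            if self._try(s):
                return s.name
        return None


if __name__ == "__main__":
    p = RadiusServer("primary", reachable=False)
    scheme = RadiusScheme(p, [RadiusServer("sec1", reachable=False),
                              RadiusServer("sec2")], quiet_timer=60)
    print(scheme.select(), scheme.last_attempts)   # sec2, all three tried
    print(scheme.select(), scheme.last_attempts)   # sec2, only sec2 tried
```

Lengthening the quiet timer in the demo shows the second caveat: a primary that recovers stays unused until the timer expires.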

Restrictions and guidelines: LDAP configuration

When the device needs to cooperate with an LDAP authorization server, you must configure related LDAP settings on the device at the CLI.

Configure authentication

To manage users of different ISPs, specify authentication, authorization, and accounting methods of different access types for each ISP domain and configure the domain attributes as needed. Domain attributes include the status of an ISP domain and authorization attributes for users in the ISP domain.

·     To perform local authentication, configure local users and the related attributes.

·     To perform remote authentication, configure the required RADIUS schemes.

Configure an ISP domain

1.     Click the Objects tab.

2.     In the navigation pane, select User > Authentication > ISP Domains.

3.     Click Create.

4.     Create an ISP domain.

Table 1 ISP domain configuration items

Item

Description

Domain name

Enter a name for the ISP domain to uniquely identify it.

The ISP domain name is a case-insensitive string of 1 to 255 characters, which must meet the following requirements:

·     The name cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Status

Select a state for the ISP domain.

·     Active—Places the ISP domain in active state to allow the users in the ISP domain to request network services.

·     Blocked—Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

Access types

Select access types for the users in the ISP domain.

Select the access type for a user based on the access authentication requirements of the user. For example, select Login for administrators.

 

5.     (Optional.) Configure advanced settings.

Table 2 Advanced setting configuration items

Item

Description

Idle timeout

Set the idle timeout period.

The device logs out a user if the user's total traffic in the idle timeout period is less than the specified minimum traffic.

Min traffic in an idle timeout

Set the minimum traffic that must be generated in the idle timeout period.

IP address pool

Enter the name of an IP address pool.

The device assigns an IP address in the IP address pool to each authenticated PPP or portal user.

 

6.     Click OK. The new ISP domain is displayed in the ISP Domains page.
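The domain selection order from the introduction and the domain name rules and status semantics from Table 1, worked through in Python. This is an added example, not H3C code; it assumes the user@domain form for carrying a domain in the username (which is why '@' is a delimiter the name rules forbid) and takes the reserved-name list from Table 1.

```python
"""ISP domain selection order, domain-name validation and blocked status."""

FORBIDDEN_CHARS = set('/\\|":*?<>@')
RESERVED = {"d", "de", "def", "defa", "defau", "defaul", "default",
            "i", "if", "if-", "if-u", "if-un", "if-unk", "if-unkn",
            "if-unkno", "if-unknow", "if-unknown"}


def validate_domain_name(name):
    """Return None when the name is acceptable, otherwise the reason."""
    if not 1 <= len(name) <= 255:
        return "length must be 1 to 255 characters"
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        return "forbidden characters: " + " ".join(bad)
    if name.lower() in RESERVED:          # names are case-insensitive
        return "reserved name"
    return None


def split_username(username):
    """Split user@domain into (user, domain); domain is None when absent.
    Assumption of this example: '@' separates user and domain."""
    user, sep, domain = username.partition("@")
    return user, (domain if sep and domain else None)


def choose_domain(username, module_domain=None, default_domain="system"):
    """Selection order: access-module domain, domain in the username,
    then the device's default ISP domain."""
    if module_domain:
        return module_domain, "access module"
    _, domain = split_username(username)
    if domain:
        return domain, "username"
    return default_domain, "default"


class IspDomain:
    """An ISP domain with an active/blocked status and its online users."""

    def __init__(self, name, status="active"):
        reason = validate_domain_name(name)
        if reason:
            raise ValueError(f"{name!r}: {reason}")
        self.name, self.status = name, status
        self.online = set()

    def admit(self, user):
        """A blocked domain refuses new requests; users already online stay."""
        if self.status == "blocked":
            return False
        self.online.add(user)
        return True
```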

Configure RADIUS

1.     Click the Objects tab.

2.     In the navigation pane, select User > Authentication > RADIUS.

3.     Click Create.

4.     Create a RADIUS scheme.

Table 3 RADIUS scheme configuration items

Item

Description

Authentication servers

Create, edit, or delete authentication servers.

The configuration items include the IP address, port number, and shared key.

Accounting servers

Create, edit, or delete accounting servers.

The configuration items include the IP address, port number, and shared key.

Advanced settings

Configure the advanced settings for the scheme as needed.

 

5.     Click OK. The new RADIUS scheme is displayed in the RADIUS page.

Configure LDAP

1.     Click the Objects tab.

2.     In the navigation pane, select User > Authentication > LDAP > LDAP Schemes.

3.     Click Create.

4.     Create an LDAP scheme.

Table 4 LDAP scheme configuration items

Item

Description

Scheme name

Enter a name for the LDAP scheme.

The scheme name uniquely identifies an LDAP scheme.

LDAP attribute map

Select an LDAP attribute map for LDAP authorization.

The device converts LDAP attributes obtained from the LDAP authorization server to device-recognizable AAA attributes.

Server name

Enter a name for the LDAP server.

VRF

Select the VRF to which the LDAP server belongs.

Do not configure this item if the LDAP server belongs to the public network.

IP address type

Select an IP address type for the LDAP server.

Available IP address types include IPv4 and IPv6.

Server IP address

Enter the IP address of the LDAP server.

Port

Enter the service port number of the LDAP server.

Administrator DN

Enter the administrator DN.

The administrator DN on the device must be the same as the administrator DN configured on the LDAP server.

Administrator password

Enter the administrator password.

LDAP version

Select an LDAP version.

Available LDAP versions include LDAPv2 and LDAPv3.

The LDAP version used by the device must be consistent with the version used by the LDAP server.

Server timeout period

Set the LDAP server timeout period.

If the device sends a bind or search request to the LDAP server without receiving the server's response within the server timeout period, the authentication or authorization request times out.

Base DN for user search

Enter the base DN for user search.

If the LDAP server contains many directory levels, a user DN search starting from the root directory can take a long time. To improve efficiency, you can change the start point by specifying the search base DN.

User search scope

Select a user search scope.

·     All-level—The user search goes through all subdirectories of the base DN.

·     Single-level—The user search goes through only the next lower level of subdirectories under the base DN.

Username attribute

Enter the value of the username attribute.

Username format

Select a format for usernames to be sent to the LDAP server.

·     With-domain—Includes the ISP domain name in the usernames sent to the LDAP server.

·     Without-domain—Excludes the ISP domain name from the usernames sent to the LDAP server.

User object class

Enter a user object class for user search.

User group filter

Enter a user group filter.

When the device requests to import user group information from an LDAP server, the LDAP server sends only user groups that match the user group filter to the device.

 

5.     Click OK. The new LDAP scheme is displayed in the LDAP Schemes page.
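How the scheme items in Table 4 (base DN, user search scope, username attribute, user object class and username format) combine into one user lookup, shown against an in-memory directory. This is an added example, not H3C code: the directory entries are constructed, DNs are assumed to contain no escaped commas, and requiring a single unique match is this example's policy, not a documented device behaviour.

```python
"""In-memory model of the LDAP user search driven by the scheme settings."""


def rdns(dn):
    """Split a DN into normalized RDNs, most specific first (no escaped commas assumed)."""
    return tuple(p.strip().lower() for p in dn.split(","))


def in_scope(entry_dn, base_dn, scope):
    """Apply the user search scope relative to the base DN."""
    e, b = rdns(entry_dn), rdns(base_dn)
    if len(e) <= len(b) or e[-len(b):] != b:
        return False                      # not below the base DN
    if scope == "single-level":
        return len(e) == len(b) + 1       # next lower level only
    if scope == "all-level":
        return True                       # every subdirectory level
    raise ValueError(f"unknown scope {scope!r}")


def format_username(username, username_format):
    """Username format: keep or strip the ISP domain (user@domain form assumed)."""
    if username_format == "without-domain":
        return username.split("@", 1)[0]
    if username_format == "with-domain":
        return username
    raise ValueError(f"unknown username format {username_format!r}")


def find_user_dn(directory, scheme, username):
    """Return the DN of the single entry matching the scheme, or None.
    Equivalent filter: (&(objectClass=<class>)(<username attribute>=<user>))."""
    name = format_username(username, scheme["username_format"]).lower()
    hits = []
    for dn, attrs in directory.items():
        if not in_scope(dn, scheme["base_dn"], scheme["search_scope"]):
            continue
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if scheme["user_object_class"].lower() not in classes:
            continue
        values = [v.lower() for v in attrs.get(scheme["username_attribute"], [])]
        if name in values:
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None   # example policy: unique match


DIRECTORY = {  # constructed sample directory
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "ou=contractors,ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=bob,ou=contractors,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=svc,ou=services,dc=example,dc=com": {"objectClass": ["account"], "uid": ["alice"]},
}

SCHEME = {  # constructed values for the Table 4 items
    "base_dn": "ou=people,dc=example,dc=com",
    "search_scope": "single-level",
    "username_attribute": "uid",
    "user_object_class": "inetOrgPerson",
    "username_format": "without-domain",
}

if __name__ == "__main__":
    print(find_user_dn(DIRECTORY, SCHEME, "alice@corp"))   # alice found at the base's next level
    print(find_user_dn(DIRECTORY, SCHEME, "bob@corp"))     # None: bob is one level deeper
```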

Configure a RESTful server

1.     Click the Objects tab.

2.     In the navigation pane, select User > Authentication > RESTful Server.

3.     Click Create.

4.     Create a RESTful server.

Table 5 RESTful server configuration items

Item

Description

Name

Enter a name for the RESTful server.

The name uniquely identifies a RESTful server.

Username

Enter the username for logging in to the RESTful server.

Password

Enter the password for logging into the RESTful server.

Get-user-account URI

Enter the URI used to request user account information from the RESTful server.

Get-online-user URI

Enter the URI used to request online user information from the RESTful server.

Get-user-group URI

Enter the URI used to request user group information from the RESTful server.

Put-online-user URI

Enter the URI used to upload online user information to the RESTful server.

If the device adds an identity user that is not imported from the RESTful server, the device uploads the online user information to the RESTful server.

Put-offline-user URI

Enter the URI used to upload offline user information to the RESTful server.

If the device deletes an identity user that is not imported from the RESTful server, the device uploads the offline user information to the RESTful server.

VRF

Select the VRF to which the RESTful server belongs.

Do not configure this item if the RESTful server belongs to the public network.

Enable server detection

Select this item to enable RESTful server reachability detection.

When this feature is enabled, the device detects the reachability of the RESTful server.

 

5.     Click OK. The new RESTful server is displayed in the RESTful Server page.

Configure a security management server set

1.     Click the Objects tab.

2.     In the navigation pane, select User > Authentication > Sec Mgt Server Set.

3.     Click Create.

4.     Create a security management server set.

Table 6 Security management server set configuration items

Item

Description

Name

Enter a name for the security management server set.

The name uniquely identifies a security management server set.

Server addresses

Enter the IP addresses of the TSM servers.

Listening port

Enter the port for listening to packets from the TSM servers.

Encryption algorithm

Select an encryption algorithm to decrypt packets from the TSM servers.

Shared key

Enter the shared key to decrypt packets from the TSM servers.

 

5.     Click OK. The newly created security management server set is displayed on the Security Management Server Set page.
