Several authentication methods are currently provided on the firewall
User refers to the person who accesses network resources, indicating "who" is accessing, and is an important identifier of network access behavior.
User classification:
Internet users
Those who access network resources in the internal network, such as internal employees of the corporate headquarters. Internet users can directly access network resources through FW.
Access users
Those who access network resources in the external network, such as branch employees and employees on business trips of an enterprise. Access users need to access the FW through SSL VPN, L2TP VPN, IPSec VPN or PPPoE before they can access the network resources of the corporate headquarters.
Management users
Authentication classification:
The firewall verifies the identity of the visitor through authentication. The firewall authenticates the access in the following ways:
Local authentication
Visitors send the username and password identifying their identity to FW through the Portal authentication page. The password is stored on FW, and the verification process is performed on FW. This method is called local authentication.
Server authentication (Radius, LDAP, etc.)
Visitors send the username and password identifying their identity to the FW through the Portal authentication page. The password is not stored on the FW; the FW forwards the username and password to a third-party authentication server, and the verification process is performed on that server. This method is called server authentication.
The authentication server can be RADIUS (Remote Authentication Dial In User Service), HWTACACS (HuaWei Terminal Access Controller Access Control System), AD, or LDAP (Lightweight Directory Access Protocol); users/groups and password information are stored on the authentication server. For RADIUS and HWTACACS servers, administrators need to manually create the corresponding users/groups on the FW based on the existing organizational structure, or import them in batches from a file. For AD or LDAP servers, administrators can import user information from the AD or LDAP server to the FW, so that they can subsequently use policies on the FW to control the network access behavior of different users/groups.
Single sign-on
The visitor sends the user name and password that identifies his or her identity to the third-party authentication server. After the authentication is passed, the third-party authentication server sends the visitor's identity information to FW. The FW only records the visitor's identity information and does not participate in the authentication process. This method is called single sign-on (Single Sign-On).
SMS authentication
Visitors obtain the SMS verification code through the Portal authentication page, and then enter the SMS verification code to pass the authentication. FW authenticates visitors by verifying the SMS verification code.
Purpose of authentication:
Deploying user management and authentication on the FW identifies the IP address of network traffic as a user and provides user-based network behavior control and network permission allocation, so that management is refined along the user dimension:
Policies are formulated visually based on users, improving the usability of policies.
Reports and statistical analysis of threats and traffic are viewed by user, implementing tracking and auditing of user network access behavior.
It solves the policy control problems caused by dynamic changes in IP addresses, that is, unchanging users are used to respond to changing IP addresses.
Authentication methods for Internet users to access the network:
Authentication-free:
FW determines the identity of the visitor by identifying the two-way binding relationship between IP/MAC and the user. Authentication-free visitors can only use specific IP/MAC addresses to access network resources.
Session authentication:
When a user accesses HTTP services, the FW pushes an authentication page to the user, triggering identity authentication.
Session authentication generally refers to local authentication using the built-in Portal authentication page. The flow is:
The user first initiates HTTP/HTTPS business access; the firewall pushes a redirect to the authentication page; the customer enters the username and password; authentication succeeds. If the option to jump to the most recently accessed page is set, the browser jumps there; if no jump is set, there is no jump.
Pre-authentication
When users access non-HTTP services, they can only actively access the authentication page for identity authentication.
Single sign-on authentication
AD single sign-on: The enterprise has deployed an AD (Active Directory) authentication mechanism, and information such as users/groups and passwords are stored on the AD server. Administrators can import the organizational structure and account information on the AD server to the FW. For newly created user information on the AD server, you can also import it regularly at certain intervals. This allows subsequent administrators to use policies on the FW to control the network access behavior of different users/groups.
During authentication, the AD server authenticates the visitor and sends the authentication information to the FW so that the FW can obtain the correspondence between the user and the IP address. After the visitor passes the authentication of the AD server, he or she can directly access network resources without the need for authentication by the FW. This authentication method is also called "AD single sign-on".
Agile Controller single sign-on
RADIUS single sign-on
RADIUS authentication principle:
Figure: RADIUS single sign-on in bypass mode (login diagram)
The RADIUS single sign-on interaction process is as follows:
The visitor initiates an authentication request to the access device NAS.
The NAS device forwards the authentication request to the RADIUS server. The RADIUS server verifies the user account and password, and returns the authentication result to the NAS device. The NAS device sends an accounting start message to the RADIUS server to indicate that the user is online.
FW parses the accounting start message to obtain the corresponding relationship between users and IP addresses, and at the same time generates online user information locally. Depending on the deployment method, the FW obtains the accounting start message in different ways:
Direct path: The FW directly parses the RADIUS accounting start message passing through itself.
Bypass: When the NAS device sends the accounting start message to the RADIUS server, it also sends a copy to the FW. The FW parses the accounting start message and responds to the NAS device.
This deployment method requires that the NAS device supports the function of sending accounting start messages to the FW.
Mirror traffic diversion: The accounting start message exchanged between the NAS device and the RADIUS server does not pass through the FW. A copy of the accounting start message needs to be copied to the FW through switch mirroring or optical splitting. The FW parses the accounting start message and discards it.
When the visitor logs out, the NAS device sends an accounting end message to the RADIUS server to indicate that the user is offline. The FW obtains the accounting end message and parses the corresponding relationship between users and IPs, then deletes the locally saved online user information and completes the logout process.
In addition, while the user is online, the NAS device will also regularly send accounting update messages to the RADIUS server to maintain the accounting process. After obtaining the accounting update message, the FW will refresh the remaining time of the online user.
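To make the accounting-message handling above concrete, here is an added Python example (not code from this page or from Huawei) that parses RADIUS Accounting-Request packets and maintains a small FW-side online-user table keyed by IP address: an Accounting-Start creates the user/IP entry, an Interim-Update refreshes its remaining time, a Stop deletes it, and an entry that receives no refresh within the timeout expires. The packet layout and attribute numbers follow RFC 2865/2866; the demo packets are constructed inline rather than captured, the 30-minute timeout value is taken from this page's online-user entry timeout, and the table is a simplified model, not the device's real implementation.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RADIUS code and attribute numbers (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3

ONLINE_TIMEOUT = 30 * 60  # seconds; the page's default online-user entry timeout (30 minutes)


@dataclass
class OnlineUser:
    username: str
    ip: str
    expires_at: int


def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs (type, length incl. header, value); reject malformed lengths."""
    attrs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs


def parse_accounting(packet: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (Acct-Status-Type, User-Name, Framed-IP-Address), or None if not an Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if code != ACCOUNTING_REQUEST:
        return None
    attrs = parse_attributes(packet[20:])
    try:
        status_raw = attrs[ATTR_ACCT_STATUS_TYPE]
        name_raw = attrs[ATTR_USER_NAME]
        ip_raw = attrs[ATTR_FRAMED_IP_ADDRESS]
    except KeyError as missing:
        raise ValueError(f"required attribute {missing} absent")
    if len(status_raw) != 4 or len(ip_raw) != 4:
        raise ValueError("Acct-Status-Type and Framed-IP-Address must be 4 bytes")
    status = struct.unpack("!I", status_raw)[0]
    return status, name_raw.decode("utf-8"), str(ipaddress.IPv4Address(ip_raw))


class OnlineUserTable:
    """Simplified model of the FW's user <-> IP table fed by accounting messages."""

    def __init__(self) -> None:
        self.by_ip: Dict[str, OnlineUser] = {}

    def handle(self, packet: bytes, now: int) -> Optional[str]:
        parsed = parse_accounting(packet)
        if parsed is None:
            return None                      # not accounting traffic: nothing to learn
        status, username, ip = parsed
        if status == STATUS_START:           # user came online: record user <-> IP
            self.by_ip[ip] = OnlineUser(username, ip, now + ONLINE_TIMEOUT)
            return "online"
        if status == STATUS_INTERIM and ip in self.by_ip:   # keep-alive: refresh remaining time
            self.by_ip[ip].expires_at = now + ONLINE_TIMEOUT
            return "refreshed"
        if status == STATUS_STOP:            # user logged out: drop the entry
            self.by_ip.pop(ip, None)
            return "offline"
        return "ignored"

    def lookup(self, ip: str, now: int) -> Optional[str]:
        """Username currently behind an IP, or None; a stale entry is removed when looked up."""
        entry = self.by_ip.get(ip)
        if entry is None or entry.expires_at <= now:
            self.by_ip.pop(ip, None)
            return None
        return entry.username


def build_accounting(status: int, username: str, ip: str, ident: int = 1) -> bytes:
    """Constructed Accounting-Request for the demo (not a capture); authenticator left zeroed."""
    name_b = username.encode("utf-8")
    attrs = bytes([ATTR_USER_NAME, 2 + len(name_b)]) + name_b
    attrs += bytes([ATTR_FRAMED_IP_ADDRESS, 6]) + ipaddress.IPv4Address(ip).packed
    attrs += bytes([ATTR_ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + b"\x00" * 16 + attrs


if __name__ == "__main__":
    table = OnlineUserTable()
    table.handle(build_accounting(STATUS_START, "alice", "10.1.1.2"), now=0)
    print(table.lookup("10.1.1.2", now=100))   # alice
```

In bypass mode the FW would additionally answer the NAS with an Accounting-Response; in mirror mode it only reads the copy and discards it. Either way the Length field and every attribute length are validated before any value is trusted, which is the part a parser fed by mirrored or copied traffic must not skip.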
Authentication method for access users to access network resources:
Using SSL VPN technology
Visitors log in to the authentication page provided by the SSL VPN module to trigger the authentication process. After the authentication is completed, SSL VPN access users can access the network resources of the headquarters.
Using IPSec VPN technology
After the branch office establishes an IPSec VPN tunnel with the headquarters, visitors in the branch office can use pre-authentication, session authentication, etc. to trigger the authentication process. After the authentication is completed, IPSec VPN access users can access the network resources of the headquarters.
L2TP VPN access users
User authentication principle
User organization structure:
Users are the subjects of network access and the basic unit by which the FW controls network behavior and allocates network permissions.
Authentication domain: the container of the user organizational structure; it distinguishes users and directs them to the appropriate authentication path.
User groups/users: divided into parent user groups and child user groups.
Note: A child user group can only belong to one parent user group
User: username and password are required; other attributes are optional.
User attributes: account validity period, whether multiple people may log in with the account at the same time, and IP/MAC binding (one-way or two-way; binding is not required).
Security group: a cross-department group with a horizontal organizational structure, that is, it refers to users across departments.
When planning the tree organizational structure, the following rules must be followed:
The default authentication domain comes with the device, cannot be deleted, and its name cannot be modified.
The device supports up to 20 layers of user structure, counting the authentication domain and the user; that is, up to 18 layers of user groups are allowed between the authentication domain and a user.
Each user group can contain multiple users and user groups, but each user group can belong to only one parent user group, and a user can belong to only one parent user group.
User group names may be duplicated, but the full path in the organizational structure must be unique.
Both users and user groups can be referenced by policies. If a user group is referenced by a policy, the users under it inherit the policies of their parent group and of all superior nodes.
Sources of users, user groups and security groups: manual configuration, CSV format import (batch import), server import, and automatic discovery and creation by the device.
Online users:
Before users can access network resources, they must first be authenticated by the FW, whose purpose is to identify which IP address this user is currently using. For users who have passed authentication, the FW also checks the user's attributes (user status, account expiration time, IP/MAC address binding, and whether multiple people are allowed to log in with the account at the same time). Only a user who passes both authentication and the user attribute checks can go online, and is then called an online user.
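The organizational-structure planning rules above, as an added Python example (not code from this page or from Huawei): a small tree that enforces the 20-layer limit counting the authentication domain and the user, one parent per group or user, unique full paths while still allowing duplicate group names, and policy inheritance from every superior node. The names Node and OrgTree are chosen for this example, policies are represented as plain strings, and "/" is used as the path separator.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_LAYERS = 20  # layers counting the authentication domain and the user, as stated on the page


@dataclass
class Node:
    name: str
    kind: str                                # "domain", "group" or "user"
    parent: Optional["Node"] = None
    policies: List[str] = field(default_factory=list)   # policies that reference this node
    children: List["Node"] = field(default_factory=list)

    def full_path(self) -> str:
        parts, node = [], self
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return "/".join(reversed(parts))

    def depth(self) -> int:
        """Layer number, with the authentication domain at layer 1."""
        return self.full_path().count("/") + 1


class OrgTree:
    """Authentication domain plus its user groups and users, with the planning rules enforced."""

    def __init__(self, domain_name: str = "default") -> None:
        self.domain = Node(domain_name, "domain")
        self.paths: Dict[str, Node] = {self.domain.full_path(): self.domain}

    def add(self, parent: Node, name: str, kind: str) -> Node:
        if kind not in ("group", "user"):
            raise ValueError("only groups and users can be added under the domain")
        if parent.kind == "user":
            raise ValueError("a user cannot contain groups or users")
        if "/" in name:
            raise ValueError("'/' is reserved as the path separator in this example")
        node = Node(name, kind, parent)          # exactly one parent per group or user
        path = node.full_path()
        if path in self.paths:                   # duplicate names allowed, duplicate full paths not
            raise ValueError(f"duplicate full path: {path}")
        if node.depth() > MAX_LAYERS:
            raise ValueError(f"{path} would be layer {node.depth()}, limit is {MAX_LAYERS}")
        parent.children.append(node)
        self.paths[path] = node
        return node

    def effective_policies(self, node: Node) -> List[str]:
        """Policies on the node itself plus those inherited from every superior node, top-down."""
        chain: List[Node] = []
        cur: Optional[Node] = node
        while cur is not None:
            chain.append(cur)
            cur = cur.parent
        return [p for n in reversed(chain) for p in n.policies]

    def group_layers_available_below(self, parent: Node) -> int:
        """How many group layers can still fit between parent and a user (18 directly under the domain)."""
        return MAX_LAYERS - parent.depth() - 1


if __name__ == "__main__":
    tree = OrgTree()
    hq = tree.add(tree.domain, "hq", "group")
    sales = tree.add(hq, "sales", "group")
    tree.domain.policies.append("deny-p2p")
    hq.policies.append("allow-crm")
    alice = tree.add(sales, "alice", "user")
    print(alice.full_path(), tree.effective_policies(alice))
```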
The online user table on the FW records the corresponding relationship between the user and the address currently used by the user, and implements policies on the user, that is, on the IP address corresponding to the user.
After a user goes online, if no service traffic is initiated within the online user entry timeout period (default 30 minutes), the online user monitoring entry corresponding to the user is deleted. When the user next initiates business access, the user needs to be authenticated again.
The administrator can configure the synchronization of online user information, view the authenticated online users, and perform forced logout, all forced logout, freezing and thawing operations.
Overall user authentication process:
Figure: Authentication process diagram
Authentication policy:
An authentication policy determines which data flows the FW needs to authenticate; a data flow that matches the authentication policy must be authenticated by the FW before it can pass.
By default, the FW does not authenticate the data flows passing through it. You need to select the data flows that need to be authenticated through authentication policies.
If the traffic passing through the FW matches the authentication policy, the following actions will be triggered:
Session authentication: when a visitor accesses HTTP services and the data flow matches the authentication policy, the FW pushes the authentication page and requires the visitor to authenticate.
Pre-authentication: when visitors access non-HTTP services, they must actively access the authentication page to authenticate; otherwise the FW prohibits business data flows that match the authentication policy.
Authentication-free: when visitors access the business and match an authentication-free authentication policy, they can access network resources directly without entering a username and password; the FW identifies the user by the binding relationship between the user and the IP/MAC address.
Single sign-on: the online access of single-sign-on users is not controlled by the authentication policy, but the user's business traffic must still match the authentication policy before user-based policy control can be applied.
Authentication matching basis:
Source security zone, destination security zone, source address/region, destination address/region.
Note: authentication policies are matched from top to bottom.
By default, the FW provides a built-in local Portal authentication page on port 8887. Users can actively access, or be HTTP-redirected to, the authentication page (https://<interface IP address>:8887) for local Portal authentication.
The service port of the online user information synchronization function defaults to 8886.
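An added Python example (not code from this page or from Huawei) of the authentication-policy behaviour described above: rules are matched top-down on source zone, destination zone and source address, and the first match decides whether an HTTP flow is redirected to the Portal on port 8887, a non-HTTP flow is blocked until the user pre-authenticates, or an authentication-free flow is identified from its IP binding. The AuthRule and Flow structures, the online-user and binding dictionaries, and the decision strings are assumptions of this example; in particular, denying an authentication-free flow whose address has no binding is an assumption derived from the statement that authentication-free visitors can only use specific IP/MAC addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PORTAL_PORT = 8887  # default port of the built-in local Portal page, as stated on the page


@dataclass
class AuthRule:
    name: str
    source_zone: str
    destination_zone: str
    source_address: str    # CIDR, e.g. "10.1.1.0/24"
    action: str            # "auth" or "no-auth"


@dataclass
class Flow:
    source_zone: str
    destination_zone: str
    src_ip: str
    dst_port: int
    is_http: bool          # HTTP/HTTPS business traffic can be redirected; other services cannot


def first_match(rules: List[AuthRule], flow: Flow) -> Optional[AuthRule]:
    """Authentication policies are matched from top to bottom; the first hit wins."""
    src = ipaddress.ip_address(flow.src_ip)
    for rule in rules:
        if (rule.source_zone == flow.source_zone
                and rule.destination_zone == flow.destination_zone
                and src in ipaddress.ip_network(rule.source_address, strict=False)):
            return rule
    return None


def decide(rules: List[AuthRule], flow: Flow,
           online_users: Dict[str, str], ip_bindings: Dict[str, str]) -> str:
    """What the FW does with a flow.
    online_users: ip -> username already authenticated (the online user table).
    ip_bindings:  ip -> username for authentication-free users (IP/MAC binding, MAC omitted here)."""
    rule = first_match(rules, flow)
    if rule is None:
        return "pass:unauthenticated"        # default: flows not selected by any rule are not authenticated
    if rule.action == "no-auth":
        user = ip_bindings.get(flow.src_ip)
        # Assumption of this example: an authentication-free flow whose address has no
        # binding cannot be identified as a user, so it is denied.
        return f"pass:{user}" if user else "deny:no-binding"
    user = online_users.get(flow.src_ip)     # action "auth"
    if user:
        return f"pass:{user}"                # already online: user-based policy applies
    if flow.is_http:                         # session authentication: push the Portal page
        return f"redirect:https://<interface-ip>:{PORTAL_PORT}"
    return "deny:pre-auth-required"          # non-HTTP service: user must visit the Portal first


if __name__ == "__main__":
    # Constructed rules mirroring the page's auth-policy ideas: a /32 exemption above a /24 auth rule
    rules = [
        AuthRule("no_auth", "trust", "untrust", "10.1.1.2/32", "no-auth"),
        AuthRule("trust_untrust", "trust", "untrust", "10.1.1.0/24", "auth"),
    ]
    online: Dict[str, str] = {}
    bindings = {"10.1.1.2": "printer-svc"}
    print(decide(rules, Flow("trust", "untrust", "10.1.1.5", 80, True), online, bindings))
    print(decide(rules, Flow("trust", "untrust", "10.1.1.5", 22, False), online, bindings))
```

Rule order matters: because matching stops at the first hit, the narrower no-auth rule must sit above the /24 auth rule, otherwise the exempted host would be asked to authenticate like everyone else.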
User authentication configuration ideas
Session authentication configuration ideas:
Step 1: Basic configuration (communication is normal)
Step 2: Create a new user (for local authentication)
Step 3: Authentication option settings: redirect (jump to the most recently accessed page). Note: this is the key application step.
Step 4: The default redirected authentication port is 8887, and the security policy needs to permit it:
    ip service-set authro_port type object
     service 0 protocol tcp source-port 0 to 65535 destination-port 8887
    sec-policy
     rule name trust_loacl
      source-zone trust
      destination-zone local
      service authro_port
      action permit
Step 5: Configure the authentication policy (no authentication by default; change it to authentication):
    auth-policy
     rule name trust_untrust
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 mask 255.255.255.0
      action auth
Step 6: After the check succeeds, there must be an online user
Authentication-free configuration ideas:
    auth-policy
     rule name no_auth
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.2 mask 255.255.255.255
      action no-auth
AD single sign-on configuration process:
Plug-in mode
Server part
Step 1: Install the AD domain
Step 2: Install the DNS server and configure a forwarder
Step 3: Download AD SSO (from the firewall)
Step 4: Create a new organizational unit, a new group, and a new user (with associated permissions) in the AD domain
Step 5: Add the PC to the domain (change the PC's DNS to the server address)
Step 6: Install AD SSO (it is recommended to install a secondary AD SSO)
Link the AD domain to the FW
Step 7: Group policy configuration: logon and logoff scripts
The scripts are generated by calling AD SSO.
Format: server address, running port (the same as AD SSO), 0/1, shared key (Huawei@123)
Step 8: Refresh group policy on the PC
Firewall part
Step 1: Create a new AD server on the firewall and link it with the AD server
Step 2: Create a new authentication domain
Step 3: Import AD server users to the FW and create a new import policy
Step 4: Modify the new users in the authentication domain and apply the import policy to them
Step 5: Import the users and check the user list
Step 6: Configure the authentication policy
Do not authenticate traffic from the Trust zone to the server zone (DMZ)
Step 7: Configure the security policy; the matching condition can only be users in the AD domain
Note: the following policies are also required:
Security policy from FW local to the AD server
Security policy from the AD server to FW local
DNS policy
Check:
Be sure to see online users whose login method is single sign-on
Reference document: Huawei HedEx firewall document.