In this module, you can configure user authentication parameters, including Authentication Policy, Authentication Options, and External Auth Server. Note that LAN users can still access the Internet even if user authentication is not enabled on the device. In this case, to protect LAN PCs, define IP addresses in objects so that user rankings and logs are shown by IP address.
The authentication methods include the following types:
1. Username/Password
Before network access, a terminal user is redirected to an authentication page to enter the correct user name and password. The password can be verified either locally or against an external server.
After the user enters the user name and password, the system first checks whether the user name and password are correct locally. If the user name is not found and an external authentication server is configured, the system checks whether the user name and password match those on the external authentication server.
Local password authentication only applies when Local Password is selected for the user. Otherwise, the user name and password are sent to the external authentication server for authentication.
2. Single Sign-On
Single sign-on (SSO): The system can co-work with an identity authentication system on an organization's network to identify the user behind a given IP address. In this way, the user is not required to enter a user name/password for Internet access, which improves the Internet access experience.
3. Identification based on IP address, MAC address, and hostname
The user is identified based on the source IP address/MAC address of the packet and the hostname.
• Advantage: No authentication box pops up in the browser asking the user to enter a user name and password upon network access. Therefore, the user does not perceive the existence of the device.
• Disadvantage: It is impossible to identify the specific user name, especially in a network where IP addresses are dynamically allocated. For this reason, user behaviors cannot be mapped to specific users, which prevents user-specific policy control.
Authentication policy
If user authentication is enabled, all PCs in the authentication area will be authenticated before Internet access. Authentication Policy determines the authentication method of PCs on a given IP address/network segment/MAC address. In Authentication Policy, set the authentication method of LAN users and the policy of adding new users.
The administrator can delete, batch edit, enable and disable, import, move up/move down, filter, and select any authentication policy.
| Field name | Note |
| --- | --- |
| Add | On the Authentication Policy list page, click to add a new authentication policy. |
| Delete | On the Authentication Policy list page, click to delete an authentication policy. |
| Edit/Batch edit | On the Authentication Policy list page, select the authentication policy to be edited, and click the policy name. The Edit Authentication Policy page is displayed. Modify the selected policy. Batch edit: Select multiple custom authentication policies to edit only the applicable object, not any other information. |
| Import | Click to select and import an authentication policy file. |
| Enable/Disable | To validate a disabled policy, select it and click Enable. To invalidate an enabled policy, select it and click Disable. |
| Move Up/Move Down | As the policies are matched from top to bottom, you can select the corresponding policy and click Move up, Move down or Custom move to change its matching priority. |

Table 18: Authentication Policy Interface
The authentication policies are matched one by one from top to bottom. You can re-prioritize them by using the move options. By configuring authentication policies, you can configure authentication methods depending on the network segments.
Authentication method
A device can be authenticated in the following ways:
- No authentication;
- Password authentication (including local password authentication and external server authentication);
- SSO. The above authentication methods are configured in Authentication Policy; single sign-on itself is configured in Auth Options.
There are three authentication methods in Authentication Policy: None/SSO, SSO/Local or external password authentication, and SSO only.
All three authentication methods include SSO. If SSO is selected in Auth Options, the user name obtained on the PC through SSO is used first for Internet access after SSO authentication.
1. None/SSO
If SSO is selected in Auth Options, the user name obtained on the PC through SSO is used first for Internet access after SSO authentication.
If SSO is not selected in Auth Options, the device identifies the user based on the source IP address and source MAC address of the packet as well as the hostname. In this mode, no authentication box will pop up in the browser for the user to enter the user name and password upon Internet access. Therefore, the user will not perceive the existence of the device.
Create a user requiring no authentication:
• Deselect Enable user authentication in Authentication Policy. When creating a user, bidirectionally bind the user to an IP/MAC address to form a one-to-one relationship so that IP/MAC-based authentication is possible. (Note that the IP/MAC address range set in Authentication Policy should include the bound IP/MAC address.)
• Deselect Enable user authentication in Authentication Policy, and take the IP address, MAC address, or hostname as the user name. For authentication of LAN users, their usernames are matched based on the IP address, MAC address, or hostname.
2. SSO/Local or external password authentication
When Enable user authentication is selected and this authentication method is used, the authentication procedure for network access is as follows if SSO authentication is not selected or fails:
- The browser redirects the user to a page where the user name and password must be entered before accessing the Internet. Assume that the user name entered is "test" and the password is "password".
- The system checks whether the user "test" is a local user. If the user exists and has a local password (that is, "Local Password" is selected in User Attributes), the system checks whether the user's local password is "password". If yes, authentication succeeds; if no, authentication fails.
- If there is no local user "test", or the user exists but does not have a local password, the system checks on the external authentication server whether the user name and password are correct. If they are correct, authentication succeeds; otherwise, authentication fails.
Local authentication takes precedence over external authentication.
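The top-to-bottom policy matching and the local-before-external password check described above, as an added example model that is not part of the product documentation. The local users, the external server and the two policies (mirroring configuration case 1) are constructed sample data; a real device would query LDAP or another external server instead of a dictionary.

```python
"""Model of authentication policy matching and password authentication order.

Constructed example; policy names, users and passwords are sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed external authentication server: username -> password.
EXTERNAL_SERVER = {"test": "password", "alice": "s3cret"}

# Constructed local user list. local_password is None when the user's
# "Local Password" attribute is not set, so the check goes external.
LOCAL_USERS = {
    "test": {"local_password": "localpw", "group": "/engineer"},
    "bob": {"local_password": None, "group": "/engineer"},
}


@dataclass
class Policy:
    name: str
    network: ipaddress.IPv4Network        # matching rule (IP segment)
    method: str                           # "none_sso" or "password"
    name_by: str = "ip"                   # for none_sso: take IP address as username
    new_user_group: Optional[str] = None  # "Added to specified local group"


# Policies in the order they appear on the list page (top wins).
POLICIES = [
    Policy("Engineering", ipaddress.ip_network("192.168.1.0/24"), "password",
           new_user_group="/engineer"),
    Policy("Default Policy", ipaddress.ip_network("0.0.0.0/0"), "none_sso",
           name_by="ip", new_user_group="/Default group"),
]


def match_policy(src_ip: str, policies=POLICIES) -> Policy:
    """Return the first policy, from top to bottom, whose rule covers src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for policy in policies:
        if ip in policy.network:
            return policy
    raise LookupError("no authentication policy matches %s" % src_ip)


def password_auth(username: str, password: str,
                  local_users=LOCAL_USERS, external=EXTERNAL_SERVER) -> str:
    """Check the local password first; consult the external server only when
    the user is unknown locally or has no local password."""
    user = local_users.get(username)
    if user is not None and user["local_password"] is not None:
        # A local password exists: its result is final, no external fallback.
        return "ok:local" if user["local_password"] == password else "fail:local"
    if external.get(username) == password:
        return "ok:external"
    return "fail:external"


def authenticate(src_ip: str, username: Optional[str] = None,
                 password: Optional[str] = None, sso_user: Optional[str] = None):
    """Return (result, effective username, group a new user would join)."""
    policy = match_policy(src_ip)
    # All three methods include SSO: an SSO identity, when present, is used first.
    if sso_user:
        return "ok:sso", sso_user, policy.new_user_group
    if policy.method == "none_sso":
        # No authentication box; the source IP address becomes the username.
        name = src_ip if policy.name_by == "ip" else username
        return "ok:none", name, policy.new_user_group
    result = password_auth(username or "", password or "")
    return result, (username if result.startswith("ok") else None), policy.new_user_group
```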
3. SSO only
If this option is selected, users in the address range specified in the policy must pass SSO to be authenticated.
Step 1. Set the authentication policy of the specified network segment to "SSO only".
Step 2. On the Auth Options page, enable SSO. For domain SSO, SSO should also be enabled on the domain server.
Step 3. Set Excluded users to exclude non-SSO users. These users enter user names and passwords manually to complete authentication.
New user settings:
New users are those newly added to the device. According to Authentication Policy/New User Options, the device determines whether to add them automatically after matching their IP or MAC address against those in Authentication Policy.
Users passing authentication can be added automatically. These users include users requiring no authentication who are named by IP address, MAC address, or hostname; SSO users; and external-password-authenticated users.
Three options are available for the administrator to add the new users: Added to specified local group, Added as guest account (not added to any local group), and No authentication for new users.
Select authentication zone
Before setting an authentication policy, specify the zones for which authentication will be enabled.
Step 1. Select Enable user authentication.
Step 2. Select the authentication zone.
Step 3. Click Save. The authentication zone is selected.
In general, the authentication zone is the area where the LAN interface is located. Zones are defined as LAN or WAN interface areas. For example, ETH2 is a WAN interface while ETH1 is a non-WAN interface. Therefore, ETH2 is defined as in the WAN zone while ETH1 is in the LAN zone.
Configuration case 1 of adding authentication policy
Configure LDAP server-based third-party password authentication for PCs within 192.168.1.0/255.255.255.0 of the Engineering Dept. New users are automatically added to the "/engineer" group and their user names are bidirectionally bound to IP addresses. That is, there is a one-to-one correspondence between IP addresses and user names. Users in other LAN network segments require no authentication and take IP addresses as user names. New users are automatically added to the "/Default group". (The external LDAP server is taken as an example here. The setting steps are similar for other types of external authentication servers.)
Step 1. Select Configure External Auth Server and set the LDAP authentication server.
Step 2. Select User Auth/Authentication Policy and click Add. The Add Authentication Policy window is displayed. Name: Enter the name of the authentication policy (mandatory). Description: Enter a description of the policy as supplementary information (optional).
IP/MAC address: Enter an IP address, IP segment, or MAC address, which is the matching rule. When an unauthenticated user accesses the Internet via the device, the device matches the user to the corresponding Authentication Policy based on the IP or MAC address of the packets. In this example, set the value to 192.168.1.0/255.255.255.0.
Step 3. Set Authentication Policy/Auth Method to specify how to authenticate users that satisfy the matching rule.
Three authentication methods are provided in Authentication Method: None/SSO, SSO/Local or external password authentication, and SSO only. (For descriptions of the three authentication methods, see the overview in this chapter.)
This example uses third-party server password authentication. Therefore, SSO/Local or external password authentication is selected.
Step 4. Set Authentication Policy/New User Options to configure settings for new users.
If Added to specified local group is selected, the user can be automatically added to the device's user list. In Select Group, select the user group for the new user, and the user will automatically be added to this group. In this example, users added automatically through third-party authentication are added to the /engineer group. Therefore "/Engineer" is selected.
If Does not apply to new users authenticated by external LDAP server (because they can be synchronized to a corresponding group automatically) is selected, and the related LDAP synchronization policy has been set on the device, a user who authenticates through LDAP third-party authentication or SSO is synchronized according to the LDAP synchronization policy and added to the corresponding group. This overrides the Select Group setting in the previous step.
Other user attributes include Concurrent Logins on Multiple Terminals and Bind IP/MAC.
Concurrent Logins on Multiple Terminals: You can select either Allow or Do not allow. This setting is valid for users requiring authentication only.
Bind IP/MAC: Two binding modes, unidirectional and bidirectional.
Unidirectional binding: The user can only use the specified address for authentication, but other users can also use this address for authentication.
Bidirectional binding: The user can only use a specified address for authentication, and this address can only be used by this user.
In this example, bidirectional binding and Bind the IP address on initial login are selected.
If you check Added as guest account (not added to any local group), new users will not be added to the user list. Instead, they can only access the Internet with the permission of casual users. Select a group in Use the group's Internet access permission. The casual users can then access the Internet using the permission of the specified group.
If you check Do not allow the Internet access of new users, new users are not added, and users who are not on the user list and fail authentication are not allowed to access the Internet. They only have the permissions granted to users failing authentication, which are set in User Auth/Auth Options/Other Auth Options.
Step 5. Set the authentication policy of users in other network segments. Users in other LAN network segments require no authentication and take IP addresses as user names. New users are automatically added to the "/Default group". Edit Default Policy in Authentication Policy. Authentication Method: Select Take IP address as username in None/SSO.
New User Options: Select Added to specified local group and "/Default group/".
Authentication policies are matched from top to bottom. The two authentication policies in this example are sorted as follows.
Configuration case 2 of adding authentication policy
PCs with LAN IP addresses residing in 192.168.2.1-192.168.2.255 are automatically added to the "/Marketing Dept." group as new users requiring no authentication. The user names are the hostnames and are bidirectionally bound to MAC addresses.
Step 1. In Authentication > User Authentication > Authentication Options > Obtain MAC by SNMP, set the option to obtain MAC addresses across layer 3 by SNMP.
Step 2. In the Authentication Policy window, click Add. The Add Authentication Policy window is displayed. Specify Name and Description.
Step 3. Under Authentication Method, select None/SSO and select the option Take host name as username.
Step 4. In New User Options, select Added to specified local group and "/Marketing Dept." as the user group.
Select Bind IP/MAC and Bind the MAC address on initial login. In this example, the LAN is a layer-3 network, so you need to obtain the MAC address from the switch through SNMP. Configure the setting in User Auth/Auth Options/Obtain MAC by SNMP.
Step 5. Click Save to complete policy editing.
The hostname of an online PC is obtained via the NetBIOS protocol and sometimes cannot be found. In this case, check the following:
• Whether the NetBIOS protocol is enabled on the target PC
• Whether the target PC has configured multiple IP addresses
• Whether the NetBIOS protocol has been filtered out by the firewall on the target PC
• Whether NetBIOS protocol has been filtered out by a device in the network path
Suppose the PC name cannot be obtained. In that case, the system will identify the PC as a temporary user and name it as Unknown Computer, which will only be displayed in the online user list and will not be added to the specified local group.
If one or more layer-3 switches are installed between the online PC and the device, the source MAC address of the online PC is rewritten in transit, so the real source MAC address cannot be read from the packet. To acquire the real source MAC address of an IP address, obtain via SNMP the ARP table of the layer-3 switch (the gateway device the PC points to) that is nearest to the PC.
Configuration case 3 of adding authentication policy
PCs in the LAN segment 192.168.3.0/255.255.255.0 are authenticated based on the AD domain SSO. After passing the AD domain authentication in the login system and the device's authentication, users in the AD domain can be synchronized to the device. If SSO fails on PCs in this network segment or the PCs do not log in to the domain, the IP address will be used as the user name, no authentication will be required for Internet access, and the users will be added to "/Default group" automatically.
Step 1. Select Configure External Authentication Server and LDAP User Sync.
Step 2. In the Authentication Policy window, click Add. The Add Authentication Policy window is displayed. Specify Name and Description.
Step 3. Under Auth Method, select None/SSO and select the option Take IP address as username.
Step 4. In New User Options, select Added to specified local group and "/Default group/" as the user group. Non-SSO users are then added to the default group and are subject to the Internet access policy of the default group.
Select Does not apply to new users authenticated by external LDAP server (because they can be synchronized to a corresponding group automatically) so that domain SSO users are added to the group set in the synchronization rule.
Note: bidirectional binding does not apply in this example, because a non-SSO user would be automatically added as a new user with its IP/MAC address bound bidirectionally; that address could then be used only by this user, and SSO authentication would no longer take effect. Unidirectional binding is acceptable.
Step 5. Click Save to complete policy editing.
Authentication options
The Authentication Options page is used to set configuration information related to user authentication on the device, including SSO Options, Auth Page Redirection, Authentication Conflict, Obtain MAC by SNMP, and Others.
SSO Options
For customers that use third-party authentication servers to authenticate LAN users, SSO allows LAN users to pass third-party server authentication and device authentication together and obtain permission to access the Internet. The user name and password used by the device are the same as those used by the third-party authentication server. The SSO types currently supported by the device are AD domain SSO, Proxy SSO, POP3 SSO, and Web SSO; these are the basic SSO types. To use SSO, you need to configure users, authentication servers, and user authentication methods in Administrators, External Authentication Server, and Authentication Policy, respectively.
Domain SSO
Domain SSO is suitable for enterprises that use a Microsoft AD domain server for user management and where LAN users log in to their computers with domain accounts. After logging in to the domain, LAN users are considered to have passed device authentication. In other words, end users can log in to the domain and access the Internet without separate device authentication. Domain SSO can be realized by distributing domain scripts or by listening to the packets of the domain login. Domain SSO applies only to Microsoft Active Directory (AD) domains.
Configuration of domain script distribution mode
Configure login (logon.exe) and logout (logoff.exe) scripts for the domain server. Then you can log in to or log out of the device by running the two scripts based on the issued domain policy.
The data stream is as follows:
- PC requests to log in to the domain.
- The domain returns a successful login message to the PC.
- The PC runs logon.exe, which reports the successful domain login to the NGAF device.
Configuration Steps
Step 1. Click User Auth/Auth Options/External Auth Server to set the authentication AD domain service.
Step 2. Enable SSO on the device, select the SSO mode and set a Shared Key. Click User Auth/Auth Options/SSO Options/Domain SSO to enter the editing page.
Select Enable Client-Side Domain SSO to enable domain SSO.
If Obtain login profile by executing login script through domain is selected, SSO is implemented by issuing the domain script. Enter the shared key in Shared Key, as shown below.
The Shared Key is used for encrypted communication between the AD domain server and the device and must be the same in the login scripts. Click the Click Here to Download button in Domain SSO Program to download the login and logout scripts needed to complete Step 3 and Step 4.
IAM11.0R2 and later versions can synchronize authentication information to the NGAF over port 1775.
Step 3. Configure the login script on the AD domain server.
1. After logging in to the domain server, open the Server Manager menu, as shown below.
2. Go to Tools and select the option Group Policy Management.
3. In the pop-up window, go to Group Policy Objects.
4. Right-click and select New to create a new GPO policy.
5. Edit the newly added GPO. In the Group Policy Editor that opens, click User Configuration – Policies – Windows Settings – Script (Login/Logout).
6. Double-click the Logon option on the right, and click Show File on the lower left of the displayed login script editing window to open a directory. Save the login script file to this directory and close the directory.
7. In the displayed login script editing window, click Add. In the Add Script window, click Browse, select the saved login script file (i.e., logon.exe), and enter the IP address (device IP address), port number (always 1775), and key (the Shared Key set on the device) in the Script Parameters area. Note that you must separate each parameter with a space. Then click Apply and OK to close all group policy attribute pages in turn.
8. Configure the logout script program on the AD domain server. The user uses the logout script to log out of the device and the domain.
9. Follow the same steps as for the login script program, but double-click Logout in step 6.
10. Click Show File in the lower left of the logout script editing window that is displayed. A directory opens. Save the logout script file (i.e., logoff.exe) to this directory and then close the directory.
11. Click the Add button in the logout script editing window that pops up. In the Add Script window, click Browse, select the saved AD logout script file (i.e., logoff.exe), enter the NGAF IP address used when configuring the login script parameters in the script parameter column, and then close all the group policy property pages in sequence.
12. After the scripts are configured, click Start in the lower left of the desktop, and click Run. Enter "gpupdate" in the Run window and click OK to activate the configured group policy.
Step 4. Click User Auth/Authentication Policy/Add Authentication Policy. Set the authentication policy according to the IP or MAC address of the SSO user.
Step 5. Log in to the domain on a PC. You can access the Internet after successful login.
- Set the primary DNS of the user's PC to the IP address of the domain server. Otherwise, the domain name cannot be resolved and the login to the domain server may fail.
- If the DNS or IP address has been modified after the user's first successful domain login, the user can still log in to Windows with the correct password, but the user has not actually logged in to the domain and SSO is invalid. When the user attempts to access the network, an authentication box pops up asking for the username and password. The reason is that Windows remembers the last correct password, so the user can log in to the Windows system without logging in to the domain.
- The domain server, the device, and the user's PC must be able to communicate with each other.
- The NGAF device communicates with the server over port 1775.
Configuration of domain monitored SSO:
Automatically obtain login information through the built-in program of the NGAF device: The NGAF device has a built-in SSO client program named ADSSO. When this method is enabled, the program periodically retrieves records of successful PC logins to the domain and reports them to the NGAF device for SSO.
The Single sign-on configuration required on the NGAF device is to select Domain SSO and select Domain Monitor SSO.
Click Add to add a domain server.
Domain DNS Server: Enter the Domain DNS Server and Domain Name. The Domain DNS Server shall be able to resolve the Domain Name. If you click the DNS Name Resolution button, it can automatically resolve the IP addresses of all domain controllers.
Domain Name: Enter the domain name of the domain server.
Controller IP: Enter the IP address of the domain server.
Domain Account: Enter the account (an administrator account or an account listed in the administrator group) with domain admin privileges.
Password: Enter the password of the Domain Account.
Click Test Validity to obtain the result of the domain controller test.
Click Save to save the configuration.
Configuration of integrated Windows authentication
Integrated Windows Authentication (IWA) is an authentication method generally accepted in the Windows domain environment. To implement IWA SSO, you need to add both NGAF and the PC in the LAN to the domain. When opening web pages on the PC, you will be directed to NGAF automatically to submit authentication information to implement the SSO.
SSO configuration on NGAF: Select Enable Domain SSO and Enable Integrated Windows Authentication.
Computer Name: Enter the name of the computer account with which the NGAF joins the domain. The leading part can be customized, but the last four characters must be the last four digits of the gateway serial number. The value may contain only letters, digits, and hyphens "-" and must not exceed 10 bytes.
Domain Name: Enter the name of the domain to be joined by NGAF.
DNS Server: Enter the IP address of the DNS server corresponding to the domain.
Domain Account: Enter the domain account used by NGAF to join the domain.
Password: Enter the password of the domain account.
Click Test Validity to check whether all parameters are valid, and click Submit after passing the test.
In Advanced Settings, you can configure the redirection interval upon authentication failures.
Redirection Interval After Auth Failure (mins): Set the time interval for redirection and re-authentication after IWA SSO fails.
Domain of Windows 2000 Earlier Versions: If the domain server runs on Windows earlier than 2000, you need to set the domain name here.
1. If the domain account expires or is disabled, the logged-in PC can still be successfully authenticated through Kerberos and display UI optimization.
2. IWA authentication does not apply to mobile phone network access via proxy. If IWA authentication is enabled, the authentication window will not pop up as long as the proxy is working.
3. Kerberos authentication will not kick out password-authenticated users.
4. If a domain account containing special characters such as `~! #$%^&*+\|{};:“”‘’,/<>? attempts to log in, no authentication will be performed for this user (only for NGAF).
Configuration of listening mode
In the listening mode, SSO is realized by listening to the traffic between the PC and the domain server during login and extracting the user login information from it. No components need to be installed on the domain server. However, the PC's domain login traffic must either pass through the device or be mirrored to the device's listening port. The device listens for login information on UDP port 88. A user who has successfully logged in to the domain can access the Internet directly without passing the device's authentication again. This mode applies to domain servers on the LAN or WAN. The following describes SSO settings in two scenarios.
Scenario 1: Domain servers in the LAN environment
The data stream is as follows:
- Our device monitors the whole process of computer logging into the domain.
- If the login succeeds, the user is considered as having passed authentication.
Configuration Steps
Step 1. Click User Auth/Auth Options/External Auth Server to set the authentication AD domain service.
Step 2. Enable SSO on the device, select the listening mode, and set the IP address of the domain server. Click User Auth/Auth Options/SSO Options/Domain SSO for configuration. Check Enable Single Sign-on to enable the domain single sign-on function.
Step 3. Select Obtain login profile by monitoring the data of computer logging into domain to enable the listening mode for SSO. Enter the IP address and listening port of the domain server in the list of Domain Controllers. If there are multiple domain servers, place one IP address and one port per line, as shown below.
Step 4. If the login data does not pass through the device, you need to go to the Others tab to enable the mirror interface and connect it to the switch's mirror interface that forwards login data. A mirroring interface must be an idle network interface.
Step 5. Click User Auth/Authentication Policy/Add Authentication Policy to set the authentication policy according to the IP or MAC address of the SSO user.
Step 6. Log in to the domain on a PC. Then you can access the Internet.
Scenario 2: Domain servers on the WAN interface side
The data stream is as follows:
- The PC logs in to the domain through the device, so the login traffic passes through it.
- The LAN port of the device also serves as the listening port, so you do not need to set another listening port.
Configuration Steps
Step 1. Click User Auth/Auth Options/External Auth Server to set the authentication AD domain service.
Step 2. Enable SSO on the device, select the listening mode and set the IP address of the domain server. Click User Auth/Auth Options/SSO Options/Domain SSO for configuration.
Select Enable SSO.
Select Obtain login profile by monitoring the data of computer logging into domain to enable the listening mode for SSO. Enter the IP address and listening port of the domain server in the list of Domain Controllers. If there are multiple domain servers, place one IP address and one port per line, as shown below.
Step 3. Click User Auth/Authentication Policy/Add Authentication Policy. Set the authentication policy according to the IP or MAC address of the SSO user.
Step 4. Log in to the domain on a PC. You can access the Internet after successful login.
In the mirror mode, only the login information of a user is monitored. If a user logs out, no data can be monitored. Therefore, there may be the case that the user that has logged out of a PC is still displayed in the online user list of the device.
Proxy SSO
Proxy SSO is applicable to network access via a proxy. In this mode, each user is assigned an account on the proxy server. When the user passes the proxy server's authentication, the user is also considered to have passed the device's authentication. Proxy SSO is realized in the listening mode, i.e., by listening to the login data.
WAN: The proxy server is on the WAN side, as shown below:
The data stream is as follows:
- The user accesses the Internet through the proxy server, and the device monitors the interaction between the PC and the proxy server.
- If the PC successfully passes the proxy server authentication, it is considered to have passed the device's authentication.
Configuration Steps
Step 1. Enable SSO on the device, select the listening mode and set the IP address of the domain server. Click User Auth/Auth Options/SSO Options/Proxy Single Sign-on for configuration.
Select Enable Proxy SSO.
Enter the IP address and the listening port of the proxy server in Proxy Servers. If there are multiple proxy servers, place one IP address and one port per row. In this example, set the listening port to the proxy authentication port.
Step 2. If the login data does not pass through the device, you need to go to the Others tab to enable the mirror interface and connect it to the switch's mirror interface that forwards login data. A mirroring interface must be an idle network interface.
Step 3. Click User Auth/Authentication Policy/Add Authentication Policy. Set the authentication policy according to the IP or MAC address of the proxy SSO user.
Step 4. Log in to the proxy server on a PC. You can access the Internet after successful login.
To enable automatic authentication for a proxy server on the WAN, enable access to the proxy server in the root group, and select Basic services (except HTTP/HTTPS) are available before a user passes authentication in Options/Others. See the figure below.
POP3 SSO
In an enterprise network with a mail server presence, user information is stored on the POP3 server. Suppose the user has logged into the POP3 server and received or sent an email using Outlook or Foxmail before network access. In that case, the device obtains the login information in the listening mode and automatically identifies and authenticates the user as valid. At this time, the user accesses the Internet directly without the need to enter the username and password. This function applies to POP3 servers on both LAN and WAN. The following describes POP3 SSO settings in two scenarios.
Scenario 1: POP3 servers on the LAN
The data stream is as follows:
- The user communicates with the POP3 server through the mail client, and the device listens to the whole process.
- After the mail client successfully logs in to the POP3 server, the device automatically authenticates the user as valid, allowing the user to access the Internet without password verification.
- As data is exchanged on the LAN, and the login data does not pass through the device, you need to set a listening port on the device.
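The listening behaviour described above can be modelled as a small passive parser. The following is an added example (not the device's own code) that walks a constructed POP3 client/server transcript, as a mirror port would deliver it, and decides which username the device would bind to the client's IP address. Only the username and the outcome of each PASS attempt are retained; the password value is never stored. Only the USER/PASS login form is handled; APOP and SASL AUTH exchanges are not parsed. The transcript, the IP address and the function names are assumptions for illustration.

```python
"""Passive POP3 login detection, modelling the POP3 SSO listening mode.
Added example, not the device's own code; the transcript is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed transcript: ("C", line) is client -> server, ("S", line) is
# server -> client.  The first PASS fails, the second succeeds.
SAMPLE_SESSION: List[Tuple[str, str]] = [
    ("S", "+OK POP3 server ready"),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS wrong-guess"),
    ("S", "-ERR authentication failed"),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS correct-horse"),
    ("S", "+OK Logged in."),
    ("C", "STAT"),
    ("S", "+OK 2 1024"),
]


@dataclass
class Pop3Login:
    username: str
    client_ip: str
    successful: bool


def detect_pop3_logins(session, client_ip="192.168.1.100") -> List[Pop3Login]:
    """Emit one Pop3Login per PASS attempt seen in the transcript.

    The username comes from the preceding USER command; the outcome is the
    server's +OK/-ERR reply to PASS.  The password argument is matched but
    deliberately never kept, which is all an IP-to-user mapping needs."""
    logins: List[Pop3Login] = []
    pending_user: Optional[str] = None
    awaiting_pass_reply = False
    for direction, line in session:
        if direction == "C":
            m = re.match(r"^(USER|PASS)\s+(\S+)", line, re.IGNORECASE)
            if not m:
                continue  # other commands (STAT, RETR, ...) are irrelevant here
            verb, arg = m.group(1).upper(), m.group(2)
            if verb == "USER":
                pending_user = arg
                awaiting_pass_reply = False
            elif verb == "PASS" and pending_user is not None:
                awaiting_pass_reply = True  # next server line decides the result
        elif awaiting_pass_reply:
            ok = line.upper().startswith("+OK")
            logins.append(Pop3Login(pending_user, client_ip, ok))
            awaiting_pass_reply = False
            if ok:
                pending_user = None  # session is authenticated; later USER is a new attempt
    return logins


def authenticated_user(session, client_ip="192.168.1.100") -> Optional[str]:
    """Return the username the device would bind to client_ip, or None if no
    PASS attempt in the transcript was accepted by the server."""
    for login in detect_pop3_logins(session, client_ip):
        if login.successful:
            return login.username
    return None


if __name__ == "__main__":
    for login in detect_pop3_logins(SAMPLE_SESSION):
        print(login)
    print("bound user:", authenticated_user(SAMPLE_SESSION))
```

The failed attempt is recorded but does not authenticate the client; only a server reply beginning with `+OK` to a PASS command does. A PASS without a preceding USER is ignored rather than treated as a login.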
Configuration Steps
Step 1. Click User Auth/Auth Options/External Auth Server to set the authentication POP3 server.
Step 2. Enable SSO on the device, select the listening mode, and set the IP address of the domain server. Click User Auth/Auth Options/SSO Options/POP3 SSO for configuration.
Select Enable POP3 SSO. Enter the IP address and listening port of the POP3 server in Mail Servers. If there are multiple POP3 servers, enter one IP address and one port per row. In this example, set the port to the POP3 authentication port (TCP 110 by default).
Step 3. If the login data does not pass through the device, you need to go to the Others tab to enable the mirror interface and connect it to the switch's mirror interface that forwards login data. A mirroring interface must be an idle network interface.
Step 4. Click User Auth/Authentication Policy/Add Authentication Policy to set the authentication policy according to the IP or MAC address of the POP3 SSO user.
Step 5. Send and receive emails once through the email client on the PC. You can then access the Internet after successfully logging in to the POP3 server.
Scenario 2: POP3 server on the WAN
The data stream is as follows:
- The PC logs into the POP3 server through the device.
- The LAN port of the device also serves as the listening port, so you do not need to set another listening port.
Configuration Steps
Step 1. Click User Auth/Auth Options/External Auth Server to set the authentication POP3 server.
Step 2. Enable SSO on the device, select the listening mode, and set the IP address of the domain server. Click User Auth/Auth Options/SSO Options/POP3 SSO for configuration.
Select Enable POP3 SSO.
Enter the IP address and listening port of the POP3 server in Mail Servers. If there are multiple POP3 servers, enter one IP address and one port per row. In this example, set the port to the POP3 authentication port (TCP 110 by default), as shown below.
Step 3. Click User Auth/Authentication Policy/Add Authentication Policy to set the authentication policy according to the IP or MAC address of the POP3 SSO user.
Step 4. Send and receive emails once through the email client on the PC. You can then access the Internet after successfully logging in to the POP3 server.
To enable automatic authentication for the POP3 server on the WAN, enable access to the POP3 server in the root group, and select Basic services (except HTTP/HTTPS) are available before a user passes authentication in Options/Others, as shown below.
Web SSO
Web SSO applies to users whose account information is stored on their web servers. To implement Web SSO, the user needs to pass the authentication of his/her web server and the device before network access. It applies to Web servers on the LAN or WAN.
Scenario 1: Web server on the LAN
The data stream is as follows:
- The user's login to the Web server is sent in plaintext and is monitored by the device.
- Whether Web SSO succeeds depends on the authentication result, which the device determines from the keyword returned by the server.
Configuration Steps
Step 1. Enable Web SSO on the device, select the SSO mode, and set a shared key. On the Policy Navigation page, select User and Policy Management/User Auth/Auth Options, and go to the Auth Options editing page on the right. Then, click SSO Options/Web SSO to go to the Web SSO configuration page. Select Enable Web SSO on the page that is displayed.
Step 2. Enter the address of the Web authentication server in Web Authentication Server.
Step 3. Select Redirect browser to the above server before authentication. Before authentication, the user will be redirected to this page for Web SSO upon webpage access.
Step 4. Fill in User Form Name with the name of the form field in which the username is submitted for Web authentication.
Step 5. Select Authentication success keyword or Authentication failure keyword to specify the keyword used to identify whether a Web login is successful. For example, if Authentication success keyword is selected, Web SSO succeeds when the success keyword is included in the response to the POST. If Authentication failure keyword is selected, Web SSO fails when the failure keyword is included in the response to the POST.
Step 6. Click Others, select Enable mirror interface, and specify the listening port.
Step 7. Log in to the configured website on the PC, such as the BBS in this example. You can access the Internet after successful login.
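The two pieces of Web SSO logic in Steps 4 and 5, extracting the username from the observed login POST by its form field name and judging the result from the server's response by the configured keyword, can be expressed as follows. This is an added example, not the device's own code; the POST body, the responses, the field name and the function names are constructed for illustration. It also shows the edge case a practitioner should be aware of when only a failure keyword is configured: a response that contains neither keyword (for example an unrelated error page) is then counted as success, because the rule is "fail only when the failure keyword is present".

```python
"""Web SSO decision logic: username from the login POST, result from the
keyword in the server's reply.  Added example, not the device's own code;
the sample traffic below is constructed."""
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed login POST body as a browser would submit it (form-urlencoded).
POST_BODY = "username=bob&password=hunter2&submit=Login"
# Constructed server responses to that POST.
RESPONSE_OK = "<html><body><h1>Welcome back, bob</h1></body></html>"
RESPONSE_BAD = "<html><body><p>Invalid username or password</p></body></html>"
RESPONSE_ERROR = "<html><body><h1>500 Internal Server Error</h1></body></html>"


def extract_username(post_body: str, user_field: str) -> Optional[str]:
    """Return the value of the configured 'User Form Name' field, or None if
    the POST does not carry that field (then it is not a login we recognise)."""
    fields = parse_qs(post_body, keep_blank_values=True)
    values = fields.get(user_field)
    return values[0] if values else None


def login_succeeded(response_body: str,
                    success_keyword: Optional[str] = None,
                    failure_keyword: Optional[str] = None) -> bool:
    """Apply the keyword rule from the configuration page.

    Success-keyword mode: login succeeded only if the keyword is present
    (unknown responses are treated as failures).
    Failure-keyword mode: login failed only if the keyword is present
    (unknown responses are treated as successes)."""
    if success_keyword:
        return success_keyword in response_body
    if failure_keyword:
        return failure_keyword not in response_body
    raise ValueError("either a success or a failure keyword must be configured")


def evaluate_web_sso(post_body: str, user_field: str, response_body: str,
                     success_keyword: Optional[str] = None,
                     failure_keyword: Optional[str] = None) -> Tuple[Optional[str], bool]:
    """Return (username, authenticated) for one observed POST/response pair."""
    username = extract_username(post_body, user_field)
    if username is None:
        return None, False  # not a login form we were told to watch
    return username, login_succeeded(response_body, success_keyword, failure_keyword)


if __name__ == "__main__":
    print(evaluate_web_sso(POST_BODY, "username", RESPONSE_OK, success_keyword="Welcome"))
    print(evaluate_web_sso(POST_BODY, "username", RESPONSE_BAD, success_keyword="Welcome"))
    print(evaluate_web_sso(POST_BODY, "username", RESPONSE_ERROR, failure_keyword="Invalid"))
```

The last call illustrates why the success keyword is the safer choice where the server offers a stable one: in failure-keyword mode an error page with no keyword at all authenticates the user.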
Scenario 2: Web server on the WAN
The data stream is as follows:
- The PC logs into the Web server through the device.
- The LAN interface of the device also serves as the listening port, so you do not need to set another listening port. After the user logs in to the Web server successfully, Web SSO succeeds.
Configuration Steps
Step 1. Enable Web SSO on the device, select the SSO mode, and set a shared key. On the Policy Navigation page, select User Auth/Auth Options, and go to the Auth Options editing page on the right. Then, click SSO Options/Web SSO to go to the Web SSO configuration page. Select Enable Web SSO on the page that is displayed.
Step 2. Enter the address of the Web authentication server in Web Authentication Server.
Step 3. Select Redirect browser to the above server before authentication. Before authentication, the user will be redirected to this page for Web SSO upon webpage access.
Step 4. Fill in User Form Name with the name of the form field in which the username is submitted for Web authentication.
Step 5. Select Authentication success keyword or Authentication failure keyword to specify the keyword used to identify whether a Web login is successful. For example, if Authentication success keyword is selected, Web SSO succeeds when the success keyword is included in the response to the POST; if Authentication failure keyword is selected, Web SSO fails when the failure keyword is included in the response to the POST.
Step 6. Log in to the configured website on the PC, such as the BBS in this example. You can access the Internet after successful login.
RADIUS SSO
When there is any RADIUS server in the user environment and the data packets used for authentication and billing via the RADIUS server pass through the NGAF device, you can enable RADIUS SSO. After successful authentication, the RADIUS username can be used to log in to the NGAF device.
Select Enable RADIUS SSO, and enter the address of the RADIUS server in RADIUS server IP addresses.
If RADIUS authentication and billing packets do not pass through the NGAF device, you need to set a mirror interface on the NGAF device to mirror the data to the NGAF device.
Others
Others: If server login data does not pass through the gateway, you need to select an idle interface to serve as a mirror interface to monitor the login data. Such an interface is required in domain SSO, POP3 SSO, and Web SSO.
Auth Page Redirection
Auth Page Redirection: Specify the page to which the web browser is redirected after a user passes authentication.
Recently visited page: If this option is selected, the user is redirected to the page visited before authentication.
Logout page: If this option is selected, the user is redirected to the logout page.
Specified page: If this option is selected, the user is redirected to a specified page.
Redirect HTTPS request to captive portal: If this option is selected, the HTTPS access request sent before authentication will be redirected to the authentication page.
Authentication Conflict
Authentication Conflict: Specify how to process repeated logins of accounts that disallow concurrent logins. If repeated login is detected, the device either Terminate previous session and require authentication with the current IP or Only tell the user that another user is already logged into this account somewhere else. See the figure below.
Obtain MAC By SNMP
When LAN users are authenticated by binding or limiting the MAC address in layer-3 LAN, Obtain MAC by SNMP must be enabled to obtain the MAC addresses of LAN users. To access this function, the switch on the LAN must support SNMP.
Principle: The NGAF device sends SNMP requests to the layer-3 switch at regular intervals to obtain the switch's MAC address table and stores it in the device's memory. Assume that a computer in another network segment of the layer-3 switch (different from the network segment of the device's LAN port), for example 192.168.1.2, accesses the Internet through the device. When the computer's packets pass through the device, the device detects that their source MAC address is that of the layer-3 switch. Instead of using that MAC, the device looks up the real MAC in its memory by the IP address 192.168.1.2 and authenticates the user against the real MAC.
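The principle above, as an added example rather than the device's own code: a cache of the layer-3 switch's IP-to-MAC table that is re-polled only when the configured SNMP Server Access Interval has elapsed, and a lookup that substitutes the real host MAC whenever a frame arrives with the switch's own MAC as its source. The SNMP poll is replaced by constructed tables; in a real implementation the poll would walk the switch's ipNetToMediaTable (OID 1.3.6.1.2.1.4.22). The switch MAC, the host addresses, the interval and the function names are assumptions.

```python
"""Model of the Obtain MAC by SNMP lookup.  Added example, not the device's
own code; the switch tables and addresses below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Constructed MAC of the layer-3 switch's routed interface facing the device.
L3_SWITCH_MACS: Set[str] = {"00:11:22:33:44:55"}

# Constructed IP-to-MAC tables as the switch would report them at two points
# in time (a real poll would walk ipNetToMediaTable, 1.3.6.1.2.1.4.22).
SWITCH_TABLE_T0 = {"192.168.1.2": "AA:BB:CC:DD:EE:02", "192.168.1.3": "AA:BB:CC:DD:EE:03"}
SWITCH_TABLE_T1 = {**SWITCH_TABLE_T0, "192.168.1.9": "AA:BB:CC:DD:EE:09"}


@dataclass
class SnmpMacCache:
    """In-memory copy of the switch table, refreshed at most every interval_secs."""
    interval_secs: float = 60.0
    table: Dict[str, str] = field(default_factory=dict)
    last_refresh: Optional[float] = None

    def refresh(self, poll: Callable[[], Dict[str, str]], now: float) -> bool:
        """Re-poll the switch only when the access interval has elapsed.
        Returns True if a poll was actually performed."""
        if self.last_refresh is not None and now - self.last_refresh < self.interval_secs:
            return False
        self.table = {ip: mac.lower() for ip, mac in poll().items()}
        self.last_refresh = now
        return True


def resolve_user_mac(src_ip: str, src_mac: str, cache: SnmpMacCache) -> Optional[str]:
    """Return the MAC the device should authenticate for this packet.

    A directly attached host's frame carries its own MAC.  A frame whose
    source MAC is the layer-3 switch's was routed, so the real MAC is read
    from the cached table; None means the switch has not (yet) reported the
    host and the MAC binding cannot be verified."""
    src_mac = src_mac.lower()
    if src_mac not in L3_SWITCH_MACS:
        return src_mac
    return cache.table.get(src_ip)


def demo() -> Dict[str, Optional[str]]:
    """Walk through the lookup at t=0, t=30 s and t=60 s with a 60 s interval."""
    cache = SnmpMacCache(interval_secs=60)
    cache.refresh(lambda: SWITCH_TABLE_T0, now=0)
    switch_mac = next(iter(L3_SWITCH_MACS))
    results = {
        "routed_known": resolve_user_mac("192.168.1.2", switch_mac, cache),
        "direct": resolve_user_mac("192.168.0.5", "DE:AD:BE:EF:00:01", cache),
        "routed_unknown": resolve_user_mac("192.168.1.9", switch_mac, cache),
    }
    # 30 s later the switch has learnt 192.168.1.9, but the interval has not elapsed.
    cache.refresh(lambda: SWITCH_TABLE_T1, now=30)
    results["after_30s"] = resolve_user_mac("192.168.1.9", switch_mac, cache)
    # At 60 s the cache is re-polled and the new host becomes resolvable.
    cache.refresh(lambda: SWITCH_TABLE_T1, now=60)
    results["after_60s"] = resolve_user_mac("192.168.1.9", switch_mac, cache)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `after_30s` case is the practical consequence of the access interval: a host that appears on the switch between polls cannot have its MAC verified until the next poll, so a very long interval delays authentication of new hosts.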
Configuration Steps
Step 1. Enable SNMP on the layer-3 switch.
Step 2. Click User Auth/Auth Options/Obtain MAC by SNMP and select Enable SNMP Settings.
Step 3. Specify SNMP Server Access Timeout (secs) and SNMP Server Access Interval (secs), which are generally left at their default values.
Step 4. In SNMP Servers, click Add Server. In the Add SNMP Server window that is displayed, specify SNMP Server IP Address and click Search. Select the target server returned below and click Save. See the figure below.
Step 5. Click User Auth/Authentication Policy/Add Authentication Policy. Set the authentication policy according to the IP or MAC address of the verified user.
Step 6. PCs under the layer-3 switch can now directly access the Internet after being authenticated as new users.
To search for the SNMP server by IP address, SNMP must be enabled on this server, and COMMUNITY is set to public. Otherwise, the search will fail and you must manually set the SNMP server.
Others
Configure the options related to authentication, as shown in the figure below.
• Auto-log out users who are idle for a specified period of time: you can set an idle period beyond which users are logged out automatically.
• Submit user credentials over SSL: By default, password authentication is carried on an HTTP page, so the credentials are submitted in plaintext. If the customer requires SSL encryption for password authentication, this option must be selected.
• DNS service is available before a user passes authentication: If this option is selected, the user can access the DNS service before authentication.
• Basic services (except HTTP/HTTPS) are available before a user passes authentication: If this option is selected, the user can use root group permissions except for HTTP and HTTPS services before authentication.
• Require authentication again if MAC address is changed: If this option is selected, the user who has passed the authentication will need re-authentication when the MAC address is changed. Assume that a user whose IP address is 192.168.1.1 has been authenticated by user name and password. If the user goes offline and another user changes the IP address to 192.168.1.1 before this user is logged out, the MAC address will change accordingly. In this way, this user must be re-authenticated before network access.
• Lock users if authentication attempts reach the threshold: Specify the maximum number of attempts and the lockout duration (mins) for authentication.
• User can log in only after root certificate is installed: Select this option to install the SSL certificate to access the decryption function.
External authentication server
In External Authentication Server, third-party authentication servers can be configured, including LDAP, RADIUS, and POP3.
LDAP Server
On the Policies/Authentication/User Auth/External Authentication Server page, click Add and select LDAP Server. On the External Authentication Server (LDAP) window that is displayed, enter the name of the server.
Basic configuration:
Server Address: Enter the address of the LDAP server that the AC connects to.
Auth Port: Port connecting to the LDAP server. For example, if the AD domain does not enable SSL/TLS encryption, the port is 389 by default.
Timeout: Set the timeout for an authentication request. If no response is given in this period after the AC device forwards an authentication request to the LDAP server, it is deemed as an authentication failure. If the network between the NGAF device and the LDAP server is slow, you can prolong the timeout period (e.g., 10 seconds).
BaseDN: Specify the start point of the domain search path, which determines the effective range of the LDAP rule. If the user is outside the specified BaseDN, external server authentication does not apply, and the configured policy is invalid for the user. Therefore, BaseDN can be used to divide the regions of administrators.
Synchronized configuration:
Type: MS Active Directory, OpenLDAP, SUN LDAP, IBM LDAP, or OTHER LDAP.
Anonymous Search: Available if the LDAP server supports anonymous search.
Domain User: The NGAF device uses this account to access the LDAP server to search for and synchronize LAN user accounts.
User Password: Password corresponding to the domain user.
User Group Attribute: Specify the unique user attribute field on the LDAP server, for example, the user identifier sAMAccountName attribute on the AD domain and UID on Novell LDAP.
User Group Filter: Specify the user filter conditions of the LDAP server, which determines whether a node is a user. For example, "(|(objectClass=user)(objectClass=person))" can be used in the AD domain to determine if a node is a user.
Search configuration:
Paged Search: Search the LDAP server with the extended API. It is suggested that the default configuration be retained.
Page Size: The size returned upon LDAP paging. 0 indicates unlimited size. It is suggested that the default configuration be retained.
Size limit: This option is provided for LDAP synchronization. In this example, it is suggested that the default configuration be retained.
In Basics, fill in the server's name, IP address, authentication port, timeout, and BaseDN (the path on the server under which the users are located).
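How the BaseDN and the User Group Filter above act together during synchronization can be shown with a small evaluator. This is an added example, not the device's or any LDAP library's code: it parses the RFC 4515 filter subset such filters use (`&`, `|`, `!` nesting, equality, and presence `attr=*`; escapes and substring or extensible matches are left out), restricts candidates to the subtree under the BaseDN, and returns the sAMAccountName of each match. The directory entries are constructed. It also demonstrates a caveat with the AD filter quoted in the text: an Active Directory computer account also carries objectClass `user` and `person`, so `(|(objectClass=user)(objectClass=person))` synchronizes computer accounts as users; the tighter `STRICT_FILTER` below is an assumed alternative that excludes them.

```python
"""Minimal LDAP filter and BaseDN evaluator.  Added example, not the device's
own code; the entries below are constructed."""
from typing import Dict, List, Tuple, Union

# Constructed entries as a synchronization search might return them.
# Note: an AD computer account has objectClass "user" and "person" as well.
PERSON_CLASSES = ["top", "person", "organizationalPerson", "user"]
ENTRIES: List[Dict[str, Union[str, List[str]]]] = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com", "objectClass": PERSON_CLASSES, "sAMAccountName": ["alice"]},
    {"dn": "CN=Bob,OU=Contractors,DC=example,DC=com", "objectClass": PERSON_CLASSES, "sAMAccountName": ["bob"]},
    {"dn": "CN=WS01,OU=Staff,DC=example,DC=com", "objectClass": PERSON_CLASSES + ["computer"], "sAMAccountName": ["WS01$"]},
    {"dn": "CN=Sales,OU=Staff,DC=example,DC=com", "objectClass": ["top", "group"], "sAMAccountName": ["Sales"]},
]

PAGE_FILTER = "(|(objectClass=user)(objectClass=person))"            # filter quoted in the text
STRICT_FILTER = "(&(objectClass=user)(!(objectClass=computer)))"    # assumed tighter alternative


def parse_filter(text: str):
    """Parse a filter string into nested tuples: ('&'|'|'|'!', [children]) or
    ('=', attr_lowercase, value).  Raises ValueError on malformed input."""
    def parse(i: int) -> Tuple[tuple, int]:
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|!":
            op, i, children = text[i], i + 1, []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, eq, value = text[i:end].partition("=")
        if not eq or not attr.strip():
            raise ValueError(f"bad filter item {text[i:end]!r}")
        return ("=", attr.strip().lower(), value.strip()), end + 1

    node, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("trailing data after filter")
    return node


def attr_values(entry: dict, attr_lower: str) -> List[str]:
    """Attribute lookup, case-insensitive in the attribute name (as LDAP is)."""
    for key, vals in entry.items():
        if key.lower() == attr_lower and key.lower() != "dn":
            return [str(v) for v in vals]
    return []


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter; string values compare case-insensitively,
    which is how AD treats objectClass and most string attributes."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = attr_values(entry, attr)
    if value == "*":
        return bool(values)  # presence test
    return any(v.lower() == value.lower() for v in values)


def in_base_dn(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies in the subtree beneath it."""
    def norm(s: str) -> str:
        return ",".join(part.strip().lower() for part in s.split(","))
    d, b = norm(dn), norm(base_dn)
    return d == b or d.endswith("," + b)


def select_users(entries: list, base_dn: str, filter_text: str, attr: str = "sAMAccountName") -> List[str]:
    """Names of the entries under base_dn that satisfy the user filter."""
    node = parse_filter(filter_text)
    return [attr_values(e, attr.lower())[0]
            for e in entries if in_base_dn(e["dn"], base_dn) and matches(node, e)]


if __name__ == "__main__":
    print("page filter  :", select_users(ENTRIES, "DC=example,DC=com", PAGE_FILTER))
    print("strict filter:", select_users(ENTRIES, "DC=example,DC=com", STRICT_FILTER))
    print("Staff OU only:", select_users(ENTRIES, "OU=Staff,DC=example,DC=com", STRICT_FILTER))
```

Narrowing the BaseDN to `OU=Staff,DC=example,DC=com` drops Bob entirely, which is the "divide the regions" behaviour described for BaseDN: a user outside the BaseDN is not authenticated against this server at all.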
RADIUS server
On the Policies/Authentication/User Auth/External Authentication Server page, click Add and select RADIUS Server. On the External Authentication Server (RADIUS) editing page that is displayed, enter the name of the server.
Server Name: Set the name of the Radius server.
IP Address: Fill in the IP address of the RADIUS server.
Authentication Port: Set the authentication port of the Radius server, which is 1812 by default.
Timeout: Set the timeout for an authentication request.
Shared Key: Set the agreed key of the Radius server.
Protocol: Set the RADIUS negotiation protocol: PAP (Password Authentication Protocol, unencrypted), CHAP (Challenge Handshake Authentication Protocol), Microsoft CHAP, Microsoft CHAP2, or EAP_MD5.
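The Shared Key and the PAP protocol above are related in a way worth seeing concretely. With PAP the client's password reaches the device in cleartext, but the device does not put it on the wire to the RADIUS server as-is: RFC 2865 section 5.2 hides the User-Password attribute with an MD5 stream derived from the shared secret and the 16-byte Request Authenticator (CHAP, by contrast, sends a challenge response instead of the password). The following added example (not the device's or any RADIUS library's code) implements that hiding and its inverse so that the role of the shared key is visible: a server configured with a different key recovers garbage rather than the password. The secret, authenticator and passwords below are constructed.

```python
"""RFC 2865 section 5.2 User-Password hiding for RADIUS PAP.  Added example,
not the device's own code; the secret and authenticator are constructed."""
import hashlib
from typing import Dict

# Constructed values: in a real exchange the authenticator is 16 random bytes
# chosen per request by the device, and the secret is the configured Shared Key.
SHARED_SECRET = b"s3cret-shared-key"
REQUEST_AUTHENTICATOR = bytes(range(16))


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Return the User-Password attribute value sent to the RADIUS server.

    The password is null-padded to a multiple of 16 bytes, then each block
    is XORed with b_i = MD5(secret + previous_ciphertext_block), where the
    first 'previous block' is the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = _xor16(padded[i:i + 16], b)
        out += c
        prev = c
    return out


def reveal_user_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as performed by the RADIUS server.  Trailing nulls
    are padding and are stripped (so a password cannot end in a null byte)."""
    if len(hidden) % 16 or not hidden:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        out += _xor16(hidden[i:i + 16], b)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def demo() -> Dict[str, object]:
    password = b"correct horse battery"  # 21 bytes -> two 16-byte blocks
    hidden = hide_user_password(password, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    return {
        "hidden_len": len(hidden),
        "round_trip_ok": reveal_user_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR) == password,
        # A server configured with a different Shared Key cannot recover it.
        "wrong_key_ok": reveal_user_password(hidden, b"other-key", REQUEST_AUTHENTICATOR) == password,
    }


if __name__ == "__main__":
    print(demo())
```

Because the only secret in this construction is the shared key, its strength is what keeps an on-path observer from recovering PAP passwords from captured RADIUS traffic; a short or guessable key makes that hiding ineffective, and the RADIUS packets themselves are not otherwise protected unless they are carried over a secured transport.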
POP3 server
On the Policies/Authentication/User Auth/External Authentication Server page, click Add and select the POP3 Server. On the External Authentication Server (POP3) editing page that is displayed, enter the name of the server.
POP3 server configuration:
Server Address: Enter the IP address of the POP3 server.
Auth Port: Enter the number of the authentication port.
Timeout (secs): Set the timeout for an authentication request.