Author Contact: [email protected]
I got a task to integrate we corp Windows AD with our NetScreen firewall Webauth function. Before this we firewall supports only
Local users, that's causes big work load to create accounts especially when the user number is grows and more.
To use Windows AD, LDAP firstly comes into mind but soon I found it's not usable as I even can ' t find where to define the LDAP search account and password. As I know on SRX this would work quite well and simply by using LDAP to interconnect with Windows AD from firewall.
Then I consider netscreen+ radius+windows AD. It's easy-to-find a lot of articles about using the IAS to achieve this, but it doesn ' t work for me
As it requires to install IAS on Windows AD, as I am not authorized to do.
Then I figureout the netscreen+freeradius+ Windows AD as below.
1. Install Freeradius:
Yum Install Freeradius freeradius-ldap
Need install Epel before this if you haven ' t do:
Yum Install Epel-release
2. config Freeradius:
A. edit/etc/raddb/clients.conf
Add NetScreen as the client of Freeradius:
.....
Client <your_netscreen_IP> {
Secret = <your secretkey>
Nastype = Other
}
......
b . Edit/etc/raddb/modules/LDAP
At the beginning of radius to use LDAP to authenticate a user, it would send a bind firstly with the search account, then I T search the account of the user to is webauthed, and then it bind this Webauth user account. If each step succeeds, radius reply access is accept to NetScreen.
So we had to provide the config file with a search account and some information of the Webauth account such as the base D N.
Define your LDAP server as the Windows AD server as below
Including the LDAP search account (identity+ password) information:
......
LDAP{
#
# Note that this is needs to match the ' name ' in the LDAP
# server certificate, if you ' re usingLdaps.
Server = <your Windows Ad ServerIP>
Identity = "cn=Admin,ou=TEST,DC=TEST,DC=com "
Password = <password of user admin>
BaseDN= "ou=TEST,DC=TEST,DC=com "
Filter = "(cn=%{%{stripped-user-name}:-%{user-name}}) "
#Base_filter= "(objectclass=Radiusprofile)"
.......
C./etc/raddb/sites-available/default
Enable the LDAP authentication in default file by uncomment-the LDAP line in different sections at least-auth section.
D.edit The attribute map File/etc/raddb/ldap.attrmap
Add below line:
Replyitem Ns-user-group memberOf
Or
Replyitem ns-user-group memberOf + =
The difference between the lines is there is operators "+ =" in the second line, which are used when the user belongs to More than one group and you want
All of the group information to being replied to the NetScreen. Normally this operator are used for multi-valued attributes.
3. config NetScreen:
a . Set RADIUS server information
Set Auth-server "My_radius" ID 1
Set Auth-server "My_radius" Server-name <put your free radius IP address here>
Set Auth-server "My_radius" RADIUS port 1812
Set Auth-server "My_radius" radius secret <your radius Secret key>
Set Auth RADIUS Accounting port 1646
b . config Web auth:
Set Webauth server "My_radius"
Set interface "ETHERNET5/3" Webauth
Set interface "ETHERNET5/3" webauth-ip <your netscreen IP used for webauth>
Set Webauth server "My_radius"
C . config user group information, the group name should is the same as user group information defined on Windows AD .
User group information on AD was described in memberOf attribute.
Set user-group "cn=group1,ou=test,dc=test" type auth
Set User-group "Cn=group2,ou=test,dc=test" type auth
d. Define the policy which allows the specific group to access the resource: &N Bsp
set policy ID 1 from ' untrust ' to ' Trust ' ' host1 ' "" Server1 "" any "Permit webauth user-gro Up "Cn=group1,ou=test,dc=test"
This allows user in the group1 to access Server1 from host1 after the user passes the Web authentication at the Web page: Http://<your netscreen IP used for webauth>
This article is from the "11762130" blog, please be sure to keep this source http://11772130.blog.51cto.com/11762130/1792215
NetScreen Webauth with Windows AD Account and group via Freeradius