author contact: [email protected]
I got a task to integrate our corp windows AD with our netscreen firewall webauth function. before this our firewall supports only
local users, that causes big work load to create accounts especially when the user number grows more and more.
To use windows AD, ldap firstly comes into mind but soon I found it’s not usable as I even can’t find where to define the ldap search account and password. As I know on SRX this will work quite well and simply by using ldap to interconnect with windows AD from firewall.
Then I consider netscreen+ radius+windows AD. it’s easy to find a lot of articles about using IAS to achieve this, but it doesn’t work for me
as it requires to install IAS on windows AD, as I am not authorized to do that.
then I figureout the way netscreen+freeradius+ windows AD as below.
1. install freeradius:
yum install freeradius freeradius-ldap
you may need install epel before this if you haven’t done:
yum install epel-release
2. config freeradius:
a. Edit /etc/raddb/clients.conf
add netscreen as the client of freeradius:
.....
client <your_netscreen_IP> {
secret = <your secretkey>
nastype = other
}
......
b. edit /etc/raddb/modules/ldap
At the beginning of radius to use ldap to authenticate a user, it will send a bind firstly with the search account, then it search the account of the user to be webauthed, and then it bind this webauth user account. if each step succeeds, radius reply access accept to netscreen.
so we have to provide the config file with a search account and some information of the webauth account such as the base DN.
Define your ldap server as the windows AD server as below
including the ldap search account(identity+ password) information:
......
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = <your windows ad server ip>
identity = "cn=admin,ou=test,dc=test,dc=com"
password = <password of user admin>
basedn = "ou=test,dc=test,dc=com"
filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
.......
c. /etc/raddb/sites-available/default
enable the ldap authentication in default file by uncomment the ldap line in different sections at least in auth section.
d.edit the attribute map file /etc/raddb/ldap.attrmap
add below line:
replyItem NS-User-Group memberOf
or:
replyItem NS-User-Group memberOf +=
The difference between the two lines is there is operators “+=” in the second line, which is used when the user belongs to more than one group and you want
all the group information to be replied to the netscreen. normally this operator is used for multi-valued attributes.
3. config netscreen:
a. set radius server information
set auth-server "my_radius" id 1
set auth-server "my_radius" server-name <put your free radius ip address here>
set auth-server "my_radius" radius port 1812
set auth-server "my_radius" radius secret <your radius secret key>
set auth radius accounting port 1646
b. config web auth:
set webauth server "my_radius"
set interface "ethernet5/3" webauth
set interface "ethernet5/3" webauth-ip <your netscreen ip used for webauth>
set webauth server "my_radius"
c. config user group information, the group name should be the same as user group information defined on windows AD.
user group information on AD is described in memberOf attribute.
set user-group "CN=group1,OU=test,DC=test" type auth
set user-group "CN=group2,OU=test,DC=test" type auth
d. define the policy which allows the specific group to access the resource:
set policy id 1 from "Untrust" to "Trust" "host1" "server1" "ANY" permit webauth user-group "CN=group1,OU=test,DC=test"
this allows user in the group1 to access server1 from host1 after the user passes the web authentication at the web page: http://<your netscreen ip used for webauth>