
LDAP Authentication

In document H3C SSL VPN Configuration Examples (Page 44-49)

Feature overview

Use the LDAP system to authenticate remote users of SSL VPN.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree to enter the authentication policy management page.

2) Select the LDAP Authentication tab to enter the LDAP authentication policy configuration page.

3) Configure the LDAP server address, service port, user group LDAP attribute, version, and certificate policy. Select the Enable Authentication check box.

4) To resolve the user DN from a template, select Query for user DN using template and configure the user DN template as cn=%logon%,dc=vpn-domain,dc=com.

Figure 53 LDAP authentication configuration with the query mode as template

5) Alternatively, to resolve the user DN by searching the directory, select Check user DN by querying and configure the following:

• Specify the Administrator DN as cn=manager,dc=vpn-domain,dc=com.

• Type 123456 as the password.

• Specify the query base DN as dc=vpn-domain,dc=com.

• Specify the query template as cn=%logon%.

Hangzhou H3C Technologies Co., Ltd www.h3c.com 45/76

Figure 54 LDAP authentication configuration with the query mode as query

Check user DN by querying and Query for user DN using template settings are mutually exclusive.

Server configuration

In this configuration example, the LDAP server is openldap running on a Linux server. When installing the Linux system, choose to install all components. After the installation, start the openldap server directly; it runs as the slapd process. Follow these steps to configure openldap:

1) File slapd.conf in directory /etc/openldap/ is the LDAP server startup configuration file. Open the file and locate the following contents:

• The contents in the red box are the LDAP server root directory (the directory suffix). You can change it to your own directory, such as dc=vpn-domain,dc=com.

• The contents in the blue box are the default administrator DN and password. You can modify them, for example, to cn=vpn-manager,dc=vpn-domain,dc=com. The comment marker # in front of the rootpw lines selects whether the administrator password is stored in clear text or in cipher text; the password itself can also be changed.

2) Add users. Users in LDAP are stored in a directory tree, and you can create directories at different levels to hold them. There are several ways to add LDAP records. The recommended way is to use a file: create a *.ldif file whose contents are the records to be added. This also lets you add users in a batch.

First, create the root directory, dc=vpn-domain,dc=com. Create the file root.ldif, with its contents in the format of:

dn: dc=vpn-domain,dc=com

Then, run the command ldapadd -x -D "cn=Manager,dc=vpn-domain,dc=com" -w "secret" -f root.ldif. If the following output is displayed, the root directory has been added successfully.

Proceed to add a user. Create the file user.ldif, with its contents being:

dn: cn=usera,dc=vpn-domain,dc=com
objectClass: person
cn: usera
sn: usera
description: usergroup

Then, run the command ldapadd -x -D "cn=Manager,dc=vpn-domain,dc=com" -w "secret" -f user.ldif. If the following output is displayed, the user has been added successfully.

Use the command ldapsearch -x -b "dc=vpn-domain,dc=com" to display the related information stored on the LDAP server.

In this example, the LDAP attribute description is used as the user group attribute. In practice, you can add a self-defined user group attribute according to customer requirements.
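As an added example that is not part of the H3C document, the following Python models how the gateway resolves a login name under the two user DN modes described in the configuration procedure (template and query) and how the configured user group LDAP attribute (description here) is mapped onto a group known to the gateway. The directory entries, the GATEWAY_GROUPS set and the function names are constructed for this example; the login name is escaped before it is substituted into the DN or the search filter so that it is always matched literally.

```python
import re

# Constructed stand-in for the openldap directory built from root.ldif and user.ldif.
DIRECTORY = {
    "cn=usera,dc=vpn-domain,dc=com": {"cn": "usera", "sn": "usera", "description": "usergroup"},
    "cn=userb,dc=vpn-domain,dc=com": {"cn": "userb", "sn": "userb", "description": "admins"},
}
GATEWAY_GROUPS = {"usergroup"}  # user groups that exist on the SSL VPN gateway (constructed)

def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def dn_from_template(logon, template="cn=%logon%,dc=vpn-domain,dc=com"):
    """'Query for user DN using template' mode: the DN is built without querying the server."""
    return template.replace("%logon%", escape_dn_value(logon))

def dn_by_query(logon, base_dn="dc=vpn-domain,dc=com", query_template="cn=%logon%"):
    """'Check user DN by querying' mode: after binding as the administrator DN,
    search base_dn with the filter built from the query template."""
    filt = "(" + query_template.replace("%logon%", escape_filter_value(logon)) + ")"
    m = re.fullmatch(r"\((\w+)=((?:[^()*\\]|\\[0-9a-f]{2})*)\)", filt)
    if not m:  # a logon lookup must stay a single equality match
        raise ValueError("unexpected filter shape: " + filt)
    attr, raw = m.group(1), m.group(2)
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    hits = [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base_dn) and entry.get(attr) == wanted]
    return hits[0] if len(hits) == 1 else None  # missing or ambiguous: no DN, no bind

def user_group(dn, group_attr="description"):
    """Map the configured user-group LDAP attribute to a group the gateway knows."""
    group = DIRECTORY.get(dn, {}).get(group_attr)
    return group if group in GATEWAY_GROUPS else None
```

A login name such as usera)(cn=* is escaped to a literal assertion value, so it matches no entry instead of changing the filter; a user whose description names a group the gateway does not have resolves to no group.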

Verifying the LDAP authentication configuration

After logging in, remote user [email protected] can view and access various resources.

If the default authentication type is LDAP, users can directly use usera to log in.

AD Authentication

Feature overview

Use the AD domain system to authenticate remote users of SSL VPN.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree to enter the authentication policy management page.

2) Select the AD Authentication tab to enter the AD authentication policy configuration page.

• Configure the AD domain name and the AD server address list. You can specify multiple AD server addresses, separated by semicolons (;). This allows the system to switch to another AD server for user authentication when the current AD server is down.

• Configure the administrator account and password. The administrator account can be any user in the Users directory of the AD domain who has the right to access the directory.

• Select the username format. The default username format can be used as-is.

• Select Enable Authentication.

• Configure the server failure restoration time. When the system detects that the AD server used for authentication is down, it automatically switches to another AD server. Before processing a new authentication request, the system checks whether the time since the failed AD server went down has exceeded the failure restoration time. If it has, the system considers that AD server to be back up and switches to it. If it has not, the system sends the authentication request to another AD server.

Figure 55 AD authentication policy configuration
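The server failure restoration logic described above, as an added Python model that is not H3C's code: the address list is split on semicolons as the configuration page expects, a server that has been marked down is skipped until its failure restoration time has elapsed, and the next server in the list is used in the meantime. The AdServerPool class and the addresses in the test are constructed for this example.

```python
class AdServerPool:
    """Failover across the configured AD server address list (constructed model)."""

    def __init__(self, server_list, restore_seconds):
        # The configuration page takes "addr1;addr2;..." as the server address list.
        self.servers = [s.strip() for s in server_list.split(";") if s.strip()]
        self.restore_seconds = restore_seconds
        self.failed_at = {}  # server address -> time (seconds) it was detected down

    def mark_down(self, server, now):
        """Record that an authentication attempt found this server down."""
        self.failed_at[server] = now

    def select(self, now):
        """Return the server to send the next authentication request to, or None."""
        for server in self.servers:
            down_since = self.failed_at.get(server)
            if down_since is None:
                return server  # healthy server found in list order
            if now - down_since > self.restore_seconds:
                del self.failed_at[server]  # restoration time exceeded: treat as resumed
                return server
        return None  # every server is down and none has reached its restoration time
```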

Server configuration

This example uses the directory service of Windows 2000 Server or a later version.

1) Log in to the AD domain management platform.

• Log in to the Windows system.

• Click Start and select Programs > Administrative Tools > Active Directory Users and Computers.

2) Add a user.

• In the left navigation tree, select any directory: a built-in directory other than Builtin, or one you created.

• Right-click the directory and select New > User.

3) Configure information for the user.

• Type usera for both the username and the login name.

• Click Next, type the password 123456, select Password never expires for the user, keep the default settings of the other items, and then click OK.

4) Add a group.

• In the left navigation tree, select any directory: a built-in directory other than Builtin, or one you created.

• Right-click the directory and select New > Group.

5) Configure information for the group.

• Specify the group name as usergroup. A group with this name must also exist on the SSL VPN gateway.

• Keep the default settings of the other items.

6) Add the user to the group.

• Select the group usergroup. Right-click the group and select Properties. Click the Members tab and then the Add button. Enter usera in the Enter the object names to select field and click Check Names. The system checks and completes the username.

• Click OK.

Verifying the AD authentication configuration

After logging in, remote user usera can access various resources.

If the default authentication type is AD, users can directly use usera to log in.
