Using Microsoft Active Directory Server and IAS Authentication


StoneGate How-To


Table of Contents

Basic Scenario ... page 3

Configuring a Windows 2003 Server for IAS Authentication ... page 3

Configuring Users in Active Directory ... page 8

Configuring an Active Directory Server Element in StoneGate ... page 9


Basic Scenario

This document describes a configuration that combines Microsoft Active Directory and Internet Authentication Service (IAS) on a Windows 2003 server with Stonesoft’s StoneGate™ Firewall/VPN. The firewall authenticates users over the Remote Authentication Dial-in User Service (RADIUS) protocol, for which IAS is Microsoft’s server implementation.

An external Active Directory server that also runs IAS can therefore be used for user authentication in StoneGate. In this example, the user names and passwords are stored in Active Directory and the users authenticate to the firewall with their Windows passwords. When a user authenticates, the StoneGate firewall sends a RADIUS request to the Active Directory server, and IAS checks the credentials against the directory. The firewall and the Management Server also read the directory over LDAP, so the Active Directory users and groups can be browsed and used in security policies in the StoneGate Management Client.

Note – The configuration details needed in your environment may differ from the example.

The following sections describe the steps needed for setting up IAS authentication with Microsoft Active Directory in StoneGate. There are three main steps:

1. Configuring a Windows 2003 Server for IAS Authentication, on page 3.

2. Configuring Users in Active Directory, on page 8.

3. Configuring an Active Directory Server Element in StoneGate, on page 9.

Start with Configuring a Windows 2003 Server for IAS Authentication.

Configuring a Windows 2003 Server for IAS Authentication

An Active Directory on a Windows 2003 server contains the users and their passwords which will be used with RADIUS to authenticate the users in StoneGate. To use IAS authentication, you must install and enable the Internet Authentication Service, Microsoft’s RADIUS server, on the Windows 2003 server. Begin by Installing Internet Authentication Service on the Windows 2003 Server.

Installing Internet Authentication Service on the Windows 2003 Server

! To install Internet Authentication Service on the Windows 2003 server

1. Open the Control Panel and double-click Add/Remove Programs.

2. Click Add/Remove Windows Components. The Windows Components Wizard dialog opens.

Illustration 1.1 Enabling Networking Services

3. Select Networking Services and click Details. The Networking Services dialog opens.


Illustration 1.2 Networking Services Dialog

4. Select Internet Authentication Service and click OK.

5. Click Next.

6. If prompted, insert your Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition compact disc.

7. After the component has been installed, click Finish, and then click Close.

Internet Authentication Service is now installed and should be listed under Start→Programs→Administrative Tools.

Proceed to Enabling the Windows 2003 Server to Read User Accounts in Active Directory.

Enabling the Windows 2003 Server to Read User Accounts in Active Directory

Once you have installed IAS, you must register it in Active Directory so that it can read the user accounts and their dial-in properties. Registering adds the server to the domain’s RAS and IAS Servers security group, which grants that read access.

! To enable the Windows 2003 server to read user accounts in Active Directory

1. Select Start→Programs→Administrative Tools→Internet Authentication Service. The Internet Authentication Service window opens.

Illustration 1.3 Registering Server in Active Directory

2. Right-click Internet Authentication Service and select Register Server in Active Directory from the menu. The Register Internet Authentication Service in Active Directory dialog opens.

3. Click OK.


Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server

You must next define the StoneGate firewall as a RADIUS client for the Windows 2003 server.

! To add StoneGate Firewall as RADIUS Client for the Windows 2003 server

1. Select Start→Programs→Administrative Tools→Internet Authentication Service. The Internet Authentication Service window opens.

2. Right-click RADIUS Clients and select New RADIUS Client from the menu. The New RADIUS Client dialog opens.

Illustration 1.4 New RADIUS Client Properties

3. Enter the name and IP address of the StoneGate firewall node and click Next.

4. As Additional Information, leave RADIUS Standard as the Client-Vendor and set a shared secret (see Illustration 1.5). Use a long, random secret: RADIUS relies on it both to obscure the user password in each request and to authenticate the server’s replies, and a short or guessable secret can be recovered offline from captured RADIUS traffic.

Note – You must use the same shared secret also for the Active Directory Server element that you use in StoneGate. See Creating an Active Directory Server Element in StoneGate, on page 9.

Illustration 1.5 New RADIUS Client - Additional Information

5. Click Finish.

6. If you have a clustered firewall, repeat steps 2-5 for the other firewall nodes.

When you have added all the firewall nodes, they should be listed under RADIUS Clients in the Internet Authentication Service window.


Adding a Remote Access Policy in the Windows 2003 Server to Authorize Requests from Firewall Node(s)

You must create a remote access policy to authorize requests from the firewall node(s) to the Windows 2003 server.

! To add a remote access policy in the Windows 2003 server

1. Open Internet Authentication Service in the Start→Programs→Administrative Tools menu. The Internet Authentication Service window opens.

2. Right-click Remote Access Policies and select New Remote Access Policy from the menu. The New Remote Access Policy Wizard opens.

Illustration 1.6 New Remote Access Policy

3. Click Next.

4. As the Policy Configuration Method, select Set up a custom policy (see Illustration 1.7).

5. Enter a name for the policy and click Next.

Illustration 1.7 Selecting Policy Configuration Method

6. In Policy Conditions, click Add to add a Policy Condition. The Select Attribute dialog opens.

7. Select Client-Friendly-Name and click Add.

8. Enter the client-friendly name of the StoneGate firewall node and click OK.

Note – The client-friendly name must be the same as the name you set for the firewall node in Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server, on page 5.

9. Click Add to add another Policy Condition. The Select Attribute dialog opens.

10. Select Client-IP-Address and click Add.

11. Enter the Authentication NDI (node dedicated IP) address of the StoneGate firewall node, that is, the source address from which the node sends its RADIUS requests, and click OK. See Illustration 1.8 for an example of Remote Access Policy conditions.

(7)

Illustration 1.8 Adding Policy Conditions - Example

12. Click Next.

13. As Permissions, select Grant remote access permission and click Next.

Illustration 1.9 Remote Access Policy - Permissions

14. In the next dialog, click Edit Profile. The Edit Dial-in Profile dialog opens.

15. Switch to the Authentication tab.

16. Uncheck the MS-CHAP and CHAP options and check Unencrypted authentication (PAP, SPAP). With PAP, the firewall forwards the user’s password to IAS inside the RADIUS User-Password attribute, where it is protected only by the RADIUS obscuring scheme keyed with the shared secret, not by strong encryption, so the RADIUS traffic between the firewall and the Windows 2003 server should stay on a trusted network.

Illustration 1.10 Edit Dial-in Profile - Authentication Tab

17. Click OK.

18. Click Next and then Finish.

19. If you have a clustered firewall, repeat the steps above to authorize access from all the firewall nodes.
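The PAP choice in step 16 and the shared secret set for the RADIUS client on page 5 determine what the firewall-to-IAS exchange looks like on the wire. The following is an added example, not code from the Stonesoft document or from StoneGate, that models that exchange in Python following RFC 2865: the client obscures the PAP password with MD5 keyed by the shared secret and a random Request Authenticator, the server (standing in for IAS) recovers it, checks it against a constructed user table, and signs the reply with a Response Authenticator that the client verifies. All secrets, addresses and account names are constructed.

```python
# Added example: RADIUS Access-Request/Accept with a PAP password, per RFC 2865.
# Models a firewall node (client) talking to IAS (server). All values constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    output block), seeded with the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; a wrong secret yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(ident, username, password, nas_ip, secret, request_auth=None):
    """Client side: the datagram a firewall node sends to IAS (UDP/1812)."""
    request_auth = request_auth or os.urandom(16)   # fresh random value per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def _build_response(code, ident, request_auth, attrs, secret):
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def ias_handle(packet, src_ip, clients, directory):
    """Server side. clients: registered client address -> secret (the New RADIUS
    Client entries); directory: user -> password, standing in for the AD lookup."""
    if src_ip not in clients:          # requests from unregistered clients are dropped
        return None
    secret = clients[src_ip]
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in directory and hmac.compare_digest(directory[user].encode(), password)
    return _build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, b"", secret)

def verify_response(response, request, secret):
    """Client side: reply code if its Response Authenticator is valid for the
    request it answers under our secret, else None (forged or wrong secret)."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    code, ident, length = struct.unpack("!BBH", head)
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None

def run_scenarios():
    """Good credentials, bad password, mismatched shared secret, unknown client."""
    secret = b"example-shared-secret-use-a-long-random-one"   # constructed
    node_ip = "192.0.2.1"                                      # node's Authentication NDI, constructed
    clients, directory = {node_ip: secret}, {"alice": "Correct-Horse-Battery"}
    results = {}
    req = build_access_request(1, "alice", "Correct-Horse-Battery", node_ip, secret)
    results["good"] = verify_response(ias_handle(req, node_ip, clients, directory), req, secret)
    req = build_access_request(2, "alice", "wrong", node_ip, secret)
    results["bad_password"] = verify_response(ias_handle(req, node_ip, clients, directory), req, secret)
    # Firewall element holds a different secret than the IAS client entry: IAS recovers
    # garbage and rejects, and the firewall cannot validate the reply it gets back.
    req = build_access_request(3, "alice", "Correct-Horse-Battery", node_ip, b"other-secret")
    resp = ias_handle(req, node_ip, clients, directory)
    results["secret_mismatch"] = (verify_response(resp, req, b"other-secret"), resp[0])
    req = build_access_request(4, "alice", "Correct-Horse-Battery", "198.51.100.9", secret)
    results["unknown_client"] = ias_handle(req, "198.51.100.9", clients, directory)
    return results
```

Call run_scenarios() to see the four outcomes. Two points are worth noticing. A mismatched shared secret does not produce a clean error: IAS just sees a garbled password and answers Access-Reject, and the firewall cannot validate that reply, which is why the Note on page 5 insists the secrets match. And under plain PAP the Access-Request itself carries no explicit integrity check (the Message-Authenticator attribute of RFC 2869 is not required here), so the source address you registered as a RADIUS client and the strength of the secret are what stand between IAS and forged requests.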


Configuring Users in Active Directory

The next step is to allow the users listed in the Active Directory to authenticate with RADIUS.

Allowing a User in Active Directory to Authenticate with RADIUS

! To allow a user in Active Directory to authenticate with RADIUS

1. Select Start→Programs→Administrative Tools→Active Directory Users and Computers on the Windows 2003 Server.

2. Double-click the user who should be able to authenticate with RADIUS. The Properties dialog opens.

3. Switch to the Dial-in tab.

Illustration 1.11 User Properties - Dial-in Tab

4. For Remote Access Permission (Dial-in or VPN), select Allow access.

5. Switch to the Account tab and make sure that Store password using reversible encryption is selected in the Account options.

Illustration 1.12 User Properties - Account Tab

Note – If this option was not already selected in the user’s Properties, you must save the user’s password again after selecting the Store password using reversible encryption setting, because the reversibly encrypted copy of the password is only created when the password is next set. Right-click the user and select Reset password from the menu that opens.

Note – The Store password using reversible encryption setting must also be enabled under Password Policy in the domain’s Group Policy (the Default Domain Policy) on the Windows 2003 server. If this setting is not enabled in the domain Password Policy, the Store password using reversible encryption setting in the user’s Account options will not have any effect.

Note – A reversibly encrypted password is equivalent to a clear-text password for anyone who can read the directory database or a backup of it, and every account whose password is set while the setting is in effect is affected. Give accounts that authenticate this way no more privileges than the VPN access requires, and protect domain controller backups accordingly.
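The two account settings above correspond to directory attributes that can be audited without opening each user’s Properties: Allow access on the Dial-in tab sets msNPAllowDialin to TRUE, and Store password using reversible encryption sets the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x80) in userAccountControl. The following check is an added example, not part of the Stonesoft document or a StoneGate tool; it runs over constructed sample records standing in for an export from Active Directory and reports which accounts meet this section’s requirements and which carry a clear-text-equivalent password.

```python
# Added example: audit AD accounts for the settings this section requires.
# "Allow access" on the Dial-in tab sets msNPAllowDialin = TRUE; "Store password
# using reversible encryption" sets bit 0x80 in userAccountControl. The records
# below are constructed sample data standing in for an ldifde/csvde export.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
DONT_EXPIRE_PASSWORD = 0x10000

SAMPLE_ACCOUNTS = [  # constructed
    {"sAMAccountName": "alice", "userAccountControl": 0x0280, "msNPAllowDialin": "TRUE"},
    {"sAMAccountName": "bob", "userAccountControl": 0x0200, "msNPAllowDialin": "TRUE"},
    {"sAMAccountName": "carol", "userAccountControl": 0x0280, "msNPAllowDialin": None},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10280, "msNPAllowDialin": "TRUE"},
    {"sAMAccountName": "dave", "userAccountControl": 0x0282, "msNPAllowDialin": "FALSE"},
]


def check_account(rec):
    """Return (ready_for_this_howto, findings) for one account record."""
    uac = int(rec["userAccountControl"])
    dialin = (rec.get("msNPAllowDialin") or "").upper()
    findings = []
    if uac & ACCOUNTDISABLE:
        findings.append("account is disabled")
    if dialin == "FALSE":
        findings.append("dial-in permission denied; IAS rejects the user regardless of policy")
    elif dialin != "TRUE":
        findings.append("dial-in permission not set; access depends on the remote access policy")
    if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
        findings.append("WARNING: password stored reversibly (clear-text equivalent)")
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append("WARNING: that clear-text-equivalent password never expires")
    else:
        findings.append("reversible encryption not enabled; enable it and reset the password")
    if uac & PASSWD_NOTREQD:
        findings.append("WARNING: password not required on this account")
    ready = dialin == "TRUE" and bool(uac & ENCRYPTED_TEXT_PWD_ALLOWED) and not uac & ACCOUNTDISABLE
    return ready, findings


def audit(records):
    """Map sAMAccountName -> (ready, findings) for every record."""
    return {r["sAMAccountName"]: check_account(r) for r in records}
```

Feed audit() the records of an LDAP query or an ldifde/csvde export that returns those three attributes. The WARNING lines are the ones to act on: every account flagged as reversibly stored can have its password recovered from the directory database or from a backup, so the set of such accounts should stay as small as the firewall deployment allows.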


Configuring an Active Directory Server Element in StoneGate

The next step is to configure an Active Directory Server in StoneGate. Start by Creating an Active Directory Server Element in StoneGate.

Creating an Active Directory Server Element in StoneGate

The Active Directory Server element contains both the user directory (LDAP) settings and the authentication service (RADIUS) settings needed to use a Windows 2003 server for user authentication.

! To define an Active Directory Server element

1. Click the Configuration button in the toolbar to switch to the Configuration view.

2. Right-click the Network Elements category in the tree view and select New→Active Directory Server from the menu that opens. The Active Directory Server Properties dialog opens.

Illustration 1.13 Active Directory Server Properties - General Tab

3. Specify a unique Name and IP Address for the server.

4. In this example, leave the Location and Contact Addresses at default values. You need to modify their values only if there is a NAT device between a firewall and the Active Directory server, so that the firewall cannot connect directly to the Active Directory Server’s IP address.

5. Define the Timeout for how long StoneGate waits for the server to reply.


Configuring Active Directory Server’s LDAP Settings

The LDAP settings include user information and other settings that StoneGate uses to connect to the Active Directory server. Make sure there are matching definitions on the Active Directory server.

! To Configure LDAP User Services

1. Switch to the LDAP tab of the Active Directory Server Properties dialog.

Illustration 1.14 Active Directory Server Properties - LDAP Tab

2. Define the domain used as the base for Distinguished Names (DN) in the Base DN field as it is defined on the Active Directory server (e.g., “dc=example, dc=com”).

3. In the Bind User ID field, define the Distinguished Name of the User ID the StoneGate firewall uses when connecting to the Active Directory server (e.g., “uid=admin, ou=Administrators”). Use a dedicated account for this purpose; the lookups described here need only read access to the directory, so do not bind with an administrative account.

4. In the Bind Password field, enter the password of the User ID the StoneGate firewall uses when connecting to the Active Directory server.

5. For Schema, leave the default value Standard.

6. Leave the UserID Attribute and Group Member Attribute at the default values.

7. Leave the default port (TCP port 389) as the Port Number. Note that a simple LDAP bind on port 389 sends the Bind Password in clear text, so the LDAP connections from the firewall and the Management Server to the Active Directory server should run over a trusted network.

Proceed to Configuring Active Directory Server’s Authentication Settings.

Configuring Active Directory Server’s Authentication Settings

You can use the Active Directory Server’s Internet Authentication Service to authenticate the users. The protocol used is RADIUS.

! To configure the authentication settings

1. In the Active Directory Server Properties dialog, switch to the Authentication tab.

Illustration 1.15 Active Directory Server - Authentication Tab

3. Type or paste the Shared Secret. It is used to authenticate the connection from StoneGate to the Windows 2003 server.

Note – The shared secret must be the same as the one you entered for the firewall node(s) in Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server, on page 5.

4. Specify the Number of Retries. If StoneGate fails to connect to the Windows 2003 server, it tries to connect again the specified number of times before giving up on the authentication.

5. Click OK.

Proceed to Defining Domains.

Defining Domains

Each Active Directory Server has its own domain in StoneGate. One domain can be selected as the default domain. Users who belong to the default domain need not specify the domain (for example: “username@domain”) when they are authenticating.

! To define a new domain

1. Click the Configuration button in the toolbar to switch to the Configuration view.

2. Right-click Firewall Configuration in the left panel and select New→Domain from the menu that opens. The Domain Properties dialog opens.

Illustration 1.16 Domain Properties - General Tab

3. Enter the Name for the new domain.

• If the domain you are creating is not to be the default domain, users must type in the domain name when they authenticate.

4. Select the checkbox Default Domain, if this domain will be used for all or most authentications.

• Naturally, only one domain can be the default domain, so the selection is automatically cleared from the previous domain when you select the option for some different domain.

5. The defined Active Directory Servers that have no domain yet are shown on the left. Select the correct server and click Add to bind the server to the domain.

6. Switch to the Default Authentication tab to select the authentication service.

7. Click Select. A list of authentication services opens.

8. Select IAS authentication and click Select.

Illustration 1.17 Domain Properties - Default Authentication Tab

You have now completed all of the steps required in StoneGate for setting up the Windows 2003 server as an Active Directory Server. You can now browse the users listed in the Active Directory with the Management Client. Go to Users and then to the new domain you just created to browse the list of users (see Illustration 1.18).

Illustration 1.18 Browsing Users

Proceed to Modifying Firewall Policy to Allow IAS Authentication Connections to allow the connections needed for IAS authentication.

Modifying Firewall Policy to Allow IAS Authentication Connections

If the Active Directory server is located in a different network than the Management Server, make sure that the servers are able to communicate using the LDAP protocol. This makes it possible to browse the user information from the Active Directory server.

To use IAS authentication for mobile VPN users, the Firewall Policy must contain an Access Rule for mobile VPN traffic with the proper user and authentication parameters (see Illustration 1.19).

Illustration 1.19 Example of Access Rules Allowing Use of Active Directory

Note – The firewall allows its own RADIUS connections to the Active Directory server by default. If the rules inherited from the default template are included in the policy, it is not necessary to add a rule for the RADIUS connections.

Tip: The Windows Event Viewer shows an event for each authentication attempt. The event is visible in the System log under Event Viewer with IAS as the source, including the reason a request was rejected. This provides useful information for troubleshooting. Select Start→Programs→Administrative Tools→Event Viewer to open the Event Viewer.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Copyright and Disclaimer

Copyright © 2000–2007 Stonesoft Corporation. All rights reserved.

These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS.

IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Revision: SGHT_20070905

Stonesoft Corp., Itälahdenkatu 22a, FIN-00210 Helsinki, Finland, tel. +358 9 4767 11, fax +358 9 4767 1234

Stonesoft Inc., 1050 Crown Pointe Parkway, Suite 900
