Configuring Authentication (NETGEAR ProSecure STM150, STM300 and STM600 Web and Email Threat Management Appliance reference manual)


ProSecure Web/Email Security Threat Management (STM) Appliance

3. Click the Add table button. The new user is added to the List of Users table.

To delete a user from the List of Users table, click the Delete table button in the Action column for the user that you want to delete.

Editing User Accounts

The only field that you can change for a user account is the password.

To modify the password for a user:

1. Select Users > Users from the menu. The Users screen displays (see the previous figure).

2. Click the Edit table button in the Action column for the user whose password you want to modify. The Edit User screen displays. (The following figure contains an example.)

Figure 86.

3. Modify the password:

a. In the Password field, enter the new password.

b. In the Confirm Password field, repeat the new password.

4. Click Apply to save your settings.

Configuring Authentication

The authentication options of the STM are discussed in the following sections:

Understanding the STM’s Authentication Options on page 155

Understanding Active Directories and LDAP Configurations on page 157

Creating and Deleting LDAP and Active Directory Domains on page 161

Editing LDAP and Active Directory Domains on page 164

Understanding the ProSecure DC Agent on page 164

Requirements for the ProSecure DC Agent Software and DC Agent Server on page 165

154 | Chapter 5. Managing Users, Groups, and Authentication


Downloading ProSecure DC Agent Software, and Creating and Deleting DC Agents on page 165

Creating and Deleting RADIUS Domains on page 167

Editing RADIUS Domains and Configuring VLANs on page 169

Understanding the STM’s Authentication Options

The login screen and authentication on the STM depend on the user type. There are two basic user types on the STM that are explained in the following sections:

Administrative users and users with guest privileges

Users with special access privileges

Administrative Users and Users with Guest Privileges

Users with administrative and guest privileges on the STM need to log in through the NETGEAR Configuration Manager Login screen (see the following figure), where they are authenticated against the STM's local user database. These users need to provide their user name and password.

For information about the predefined administrator and guest user accounts, see About Users with Administrative and Guest Privileges on page 61. For information about how to change the default administrator name and password or the default guest name and password, see Changing Administrative Passwords and Timeouts on page 62.

Figure 87.

Users with Special Access Privileges

Users who have a computer behind the STM and who are assigned access policies that differ from the STM's default email and Web access policies (see Setting Access Exception Rules for Web Access on page 132) need to log in through the User Portal Login screen (see the following figure). These users need to provide their user name and password, and select the domain to which they have been assigned.


The lower part of the NETGEAR Configuration Manager Login screen (see the previous figure) provides a User Portal Login Link that lets you open the User Portal Login screen:

Figure 88.

After a user has logged in through the User Portal Login screen, the Authentication screen displays:

Figure 89.

The Authentication screen shows the IP address with which the user has logged in and lets a user change his or her password.

If you do not use the DC agent in your configuration (see Understanding the ProSecure DC Agent on page 164), after completing a session, a user needs to log out by following these steps:

1. Return to the User Portal Login screen (see Figure 88).

Note: The user needs to know how to return to the User Portal Login screen. The administrator needs to provide the User Portal Login URL: https://<IP_address>/~common/cgi-bin/user_login.pl or https://<FullyQualifiedDomainName>/~common/cgi-bin/user_login.pl

Alternately, the administrator can provide the URL of the NETGEAR Configuration Manager Login screen, from which the user can access the User Portal Login screen: https://<IP_address> or https://<FullyQualifiedDomainName>


2. Log in again.

3. On the Authentication screen (see the previous figure), click the Logout link.

WARNING!

Ensure that users understand that they need to log out after completing a session. The STM ties the portal session to the IP address shown on the Authentication screen, not to the person, so a subsequent user of the same computer would otherwise inherit access privileges that were not assigned to them.

In addition to authentication through the STM’s local user database, the STM supports the following external authentication methods for users logging in through the User Portal Login screen:

LDAP. A network-validated, domain-based authentication method that functions with a Lightweight Directory Access Protocol (LDAP) authentication server. LDAP is a standard for querying and updating a directory. Because LDAP supports a multilevel hierarchy (for example, groups or organizational units), this information can be queried to provide specific group policies or bookmarks based on LDAP attributes.

Active Directory. A network-validated, domain-based authentication method that functions with a Microsoft Active Directory authentication server. Microsoft Active Directory authentication servers support a group and user structure. Because Active Directory supports a multilevel hierarchy (for example, groups or organizational units), this information can be queried to provide specific group policies or bookmarks based on Active Directory attributes. A Microsoft Active Directory database uses an LDAP organization schema.

RADIUS. A network-validated, password-based authentication method (PAP or CHAP) that functions with a Remote Authentication Dial In User Service (RADIUS) server. RADIUS supports two password protocols:

- PAP. Password Authentication Protocol (PAP) is a simple protocol in which the client sends the password itself. On the RADIUS leg between the STM and the server, the User-Password attribute is only obfuscated with an MD5 keystream derived from the shared secret, so anyone who holds or guesses that secret can recover the password from captured traffic.

- CHAP. Challenge Handshake Authentication Protocol (CHAP) is a three-way handshake: the server sends a random challenge, the client answers with an MD5 hash computed over the challenge and the user's password, and the server recomputes the hash to verify the answer. The password itself never crosses the wire, but the server must hold it in recoverable form to compute the hash.

When logging in through the User Portal Login screen, users need to provide their name and password, and select the domain that corresponds to the authentication method that has been assigned to them.

Understanding Active Directories and LDAP Configurations

This manual assumes that you already have a knowledge of Active Directories and LDAP servers. The following sections are meant to provide some additional information before you go to Creating and Deleting LDAP and Active Directory Domains on page 161.


How an Active Directory Works

Understanding how a typical Active Directory (AD) works might be of help when you are specifying the settings for the LDAP and Active Directory domains on the STM.

The following applies to a typical AD:

Organizational unit (OU), common name (CN), and domain component (DC) entries can all be used to build a search base in the AD. The following applies to the OU and CN containers:

- An AD administrator can create an OU, but the built-in CN containers (for example, cn=Users) are created by the AD server itself and cannot be created by the administrator.

- An AD administrator can apply a group policy object (GPO) to an OU but not to a CN.

An OU is created in the root node (for example, dc=companyname,dc=com) of the hierarchy. In a company AD, an OU often represents a regional office or department.

By default, groups are created under cn=Users.

Users are created under an OU so that they appear in the logical tree of the AD server.

The relationship between a group and its users is built from their attributes (by default, member on the group and memberOf on the user). These attributes show in a lookup result.

The following is an example of how to set the search base:

If in a company AD server both cn=Users and ou=companyname are located under dc=companyname,dc=com, the search base needs to be set to dc=companyname,dc=com in order for the STM to search both users and groups.

If the server's size limit is exceeded, so that a lookup from dc=companyname,dc=com misses some entries, a user can still be correctly authenticated, but group policies that depend on the missing entries might not be applied as intended. To prevent the size limit from being exceeded, an AD administrator needs to set a larger value in the LDAP server configuration so that the entire list of users and groups is returned in the lookup result.

Another workaround is to use a specific search name or a name with a wildcard in the lookup process, so that only a subset of the entire list is returned in the lookup result.

How to Bind a Distinguished Name in an LDAP Configuration

Understanding how to bind a distinguished name (DN) in an LDAP configuration might be of help when you are specifying the settings for the LDAP and Active Directory domains on the STM.

To bind a user with the name Jamie Hanson with the LDAP server:

Note: In this example, the LDAP domain name is ABC.com, and the LDAP server has the IP address 192.168.35.115 on port 389.

1. On a computer that has access to the Active Directory (AD), open Active Directory Users and Computers.

2. Select the user Jamie Hanson.


3. Click the General tab. The general properties for Jamie Hanson display:

Figure 90.

4. To verify Jamie Hanson's user login name, click the Account tab. The account properties for Jamie Hanson display:

Figure 91.

5. Log in to the STM.

6. Select User Management > Authentication from the menu. The LDAP screen displays.


7. In the List of LDAP table, click the Edit button in the Action column of domain ABC.com. The Edit LDAP screen displays.

8. To bind the user Jamie Hanson to the LDAP server for authentication on the STM, use one of the following two formats in the Bind DN field of the Edit LDAP screen:

The display name in DN format: cn=Jamie Hanson,cn=users,dc=testAD,dc=com (see the example in the following figure).

Figure 92.

The Windows account name in email (user@domain) format, that is, the user login name from the Account tab followed by the domain. (The following figure shows only the Bind DN field.)

Figure 93.

9. Click Test to verify that the LDAP server can actually function with the bind DN that you have modified. The automated test procedure checks the connection to the LDAP server, the bind DN, and the bind password. If any settings require changes, you are notified at the end of the automated test procedure.

10. Click Apply to save your settings.


Creating and Deleting LDAP and Active Directory Domains

To configure LDAP and Active Directory authentication:

1. Select User Management > Authentication from the menu. The authentication submenu tabs display with the LDAP screen in view:

Figure 94.

The List of LDAP table displays the following fields:

Domain Name. The name of the STM's domain to which the server has been assigned.

Server. The IP address of the LDAP or Active Directory server.

Action. The Edit table button, which provides access to the Edit LDAP screen, and the Delete table button, which allows you to delete the LDAP or Active Directory server.


2. Complete the fields and make your selections from the drop-down list as explained in the following table:

Table 47. LDAP Settings

Domain. A descriptive (alphanumeric) name of the LDAP or Active Directory authentication server for identification and management purposes. This is the domain that users select on the User Portal Login screen.

Server. The server IP address or server host name of the LDAP or Active Directory authentication server.

Encryption. From the drop-down list, select the encryption type for the connection between the STM and the LDAP or Active Directory server:

- None. The connection is not encrypted. This is the default setting. With this setting the bind password, and the user passwords that the STM verifies against the directory, cross the network in clear text, so use it only on a trusted management network.

- TLS. The connection uses Transport Layer Security (TLS) encryption negotiated on the standard LDAP port, as in STARTTLS.

- SSL. The connection uses Secure Socket Layer (SSL) encryption from the start of the connection (LDAPS).

Port. The port number for the LDAP or Active Directory authentication server. The default port for the LDAP server is 389, which is generally the port for TLS encryption or no encryption. When the encryption is SSL, the default port is generally 636.

Bind DN. The LDAP or Active Directory bind distinguished name (DN) that is required to access the LDAP or Active Directory authentication server. This bind DN needs to be a user in the directory that has read access to all the users that you would like to import into the STM. Because the STM stores this account's password, a dedicated read-only service account is preferable to an administrator account. The Bind DN field accepts two formats:

- A display name in DN format. For example: cn=Jamie Hanson,cn=users,dc=test,dc=com.

- A Windows login account name in email (user@domain) format. This type of bind DN can be used only for a Windows Active Directory server.

Bind Password. The authentication secret or password that is required to access the LDAP or Active Directory authentication server.

Search Base. The distinguished name (DN) at which to start the search, specified as a sequence of relative distinguished names (RDNs) separated by commas and without any blank spaces. For most users, the search base is a variation of the domain name. For example, if your domain is yourcompany.com, your search base DN might be dc=yourcompany,dc=com.

UID Attribute. The attribute in the LDAP directory that contains the user's identifier (uid). For an Active Directory, enter sAMAccountName. For an OpenLDAP directory, enter uid.

Member Groups Attribute. This field is optional. The attribute that is used to identify the groups an entry belongs to. For an Active Directory, enter memberOf. For OpenLDAP, you can enter a customized attribute to identify the groups of an entry.

Group Members Attribute. This field is optional. The attribute that is used to identify the members of a group. For an Active Directory, enter member. For OpenLDAP, you can enter a customized attribute to identify the members of a group.

Additional Filter. This field is optional. A filter that is used when searching the LDAP server for matching entries while excluding others, in the format described by RFC 2254. The following examples match user objects only:

- Active Directory: objectClass=user

- OpenLDAP: objectClass=posixAccount

3. Click Test to verify that the LDAP server can actually function with the LDAP settings that you have specified. The automated test procedure checks the connection to the LDAP server, the bind DN, and the bind password. If any settings require changes, you are notified at the end of the automated test procedure.

Note: If the automated test procedure returns the message "LDAP server test passed but size limit exceeded," only a limited number of entries (for example, 1000) was returned after the LDAP server was queried. To ensure that the lookup results include all users and groups, set larger values in the LDAP server. Another workaround is to use a specific search name or a name with a wildcard in the lookup process, so that only a subset of the entire list is returned in the lookup result.

4. Click Add to save your settings. The LDAP or Active Directory domain and server are added to the List of LDAP table.

To delete a domain and server from the List of LDAP table, click the Delete table button in the Action column for the domain and server that you want to delete.

WARNING!

After their sessions have expired, users can no longer log in to the STM if the domain that has been assigned to them is the domain that you deleted.
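The Search Base, UID Attribute, Additional Filter and Member Groups Attribute settings in Table 47, together with the search-base discussion under How an Active Directory Works and the bind procedure for Jamie Hanson, describe the lookup that the STM performs when a portal user enters a name. The following Python script is an added illustration of that lookup; it is not taken from the STM firmware and does not reproduce NETGEAR's code. It escapes the user-typed name according to RFC 4515 (the successor of RFC 2254 cited in the table) so that a name such as *)(uid=* cannot widen the filter, ANDs it with the Additional Filter, restricts results to entries under the search base, refuses ambiguous results, and resolves group membership through memberOf. The in-memory directory, the domain companyname.com and the group WebAllow are constructed for the example.

```python
"""Added example (not from the STM firmware): the directory lookup that the
Search Base, UID Attribute, Additional Filter and Member Groups Attribute
settings describe, run against a constructed in-memory directory."""
import re

# RFC 4515 section 3 (successor of RFC 2254): characters that must be
# escaped inside an assertion value, otherwise a user-typed name becomes
# filter syntax (LDAP injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(uid_attribute: str, username: str, additional_filter: str = "") -> str:
    """(uid_attribute=<escaped name>) ANDed with the Additional Filter, which
    the manual writes without parentheses (objectClass=user)."""
    user_term = f"({uid_attribute}={escape_filter_value(username)})"
    extra = additional_filter.strip()
    if not extra:
        return user_term
    if not extra.startswith("("):
        extra = f"({extra})"
    return f"(&{extra}{user_term})"


def normalize_search_base(dn: str) -> str:
    """RDNs joined by commas with no blank spaces, as Table 47 requires."""
    return ",".join(rdn.strip() for rdn in dn.split(","))


def under_search_base(entry_dn: str, search_base: str) -> bool:
    entry = normalize_search_base(entry_dn).lower()
    base = normalize_search_base(search_base).lower()
    return entry == base or entry.endswith("," + base)


# Constructed directory for the example.  The user and the group both live
# under cn=Users, so only a search base at the domain root sees both.
DIRECTORY = {
    "cn=Jamie Hanson,cn=Users,dc=companyname,dc=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["jhanson"],
        "memberOf": ["cn=WebAllow,cn=Users,dc=companyname,dc=com"],
    },
    "cn=WebAllow,cn=Users,dc=companyname,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=Jamie Hanson,cn=Users,dc=companyname,dc=com"],
    },
    "cn=svc-proxy,ou=Service,dc=companyname,dc=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["svc-proxy"],
        "memberOf": [],
    },
}


def _matches(entry: dict, flt: str) -> bool:
    """Evaluate the two filter shapes build_user_filter produces:
    (attr=value) and (&(attr=value)(attr=value))."""
    if flt.startswith("(&"):
        terms = re.findall(r"\([^()]*\)", flt[2:-1])
        return all(_matches(entry, term) for term in terms)
    attr, value = flt[1:-1].split("=", 1)
    wanted = unescape_filter_value(value).lower()
    return any(v.lower() == wanted for v in entry.get(attr, []))


def lookup_user(uid_attribute: str, username: str, search_base: str, additional_filter: str = ""):
    """Return the DN of the one matching user, or None when there are zero or
    several matches (an ambiguous result must not be treated as a login)."""
    flt = build_user_filter(uid_attribute, username, additional_filter)
    hits = [dn for dn, entry in DIRECTORY.items()
            if under_search_base(dn, search_base) and _matches(entry, flt)]
    return hits[0] if len(hits) == 1 else None


def groups_of(user_dn: str, member_groups_attribute: str = "memberOf") -> list:
    """Groups recorded on the user entry (memberOf on Active Directory)."""
    return sorted(DIRECTORY[user_dn].get(member_groups_attribute, []))
```

Against a real server, the same filter can be issued with ldapsearch (for example ldapsearch -H ldap://<server> -D "<bind DN>" -W -b "<search base>" "(&(objectClass=user)(sAMAccountName=jhanson))" memberOf) to reproduce what the STM's Test button checks and to confirm that the search base is high enough to return both the user and the groups.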


Editing LDAP and Active Directory Domains

To edit an LDAP or Active Directory domain:

1. Select User Management > Authentication from the menu. The authentication submenu tabs display with the LDAP screen in view (see Figure 94 on page 161).

2. In the Action column of the List of LDAP table, click the Edit table button for the domain and server that you want to edit. The Edit LDAP screen displays. This screen contains the same fields as the LDAP screen (see Figure 94 on page 161).

3. Modify the fields and make your selections from the drop-down list as explained in Table 47 on page 162.

4. Click Test to verify that the LDAP server can actually function with the LDAP settings that you have modified. The automated test procedure checks the connection to the LDAP server, the bind DN, and the bind password. If any settings require changes, you are notified at the end of the automated test procedure.

5. Click Apply to save your settings.

Understanding the ProSecure DC Agent

If you set up an open network, you would want to allow unauthenticated users to surf anonymously. For a secure network, you would use a more restrictive access policy for unauthenticated users and a less restricted access policy for authenticated users.

Without the use of the DC agent, any LDAP domain user surfs anonymously until providing credentials to the STM in order to proceed past a blocked Web activity. With use of the DC agent, LDAP domain users are immediately known to the STM when they are authenticated on a DC server on which the DC agent is installed.

If the LDAP directory authenticates through a domain controller (DC) server that runs Windows Server 2003 with Service Pack 1 (SP1) or Windows Server 2008, you can use the ProSecure DC Agent software to authenticate LDAP domain users.

The DC agent monitors all Windows login events (that is, all LDAP domain user authentications) on the DC server, and provides a mapping of Windows user names and IP addresses to the STM, enabling the STM to transparently apply user policies. The DC agent transfers the encrypted names, IP addresses, groups, and login times of the logged-in users to the STM, where this information remains (it is not transferred out of the STM).


Requirements for the ProSecure DC Agent Software and DC Agent Server

Note the following requirements for the ProSecure DC agent software and domain controller (DC) servers:

If the DC server is located behind a firewall or there is a firewall on the DC server, ensure that the firewall does not block the server's listening port. The default port that is used by the DC agent is 5182. Open the port only to the STM's address, because the agent serves the list of logged-in users and their IP addresses on it.

The DC agent needs to be able to automatically log an account login event when a domain user account is authenticated against the LDAP directory on a DC server. Verify that the DC server has the following audit policy configuration:

- The Audit Logon Events policy is defined and the Success check box is selected.

- The Audit Account Logon Events policy is defined and the Success check box is selected.

- The Audit Account Management policy is defined and the Success check box is selected.

In addition, if you change the log path of the security log, restart the DC server to bring the change into effect.

If you use the ProSecure DC Agent software on a DC server that is running Windows Server 2003, ensure that the Windows Security Log settings in the Event Viewer are set to the maximum size of 16 MB and to overwrite events as needed.

Downloading ProSecure DC Agent Software, and Creating and Deleting DC Agents

When new ProSecure DC Agent software is available, the STM automatically downloads the software from the update server and notifies administrative users in several ways:

The STM sends an email to administrative users.

The STM records a syslog entry.

The STM generates a notification screen that is presented to administrative users upon login.


To download ProSecure DC Agent software and add a DC agent:

1. Select User Management > Authentication from the menu. The authentication submenu tabs display with the LDAP screen in view. Locate the List of DC Agents table at the bottom of the screen. (See this section of the screen in the following figure.)

Figure 95.

2. Under the List of DC Agents table, click the Download/Install link to download the ProSecure DC Agent software. Follow the instructions of your browser to save the software file to your computer.

3. Install the ProSecure DC Agent software on each domain controller (DC) server through which the LDAP directory authenticates users.

4. Complete the fields and make your selections from the drop-down lists as explained in the following table:

Table 48. DC Agent Settings

Domain. From the Domain drop-down list, select an LDAP domain to bind with the DC agent. For information about configuring LDAP domains, see Creating and Deleting LDAP and Active Directory Domains on page 161.

DC Agent Listening Port. Enter the listening port of the DC agent. The listening port is the port through which the DC agent transfers the list of authenticated users to the STM. The default port is 5182.

Synchronization Interval. Enter the time interval (in seconds) at which the DC agent updates the list of authenticated users. The default interval is 15 seconds.

Expiration length. Enter the time interval, in hours or minutes (determined by your selection from the Expiration length drop-down list), that is allowed to elapse before a user login expires. The default setting is zero (0), that is, a user login does not expire. With the default, a user-to-IP mapping remains valid until the DC agent reports a newer login from the same address, so on shared computers a later user can inherit the previous user's policies; set a nonzero value if that matters in your environment.

Status. Displays the status of the DC agent: a green circle indicates that the DC agent is active; a gray circle indicates that the DC agent is inactive.

5. To add the newly configured DC agent to the List of DC Agents table, click the Add table button in the Action column.

For each DC agent in the List of DC Agents table, the Action column provides two table buttons:

Apply. Activates the DC agent. The circle in the Status column turns green.

Delete. Deletes the DC agent from the table.
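As an added illustration, not the ProSecure DC Agent's own code (the manual does not describe the agent's internal format or which logon types it consumes), the following Python keeps the kind of user-name-to-IP table that the agent reports to the STM. It consumes Windows Security-log logon-success records (event ID 4624, which the audit policies listed under Requirements for the ProSecure DC Agent Software make available), ignores machine and system accounts and events without a client address, lets a newer login from the same address replace the previous mapping, and applies the Expiration length from Table 48, including the default of zero. The event records are constructed, and the set of accepted logon types is an assumption.

```python
"""Added example (not the ProSecure DC Agent's code): the user-name-to-IP
mapping that the manual says the agent derives from Windows logon events and
hands to the STM, with the Expiration length behaviour of Table 48.  The
events below are constructed; which logon types the real agent consumes is
not stated in the manual, so the accepted set here is an assumption."""
from dataclasses import dataclass

EVENT_LOGON_SUCCESS = 4624
# Assumption: interactive (2), network (3) and remote interactive (10)
# logons identify a person at a client address; service/batch logons do not.
ACCEPTED_LOGON_TYPES = {2, 3, 10}
NO_CLIENT_ADDRESS = {"-", "", "::1", "127.0.0.1"}


@dataclass
class Mapping:
    domain: str
    user: str
    logged_in_at: int  # epoch seconds taken from the event's TimeCreated


class UserIpMap:
    """One user per client IP address, the way a transparent policy lookup
    needs it: the STM sees only the source IP of a web request."""

    def __init__(self, expiration_seconds: int = 0):
        self.expiration_seconds = expiration_seconds  # 0 = never expires (Table 48 default)
        self._by_ip = {}

    def ingest(self, event: dict) -> bool:
        """Consume one Security-log record; return True if the map changed."""
        if event.get("EventID") != EVENT_LOGON_SUCCESS:
            return False
        if event.get("LogonType") not in ACCEPTED_LOGON_TYPES:
            return False
        user, ip = event.get("TargetUserName", ""), event.get("IpAddress", "-")
        # Machine accounts end in '$'; anonymous and loopback logons carry no
        # person or no usable client address.
        if not user or user.endswith("$") or user.upper() == "ANONYMOUS LOGON" or ip in NO_CLIENT_ADDRESS:
            return False
        new = Mapping(event.get("TargetDomainName", ""), user, int(event["TimeCreated"]))
        current = self._by_ip.get(ip)
        if current is not None and current.logged_in_at > new.logged_in_at:
            return False  # out-of-order delivery: keep the newer login
        self._by_ip[ip] = new  # a different user from the same IP replaces the old mapping
        return True

    def user_for(self, ip: str, now: int):
        """DOMAIN\\user for this address, or None if unknown or expired."""
        m = self._by_ip.get(ip)
        if m is None:
            return None
        if self.expiration_seconds and now - m.logged_in_at >= self.expiration_seconds:
            del self._by_ip[ip]
            return None
        return f"{m.domain}\\{m.user}"

    def logout(self, ip: str) -> bool:
        """Explicit logout (the portal Logout link); True if an entry was removed."""
        return self._by_ip.pop(ip, None) is not None


# Constructed 4624/4625 records (fields named as in the Windows Security log).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "jhanson",
     "IpAddress": "10.0.5.21", "TimeCreated": 1_700_000_000},
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "WS021$",
     "IpAddress": "10.0.5.21", "TimeCreated": 1_700_000_001},
    {"EventID": 4624, "LogonType": 5, "TargetDomainName": "NT AUTHORITY", "TargetUserName": "SYSTEM",
     "IpAddress": "-", "TimeCreated": 1_700_000_002},
    {"EventID": 4625, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "mlee",
     "IpAddress": "10.0.5.21", "TimeCreated": 1_700_000_003},
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "mlee",
     "IpAddress": "10.0.5.21", "TimeCreated": 1_700_000_900},
]


def replay(events, expiration_seconds: int = 0) -> "UserIpMap":
    """Feed a list of records into a fresh map and return it."""
    table = UserIpMap(expiration_seconds)
    for event in events:
        table.ingest(event)
    return table
```

The replay shows the failure mode behind the manual's logout warning: with the default expiration of zero, jhanson's mapping for 10.0.5.21 survives indefinitely until mlee's later logon from the same address replaces it, and any web request from that address in between is policed under jhanson's policies. The failed logon (4625) and the machine-account logon (WS021$) correctly leave the table untouched.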


To edit a DC agent:

1. In the Domain column, locate the DC agent that you want to edit, and make changes in the columns to the right of the Domain column.

2. Click Apply to save your changes.

Creating and Deleting RADIUS Domains

To configure RADIUS authentication:

1. Select User Management > Authentication from the menu. The authentication submenu tabs display with the LDAP screen in view.

2. Click the RADIUS submenu tab. The RADIUS screen displays. (The following figure contains two examples.)

Figure 96.

The List of RADIUS table displays the following fields:

Domain. The name of the STM's domain to which the server has been assigned.

Server. The IP address of the RADIUS server.

Action. The Edit table button, which provides access to the Edit RADIUS screen, and the Delete table button, which allows you to delete the RADIUS server.


3. Complete the fields and make your selections from the drop-down list as explained in the following table:

Table 49. RADIUS Settings

Domain. A descriptive (alphanumeric) name of the RADIUS authentication server for identification and management purposes.

Server. The server IP address or server host name of the RADIUS authentication server.

Port. The port number for the RADIUS authentication server. The default port for the RADIUS server is 1812.

Shared Secret. The shared secret (password) that is required to access the RADIUS authentication server. The same secret keys the obfuscation of PAP passwords in transit, so use a long random value and configure the RADIUS server to accept it only from the STM's address.

Repeat. The maximum number of times that the STM attempts to connect to the RADIUS server. The default setting is 3 times.

Timeout. The period after which an unsuccessful connection attempt times out. The default setting is 5 seconds.

Authentication Type. From the drop-down list, select the password protocol that the STM uses with the RADIUS server:

- PAP. The connection uses the Password Authentication Protocol (PAP). This is the default setting.

- CHAP. The connection uses the Challenge Handshake Authentication Protocol (CHAP).

Use the following user account to test RADIUS settings. Select this check box to test the RADIUS settings with the user name and password that you need to specify.

User Name. The user name to test the RADIUS settings with.

Password. The password to test the RADIUS settings with.

4. Click Test to verify that the RADIUS server can actually function with the RADIUS settings that you have specified. The automated test procedure checks the connection to the RADIUS server, the user name, and the password. If any settings require changes, you are notified at the end of the automated test procedure.

5. Click Apply to save your settings. The RADIUS domain and server are added to the List of RADIUS table.

To delete a domain and server from the List of RADIUS table, click the Delete table button in the Action column for the domain and server that you want to delete.

WARNING!

After their sessions have expired, users can no longer log in to the STM if the domain that has been assigned to them is the domain that you deleted.
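The PAP and CHAP descriptions under Understanding the STM's Authentication Options and the Authentication Type setting in Table 49 leave the wire-level difference implicit. The following Python, added here as an example and not taken from the STM or from any RADIUS implementation, builds an Access-Request both ways (RFC 2865 sections 5.2 and 5.3, RFC 1994) and verifies it as the server would, so that the effect of the shared secret on each protocol can be seen. The shared secret, user name and password are constructed values; no CHAP-Challenge attribute is sent, so the Request Authenticator serves as the CHAP challenge, as RFC 2865 allows.

```python
"""RADIUS Access-Request construction and verification for the two
password protocols the manual names, PAP and CHAP (RFC 2865 sections 5.2 and
5.3, RFC 1994).  Added example using only the standard library; the shared
secret, user name and password below are constructed test values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3


def pap_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret || previous block); the first 'previous block' is the
    Request Authenticator.  This is reversible obfuscation, not encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden, prev = hidden + block, block
    return hidden


def pap_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """The server side of the same transform; NUL padding is stripped."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        plain, prev = plain + bytes(c ^ m for c, m in zip(block, mask)), block
    return plain.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(Identifier || password || challenge).  The server needs
    the cleartext password to recompute this, so CHAP forces recoverable
    password storage on the server."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def _attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, username, password, auth_type="PAP",
                         identifier=1, authenticator=None, chap_ident=1):
    """Client (NAS) side: returns the wire packet.  With CHAP and no
    CHAP-Challenge attribute, the Request Authenticator is the challenge."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = _attribute(USER_NAME, username)
    if auth_type == "PAP":
        attrs += _attribute(USER_PASSWORD, pap_hide_password(secret, ra, password))
    elif auth_type == "CHAP":
        attrs += _attribute(CHAP_PASSWORD, bytes([chap_ident]) + chap_response(chap_ident, password, ra))
    else:
        raise ValueError("auth_type must be PAP or CHAP")
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + ra + attrs


def parse_attributes(packet: bytes) -> dict:
    """Type/length/value attributes after the 20-byte header; bounds-checked."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def server_verify(secret: bytes, packet: bytes, users: dict) -> bool:
    """Server side: accept only if the user exists and the credential checks out."""
    attrs = parse_attributes(packet)
    authenticator = packet[4:20]
    expected = users.get(attrs.get(USER_NAME))
    if expected is None:
        return False
    if USER_PASSWORD in attrs:
        got = pap_reveal_password(secret, authenticator, attrs[USER_PASSWORD])
        return hmac.compare_digest(got, expected)
    if CHAP_PASSWORD in attrs and len(attrs[CHAP_PASSWORD]) == 17:
        ident, response = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
        return hmac.compare_digest(chap_response(ident, expected, authenticator), response)
    return False


# Constructed values for a local round trip; not from the manual.
SECRET = b"stm-test-shared-secret"
USERS = {b"jhanson": b"Pa55word!"}
```

The round trip makes the trade-off concrete: a PAP User-Password is recoverable by anyone holding the shared secret (or who brute-forces it from a capture), and verification fails with the wrong secret; a CHAP response does not depend on the shared secret at all, which is why it verifies under a different secret in the test below, but it obliges the server to keep passwords in recoverable form. Neither protocol protects the rest of the packet; for that RADIUS relies on the Response Authenticator and the Message-Authenticator attribute, which this example omits.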


Editing RADIUS Domains and Configuring VLANs

To edit a RADIUS domain:

1. Select User Management > Authentication from the menu. The authentication submenu tabs display with the LDAP screen in view.

2. Click the RADIUS submenu tab. The RADIUS screen displays (see Figure 96 on page 167).

3. In the Action column of the List of RADIUS table, click the Edit table button for the domain and server that you want to edit. The Edit RADIUS screen displays. (The following figure contains some examples.)

Figure 97.

4. Modify the fields and make your selections from the drop-down list as explained in Table 49 on page 168.

5. Click Test to verify that the RADIUS server can actually function with the RADIUS settings that you have modified. The automated test procedure checks the connection to the RADIUS server, the user name, and the password. If any settings require changes, you are notified at the end of the automated test procedure.

6. Click Apply to save your settings.
