Sophos XG Firewall Web Interface Reference and Admin Guide v16.5


This menu covers the following topics:

• Servers on page 395: Manage external servers for authentication
• Services: Define authentication servers for the administrators and end-users logging in through the device, VPN, or the Captive Portal.
• Groups on page 412: Set up policies and assign them to a number of users
• Users on page 416: Manage user accounts for access to the device
• One-Time Password: Configure the one-time password (OTP) service.
• Captive Portal: Customize the Captive Portal through which users can log in
• Guest Users on page 429: Manage users accessing the device without a user account
• Clientless Users on page 435: Manage user accounts for clientless access
• Guest User Settings: Configure general parameters to provide secured Internet access for guest users
• Client Downloads on page 443: Download clients for different platforms to interact with the device

Servers

The Authentication Server menu allows the management of databases and backend servers for external user authentication services.

External user authentication enables you to validate user accounts against existing user databases or directory services on other servers of your network.

Authentication services currently supported are:

• Novell's eDirectory

• Microsoft's Active Directory

• RADIUS

• TACACS+

• LDAP

This page displays a list of all existing authentication servers. For each server the list shows:

Name

Displays the name of the authentication server.

IP

Displays the IP address of the authentication server.

Port

Displays the port of the authentication server.

Type

Displays the type of the authentication server.

Domain/Admin

Displays the domain or admin of the authentication server.

Add External Server

This page describes the authentication servers to be added. It covers the following topics:

Active Directory

Active Directory (AD) is Microsoft's implementation of a directory service and is a central component of Windows 2000/2003 servers. It stores information about a broad range of resources residing on a network, including users, groups, computers, printers, applications, services, and any type of user-defined objects. As such it provides the means to centrally organize, manage, and control access to these resources. The Active Directory authentication method allows you to register Sophos XG Firewall at a Windows domain, thus creating an object for Sophos XG Firewall on the primary domain controller (DC). Sophos XG Firewall is then able to query user and group information from the domain.


Note: Sophos XG Firewall supports Active Directory 2003 and newer.

Add Active Directory Server on page 398

LDAP

LDAP, an abbreviation for Lightweight Directory Access Protocol, is a networking protocol for querying and modifying directory services based on the X.500 standard. Sophos XG Firewall uses the LDAP protocol to authenticate users for several of its services, allowing or denying access based on attributes or group memberships configured on the LDAP server.

Add LDAP Server on page 396

RADIUS

RADIUS, the acronym of Remote Authentication Dial In User Service, is a widespread protocol for allowing network devices such as routers to authenticate users against a central database. In addition to user information, RADIUS can store technical information used by network devices, such as supported protocols, IP addresses, routing information, and so on. This information constitutes a user profile, which is stored in a file or database on the RADIUS server. The RADIUS protocol is very flexible, and servers are available for most operating systems.

The RADIUS implementation on Sophos XG Firewall allows you to configure access rights on the basis of proxies and users. Before you can use RADIUS authentication, you must have a running RADIUS server on the network.

Whereas passwords are encrypted using the RADIUS secret, the username is transmitted in plain text.

Add RADIUS Server on page 401

TACACS+

TACACS+, the acronym of Terminal Access Controller Access Control System, is a proprietary protocol by Cisco Systems, Inc. and provides detailed accounting information and administrative control over authentication and authorization processes. Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates these operations. Another difference is that TACACS+ utilizes the TCP protocol (port 49) while RADIUS uses the UDP protocol.

Add TACACS+ Server on page 402

eDirectory

Novell eDirectory is an X.500 compatible directory service for centrally managing access to resources on multiple servers and computers within a given network. eDirectory is a hierarchical, object-oriented database that represents all the assets in an organization in a logical tree. Those assets can include people, servers, workstations, applications, printers, services, groups, and so on.

Add eDirectory Server on page 403

Add LDAP Server

This page describes how to add an LDAP server.

1. Go to Configure > Authentication > Servers and click Add.

2. As Server Type, select LDAP Server.

3. Specify the LDAP server details:

Server Name

Specify a descriptive name for the LDAP server.

Server IP/Domain

Specify an IP address or domain for the LDAP server.

Port

Specify the port of the LDAP server.

Default: 389

Version

Select the version of the LDAP server.

Default: 3

Anonymous Login

Enable to send anonymous requests to the LDAP server.

Disable to bind user with the server.

Username (not available if Anonymous Login is selected)

Enter the username. The username must be specified as a full distinguished name (DN) in LDAP notation, using commas as delimiters (e.g., uid=root,cn=user).

Password (not available if Anonymous Login is selected)

Specify a password for the user.

Connection Security

Select the connection security for the LDAP server:

Simple: User credentials will be sent unencrypted, as plaintext. This connection security is selected by default.

SSL: Secure Sockets Layer. This is the most common method used for a secured connection. The Port will then change from 389 (LDAP) to 636 (ldaps = LDAP over SSL).

TLS: Transport Layer Security. Same secure connection as SSL but uses the default port.

Validate Server Certificate (not available for Simple connection security)

Enable to validate the certificate on the external server.

Client Certificate (not available for Simple connection security)

Select a client certificate from the list to establish a secured connection. If you do not want a client certificate, select None.

Default: ApplianceCertificate

Note: You can manage client certificates under Protect > Web Server > Certificates.

Base DN

Enter the Base DN for the LDAP server. The Base DN is the starting point relative to the root of the LDAP tree where the users are included who are to be authenticated. Note that the Base DN must be specified by the Fully Distinguished Name (FDN) in LDAP notation, using commas as delimiters (e.g., O=Example,OU=RnD).

Get Base DN

Click Get Base DN if you do not know the Base DN. The Base DN is automatically retrieved from the directory.

Authentication Attribute

Specify an authentication attribute for searching the LDAP directory. The user authentication attribute contains the actual login name each user is prompted for, for example by remote access services.

Display Name Attribute

Specify the name for the LDAP server which is displayed as LDAP username.

Email Address Attribute

Specify the alias for the configured email address which is displayed to the user.

Group Name Attribute

Specify the alias for the configured group name which is displayed to the user.


Expiry Date Attribute

Specify the user expiry date displayed to the user. The attribute specifies how long a user account is valid.


Figure 379: Add LDAP Server

4. Click Test Connection to check the connectivity between the LDAP server and Sophos XG Firewall. It also validates the LDAP server user credentials.

5. Click Save.
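As an added example (not Sophos code), a small Python check of the fields described above: it parses the Base DN and bind Username in the comma-delimited LDAP notation the page requires, builds the AD Search DN from a domain FQDN as the NetBIOS Name, FQDN and Search DN section describes, and flags Simple connection security (plaintext credentials), a disabled Validate Server Certificate, and a port that does not match the connection security mode. The dictionary keys and the finding texts are this example's own.

```python
"""Lint an LDAP/AD server definition as entered on the Add LDAP Server page.
Added example, not Sophos code: the dict keys mirror the page's field labels,
and the finding texts are this example's own."""
import re

# One attribute=value pair of a DN in LDAP notation, e.g. "OU=RnD" or "dc=example".
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")

# Port the page gives for each Connection Security mode (TLS keeps the default).
PORT_FOR_SECURITY = {"Simple": 389, "TLS": 389, "SSL": 636}


def parse_dn(dn):
    """Split a comma-delimited DN into (attribute, value) pairs.

    Raises ValueError for input that is not in LDAP notation, such as a bare
    login name "root" instead of the full DN "uid=root,cn=user".
    """
    parts = [p.strip() for p in dn.split(",")]
    if any(not _RDN.match(p) for p in parts):
        raise ValueError(f"not a distinguished name in LDAP notation: {dn!r}")
    return [tuple(p.split("=", 1)) for p in parts]


def search_dn_from_fqdn(fqdn):
    """Build the AD Search DN from the domain FQDN: google.com -> DC=google,DC=com."""
    labels = [label for label in fqdn.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty FQDN")
    return ",".join(f"DC={label}" for label in labels)


def lint_ldap_server(cfg):
    """Return a list of findings for one server definition (empty list = clean)."""
    findings = []
    for field in ("base_dn", "username"):
        if cfg.get(field):
            try:
                parse_dn(cfg[field])
            except ValueError as exc:
                findings.append(f"{field}: {exc}")
    sec = cfg.get("connection_security", "Simple")  # Simple is the page's default
    port = cfg.get("port", 389)
    if sec == "Simple":
        findings.append("Simple: bind credentials cross the network as plaintext")
    elif not cfg.get("validate_server_certificate", False):
        findings.append(f"{sec}: Validate Server Certificate is off, so any server presenting a certificate is trusted")
    if sec in PORT_FOR_SECURITY and port != PORT_FOR_SECURITY[sec]:
        findings.append(f"{sec}: port {port} set, but this mode normally uses {PORT_FOR_SECURITY[sec]}")
    if cfg.get("anonymous_login") and cfg.get("username"):
        findings.append("Anonymous Login enabled: the Username field is not used, remove the stale bind DN")
    return findings
```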

Add Active Directory Server

This page describes how to add an Active Directory server.

Active Directory allows the device to map the users and groups from ADS for the purpose of authentication on a Windows platform.

1. Go to Configure > Authentication > Servers and click Add.

2. As Server Type, select Active Directory.

Note: If a user is required to authenticate using AD, the device needs to communicate with the AD server for authentication.

3. Specify the Active Directory server details.

Server Name

Enter a unique name for the Active Directory server.

Server IP

Specify an IP address for the Active Directory server.

Port

Specify the port of the Active Directory server.

Default: port 389.

NetBIOS Domain

Specify a NetBIOS domain for the Active Directory server.

ADS Username

Specify a username for the admin user of the Active Directory server.

Password

Specify a password for the admin user of the Active Directory server.

Connection Security

Select the type of security to be implemented on the established connection.

It provides a method to login to the external server by sending the username and password in encrypted format instead of plaintext.

Simple: User credentials will be sent unencrypted as plaintext.

SSL: Secure Sockets Layer. This is the most common method used for a secured connection. The Port will then change from 389 (LDAP) to 636 (ldaps = LDAP over SSL).

TLS: Transport Layer Security. Same secure connection as SSL but uses the default port.

Note: We strongly recommend using the encryption method to protect the user credentials.

Validate Server Certificate (not available for Simple connection security)

Enable to validate the certificate on the external server.

Display Name Attribute

Specify the name for the AD server which is displayed as AD username.

Email Address Attribute

Specify the alias for the configured email address which is displayed to the user.

Domain Name

Specify the domain name for which the query is to be added.

Search Queries

Click Add to enter the search query. Use the Move Up and Move Down buttons to rearrange the search queries in the list. Use Remove to remove the selected item.

Note: If you do not know the search DN, refer to NetBIOS Name, FQDN and Search DN.


Figure 380: Add Active Directory Server

4. Click Test Connection to check the connectivity between the Active Directory server and Sophos XG Firewall. It also validates the Active Directory server user credentials.

5. Click Save.

NetBIOS Name, FQDN and Search DN

This page describes how a Search DN is built.

The settings have to be performed on an AD (Windows) server.

1. Go to Start > All Programs > Administrative Tools > Active Directory Users and Computers.

2. Right-click the required domain and go to the Properties tab.

Search DN is based on the FQDN. For example, if the FQDN is "google.com", then the Search DN will be DC=google,DC=com.

Figure 381: Search Query

Import AD User Group

This page describes how to import Active Directory groups from the Windows platform into the device.


1. Go to Configure > Authentication > Servers and click against the AD server from which AD groups are to be imported.

The Import Group Wizard Help appears.

2. Specify a Base DN. Appliance fetches AD groups or OU groups from the specified Base DN.

3. Select the AD groups or OU groups to be imported into the appliance. Hold down Ctrl to select multiple groups. Groups already available on the device will not be imported.

4. Select various policies (surfing quota, traffic shaping, web filter, application filter, network traffic and SSL VPN) and the user authentication timeout for group members. Selected policies are attached to all imported groups. If you want to specify different policies for different groups, do not enable the policy. For example, if you want to assign different filter policies to different groups, do not enable Attach to all the Groups.

5. If you do not want to apply common policies which are valid for all groups, specify policies to be applied to each group individually.

If groups are imported successfully, a "successful" message will be displayed; else the appropriate error message will be displayed. This message remains even if you close the wizard.

6. Click Close to end the wizard.

If a user is a member of multiple AD groups, then the policies of the first group the user is a member of are applied.

To determine the user's group membership, the device browses through the ordered group list from top to bottom. The first group that matches is considered the group of the user, and that group's policies are applied to the user.

Using the wizard, you can reorder the groups to change the membership preference.
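The first-match rule above, as an added example (not Sophos code): the imported groups are an ordered list, the user's effective group is the first one in that list they belong to, and a second check flags users whose policies depend on the order, which are the accounts to review after reordering groups in the wizard. Group names and policies are constructed.

```python
"""Resolve a user's effective group the way the page describes: the imported
groups form an ordered list and the first one the user belongs to wins.
Added example, not Sophos code; group names and policies are constructed."""

# Ordered list as it would appear after the Import Group Wizard:
# (group name, policies attached to that group). Constructed sample data.
GROUP_ORDER = [
    ("Contractors", {"web_filter": "Strict", "ssl_vpn": "Denied"}),
    ("Engineering", {"web_filter": "Default", "ssl_vpn": "Allowed"}),
    ("Domain Users", {"web_filter": "Default", "ssl_vpn": "Denied"}),
]


def effective_group(user_groups, group_order=GROUP_ORDER):
    """Return (group name, policies) of the first ordered group the user is in,
    or (None, {}) when none of the user's groups have been imported."""
    membership = set(user_groups)
    for name, policies in group_order:
        if name in membership:
            return name, policies
    return None, {}


def order_changes_policy(user_groups, group_order=GROUP_ORDER):
    """True when the user is in several imported groups whose policies differ,
    i.e. moving a group up or down in the wizard would change this user's
    effective policies."""
    membership = set(user_groups)
    matching = [policies for name, policies in group_order if name in membership]
    return any(policies != matching[0] for policies in matching[1:])
```

An engineer who is also in the Contractors group gets the stricter Contractors policies because that group is listed first; moving Engineering above it would flip the result.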

Add RADIUS Server

This page describes how to add a RADIUS server.

1. Go to Configure > Authentication > Servers and click Add.

2. As Server Type, select RADIUS Server.

3. Specify the RADIUS server details:

Server Name

Specify a descriptive name for the RADIUS server.

Server IP

Specify an IP address for the RADIUS server.

Authentication Port

Specify the authentication port of the RADIUS server.

By default, this is port 1812.

Enable Accounting

Enable accounting on the RADIUS server.

Sophos XG Firewall sends the following information to the RADIUS server as soon as the user logs in:

• Accounting start request

• User login time

Sophos XG Firewall sends the following information to the RADIUS server the moment the user logs out:

• Accounting stop request

• User logout time

Note: Supported client types: Windows client, HTTP client, Linux client, Android, iOS, iOS HTTP client, Android HTTP client, API client.

Note: The accounting stop message is not sent to the RADIUS server when Sophos

XG Firewall shuts down or reboots.

Accounting Port (available only if Enable Accounting is active)

Specify a RADIUS port number through which Sophos XG Firewall can communicate with the

RADIUS server.

Shared Secret

Specify the shared secret which is a text string that serves as a password between a RADIUS client and a RADIUS server.

Group Name Attribute

Specify the alias for the configured group name which is displayed to the user.


Figure 382: Add RADIUS Server

4. Click Test Connection to check the connectivity between the RADIUS server and Sophos XG Firewall. It also validates the RADIUS server user credentials.

5. Click Save.

Add TACACS+ Server

This page describes how to add a TACACS+ server.

1. Go to Configure > Authentication > Servers and click Add.

2. As Server Type, select TACACS+ Server.

3. Specify the TACACS+ server details:

Server Name

Specify a descriptive name for the TACACS+ server.

Server IPv4

Specify an IP address for the TACACS+ server.

Port

Specify the port of the TACACS+ server.

By default, this is port 49.

Shared Secret

Specify the shared secret which is a text string that serves as a password between a TACACS+ client and a TACACS+ server.


Figure 383: Add TACACS+ Server

4. Click Test Connection to check the connectivity between the TACACS+ server and Sophos XG Firewall. It also validates the TACACS+ server user credentials.

5. Click Save.

Add eDirectory Server

This page describes how to add an eDirectory server.

1. Go to Configure > Authentication > Servers and click Add.

2. As Server Type, select eDirectory.

3. Specify the eDirectory server details:

Server Name

Specify a descriptive name for the eDirectory server.

Server IP/Domain

Specify an IP address or domain for the eDirectory server.

Port

Specify the port of the eDirectory server.

By default, this is port 389.

Username

Specify a username for the eDirectory server.

Password

Specify a password for the eDirectory server.

Connection Security

Select the connection security for the eDirectory server:

Simple: User credentials will be sent unencrypted as plaintext.

SSL: Secure Sockets Layer. This is the most common method used for a secured connection. The Port will then change from 389 (LDAP) to 636 (ldaps = LDAP over SSL).

TLS: Transport Layer Security. Same secure connection as SSL but uses the default port.

Base DN

Specify the Base DN for the eDirectory server. The Base DN is the starting point relative to the root of the eDirectory tree where the users are included who are to be authenticated. Note that the Base DN must be specified by the full distinguished name (DN) in LDAP notation, using commas as delimiters (e.g., O=Example,OU=RnD).

Get Base DN

Click Get Base DN if you do not know the Base DN. The Base DN is automatically retrieved from the directory.
