User Authentication with Active Directory (10.x)

Security Gateway Articles and How to's
Post Reply
peem
Posts: 1
Joined: 12 Nov 2008, 13:41

User Authentication with Active Directory (10.x)

Post by peem » 21 Dec 2010, 20:46

This How-to applies to:
  • Clavister Security Gateway 9.x, 10.x
    Using RADIUS authentication the same principle also applies to 8.x versions
    Windows Server 2008 and later

Topics covered in this document
  • 1. Objectives with this article
    2. Network Policy Server (NPS)
    • 2.1 Prepare Active Directory when using CHAP
      2.2 Configure Network Policy Server (NPS) on the server
    3. Configure Radius on the Security Gateway
    4. Configure LDAP on the Security Gateway
    5. Configure Http/Https User Authentication rules on the Security Gateway
    • 5.1 Enabling User Authentication in a network object
      5.2 Enabling User Authentication in a rule
    6. Testing the set-up
    7. Troubleshooting

1. Objectives with this article
In this article, we will set up an environment that will grant access to external users that belong to the AD Windows Group Remote_Access, which is defined and populated in Active Directory.

We will allow user authentication via HTTPS on the Clavister Security Gateway. After successful authentication the user is allowed to open a RDP connection to our internal network.
The authentication against Active Directory is done either with Radius or LDAP from the Security Gateway. Instead of HTTPS the authentication method can be L2TP or PPTP but we will not cover that in this document.

In this article we allow external connections after authentication, but for example in a School environment you can use this mechanism to allow internal clients to access internet after successful authentication.


2. Network Policy Server (NPS)
Starting from Windows server 2008 the Radius implementation in Windows server is called Network Policy Server (NPS) instead of Internet Authentication Service (IAS). You enable NPS by adding the Role Network Policy and Access Services
  • 2.1 Prepare Active Directory when using CHAP
    Since we are using PAP in this setup we don't need to enable Reversible Encryption for domain passwords in our Active Directory:

    Note: This policy should never be enabled unless application requirements outweigh the need to protect password information. (More information about Reversible Encryption: http://technet.microsoft.com/en-us/libr ... 10%29.aspx)

    Globally:
    1. Admin Tools - Group Policy Management
    2. Choose your forest, domain and then right click your Default Domain Policy and choose Edit.
    3. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Store passwords using reversible encryption = Enabled.

    Per User:
    1. Open your domain user's properties and checking Store password using reversible encryption on the Account tab.

    Note: Passwords must changed/reset for reversible encryption to apply

    2.2 Configure Network Policy Server (NPS) on the server
    In order for the Security Gateway to be allowed to communicate with NPS you must add it to known clients:
    1. Start NPS and choose Radius Clients and Servers -> Radius Clients (right-click) -> New
    2. Enter a friendly name, IP address of the Security Gateway and a shared secret.
    3. In tab Advanced make sure Radius Standard is used.
    NPS_Radius_Client.jpg
    NPS_Radius_Client.jpg (23.63 KiB) Viewed 10312 times
    Configure a Network Policy:
    1. Policies - > Network Policies (right-click) -> New - > Enter a friendly name and select Unspecified as Type of network access server
    2. Add a condition and select Windows Groups -> Add -> Add Groups -> enter an AD group that the remote users belong to (in our example Remote_Access)-> Next
    3. Select the type of authentication methods you will be using, CHAP or PAP, and Next. Enter custom restrictions if needed and Next.
    4. Select Vendor Specific -> Add -> Select Vendor-Specific at the bottom of the list -> Add -> Add
    5. Pick Enter Vendor Code and type 5089. Select Yes. It conforms and Configure Attribute
    6. Enter 1 as attribute number and String as format. Type the name of the AD group (in our example Remote_Access) as Attribute Value and Next and Finish

    Note: It is also possible to specify more than one group. Just separate each group with a comma, for example “TrustedUsers, Employees, Personal”. This would tell the Clavister Security Gateway that a user that matches this policy belongs to three groups, “TrustedUsers”, “Employees”, and “Personal”. The Clavister Security Gateway have no group amount limit, but the group name cannot exceed 128 characters.
    NPS_Vendor_Specific.jpg
    NPS_Vendor_Specific.jpg (16.03 KiB) Viewed 10312 times
    If you want to control the access permission only through AD group member ship and not with the Dial-in properties:
    1. Right-click on the policy and select Properties. In Tab Overview select Ignore user account dial-in properties
    2. On each user properties in the Dial-In tab, make sure that Control access through NPS Network Policy is selected
3. Configure Radius on the Security Gateway

1. Enter the User Authentication -> External User Databases section
2. Select Add -> Radius Server.
  • Name: Enter a name for the server, for example Radius_srv
    IP Address: Enter the IP address of the server, or enter the symbolic name if the server has been defined in the Address Book
    Port: 1812 (RADIUS service uses UDP port 1812 by default)
    Retry Timeout: 2 (The SG will resend the authentication request to the sever if there is no response after the timeout, for example every 2 seconds. This will be retried a maximum of 3 times)
    Shared Secret: For basic encryption of the RADIUS messages enter the shared secret which was used on the NPS server in section 2.2 (Note that this is case-sensitive!)
    Confirm Secret: Retype the string to confirm the one typed above
    Routing Table: The SG´s routing table where route lookup will be done to resolve the server's IP address
    into a route.
3. Click OK
Radius_External_Database.jpg
Radius_External_Database.jpg (16.14 KiB) Viewed 10312 times
4. Configuring LDAP on the Security Gateway

1. Enter the User Authentication -> External User Databases section
2. Select Add -> LDAP Server.
  • Name: The name given to the server object for reference purposes in the SG
    IP Address: The IP address of the LDAP server.
    Port: The port number on the LDAP server which will receive the SG request. This port is by default 389.
    Timeout: This is the timeout length for LDAP server user authentication attempts in seconds. If no
    response to a request is received from the server after this time then the server will be considered to be unreachable. The default timeout setting is 5 seconds.
    Name Attribute: The Name Attribute is the ID of the data field on the LDAP server that contains the username. When using Microsoft Active Directory this should be set to SAMAccountName
    Retrieve Group Membership: This option specifies if the groups that a user belongs to should be retrieved from the LDAP server. The group name is often used when granting user access to a service after a successful logon.
    Membership Attribute: The Membership Attribute defines which groups a user is a member of. When using Microsoft Active Directory this should be set to MemberOf.
    Use Domain Name: Some servers require the domain name in combination with a username for performing
    successful authentication. For Microsoft Active Directory Username Postfix will add @<domain name> after the user name when authenticating.
    Routing Table: The SG´s routing table where route lookup will be done to resolve the server's IP address
    into a route.
    Base Object: Defines where in the LDAP server tree search for user accounts shall begin. If the Active Directory domain for example is mycompany.local the root Base Object is DC=mycompany,DC=local. The username search will now begin at the root of the mycompany tree.
    Administrator Account: The LDAP server will require that the user establishing a connection to do a search has administrator privileges. The Administration Account specifies the administrator username.
    Password/Confirm Password: The password for the administrator account which was specified above.
    Domain Name: The Domain Name is used when formatting usernames. This is the first part of the full domain name. In our examples above, the Domain Name is mycompany.
    Password Attribute: The password attribute specifies the ID of the tuple on the LDAP server that contains the user's password. The default ID is userPassword. This option should be left empty unless the LDAP server is being used to authenticate users connecting via PPP with CHAP, MS-CHAPv1 or MS-CHAPv2.
3. Click OK
Ldap_External_Database.jpg
Ldap_External_Database.jpg (69.59 KiB) Viewed 10312 times
5. Configure Http/Https User Authentication rules on the Security Gateway

Now, we must create a User Authentication Rule that specifies which users will be allowed to authenticate, and how this will be processed. In our case, we want to let users belonging to AD group "Remote_Access" to authenticate.

1. Enter the User Authentication -> User Authentication Rules section
2. Select Add -> User Authentication Rule
  • Name: The name given to the server object for reference purposes in the SG
    Authentication Agent: The type of traffic being authenticated. In our setup we use HTTPS but you can also use HTTP, PPP or Xauth
    Authentication Source: This specifies that authentication is to be performed using one of the following:
    • LDAP - Users are looked up in an external LDAP server database.
      RADIUS - An external RADIUS server is used for lookup.
      Disallow - This option explicitly disallows all connections that trigger this rule. Such connections will never be authenticated. Any Disallow rules are best located at the end of the authentication rule set.
      Local - The local database defined within the Security Gateway is used for user lookup.
      Allow - This option allows all connections that trigger this rule. With this option, all connections that trigger this rule will be authenticated. No authentication database lookup occurs.
    We use RADIUS or LDAP in this guide
    Interface: The source interface on which the connections to be authenticated will arrive. This must be
    specified.
    Originator IP The source IP or network from which new connections will arrive. For XAuth and PPP, this is
    the tunnel originator IP. To allow roaming clients All-Nets is often used. For outbound connections the Internal network object is often used
    Terminator IP: The terminating IP with which new connections arrive. This is only specified where the Authentication Agent is PPP.
    Log Settings: Enable and select severity if you want it enabled
    Authentication Options: Select the Radius server or the LDAP server created previously depending on your authentication source. If Radius is selected pick the same authentication method used in section 2.2
    The Clavister Security Gateway supports the authentication methods PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). If you choose CHAP, you will have to store the user password in Active Directory using reversibly encryption. Please refer to NPS help chapter “Authentication Methods” for further explanations about the difference between PAP and CHAP.
    In this example we will use PAP.
    Authentication Servers - Select the NPS Server, which was previously defined.
    Accounting: We leave that out in this guide
    Agent Options: We use the built-in web page for login and if HTTPS is the authentication agent we pick the Certificates to be used.
    Restrictions: If you need to apply any idle or session timeout enter the value in seconds. Select your preferred policy for multiple Username Login
3. Click OK
Radius_Https_UA_rule.jpg
Radius_Https_UA_rule.jpg (22.83 KiB) Viewed 10312 times
Now we have successfully created a User Authentication Rule. However, this rule only specifies who and how. In order to test this set-up, we also need to specify a rule, which will only trigger if a user from the "Remote_Access" AD group is logged in.

5.1 Enabling User Authentication in a network object
In order to create user authentication specific rules, user authentication information is entered in the network objects:
1. Enter Objects -> Address Book section
2. Select Add -> IP4 Group
3. Enter a friendly name and select the network members of the object. This is the source IP or Network from where the authentication is performed. In our example All-Nets
4. In the User Authentication tab type in the name of the AD group the user must belong to. In our example "Remote_Access"
Net_Objects_UA.jpg
Net_Objects_UA.jpg (15.69 KiB) Viewed 10312 times
5.2 Enabling User Authentication in a rule
Now it is possible to use the previously created user authentication enabled network object in the rule section.
User_Auth_rules.jpg
User_Auth_rules.jpg (24.39 KiB) Viewed 10312 times
• The first two rules will only trigger (allow RDP to an internal server) if a user, which is a member of the AD group "Remote_Access" , is currently logged in and authenticated against Active Directory.
• The third rule specifies that we allow access to port 443, TCP, to the Security Gateway. This is necessary in order to allow HTTPS authentication.

6. Testing the set-up
To successfully test the set-up, the AD group Remote_Access must be populated with at least one user. We assume that this is the case, and that josm is a member of the Remote_Access group. If you are using CHAP as encryption method, remember to check the box that says "store password using reversibly encryption" in Active Directory.

First of all, make sure that the set-up is correct by trying to open a RDP session to the WAN IP of the Security Gateway. You should receive a connection error message (as you are not authenticated yet).
RDP_fail.jpg
RDP_fail.jpg (19.47 KiB) Viewed 10312 times
Now, start your favorite browser and enter the URL or WAN IP to the Security Gateway. You should be presented with an authentication screen asking for a username and password. Enter the username (josm) and the password and press "Login".
User_Auth_https_logon.jpg
User_Auth_https_logon.jpg (41.35 KiB) Viewed 10312 times
User_Auth_https_logged_on.jpg
User_Auth_https_logged_on.jpg (37.02 KiB) Viewed 10312 times
If the password and the link between the Clavister Security Gateway and NPS or LDAP server (and thus Active Directory) are correct, you should be greeted with a "Logged in" page.
Verify that your user is logged in and has received privileges for the Remote_Access group:
Open up a SSH connection against the Security Gateway and type userauth -l
UA_verify_privileges.jpg
UA_verify_privileges.jpg (13.97 KiB) Viewed 10312 times
You should now be able to successfully connect with RDP to your internal server:
RDP_sucess.jpg
RDP_sucess.jpg (22.76 KiB) Viewed 10312 times
7. Troubleshooting
In case the test was not successful, ensure that:

• You allow access to port 443 on the Security Gateway. (remember that the default Https management port is also 443. You need to change that port to follow this guide)
• The Security Gateway is able to communicate with the NPS server (UDP, and in our case port 1812).
• The shared secret is typed exactly the same on both the Security Gateway and on the NPS server.
• If you have not enabled the setting Ignore user account dial-in properties make sure the user in Active Directory is allowed to Dial-in.
• If you are using CHAP, the password of the user must be stored "using reversibly encryption" in Active Directory.
• The correct privilege information ("Remote_Access") is defined in both the NPS server and in the source network object used in the "RDP_Inbound_Authed" rule.
• It may be necessary to change "Use Domain Name" from "Username Prefix" to "Username Postfix" depending on your Core version and/or Active Directory version.

For further information, please consult the Clavister Manual.

Post Reply