author contact: shezho@gmail.com

 

I got a task to integrate our corp windows AD  with our netscreen firewall webauth function. before this our firewall supports only

local users, that causes big work  load to create accounts especially when the user number grows more and more.

 

To use windows AD, ldap firstly comes into mind but soon I found it’s not usable as I even can’t find where to define the ldap search account and password. As I know on SRX this will work quite well and simply by using ldap to interconnect with windows AD from firewall.

 

Then I consider netscreen+ radius+windows AD. it’s easy to find a lot of articles about using IAS to achieve this, but it doesn’t work for me

as it requires to install IAS on windows AD, as I am not authorized to do that.

 

then I figureout the way netscreen+freeradius+ windows AD as below.


1. install freeradius

yum install freeradius freeradius-ldap

you may need install epel before this if you haven’t done:

yum install epel-release

 

2. config freeradius

a. Edit /etc/raddb/clients.conf

add netscreen as the client of freeradius:

.....

client <your_netscreen_IP> {

secret = <your secretkey>

nastype = other

}

......

b. edit /etc/raddb/modules/ldap

At the beginning of radius to use ldap to authenticate a user, it will send a bind firstly with the search account, then it search the account of the user to be webauthed, and then it bind this webauth user account. if each step succeeds, radius reply access accept to netscreen.

so we have to provide the config file with a search account and some information of the webauth account such as the base DN.

Define your ldap server as the windows AD server as below

including the ldap search account(identity+ password) information:

......

ldap { 
        # 
        #  Note that this needs to match the name in the LDAP 
        #  server certificate, if you're using ldaps
        server = <your windows ad server ip
        identity = "cn=admin,ou=test,dc=test,dc=com" 
        password = <password of user admin> 
        basedn = "ou=test,dc=test,dc=com" 
        filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" 
        #base_filter = "(objectclass=radiusprofile)"

.......



c. /etc/raddb/sites-available/default

enable the ldap authentication in default file by uncomment the ldap line in different sections at least in auth section.

 

d.edit the attribute map file  /etc/raddb/ldap.attrmap

add below line:

replyItem       NS-User-Group                   memberOf 

or:

replyItem       NS-User-Group                   memberOf        +=

 

The difference between the two lines is there is operators “+=” in the second line, which is used when the user belongs to more than one group and you want

all the group information to be replied to the netscreen. normally this operator is used for multi-valued attributes.


3. config netscreen:

a. set radius server information

set auth-server "my_radius" id 1 
set auth-server "my_radius" server-name <put your free radius ip address here> 
set auth-server "my_radius" radius port 1812 
set auth-server "my_radius" radius secret <your radius secret key> 
set auth radius accounting port 1646

b. config web auth:


set webauth server "my_radius" 
set interface "ethernet5/3" webauth 
set interface "ethernet5/3" webauth-ip <your netscreen ip used for webauth> 
set webauth server "my_radius"

c. config user group information, the group name should be the same as user group information defined on windows AD.

user group information on AD is described in memberOf attribute.

set user-group "CN=group1,OU=test,DC=test" type auth 
set user-group "CN=group2,OU=test,DC=test" type auth

d. define the policy which allows the specific group to access the resource: 
set policy id 1 from "Untrust" to "Trust"  "host1" "server1" "ANY" permit webauth user-group "CN=group1,OU=test,DC=test"

this allows user in the group1 to access server1 from host1 after the user passes the web authentication at the web page: http://<your netscreen ip used for webauth>