8e6 Technologies Enterprise Filter Authentication R3000 User Manual


CHAPTER 1: INTRODUCTION - AUTHENTICATION OPERATIONS

Name resolution methods

Name resolution is the process by which the R3000 maps the machine name of the authentication server to that server's IP address. The R3000 repeats this lookup automatically at regular intervals so that the connection between the two servers is maintained.

When an NT server is used with SMB, the name is resolved either through a Windows Internet Name Service (WINS) server whose IP address has been entered on the R3000, or by a NetBIOS broadcast query.

When an LDAP server is used, the name is resolved through the Domain Name System (DNS). The LDAP server must therefore have a valid DNS entry, or its IP address must be added to the R3000 hosts file.

NOTE: If LDAP is used, client machines will still use the SMB authentication method to communicate with the R3000 server for Tier 1 authentication. LDAP communication only occurs between the R3000 server and the LDAP server.

8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE


Authentication setup procedures
Server setup types

R3000 authentication is designed to support the following server types for the specified tier(s):

Tier 1: NET USE-based authentication

NOTE: Login scripts must be used for NET USE-based authentication.

Using SMB/NetBIOS:

Windows NT 4.0, SP4 or later

Windows 2000 or 2003 Server in mixed/legacy mode

NOTE: SMB Signing must not be required. The R3000 cannot complete a NET USE session to a server that insists on signed SMB. On Windows 2000/2003 the server-side setting is the security policy "Microsoft network server: Digitally sign communications (always)" (registry value RequireSecuritySignature under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, 1 = required); Windows 2003 domain controllers enable it by default through the Default Domain Controllers Policy, so it must be set to Disabled (value 0) on the domain controllers the R3000 authenticates against. Be aware that leaving signing optional removes the protection it gives against SMB relay and session tampering on those servers.

Using LDAP:

Microsoft Active Directory Mixed Mode

Microsoft Active Directory Native Mode

Tier 2 and Tier 3: Web-based authentication

Using an NT authentication domain:

Windows NT 4.0, SP4 or later

Windows 2000 or 2003 Server in mixed/legacy mode

NOTE: SMB Signing must not be required.

Using an LDAP domain:

Windows Active Directory 2002 and 2003

Novell eDirectory

SunONE directory server


Configuring the authentication server

When configuring authentication, you must first go to the authentication server and make all necessary entries before configuring the R3000.

The following authentication components must be set up or entered on the console of the authentication server:

domain name

usernames and passwords

user groups

login scripts


Login scripts

Login (or logon) scripts are used by the R3000 server for reauthenticating users on the network.

The following NET USE syntax must be placed in the login script, which resides in the directory on the authentication server described under "View login script on the server console" below:

Enter net use syntax in the login script

The virtual IP address is used by the R3000 to communicate with all users who log on to that server. This address must be in the same subnet as the one used by the transmitting interface of the R3000.

For testing only, user information can be specified on the command line as follows:

NET USE \\virtualip\R3000$ /user:DOMAINNAME\username password

Example: NET USE \\192.168.0.20\R3000$ /user:LOGO\jsmith xyz579

Do not leave a password in a login script that is deployed to users: the NETLOGON share is readable by every authenticated domain user, so the credential would be exposed to all of them. In production the NET USE line is issued without /user and password, so the session is established with the credentials of the user who is logging on.

The command to disconnect a session is:

NET USE \\virtualip\R3000$ /delete


View login script on the server console

The login script can be viewed on the authentication server console. This script resides in a different location on the server, depending on the version of the server:

Windows 2000 or Windows 2003 Server

\\servername.suffix\sysvol\domainname.suffix\policies\{guid}\user\scripts\logon

c:\winnt\sysvol\sysvol\domainname.suffix\scripts

c:\winnt\sysvol\domainname\scripts

Windows NT 4.0 Server

\\servername\netlogon

\\ipaddress\netlogon

c:\winnt\system32\repl\import\scripts

The login script must be specified either in the user’s domain account or in the Active Directory Group Policy Object so that it runs when the user logs into the domain.


Block page authentication login scripts

In addition to the use of login scripts in the console of the authentication server, a login script path must be entered in the Block Page window of the R3000 Administrator console. This script is used for reauthenticating users on the network.

The following syntax must be used:

\\SERVERNAME\netlogon

or

\\IPaddress\netlogon

NOTE: See Block Page Authentication for more information about these entries.


LDAP server setup rules

WARNING: The instructions in this user guide have been documented based on standard default settings in LDAP for Microsoft Active Directory Services. The use of other server types, or any changes made to these default settings, must be considered when configuring the R3000 server for authentication.

If LDAP will be used, the following items should be considered:

The administrator in charge of the LDAP server should create a dedicated account for the R3000 with read access to the users and groups in the directory. The R3000 binds to the directory with this account, so it needs no write permissions and should not be a member of any administrative group.

Since the LDAP directory is structured as a tree, data must be retrieved by walking that tree, and the order of the components in a directory name is the reverse of a file system path: the deepest (most specific) component is listed first and the root last, in the same manner as a DNS domain name such as “engineering.company.net”. The corresponding LDAP entry is written “cn=engineering,dc=company,dc=net”.

Make sure all network configuration settings are correct (such as DNS, IP, etc.) before configuring LDAP settings.
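The following Python module is an added example for this section; it is not 8e6 code and it does not contact a directory. It builds, parses and compares LDAP distinguished names so the deepest-first ordering described above can be checked against the DNS-style name an administrator normally thinks in, and it applies the RFC 4514 escaping that a value such as "Smith, John" needs before it can be placed in a DN. All names in it (company.net, the "R3000 svc" account, the ou=Service Accounts container) are constructed for illustration.

```python
"""Build, parse and compare LDAP distinguished names (RFC 4514).

Added example for this guide; not 8e6 code. It does not talk to a
directory. All names used here are constructed for illustration.
"""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value)

# Characters that must be backslash-escaped inside a value (RFC 4514 s.2.4).
_SPECIAL = set(',+"\\<>;')


def escape_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in _SPECIAL
                or (i == 0 and ch in ' #')      # leading space or '#'
                or (i == last and ch == ' ')):  # trailing space
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns: List[RDN]) -> str:
    """Join (type, value) pairs, most specific first, into a DN string."""
    return ','.join(f'{attr}={escape_value(val)}' for attr, val in rdns)


def dns_to_base_dn(domain: str) -> str:
    """'company.net' -> 'dc=company,dc=net'.

    This is the naming context of an AD domain and the usual search base
    for directory lookups (assumption: the domain's DNS name matches its
    directory name, which is the AD default).
    """
    labels = [lab for lab in domain.strip('.').split('.') if lab]
    if not labels:
        raise ValueError('empty domain name')
    return build_dn([('dc', lab) for lab in labels])


def _text(chars: List[Tuple[str, bool]]) -> str:
    """Join (char, escaped) pairs, dropping unescaped spaces at either end."""
    start, end = 0, len(chars)
    while start < end and chars[start] == (' ', False):
        start += 1
    while end > start and chars[end - 1] == (' ', False):
        end -= 1
    return ''.join(c for c, _ in chars[start:end])


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN string into (type, value) pairs, honouring backslash escapes.

    Attribute types are lower-cased. Multi-valued RDNs ('+') and hex
    escapes are not handled; Active Directory rarely produces either.
    """
    rdns: List[RDN] = []
    attr: Optional[str] = None
    chars: List[Tuple[str, bool]] = []
    i, n = 0, len(dn)
    while i <= n:
        ch = dn[i] if i < n else ','      # sentinel flushes the last RDN
        if ch == '\\' and i + 1 < n:      # escaped char: keep it verbatim
            chars.append((dn[i + 1], True))
            i += 2
            continue
        if ch == '=' and attr is None:    # first unescaped '=' ends the type
            attr = _text(chars).lower()
            chars = []
        elif ch == ',':                   # unescaped ',' ends the RDN
            value = _text(chars)
            if not attr or not value:
                raise ValueError(f'malformed RDN near offset {i} in {dn!r}')
            rdns.append((attr, value))
            attr, chars = None, []
        else:
            chars.append((ch, False))
        i += 1
    return rdns


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn lies at or below base_dn (suffix match on RDNs).

    Values are compared case-insensitively, which is right for the dc/ou/cn
    attributes used here; AD matches them case-insensitively too.
    """
    entry = [(a, v.lower()) for a, v in parse_dn(entry_dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base


def dn_to_dotted(dn: str) -> str:
    """'cn=engineering,dc=company,dc=net' -> 'engineering.company.net'."""
    return '.'.join(v for _, v in parse_dn(dn))


if __name__ == '__main__':
    base = dns_to_base_dn('company.net')                 # dc=company,dc=net
    svc = build_dn([('cn', 'R3000 svc'), ('ou', 'Service Accounts')]
                   + parse_dn(base))
    print(base)
    print(svc)  # cn=R3000 svc,ou=Service Accounts,dc=company,dc=net
    print(dn_to_dotted('cn=engineering,dc=company, dc=net'))
    print(in_subtree(svc, base), in_subtree(svc, 'dc=other,dc=net'))
```

The parser deliberately tolerates the space after the comma in "dc=company, dc=net" because older RFC 2253 strings and hand-typed configuration often contain it, while a space that is part of a value must be escaped and is then preserved. in_subtree is the check to run on the read-only account's DN and on the search base before entering them on the R3000: an account or base that is not under the domain's naming context will bind or search against the wrong tree.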

NOTE: All filtering profiles are stored on the R3000 server.


Tier 2: Time-based, Web Authentication

The following diagram and steps describe the operations of the time-based authentication process:

Fig. 1-6 Web-based authentication module diagram

1. The user makes a Web request by entering a URL in his/her browser window.

2. The R3000 intercepts this request and sends the user the Authentication Request Form, requesting the user to log in with his/her login ID and password.

3. The R3000 verifies the user's information with the authentication server (Domain Controller, Active Directory, LDAP, etc.).

4. The authenticated user is allowed to access the requested URL for the time period specified by the administrator.


Tier 2 implementation in an environment

In an environment where Tier 2 time-based profiles have been implemented, end users receive filtering profiles after correctly entering their credentials into a Web-based Authentication Request Form. A profile remains active for a configurable amount of time even if the user logs out of the workstation, changes IP addresses, etc., so until it expires or is explicitly removed the next person to use that workstation inherits it.

Tier 2 time-based profiles do not call for the R3000 to maintain a connection with the client machine, so the R3000 cannot detect when the user logs off of a workstation. In order to remove the end user's profile, one of the two scripts detailed in this sub-section should be inserted into the network's login and/or logoff script.

The Tier 2 Script should be used if Tier 2 is the only tier implemented in an environment. The Tier 1 and Tier 2 Script should be used if Tier 2 is implemented along with Tier 1 in an environment. Since both sets of scripts use the NET USE command, the client machine must already have the ability to connect to the R3000 via NET USE in order for the profile to be removed in either environment.


Tier 2 Script

If using Tier 2 only, this script should be inserted into the network’s login script. If the network also uses a logoff script, 8e6’s script should be inserted there as well. The inclusion of this script ensures that the previous end user’s profile is completely removed, in the event the end user did not log out successfully.

echo off
:start
cls
REM 10.10.10.10 is the R3000 virtual IP address; substitute your own.
REM Drop any stale session to the LOGOFF$ share before connecting again.
net use \\10.10.10.10\LOGOFF$ /delete

:try1
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :try2
if errorlevel 0 echo code 0: Success
goto :end

:try2
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :try3
if errorlevel 0 echo code 0: Success
goto :end

:try3
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :error
if errorlevel 0 echo code 0: Success
goto :end

:error
if errorlevel 1 echo code 1: Failed!

:end
REM Disconnect so the share is not left mapped for the next user.
net use \\10.10.10.10\LOGOFF$ /delete
