8e6 Technologies Enterprise Filter Authentication R3000 User Manual


CHAPTER 1: INTRODUCTION - AUTHENTICATION OPERATIONS

Tier 1 and Tier 2 Script

In an environment in which both Tier 1 and Tier 2 are used, this version of 8e6’s script should be inserted into the network’s login script. 8e6’s script attempts to remove the previous end user’s profile, and then lets the new user log in with his/her assigned profile.

echo off
:startremove
cls
NET USE \\10.10.10.10\LOGOFF$ /delete
:tryremove1
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :tryremove2
if errorlevel 0 echo code 0: Success
goto :endremove
:tryremove2
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :tryremove3
if errorlevel 0 echo code 0: Success
goto :endremove
:tryremove3
NET USE \\10.10.10.10\LOGOFF$
if errorlevel 1 goto :removalerror
if errorlevel 0 echo code 0: Success
goto :endremove
:removalerror
if errorlevel 1 echo code 1: Failed to send removal request!
:endremove
net use \\10.10.10.10\LOGOFF$ /delete

8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE


:try1
NET USE \\10.10.10.10\R3000$
if errorlevel 1 goto :try2
if errorlevel 0 echo code 0: Success
goto :end
:try2
NET USE \\10.10.10.10\R3000$
if errorlevel 1 goto :try3
if errorlevel 0 echo code 0: Success
goto :end
:try3
NET USE \\10.10.10.10\R3000$
if errorlevel 1 goto :error
if errorlevel 0 echo code 0: Success
goto :end
:error
if errorlevel 1 echo code 1: Failed!
:end

In environments that use both Tier 1 and Tier 2, if a logoff script is used on the network, the Tier 2 Script should be inserted into the network’s logoff script.


Tier 3: Session-based, Web Authentication

The diagram on the previous page (Fig. 1-6) and the steps below describe the operations of the session-based authentication process:

1. The user makes a Web request by entering a URL in his/her browser window.

2. The R3000 intercepts this request and sends the user the Authentication Request Form, requesting the user to log in with his/her login ID and password.

3. The R3000 verifies the user’s information with the authentication server (Domain Controller, Active Directory, LDAP, etc.).

4. A pop-up window opens on the user’s workstation while the original window loads the requested URL. The user will continue to be authenticated as long as the pop-up window remains open.


8e6 Authenticator

The 8e6 Authenticator ensures the end user is authenticated on his/her workstation, via an executable file that launches during the login process. To use this option, the 8e6 Authenticator client (authenticat.exe) should be placed in a network share accessible by the domain controller or a Novell eDirectory server such as NetWare eDirectory server 6.5.

NOTE: The 8e6 Authenticator client (authenticat.exe) can be downloaded from the Enable/Disable Authentication window. (See the Enable authentication, specify criteria sub-section in Chapter 2: Network Setup.)

Environment requirements
Minimum system requirements

The following minimum server components are required when using NetWare eDirectory server 6.5:

Server-class PC with a Pentium II or AMD K7 processor

512 MB of RAM

Super VGA display adapter

DOS partition of at least 200 MB and 200 MB available space

2 GB of available, unpartitioned disk space outside the DOS partition for volume sys:

One network board

CD drive


Recommended system requirements

The following server components are recommended for optimal performance when using NetWare eDirectory server 6.5:

Server-class PC with two-way Pentium III, IV, or Xeon 700 MHz or higher processors

1 GB of RAM

VESA compliant 1.2 or higher display adapter

DOS partition with 1 GB of available space

4 GB of available, unpartitioned disk space outside the DOS partition for volume sys:

One or more network boards

Bootable CD drive that supports the El Torito specification

USB or PS/2* mouse

Workstation requirements

The 8e6 Authenticator client works with the following operating systems:

Windows XP Pro SP1 and 2

Windows 2000 Pro SP4

Windows XP and Windows 2000 with Novell client v4.91

NOTE: Any non-domain-supported Windows operating system, such as ME or XP Home Edition, will not work with the 8e6 Authenticator unless the Novell eDirectory client is installed for login and deployment of the 8e6 Authenticator client using a Novell server.


Work flow in a Windows environment

1. The administrator stores the 8e6 Authenticator client (authenticat.exe) in a network-shared location that a login script can access.

2. Using a Windows machine, an end user logs on to the domain, or logs on to the eDirectory tree via a Novell client.

3. The end user’s login script invokes authenticat.exe.

4. The 8e6 Authenticator client determines the authentication environment by examining the Windows registry, then retrieves the username and domain name using either Windows or Novell APIs, and sends this information (LOGON event) to the R3000.

5. The R3000 looks up the groups to which the end user belongs (Windows AD, PDC, or eDirectory through LDAP or NTLM/Samba), and determines the profile assignment.

6. The R3000 sets the profile for the end user with username (including the group name, if it is available) and IP.

7. The 8e6 Authenticator client continually sends a “heartbeat” to the R3000, with a specified interval of seconds between each “heartbeat”, until the end user logs off.

8. The end user logs off, and the 8e6 Authenticator client sends a LOGOFF event to the R3000. The R3000 removes the user’s profile.

NOTE: The 8e6 Authenticator can handle up to 20 logons per second.


8e6 Authenticator configuration priority

The source and order in which parameters are received and override one another are described below.

NOTE: Any parameter set at the end of the list will override any parameter that was previously set.

1. Compiled Defaults: Given no parameters at all, the client will try to execute using the default compilation.

2. Configuration File (optional): The default location of the configuration file is the same path/name as the authenticat.exe client, but with a “.cfg” extension instead of “.exe”. The full path/name can be specified on the command line with the CF[] parameter. Review the ++ comment following Table 1 for more information.

3. Command Line (optional): Options on the command line will override compiled defaults and the configuration file. The command line can be left blank.

4. R3000 Configuration Packet (optional): The R3000 may send a configuration packet that will override all other settings, including the command line. If the R3000 changes the IP address or port used by authenticat.exe, then when authenticat.exe reconnects, authenticat.exe will use the new IP address and port.

NOTE: The R3000 can force authenticat.exe to reconnect with a re-logon event packet.


8e6 Authenticator configuration syntax

All configuration parameters, regardless of their source, will use the following format/syntax:

wAA[B]w{C}w

{Parameter ‘AA’ with Data ‘B’, and Comment ‘C’ ignored.}

w;DD[E]w{C}w

{The semicolon causes ‘DD[E]’ to be ignored, ‘C’ is also ignored.}

Whereas ‘AA’ is a two-letter, case-insensitive parameter name, ‘B’ is the value for this parameter wrapped in brackets ( [ ] ), and ‘w’ is zero or more white spaces (space, tab, carriage return, line feed). ‘C’ is completely ignored, and anything wrapped in braces ( { } ) is considered a comment. A ‘;’ immediately preceding a parameter will cause that parameter and its data to be ignored, which is convenient for temporarily reverting a parameter to default values during testing.

Sample command line parameters

authenticat.exe LF[c:\] ra[192.168.0.43]Rr[40000]

Sample configuration file

RA[100.10.101.30] { R3000 Virtual IP address }
RP[139] { R3000 Port }
RH[30000] { Heartbeat timer (30 seconds) }
RR[30000] { Reconnect time (before connecting again) }
RC[10000] { Connect Timeout (how long to wait for a connection response) }
LE[0]
LF[\\100.10.101.117\publogs\] { Where to put logs }

Sample R3000 configuration update packet ‘PCFG’

After decryption, with protocol headers removed:

RH[30000]RC[1000]LE[1]


You only need to change the options you do not wish to remain as default. Often the IP address of the R3000 (RA) and the log file (LF) are the most desired options to change. Note that full network paths are allowed.

Table of parameters

The following table contains the different parameters, their meanings, and possible values.

Param ID   Parameter Meaning                      Values                             Dbg Default    Release Default
UT +       User’s Logon Environment               1-256 (0 = Win32, 1 = Novell)      255 (auto)     255 (auto)
RA # *     R3000 Virtual IP Address               255.255.255.255:PORT;…             0.0.0.0        0.0.0.0
RV #       R3000 VPN Support Table                (IP-IP;IP:PORT;…),…
RP         R3000 Port                             1-65535                            139            139
RH         R3000 Heartbeat Timer MS               1-4 billion (milliseconds)         30000          30000 (30 sec)
RR         R3000 Reconnect Time MS                1-4 billion (milliseconds)         30000          30000 (30 sec)
RC         R3000 Connect Timeout MS               1-4 billion (milliseconds)         10000          10000 (10 sec)
LE         Log using Event Viewer                 1 or 0 (event view or log file)    0 (log file)   1 (event view)
LD         Logging Detail                         1, 2, 3, or 4                      1 (light)      0 (errors only)
LF *       Path-ONLY to output log file           1-1000 alphanum                    C:\            C:\
CF ++      Full path/name of Configuration File   1-1000 alphanum


+ If UT[0] is set, then the Novell environment will be ignored, if present, and only the Windows environment information will be retrieved and sent to the R3000. If UT[1] is set and the Novell environment is invalid or the user is not authenticated with its Novell server, then the results sent to the R3000 are invalid (probably empty values). The default UT[255] auto-detects Novell vs. Win32 and will automatically favor Novell authentication over Windows, if possible.

* Special Interest. Values most likely to change during testing, configuration, and production implementation.

++ An alternate configuration file is only valid when specified on the command line. It will be ignored in any other context. If the configuration file cannot be loaded from the alternate location, an error will be logged and an attempt will be made to load the default configuration file. If the alternate configuration file is specified and is blank ( CF[] ), the 8e6 Authenticator will not attempt to load any configuration file; this can minimally speed up execution time. The compiled default value of CF[-] causes the default configuration file loading to be attempted, which has the same full path and filename as the current, loaded 8e6 Authenticator executable, but with an extension of “.cfg” instead of “.exe”. That is, if the 8e6 Authenticator client is “\\example\authenticat.exe”, the search for the default configuration file would be “\\example\authenticat.cfg”. It is not an error if the default configuration file does not exist. It is an error if the default configuration file exists but cannot be read or parsed correctly. Unknown parameters are ignored. Format/syntax errors will abort the reading and report an error, but the 8e6 Authenticator will attempt to continue running.

For each IP address where “:PORT” is omitted from the address, the RP[] port value is used. For example, if RA[1.1.1.1:5555] is set, the RP[] parameter is ignored.
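The parameter syntax (wAA[B]w{C}w with ‘;’ disabling an entry), the four-level configuration priority, and the RA/RP port rule above, worked through as an added example; this is not 8e6’s parser, and the regular expression, the KNOWN set, and the sample file contents are assumptions built from the page’s table and examples:

```python
import re

# Page grammar: w AA [B] w {C} w; a ';' right before AA disables that entry.
# Assumed regex (not the vendor's parser): one brace comment OR one param.
_TOKEN = re.compile(r"\s*(?:\{[^}]*\}|(;?)([A-Za-z]{2})\[([^\]]*)\])\s*")
KNOWN = {"UT", "RA", "RV", "RP", "RH", "RR", "RC", "LE", "LD", "LF", "CF"}

def parse_params(text):
    """Return ({NAME: value}, error_offset_or_None) for one parameter source.
    Comments are skipped, names upper-cased, ';'-disabled and unknown names
    ignored; on a syntax error reading stops but what was parsed is kept."""
    found, pos, text = {}, 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            return found, pos          # page: abort reading, report, keep running
        pos = m.end()
        disabled, name, value = m.group(1), m.group(2), m.group(3)
        if name and not disabled and name.upper() in KNOWN:
            found[name.upper()] = value
    return found, None

# Release defaults from the page's table (CF[-] = look beside the .exe).
COMPILED_DEFAULTS = {"UT": "255", "RA": "0.0.0.0", "RP": "139", "RH": "30000",
                     "RR": "30000", "RC": "10000", "LE": "1", "LD": "0",
                     "LF": "C:\\", "CF": "-"}

def effective_config(config_file="", command_line="", pcfg=""):
    """Priority from the page: defaults < config file < command line < PCFG."""
    merged = dict(COMPILED_DEFAULTS)
    for source in (config_file, command_line, pcfg):
        merged.update(parse_params(source)[0])
    return merged

def r3000_endpoints(cfg):
    """Split RA ('IP[:PORT];...'); an entry without ':PORT' uses RP."""
    endpoints = []
    for entry in filter(None, (e.strip() for e in cfg["RA"].split(";"))):
        host, _, port = entry.partition(":")
        endpoints.append((host, int(port or cfg["RP"])))
    return endpoints

# Constructed sample file modelled on the page's example (not a real site).
SAMPLE_CFG = """RA[100.10.101.30] { R3000 Virtual IP address } RP[139] { R3000 Port }
RH[30000] { Heartbeat timer (30 seconds) }
;RR[5000] { disabled with ';' so the default (or a later source) applies }
LE[0]
LF[\\\\100.10.101.117\\publogs\\] { Where to put logs }"""
```

Calling effective_config(SAMPLE_CFG, "LF[c:\\] ra[192.168.0.43]Rr[40000]", "RH[30000]RC[1000]LE[1]") reproduces the page’s command line and PCFG packet overriding the file, and r3000_endpoints on the result applies the RP fallback for the port-less RA entry.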
