8e6 Technologies Enterprise Filter Authentication R3000 User Manual


CHAPTER 1: INTRODUCTION (AUTHENTICATION OPERATIONS)

RP[] also applies to any port-less addresses specified in the RV[] parameter.

For RA[], each IP address is separated by a semicolon ';', and the first IP address is tried for every new connection attempt. When the main IP address fails to respond, the next IP address in the list is tried, and so on if that one also fails. After the last IP address has been tried, the logic continues from the first IP address again. A retry attempt on the main IP address is subject to the RR[] reconnect time. After any disconnection, the logic always begins with the main IP address as its first attempt.

For RV[], sets of R3000 addresses are specified per IP range, and the set whose range matches the client's IP address is used; multiple destination R3000 addresses may be listed in each set, with the same failover behaviour as multiple destinations in the RA[] parameter. Each set is enclosed in parentheses '( )', and sets are separated by commas ','. Any local client IP address that matches no set uses the RA[] address. Sample format:

RV[(102.108.1.0-102.108.1.255;1.1.1.1;2.2.2.2),(102.108.2.0-102.108.2.255;3.3.3.3:222)]

In this example, a client with the IP address 102.108.1.5 would try to connect to 1.1.1.1 using the RP[] port (with 2.2.2.2 as the backup). A client with 102.108.2.15 would try to connect to 3.3.3.3 on port 222, which has no backup. A client such as 192.168.2.15, which matches neither range, would use the RA[] address.

Any local client address that would end up connecting to 0.0.0.0 is not observed by the 8e6 Authenticator at all. RV[] can therefore be used to restrict the 8e6 Authenticator to observing only the specified ranges of IP addresses.
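The following is an added example written for this page, not 8e6's own code. It parses the RA[], RV[] and RP[] syntax described above, picks the destination set for a client address, applies the 0.0.0.0 "not observed" rule, and walks the failover order. It assumes RP[] holds a single integer port, that an address with no explicit ':port' takes the RP[] port, and that the parameters are passed in as plain strings; the addresses and the RP[] value in the demo are constructed.

```python
"""Added example (not 8e6 code): parser and selection logic for the
8e6 Authenticator RA[]/RV[]/RP[] parameters.

Assumptions not stated on the page: RP[] is one integer port, an
address without ':port' takes the RP[] port, and 0.0.0.0 as the main
destination means the client is not observed.
"""
import ipaddress
import re

_SET_RE = re.compile(r"\(([^()]*)\)")   # one '( ... )' set inside RV[]


def _unwrap(tag, value):
    """Strip a 'TAG[' prefix and ']' suffix if present: 'RA[x]' -> 'x'."""
    value = value.strip()
    prefix = tag + "["
    if value.startswith(prefix) and value.endswith("]"):
        return value[len(prefix):-1]
    return value


def parse_destinations(spec, default_port):
    """'1.1.1.1;2.2.2.2:222' -> [('1.1.1.1', default_port), ('2.2.2.2', 222)].

    Order matters: index 0 is the main address, later entries are backups.
    """
    dests = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        host, sep, port = item.partition(":")
        dests.append((host, int(port) if sep else default_port))
    return dests


def parse_ra(ra, default_port):
    """RA[host;host:port;...] -> ordered destination list."""
    return parse_destinations(_unwrap("RA", ra), default_port)


def parse_rv(rv, default_port):
    """RV[(first-last;dest;dest),(first-last;dest)] ->
    [(first_ip, last_ip, [(host, port), ...]), ...] in the order written."""
    sets = []
    for match in _SET_RE.finditer(_unwrap("RV", rv)):
        fields = match.group(1).split(";")
        lo, _, hi = fields[0].partition("-")
        first = ipaddress.IPv4Address(lo.strip())
        last = ipaddress.IPv4Address(hi.strip()) if hi else first
        dests = parse_destinations(";".join(fields[1:]), default_port)
        sets.append((first, last, dests))
    return sets


def select_destinations(client_ip, rv_sets, ra_dests):
    """First RV[] set whose range contains the client wins; otherwise RA[]."""
    ip = ipaddress.IPv4Address(client_ip)
    for first, last, dests in rv_sets:
        if first <= ip <= last:
            return dests
    return ra_dests


def is_observed(dests):
    """A client whose main destination is 0.0.0.0 is not observed."""
    return bool(dests) and dests[0][0] != "0.0.0.0"


def destination_for_attempt(dests, attempt):
    """Failover order: attempt 0 is the main address, then each backup in
    turn, wrapping back to the main address after the last one.  A fresh
    connection (after any disconnect) starts again from attempt 0."""
    return dests[attempt % len(dests)]


if __name__ == "__main__":
    RP_PORT = 8000  # assumed RP[] value for the demo
    RA = parse_ra("RA[5.5.5.5;6.6.6.6]", RP_PORT)   # constructed fallback list
    RV = parse_rv(
        "RV[(102.108.1.0-102.108.1.255;1.1.1.1;2.2.2.2),"
        "(102.108.2.0-102.108.2.255;3.3.3.3:222),"
        "(10.9.0.0-10.9.255.255;0.0.0.0)]",          # last set: not observed
        RP_PORT,
    )
    for client in ("102.108.1.5", "102.108.2.15", "192.168.2.15", "10.9.3.4"):
        dests = select_destinations(client, RV, RA)
        state = "observed" if is_observed(dests) else "not observed"
        print(client, "->", dests, state)
```

The third RV[] set in the demo shows the restriction trick from the paragraph above: clients in 10.9.0.0/16 are routed to 0.0.0.0 and so are never observed, while clients matching no set still fall back to RA[].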

8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE


Novell eDirectory Agent

Novell eDirectory Agent provides Single Sign-On (SSO) authentication for an R3000 set up in a Novell eDirectory environment. With Novell eDirectory Agent, the eDirectory server notifies the R3000 when an end user logs on to or off the network, and the R3000 adds or removes that user's network IP address accordingly, thereby setting the end user's filtering profile.

Environment requirements
Novell eDirectory servers

The following eDirectory versions (8.7 or higher) with Master, Read/Write and Read replicas have been tested:

eDirectory 8.7 in RedHat Linux 9.0

eDirectory 8.7 in NetWare 6.5 SP5

NOTE: See 8e6 Authenticator: Environment requirements for Minimum and Recommended system requirements. These requirements also apply to eDirectory 8.7 in RedHat Linux 9.0.


Client workstations

To use this option, all end users must log in to the network. The following operating systems have been tested:

Windows 2000 Professional

Windows XP

Macintosh

Novell clients

The following Novell clients have been tested:

Windows: Version 4.91 SP2

Macintosh: Prosoft NetWare client Version 2.0

Novell eDirectory setup

The eDirectory Agent uses the LDAP eDirectory domain configuration set up in the R3000 Administrator console. The eDirectory Agent receives notification from the eDirectory server of logon and logoff events by end users. The Novell client must be installed on each end user's workstation to handle logons to the eDirectory network; in this setup, the Novell client replaces the Windows logon application.


R3000 setup and event logs

When using a Novell eDirectory server and choosing to use the Novell eDirectory Agent option in the R3000:

Enable Novell eDirectory Agent in the Enable/Disable Authentication window.

NOTES: If using an SSO authentication solution, Tier 2 or Tier 3 should be selected as the fallback authentication operation.

When choosing the Novell eDirectory Agent option, the 8e6 Authenticator option must be disabled.

If applicable, a backup server can be specified in the LDAP domain setup wizard, to be used in the event of a connection failure to the primary Novell eDirectory server. Email alerts are sent to the administrator when such a failure occurs.

NOTE: Backup server settings are made in the Default Rule tab of the LDAP Domain Details window, described in Chapter 4: LDAP Authentication Setup.

Once the Novell eDirectory Agent option is set up, the View Log File window can be used to view end user logon/logoff events and the debug log.

NOTE: After the Novell eDirectory Agent is enabled, an individual's username will not appear in the event log until he/she logs in again. Until then, the user is logged under his/her current filtering profile, which most likely will be the IPGROUP or DEFAULT profile.


Authentication Solution Compatibility

Below is a chart representing the authentication solution compatibility for a single user (row and column headings are the same five options; a cell shows whether the two can be combined):

                     Tier 1      Tier 2      Tier 3         8e6            eDirectory
                     net use     time based  session based  Authenticator  Agent
Tier 1               --          Yes         Yes            N/R            N/A
Tier 2               Yes         --          N/A            Yes            Yes
Tier 3               Yes         N/A         --             Yes            Yes
8e6 Authenticator    N/R         Yes         Yes            --             N/R
eDirectory Agent     N/A         Yes         Yes            N/R            --


KEY:

N/A = Not Applicable

N/R = Not Recommended


Configuring the R3000 for Authentication

Configuration procedures

When configuring the R3000 server for authentication, settings must be made in System and Group windows in the Administrator console.

NOTES: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides.

The entries described in this section represent entries to be made on a typical network.

System section

The first settings for authentication must be made in the System section of the Administrator console in the following windows: Operation Mode, LAN Settings, Enable/Disable Authentication, Authentication Settings, Authentication SSL Certificate (if Web-based authentication will be used), and Block Page Authentication.

1. Select “Mode” from the control panel, and then select “Operation Mode” from the pop-up menu.

The entries made in the Operation Mode window will vary depending on whether you will be using the invisible mode, or the router or firewall mode.

In the Listening Device frame, set the Listening Device to “eth0”.

In the Block Page Device frame:

If using the invisible mode, select “eth1”.

If using the router or firewall mode, select “eth0”.

2. Select “Network” from the control panel, and then select “LAN Settings” from the pop-up menu.


The entries made in this window will vary depending on whether you are using the invisible mode, or the router or firewall mode. The LAN 1 and LAN 2 IP addresses should usually be in different subnets.

If using the invisible mode: For the LAN1 IP (eth0) address, select 255.255.255.255 for the subnet mask.

If using the router or firewall mode: Specify the appropriate IP address and subnet mask in the applicable fields.

3. Select “Authentication” from the control panel, and then select “Enable/Disable Authentication” from the pop-up menu.

Enable authentication, and then select one of three tiers in the Web-based Authentication frame:

Tier 1: Choose this option if you will only be using net use based authentication for NT or Active Directory servers.

Tier 2: Choose this option if you wish to use timed Web-based authentication for NT and LDAP domains. This option gives the user a timed session for his/her Internet access. After the timed profile expires, the user must log in again to continue to have Internet access.

Tier 3: Choose this option if you wish to use persistent Web-based authentication for NT and LDAP domains. This option gives the user a persistent network connection via a pop-up window that keeps the user's session open until the window is closed, so the user does not have to log in repeatedly.

If choosing Tier 2 or Tier 3, enable either 8e6 Authenticator or Novell eDirectory Agent, as appropriate to your environment.

4. Select “Authentication” from the control panel, and then select “Authentication Settings” from the pop-up menu.


In the Settings frame, enter general configuration settings for the R3000 server such as IP address entries.

In the NIC Device to Use for Authentication field:

If using the invisible mode: Enter eth1 (Ethernet 1) as the device to send traffic on the network.

If using the router or firewall mode: Enter eth0 (Ethernet 0).

Information should only be entered in the NT Authentication Server Details frame if the R3000 will use the NT Authentication method to authenticate users.

5. Select “Authentication” from the control panel, and then select “Authentication SSL Certificate” from the pop-up menu. This option should be used if Web-based authentication will be deployed on the R3000 server.

Using this option, you create either a self-signed certificate or a Certificate Signing Request (CSR) for use by the Secure Sockets Layer (SSL). The resulting certificate (or, for a CSR, the CA certificate that signed it) should be installed on client machines so that they recognize the R3000 as a valid server with which they can communicate.

6. Select “Control” from the control panel, and then select “Block Page Authentication” from the pop-up menu.

In the Block Page Authentication window, select the Re-authentication Options to be used. The items you select will be listed as re-authentication options on the Options page, accessible from the standard block page. If the “Re-authentication” (NET USE) option is selected, enter the login script path to be used by the R3000 for re-authentication purposes.


Group section

In the Group section of the Administrator console, choose NT or LDAP, and then do the following:

1.Add a domain from the network to the list of domains that will have users authenticated by the R3000.

NOTE: If the network has more than one domain, the first one you add should be the domain on which the R3000 resides.

2.Create filtering profiles for each group within that domain.

3.Set the group priority by designating which group profile will be assigned to a user when he/she logs in. If a user is a member of multiple groups, the group that is positioned highest in the list is applied.

4.Create unique filtering profiles for individual users.
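The following added example (not 8e6's code) models the profile selection that the Group section and the eDirectory Agent notes describe: the agent's logon/logoff notifications map a workstation IP to a user, and that user's profile is then chosen by precedence. The precedence modelled here is an assumption consistent with the text: an individual user profile first, then the highest-positioned group in the priority list, then an IP-range (IPGROUP) profile, then DEFAULT. All names, profiles, addresses and events below are constructed for the demo.

```python
"""Added example (not 8e6 code): IP-to-user mapping driven by SSO agent
logon/logoff events, plus profile resolution by group priority.

Assumed precedence (not stated verbatim on the page): individual user
profile > highest-positioned matching group > IPGROUP range > DEFAULT.
"""
import ipaddress


class ProfileResolver:
    def __init__(self, group_priority, user_groups, user_profiles, ip_groups):
        self.group_priority = list(group_priority)   # highest priority first
        self.user_groups = user_groups                # user -> set of group names
        self.user_profiles = user_profiles            # user -> individual profile
        self.ip_groups = [(ipaddress.IPv4Network(n), p) for n, p in ip_groups]
        self.ip_to_user = {}                          # filled by agent events

    def handle_event(self, event, user, ip):
        """Apply one logon/logoff notification from the directory agent."""
        if event == "logon":
            self.ip_to_user[ip] = user      # a new logon replaces any older mapping
        elif event == "logoff":
            self.ip_to_user.pop(ip, None)
        else:
            raise ValueError(f"unknown event {event!r}")

    def profile_for_ip(self, ip):
        """Profile applied to traffic from this IP right now."""
        user = self.ip_to_user.get(ip)
        if user is not None:
            if user in self.user_profiles:            # individual profile wins
                return self.user_profiles[user]
            for group in self.group_priority:         # first hit = highest in list
                if group in self.user_groups.get(user, ()):
                    return f"GROUP:{group}"
        # No logon seen on this IP yet (or the user logged off): fall back to
        # IP-based profiles, which is the IPGROUP/DEFAULT case from the note.
        addr = ipaddress.IPv4Address(ip)
        for network, profile in self.ip_groups:
            if addr in network:
                return profile
        return "DEFAULT"


def build_demo_resolver():
    """Constructed directory data: alice is in two groups, carol has her own profile."""
    return ProfileResolver(
        group_priority=["Faculty", "Students"],
        user_groups={"alice": {"Students", "Faculty"},
                     "bob": {"Students"},
                     "carol": {"Students"}},
        user_profiles={"carol": "USER:carol"},
        ip_groups=[("10.1.0.0/16", "IPGROUP:lab")],
    )


def replay(resolver, events):
    """Apply events in order; return the profile seen on each IP after each step."""
    trail = []
    for event, user, ip in events:
        resolver.handle_event(event, user, ip)
        trail.append((ip, resolver.profile_for_ip(ip)))
    return trail


# Constructed event stream, in the order the agent would deliver it.
DEMO_EVENTS = [
    ("logon", "alice", "10.1.0.5"),
    ("logon", "bob", "10.1.0.6"),
    ("logon", "carol", "10.2.0.7"),
    ("logoff", "alice", "10.1.0.5"),
]

if __name__ == "__main__":
    r = build_demo_resolver()
    print("before any logon:", r.profile_for_ip("10.1.0.5"))
    for ip, profile in replay(r, DEMO_EVENTS):
        print(ip, "->", profile)
```

The first and last lines of the demo output show the behaviour the eDirectory Agent note warns about: until a logon event has been seen for an IP (and again after a logoff), the workstation is filtered by the IPGROUP or DEFAULT profile rather than by any user's profile.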

CHAPTER 2: NETWORK SETUP

Environment Requirements

Workstation Requirements

Administrator

Minimum system requirements for the administrator include the following:

Windows 98 or later operating system (not compatible with Windows Server 2003)

Internet Explorer (IE) 5.5 or later

JavaScript enabled

Java Virtual Machine

Java Plug-in (use the version specified for the R3000 software version)

Java Runtime Environment, if using Tier 3 authentication

End User

Windows 98 or later operating system (not compatible with Windows Server 2003)

Internet Explorer (IE) 5.5 or later

JavaScript enabled

Java Runtime Environment, if using Tier 3 authentication

Pop-up blocking software, if installed, must be disabled
