8e6 Technologies R3000 LDAP protocol

CHAPTER 1: INTRODUCTION AUTHENTICATION OPERATIONS

28 8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE

NOTE: For information on SMB Signing compatibility with the

R3000, refer to the chart in Appendix D: Disable SMB Signing

Requirements.

LDAP protocol

LDAP is a directory service protocol that stores entries

(Distinguished Names) in a domain’s directory using a hier-

archical tree structure. The LDAP directory service is based

on a client/server model protocol to give the client access to

resources on the network.

When a client connects to a server and asks it a question,

the server responds with an answer and/or with a pointer to

the server that stores the requested information (typically,

another LDAP server). No matter which LDAP server the

client accesses, the same view of the directory is “seen.”

The LDAP specification defines both the communication

protocol and the structure, or schema, to a lesser degree.

There is an Internet Assigned Network Authority (IANA)

standard set that all LDAP directories should contain. Novell

and Microsoft both have additional schema definitions that

extend the default setups.

Most server operating systems now support some imple-

mentations of LDAP authentication. The Microsoft Active

Directory LDAP-based model became available with the

release of Windows 2000.

Contents

Main Page R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE Page C CHAPTER 1: INTRODUCTION ..........................................1 Filtering Elements .......................................................................8 Authentication Operations .......................................................23 Page CHAPTER 2: NETWORK SETUP ....................................58 Environment Requirements .....................................................58 Set up the Network for Authentication ....................................60 CHAPTER 3: NT AUTHENTICATION SETUP ..................101 Set up NT Domain Groups, Members ....................................109 Create and Maintain NT Profiles ............................................118 CHAPTER 4: LDAP AUTHENTICATION SETUP .............125 Create an LDAP Domain .........................................................125 CHAPTER 5: AUTHENTICATION DEPLOYMENT .............162 Test Authentication Settings ................................................. 162 Activate Authentication on the Network ...............................174 CHAPTER 6: TECHNICAL SUPPORT ............................206 APPENDIX A ..............................................................209 Support Procedures ................................................................ 208 User/Group File Format and Rules ........................................209 APPENDIX B ..............................................................218 Ports for Authentication System Access ..............................218 APPENDIX C ..............................................................219 LDAP Server Customizations ................................................219 APPENDIX D ..............................................................220 APPENDIX G .............................................................247 Glossary ...................................................................................247 INDEX .......................................................................255 CHAPTER 1: INTRODUCTION About this User Guide blocker software installed; a glossary on authentication terms, and an index. How to Use this User Guide Conventions The following icons are used throughout this user guide: Terminology Page Page Page Page Filtering Elements Group Types Global Group IP Groups NT Domain Groups LDAP Domain Groups Filtering Profile Types Static Filtering Profiles Master IP Group Filtering Profile IP Sub-Group Filtering Profile Individual IP Member Filtering Profile Active Filtering Profiles Global Filtering Profile NT/LDAP Group Filtering Profile NT/LDAP Member Filtering Profile Override Account Profile Time Profile Lock Profile Filtering Profile Components Library Categories 8e6 Supplied Categories Custom Categories Service Ports Rules Minimum Filtering Level Filter Settings Filtering Rules Page Page Authentication Operations R3000 Authentication Protocols R3000 Authentication Tiers tory server, the Novell eDirectory Agent can be used instead to authenticate end users. Tier 1: Single Sign-On Authentication Net use based authentication process Re-authentication process Authentication methods SMB protocol SMB Signing LDAP protocol Name resolution methods Authentication setup procedures Server setup types Tier 1: Net use based authentication Tier 2 and Tier 3: Web-based authentication Configuring the authentication server Login scripts Enter net use syntax in the login script View login script on the server console Block page authentication login scripts LDAP server setup rules Tier 2: Time-based, Web Authentication Tier 2 implementation in an environment Tier 2 Script Tier 1 and Tier 2 Script Page Tier 3: Session-based, Web Authentication 8e6 Authenticator Environment requirements Minimum system requirements Recommended system requirements Workstation requirements Work flow in a Windows environment 8e6 Authenticator configuration priority 8e6 Authenticator configuration syntax Sample command line parameters Sample configuration file Sample R3000 configuration update packet PCFG Table of parameters Default The following table contains the different parameters, their meanings, and possible values. Param ID Parameter Meaning Values Dbg Page Page Novell eDirectory Agent Environment requirements Novell eDirectory servers Client workstations Novell clients Novell eDirectory setup R3000 setup and event logs Authentication Solution Compatibility Below is a chart representing the authentication solution compatibility for a single user: KEY: N/A = Not Applicable N/R = Not Recommended Configuring the R3000 for Authentication Configuration procedures System section Page Page Group section CHAPTER 2: NETWORK SETUP Environment Requirements Workstation Requirements Administrator End User Network Requirements Set up the Network for Authentication Specify the operation mode Page Specify the subnet mask, IP address(es) Invisible mode Router or firewall mode Enable authentication, specify criteria Page Net use based authentication Web-based authentication Page Page Enter network settings for authentication Page Create an SSL certificate Create, Download a Self-Signed Certificate CHAPTER 2: NETWORK SETUP SET UP THE NETWORK FOR AUTHENTICATION 74 TIP: Click Delete Certificate to remove the certificate from the server. Create, Upload a Third Party Certificate Create a Third Party Certificate 1. Click the Third Party Certificate tab: Fig. 2-9 Third Party Certificate tab Page Upload a Third Party Certificate Download a Third Party Certificate View log results Page Page CHAPTER 2: NETWORK SETUP SET UP THE NETWORK FOR AUTHENTICATION 8 E 6 T ECHNOLOGIES , R3000 E NTERPRISE F ILTER A UTHENTICATION U SER G Specify block page settings Fig. 2-15 Block Page Authentication window Block Page Authentication Block page User/Machine frame Standard Links Optional Links Options page Option 1 Option 2 Option 3 Common Customization Enable, Disable Features Page Authentication Form Customization Page Preview Sample Authentication Request Form Page Block Page Customization To customize the block page, click Customization and select Block Page from the pop-up menu: Page Preview Sample Block Page Page CHAPTER 3: NT AUTHENTICATION SETUP JOIN THE NT DOMAIN 8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE 101 CHAPTER 3: NT AUTHENTICATION S Fig. 3-1 Authentication Settings window Join the NT Domain Page Create an NT Domain Add an NT domain Refresh the NT branch View or modify NT domain details Domain Settings Page Default Rule Delete an NT domain Set up NT Domain Groups, Members Add NT groups, members to the tree Page Specify a groups filtering profile priority Page Manually add a users name to the tree Manually add a groups name to the tree Upload a file of filtering profiles to the tree Page Page Create and Maintain NT Profiles Add an NT group, member to the tree list Page Add or maintain an entitys profile Category Profile Redirect URL Filter Options Remove an entitys profile from the tree C UTHENTICATION 4: LDAP A HAPTER S Refresh the LDAP branch View, modify, enter LDAP domain details LDAP Server Type Click Next to go to the Group tab. Group Objects The Group tab is used for including or excluding group objects in the LDAP domain. Page User Objects Address Info Page Page Account Info SSL Settings Page Alias List Page Default Rule Page Default Rule for Novell eDirectory Configure a backup server Page Page Page Modify a backup servers configuration Delete a backup servers configuration Delete a domain Set up LDAP Domain Groups, Members Add LDAP groups, users to the tree Perform a basic search Options for search results Apply a filtering rule to a profile Delete a rule Specify a groups filtering profile priority Manually add a users name to the tree Manually add a groups name to the tree Upload a file of filtering profiles to the tree Page Page Create, Maintain LDAP Profiles Add an LDAP group, member to the tree Page Add or maintain an entitys profile Category Profile Redirect URL Filter Options Remove an entitys profile from the tree CHAPTER 5: AUTHENTICATION D Test Authentication Settings Page Test Web-based authentication settings Step 1: Create an IP Group, test Step 2: Create a Sub-Group, workstation Step 3: Set up test with a 32-bit net mask Step 4: Give workstation a 32-bit net mask Step 5: Block everything for the Sub-Group Step 6: Use Authentication Request Page for redirect URL Step 7: Disable filter options Step 8: Attempt to access Web content Page Test net use based authentication settings Activate Authentication on the Network Activate Web-based authentication for an IP Group Step 1: Create a new IP Group, webauth Step 2: Set webauth to cover users in range Step 3: Create an IP Sub-Group Page Step 4: Block everything for the Sub-Group Step 5: Use Authentication Request Page for redirect URL Step 6: Disable filter options Step 7: Set Global Group to filter unknown traffic Page Page Page Page Activate Web-based authentication for the Global Group Step 1: Exclude filtering critical equipment Step 1A: Block Web access, logging via Range to Detect Range to Detect Settings 4. Click Start the Setup Wizard to display Step 1 of the Range to Detect Setup Wizard: Range to Detect Setup Wizard Page Page Page Page Page Step 1B: Block Web access via IP Sub-Group profile CHAPTER 5: AUTHENTICATION DEPLOYMENT ACTIVATE AUTHENTICATION ON THE NETWORK 8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE 197 5. Click the Redirect URL tab to display the Redirect URL page: Fig. 5-32 Sub Group Profile window, Redirect URL tab 6. Select Default Block Page, and then click Apply. Page Step 2: Modify the Global Group Profile Page Page Page Activate NT authentication Step 1: Modify the 3-try login script Step 2: Modify the Global Group Profile Page CHAPTER 6: TECHNICAL SUPPORT Hours Contact Information Domestic (United States) International Office Locations and Phone Numbers 8e6 Corporate Headquarters (USA) 8e6 Taiwan 8e6 China Support Procedures APPENDIX A User/Group File Format and Rules Username Formats Rule Criteria Page File Format: Rules and Examples NT User List Format and Rules NT Group List Format and Rules LDAP User List Format and Rules Page LDAP Group List Format and Rules APPENDIX B Ports for Authentication System Access The following ports should be used for authentication system access: Type No. Function APPENDIX C LDAP Server Customizations OpenLDAP Server Scenario Not all users returned in User/Group Browser APPENDIX D Disable SMB Signing Requirements SMB Signing Compatibility Disable SMB Signing Requirements in Windows 2003 Page Page Page Page APPENDIX E Obtain or Export an SSL Certificate Export an Active Directory SSL Certificate Verify certificate authority has been installed Locate Certificates folder Page Page Export the master certificate for the domain Page Page Page Export a Novell SSL Certficate Obtain a Sun ONE SSL Certificate APPENDIX F Override Pop-up Blockers Yahoo! Toolbar Pop-up Blocker Page Google Toolbar Pop-up Blocker AdwareSafe Pop-up Blocker Temporarily disable pop-up blocking Mozilla Firefox Pop-up Blocker Windows XP SP2 Pop-up Blocker Set up pop-up blocking Use the Internet Options dialog box Use the IE toolbar Temporarily disable pop-up blocking Use the IE toolbar Use the Information Bar Set up the Information Bar Access your override account Page APPENDIX G Glossary Page Page Page Page Page Page Page I Numerics A B C D E F G H I J L M N O P R S T U V W