Manuals / 8e6 Technologies / Computer Equipment / Network Card

8e6 Technologies R3000 manual Tier 2 implementation in an environment

Models: R3000

1 277

Download 277 pages 42.82 Kb

Page 49

CHAPTER 1: INTRODUCTION AUTHENTICATION OPERATIONS

Tier 2 implementation in an environment

In an environment where Tier 2 time-based profiles have been implemented, end users receive filtering profiles after correctly entering their credentials into a Web-based Authentication Request Form. A profile remains active for a configurable amount of time even if the user logs out of the workstation, changes IP addresses, etc.

Tier 2 time-based profiles do not call for the R3000 to main- tain a connection with the client machine, so the R3000 cannot detect when the user logs off of a workstation. In order to remove the end user’s profile, one of two scripts detailed in this sub-section should be inserted into the network’s login and/or logoff script.

The Tier 2 Script should be used if Tier 2 is the only tier implemented in an environment. The Tier 1 and Tier 2 Script should be used if Tier 2 is implemented along with Tier 1 in an environment. Since both sets of scripts use the NET USE command, the client machine must already have the ability to connect to the R3000 via NET USE in order for the profile to be removed in either environment.

8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE

37

Image 49

8e6 Technologies R3000 manual Tier 2 implementation in an environment

Contents

Guide Page Iii R3000 Enterprise Filter Authentication User GuidePage Contents Tier 2 Time-based, Web Authentication Environment Requirements Set up the Network for AuthenticationJoin the NT Domain 101 Set up NT Domain Groups, Members 109103 Create and Maintain NT Profiles 118146 Test Authentication Settings 162155 Hours 206 Contact Information 174208 Disable SMB Signing Requirements 220 Ports for Authentication System Access 218209 Ldap Server Customizations 219Glossary 247 NdexAbout this User Guide IntroductionConventions How to Use this User GuideTerminology Introduction HOW to USE this User Guide Introduction HOW to USE this User Guide Introduction HOW to USE this User Guide Introduction HOW to USE this User Guide Group Types Filtering ElementsGlobal Group Global Group IP groups NT domain groups Ldap domain groupsIP Groups IP diagram with a sample master IP group and its membersNT Domain Groups NT domain diagram, with sample groups and membersLdap Domain Groups Ldap domain diagram, with sample groups and membersFiltering Profile Types Authentication filtering profilesGlobal Group IP group Master GroupMaster IP Group Filtering Profile Static Filtering ProfilesIP Sub-Group Filtering Profile Individual IP Member Filtering ProfileGlobal Filtering Profile Active Filtering ProfilesNT/LDAP Group Filtering Profile NT/LDAP Member Filtering ProfileTime Profile Override Account ProfileLock Profile Filtering Profile Components 8e6 Supplied Categories Library CategoriesCustom Categories Rules Service PortsMinimum Filtering Level Filter Settings Filtering Levels Applied Filtering RulesIntroduction Filtering Elements Sample filtering hierarchy diagram R3000 Authentication Protocols Authentication OperationsR3000 Authentication Tiers Introduction Authentication Operations Net use based authentication process Tier 1 Single Sign-On AuthenticationRe-authentication process SMB protocol Authentication methodsLdap protocol Name resolution methods Server setup types Authentication setup proceduresConfiguring the authentication server Enter net use syntax in the login script Login scriptsWindows 2000 or Windows 2003 Server View login script on the server console\\SERVERNAME\netlogon \\IPaddress\netlogon Block page authentication login scriptsLdap server setup rules Web-based authentication module diagram Tier 2 Time-based, Web AuthenticationTier 2 implementation in an environment Tier 2 Script Tier 1 and Tier 2 Script Introduction Authentication Operations Tier 3 Session-based, Web Authentication Environment requirements 8e6 AuthenticatorMinimum system requirements Recommended system requirements Workstation requirementsWork flow in a Windows environment 8e6 Authenticator configuration priority WAABwCw 8e6 Authenticator configuration syntaxWDDEwCw Table of parameters Param Parameter Values Dbg Release Meaning DefaultIntroduction Authentication Operations RV102.108.1.0-102.108.1.2551.1.1.12.2.2.2,102.108.2.0 Novell eDirectory servers Novell eDirectory AgentClient workstations Novell eDirectory setupNovell clients R3000 setup and event logs KEY Authentication Solution CompatibilityConfiguration procedures Configuring the R3000 for AuthenticationSystem section Introduction Authentication Operations If using the router or firewall mode Enter eth0 Ethernet Create unique filtering profiles for individual users Group sectionEnvironment Requirements AdministratorWorkstation Requirements End UserNetwork Requirements Specify the operation mode Set up the Network for AuthenticationNetwork Setup SET UP the Network for Authentication Specify the subnet mask, IP addresses LAN Settings windowRouter or firewall mode Invisible modeEnable/Disable Authentication window Enable authentication, specify criteriaNetwork Setup SET UP the Network for Authentication Net use based authentication Web-based authentication Java applet Tier 3 dialog box Authentication Settings window Enter network settings for authenticationNIC Device to Use for Authentication field Create an SSL certificate Authentication SSL Certificate windowDownload/View/Delete Certificate tab Create, Download a Self-Signed CertificateCreate a Third Party Certificate Create, Upload a Third Party Certificate10 Create CSR pop-up window Enter your Email Address11 Upload Signed SSL Certificate box Upload a Third Party Certificate12 Download CSR pop-up window Download a Third Party Certificate13 View Log File window View log resultsNetwork Setup SET UP the Network for Authentication Click View to display results in the Result pop-up window 15 Block Page Authentication window Specify block page settingsClick Apply to apply your settings Block Page Authentication16 Block BlockUser/Machine frame Optional Links Back and Help links OptionsOption 19 Re-authentication option Option 20 Common Customization window Common CustomizationEnable, Disable Features TIP Click Restore Default to revert to the default settings 21 Authentication Form Customization window Authentication Form CustomizationNetwork Setup SET UP the Network for Authentication 22 Sample Customized Authentication Request Form Preview Sample Authentication Request FormNetwork Setup SET UP the Network for Authentication 23 Block Page Customization window Block Page CustomizationNetwork Setup SET UP the Network for Authentication 24 Sample Customized Block Preview Sample Block100 Join the NT Domain Authentication Settings window102 Add an NT domain Create an NT Domain104 Refresh the NT branchView or modify NT domain details Domain Settings106 NT Domain Details window, Default Rule tab Default Rule108 Delete an NT domainAdd NT groups, members to the tree Set up NT Domain Groups, Members110 Set Group Priority window Specify a group’s filtering profile priority112 Manually Add Member box Manually add a user’s name to the tree114 Manually add a group’s name to the treeUpload User/Group Profile window Upload a file of filtering profiles to the tree116 10 Upload Member Profile File window117 Add an NT group, member to the tree list Create and Maintain NT Profiles118 Click Add 120 Add or maintain an entity’s profileCategory Profile 122 Redirect URL14 Group Profile window, Filter Options tab Filter Options124 Remove an entity’s profile from the treeAdd the Ldap domain Create an Ldap DomainView, modify, enter Ldap domain details Refresh the Ldap branch126 Ldap Server Type 128 Group ObjectsClick Next to go to the User tab 130 User ObjectsLdap domain address information populates the Address tab Address Info132 Click Next to go to the Account tab 134 Account InfoDomain Details window, SSL tab SSL Settings136 Upload SSL Certificate for LdapsDomain Details window, Alias List tab Alias List138 11 Domain Details window, Default Rule tab 140 Configure a backup server Default Rule for Novell eDirectory142 13 Backup Server Configuration, Address InfoTIP The entry in this field is case sensitive 144 15 Backup Server Configuration, SSL SettingsDelete a domain Modify a backup server’s configurationAdd Ldap groups, users to the tree Set up Ldap Domain Groups, Members146 Options for search results Perform a basic searchUnmark All Apply a filtering rule to a profile148 17 Set Group Priority window Delete a rule150 18 Manually Add Member box19 Manually Add Group box 152 20 Upload User/Group Profile window21 Upload Member Profile File window 154 Add an Ldap group, member to the tree Create, Maintain Ldap Profiles156 23 Group Profile window, Category tab 158 24 Group Profile window, Redirect URL tab 160 25 Group Profile window, Filter Options tab161 162 Test Authentication Settings163 Create an IP Group, test Test Web-based authentication settings164 Create Sub Group box Create a Sub-Group, workstation166 Set up test with a 32-bit net maskSub Group Members window Give workstation a 32-bit net mask168 Block everything for the Sub-GroupSelect Authentication Request Form Click Apply Use Authentication Request Page for redirect URL170 Disable filter optionsInternet Explorer browser Attempt to access Web content172 Username PasswordTest net use based authentication settings 174 Activate Authentication on the NetworkCreate a new IP Group, webauth Activate Web-based authentication for an IP Group176 Set webauth to cover users in range13 Create Sub Group box Create an IP Sub-Group178 14 Sub Group Members window15 Sub Group Profile window, Category tab 180 16 Sub Group Profile window, Redirect URL tab17 Sub Group Profile window, Filter Options tab 182 Set Global Group to filter unknown traffic19 Global Group Profile window, Port tab 184 Select Default Block Page. b. Click ApplySelect filter options to be enabled. b. Click Apply 186 22 Default BlockExclude filtering critical equipment Activate Web-based authentication for the Global GroupRange to Detect Settings Block Web access, logging via Range to Detect188 24 Range to Detect Settings window, main window 190 Range to Detect Setup Wizard26 Range to Detect Setup Wizard, Step 192 27 Range to Detect Setup Wizard, Step28 Range to Detect Setup Wizard, Step 194 29 Range to Detect Setup Wizard, StepBypass B and go on to to complete this process 196 Block Web access via IP Sub-Group profileSelect Default Block Page, and then click Apply 198 33 Sub Group Profile window, Filter Options tab34 Global Group Profile window, Category tab Modify the Global Group Profile200 35 Global Group Profile window, Port tab36 Global Group Profile window, Redirect URL tab 202 37 Global Group Profile window, Filter Options tabModify the 3-try login script Activate NT authentication204 205 Contact Information HoursDomestic United States International8e6 Corporate Headquarters USA Office Locations and Phone Numbers8e6 Taiwan 8e6 China208 Support ProceduresUsername Formats User/Group File Format and RulesFilter Mode Values Port command codesCategory command codes Rule CriteriaCategory Codes Filter Option codes 212 File Format Rules and ExamplesNT User List Format and Rules 214 NT Group List Format and RulesLdap User List Format and Rules When translated, these strings of code mean216 CN=Sales, CN=Users, DC=qc, DC=local Rule1 Ldap Group List Format and RulesType Function Ports for Authentication System Access218 OpenLDAP Server Scenario Ldap Server CustomizationsNot all users returned in User/Group Browser Server Signing Mode Not Defined Enabled Disabled Disable SMB Signing RequirementsSMB Signing Compatibility R3000 AuthFig. D-1 Go to Active Directory Users and Computers Disable SMB Signing Requirements in Windows222 Fig. D-3 Domain Controllers PropertiesFig. D-4 Group Policy Object Editor window 224 Fig. D-7 Group Policy Object Editor window, Local PoliciesFig. D-9 Define this policy setting Obtain or Export an SSL Certificate Verify certificate authority has been installedExport an Active Directory SSL Certificate 226Click OK to open the Console window Locate Certificates folder228 Fig. E-4 Add/Remove Snap-inFig. E-6 Certificates snap-in dialog box 230 Export the master certificate for the domainThis action launches the Certificate Export Wizard 232 Fig. E-12 Export File FormatFig. E-14 Settings 234 Export a Novell SSL CertficateFig. E-17 Export a Certificate pop-up window Obtain a Sun ONE SSL Certificate236 Override Pop-up BlockersYahoo! Toolbar Pop-up Blocker If pop-up blocking is enabledAdd override account to the white list 238 Fig. F-3 Allow pop-ups from sourceGoogle Toolbar Pop-up Blocker Fig. F-4 # blocked icon enabledAdwareSafe Pop-up Blocker Temporarily disable pop-up blocking240 Fig. F-6 Mozilla Firefox Popup Windows Preferences Mozilla Firefox Pop-up BlockerWindows XP SP2 Pop-up Blocker Set up pop-up blockingUse the Internet Options dialog box 242Use the IE toolbar Fig. F-8 Toolbar setup244 Fig. F-9 Pop-up Blocker SettingsUse the Information Bar Set up the Information Bar246 Fig. F-11 Information Bar menu optionsGlossary 248 249 250 251 252 253 254 Numerics Index256 257 258 Https IanaLdap 260 NAT261 262 SMB/NT 264 265