SGHT IAS Authentication With AD


8/9/2019 SGHT IAS Authentication With AD (1/13)

    StoneGate How-To

Using Microsoft Active Directory Server and IAS Authentication

    StoneGate Firewall/VPN 3.0.7 and Management Center 4.1


    Table of Contents

Basic Scenario (page 3)

Configuring a Windows 2003 Server for IAS Authentication (page 3)

Configuring Users in Active Directory (page 8)

Configuring an Active Directory Server Element in StoneGate (page 9)


Basic Scenario

This document describes a configuration that includes a Microsoft Active Directory with Internet Authentication Service (IAS) on a Windows 2003 server and Stonesoft's StoneGate Firewall/VPN. The configuration uses the Remote Authentication Dial-In User Service (RADIUS) protocol for authentication.

An external Active Directory server can be used for user authentication in StoneGate when IAS is installed on it, because IAS makes the directory's accounts available over the RADIUS protocol. In this example, the user and password information is stored in Active Directory and the users authenticate with their Windows passwords. When a user authenticates to the firewall, the StoneGate firewall sends a RADIUS request to the IAS on the Active Directory server, which checks the credentials against the directory. The same Active Directory information can be browsed over LDAP and used in security policies in the StoneGate Management Client.

    Note The configuration details needed in your environment may differ from the example.

    The following sections describe the steps needed for setting up IAS authentication with Microsoft Active Directory in

    StoneGate. There are three main steps:

    1. Configuring a Windows 2003 Server for IAS Authentication, on page 3.

    2. Configuring Users in Active Directory, on page 8.

    3. Configuring an Active Directory Server Element in StoneGate, on page 9.

    Start with Configuring a Windows 2003 Server for IAS Authentication.

Configuring a Windows 2003 Server for IAS Authentication

An Active Directory on a Windows 2003 server contains the users and their passwords that will be used with RADIUS to authenticate the users in StoneGate. To use IAS authentication, you must install and enable the Internet Authentication Service on the Windows 2003 server. Begin by Installing IAS on the Windows 2003 Server.

Installing IAS on the Windows 2003 Server

! To install IAS on a Windows 2003 server

    1. Open the Control Panel and double-click Add/Remove Programs.

    2. Click Add/Remove Windows Components. The Windows Components Wizard dialog opens.

    Illustration 1.1 Enabling Networking Services

3. Click Networking Services, and then click Details. The Networking Services dialog opens.


    Illustration 1.2 Networking Services Dialog

    4. Select Internet Authentication Service and click OK.

    5. Click Next.

6. If prompted, insert your Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition compact disc.

7. When the component installation has finished, click Finish, and then click Close.

The Internet Authentication Service is now installed on the Windows 2003 server and appears in the list of programs under Start > Programs > Administrative Tools. Proceed to Enabling the Windows 2003 Server to Read User Accounts in Active Directory.

Enabling the Windows 2003 Server to Read User Accounts in Active Directory

Once you have installed IAS, you must register the server in Active Directory so that IAS can read the user accounts and their dial-in properties. Registering adds the server's computer account to the RAS and IAS Servers domain group, which holds the permission to read users' remote access attributes.

    ! To enable the Windows 2003 server to read user accounts in Active Directory

1. Select Start > Programs > Administrative Tools > Internet Authentication Service. The Internet Authentication Service window opens.

    Illustration 1.3 Registering Server in Active Directory

    2. Right-click Internet Authentication Service and select Register Server in Active Directory from the menu.

    The Register Internet Authentication Service in Active Directory dialog opens.

    3. Click OK.

The Windows 2003 server is now registered. Proceed to Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server.


Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server

You must next define the StoneGate firewall as a RADIUS client for the Windows 2003 server. IAS only answers requests that arrive from a registered client address and uses that client's shared secret to decode and answer them, so every firewall node that sends authentication requests must be listed here.

    ! To add StoneGate Firewall as RADIUS Client for the Windows 2003 server

1. Select Start > Programs > Administrative Tools > Internet Authentication Service. The Internet Authentication Service window opens.

2. Right-click RADIUS Clients and select New RADIUS Client from the menu. The New RADIUS Client dialog opens.

    Illustration 1.4 New RADIUS Client Properties

3. Enter the name and IP address of the StoneGate firewall node and click Next. The IP address must be the address the node sends its RADIUS requests from, that is, its Authentication NDI (Node Dedicated IP) address.

4. As Additional Information, leave RADIUS Standard as the Client-Vendor and set a shared secret (see Illustration 1.5). Use a long, random secret: it is the only key that protects the users' PAP passwords in transit and that authenticates the IAS replies to the firewall.

Note You must use the same shared secret for the Active Directory Server element that you use in StoneGate. See Creating an Active Directory Server Element in StoneGate, on page 9.

    Illustration 1.5 New RADIUS Client - Additional Information

    5. Click Finish.

6. If you have a clustered firewall, repeat steps 2-5 for the other firewall nodes, each with its own name and Authentication NDI address.

    When you have added all the firewall nodes, they should be listed under RADIUS Clients in the Internet

    Authentication Service window.

Proceed to Adding a Remote Access Policy in the Windows 2003 Server to Authorize Requests from Firewall Node(s).


Adding a Remote Access Policy in the Windows 2003 Server to Authorize Requests from Firewall Node(s)

You must create a remote access policy to authorize requests from the firewall node(s) to the Windows 2003 server. The policy's conditions tie it to one firewall node, and its profile decides which authentication methods IAS accepts from that node.

    ! To add a remote access policy in the Windows 2003 server

1. Open Internet Authentication Service in the Start > Programs > Administrative Tools menu. The Internet Authentication Service window opens.

    2. Right-click Remote Access Policies and select New Remote Access Policy from the menu. The New Remote

    Access Policy Wizard opens.

    Illustration 1.6 New Remote Access Policy

    3. Click Next.

    4. As the Policy Configuration Method, select Set up a custom policy (see Illustration 1.7).

    5. Enter a name for the policy and click Next.

    Illustration 1.7 Selecting Policy Configuration Method

6. In Policy Conditions, click Add to add a Policy Condition. The Select Attribute dialog opens.

    7. Select Client-Friendly-Name and click Add.

    8. Enter a client-friendly name for the StoneGate firewall node and click OK.

Note The client-friendly name must be the same as the name you set for the firewall node in Adding StoneGate Firewall as RADIUS Client for the Windows 2003 Server, on page 5.

9. Click Add to add another Policy Condition. The Select Attribute dialog opens.

10. Select Client-IP-Address and click Add.

11. Enter the Authentication NDI (Node Dedicated IP) address of the StoneGate firewall node and click OK. See Illustration 1.8 for an example of Remote Access Policy conditions.

Note If you use a firewall cluster, you must define a Remote Access Policy separately for each node, because the Client-Friendly-Name and Client-IP-Address conditions identify a single node.


    Illustration 1.8 Adding Policy Conditions - Example

12. Click Next.

13. As Permissions, select Grant remote access permission and click Next.

Illustration 1.9 Remote Access Policy - Permissions

14. In the next dialog, click Edit Profile. The Edit Dial-in Profile dialog opens.

15. Switch to the Authentication tab.

16. Uncheck the MS-CHAP and CHAP options and check Unencrypted authentication (PAP, SPAP). With PAP the firewall forwards the user's password inside the RADIUS Access-Request; RADIUS hides it only with an MD5 keystream derived from the shared secret, so the secrecy of the password on the wire rests entirely on the shared secret and on the network path between the firewall and the IAS server.

    Illustration 1.10 Edit Dial-in Profile - Authentication Tab

17. Click OK.

18. Click Next and then Finish.

19. If you have a clustered firewall, repeat steps 2-18 to authorize access from all the firewall nodes.

The Windows 2003 server configuration for IAS authentication is now complete. Proceed to Configuring Users in Active Directory.


Configuring Users in Active Directory

The next step is to allow the users listed in Active Directory to authenticate with RADIUS.

    Allowing a User in Active Directory to Authenticate with RADIUS

    ! To allow a user in Active Directory to authenticate with RADIUS

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers on the Windows 2003 Server.

    2. Double-click the user who should be able to authenticate with RADIUS. The Properties dialog opens.

    3. Switch to the Dial-in tab.

    Illustration 1.11 User Properties - Dial-in Tab

    4. For Remote Access Permission (Dial-in or VPN), select Allow access.

5. Switch to the Account tab and make sure that Store password using reversible encryption is selected in the Account options.

Illustration 1.12 User Properties - Account Tab

Note If this option was not already selected in the user's Properties, you must set the user's password again after selecting the Store password using reversible encryption setting, because the reversible form is only written when the password is next set. Right-click the user and select Reset Password from the menu that opens.

Note The Store password using reversible encryption setting must also be enabled in the domain's Password Policy (the policy linked at the domain level, by default the Default Domain Policy). If this setting is not enabled there, the Store password using reversible encryption setting in the user's Account options will not have any effect.

Note Treat a reversibly encrypted password as a cleartext password: anyone who can read the directory database (for example from a domain controller backup, or with an account that is allowed to replicate the directory) can recover it directly. Enable the setting only for the accounts that authenticate through this path, give those accounts no more privileges than they need, and reset their passwords again if you later clear the setting.

    6. Click OK.


Configuring an Active Directory Server Element in StoneGate

The next step is to configure an Active Directory Server in StoneGate. Start by Creating an Active Directory Server Element in StoneGate.

Creating an Active Directory Server Element in StoneGate

The Active Directory Server element contains both the user directory (LDAP) settings and the authentication service (RADIUS) settings needed to use a Windows 2003 server for user authentication.

    ! To define an Active Directory Server element

    1. Click the Configuration button in the toolbar to switch to the Configuration view.

2. Right-click the Network Elements category in the tree view and select New > Active Directory Server from the menu that opens. The Active Directory Server Properties dialog opens.

    Illustration 1.13 Active Directory Server Properties - General Tab

3. Specify a unique Name and IP Address for the server.

4. In this example, leave the Location and Contact Addresses at their default values. You need to modify them only if there is a NAT device between a firewall and the Active Directory server, so that the firewall cannot connect directly to the Active Directory Server's IP address.

    5. Define the Timeout for how long StoneGate waits for the server to reply.

Continue by configuring the server's LDAP settings as instructed in Configuring the Active Directory Server's LDAP Settings.


Configuring the Active Directory Server's LDAP Settings

The LDAP settings include the bind credentials and other settings that StoneGate uses to connect to the Active Directory server. Make sure there are matching definitions on the Active Directory server.

! To configure LDAP user services

    1. Switch to the LDAP tab of the Active Directory Server Properties dialog.

    Illustration 1.14 Active Directory Server Properties - LDAP Tab

    2. Define the domain used as the base for Distinguished Names (DN) in the Base DN field as it is defined on

    the Active Directory server (e.g., dc=example, dc=com).

3. In the Bind User ID field, define the Distinguished Name of the account the StoneGate firewall uses when connecting to the Active Directory server (e.g., uid=admin, ou=Administrators); the DN must match an existing account in your directory. Use a dedicated account that has only read access to the user and group objects: the credential is stored in the StoneGate configuration and, with the default port setting below, is sent to the server over plain LDAP.

4. In the Bind Password field, enter the password of that account.

5. For Schema, leave the default value Standard.

6. Leave the UserID Attribute and Group Member Attribute at their default values.

7. Leave the default port (TCP port 389) as the Port Number. This is plain LDAP, so the bind credentials and the browsed directory data cross the network unencrypted; keep the path between the firewall, the Management Server and the directory inside a trusted network. Proceed to Configuring the Active Directory Server's Authentication Settings.

Configuring the Active Directory Server's Authentication Settings

You can use the Active Directory Server's Internet Authentication Service to authenticate the users. The protocol used is RADIUS.

    ! To configure the authentication settings

    1. In the Active Directory Server Properties dialog, switch to the Authentication tab.

    Illustration 1.15 Active Directory Server - Authentication Tab

2. Make sure that the Port Number is correct for your Active Directory Server's IAS. IAS listens for RADIUS authentication on UDP port 1812 (and on the legacy port 1645) by default.


    3. Type or paste the Shared Secret. It is used to authenticate the connection from StoneGate to the Windows

    2003 server.

    Note The shared secret must be the same as the one you entered for the firewall node(s) in Adding

    StoneGate Firewall as RADIUS Client for the Windows 2003 Server, on page 5.

4. Specify the Number of Retries. If StoneGate gets no reply from the Windows 2003 server within the Timeout set on the General tab, it resends the request the specified number of times before giving up on the authentication. A mismatched shared secret usually shows up exactly this way: the firewall discards the reply because its Response Authenticator does not verify, so the attempt times out through all retries, while the IAS event log shows a failed authentication because the password could not be decoded.

    5. Click OK.
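The shared secret rules in this section and the PAP setting chosen in step 16 of Adding a Remote Access Policy are easier to reason about with the RADIUS exchange in front of you. The following Python script is an added example, not code from this how-to or from Stonesoft or Microsoft: it builds the Access-Request the firewall node would send (User-Password hidden as RFC 2865 section 5.2 specifies), lets a toy IAS look the client up by its address, decode the PAP password, check it and answer with a Response Authenticator, and then has the firewall side verify that reply. The addresses, user name, password and secret are made up, and the toy server keeps passwords in cleartext, which is what reversible encryption amounts to.

```python
"""RADIUS PAP exchange between a NAS (the firewall node) and a RADIUS server (IAS), per RFC 2865.

Added illustration; names, addresses, secret and credentials are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def _attr(atype, value):
    """Encode one attribute: Type(1) Length(1, header included) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Decode the attribute list into (type, value) pairs, refusing truncated ones."""
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16n octets, c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password: the shared secret alone recovers the cleartext."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, req_auth=None):
    """What the firewall node sends; nas_ip is the node's source address (its Authentication NDI)."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def server_handle(request, clients, users):
    """Toy IAS: clients maps NAS address -> shared secret (the RADIUS Clients list), users maps name -> password."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(parse_attrs(request[20:length]))
    secret = clients.get(".".join(str(b) for b in attrs.get(NAS_IP_ADDRESS, b"")))
    if code != ACCESS_REQUEST or secret is None:
        return None  # unknown client: a RADIUS server silently discards the request
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = hmac.compare_digest(users.get(user, b"\x00"), given)  # cleartext store, as reversible encryption
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    rattrs = _attr(REPLY_MESSAGE, b"granted" if ok else b"bad credentials")
    return _packet(rcode, ident, response_authenticator(rcode, ident, req_auth, rattrs, secret), rattrs)


def client_verify(request, response, secret):
    """Firewall side: trust a reply only if its Response Authenticator was computed with our secret."""
    if response is None:
        return False
    code, rident, length = struct.unpack("!BBH", response[:4])
    if rident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, rident, request[4:20], response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Walk through the exchange; every value in the returned dict should be True."""
    secret, wrong = b"rkL7v2Q8pZ4mN1wE", b"guess"
    clients = {"10.0.0.1": secret}  # one RADIUS client per firewall node, keyed by its NDI address (made up)
    users = {"alice": b"Winter2007!"}
    req = build_access_request(7, secret, "alice", "Winter2007!", "10.0.0.1")
    resp = server_handle(req, clients, users)
    forged = _packet(ACCESS_ACCEPT, 7, b"\x00" * 16, _attr(REPLY_MESSAGE, b"granted"))
    hidden = dict(parse_attrs(req[20:]))[USER_PASSWORD]
    return {
        "accepted": resp[0] == ACCESS_ACCEPT,
        "reply_verifies": client_verify(req, resp, secret),
        "reply_fails_with_other_secret": not client_verify(req, resp, wrong),
        "forged_accept_rejected": not client_verify(req, forged, secret),
        "secret_holder_reads_password": reveal_password(hidden, secret, req[4:20]) == b"Winter2007!",
        "unknown_client_dropped": server_handle(build_access_request(8, secret, "alice", "Winter2007!", "10.0.0.9"), clients, users) is None,
        "bad_password_rejected": server_handle(build_access_request(9, secret, "alice", "nope", "10.0.0.1"), clients, users)[0] == ACCESS_REJECT,
    }


if __name__ == "__main__":
    for name, held in demo().items():
        print(name, held)
```

Running demo() shows the two points the notes in this how-to make: a reply computed with a different secret, or forged without one, fails the firewall's check, and anyone holding the secret (or reading a directory that stores reversible passwords) recovers the cleartext password. RFC 2865 gives the Access-Request itself no integrity check; a client that also adds the Message-Authenticator attribute of RFC 2869 lets the server detect a wrong secret instead of just rejecting the garbled password.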

    Proceed to Defining Domains.

Defining Domains

Each Active Directory Server has its own domain in StoneGate. One domain can be selected as the default domain. Users who belong to the default domain need not specify the domain (for example: username@domain) when they are authenticating.

    ! To define a new domain

    1. Click the Configuration button in the toolbar to switch to the Configuration view.

2. Right-click Firewall Configuration in the left panel and select New > Domain from the menu that opens. The Domain Properties dialog opens.

    Illustration 1.16 Domain Properties - General Tab

    3. Enter the Name for the new domain.

    If the domain you are creating is not to be the default domain, users must type in the domain name when

    they authenticate.

    4. Select the checkbox Default Domain, if this domain will be used for all or most authentications.

    Naturally, only one domain can be the default domain, so the selection is automatically cleared from the

    previous domain when you select the option for some different domain.

    5. The defined Active Directory Servers that have no domain yet are shown on the left. Select the correct server

    and click Add to bind the server to the domain.

    6. Switch to the Default Authentication tab to select the authentication service.

    7. Click Select. A list of authentication services opens.

    8. Select IAS authentication and click Select.

    Illustration 1.17 Domain Properties - Default Authentication Tab

    9. Click OK.


    You have now completed all of the steps required in StoneGate for setting up the Windows 2003 server as an Active

    Directory Server. You can now browse the users listed in the Active Directory with the Management Client. Go to

    Users and then to the new domain you just created to browse the list of users (see Illustration 1.18).

    Illustration 1.18 Browsing Users

    Proceed to Modifying Firewall Policy to Allow IAS Authentication Connections to allow the connections needed for IAS

    authentication.

Modifying Firewall Policy to Allow IAS Authentication Connections

If the Active Directory server is located in a different network than the Management Server, make sure that the servers are able to communicate using the LDAP protocol (TCP port 389 by default). This makes it possible to browse the user information from the Active Directory server.

    To use IAS authentication for mobile VPN users, the Firewall Policy must contain an Access Rule for mobile VPN

    traffic with the proper user and authentication parameters (see Illustration 1.19).

    Illustration 1.19 Example of Access Rules Allowing Use of Active Directory

    Note The firewall allows its own RADIUS connections to the Active Directory server by default. If the rules

    inherited from the default template are included in the policy, it is not necessary to add a rule for the RADIUS

    connections.

Tip: The Windows Event Viewer shows an event for each authentication attempt. The event is visible in the System log under Event Viewer with IAS as the source, and it states whether the request was granted or rejected and for what reason. This provides useful information for troubleshooting. Select Start > Programs > Administrative Tools > Event Viewer to open the Event Viewer.

The IAS authentication configuration in StoneGate is now complete. For information on configuring VPNs, see the StoneGate Administrator's Guide.
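The Event Viewer entries mentioned in the tip are one place to read a failed attempt; IAS can also write the same attempts to its log files through Remote Access Logging. The following Python script is an added example, not part of this how-to or of any Stonesoft or Microsoft tool: it parses records in the IAS log format (comma-separated, six fixed fields followed by attribute-ID/value pairs), keeps the Access-Reject records, maps each reason code to the step of this how-to that usually explains it, and counts credential failures per user to spot password guessing against the firewall. The log lines are constructed for the example, and the attribute IDs and reason-code meanings are taken from the IAS/NPS log documentation as remembered here; treat them as assumptions and check them against the events on your own server.

```python
"""Triage Access-Reject records from IAS-format log files against the steps of this how-to.

Added illustration. The record layout, attribute IDs and reason codes are assumptions drawn
from the IAS/NPS log documentation; the sample lines are constructed, not captured."""
import csv

# IAS-format record: NAS-IP, User-Name, Date, Time, Service-Name, Computer-Name, then ID,value pairs.
CLIENT_FRIENDLY_NAME, AUTH_TYPE, PACKET_TYPE, REASON_CODE = 4128, 4127, 4136, 4142
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
AUTH_PAP = 1

# Reason code -> the configuration step in this document that usually explains it (assumed codes).
HINTS = {
    16: "credentials mismatch: user name or password wrong; check that the password was reset "
        "after enabling reversible encryption (Configuring Users in Active Directory)",
    48: "no remote access policy matched: check the Client-Friendly-Name and Client-IP-Address "
        "conditions for this firewall node (Adding a Remote Access Policy)",
    65: "dial-in permission denied: set Remote Access Permission to Allow access on the Dial-in tab",
    66: "authentication type not allowed by the policy: enable Unencrypted authentication (PAP, SPAP) "
        "in the policy profile (step 16)",
}

# Constructed sample: one granted logon, rejects with several causes, and repeated failures for one user.
SAMPLE_LOG = """\
10.0.0.1,alice,08/09/2019,10:01:12,IAS,DC01,4,10.0.0.1,4128,fw-node1,4127,1,4136,1
10.0.0.1,alice,08/09/2019,10:01:12,IAS,DC01,4,10.0.0.1,4128,fw-node1,4127,1,4136,2,4142,0
10.0.0.2,bob,08/09/2019,10:02:30,IAS,DC01,4,10.0.0.2,4128,fw-node2,4127,1,4136,3,4142,66
10.0.0.1,carol,08/09/2019,10:03:05,IAS,DC01,4,10.0.0.1,4128,fw-node1,4127,1,4136,3,4142,65
10.0.0.3,alice,08/09/2019,10:04:00,IAS,DC01,4,10.0.0.3,4128,fw-node3,4127,1,4136,3,4142,48
10.0.0.1,dave,08/09/2019,10:05:00,IAS,DC01,4,10.0.0.1,4128,fw-node1,4127,1,4136,3,4142,16
10.0.0.1,dave,08/09/2019,10:05:04,IAS,DC01,4,10.0.0.1,4128,fw-node1,4127,1,4136,3,4142,16
10.0.0.1,dave,08/09/2019,10:05:09,IAS,DC01,4,10.0.0.1,4128,fw-node1,4127,1,4136,3,4142,16
"""


def parse_record(line):
    """Split one record into its fixed fields and an {attribute_id: value} map."""
    fields = next(csv.reader([line]))
    if len(fields) < 6 or len(fields[6:]) % 2:
        raise ValueError("not an IAS-format record: %r" % line)
    pairs = fields[6:]
    attrs = {int(pairs[i]): pairs[i + 1] for i in range(0, len(pairs), 2)}
    return {"nas_ip": fields[0], "user": fields[1], "date": fields[2],
            "time": fields[3], "attrs": attrs}


def triage(log_text):
    """Return the rejects with a hint each, plus reject counts per firewall node and per user."""
    findings, by_client, by_user = [], {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        attrs = rec["attrs"]
        if int(attrs.get(PACKET_TYPE, 0)) != ACCESS_REJECT:
            continue
        reason = int(attrs.get(REASON_CODE, -1))
        client = attrs.get(CLIENT_FRIENDLY_NAME, rec["nas_ip"])
        findings.append({
            "when": rec["date"] + " " + rec["time"], "user": rec["user"], "client": client,
            "pap": attrs.get(AUTH_TYPE) == str(AUTH_PAP), "reason": reason,
            "hint": HINTS.get(reason, "reason code not covered by this how-to; read the IAS event text"),
        })
        by_client[client] = by_client.get(client, 0) + 1
        by_user[rec["user"]] = by_user.get(rec["user"], 0) + 1
    return {"findings": findings, "by_client": by_client, "by_user": by_user}


def suspicious_users(result, threshold=3):
    """Users with at least `threshold` credential-mismatch rejects: candidates for password guessing."""
    counts = {}
    for f in result["findings"]:
        if f["reason"] == 16:
            counts[f["user"]] = counts.get(f["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print("%s %-6s via %-8s reason %2d: %s" % (f["when"], f["user"], f["client"], f["reason"], f["hint"]))
    print("rejects per node:", result["by_client"])
    print("possible password guessing:", suspicious_users(result))
```

The per-node counts are worth watching separately: a node whose every request is rejected with reason 48 after a cluster change usually means its remote access policy conditions no longer match its name or Authentication NDI address, while reason 16 piling up on one account from one node is the pattern to raise with whoever owns that account.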


    Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

    Copyright and Disclaimer

Copyright 2000-2007 Stonesoft Corporation. All rights reserved.

These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION CONTAINED IN THESE MATERIALS.

IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

    Revision: SGHT_20070905

    Stonesoft Corp.

Itälahdenkatu 22a

    FIN-00210 Helsinki

    Finland

    tel. +358 9 4767 11

    fax +358 9 4767 1234

    Stonesoft Inc.

    1050 Crown Pointe Parkway

    Suite 900

    Atlanta, GA 30338 USA

    tel. +1 770 668 1125

fax +1 770 668 1131

http://www.stonesoft.com/