NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

Authenticating Users

3-7

v1.1, November 2006

name=”Administrator”

memberOf=”CN=Terminal Server Computers,CN=Users,DC=netgear,

DC=net”objectClass=”user”

msNPAllowDialin=”FALSE”

LDAP Attribute Rules

•

If multiple attributes are defined for a group,

all

attributes must be met by LDAP users.

•

If no attributes are defined, then any user authorized by the LDAP server can be a member of

the group.

•

If multiple groups are defined and a user meets all the LDAP attributes for two groups, then

the user will be considered part of the group with the most LDAP attributes defined. If the

matching LDAP groups have an equal number of attributes, then the user will be considered a

member of the group based on the alphabetical order of the groups.

•

If an LDAP user fails to meet the LDAP attributes for all LDAP groups configured on the SSL

VPN Concentrator, then the user will not be able to log into the portal. So the LDAP attributes

feature not only allows the administrator to create individual rules based on the LDAP group

or organization, it also allows the administrator to only allow certain LDAP users to log into

the portal.

Sample LDAP Users and Attributes Settings

If you manually add a user to an LDAP group, then the user setting will take precedence over

LDAP attributes.

For example:

An LDAP attribute

objectClass=”Person”

is defined for group Group1 and an LDAP

attribute

memberOf=”CN=WINS Users,DC=netgear,DC=net”

is defined for Group2.

•

If user Jane is defined by an LDAP server as a member of the Person object class, but is

not

a

member of the WINS Users group, Jane will be a member of the SSL VPN Concentrator

Group1.

•

But if the administrator manually adds the user Jane to the SSL VPN Concentrator Group2,

then the LDAP attributes will be ignored and Jane will be a member of Group2.

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

3-8

Authenticating Users

v1.1, November 2006

Querying an LDAP Server

To query your LDAP or Active Directory server to find out the LDAP attributes of your users, you

can use several different methods. From a machine with LDAPsearch tools (for example a Linux

machine with OpenLDAP installed) run the following command:

ldapsearch -h 10.0.0.5 -x -D

“cn=demo,cn=users,dc=netgear,dc=net” -w demo123 -b

“dc=netgear,dc=net” > /tmp/file

Where:

•

10.0.0.5

is the IP address of the LDAP or Active Directory server

•

“cn=demo,cn=users,dc=netgear,dc=net”

is the distinguished name of an LDAP

user

•

demo123

is the password for the user

demo

•

“dc=netgear,dc=net”

is the base domain that you are querying

•

> /tmp/file

is optional and defines the file where the LDAP query results will be saved.

For further information on querying an LDAP server from a Window server, please see:

776a-4bbc-99a6-d8c19f36ded4.mspx

Configuring for LDAP Authentication

To configure LDAP authentication, click Add Domain. An Add Domain window displays. In the

Add Domain window:

1.

From the Authentication Type menu, select LDAP. The Add Domain Window displays the

fields for a domain with LDAP authentication:

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

Authenticating Users

3-9

v1.1, November 2006

:

2.

In the Domain Name field, enter a descriptive name for the authentication domain. This is the

domain name users will select in order to log into the SSL VPN portal. It can be the same

value as the Server Address field.

3.

In the Server Address field, enter the IP address or domain name of the server.

4.

In the LDAP BaseDN field, enter the search base for LDAP queries. An example of a search

base string is:

CN=Users,DC=yourdomain,DC=com

5.

From the Portal Layout Name drop-down menu, select the name of the layout. The default

layout is SSL-VPN. You can define additional layouts in the Portal Layouts page.

Figure 3-5

Note:

Do not include quotes (

“ ”

) in the LDAP BaseDN field.

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

3-10

Authenticating Users

v1.1, November 2006

6.

To force users to supply a valid digital certificate before granting access, check the Require

client digital certificates radio box. The CNAME of the client certificate must match the user

name that the user supplies to log in and the certificate must be generated by a certificate

authority (CA) that is trusted by SSL VPN Concentrator.

7.

Click Apply to update the configuration. Once the domain has been added, the domain

displays in the table on the Domains screen.

Active Directory Authentication

Active Directory authentication servers support a group and user structure that can be queried

when an Active Directory user logs in. This means that you can create policies and bookmarks for

Active Directory users at the group level, without needing to define Active Directory users in the

SSL VPN Concentrator. When a user logs in, if no corresponding user name is configured in the

the local database, then SSL VPN Concentrator will query the Active Directory server for the list

of groups that the user belongs to. If any of the same groups are defined in the SSL VPN

Concentrator, then policies and bookmarks for the first Windows Active Directory group that

matches a group configured in the SSL VPN Concentrator will be applied to the user.

Once you create an Active Directory domain, you can add groups that correspond with groups on

your Active Directory server. If the Active Directory user is configured in the SSL VPN

Concentrator, then the SSL VPN Concentrator will ignore the group information provided by the

Active Directory and, instead, implement policies and bookmarks based on the user settings and

the settings of the group to which the user belongs.

Configuring for Windows Active Directory Authentication

To configure Windows Active Directory authentication:

1.

Click Add Domain. An Add Domain window displays.

Note:

Because other authentication services do not have the same hierarchal structure and

group definitions as Active Directory, if you want to apply specific policies or

bookmarks to a group of RADIUS, NT, or LDAP users, you must add each user on

the

Users and Groups

screen.

Note:

Of all types of authentication, Active Directory authentication is the most error

prone. If you are unable to authenticate using Active Directory, please read the

troubleshooting procedure at the end of this section.

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

Authenticating Users

3-11

v1.1, November 2006

2.

From the Authentication Type menu, select Active Directory. Fields for Active Directory

configuration display:

3.

In the Domain Name field, enter a descriptive name for the authentication domain. This is the

domain name users will select in order to log into the SSL VPN portal. It can be the same

value as the Server Address field or the Active Directory Domain field depending on your

network configuration.

4.

In the Server Address field, enter the IP address or host and domain name of the Active

Directory server.

5.

In the Active Directory Domain field, enter the Active Directory domain name.

6.

From the Portal Layout Name menu, select the name of the layout. The default layout is SSL-

VPN. You can define additional layouts in the Portal Layouts page.

7.

To force users to supply a valid digital certificate before granting access, check the Require

client digital certificates radio box. The CNAME of the client certificate must match the user

name that the user supplies to log in and the certificate must be generated by a certificate

authority (CA) that is trusted by the SSL VPN Concentrator.

Figure 3-6