NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
Authenticating Users
3-7
v1.1, November 2006
name="Administrator"
memberOf="CN=Terminal Server Computers,CN=Users,DC=netgear,DC=net"
objectClass="user"
msNPAllowDialin="FALSE"
LDAP Attribute Rules
If multiple attributes are defined for a group, all attributes must be met by LDAP users.
If no attributes are defined, then any user authorized by the LDAP server can be a member of
the group.
If multiple groups are defined and a user meets all the LDAP attributes for two groups, then
the user will be considered part of the group with the most LDAP attributes defined. If the
matching LDAP groups have an equal number of attributes, then the user will be considered a
member of the group based on the alphabetical order of the groups.
If an LDAP user fails to meet the LDAP attributes for all LDAP groups configured on the SSL
VPN Concentrator, then the user will not be able to log into the portal. So the LDAP attributes
feature not only allows the administrator to create individual rules based on the LDAP group
or organization, it also allows the administrator to only allow certain LDAP users to log into
the portal.
Sample LDAP Users and Attributes Settings
If you manually add a user to an LDAP group, then the user setting will take precedence over
LDAP attributes.
For example:
An LDAP attribute objectClass="Person" is defined for group Group1 and an LDAP attribute
memberOf="CN=WINS Users,DC=netgear,DC=net" is defined for Group2.
If user Jane is defined by an LDAP server as a member of the Person object class, but is not a
member of the WINS Users group, Jane will be a member of the SSL VPN Concentrator Group1.
But if the administrator manually adds the user Jane to the SSL VPN Concentrator Group2,
then the LDAP attributes will be ignored and Jane will be a member of Group2.
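The group selection rules above, applied to the Jane example, as an added Python model (not NETGEAR's code): the user attributes, the group definitions and the reading of "alphabetical order" as "the first group name wins" are assumptions made here.

```python
# Added example: models the SSL VPN Concentrator's LDAP group selection rules
# as stated in the manual. Not NETGEAR's code; users, groups and the reading
# of "alphabetical order" as "first name wins" are assumptions made here.

# Constructed LDAP results: attribute name -> set of values (memberOf and
# objectClass are normally multi-valued on a directory entry).
LDAP_USERS = {
    "jane": {"objectClass": {"top", "Person", "user"},
             "memberOf": {"CN=Domain Users,CN=Users,DC=netgear,DC=net"}},
    "bob": {"objectClass": {"top", "Person", "user"},
            "memberOf": {"CN=WINS Users,DC=netgear,DC=net"}},
    "svc": {"objectClass": {"top", "computer"}},
}

# Constructed SSL VPN groups: attribute name -> the single value it must hold.
VPN_GROUPS = {
    "Group1": {"objectClass": "Person"},
    "Group2": {"memberOf": "CN=WINS Users,DC=netgear,DC=net"},
    "Group3": {"objectClass": "Person",
               "memberOf": "CN=WINS Users,DC=netgear,DC=net"},
}


def meets_all(attrs, rules):
    """A group matches only if every configured attribute is present with
    the required value; a group with no rules matches any LDAP user."""
    return all(value in attrs.get(name, set()) for name, value in rules.items())


def select_group(attrs, groups, manual_group=None):
    """Return the group the user lands in, or None when no group matches
    (the manual says such a user cannot log into the portal)."""
    if manual_group is not None:
        # A user added to a group by hand overrides the LDAP attributes.
        return manual_group
    matched = [name for name, rules in groups.items() if meets_all(attrs, rules)]
    if not matched:
        return None
    # Most attributes wins; equal counts fall back to alphabetical order.
    return min(matched, key=lambda name: (-len(groups[name]), name))


if __name__ == "__main__":
    for user, attrs in LDAP_USERS.items():
        print(user, "->", select_group(attrs, VPN_GROUPS))
    print("jane (manually added) ->",
          select_group(LDAP_USERS["jane"], VPN_GROUPS, "Group2"))
```

Running it shows jane landing in Group1, bob in Group3 (two attributes beat one), svc denied, and a manually added jane in Group2 regardless of her attributes.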
Querying an LDAP Server
To query your LDAP or Active Directory server to find out the LDAP attributes of your users, you
can use several different methods. From a machine with LDAPsearch tools (for example a Linux
machine with OpenLDAP installed) run the following command:
ldapsearch -h 10.0.0.5 -x -D "cn=demo,cn=users,dc=netgear,dc=net" -w demo123 -b "dc=netgear,dc=net" > /tmp/file
Where:
10.0.0.5 is the IP address of the LDAP or Active Directory server
"cn=demo,cn=users,dc=netgear,dc=net" is the distinguished name of an LDAP user
demo123 is the password for the user demo
"dc=netgear,dc=net" is the base domain that you are querying
> /tmp/file is optional and defines the file where the LDAP query results will be saved.
Note: -w passes the password on the command line, where shell history and process listings can
expose it; OpenLDAP's ldapsearch accepts -W to prompt for the password instead.
For further information on querying an LDAP server from a Windows server, please see:
776a-4bbc-99a6-d8c19f36ded4.mspx
Configuring for LDAP Authentication
To configure LDAP authentication, click Add Domain. An Add Domain window displays. In the
Add Domain window:
1. From the Authentication Type menu, select LDAP. The Add Domain window displays the
fields for a domain with LDAP authentication.
2. In the Domain Name field, enter a descriptive name for the authentication domain. This is the
domain name users will select in order to log into the SSL VPN portal. It can be the same
value as the Server Address field.
3. In the Server Address field, enter the IP address or domain name of the server.
4. In the LDAP BaseDN field, enter the search base for LDAP queries. An example of a search
base string is:
CN=Users,DC=yourdomain,DC=com
5. From the Portal Layout Name drop-down menu, select the name of the layout. The default
layout is SSL-VPN. You can define additional layouts in the Portal Layouts page.
Figure 3-5
Note: Do not include quotes (" ") in the LDAP BaseDN field.
6. To force users to supply a valid digital certificate before granting access, check the Require
client digital certificates radio box. The CNAME of the client certificate must match the user
name that the user supplies to log in and the certificate must be generated by a certificate
authority (CA) that is trusted by the SSL VPN Concentrator.
7. Click Apply to update the configuration. Once the domain has been added, the domain
displays in the table on the Domains screen.
Active Directory Authentication
Active Directory authentication servers support a group and user structure that can be queried
when an Active Directory user logs in. This means that you can create policies and bookmarks for
Active Directory users at the group level, without needing to define Active Directory users in the
SSL VPN Concentrator. When a user logs in, if no corresponding user name is configured in the
local database, then the SSL VPN Concentrator will query the Active Directory server for the list
of groups that the user belongs to. If any of the same groups are defined in the SSL VPN
Concentrator, then policies and bookmarks for the first Windows Active Directory group that
matches a group configured in the SSL VPN Concentrator will be applied to the user.
Once you create an Active Directory domain, you can add groups that correspond with groups on
your Active Directory server. If the Active Directory user is configured in the SSL VPN
Concentrator, then the SSL VPN Concentrator will ignore the group information provided by the
Active Directory and, instead, implement policies and bookmarks based on the user settings and
the settings of the group to which the user belongs.
Configuring for Windows Active Directory Authentication
To configure Windows Active Directory authentication:
1. Click Add Domain. An Add Domain window displays.
Note: Because other authentication services do not have the same hierarchical structure and
group definitions as Active Directory, if you want to apply specific policies or bookmarks to a
group of RADIUS, NT, or LDAP users, you must add each user on the Users and Groups screen.
Note:
Of all types of authentication, Active Directory authentication is the most error
prone. If you are unable to authenticate using Active Directory, please read the
troubleshooting procedure at the end of this section.
2. From the Authentication Type menu, select Active Directory. Fields for Active Directory
configuration display.
3. In the Domain Name field, enter a descriptive name for the authentication domain. This is the
domain name users will select in order to log into the SSL VPN portal. It can be the same
value as the Server Address field or the Active Directory Domain field, depending on your
network configuration.
4. In the Server Address field, enter the IP address or host and domain name of the Active
Directory server.
5. In the Active Directory Domain field, enter the Active Directory domain name.
6. From the Portal Layout Name menu, select the name of the layout. The default layout is
SSL-VPN. You can define additional layouts in the Portal Layouts page.
7. To force users to supply a valid digital certificate before granting access, check the Require
client digital certificates radio box. The CNAME of the client certificate must match the user
name that the user supplies to log in and the certificate must be generated by a certificate
authority (CA) that is trusted by the SSL VPN Concentrator.
Figure 3-6
