Chapter 7 Tutorials
ZyWALL USG 50 User’s Guide
131
2 Click the Add icon again and create a rule for one of the user groups that is
allowed to access the DMZ.
Figure 83 Configuration > Firewall > Add
3 Repeat this process to set up firewall rules for the other user groups that are
allowed to access the DMZ.
7.6 How to Use a RADIUS Server to Authenticate User Accounts based on Groups
The previous example showed how to have a RADIUS server authenticate
individual user accounts. If the RADIUS server has different user groups
distinguished by the value of a specific attribute, you can make a
couple of slight changes in the configuration to have the RADIUS server
authenticate groups of user accounts defined in the RADIUS server.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius
entry. Besides configuring the RADIUS server’s address, authentication
port, and key, set the Group Membership Attribute field to the attribute that
the ZyWALL is to check to determine to which group a user belongs. This example
uses Class. This attribute’s value is called a group identifier; it determines to
which group a user belongs. In this example the values are Finance, Engineer,
Sales, and Boss.
Figure 84 Configuration > Object > AAA Server > RADIUS > Add
2 Now you add ext-group-user user objects to identify groups based on the group
identifier values. Set up one user account for each group of user accounts in the
RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon.
Enter a user name and set the User Type to ext-group-user. In the Group Identifier
field, enter Finance, Engineer, Sales, or Boss and set the Associated
AAA Server Object to radius.
Figure 85 Configuration > Object > User/Group > User > Add
3 Repeat this process to set up the remaining groups of user accounts.
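Added example, not from the User’s Guide or the ZyWALL firmware: how a RADIUS client can read the Class attribute from an Access-Accept and map it to a group, trusting it only after the Response Authenticator verifies against the shared key. The group object names, the shared key, the exact-match comparison, and the sample packet are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code
ATTR_CLASS = 25    # RFC 2865 Class attribute type
# Group identifiers from the tutorial -> hypothetical ext-group-user object names.
GROUP_OBJECTS = {"Finance": "finance-users", "Engineer": "engineer-users",
                 "Sales": "sales-users", "Boss": "boss-users"}


def build_accept(ident, request_auth, secret, attrs):
    """Build a constructed Access-Accept the way a RADIUS server would."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def group_from_accept(packet, request_auth, secret):
    """Return the matching group object name, or None (fail closed)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared key or modified reply: ignore its attributes
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None  # malformed attribute
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_CLASS:
            name = GROUP_OBJECTS.get(value.decode("utf-8", "replace"))
            if name:
                return name
        pos += attr_len
    return None  # no Class attribute, or no configured group identifier matched


# Constructed sample reply: Reply-Message (type 18) followed by Class = Finance.
SECRET = b"constructed-shared-key"
REQ_AUTH = bytes(range(16))
SAMPLE = build_accept(7, REQ_AUTH, SECRET, [(18, b"welcome"), (ATTR_CLASS, b"Finance")])
```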
7.7 How to Use Endpoint Security and Authentication Policies
Here is how to use endpoint security to make sure that users’ computers meet
specific security requirements before they are allowed to access the network. This
example requires users to have Kaspersky Internet Security or anti-virus software
on their computers before they can access the network.
7.7.1 Configure the Endpoint Security Objects
Click Configuration > Object > Endpoint Security > Add to open the
Endpoint Security Edit screen.
• Select Endpoint must comply with all checking items.
• Set the Endpoint Operating System to Windows and the Window Version
to Windows 7.
• Select Endpoint must have Personal Firewall installed and move the
Kaspersky Internet Security entries to the allowed list (you can double-click an
entry to move it).
• Select Endpoint must have Anti-Virus software installed and move the
Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software
entries to the allowed list.
The following figure shows the configuration screen example.
Figure 86 Configuration > Object > Endpoint Security > Add
Repeat as needed to create endpoint security objects for other Windows operating
system versions.
7.7.2 Configure the Authentication Policy
Click Configuration > Auth. Policy > Add to open the Endpoint Security Edit
screen. Use this screen to configure an authentication policy to use endpoint
security objects.
• Enable the policy and name it.
• Set the Source Address to LAN1, the Destination Address to any, the
Schedule to none, and Authentication to required to apply this
policy to all users.
• Select Force User Authentication to redirect the HTTP traffic of users who are
not yet logged in to the ZyWALL’s login screen.
• Enable EPS checking and move the EPS objects you created to the selected list.
• Click OK.
Figure 87 Configuration > Auth. Policy > Add
