D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: craudiao on August 24, 2011, 05:02:19 PM
-
Hi...
Sorry for the bad English / translated by Google Translator.
I have a D-Link DFL-210.
I have to configure it to authenticate via LDAP against a Windows AD...
but following the manual, with this setting:
#  Action  Src Interface  Src Network    Dest Interface  Dest Network                   Service
1  Allow   lan            lannet         core            lan_ip                         http-all
2  NAT     lan            trusted_users  wan             all-nets                       http-all
3  NAT     lan            lannet         wan             all-nets                       dns-all
4  SAT     lan            lannet         wan             all-nets/all-to-one/127.0.0.1  http-all
5  Allow   lan            lannet         wan             all-nets                       http-all
what happens is that the browser opens the login page and authenticates to AD correctly,
but after connecting it simply cannot browse any site.
All it does is display the same sentence saying that I'm connected, regardless of the address I enter...
Can someone help me with this problem?
-
Please give your IP rules + interface settings.
-
IP rules:
#  Name            Action  Src Interface  Src Network  Dest Interface  Dest Network  Service
1  allow_httpauth  Allow   lan            lannet       core            lan_ip        http-all
2  allow_standard  NAT     lan            lan-auth     wan             all-nets      http-all
3  allow_dns       NAT     lan            lannet       wan             all-nets      dns-all
4  allow_httpauth  SAT     lan            lannet       wan             all-nets      http-all
5  allow_httpauth  Allow   lan            lannet       wan             all-nets      http-all
Interface settings:
dmz  dmz_ip  dmznet          No   (interface not in use)
lan  lan_ip  lannet  wan_ip  No
wan  wan_ip  wannet  wan_gw  Yes
Interface addresses:
dmz_ip    172.17.100.254    IP address of interface dmz (interface not in use)
dmznet    172.17.100.0/24   the network on interface dmz (interface not in use)
gw-word   192.168.1.15
lan-auth  192.168.101.0/24  dcserver
lan_ip    192.168.101.1     IP address of interface lan
lannet    192.168.101.0/24  the network on interface lan
The wan interface is a DHCP client and wan_gw = gw-word.
The message that appears after authentication is this:
Logged on
You, or possibly someone else from your IP address,
have been granted access.
Click here to log out.
And after that it does not access any site; only this message appears.
-
Change the order of the IP rules:
3  allow_dns       NAT    lan/lannet    wan/all-nets   dns-all   # pass DNS traffic without authorization
2  allow_standard  NAT    lan/lan-auth  wan/all-nets   http-all  # this is the authorized rule
1  allow_httpauth  Allow  lan/lannet    core/lan_ip    http-all  # allow displaying the auth form
4  allow_httpauth  SAT    lan/lannet    wan/all-nets   http-all  # replace unauthorized outgoing traffic with the auth form - 1st
5  allow_httpauth  Allow  lan/lannet    wan/all-nets   http-all  # replace unauthorized outgoing traffic with the auth form - 2nd
-
Thanks for the reply, danilovav,
but the problem remains the same.
Once authenticated, all attempts to access a site give the same answer:
Logged on
You, or possibly someone else from your IP address,
have been granted access.
Click here to log out.
-
Seems the allow_standard NAT rule is not working. Check whether lan-auth's settings are correct: the group should be the same as in the user auth settings.
Do you have other IP rules? Can you show all of them?
-
danilovav,
I have no other IP rules.
It's the first time I'm configuring it, and all I need is for this authentication to work. I don't use it for anything else.
As for authentication,
authentication is working properly.
When I try to browse the first time, it prompts for a login and password.
If I type the wrong login I get an error; if I enter it correctly it's OK.
But once authenticated, it continues to translate every HTTP address to the router's IP and tells me I'm logged in, instead of going to the right address.
Sorry for the bad English, I only speak Portuguese.
-
Please show the IP rules and HTTP auth settings as screenshots.
-
danilovav, my configuration screens:
(http://img33.imageshack.us/img33/3770/iprules.jpg)
(http://img97.imageshack.us/img97/2938/intadd.jpg)
(http://img98.imageshack.us/img98/9054/ethernet.jpg)
(http://img593.imageshack.us/img593/6645/ldap.jpg)
(http://img846.imageshack.us/img846/7191/lanauth.jpg)
(http://img193.imageshack.us/img193/7959/loginauth.jpg)
(http://img7.imageshack.us/img7/448/loginerror.jpg)
(http://img263.imageshack.us/img263/7637/loginok.jpg)
(http://img638.imageshack.us/img638/6146/surffail.jpg)
-
The reason for your problem is that you got authenticated via LDAP, but the DFL group (dcserver) hasn't been assigned to the user; as a result the lan_auth (2nd) rule doesn't work.
Do you have a group named "dcserver" in your AD? Does this user belong to it?
To check, try changing authorization to local; it should start working.
-
Yes, with local authentication it worked.
But even after putting the user in a group with the same name as the authentication rule, it does not work with LDAP.
Do you know what might be happening?
-
To get the 2nd (authorized) rule working, the user must have the group assigned.
Seems it's missing in the LDAP configuration.
> But even after putting the user in a group with the same name as the authentication rule, it does not work with LDAP.
Group name: dcserver?
-
danilovav, thank you very much.
I had to change the "name attribute" in the LDAP server configuration from "uid" to "samaccountname".
Thanks...
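Putting danilovav's diagnosis (the lan-auth object only matches a user who carries the dcserver group) together with the final fix (name attribute "uid" replaced by "samaccountname"), here is a small Python model of the flow the thread describes. It is an added illustration written for this page, not NetDefendOS or D-Link code: the rule, object and group names are the ones from the posts, while the directory entries, the LAN and Internet addresses, and the evaluation logic (top-down, first match wins; a group-restricted network object matches only a source whose logged-in user has that group) are assumptions chosen to mirror what the replies say.

```python
"""Model of the DFL-210 HTTP-auth flow discussed in this thread.

Constructed for this page; NOT NetDefendOS or D-Link code. Rule and object
names come from the posts. How the user's groups reach the rule engine is an
assumption that follows the replies: lan-auth matches a LAN source only when
its logged-in user carries the group dcserver, and rules are checked top-down.
"""
import ipaddress

# Constructed stand-in for the AD directory (two made-up accounts).
# AD user objects carry sAMAccountName; they normally have no uid attribute.
AD_ENTRIES = [
    {"dn": "CN=Alice,CN=Users,DC=example,DC=local",
     "sAMAccountName": "alice",
     "memberOf": ["CN=dcserver,CN=Users,DC=example,DC=local"]},
    {"dn": "CN=Bob,CN=Users,DC=example,DC=local",
     "sAMAccountName": "bob",
     "memberOf": []},
]


def groups_for_user(username, name_attribute):
    """Group names (CN of each memberOf value) of the entry whose
    `name_attribute` equals username. With name_attribute="uid" no AD entry
    matches, so the user ends up with no groups even though the login itself
    succeeded, which is the symptom reported in the thread."""
    for entry in AD_ENTRIES:
        if entry.get(name_attribute) == username:
            return [dn.split(",")[0][len("CN="):] for dn in entry["memberOf"]]
    return []


# Network objects from the thread: (prefix, group the user must carry or None).
# lan-auth is lannet restricted to authenticated users in group dcserver.
NETWORKS = {
    "lannet":   ("192.168.101.0/24", None),
    "lan-auth": ("192.168.101.0/24", "dcserver"),
    "lan_ip":   ("192.168.101.1/32", None),
    "all-nets": ("0.0.0.0/0",        None),
}

# Rule order as reposted by danilovav: (name, action, src net, dst net, service).
# The SAT rule redirects unauthenticated HTTP to the login page; the Allow
# rule after it lets the translated traffic through.
RULES = [
    ("allow_dns",      "NAT",   "lannet",   "all-nets", "dns-all"),
    ("allow_standard", "NAT",   "lan-auth", "all-nets", "http-all"),
    ("allow_httpauth", "Allow", "lannet",   "lan_ip",   "http-all"),
    ("allow_httpauth", "SAT",   "lannet",   "all-nets", "http-all"),
    ("allow_httpauth", "Allow", "lannet",   "all-nets", "http-all"),
]


def _in_object(name, ip, user_groups):
    """True if ip lies in the object's prefix and the group requirement holds."""
    net, required_group = NETWORKS[name]
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(net):
        return False
    return required_group is None or required_group in user_groups


def first_match(src_ip, dst_ip, service, user_groups=()):
    """First rule that matches, as (name, action); ('', 'Drop') if none."""
    for name, action, src, dst, svc in RULES:
        if (svc == service and _in_object(src, src_ip, user_groups)
                and _in_object(dst, dst_ip, ())):
            return name, action
    return "", "Drop"


def browse_after_login(username, name_attribute,
                       src_ip="192.168.101.50", dst_ip="203.0.113.10"):
    """Fate of an HTTP request from a LAN host (assumed 192.168.101.50) to an
    Internet address (assumed 203.0.113.10) once `username` has logged in:
    NAT means the page loads, SAT means the login page is shown again."""
    return first_match(src_ip, dst_ip, "http-all",
                       groups_for_user(username, name_attribute))


if __name__ == "__main__":
    for user, attr in (("alice", "uid"), ("alice", "sAMAccountName"),
                       ("bob", "sAMAccountName")):
        print(f"{user:6} name attribute={attr:15} -> {browse_after_login(user, attr)}")
```

With "uid" the lookup finds no entry, the user has no groups, lan-auth never matches and every HTTP request falls through to the SAT rule, i.e. the "Logged on" page again; with "sAMAccountName" the group comes back, allow_standard matches and the request is NATed out. A user that authenticates but is not in dcserver (bob) gets the same SAT result, which is danilovav's original diagnosis. In this model, restoring the rule order from the first post gives the same results for these inputs, consistent with the reorder alone not changing the symptom. Before touching the firewall, it is worth confirming with an LDAP browser or ldapsearch that the account really has the sAMAccountName and memberOf values the device is configured to look for.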