
Author Topic: Problems when config Web based user Auth with IAS (MS Radius server) and AD  (Read 6231 times)

fernando.w

  • Level 1 Member
  • *
  • Posts: 10
    • Dígitro Tecnologia

Hi everybody,

I'm new to this forum and I need help with the scenario below.

The customer has a Linux firewall solution, according to the following group structure (with AD authentication), and needs to translate it to IP rules on the DFL-800.

Group Internet1: The users in this group have full access to sites and download.
Group Internet2: The users in this group have access to all sites, but without download option
Group Internet3: The users in this group have access to all sites, but without download option and no access to sites in blacklist
Group Internet4: The users in this group have only access to sites in whitelist, without download option and don't have access to sites in blacklist

I already did the environment setup with IAS (MS Radius server), Active Directory and all DFL-800 configurations (external database, user auth rules, address book, ip rules, etc.).

When testing with a web browser, the web authentication page is redirected normally and I can log in with an AD user and this user is successfully authenticated (I can confirm with IAS logs), but the "logged in" screen is shown and I can't access any sites.

In the status menu -> user authentication, I observe that the column "Logged In AS" is empty.

I tested the same scenario with local authentication and it works. The column cited above shows the group of the user (for example, Internet1).

Can somebody help us with this scenario?

Thanks in advance,

Fernando
Fernando Willemann
Dígitro Tecnologia
D-Link Advanced Certification - Switching/Wireless
Cisco Certified Network Associate
Cisco IronPort Certified Security Professional - E-Mail/Web

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675

I suspect that your RADIUS logs may provide a clue.  RADIUS is very touchy about auth requests and there are a lot of ways that it could be misconfigured.

So let's see some RADIUS and DFL logs!
non progredi est regredi

fernando.w

  • Level 1 Member
  • *
  • Posts: 10
    • Dígitro Tecnologia

Hi Fatman!

Thank you for your answer. Do you have any suggestion of a specific log from the DFL-800 and MS IAS that can help?

Regards,
Fernando Willemann
Dígitro Tecnologia
D-Link Advanced Certification - Switching/Wireless
Cisco Certified Network Associate
Cisco IronPort Certified Security Professional - E-Mail/Web

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675

Well the DFL only has the one log, so wrap that one up for us.

As for your RADIUS server, I don't know how it does logging, but failed attempts, failed auths or connection errors would all be meaningful.  I will do my best to parse whatever you provide.
non progredi est regredi

fernando.w

  • Level 1 Member
  • *
  • Posts: 10
    • Dígitro Tecnologia
Re: Problems when config Web based user Auth with IAS and AD - SOLVED
« Reply #4 on: April 15, 2010, 08:06:44 AM »

Hi Fatman,

Well, we have a change in the environment. I did a firmware upgrade from version 2.20.01 to 2.26.01 and this newest version has some changes that help. One of these is the possibility to configure an LDAP server profile for user authentication. So we don't need to use a RADIUS server to do that.

However, the Support Team from D-Link Brasil helped us with this configuration too, and I think it is very important to share this knowledge with this forum.

So to configure authentication through a RADIUS server on Win2003, after the default installation of IAS, it is necessary to create an attribute (on the RADIUS server) which will be the group information. The type of this attribute is "Vendor Code 5089" and it will be associated with the group name. I have images that show the steps of the configuration but I don't know how to attach them to this post.

I hope that helps somebody too.

Thank you for your help!

Best Regards,
« Last Edit: April 20, 2010, 11:44:33 AM by fernando.w »
Fernando Willemann
Dígitro Tecnologia
D-Link Advanced Certification - Switching/Wireless
Cisco Certified Network Associate
Cisco IronPort Certified Security Professional - E-Mail/Web
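
The fix reported in the thread is a vendor-specific attribute with vendor code 5089 that carries the group name. As an added example (not from the posters or from D-Link), this Python check decodes a captured RADIUS Access-Accept and lists the group strings it carries for that vendor, which shows whether IAS is actually sending the group. The sub-attribute number 1, the helper names and the sample packets are assumptions constructed for the example.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type carrying vendor attributes (RFC 2865)
VENDOR_ID = 5089       # vendor code given in the thread
GROUP_SUBTYPE = 1      # ASSUMPTION: vendor sub-attribute number, not stated in the thread
ACCESS_ACCEPT = 2

def attr(atype, value):
    """Encode one type-length-value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def group_vsa(group, vendor_id=VENDOR_ID, subtype=GROUP_SUBTYPE):
    """Encode a Vendor-Specific attribute holding one group-name string."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(subtype, group.encode()))

def build_accept(attrs, identifier=1):
    """Constructed Access-Accept for testing; authenticator is zeroed, not valid."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, identifier, 20 + len(body), bytes(16)) + body

def tlvs(buf):
    """Yield (type, value) pairs, rejecting truncated or zero-length entries."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def group_names(packet, vendor_id=VENDOR_ID, subtype=GROUP_SUBTYPE):
    """Return the group strings an Access-Accept carries for vendor_id."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    groups = []
    for atype, value in tlvs(packet[20:length]):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        groups += [v.decode("utf-8", "replace") for t, v in tlvs(value[4:]) if t == subtype]
    return groups

# Constructed samples: a reply with no group attribute, and one with it.
NO_GROUP = build_accept([attr(18, b"ok")])
WITH_GROUP = build_accept([attr(18, b"ok"), group_vsa("Internet1")])

if __name__ == "__main__":
    print(group_names(NO_GROUP), group_names(WITH_GROUP))
```

An empty list for a successful login means the server accepted the user but sent no group value for vendor 5089.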