AAA Server

AAA Server Overview

You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network.

The following lists the types of authentication server the ZyWALL supports.

ASAS

ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a ZyWALL OTP package in order to use this feature. The package contains server software and ZyWALL OTP tokens. Because ASAS is a RADIUS server, the ZyWALL talks to it through the RADIUS settings described below. See the documentation included on the ASAS CD for the setup procedure.

User Authentication Method

You can authenticate users against the local user database, a specified authentication server, or both. By default, user accounts created and stored on the ZyWALL are authenticated locally.

Directory Service (AD/LDAP) Overview

LDAP/AD allows a client (the ZyWALL) to connect to a server to retrieve information from a directory.

The following sections describe the directory concepts the ZyWALL uses when it authenticates users via an LDAP/AD server.

Directory Structure

The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or organizational boundaries.

Distinguished Name (DN)

A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas, most specific first. The leftmost pair is the Relative Distinguished Name (RDN); the remainder is the entry's "parent DN". An RDN is unique only among entries that share the same parent DN, so two entries in different parts of the tree may have the same RDN. In the following examples both entries have the RDN cn=domain1.com, but their parent DNs (ou=Sales, o=MyCompany, c=US and ou=Sales, o=MyCompany, c=JP) differ, so the two DNs are distinct.

cn=domain1.com, ou=Sales, o=MyCompany, c=US
cn=domain1.com, ou=Sales, o=MyCompany, c=JP

Base DN

A base DN specifies the directory subtree in which the ZyWALL searches for user entries. A base DN usually contains information such as the name of an organization, a domain name, and/or a country. For example, o=MyCompany, c=UK, where o means organization and c means country.

Bind DN

A bind DN is the identity the ZyWALL uses to authenticate itself to an LDAP/AD server before it searches for users. For example, a bind DN of cn=zywallAdmin lets the ZyWALL log into the LDAP/AD server using the user name zywallAdmin. The bind DN is used in conjunction with a bind password; if the bind password is incorrect, the login fails. When no bind DN is specified, the ZyWALL binds anonymously, which only works if the server permits anonymous searches of user entries (Active Directory does not by default). Use a dedicated, least-privilege account for the bind DN: it needs read access to the user entries under the base DN and nothing more.

Configuring Active Directory or LDAP Default Server Settings

Object > AAA Server > Active Directory (or LDAP) > Default 

label
description
Host
Enter the IP address (in dotted decimal notation) or the fully-qualified domain name (up to 63 alphanumerical characters) of an AD or LDAP server.
Port
Specify the port number on the AD or LDAP server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535. The default is 389.
Bind DN
Specify the bind DN for logging into the LDAP server. Enter up to 63 alphanumerical characters.
For example, cn=zywallAdmin specifies zywallAdmin as the user name.
Password
If required, enter the password (up to 15 alphanumerical characters) for the ZyWALL to bind (or log in) to the AD or LDAP server.
Base DN
Specify the directory (up to 63 alphanumerical characters). For example, o=ZyXEL, c=US.
CN Identifier
Specify the attribute whose value uniquely identifies a user record in the AD or LDAP directory, for example cn or uid (Active Directory users normally log in with sAMAccountName). The ZyWALL matches the user name entered at login against this attribute. Enter up to 63 alphanumerical characters.
Search time limit
Specify how long (between 1 and 300 seconds) the ZyWALL waits for the AD or LDAP server to answer before it closes the connection and fails the authentication attempt.
A timeout normally means the server is down or unreachable (or a firewall in the path is dropping the traffic). A server that is up but does not hold the user's entry returns an empty search result immediately, which also fails the authentication, without waiting for the timeout.
Use SSL
Select Use SSL to establish an encrypted connection to the AD or LDAP server. Without it, the bind password and the users' credentials cross the network in the clear. A server that accepts LDAP over SSL (LDAPS) normally listens on port 636 rather than 389, so set Port to match.
Apply
Click Apply to save the changes.
Reset
Click Reset to start configuring this screen again.
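The DN concepts above (RDN, parent DN, base DN) and the search-then-bind sequence behind the Default screen's fields, as an added example that is not ZyXEL's code. It runs against a constructed in-memory directory so it works offline; the `FakeDirectory` class, the `CFG` dictionary and its key names (`bind_dn`, `base_dn`, `cn_identifier`) are assumptions that mirror the screen's fields, and the sample entries and passwords are made up.

```python
"""Added example, not ZyXEL's code: DN handling and the search-then-bind
authentication flow a firewall performs against an LDAP/AD server, run
against a constructed in-memory directory (no network needed)."""
import re
from typing import Optional


def parse_dn(dn: str) -> list:
    """Split 'cn=domain1.com, ou = Sales, o=MyCompany, c=US' into
    [('cn', 'domain1.com'), ('ou', 'Sales'), ...], leftmost RDN first.
    Commas escaped as '\\,' inside a value are kept; attribute names are
    folded to lower case because LDAP treats them case-insensitively."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        if part.strip():
            attr, _, value = part.partition('=')
            rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def normalize_dn(dn: str) -> str:
    return ','.join(f'{a}={v}' for a, v in parse_dn(dn))


def rdn(dn: str) -> str:
    """Leftmost component: unique only among entries with the same parent."""
    attr, value = parse_dn(dn)[0]
    return f'{attr}={value}'


def parent_dn(dn: str) -> str:
    return ','.join(f'{a}={v}' for a, v in parse_dn(dn)[1:])


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn itself or lies beneath it (suffix match on the
    components; values compared case-insensitively as a simplification)."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


class FakeDirectory:
    """Stand-in for an LDAP/AD server (assumption, not a real client library).
    Passwords are held in the clear only because this is a test double."""

    def __init__(self, entries: dict, allow_anonymous_search: bool = False):
        self.entries = {normalize_dn(dn): attrs for dn, attrs in entries.items()}
        self.allow_anonymous_search = allow_anonymous_search

    def bind(self, dn: Optional[str], password: str) -> bool:
        """Simple bind. No DN is an anonymous bind: it succeeds but carries
        no search rights unless the server allows anonymous search."""
        if not dn:
            return True
        entry = self.entries.get(normalize_dn(dn))
        return entry is not None and entry.get('userPassword') == password

    def search(self, bound_dn: Optional[str], base_dn: str, attr: str, value: str) -> list:
        if not bound_dn and not self.allow_anonymous_search:
            raise PermissionError('anonymous search refused by server')
        return [dn for dn, attrs in self.entries.items()
                if is_under(dn, base_dn) and attrs.get(attr, '').lower() == value.lower()]


def authenticate(server: FakeDirectory, cfg: dict, username: str, password: str) -> tuple:
    """Bind with Bind DN/Password, search under Base DN for
    CN Identifier == username, then bind as the entry found with the
    user's own password. Returns (ok, user DN or reason)."""
    bind_dn = cfg.get('bind_dn')
    if not server.bind(bind_dn, cfg.get('bind_password', '')):
        return False, 'service bind failed (check Bind DN and Password)'
    try:
        matches = server.search(bind_dn, cfg['base_dn'], cfg['cn_identifier'], username)
    except PermissionError as exc:
        return False, f'search failed: {exc}'
    if len(matches) != 1:  # zero or ambiguous: never bind as a guessed entry
        return False, f'{len(matches)} entries match {cfg["cn_identifier"]}={username} under {cfg["base_dn"]}'
    if not server.bind(matches[0], password):
        return False, f'user bind failed for {matches[0]}'
    return True, matches[0]


# Constructed sample directory: two 'cn=alice' entries with different parents.
SAMPLE = FakeDirectory({
    'cn=zywallAdmin,ou=Services,o=ZyXEL,c=US': {'cn': 'zywallAdmin', 'userPassword': 'bind-secret'},
    'cn=alice,ou=Sales,o=ZyXEL,c=US': {'cn': 'alice', 'userPassword': 'alice-pw'},
    'cn=alice,ou=Support,o=ZyXEL,c=US': {'cn': 'alice', 'userPassword': 'other-pw'},
})

# Constructed settings mirroring the Default screen's fields (assumed key names).
CFG = {'bind_dn': 'cn=zywallAdmin,ou=Services,o=ZyXEL,c=US', 'bind_password': 'bind-secret',
       'base_dn': 'ou=Sales,o=ZyXEL,c=US', 'cn_identifier': 'cn'}

if __name__ == '__main__':
    print(rdn('cn=domain1.com, ou = Sales, o=MyCompany, c=US'))  # cn=domain1.com
    print(authenticate(SAMPLE, CFG, 'alice', 'alice-pw'))  # (True, 'cn=alice,ou=Sales,o=ZyXEL,c=US')
    print(authenticate(SAMPLE, dict(CFG, base_dn='o=ZyXEL,c=US'), 'alice', 'alice-pw'))
```

Widening the base DN to o=ZyXEL,c=US makes both alice entries match, and the flow refuses rather than binding as whichever entry came back first; narrowing the CN Identifier or base DN until exactly one entry matches is the usual fix. Dropping the bind DN shows the anonymous-bind failure described above.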

Active Directory or LDAP Group Summary

You can configure a group of AD or LDAP servers in the Active Directory (or LDAP) > Group screen. This is useful if you have more than one AD server or more than one LDAP server for user authentication in a network. You can create up to 16 AD server groups with up to four members in each group on the ZyWALL. You can also create up to 16 LDAP server groups with up to four members in each group on the ZyWALL.

Object > AAA Server > Active Directory (or LDAP) > Group 

label
description
#
This field displays the index number.
Group Name
This field displays the descriptive name for identification purposes.
Add icon
Click Add to add a new entry.
Click Edit to edit the settings of an entry.
Click Delete to remove an entry.

Creating an Active Directory or LDAP Group

Object > AAA Server > Active Directory (or LDAP) > Group > Add 

label
description
Configuration
All AD or LDAP servers in a group share the same settings in the fields below.
Name
Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Port
Specify the port number on the AD or LDAP server(s) to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535.
This port number should be the same on all AD or LDAP server(s) in this group.
Password
If required, enter the password (up to 15 alphanumerical characters) the ZyWALL uses to log into the AD or LDAP server(s).
Base DN
Specify the base DN, the top-level entry under which the ZyWALL searches for users. For example, o=ZyXEL, c=US.
Bind DN
Specify the bind DN for logging into the AD or LDAP server(s). For example, cn=zywallAdmin specifies zywallAdmin as the user name.
CN Identifier
Specify the attribute whose value uniquely identifies a user record in the AD or LDAP directory (for example cn or uid); the ZyWALL matches the user name entered at login against this attribute. Enter up to 63 alphanumerical characters.
Search time limit
Specify how long (between 1 and 300 seconds) the ZyWALL waits for an AD or LDAP server to answer before it closes the connection and fails the authentication attempt.
A timeout normally means the server is down or unreachable. A server that is up but does not hold the user's entry returns an empty search result immediately, which also fails the authentication, without waiting for the timeout.
Use SSL
Select Use SSL to establish a secure connection to the AD or LDAP server(s).
Host Members
The ordering of the AD or LDAP servers is important: the ZyWALL contacts them for user authentication in the order they appear in this table.
#
This field displays the index number.
Members
Specify the URI (Uniform Resource Identifier) of an AD or LDAP server. You can enter the IP address (in dotted decimal notation) or the fully qualified domain name (FQDN; up to 63 alphanumerical characters) of the AD or LDAP server.
Add icon
Click Add to add a new AD or LDAP server. You can add up to four AD or LDAP member servers.
Click Delete to remove an AD or LDAP server.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.

RADIUS Server

RADIUS (Remote Authentication Dial-In User Service) is a widely used protocol for authenticating users against an external server instead of (or in addition to) the device's internal user database, which is limited by the device's memory capacity. In essence, RADIUS lets you validate a large number of users from a central location.

Configuring a Default RADIUS Server

Object > AAA Server > RADIUS > Default 

label
description
Host
Enter the IP address (in dotted decimal notation) or the domain name (up to 63 alphanumeric characters) of a RADIUS server.
Authentication Port
The default port of the RADIUS server for authentication is 1812.
You need not change this value unless your RADIUS server listens on a different port (some older servers use 1645).
Key
Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL.
The key is not sent over the network: it is used to hide the User-Password attribute in requests and to authenticate the server's replies. This key must be the same on the external authentication server and the ZyWALL. A compliant client discards replies whose Response Authenticator does not verify, so a mismatched key typically shows up as a timeout rather than an explicit error. Choose a random key that uses the full 15 characters.
Timeout
Specify how long (between 1 and 300 seconds) the ZyWALL waits for a reply from the RADIUS server before it gives up and fails the authentication attempt.
A timeout means no valid reply arrived: the RADIUS server is down or unreachable, it silently discarded the request (RADIUS servers commonly do so when the ZyWALL's address is not a configured client), or the shared key does not match. A server that is up and does not accept the user answers immediately with an Access-Reject, which fails authentication without waiting for the timeout.
Apply
Click Apply to save the changes.
Reset
Click Reset to start configuring this screen again.
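The exchange behind the Key and Timeout fields, as an added example that is not ZyXEL's code: a RADIUS Access-Request and its reply built per RFC 2865, with both the client and the server side in one file so it runs offline. The `exchange` helper, the `send` callback that stands in for the network, the `client_known` flag and the `USERS` table are assumptions introduced for the demonstration; the user name, password and keys are made up.

```python
"""Added example, not ZyXEL's code: a RADIUS Access-Request/Access-Accept
exchange (RFC 2865) showing what the shared key does and why a mismatched
key or an unknown client looks like a timeout rather than a rejection."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct('!BBH')  # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1, including header) Value TLVs."""
    return b''.join(struct.pack('!BB', t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError('malformed attribute')
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request
    Authenticator. The secret itself never leaves the host."""
    padded = password + b'\x00' * (-len(password) % 16 or (16 if not password else 0))
    out, prev = b'', authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b'', authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b'\x00')


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         authenticator: bytes = None) -> bytes:
    req_auth = authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the
    reply answers this request and came from a party holding the key."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b'') -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + response_authenticator(code, ident, attrs, req_auth, secret) + attrs


USERS = {b'alice': b'alice-pw'}  # constructed user store


def radius_server(packet: bytes, secret: bytes, client_known: bool = True, users=USERS):
    """Returns a reply, or None where a real server silently discards the
    request (unknown client address or malformed packet)."""
    if not client_known or len(packet) < 20:
        return None
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:]))
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b''), secret, req_auth)
    ok = users.get(attrs.get(ATTR_USER_NAME)) == password  # wrong key decrypts to garbage
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def radius_client(secret: bytes, username: bytes, password: bytes, send, ident: int = 7) -> str:
    """send(packet) stands in for the network and returns the reply or None."""
    request = send_request = build_access_request(ident, secret, username, password)
    reply = send(send_request)
    if reply is None or len(reply) < 20:
        return 'timeout'
    code, rid, length = HEADER.unpack(reply[:4])
    if rid != ident or length != len(reply):
        return 'timeout'  # not a reply to our request: discarded
    expected = response_authenticator(code, rid, reply[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return 'timeout'  # bad Response Authenticator (key mismatch): discarded, Timeout expires
    return {ACCESS_ACCEPT: 'accept', ACCESS_REJECT: 'reject'}.get(code, 'timeout')


def exchange(client_key: bytes, server_key: bytes, username: bytes, password: bytes,
             client_known: bool = True) -> str:
    """Run one request/reply through the in-process server and classify the outcome."""
    return radius_client(client_key, username, password,
                         lambda pkt: radius_server(pkt, server_key, client_known))
```

Running `exchange` with matching keys gives `accept` for the right password and `reject` for a wrong one; with different keys on the two sides, or with the client not registered on the server, the result is `timeout`, which is exactly what the Timeout field on the screen above is waiting for. The MD5-based constructions shown here are the only protection plain RADIUS over UDP provides, so keep the RADIUS path on a trusted segment or inside a tunnel and use the full 15-character random key.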

Configuring a Group of RADIUS Servers

You can configure a group of RADIUS servers in the RADIUS > Group screen. This is useful if you have more than one authentication server for user authentication in a network.

Object > AAA Server > RADIUS > Group 

label
description
#
This field displays the index number.
Group Name
This field displays the descriptive name for identification purposes.
Add icon
Click Add to add a new entry.
Click Edit to edit the settings of an entry.
Click Delete to remove an entry.

Creating a RADIUS Group

Object > AAA Server > RADIUS > Group > Add 

label
description
Configuration
All RADIUS servers in a group share the same settings in the fields below.
Name
Enter a descriptive name (up to 63 alphanumeric characters) for identification purposes.
Key
Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL.
The key is not sent over the network. This key must be the same on the external authentication server and the ZyWALL.
Timeout
Specify how long (between 1 and 300 seconds) the ZyWALL waits for a reply from a RADIUS server before it gives up and fails the authentication attempt.
A timeout means no valid reply arrived: the RADIUS server is down or unreachable, it silently discarded the request (for example because the ZyWALL's address is not a configured client), or the shared key does not match. A server that is up and does not accept the user answers immediately with an Access-Reject, which fails authentication without waiting for the timeout.
Host Members
The ordering of the RADIUS servers is important as the ZyWALL uses the RADIUS servers for user authentication in the order they appear in this table.
#
This field displays the index number.
Members
Enter the IP address (in dotted decimal notation) or the domain name (up to 63 alphanumeric characters) of a RADIUS server.
Authentication Port
The default port of the RADIUS server for authentication is 1812.
You need not change this value unless the RADIUS server listens on a different port (some older servers use 1645).
Add icon
Click Add to add a new RADIUS server. You can add up to four RADIUS member servers.
Click Delete to remove a RADIUS server.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.