AAA Server
AAA Server Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network.
The following lists the types of authentication server the ZyWALL supports.
- Local user database
The ZyWALL uses the built-in local user database to authenticate administrative users logging into the ZyWALL's web configurator or network access users logging into the network through the ZyWALL. You can also use the local user database to authenticate VPN users.
- Directory Service (LDAP/AD)
LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.
- RADIUS
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.
ASAS
ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a ZyWALL OTP package in order to use this feature. The package contains server software and ZyWALL OTP tokens. Do the following to use OTP. See the documentation included on the ASAS' CD for details.
- Install the ASAS server software on a computer.
- Create user accounts on the ZyWALL and in the ASAS server.
- Import each token's database file (located on the included CD) into the server.
- Assign users to OTP tokens (on the ASAS server).
- Configure the ASAS as a RADIUS server in the ZyWALL's Object > AAA Server screens.
- Give the OTP tokens to (local or remote) users.
User Authentication Method
You can select to authenticate users using the local user database and/or a specified authentication server. By default, user accounts created and stored on the ZyWALL are authenticated locally.
Directory Service (AD/LDAP) Overview
LDAP/AD allows a client (the ZyWALL) to connect to a server to retrieve information from a directory.
The following describes the user authentication procedure via an LDAP/AD server.
- A user logs in with a user name and password pair.
- The ZyWALL tries to bind (or log in) to the LDAP/AD server.
- When the binding process is successful, the ZyWALL checks the user information in the directory against the user name and password pair.
- If it matches, the user is allowed access. Otherwise, access is blocked.
Directory Structure
The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or organizational boundaries.
Distinguished Name (DN)
A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas. The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique name for entries that have the same "parent DN" ("cn=domain1.com, ou=Sales, o=MyCompany" in the following examples).
cn=domain1.com, ou=Sales, o=MyCompany, c=US
cn=domain1.com, ou=Sales, o=MyCompany, c=JP
Base DN
A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or a country. For example, o=MyCompany, c=UK, where o means organization and c means country.
Bind DN
A bind DN is used to authenticate with an LDAP/AD server. For example, a bind DN of cn=zywallAdmin allows the ZyWALL to log into the LDAP/AD server using the user name zywallAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the ZyWALL tries to log in as an anonymous user. If the bind password is incorrect, the login fails.
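As an added illustration (not Zyxel's code or the ZyWALL's implementation), the following Python parses DNs in the form shown above (RDN, parent DN, base DN) and walks through the four-step LDAP/AD authentication procedure against a constructed in-memory directory. The entries, the bind account cn=zywallAdmin and all passwords are made up, and a real server's search and DN-escaping rules are simplified.

```python
# Constructed directory standing in for the LDAP/AD server: DN -> password.
DIRECTORY = {
    "cn=zywallAdmin,o=ZyXEL,c=US": "bind-secret",
    "cn=alice,ou=Sales,o=ZyXEL,c=US": "alice-pw",
}

def split_dn(dn):
    """Split 'cn=domain1.com, ou = Sales, o=MyCompany, c=US' into (attr, value) pairs:
    attribute types case-folded, whitespace trimmed, backslash escapes a comma."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc or ch not in ",\\":
            cur, esc = cur + ch, False
        elif ch == "\\":
            esc = True
        else:
            parts.append(cur)
            cur = ""
    parts.append(cur)
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        if attr.strip():
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def join_dn(pairs):
    return ",".join(f"{a}={v}" for a, v in pairs)

def rdn(dn):
    return split_dn(dn)[0]  # leftmost pair: the Relative Distinguished Name

def parent_dn(dn):
    return join_dn(split_dn(dn)[1:])

def is_under(dn, base_dn):
    """True if dn lies in the subtree rooted at base_dn (pairwise suffix match)."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def authenticate(user, password, base_dn, cn_id="cn", bind_dn="", bind_pw=""):
    # Step 2: bind. An empty bind DN means an anonymous bind, which this stand-in accepts.
    if bind_dn and DIRECTORY.get(join_dn(split_dn(bind_dn))) != bind_pw:
        return "bind failed"
    # Step 3: the entry whose RDN is <CN Identifier>=<user>, anywhere under the base DN.
    hits = [dn for dn in DIRECTORY
            if rdn(dn) == (cn_id.lower(), user) and is_under(dn, base_dn)]
    if len(hits) != 1:  # no unique entry: the ZyWALL reports this as a search timeout
        return "user not found"
    return "access allowed" if DIRECTORY[hits[0]] == password else "access blocked"  # step 4
```

Note that a user outside the configured base DN is not found even with the right password, which is how the Base DN field scopes who can authenticate.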
Configuring Active Directory or LDAP Default Server Settings
Object > AAA Server > Active Directory (or LDAP) > Default
| Label | Description |
|---|---|
| Host | Enter the IP address (in dotted decimal notation) or the fully-qualified domain name (up to 63 alphanumerical characters) of an AD or LDAP server. |
| Port | Specify the port number on the AD or LDAP server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535. The default is 389. |
| Bind DN | Specify the bind DN for logging into the LDAP server. Enter up to 63 alphanumerical characters. For example, cn=zywallAdmin specifies zywallAdmin as the user name. |
| Password | If required, enter the password (up to 15 alphanumerical characters) for the ZyWALL to bind (or log in) to the AD or LDAP server. |
| Base DN | Specify the directory (up to 63 alphanumerical characters). For example, o=ZyXEL, c=US. |
| CN Identifier | Specify the common name attribute that uniquely identifies a record in the AD or LDAP directory. Enter up to 63 alphanumerical characters. |
| Search time limit | Specify the timeout period (between 1 and 300 seconds) after which the ZyWALL disconnects from the AD or LDAP server and the user authentication fails. The search timeout occurs when either the user information is not in the LDAP server or the server is down. |
| Use SSL | Select Use SSL to establish a secure connection to the AD or LDAP server. |
| Apply | Click Apply to save the changes. |
| Reset | Click Reset to start configuring this screen again. |
Active Directory or LDAP Group Summary
You can configure a group of AD or LDAP servers in the Active Directory (or LDAP) > Group screen. This is useful if you have more than one AD server or more than one LDAP server for user authentication in a network. You can create up to 16 AD server groups with up to four members in each group on the ZyWALL. You can also create up to 16 LDAP server groups with up to four members in each group on the ZyWALL.
Object > AAA Server > Active Directory (or LDAP) > Group
| Label | Description |
|---|---|
| # | This field displays the index number. |
| Group Name | This field displays the descriptive name for identification purposes. |
| Add icon | Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry. |
Creating an Active Directory or LDAP Group
Object > AAA Server > Active Directory (or LDAP) > Group > Add
| Label | Description |
|---|---|
| Configuration | All AD or LDAP servers in a group share the same settings in the fields below. |
| Name | Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes. |
| Port | Specify the port number on the AD or LDAP server(s) to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP servers in this group. |
| Password | If required, enter the password (up to 15 alphanumerical characters) the ZyWALL uses to log into the AD or LDAP server(s). |
| Base DN | Specify the top-level directory in the directory tree. For example, o=ZyXEL, c=US. |
| Bind DN | Specify the bind DN for logging into the AD or LDAP server(s). For example, cn=zywallAdmin specifies zywallAdmin as the user name. |
| CN Identifier | Specify the common name attribute that uniquely identifies a record in the AD or LDAP directory. Enter up to 63 alphanumerical characters. |
| Search time limit | Specify the timeout period (between 1 and 300 seconds) after which the ZyWALL disconnects from the AD or LDAP server and the user authentication fails. The search timeout occurs when either the user information is not in the AD or LDAP server(s) or the server(s) are down. |
| Use SSL | Select Use SSL to establish a secure connection to the AD or LDAP server(s). |
| Host Members | The ordering of the AD or LDAP servers is important, as the ZyWALL uses them for user authentication in the order they appear in this table. |
| # | This field displays the index number. |
| Members | Specify the URI (Uniform Resource Identifier) of an AD or LDAP server. You can enter the IP address (in dotted decimal notation) or the fully qualified domain name (FQDN; up to 63 alphanumerical characters) of the AD or LDAP server. |
| Add icon | Click Add to add a new AD or LDAP server. You can add up to four AD or LDAP member servers. Click Delete to remove an AD or LDAP server. |
| OK | Click OK to save the changes. |
| Cancel | Click Cancel to discard the changes. |
RADIUS Server
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.
Configuring a Default RADIUS Server
Object > AAA Server > RADIUS > Default
| Label | Description |
|---|---|
| Host | Enter the IP address (in dotted decimal notation) or the domain name (up to 63 alphanumeric characters) of a RADIUS server. |
| Authentication Port | The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. |
| Key | Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and the ZyWALL. |
| Timeout | Specify the timeout period (between 1 and 300 seconds) after which the ZyWALL disconnects from the RADIUS server and the user authentication fails. The search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. |
| Apply | Click Apply to save the changes. |
| Reset | Click Reset to start configuring this screen again. |
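To show why the shared key must match on both ends yet is never sent over the network, here is an added Python example (not Zyxel's code) of the RFC 2865 Access-Request / Access-Accept exchange: the key only masks the User-Password attribute and seeds the Response Authenticator that the client recomputes to validate the reply. The user name, password and key are constructed values.

```python
import hashlib, hmac, secrets  # standard library only

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    block), the first 'previous block' being the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Server side of the same transform (assumes the password has no trailing NULs)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value  # Type, Length, Value

def packet(code, ident, authenticator, body):
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body

def access_request(user, password, secret, ident=7):
    """What the ZyWALL sends: code 1 with User-Name (1) and a hidden User-Password (2)."""
    req_auth = secrets.token_bytes(16)  # fresh random Request Authenticator per request
    body = attribute(1, user) + attribute(2, hide_password(password, secret, req_auth))
    return packet(1, ident, req_auth, body), req_auth

def response_authenticator(code, ident, body, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the key proves the
    reply came from a server that knows it, without the key itself being transmitted."""
    length = (20 + len(body)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + req_auth + body + secret).digest()

def access_accept(request, secret):
    """Server side: answer an Access-Request with an empty Access-Accept (code 2), same ID."""
    ident, req_auth = request[1], request[4:20]
    return packet(2, ident, response_authenticator(2, ident, b"", req_auth, secret), b"")

def verify_response(response, req_auth, secret):
    """Client-side check: a reply whose authenticator does not recompute is discarded."""
    expected = response_authenticator(response[0], response[1], response[20:], req_auth, secret)
    return hmac.compare_digest(response[4:20], expected)
```

A reply built with a different key fails verify_response, which is the practical effect of a Key mismatch between the ZyWALL and the server: authentication times out rather than being rejected outright.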
Configuring a Group of RADIUS Servers
You can configure a group of RADIUS servers in the RADIUS > Group screen. This is useful if you have more than one authentication server for user authentication in a network.
Object > AAA Server > RADIUS > Group
| Label | Description |
|---|---|
| # | This field displays the index number. |
| Group Name | This field displays the descriptive name for identification purposes. |
| Add icon | Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry. |
Adding a RADIUS Server Member
Object > AAA Server > RADIUS > Group > Add
| Label | Description |
|---|---|
| Configuration | All RADIUS servers in a group share the same settings in the fields below. |
| Name | Enter a descriptive name (up to 63 alphanumeric characters) for identification purposes. |
| Key | Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and the ZyWALL. |
| Timeout | Specify the timeout period (between 1 and 300 seconds) after which the ZyWALL disconnects from the RADIUS server and the user authentication fails. The search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. |
| Host Members | The ordering of the RADIUS servers is important, as the ZyWALL uses them for user authentication in the order they appear in this table. |
| # | This field displays the index number. |
| Members | Enter the IP address (in dotted decimal notation) or the domain name (up to 63 alphanumeric characters) of a RADIUS server. |
| Authentication Port | The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information. |
| Add icon | Click Add to add a new RADIUS server. You can add up to four RADIUS member servers. Click Delete to remove a RADIUS server. |
| OK | Click OK to save the changes. |
| Cancel | Click Cancel to discard the changes. |