AAA Server

You can use a AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be a Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers. You use AAA server objects in configuring ext-group-user user objects and authentication method objects (see Authentication Method).

Directory Service (AD/LDAP)

LDAP/AD allows a client (the ZyWALL) to connect to a server to retrieve information from a directory.

The following describes the user authentication procedure via an LDAP/AD server.

A user logs in with a user name and password pair.

The ZyWALL tries to bind (or log in) to the LDAP/AD server.

When the binding process is successful, the ZyWALL checks the user information in the directory against the user name and password pair.

If it matches, the user is allowed access. Otherwise, access is blocked.

RADIUS Server

RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.

ASAS

ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a ZyWALL OTP package in order to use this feature. The package contains server software and physical OTP tokens (PIN generators). Do the following to use OTP. See the documentation included on the ASAS’ CD for details.

Install the ASAS server software on a computer.

Create user accounts on the ZyWALL and in the ASAS server.

Import each token’s database file (located on the included CD) into the server.

Assign users to OTP tokens (on the ASAS server).

Configure the ASAS as a RADIUS server in the ZyWALL’s Configuration > Object > AAA Server screens.

Give the OTP tokens to (local or remote) users.

What You Need To Know

AAA Servers Supported by the ZyWALL

The following lists the types of authentication server the ZyWALL supports.

•

Local user database

The ZyWALL uses the built-in local user database to authenticate administrative users logging into the ZyWALL’s Web Configurator or network access users logging into the network through the ZyWALL. You can also use the local user database to authenticate VPN users.

•

Directory Service (LDAP/AD)

LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.

•

RADIUS

RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.

Directory Structure

The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or organizational boundaries.

Distinguished Name (DN)

A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas. The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique name for entries that have the same “parent DN” (“cn=domain1.com, ou=Sales, o=MyCompany” in the following examples).

cn=domain1.com, ou = Sales, o=MyCompany, c=US

cn=domain1.com, ou = Sales, o=MyCompany, c=JP

Base DN

A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country.

Bind DN

A bind DN is used to authenticate with an LDAP/AD server. For example a bind DN of cn=zywallAdmin allows the ZyWALL to log into the LDAP/AD server using the user name of zywallAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the ZyWALL will try to log in as an anonymous user. If the bind password is incorrect, the login will fail.

Finding Out More

•

See User-aware Access Control for an example of how to set up user and user group authentication using a RADIUS server.

Active Directory or LDAP Server Summary

Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the ZyWALL can use in authenticating users.

Configuration > Object > AAA Server > Active Directory (or LDAP)
label	description
Add	Click this to create a new entry.
Edit	Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove	To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Object References	Select an entry and click Object References to open a screen that shows which settings use the entry.
#	This field displays the index number.
Server Address	This is the address of the AD or LDAP server.
Base DN	This specifies a directory. For example, o=ZyXEL, c=US.

Adding an Active Directory or LDAP Server

Use this screen to create a new AD or LDAP entry or edit an existing one.

Configuration > Object > AAA Server > Active Directory (or LDAP) > Add
label	description
Name	Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Description	Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
Server Address	Enter the address of the AD or LDAP server.
Backup Server Address	If the AD or LDAP server has a backup server, enter its address here.
Port	Specify the port number on the AD or LDAP server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP server(s) in this group.
Base DN	Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US. This is only for LDAP.
Use SSL	Select Use SSL to establish a secure connection to the AD or LDAP server(s).
Search time limit	Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the AD or LDAP server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the AD or LDAP server(s) or the AD or LDAP server(s) is down.
Case-sensitive User Names	Select this if the server checks the case of the usernames.
Bind DN	Specify the bind DN for logging into the AD or LDAP server. Enter up to 127 alphanumerical characters. For example, cn=zywallAdmin specifies zywallAdmin as the user name.
Password	If required, enter the password (up to 15 alphanumerical characters) for the ZyWALL to bind (or log in) to the AD or LDAP server.
Retype to Confirm	Retype your new password for confirmation.
Login Name Attribute	Enter the type of identifier the users are to use to log in. For example “name” or “e-mail address”.
Alternative Login Name Attribute	If there is a second type of identifier that the users can use to log in, enter it here. For example “name” or “e-mail address”.
Group Membership Attribute	An AD or LDAP server defines attributes for its accounts. Enter the name of the attribute that the ZyWALL is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. Then you could also create a ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”.
Domain Authentication for MSChap	Select the Enable checkbox to enable domain authentication for MSChap. This is only for Active Directory.
User Name	Enter the user name for the user who has rights to add a machine to the domain. This is only for Active Directory.
User Password	Enter the password for the associated user name. This is only for Active Directory.
Retype to Confirm	Retype your new password for confirmation. This is only for Active Directory.
Realm	Enter the realm FQDN. This is only for Active Directory.
Configuration Validation	Use a user account from the server specified above to test if the configuration is correct. Enter the account’s user name in the Username field and click Test.
OK	Click OK to save the changes.
Cancel	Click Cancel to discard the changes.

RADIUS Server Summary

Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL can use in authenticating users.

Configuration > Object > AAA Server > RADIUS
label	description
Add	Click this to create a new entry.
Edit	Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove	To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Object References	Select an entry and click Object References to open a screen that shows which settings use the entry.
#	This field displays the index number.
Name	This is the name of the RADIUS server entry.
Server Address	This is the address of the AD or LDAP server.
Base DN	This specifies a directory. For example, o=ZyXEL, c=US.
Host	Enter the IP address (in dotted decimal notation) or the domain name (up to 63 alphanumeric characters) of a RADIUS server.
Authentication Port	The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
Key	Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and the ZyWALL.
Timeout	Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
Apply	Click Apply to save the changes.
Reset	Click Reset to return the screen to its last-saved settings.

Adding a RADIUS Server

Use this screen to create a new AD or LDAP entry or edit an existing one.

Configuration > Object > AAA Server > RADIUS > Add
label	description
Name	Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Description	Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
Server Address	Enter the address of the RADIUS server.
Authentication Port	Specify the port number on the RADIUS server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535.
Backup Server Address	If the RADIUS server has a backup server, enter its address here.
Backup Authentication Port	Specify the port number on the RADIUS server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535.
Timeout	Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
Case-sensitive User Names	Select this if you want configure your username as case-sensitive.
Key	Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and the ZyWALL.
Group Membership Attribute	A RADIUS server defines attributes for its accounts. Select the name and number of the attribute that the ZyWALL is to check to determine to which group a user belongs. If it does not display, select user-defined and specify the attribute’s number. This attribute’s value is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. Then you could also create a ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”.
OK	Click OK to save the changes.
Cancel	Click Cancel to discard the changes.