With IWSVA, if you want to use a user/group-based policy and you have an LDAP server
               on the network, choose the User/Group Authentication Setting. Contact your LDAP administrator
               for information about the various LDAP attribute settings.
            Select your preferred method of user identification for reports, logs, notification
               messages, and for creating scan policies.
            
               
               User/Group Authentication Settings
               
               Basic (single Active Directory server)
               
                With IWSVA's enhanced LDAP functionality, several Microsoft Active Directory settings
                   can be detected automatically, which simplifies your configuration. Many sites use Microsoft
                   Active Directory; this option is usually the best choice for less complex configurations.
               
                Under the Basic view, only the following settings are necessary:
                
                   - Domain name 
                   - Service account 
                   - Password 
                The directory must be Microsoft Active Directory for the auto-detect function
                   to work correctly. IWSVA automatically detects all the available servers for the given
                   domain and then chooses the most appropriate one for your configuration, together with
                   the other required settings.
               
                IWSVA does auto-detection as follows:
                
                   - Acquires the LDAP server list through a DNS query 
                   - Filters out servers it cannot connect to 
                   - Selects the fastest GC or DC as the primary LDAP server when more than one
                     GC or DC is found among the LDAP servers 
                   - Translates the domain name into a BDN (base distinguished name) 
                   - Generates the Kerberos information and authenticates with it 
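The sequence above can be simulated end to end. The following Python is an added example written for this page, not IWSVA code. It treats the DNS step as lookups of the Active Directory SRV records _ldap._tcp.dc._msdcs.<domain> and _gc._tcp.<domain>, takes "fastest" to mean lowest connect latency, and expands the DNS domain into the AD default naming context as the BDN; all three are assumptions about how the appliance works, and the DNS answers and connect probes are constructed so the code runs offline. It generates the Kerberos realm and KDC but does not perform the authentication step.

```python
"""Simulation of the Active Directory auto-detection sequence listed above.

Added example, not IWSVA code.  Assumptions not stated on the page: the DNS
query is for the AD SRV records _ldap._tcp.dc._msdcs.<domain> (domain
controllers) and _gc._tcp.<domain> (global catalogs); "fastest" means lowest
connect latency; BDN is the base distinguished name, i.e. the AD default
naming context derived from the DNS domain.  DNS answers and probe results
are constructed so the example runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SrvRecord:
    target: str
    port: int
    role: str  # "DC" (389/tcp) or "GC" (3268/tcp)


# Constructed stand-in for the two SRV lookups (step 1).
FAKE_DNS: dict[str, list[SrvRecord]] = {
    "corp.example.com": [
        SrvRecord("dc1.corp.example.com", 389, "DC"),
        SrvRecord("dc2.corp.example.com", 389, "DC"),
        SrvRecord("gc1.corp.example.com", 3268, "GC"),
        SrvRecord("dc-old.corp.example.com", 389, "DC"),
    ],
}

# Constructed TCP-connect probe results in milliseconds; None = unreachable.
FAKE_LATENCY_MS: dict[tuple[str, int], Optional[float]] = {
    ("dc1.corp.example.com", 389): 12.0,
    ("dc2.corp.example.com", 389): 4.5,
    ("gc1.corp.example.com", 3268): 7.0,
    ("dc-old.corp.example.com", 389): None,
}


def query_srv(domain: str) -> list[SrvRecord]:
    """Step 1: acquire the LDAP server list (stand-in for the DNS SRV query)."""
    return list(FAKE_DNS.get(domain.lower(), []))


def probe(rec: SrvRecord) -> Optional[float]:
    """Stand-in for a TCP connect to rec.target:rec.port; None if it fails."""
    return FAKE_LATENCY_MS.get((rec.target, rec.port))


def domain_to_bdn(domain: str) -> str:
    """Step 4: DNS domain -> base DN, e.g. corp.example.com -> DC=corp,DC=example,DC=com."""
    labels = [label for label in domain.strip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def kerberos_settings(domain: str, primary: SrvRecord) -> dict:
    """Step 5 (generation only): the AD realm is the upper-cased DNS name and
    every DC is a KDC on 88/tcp (assumption: IWSVA derives these the same way)."""
    return {"realm": domain.upper(), "kdc": primary.target, "port": 88}


def autodetect(domain: str,
               query: Callable[[str], list[SrvRecord]] = query_srv,
               probe_fn: Callable[[SrvRecord], Optional[float]] = probe) -> dict:
    records = query(domain)
    if not records:
        raise LookupError(f"no LDAP SRV records for {domain}")
    # Step 2: filter out servers the probe could not connect to.
    reachable = [(lat, r) for r in records if (lat := probe_fn(r)) is not None]
    if not reachable:
        raise ConnectionError(f"no reachable GC/DC for {domain}")
    # Step 3: the fastest GC or DC becomes the primary; the rest are backups.
    reachable.sort(key=lambda t: t[0])
    primary = reachable[0][1]
    return {
        "primary": f"{primary.target}:{primary.port}",
        "role": primary.role,
        "backups": [r.target for _, r in reachable[1:]],
        "bdn": domain_to_bdn(domain),
        "kerberos": kerberos_settings(domain, primary),
    }


if __name__ == "__main__":
    print(autodetect("corp.example.com"))
```

Replacing query_srv and probe with real SRV lookups and TCP connects turns the stub into a usable pre-check of what the appliance will find for a domain; the server it picks is the one whose certificate and reachability you should verify before enabling StartTLS or LDAPS.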
Advanced (other or multiple LDAP servers)
               
               Use this option to do fine-grained or complex LDAP configurations. Besides Active
                  Directory, other LDAP servers as well as multi-domain forests and redundant LDAP servers
                  are supported in the Advanced (other or multiple LDAP servers) view. You can add multiple domains for User/Group Authentication. IWSVA sequentially
                  queries these domains for user identification and policy enforcement.
               
                To use Advanced (other or multiple LDAP servers) from the web console, click Administration > IWSVA Configuration > User Identification and select Advanced (other or multiple LDAP servers) under User Identification.
               
                You can add, remove, or edit domain configurations from the Advanced (other or multiple LDAP servers) view; the view lists all the configured domains. View the details of
                   any one domain by clicking the domain name or the down-arrow button.
               
               
                  
                     
                   Note: IWSVA cannot detect that one configured domain is a sub-domain of another. If you specify two
                      domains and one is a sub-domain of the other, IWSVA still treats them as independent domains.
                  
                
               
                To configure the New LDAP Configuration page:
                
                   - Enable Advanced (other or multiple LDAP servers) and click Add New Domain, or click an existing LDAP domain name to view its details. 
                   - Enter or edit the settings on the page. 
                     Note: The default encryption method is None, which sends binds and directory
                     queries over the network in cleartext. If the LDAP server supports the LDAPv3 StartTLS
                     extension or LDAP over SSL, select the corresponding encryption method.
                   - For the Authentication Method, select one that your LDAP server supports (see the vendor table below), then enter
                     your Kerberos domain or realm, the Kerberos server, and the Kerberos port. 
                   - For Authentication High Availability, you can enable additional servers for the same domain by selecting Enable additional LDAP servers for the same domain. Set the server relationship (Round Robin or Fail-over) and enter the names of any
                     additional backup LDAP servers. 
                Configuring one domain by hand is a considerable undertaking. To complete a simple configuration,
                   use the auto-detect button provided in the Basic view. It automatically fills in the
                   form, and you can then modify the domain configuration based on the auto-detected
                   output. This button is only available for Microsoft Active Directory users
                   in the Basic view.
               
                To some extent, the authentication method settings depend on the LDAP vendor: some
                   authentication methods are only valid for certain vendors. The following table shows
                   which methods each supported vendor accepts.
                
                LDAP Vendor Authentication Method Relationships
                
                   | Authentication method | Active Directory | OpenLDAP |
                   | Simple                | No               | Yes      |
                   | Kerberos              | Yes              | Yes      |
                   | Digest-MD5            | No               | Yes      |
                
                Sync with LDAP Servers
                
                Pressing this button initiates a manual synchronization with the LDAP server to synchronize
                   the user group information. The button appears after a new domain has been added successfully.
               
                IWSVA supports high availability for LDAP authentication. You can specify a backup
                   LDAP server that shares the same configuration as the primary one. Two
                   high availability modes are supported:
                
                   - Round Robin: By default, IWSVA alternately authenticates users with all LDAP servers. 
                   - Fail-over: When the primary server is down, IWSVA refers to the other servers to authenticate
                     users. 
                
                Each domain can configure only one BDN and LDAP server type, and the BDN must be
                   unique across domains. When multiple domains are configured, you can use any account that belongs to any
                   domain to log in. IWSVA first checks the domain name given in the login, then authenticates the user
                   against the server of the matching domain. If no domain name is given, it uses
                   the first configured domain as the default login domain.
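As an added example that is not IWSVA code, the following Python shows the server selection for one domain under the two modes, plus the lookup that routes a login to the matching configured domain. The login formats DOMAIN\user, user@domain and a bare user name, and the matching of a short domain name against the first DNS label, are assumptions; server health comes from a constructed callback.

```python
"""Added example, not IWSVA code: server selection under Round Robin and
Fail-over for one domain, and login-name to domain resolution when several
domains are configured.  Assumed (not stated on the page): logins arrive as
DOMAIN\\user, user@domain or a bare user name, and a short domain name is
matched against the first label of the configured DNS domain.
"""
from __future__ import annotations

import itertools
from typing import Callable, Iterable


class LdapServerPool:
    """Primary and backup servers of one domain; all share the same LDAP settings."""

    def __init__(self, servers: Iterable[str], mode: str,
                 is_up: Callable[[str], bool]) -> None:
        if mode not in ("round-robin", "fail-over"):
            raise ValueError(f"unknown HA mode: {mode}")
        self.servers = list(servers)
        if not self.servers:
            raise ValueError("at least one LDAP server is required")
        self.mode = mode
        self.is_up = is_up  # health probe, constructed in the test
        self._next = itertools.cycle(range(len(self.servers)))

    def _order(self) -> list[str]:
        if self.mode == "fail-over":
            # Primary first; backups are consulted only when it is down.
            return list(self.servers)
        # Round Robin: rotate the starting point on every request.
        start = next(self._next)
        n = len(self.servers)
        return [self.servers[(start + i) % n] for i in range(n)]

    def pick(self) -> str:
        """Return the first reachable server in this request's order."""
        for server in self._order():
            if self.is_up(server):
                return server
        raise ConnectionError("no LDAP server for this domain is reachable")


def resolve_login(login: str, domains: list[str]) -> tuple[str, str]:
    """Return (configured domain, user name) for a login.

    The domain part of the login is matched against the configured domains;
    a login without a domain part goes to the first configured domain.
    """
    if not domains:
        raise ValueError("no domains configured")
    if "\\" in login:
        dom, user = login.split("\\", 1)          # DOMAIN\user
    elif "@" in login:
        user, dom = login.rsplit("@", 1)           # user@domain
    else:
        return domains[0], login                   # default login domain
    wanted = dom.lower()
    for configured in domains:
        full = configured.lower()
        # Assumption: the short name is the first label of the DNS domain.
        if wanted in (full, full.split(".")[0]):
            return configured, user
    raise LookupError(f"login domain {dom!r} is not a configured domain")
```

Note that with Fail-over a backup server is only ever contacted after the primary has failed a health check, whereas Round Robin spreads every authentication across all servers, so a misconfigured backup shows up immediately under Round Robin and only during an outage under Fail-over.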
After your configuration is ready, click Save. Click Cancel to start over. After successfully saving your configuration, return to the LDAP server
                  list.
               
                The following conditions cannot be saved; you will be prompted with a corresponding
                   error message:
                
                   - No LDAP servers present 
                   - No BDN listed 
                   - Missing administrator account or password 
                   - Missing authentication information when choosing Advanced Authentication Mode 
                   - Failing to pass the LDAP connection test 
Global Authentication Cache Settings
               
                Fixed TTL - Each record in the Client IP to User ID cache has its own expiration time.
                   When a record's life reaches its expiration time, the record is purged. The expiration
                   time for a record is calculated as follows:
                
                Expiration time = Record generation time + Fixed TTL
                
                Last active TTL - When a record is added to the Client IP to User ID cache, it receives a pre-configured
                   expiration interval, for example 360 seconds. If the record is hit before its expiration time,
                   its expiration interval is refreshed and becomes 360 seconds again. If a record is not hit
                   during the expiration interval, it is purged.
                
                By default, Last Active TTL is enabled.
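The two policies side by side, as an added example that is not IWSVA code. A fake clock replaces time.time() so the timeline is deterministic; the 360-second TTL is the page's own example value, and the IP address and user names are constructed.

```python
"""Added example, not IWSVA code: the two expiry policies for the Client IP to
User ID cache described above.  A fake clock stands in for time.time() so the
timeline is deterministic; 360 s is the page's own example TTL.
"""
from __future__ import annotations

import time
from typing import Callable, Optional


class IpUserCache:
    def __init__(self, ttl_seconds: float, mode: str = "last-active",
                 clock: Callable[[], float] = time.time) -> None:
        if mode not in ("fixed", "last-active"):
            raise ValueError(f"unknown TTL mode: {mode}")
        self.ttl = ttl_seconds
        self.mode = mode
        self.clock = clock
        self._entries: dict[str, tuple[str, float]] = {}  # ip -> (user, expires_at)

    def put(self, ip: str, user: str) -> None:
        # Expiration time = record generation time + TTL (both modes).
        self._entries[ip] = (user, self.clock() + self.ttl)

    def get(self, ip: str) -> Optional[str]:
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, expires_at = entry
        now = self.clock()
        if now >= expires_at:
            del self._entries[ip]  # the record's life reached its expiration time
            return None
        if self.mode == "last-active":
            # A hit restarts the interval; under fixed TTL expires_at never moves.
            self._entries[ip] = (user, now + self.ttl)
        return user

    def expires_at(self, ip: str) -> Optional[float]:
        entry = self._entries.get(ip)
        return None if entry is None else entry[1]

    def purge_expired(self) -> int:
        """Drop every record whose life has reached its expiration time."""
        now = self.clock()
        stale = [ip for ip, (_, exp) in self._entries.items() if now >= exp]
        for ip in stale:
            del self._entries[ip]
        return len(stale)


class FakeClock:
    """Manually advanced clock so the example does not depend on wall time."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


def lifetime(mode: str, hit_times: list[float], ttl: float = 360.0) -> float:
    """Insert a record at t=0, hit it at the given times, and return the time
    at which it will finally expire under the chosen mode."""
    clock = FakeClock()
    cache = IpUserCache(ttl, mode, clock)
    cache.put("10.0.0.5", "alice")  # constructed client IP and user
    for t in sorted(hit_times):
        clock.now = t
        if cache.get("10.0.0.5") is None:
            raise RuntimeError(f"record had already expired before the hit at t={t}")
    return cache.expires_at("10.0.0.5")


if __name__ == "__main__":
    print("fixed:", lifetime("fixed", [300, 350]))          # 360.0
    print("last-active:", lifetime("last-active", [300, 350]))  # 710.0
```

The practical difference matters most on a shared address: in a NAT or terminal-server environment one IP carries traffic from many users, so under Last Active TTL the entry mapping that IP to the first user who authenticated can be kept alive indefinitely by other users' requests. That is why the page points NAT and terminal-server deployments at Cookie Mode rather than IP-based identification.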
               
               Standard Authentication Method
               
               Standard Authentication can be configured by selecting Standard Authentication (provided
                  by the operating system or browser) option on the Administration > IWSVA Configuration > User Identification screen from the Web console.
               
               In Standard Authentication, authentication is implemented through the authentication
                  features provided by OS or browser.
               
                When a client that is a member of the domain accesses the web through a browser
                   that supports NTLM authentication, no pop-up window asks for credentials: the
                   browser sends the authentication information automatically.
                
                If the client is not a domain member, the browser does not support NTLM authentication,
                   or automatic authentication is disabled in the browser, a pop-up window requests
                   credentials because automatic authentication cannot take place.
               
               Captive Portal
               
                IWSVA uses two authentication methods:
                
                   - Standard Authentication (provided by the operating system or browser) 
                   - Captive Portal (Custom Authentication Page delivered by IWSVA to browser) 
                
               To configure Captive Portal, select the Captive Portal (Custom Authentication Page
                  delivered by IWSVA to browser) option on the Administration > IWSVA Configuration > User Identification screen from the Web console.
               
                If the Captive Portal is configured, the custom authentication page appears and credentials
                   are requested the first time a client accesses the web, even when the client is a domain
                   member (automatic authentication is not performed transparently).
               
               The login interface screen can be customized. The screen appears when users access
                  the restricted network for the first time or users are not recognized by IWSVA.
               
               Advanced Mode
               
                IWSVA also provides an Advanced mode to create a customized Captive Portal by writing
                   your own HTML. However, at the very least the following JavaScript must be
                   inserted into the customized Captive Portal:
                
                   function accesspolicy() {
                       // Current page URL, of the form ...?forward=<original URL>&IP...
                       var str1 = window.location.href;
                       // Locate the forwarded URL between "?forward=" and "&IP"
                       var s = str1.indexOf("?forward=");
                       var d = str1.indexOf("&IP");
                       // "?forward=" is 9 characters long; append the guest policy marker
                       var uri = str1.substring(s + 9, d) + "/$$$GUEST_POLICY$$$";
                       return uri;
                   }
                
                The function assumes both markers are present; if "&IP" is missing, indexOf returns -1
                   and the substring is not the forwarded URL. The text that accompanies the script in the
                   page consists of the form labels "User name:" and "Password:" and the prompt "If you
                   are a guest, please select the Guest Access option to access the Internet".
                
                This JavaScript is required for the Authentication Form, the Guest Access button,
                   and the Event Handler to appear. Without this script, users will be unable to pass
                   the authentication.
               
               Allow Guest Login
               
               You can enable guest access when the Allow Guest Login box is checked. When enabled, an additional button labeled Guest appears. Guests can access the Internet by selecting this button, however, their
                  behavior is under the control of the guest policy. The guest policy automatically
                  appears when guest access is enabled in the policy list. Otherwise, it is invisible.
               
                To allow guest access:
                
                   - In the Authentication Method section, select the Captive Portal (Custom Authentication Page delivered by IWSVA to browser) option. 
                   - Click the Allow Guest Login checkbox. 
                   - You can predesign a "look" for the Captive Portal page and save it as HTML. Match
                     the look and feel of your own corporate branding through the use of colors, logos,
                     and text. Copy and paste your customized HTML code into the empty box. Use the <%cred%>
                     tag to display the login credentials and guest access buttons. 
                   - Click Preview Login Screen to view your results. 
                   - Click Save to preserve your settings. 
Cookie Mode
               
               Cookie mode is used for user identification in NAT and terminal server environments.
                  To use Cookie Mode, ensure that Adobe Flash Player has been installed on the client
                  machine and that browser cookies are enabled.
               
               Cookie Mode is only available when user/group authentication is enabled and Captive
                  Portal is selected.
               
               Use the "Stay signed in" option on the Captive Portal login page to enable cookie
                  "lifetime" for up to one year. If the "Stay signed in" option is not selected, cookie
                  "lifetime" is one day.
               
               None
               
               (Not recommended) Logged events and reports will be anonymous; URL Filtering and other
                  policies are created based on IP addresses.
               