Configure LDAP Authentication
You can use an LDAP (Lightweight Directory Access Protocol) authentication server to authenticate your users with your Firebox. LDAP is an open-standard protocol for use with online directory services, and it operates with Internet transport protocols, such as TCP. Before you configure your Firebox for LDAP authentication, make sure you check the documentation from your LDAP server vendor to see if your installation supports the memberOf (or equivalent) attribute. When you configure your primary and backup LDAP server settings, you can select whether to specify the IP address or the DNS name of your LDAP server.
If your users authenticate with plain LDAP (port 389), the Firebox performs a simple bind, so the bind distinguished name (DN) and password cross the network in cleartext: anyone who can observe the traffic between the Firebox and the LDAP server can read them. To encrypt the exchange, select the LDAPS (LDAP over SSL/TLS) option. When you use LDAPS, the traffic between the LDAP client on your Firebox and your LDAP server is carried inside a TLS tunnel. When you enable this option, you can also choose whether the LDAPS client validates the LDAP server certificate against an imported CA certificate. Without validation, LDAPS still encrypts the traffic but does not prove that the Firebox is talking to the real server, so a man-in-the-middle that presents its own certificate sees the same cleartext credentials; with validation, that attack fails. If you choose to use LDAPS and you specify the DNS name of your server, make sure the search base you specify includes the DNS name of your server. The standard LDAPS port is 636. For Active Directory Global Catalog queries, the SSL port is 3269.
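To see concretely what "not encrypted" means, here is an added example (not WatchGuard code) that encodes an LDAPv3 simple BindRequest in BER exactly as a client sends it on port 389, then parses it back the way a passive observer on the network path would. The DN and password are constructed values, and the encoder covers only the simple-bind message shape the Firebox uses, not the full LDAP protocol.

```python
"""LDAPv3 simple BindRequest (RFC 4511, BER-encoded) as sent on port 389.
Added example, not WatchGuard code; the credentials are constructed.
Only the simple-bind message shape is implemented."""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0], primitive


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n):
    """Non-negative INTEGER; an extra leading zero keeps the sign bit clear."""
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    This is the shape of the bind the Firebox sends for its searching user
    (and again for the authenticating user) when LDAPS is off."""
    op = (ber_int(3)
          + tlv(OCTET_STRING, bind_dn.encode())
          + tlv(SIMPLE_AUTH, password.encode()))
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_REQUEST, op))


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def sniff_bind(pdu):
    """What a passive observer of unencrypted LDAP recovers from a simple
    bind: (messageID, DN, password). Returns None for any other message."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != SEQUENCE:
        return None
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        return None
    _, _version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    tag, cred, _ = read_tlv(op, pos)
    if tag != SIMPLE_AUTH:
        return None        # SASL bind: credentials are not a plain password
    return int.from_bytes(mid, "big"), name.decode(), cred.decode()


if __name__ == "__main__":
    pdu = bind_request(1, "cn=Administrator,cn=Users,dc=example,dc=com", "s3cret")
    print(pdu.hex())
    print(sniff_bind(pdu))
```

The password sits in the PDU as a plain octet string with no transformation at all, so `b"s3cret" in pdu` is true. LDAPS wraps this same PDU in TLS, which is why the page recommends it, and it is also why certificate validation matters: a man-in-the-middle that terminates the TLS session sees these identical bytes.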
For authentication to an Active Directory server, WatchGuard recommends that you configure Active Directory authentication on the Firebox rather than LDAP authentication. For more information, see Configure Active Directory Authentication.
When you configure the LDAP authentication method, you set a search base to specify where in the authentication server directories the Firebox can search for an authentication match. If your domain name is example.com, you can use the search base dc=example,dc=com.
If you want to restrict the LDAP search to the OU (Organizational Unit) named accounts, you can use the search base ou=accounts,dc=example,dc=com. Any user or group you use in the Firebox configuration must be within this OU; entries outside it are never returned by the search.
If your user group objects are in another OU named groups, with user accounts in an OU named accounts, and your domain name is example.com, use the search base dc=example,dc=com so that both OUs are within the search base.
If you use an OpenLDAP server without the memberOf overlay, and the default Group String setting of memberOf does not return correct group information for your users (for example, because users are spread across more than one OU), you can configure the Firebox to use another group attribute instead. For user groups, you can specify the attributes member, memberUid, or gidNumber. These are attributes of the group entries, not object classes, so the Firebox must find the group entries within the search base to resolve membership. For more information about these attributes, see RFC 2256 (member) and RFC 2307 (memberUid, gidNumber).
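The following added example (not WatchGuard code) models the two lookups the settings above describe: find the user under the search base by the login attribute, then resolve group names through the configured Group String. The in-memory directory is constructed for the example, with users in ou=accounts and groups in ou=groups, and one user whose server lacks the memberOf overlay. DN parsing is simplified and assumes no escaped commas. It also builds the RFC 4515 search filter with the username escaped, which matters when you reproduce the user search with ldapsearch.

```python
"""Search-base and Group String lookups, modelled against a constructed
in-memory directory. Added example for this page, not WatchGuard code.
DN handling is simplified: RDNs are split on commas and escaped commas
are not supported."""

GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "posixgroup"}

# Constructed directory (DN -> attributes), laid out as in the text:
# users in ou=accounts, groups in ou=groups. bob's entry has no memberOf
# because his server lacks the memberOf overlay.
DIRECTORY = {
    "uid=alice,ou=accounts,dc=example,dc=com": {
        "uid": ["alice"], "gidNumber": ["5000"],
        "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=accounts,dc=example,dc=com": {
        "uid": ["bob"], "gidNumber": ["5000"]},
    "cn=vpn-users,ou=groups,dc=example,dc=com": {
        "cn": ["vpn-users"], "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=accounts,dc=example,dc=com"]},
    "cn=admins,ou=groups,dc=example,dc=com": {
        "cn": ["admins"], "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=bob,ou=accounts,dc=example,dc=com"]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "cn": ["staff"], "objectClass": ["posixGroup"],
        "gidNumber": ["5000"], "memberUid": ["alice", "bob"]},
}


def dn_parts(dn):
    """Normalised RDN list: lower-case, surrounding whitespace removed."""
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(dn, search_base):
    """True when dn lies at or below search_base (subtree search)."""
    base = dn_parts(search_base)
    return dn_parts(dn)[-len(base):] == base


def get(entry, attr):
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def is_group(entry):
    return bool(GROUP_CLASSES & {c.lower() for c in get(entry, "objectClass")})


def search_filter(login_attr, username):
    """RFC 4515 filter for the user lookup. The username is escaped so that
    characters like * ( ) and backslash cannot widen or break the filter."""
    escaped = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c
                      for c in username)
    return "(%s=%s)" % (login_attr, escaped)


def find_user(directory, search_base, login_attr, username):
    """First lookup: the entry under search_base whose login attribute
    equals the name the user typed. Returns its DN, or None."""
    for dn, entry in directory.items():
        values = [v.lower() for v in get(entry, login_attr)]
        if in_scope(dn, search_base) and username.lower() in values:
            return dn
    return None


def user_groups(directory, search_base, user_dn, group_string,
                login_attr="uid"):
    """Second lookup: group names for user_dn via the Group String.
    memberOf is read straight off the user entry; the other attributes
    live on the group entries, which must themselves be under search_base
    or they are never seen."""
    user = directory[user_dn]
    attr = group_string.lower()
    if attr == "memberof":
        return sorted(dn_parts(g)[0].split("=", 1)[1]
                      for g in get(user, "memberOf"))
    if attr in ("member", "uniquemember"):      # values are member DNs
        wanted = dn_parts(user_dn)
        match = lambda v: dn_parts(v) == wanted
    elif attr == "memberuid":                   # values are login names
        wanted = get(user, login_attr)[0].lower()
        match = lambda v: v.lower() == wanted
    elif attr == "gidnumber":                   # primary group by number
        wanted = get(user, "gidNumber")
        match = lambda v: v in wanted
    else:
        raise ValueError("unsupported Group String: " + group_string)
    groups = set()
    for dn, entry in directory.items():
        if not (is_group(entry) and in_scope(dn, search_base)):
            continue
        if any(match(v) for v in get(entry, group_string)):
            groups.add(get(entry, "cn")[0])
    return sorted(groups)
```

With the search base ou=accounts,dc=example,dc=com, bob is found but his uniqueMember lookup returns nothing, because the group entries in ou=groups are outside the base; with dc=example,dc=com it returns admins. With the default memberOf, bob gets no groups at all, which is the symptom the paragraph above describes on a server without the overlay.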
If you enable LDAPS, you can choose to validate the LDAP server certificate with an imported Certificate Authority (CA) certificate. If you select to validate the LDAP server certificate, you must import the root CA certificate from the CA that signed the LDAP server certificate, so your Firebox can use the CA certificate to validate the LDAP server certificate. When you import the CA certificate, make sure to select the IPSec, Web Server, Other option.
For more information about how to import certificates with Fireware Web UI, see Manage Device Certificates (Web UI).
For more information about how to import certificates with Firebox System Manager, see Manage Device Certificates (WSM).
PhoneFactor authentication is a multiple-factor authentication system that uses phone calls to determine the identity of users. Because it uses more than one out-of-band method (phone calls, text messages, and push notifications) and an OATH passcode, PhoneFactor provides flexible options for users and a single multiple-factor platform to manage.
If you use PhoneFactor authentication with your LDAP server, the timeout value in the LDAP authentication server settings must allow for the out-of-band PhoneFactor step. For PhoneFactor authentication, set the timeout value to more than 10 seconds, because the user must answer the phone call, text message, or push notification before the authentication completes; a shorter timeout can cause the Firebox to give up on the server before the second factor finishes.
To configure LDAP authentication, from Fireware Web UI:
1. Select Authentication > Servers.
   The Authentication Servers page appears.
2. From the Server list, select LDAP.
   The LDAP server settings appear.
3. Select the Enable LDAP Server check box.
   The LDAP server settings are enabled.
4. From the IP Address/DNS Name drop-down list, select whether to use the IP address or DNS name to contact your primary LDAP server.
5. In the IP Address/DNS Name text box, type the IP address or DNS name of the primary LDAP server for the device to contact with authentication requests.
   The LDAP server can be located on any Firebox interface. You can also configure your device to use an LDAP server on a remote network through a VPN tunnel.
6. In the Port text box, type the TCP port number for the Firebox to use to connect to the LDAP server. The default port number is 389.
   If you enable LDAPS, you must select port 636.
7. In the Timeout text box, type or select the number of seconds the device waits for a response from the LDAP server before it closes the connection and tries to connect again.
8. In the Search Base text box, type the search base in standard DN format: one dc= component for each label of your domain name, optionally preceded by ou=<organizational unit> to limit the search to one OU.
   For example: ou=accounts,dc=example,dc=com
9. In the Group String text box, type the group string attribute.
   The default attribute is memberOf.
   This attribute holds user group information on the LDAP server. On many LDAP servers the group attribute is uniqueMember; on other servers, it is member. For user groups on an OpenLDAP server without memberOf overlay support, you can also specify the attributes member, memberUid, or gidNumber.
10. In the DN of Searching User text box, type the distinguished name (DN) of the account the Firebox binds with for the user search.
    You can use any DN with the privilege to search LDAP, such as an administrator, but a dedicated account that has only search (read) rights is the better choice: this password is stored in the Firebox configuration and, without LDAPS, is sent to the server in cleartext.
    For example, cn=Administrator,cn=Users,dc=example,dc=com.
11. In the Password of Searching User text box, type the password associated with the DN of Searching User.
12. From the Login Attribute drop-down list, select the LDAP login attribute to use for authentication.
    The login attribute is the attribute the Firebox searches for the name the user typed, and the matching entry is then used for the bind. The default login attribute is uid. If you use uid, the DN of Searching User and the Password of Searching User text boxes can be empty; the Firebox then searches without binding first, which your LDAP server must allow.
13. In the Dead Time text box, type or select the amount of time after which an inactive server is marked as active again. To set the duration, from the adjacent drop-down list, select Minutes or Hours.
    After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not try this server until it is marked as active again.
14. To enable secure SSL/TLS connections to your LDAP server, select the Enable LDAPS check box.
15. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port message dialog box appears. To use the default port, click Yes. To use the port you specified, click No.
16. To verify the certificate of the LDAP server against the imported CA certificate, select the Validate server certificate check box.
    Without validation, LDAPS encrypts the traffic but accepts any certificate, so select this option whenever the CA certificate is available to import.
17. To specify optional attributes for the primary LDAP server, complete the settings in the LDAP Server Optional Settings section.
    For more information about how to configure optional settings, see the next section.
18. To add a backup LDAP server, select the Secondary tab, and select the Enable Secondary LDAP Server check box.
19. Repeat Steps 3–16 to configure the backup server. LDAP has no shared secret; the backup server must serve the same directory (for example, a replica), and the search base, searching-user credentials, group string, and login attribute you specify must be valid on both servers.
    For more information, see Use a Backup Authentication Server.
20. Click Save.
To configure LDAP authentication, from Policy Manager:
1. Select Setup > Authentication > Authentication Servers.
   The Authentication Servers dialog box appears.
2. Select the LDAP tab.
3. Select the Enable LDAP server check box.
   The LDAP server settings are enabled.
4. From the IP Address/DNS Name drop-down list, select whether to use the IP address or DNS name to contact your primary LDAP server.
5. In the IP Address/DNS Name text box, type the IP address or DNS name of the primary LDAP server for the device to contact with authentication requests.
   The LDAP server can be located on any Firebox interface. You can also configure your device to use an LDAP server on a remote network through a VPN tunnel.
6. In the Port text box, type the TCP port number for the Firebox to use to connect to the LDAP server. The default port number is 389.
   If you enable LDAPS, you must select port 636.
7. In the Timeout text box, type or select the number of seconds the device waits for a response from the LDAP server before it closes the connection and tries to connect again.
8. In the Search Base text box, type the search base in standard DN format: one dc= component for each label of your domain name, optionally preceded by ou=<organizational unit> to limit the search to one OU.
   For example: ou=accounts,dc=example,dc=com
9. In the Group String text box, type the group string attribute.
   The default attribute is memberOf.
   This attribute holds user group information on the LDAP server. On many LDAP servers the group attribute is uniqueMember; on other servers, it is member. For user groups on an OpenLDAP server without memberOf overlay support, you can also specify the attributes member, memberUid, or gidNumber.
10. In the DN of Searching User text box, type the distinguished name (DN) of the account the Firebox binds with for the user search.
    You can use any DN with the privilege to search LDAP, such as an administrator, but a dedicated account that has only search (read) rights is the better choice: this password is stored in the Firebox configuration and, without LDAPS, is sent to the server in cleartext.
    For example, cn=Administrator,cn=Users,dc=example,dc=com.
11. In the Password of Searching User text box, type the password associated with the DN of Searching User.
12. In the Login Attribute text box, type the LDAP login attribute to use for authentication.
    The login attribute is the attribute the Firebox searches for the name the user typed, and the matching entry is then used for the bind. The default login attribute is uid. If you use uid, the DN of Searching User and the Password of Searching User text boxes can be empty; the Firebox then searches without binding first, which your LDAP server must allow.
13. In the Dead Time text box, type or select the amount of time after which an inactive server is marked as active again. To set the duration, from the adjacent drop-down list, select minutes or hours.
    After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not try this server until it is marked as active again.
14. To enable secure SSL/TLS connections to your LDAP server, select the Enable LDAPS check box.
15. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port message dialog box appears. To use the default port, click Yes. To use the port you specified, click No.
16. To verify the certificate of the LDAP server against the imported CA certificate, select the Validate server certificate check box.
    Without validation, LDAPS encrypts the traffic but accepts any certificate, so select this option whenever the CA certificate is available to import.
17. To specify optional attributes for the primary LDAP server, click Optional Settings.
    For more information about how to configure optional settings, see the next section.
18. To add a backup LDAP server, select the Backup Server Settings tab and select the Enable a backup LDAP server check box.
19. Repeat Steps 3–16 to configure the backup server. LDAP has no shared secret; the backup server must serve the same directory (for example, a replica), and the search base, searching-user credentials, group string, and login attribute you specify must be valid on both servers.
    For more information, see Use a Backup Authentication Server.
20. Click OK.
21. Save the Configuration File.
About LDAP Optional Settings
Fireware can get additional information from the LDAP server when it reads the list of attributes in the server’s search response. This lets you use the directory server to assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with IPSec address assignments. Because the data comes from LDAP attributes associated with individual user objects, you are not limited to the global settings specified in the device configuration file. You can set these parameters for each individual user.
For more information, see Use Active Directory or LDAP Optional Settings.
Test the Connection to the Server
To make sure that your Firebox can connect to your LDAP server and successfully authenticate your users, from Fireware Web UI, you can test the connection to your authentication server. You can also use this feature to determine if a specific user is authenticated and to get authentication group information for that user.
You can test the connection to your authentication server from the Authentication Servers page for your server, or you can navigate directly to the Server Connection page in Fireware Web UI.
To navigate to the Server Connection page from the Authentication Servers page:
1. Click Test Connection for LDAP and Active Directory.
   The Server Connection page appears.
2. Follow the instructions in the Server Connection topic to test the connection to your server.
For instructions to navigate directly to the Server Connection page in Fireware Web UI, see Server Connection.