Use Active Directory or LDAP Optional Settings
When Fireware contacts the directory server (Active Directory or LDAP) to search for information about a user, it can read additional attributes from the search response the server returns. This lets you use the directory server to assign extra parameters to the authenticated user session, such as timeouts and Mobile VPN address assignments. Because the data comes from attributes on individual user objects, you can set these parameters per user instead of relying only on the global settings in the device configuration file.
Before You Begin
To use these optional settings you must:
- Extend the directory schema to add new attributes for these items.
- Make the new attributes available to the object class that user accounts belong to.
- Give values to the attributes for the user objects that should use them.
Plan and test your directory schema carefully before you extend it in production. Additions to the Active Directory schema, for example, are permanent: a schema attribute can be deactivated but not deleted. Use the Microsoft® website to get resources to plan, test, and implement changes to an Active Directory schema. Consult the documentation from your LDAP vendor before you extend the schema for other directories.
Specify Active Directory or LDAP Optional Settings
You can specify the additional attributes Fireware looks for in the search response from the directory server.
Fireware Web UI
- Select Authentication > Servers.
The Authentication Servers page appears.
- From the Authentication Servers list, select LDAP or Active Directory and make sure the server is enabled.
- If you selected LDAP, in the Optional Settings section, type the attributes to include in the directory search in the string fields as defined in the next section.
- If you selected Active Directory:
- Select a server and click Edit.
- Click the Optional Settings tab.
- Type the attributes to include in the directory search in the string fields as defined in the next section.
- Click Save.
The attribute settings are saved.
Policy Manager
- Select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
- Select the LDAP or Active Directory tab and make sure the server is enabled.
- If you selected LDAP:
- Click Optional Settings.
The LDAP Server Optional Settings dialog box appears.
- Type the attributes to include in the directory search in the string fields as defined in the next section.
- Click OK.
The attribute settings are saved.
- If you selected Active Directory:
- Select a server and click Edit.
- Click the Optional Settings tab.
- Type the attributes to include in the directory search in the string fields as defined in the next section.
- Click Save.
The attribute settings are saved.
LDAP and Active Directory Optional Attribute Strings
IP Attribute String
This is a legacy setting.
Type the name of the attribute for Fireware to use to assign a virtual IP address to the Mobile VPN client. This must be a single-valued attribute that contains an IPv4 address in dotted-decimal format. The IP address must be within the pool of virtual IP addresses you specify when you create the Mobile VPN Group.
If the Firebox does not see the IP attribute in the search response, or if you do not specify an attribute, it assigns the Mobile VPN client a virtual IP address from the virtual IP address pool you create when you make the Mobile VPN Group.
Netmask Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute for Fireware to use to assign a subnet mask to the Mobile VPN client's virtual IP address. This must be a single-valued attribute that contains a subnet mask in dotted-decimal format.
The Mobile VPN software automatically assigns a netmask if the Firebox does not see the netmask attribute in the search response, or if you do not specify the netmask.
DNS Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute Fireware uses to assign the Mobile VPN client one or more DNS addresses for the duration of the Mobile VPN session. This can be a multi-valued attribute, and each value must be a normal dotted-decimal IP address. If the Firebox does not see the DNS attribute in the search response, or if you do not specify an attribute, it uses the DNS addresses you specify when you configure the settings for DNS servers.
For more information about how to configure these servers, go to Configure DNS and WINS Servers for Mobile VPN with IPSec.
WINS Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute Fireware should use to assign the Mobile VPN client one or more WINS addresses for the duration of the Mobile VPN session. This can be a multi-valued attribute, and each value must be a normal dotted-decimal IP address. If the Firebox does not see the WINS attribute in the search response, or if you do not specify an attribute, it uses the WINS addresses you specify when you configure the settings for WINS servers.
For more information about how to configure these servers, go to Configure DNS and WINS Servers for Mobile VPN with IPSec.
Lease Time Attribute String
This setting applies to Mobile VPN clients and to clients that use Firewall Authentication.
Type the name of the attribute for Fireware to use to control the maximum duration a user can stay authenticated (session timeout). After this amount of time, the user is removed from the list of authenticated users. This must be a single-valued attribute. Fireware interprets the attribute's value as a decimal number of seconds. It interprets a zero value as never time out. Because the per-user value overrides the global session timeout, a zero here gives that user a session that never expires, so set it deliberately and review which user objects carry it.
Idle Timeout Attribute String
This setting applies to Mobile VPN clients and to clients that use Firewall Authentication.
Type the name of the attribute Fireware uses to control the amount of time a user can stay authenticated when no traffic is passed to the Firebox from the user (idle timeout). If no traffic passes to the device for this amount of time, the user is removed from the list of authenticated users. This must be a single-valued attribute. Fireware interprets the attribute's value as a decimal number of seconds. It interprets a zero value as never time out, which, as with the lease time, overrides the global idle timeout for that user.
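The value rules in this section (single-valued where required, dotted-decimal addresses, the virtual IP inside the Mobile VPN pool, timeouts as decimal seconds, zero meaning never time out) are easy to get wrong when populating user objects by hand, and the Firebox only tells you by silently falling back to the global settings. The following is an added example, not WatchGuard code: a small offline checker that reads an LDIF export of your user objects (for example from ldapsearch or ldifde) and reports any value Fireware would not accept. The attribute names (wgVpnIP, wgVpnNetmask, wgVpnDNS, wgVpnWINS, wgLeaseTime, wgIdleTimeout), the sample entries and the pool 192.168.113.0/24 are assumptions; substitute the names you added to your schema and the pool from your Mobile VPN Group.

```python
import ipaddress

# Attribute names are assumptions: use the names you added to your schema and
# typed into the Optional Settings fields.
ATTR_IP, ATTR_NETMASK = "wgVpnIP", "wgVpnNetmask"
ATTR_DNS, ATTR_WINS = "wgVpnDNS", "wgVpnWINS"
ATTR_LEASE, ATTR_IDLE = "wgLeaseTime", "wgIdleTimeout"

# Constructed sample export (not real directory data); bob and carol have mistakes.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
wgVpnIP: 192.168.113.10
wgVpnNetmask: 255.255.255.0
wgVpnDNS: 10.0.0.53
wgVpnDNS: 10.0.1.53
wgLeaseTime: 28800
wgIdleTimeout: 0

dn: cn=bob,ou=people,dc=example,dc=com
wgVpnIP: 192.168.113.20
wgVpnIP: 192.168.113.21
wgVpnNetmask: 255.0.255.0
wgLeaseTime: 8h

dn: cn=carol,ou=people,dc=example,dc=com
wgVpnIP: 10.9.9.9
wgVpnWINS: 10.0.0.30
"""

def parse_ldif(text):
    """Minimal LDIF reader returning [(dn, {attr: [values]})]. Attribute names are
    lower-cased (LDAP compares them case-insensitively); base64 (::) values are rejected."""
    text = text.replace("\n ", "")            # join folded continuation lines
    entries, current = [], None
    for line in text.splitlines() + [""]:     # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):
                raise ValueError(f"base64 value not supported: {line}")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                current = (value, {})
            else:
                current[1].setdefault(name, []).append(value)
    return entries

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def is_netmask(value):
    """True only for a contiguous mask such as 255.255.255.0 (ipaddress alone
    would also accept a hostmask like 0.0.0.255)."""
    if not is_ipv4(value):
        return False
    inverted = ~int(ipaddress.IPv4Address(value)) & 0xFFFFFFFF
    return (inverted + 1) & inverted == 0

def check_entry(attrs, vpn_pool):
    """Findings for one user entry; empty means Fireware will accept every value.
    Findings starting with "warning:" are accepted but change session behaviour."""
    findings = []

    def single(name):                         # enforce the single-valued rule
        values = attrs.get(name.lower(), [])
        if len(values) > 1:
            findings.append(f"{name}: must be single-valued, found {len(values)} values")
            return None
        return values[0] if values else None

    ip = single(ATTR_IP)
    if ip is not None and not is_ipv4(ip):
        findings.append(f"{ATTR_IP}: {ip!r} is not a dotted-decimal IPv4 address")
    elif ip is not None and ipaddress.IPv4Address(ip) not in vpn_pool:
        findings.append(f"{ATTR_IP}: {ip} is outside the virtual IP pool {vpn_pool}")
    mask = single(ATTR_NETMASK)
    if mask is not None and not is_netmask(mask):
        findings.append(f"{ATTR_NETMASK}: {mask!r} is not a valid subnet mask")
    for name in (ATTR_DNS, ATTR_WINS):        # multi-valued; every value an IPv4 address
        for value in attrs.get(name.lower(), []):
            if not is_ipv4(value):
                findings.append(f"{name}: {value!r} is not a dotted-decimal IPv4 address")
    for name in (ATTR_LEASE, ATTR_IDLE):      # decimal seconds; 0 means never time out
        value = single(name)
        if value is not None and not (value.isascii() and value.isdigit()):
            findings.append(f"{name}: {value!r} is not a decimal number of seconds")
        elif value is not None and int(value) == 0:
            findings.append(f"warning: {name} is 0, which Fireware treats as never time out")
    return findings

def check_export(ldif_text, pool_cidr):
    """Map each DN in the export to its findings; pool_cidr is the Mobile VPN virtual IP pool."""
    pool = ipaddress.IPv4Network(pool_cidr)
    return {dn: check_entry(attrs, pool) for dn, attrs in parse_ldif(ldif_text)}

if __name__ == "__main__":
    for dn, findings in check_export(SAMPLE_LDIF, "192.168.113.0/24").items():
        print(dn, *(findings or ["ok"]), sep="\n  ")
```

Run against the sample, alice passes with a warning that her idle timeout of 0 never expires, bob is flagged for a multi-valued IP attribute, a non-contiguous netmask and a lease time of "8h" rather than seconds, and carol is flagged because 10.9.9.9 is outside the virtual IP pool. The netmask check is deliberately stricter than ipaddress, which also accepts hostmask notation that Fireware would not.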