
ZXSEC US

User Authentication
User Guide

Version 3.0

ZTE CORPORATION
ZTE Plaza, Keji Road South,
Hi-Tech Industrial Park,
Nanshan District, Shenzhen,
P. R. China
518057
Tel: (86) 755 26771900 800-9830-9830
Fax: (86) 755 26772236
URL: http://support.zte.com.cn
E-mail: [email protected]
LEGAL INFORMATION

Copyright © 2006 ZTE CORPORATION.

The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.

All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.

This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.

ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.

The contents of this document and all policies of ZTE CORPORATION, including without limitation policies related to
support or training are subject to change without notice.

Revision History

Date           Revision No.   Serial No.      Reason for Revision
June 4, 2008   R1.0           sjzl20084025    First edition
Contents

About this Manual  i
    What is in This Manual  i
    Conventions  i
    How to Get in Touch  ii

Chapter 1  Authentication Overview  1
    Overview  1
        About authentication  1
        User's view of authentication  2
            Web-based user authentication  2
            VPN client-based authentication  3
        ZXSEC US administrator's view of authentication  4
            Authentication servers  5

Chapter 2  ZXSEC US authentication servers  9
    Overview  9
        RADIUS servers  9
            Configuring the ZXSEC US unit to use a RADIUS server  11
        LDAP servers  14
            Configuring the ZXSEC US unit to use an LDAP server  16
        TACACS+ servers  19
            Configuring the ZXSEC US unit to use a TACACS+ authentication server  20
        Active Directory servers  22
            Configuring the ZXSEC US unit to use an Active Directory server  23

Chapter 3  Users/peers and user groups  27
    Overview  27
        Users/peers  27
            Creating local users  28
            Creating peer users  31
        User groups  33
            Protection profiles  34
            Creating user groups  34
            Active Directory user groups  35

Chapter 4  Configuring authenticated access  37
    Overview  37
        Authentication timeout  37
        Authentication protocols  38
        Firewall policy authentication  39
            Configuring authentication for a firewall policy  40
            Configuring authenticated access to the Internet  41
            Firewall policy order  42
        VPN authentication  43
            Authenticating PPTP VPN users  43
            Authenticating L2TP VPN users  44
            Authenticating remote IPSec VPN users using dialup groups  45
            Enabling XAuth authentication for dialup IPSec VPN clients  47

Figures  51
Tables  53
Index  55
About this Manual

This document explains how to configure authentication for
firewall policies, PPTP and L2TP VPNs, and dialup IPSec VPNs.

What is in This Manual

This manual contains the following chapters:

TABLE 1 CHAPTER SUMMARY

Chapter                                  Summary
Chapter 1, Authentication Overview       Introduces the authentication process from the
                                         user's and the administrator's perspective, and
                                         provides supplementary information about ZTE
                                         publications.
Chapter 2, ZXSEC US authentication       Contains procedures for configuring RADIUS, LDAP,
servers                                  TACACS+ and Microsoft Active Directory
                                         authentication servers.
Chapter 3, Users/peers and user groups   Contains procedures for defining users/peers and
                                         user groups.
Chapter 4, Configuring authenticated     Contains procedures to set authentication timeouts
access                                   and to configure authentication in firewall
                                         policies, for PPTP and L2TP VPNs, and for certain
                                         configurations of IPSec VPNs.
Conventions

Typographical Conventions

ZTE documents employ the following typographical conventions.

TABLE 2 TYPOGRAPHICAL CONVENTIONS

Typeface         Meaning
Italics          References to other manuals and documents.
“Quotes”         Links on screens.
Bold             Menus, menu options, function names, input fields, radio
                 button names, check boxes, drop-down lists, dialog box
                 names, window names.
CAPS             Keys on the keyboard, buttons on screens, and company name.
Constant width   Text that you type, program code, file and directory
                 names, and function names.
[]               Optional parameters.
{}               Mandatory parameters.
|                Select one of the parameters that are delimited by it.
Note:            Provides additional information about a certain topic.

Confidential and Proprietary Information of ZTE CORPORATION
Mouse Operation Conventions

TABLE 3 MOUSE OPERATION CONVENTIONS

Term           Meaning
Click          Refers to clicking the primary mouse button (usually the
               left mouse button) once.
Double-click   Refers to quickly clicking the primary mouse button
               (usually the left mouse button) twice.
Right-click    Refers to clicking the secondary mouse button (usually the
               right mouse button) once.
Drag           Refers to pressing and holding a mouse button and moving
               the mouse.
How to Get in Touch

The following sections provide information on how to obtain
support for the documentation and the software.

Customer Support

If you have problems, questions, comments, or suggestions
regarding your product, contact us by e-mail at
[email protected]. You can also call our customer support center
at (86) 755 26771900 and (86) 800-9830-9830.

Documentation Support

ZTE welcomes your comments and suggestions on the quality and
usefulness of this document. For further questions, comments, or
suggestions on the documentation, you can contact us by e-mail at
[email protected]; or you can fax your comments and suggestions
to (86) 755 26772236. You can also browse our website at
http://support.zte.com.cn, which contains documentation, a
knowledge base, a forum and service requests.


Chapter 1

Authentication Overview

Overview

This chapter introduces you to the authentication process from
the user's and the administrator's perspective, and provides
supplementary information about ZTE publications:
• About authentication
• User's view of authentication
• ZXSEC US administrator's view of authentication

Note:
• This document does not describe certificate-based VPN
  authentication.
• For information about this type of authentication, see the
  ZXSEC US IPSec VPN Guide and the ZXSEC US Certificate
  Management User Guide.
About authentication

Computer networks have, for the most part, improved worker
efficiency and helped a company's bottom line. Along with these
benefits, workers now need to access their corporate network
remotely, with appropriate security measures in place. In general
terms, authentication is the process of verifying the (digital)
identity of the sender of a communication such as a login request.
The sender may be someone using a computer, the computer itself,
or a computer program. A computer system should only be used by
those who are authorized to do so, so there must be a measure in
place to detect and exclude unauthorized access.

On a ZXSEC US unit, you can control access to network resources
by defining lists of authorized users, called user groups. To use
a particular resource, such as a network or a VPN tunnel, the user
must:
• belong to one of the user groups that is allowed access
• correctly enter a user name and password to prove his or her
  identity, if asked to do so

This process is called authentication. You can configure
authentication for:
• any firewall policy with Action set to ACCEPT
• PPTP and L2TP VPNs
• a dialup IPSec VPN set up as an XAUTH server (Phase 1)
• a dialup IPSec VPN that accepts user group authentication as a
  peer ID

User’s view of authentication


The user sees a request for authentication when they try to
access a protected resource. The way in which the request is
presented to the user depends on the method of access to that
resource.
VPN authentication usually controls remote access to a private
network.

Web-based user authentication

Firewall policies usually control browsing access to an external
network that provides connection to the Internet. In this case,
the ZXSEC US unit requests authentication through the web
browser:

FIGURE 1 AUTHENTICATION LOGIN

The user types a user name and password and then selects
Continue. If the credentials are incorrect, the authentication
screen is redisplayed with blank fields so that the user can try
again. When the user enters valid credentials, they get access to
the required resource.

Note: After a defined period of inactivity (the authentication
timeout, defined by the ZXSEC US administrator), the user's access
expires and the user must authenticate again to reach the
resource. The default is 5 minutes; see "Authentication timeout".

VPN client-based authentication


VPNs provide remote clients with access to a private network for
a variety of services that include web browsing, email, and file
sharing. A client program such as US Desktop negotiates the
connection to the VPN and manages the user authentication
challenge from the ZXSEC US unit.
US Desktop can store the user name and password for a VPN as
part of the configuration for the VPN connection and pass them
to the ZXSEC US unit as needed. Or, US Desktop can request the
user name and password from the user when the ZXSEC US unit
requests them.

Note:
After a defined period of inactivity (the idle timeout, defined by
the ZXSEC US administrator), the user's access expires. The
default is 1500 seconds (25 minutes). To access the resource, the
user has to authenticate again.

ZXSEC US administrator's view of authentication

Authentication is based on user groups. You configure
authentication parameters for firewall policies and VPN tunnels
to permit access only to members of particular user groups. A
member of a user group can be:
• a user whose user name and password are stored on the ZXSEC US
  unit
• a user whose name is stored on the ZXSEC US unit and whose
  password is verified by an external authentication server
• an external authentication server with a database that contains
  the user name and password of each person who is permitted
  access

1. If external authentication is needed, configure the required
   servers.
   • See "Configuring the ZXSEC US unit to use a RADIUS server".
   • See "Configuring the ZXSEC US unit to use an LDAP server".
   • See "Configuring the ZXSEC US unit to use a TACACS+
     authentication server".
   • See "Configuring the ZXSEC US unit to use an Active Directory
     server".
2. Configure local and peer (PKI) user identities. For each local
   user, you can choose whether the ZXSEC US unit or an external
   authentication server verifies the password. Peer members can
   be included in user groups for use in firewall policies.
   • See "Creating local users".
   • See "Creating peer users".
3. Create user groups.
   Add local/peer user members to each user group as appropriate.
   You can also add an authentication server to a user group. In
   this case, all users in the server's database can authenticate.
   • See "Creating user groups".
4. Configure firewall policies and VPN tunnels that require
   authenticated access.
   • See "Configuring authentication for a firewall policy".
   • See "Authenticating PPTP VPN users".
   • See "Authenticating remote IPSec VPN users using dialup
     groups".
   • See "Enabling XAuth authentication for dialup IPSec VPN
     clients".

Authentication servers

The ZXSEC US unit can store user names and passwords and use
them to authenticate users. In an enterprise environment, it
might be more convenient to use the same system that provides
authentication for local area network access, email and other
services. Users who access the corporate network from home or
while traveling could use the same user name and password that
they use at the office.

You can configure the ZXSEC US unit to work with external
authentication servers in two different ways:
• Add the authentication server to a user group.
  Anyone in the server's database is a member of the user group.
  This is a simple way to provide access to the corporate VPN for
  all employees, for example. You do not need to configure
  individual users on the ZXSEC US unit. Note that every account
  the server can authenticate, including service or test accounts,
  then satisfies the group.
or
• Specify the authentication server instead of a password when
  you configure the individual user identity on the ZXSEC US unit.
  The user name must exist on both the ZXSEC US unit and the
  authentication server. User names that exist only on the
  authentication server cannot authenticate on the ZXSEC US unit.
  This method enables you to provide access only to selected
  employees, for example.

Note:
You cannot combine these two uses of an authentication server in
the same user group. If you add the server to the user group,
adding individual users with authentication to that server is
redundant.

If you want to use external authentication servers, you must
configure them before you configure users and user groups.

Public Key Infrastructure (PKI) authentication

A Public Key Infrastructure (PKI) is a comprehensive system of
policies, processes, and technologies working together to enable
users of the Internet to exchange information in a secure and
confidential manner. PKIs are based on the use of cryptography:
information is scrambled by a mathematical formula and a virtual
key so that it can only be decoded by an authorized party using a
related key. The public and private cryptographic key pair is
obtained and shared through a trusted authority. The public key
infrastructure enables the creation of a digital certificate that
can identify an individual or organization, and directory
services that can store and also revoke the certificates.

Public Key Infrastructure (PKI) authentication uses a certificate
authentication library that takes a list of peers, peer groups,
and/or user groups and returns authentication "successful" or
"denied" notifications. Users only need a valid certificate for
successful authentication, that is, one issued by a CA the unit
trusts, within its validity period and not revoked; no user name
or password is necessary.

Peers

A peer is a user that holds a digital certificate used in PKI
authentication. To use PKI authentication, you must define peers
to include in the authentication user group. You create peer
identities in the User > PKI page of the web-based manager.

Users

You create user identities in the User > Local page of the
web-based manager. Although it is simpler to define passwords
locally, when there are many users the administrative effort to
maintain the database is considerable. Users cannot change their
own passwords on the ZXSEC US unit. When an external
authentication server is part of an enterprise network
authentication system, users can change their own passwords.

Note:
Frequent changing of passwords is a good security practice.

User groups

A user group can contain individual users/peers and
authentication servers. A user/peer or authentication server can
belong to more than one group.
Authentication timeout

An authenticated connection expires when it has been idle for a
length of time that you specify. The authentication timeout value
set in User > Authentication > Authentication applies to every
user of the system. The choice of timeout duration is a balance
between security and user convenience. The default is 5 minutes.
For information about setting the authentication timeout, see
"Authentication timeout".
Firewall policies
Access control is defined in the firewall policy that provides
access to the network resource. For example, access to the
Internet through the external interface from workstations on
the internal network is made possible by an Internal to
External firewall policy.
Firewall policies apply web filtering, antivirus protection, and
spam filtering to the traffic they control according to a
protection profile. When a firewall policy requires
authentication, its own protection profile option is disabled
and the user group’s protection profile is applied.
For more information about firewall policies and protection
profiles, see the Firewall chapter of the ZXSEC US
Administration Guide.
VPN tunnels
When you configure a PPTP or L2TP VPN, you choose one
user group to be permitted access. For IPSec VPNs, you can
use authentication by user group or XAUTH authentication
using an external authentication server as an alternative to
authentication by peer ID.
For more information about VPNs, see the ZXSEC US PPTP
VPN User Guide, the ZXSEC US SSL VPN User Guide, or the
ZXSEC US IPSec VPN User Guide.

Chapter 2

ZXSEC US authentication servers

Overview

ZXSEC US units support the use of authentication servers. If you
are going to use authentication servers, you must configure the
servers before you configure ZXSEC US users or user groups that
require them. An authentication server can provide password
checking for selected ZXSEC US users or it can be added as a
member of a ZXSEC US user group.

This section describes:
• RADIUS servers
• LDAP servers
• TACACS+ servers
• Active Directory servers

RADIUS servers

Remote Authentication Dial-In User Service (RADIUS) servers
provide authentication, authorization, and accounting functions.
ZXSEC US units use the authentication and accounting functions of
the RADIUS server.

Your RADIUS server listens on either port 1812 or port 1645 for
authentication requests. You must configure it to accept the
ZXSEC US unit as a client, that is, register the unit's IP
address and the shared secret on the server.

The RADIUS server user database can be any combination of:
• user names and passwords defined in a configuration file
• an SQL database
• user account names and passwords configured on the computer
  where the RADIUS server is installed

The RADIUS server and its clients, such as the ZXSEC US unit,
share a secret key. The shared secret is not a general encryption
key for the exchange: per RFC 2865 it hides only the
User-Password attribute (an MD5-derived keystream) and
authenticates the response and accounting packets. User names,
other attribute values and accounting data travel in the clear,
so keep RADIUS traffic on a trusted network path and use a long,
random secret that differs per client.

The ZXSEC US unit sends the following RADIUS attributes in the
accounting start/stop messages:
1. Acct-Session-Id
2. User-Name
3. NAS-Identifier (the ZXSEC US unit's host name)
4. Framed-IP-Address (IP address assigned to the client)
5. ZTE-Client-IP-Address VSA (IP address the client is connecting
   from)
6. Acct-Input-Octets
7. Acct-Output-Octets

Table 4 shows, for each supported authentication method, which of
these attributes (numbered as above) are sent in the RADIUS
accounting message.

TABLE 4 RADIUS ATTRIBUTES SENT IN RADIUS ACCOUNTING MESSAGE

Authentication method            Attribute
                                 1   2   3   4   5   6   7
Web                              X   X   X       X
XAuth of IPSec (without DHCP)    X   X   X       X
XAuth of IPSec (with DHCP)       X   X   X   X   X
PPTP/L2TP (in PPP)               X   X   X   X   X   X   X
SSL-VPN                          X   X   X       X

In order to support vendor-specific attributes (VSAs), the RADIUS
server requires a dictionary that defines them. ZTE's dictionary
(vendor ID 12356) is configured this way:

    #
    # ZTE's VSAs
    #
    VENDOR          ZTE                     12356
    BEGIN-VENDOR    ZTE
    ATTRIBUTE       ZTE-Group-Name          1       string
    ATTRIBUTE       ZTE-Client-IP-Address   2       ipaddr
    ATTRIBUTE       ZTE-Vdom-Name           3       string
    #
    # Integer Translations
    #
    END-VENDOR      ZTE

See the documentation provided with your RADIUS server for
configuration details.
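The following script is an added example, not code from the ZXSEC US product or from ZTE. It shows what the shared secret actually protects and what the unit's accounting messages look like on the wire: it hides and recovers a User-Password the RFC 2865 way, builds an Accounting-Request carrying the Table 4 attribute set for a PPTP/L2TP session (including the ZTE-Client-IP-Address VSA under vendor ID 12356 from the dictionary above), computes the RFC 2866 Request Authenticator, verifies it as the server would, and parses the attributes back. The host name, addresses, session ID and secret are constructed sample values, and the Acct-Status-Type value and attribute order are assumptions, since this guide documents only which attributes are sent.

```python
import hashlib
import socket
import struct

# Vendor-specific attributes from the ZTE dictionary above (vendor ID 12356)
VENDOR_ZTE = 12356
ZTE_GROUP_NAME, ZTE_CLIENT_IP_ADDRESS, ZTE_VDOM_NAME = 1, 2, 3
# Standard attribute type codes (RFC 2865 / RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 8, 26, 32
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 40, 42, 43, 44
CODE_ACCOUNTING_REQUEST = 4


def avp(attr_type, value):
    """Type(1) Length(1) Value; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block), seeded by the Request Authenticator. Keyed obfuscation of one attribute."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def accounting_request(ident, secret, attrs):
    """RFC 2866 s3: Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    auth = hashlib.md5(_packet(CODE_ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs) + secret).digest()
    return _packet(CODE_ACCOUNTING_REQUEST, ident, auth, attrs)


def verify_accounting_request(packet, secret):
    """Server-side check: only a client holding the same secret produces this authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attributes(packet):
    """Return (type, value) pairs; ZTE VSAs come back as ("ZTE", vendor_type, value)."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + length]
        if t == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_ZTE:
            vt, vlen = struct.unpack("!BB", value[4:6])
            if vlen != len(value) - 4:
                raise ValueError("malformed VSA length")
            out.append(("ZTE", vt, value[6:]))
        else:
            out.append((t, value))
        pos += length
    return out


def pptp_accounting_start(secret, ident=7):
    """Constructed sample Accounting-Start with the Table 4 attribute set for PPTP/L2TP.
    Host name, addresses and session ID are made up; Acct-Status-Type=Start is assumed."""
    attrs = (avp(ACCT_STATUS_TYPE, struct.pack("!I", 1))                                # 1 = Start
             + avp(ACCT_SESSION_ID, b"5a3b1c00")
             + avp(USER_NAME, b"alice")
             + avp(NAS_IDENTIFIER, b"zxsec-us-1")                                        # unit host name
             + avp(FRAMED_IP_ADDRESS, socket.inet_aton("10.10.10.5"))                   # assigned to client
             + vsa(VENDOR_ZTE, ZTE_CLIENT_IP_ADDRESS, socket.inet_aton("203.0.113.7"))  # client's source IP
             + avp(ACCT_INPUT_OCTETS, struct.pack("!I", 0))
             + avp(ACCT_OUTPUT_OCTETS, struct.pack("!I", 0)))
    return accounting_request(ident, secret, attrs)
```

Call pptp_accounting_start(secret) and feed the result to verify_accounting_request with the right and a wrong secret to see the check pass and fail. The deployment point: only User-Password is hidden and only the accounting and response packets are authenticated, so anyone who can read the RADIUS path sees user names and accounting data, and a guessable shared secret lets them recover PAP passwords offline from a captured Access-Request.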

Configuring the ZXSEC US unit to use a RADIUS server

To configure the ZXSEC US unit to use a RADIUS server, you
need to know the server’s domain name or IP address and its
shared secret key. You will select the authentication protocol

On the ZXSEC US unit, the default port for RADIUS traffic is 1812.
If your RADIUS server is using port 1645, you can either:
• Reconfigure the RADIUS server to use port 1812. See your RADIUS
  server documentation for more information.
or
• Change the ZXSEC US unit default RADIUS port to 1645 using the
  CLI:
      config system global
          set radius_port 1645
      end

To configure the ZXSEC US unit for RADIUS authentication - web-based manager

1. Go to User > Remote > RADIUS and select Create New.
2. Enter the following information, and select OK.

FIGURE 2 CONFIGURE ZXSEC US UNIT FOR RADIUS AUTHENTICATION

Name
    The name used to identify the RADIUS server on the ZXSEC US
    unit.
Primary Server Name/IP
    The domain name or IP address of the primary RADIUS server.
Primary Server Secret
    The RADIUS server secret key for the primary RADIUS server.
Secondary Server Name/IP
    The domain name or IP address of the secondary RADIUS server,
    if you have one.
Secondary Server Secret
    The RADIUS server secret key for the secondary RADIUS server.
Authentication Scheme
    Select Use Default Authentication Scheme to authenticate with
    the default method. The default authentication scheme tries
    PAP, MS-CHAP-V2, and CHAP, in that order.
    Select Specify Authentication Protocol to override the default
    authentication method, and choose the protocol from the
    drop-down box: MS-CHAP-V2, MS-CHAP, CHAP, or PAP, depending on
    what your RADIUS server needs.
    Because PAP is tried first, the default scheme sends the
    user's password protected only by the RFC 2865 shared-secret
    hiding. If your server supports a challenge-response protocol,
    specify it explicitly rather than relying on the default order.
NAS IP/Called Station ID
    The NAS-IP-Address and Called-Station-Id sent to the server
    (Called-Station-Id is RADIUS attribute 30 in RFC 2865; see also
    RFC 2548, Microsoft Vendor-specific RADIUS Attributes). If you
    do not enter an IP address, the IP address of the ZXSEC US
    interface used to communicate with the RADIUS server is used.
Include in every User Group
    Enable to have the RADIUS server automatically included in all
    user groups.

To configure the ZXSEC US unit for RADIUS authentication - CLI

    config user radius
        edit <server_name>
            set all-usergroup {enable | disable}
            set auth-type <authentication_protocol>
            set nas-ip <nas_ip_called_id>
            set radius-port <radius_port_id>
            set secondary-server <secondary_ip_address>
            set secondary-secret <secondary_password>
            set server <primary_ip_address>
            set secret <primary_password>
            set use-group-for-profile <group_profile_select>
            set use-management-vdom <vdom_requests>
    end

The use-group-for-profile and use-management-vdom options can
only be added to RADIUS authentication requests via the CLI.
Enable use-group-for-profile to use the RADIUS group attribute to
select the firewall protection profile to apply. Enable
use-management-vdom to send all RADIUS requests through the
management VDOM. For more information, refer to the ZXSEC US CLI
Reference.

To remove a RADIUS server from the ZXSEC US unit configuration - web-based manager

You cannot remove a RADIUS server that belongs to a user group.
Remove it from the user group first.
1. Go to User > RADIUS.
2. Select the Delete icon beside the name of the RADIUS server
   that you want to remove.
3. Select OK.

FIGURE 3 DELETE RADIUS SERVER

To remove a RADIUS server from the ZXSEC US unit configuration - CLI

    config user radius
        delete <server_name>
    end

LDAP servers

Lightweight Directory Access Protocol (LDAP) is an Internet
protocol used to maintain authentication data that may include
departments, people, groups of people, passwords, email
addresses, and printers. An LDAP service consists of a
data-representation scheme, a set of defined operations, and a
request/response network protocol.

The scale of LDAP servers ranges from big public servers such as
BigFoot and Infospace, to large organizational servers at
universities and corporations, to small LDAP servers for
workgroups. This document focuses on the institutional and
workgroup applications of LDAP.

A directory is a set of objects with similar attributes organized
in a logical and hierarchical way. Generally, an LDAP directory
tree reflects geographic and/or organizational boundaries, with
Domain Name System (DNS) names used to structure the top level of
the hierarchy. The common name identifier for most LDAP servers
is cn, however some servers use other identifiers such as uid.

If you have configured LDAP support and a user is required to
authenticate using an LDAP server, the ZXSEC US unit contacts the
LDAP server for authentication. To authenticate with the ZXSEC US
unit, the user enters a user name and password. The ZXSEC US unit
sends this user name and password to the LDAP server. If the LDAP
server can authenticate the user, the user is successfully
authenticated with the ZXSEC US unit. If the LDAP server cannot
authenticate the user, the connection is refused by the ZXSEC US
unit.

Binding is the step where the LDAP server authenticates the user,
and if the user is successfully authenticated, allows the user
access to the LDAP server based on that user's permissions. The
ZXSEC US unit can be configured to use one of three types of
binding:
• anonymous: search for the user's entry with an anonymous bind,
  then bind as the user to check the password
• regular: bind with a configured user name and password, search
  for the user's entry, then bind as the user to check the
  password
• simple: bind directly as the user, constructing the DN from the
  user name, without a search

You can use simple authentication if the user records all fall
under one DN. If the users are under more than one DN, use the
anonymous or regular type, which can search the entire LDAP
database for the required user name.

If your LDAP server requires authentication to perform searches,
use the regular type and provide values for the bind user name
and password. Give that bind account read access to the user
subtree only; it is a credential stored on the ZXSEC US unit.

The ZXSEC US unit supports LDAP protocol functionality defined in
RFC 2251, Lightweight Directory Access Protocol v3, for looking
up and validating user names and passwords. ZXSEC US LDAP
supports all LDAP servers compliant with LDAP v3. In addition,
ZXSEC US LDAP supports LDAP over SSL/TLS. To configure SSL/TLS
authentication, refer to the ZXSEC US CLI Reference. Without
SSL/TLS, the user's password (and the regular bind account's
password) is sent to the LDAP server in cleartext in the bind
request.

ZXSEC US LDAP does not support proprietary functionality, such as
notification of password expiration, which is available from some
LDAP servers. ZXSEC US LDAP does not supply information to the
user about why authentication failed.
To configure your ZXSEC US unit to work with an LDAP server,
you need to understand the organization of the information on
the server.
The top of the hierarchy is the organization itself. Usually this is
defined as Domain Component (DC), a DNS domain. If the name
contains a dot, such as “example.com”, it is written as two parts:
“dc=example,dc=com”.
In this example, Common Name (CN) identifiers reside at the
Organization Unit (OU) level, just below DC. The Distinguished
Name (DN) is ou=People,dc=example,dc=com.

Figure 4 Example

In addition to the DN, the ZXSEC US unit needs an identifier for
the individual person. Although the ZXSEC US unit GUI calls this
the Common Name (CN), the identifier you use is not necessarily
CN. On some servers, CN is the full name of a person. It might be
more convenient to use the same identifier used on the local
computer network. In this example, User ID (UID) is used.
You need to determine the levels of the hierarchy from the top to
the level that contains the identifier you want to use. This defines
the DN that the ZXSEC US unit uses to search the LDAP
database. Frequently used distinguished name elements include:

f pw (password)
f cn (common name)
f ou (organizational unit)
f o (organization)
f c (country)
One way to test this is with a text-based LDAP client program.
For example, OpenLDAP includes a client, ldapsearch, that you
can use for this purpose.
Enter the following command:
ldapsearch -x '(objectclass=*)'
The output is lengthy, but the information you need is in the first
few lines:
version: 2
#
# filter: (objectclass=*)
# requesting: ALL
#
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
...
dn: uid=auser,ou=People,dc=example,dc=com
uid: auser
cn: Alex User
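As an added example (not ZTE's code), the following parses ldapsearch output like that shown above and derives the two values the LDAP server entry needs: the Common Name Identifier (the attribute in the leftmost RDN of the person entries, uid here) and the base Distinguished Name (the DN directly above them). The LDIF text is constructed for the example and adds objectClass lines that the excerpt above omits; the inetOrgPerson class used to pick out person entries is an assumption.

```python
# Added example (not ZTE's code): derive cnid and base DN from ldapsearch output.
from typing import Dict, List, Tuple

# Constructed sample, modelled on the ldapsearch output shown above.
SAMPLE_LDIF = """\
version: 2
#
# filter: (objectclass=*)
# requesting: ALL
#
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=auser,ou=People,dc=example,dc=com
uid: auser
cn: Alex User
objectClass: inetOrgPerson

dn: uid=buser,ou=People,dc=example,dc=com
uid: buser
cn: Bea User
objectClass: inetOrgPerson
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF text into entries; each entry maps attribute -> list of values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith("#") or line.startswith("version:"):
            continue  # ldapsearch comments and the version header
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN components (the sample has no escaped commas)."""
    return [part.strip() for part in dn.split(",")]


def derive_ldap_settings(text: str, person_class: str = "inetOrgPerson") -> Tuple[str, str]:
    """Return (cnid, base_dn) for the person entries in the LDIF.

    Raises ValueError if the people are spread over more than one parent DN
    or use different RDN attributes, because then one 'simple' bind
    configuration cannot address all of them and a searching bind type is
    needed instead.
    """
    cnids, parents = set(), set()
    for entry in parse_ldif(text):
        if person_class not in entry.get("objectClass", []):
            continue
        rdns = split_dn(entry["dn"][0])
        attr, _, _ = rdns[0].partition("=")
        cnids.add(attr)
        parents.add(",".join(rdns[1:]))
    if len(cnids) != 1 or len(parents) != 1:
        raise ValueError(f"people are not under one DN with one identifier: {cnids} {parents}")
    return cnids.pop(), parents.pop()
```

Run derive_ldap_settings on the real ldapsearch output to confirm the Common Name Identifier before typing it into the unit; if it raises, the users are not all under one DN and the regular or anonymous bind type should be chosen, as the section above explains.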

Configuring the ZXSEC US unit to use an LDAP server
After you determine the common name and distinguished name
identifiers and the domain name or IP address of the LDAP server,
you can configure the server on the ZXSEC US unit.
To configure the ZXSEC US unit for LDAP authentication - web-based manager
1. Go to User > Remote > LDAP and select Create New.
2. Enter the following information, and select OK.

Figure 5 Configure ZXSEC US unit for LDAP authentication

Name The name that identifies the LDAP server on the
ZXSEC US unit.
Server Name/IP The domain name or IP address of the
LDAP server.
Server Port The TCP port used to communicate with
the LDAP server. By default, LDAP uses port 389.
If you use a secure LDAP server, the default port changes
when you select Secure Connection.
Common Name Identifier The common name
identifier for the LDAP server. 20 characters maximum.
Distinguished Name The base distinguished name for the
server using the correct X.500 or LDAP format. The ZTE unit
passes this distinguished name unchanged to the server.
Query icon View the LDAP server Distinguished Name
Query tree for the LDAP server that you are configuring so
that you can cross-reference to the Distinguished Name.
For more information, see “Using the Query icon”.
Bind Type Select the type of binding for LDAP authentication.
Regular Connect to the LDAP server directly with user
name/password, then receive accept or reject based on
search of given values.
Anonymous Connect as an anonymous user on the
LDAP server, then retrieve the user name/password and
compare them to given values.
Simple Connect directly to the LDAP server with user
name/password authentication.
Filter The filter used for group searching. Available if
Bind Type is Regular or Anonymous.
User DN The distinguished name of user to be
authenticated. Available if Bind Type is Regular.
Password The password of user to be authenticated.
Available if Bind Type is Regular.

Secure Connection Select to use a secure LDAP server
connection for authentication.
Protocol Select a secure LDAP protocol to use for
authentication. Depending on your selection, the value in
Server Port will change to the default port for the selected
protocol. Only available if Secure Connection is enabled.
LDAPS: port 636
STARTTLS: port 389
Certificate Select a certificate to use for authentication from
the drop-down list. The certificate list comes from CA
certificates at System > Certificates > CA Certificates.
To configure the ZXSEC US unit for LDAP authentication - CLI
config user ldap
edit <server_name>
set cnid <common_name_identifier>
set dn <distinguished_name>
set port <port_number>
set server <domain>
set type <auth_type>
set username <ldap_username>
set password <ldap_passwd>
set group <group>
set filter <group_filter>
set secure <auth_port>
set ca-cert <cert_name>
end

To remove an LDAP server from the ZXSEC US unit configuration - web-based manager

Note:
You cannot remove a LDAP server that belongs to a user group.
Remove it from the user group first.
1. Go to User > LDAP.
2. Select the Delete icon beside the name of the LDAP server
that you want to remove.
3. Select OK.

Figure 6 Delete LDAP server

To remove an LDAP server from the ZXSEC US unit configuration - CLI
config user ldap
delete <server_name>
end

Using the Query icon
The LDAP Distinguished Name Query list displays the LDAP
Server IP address, and all the distinguished names associated
with the Common Name Identifier for the LDAP server. The tree
helps you to determine the appropriate entry for the DN field. To
see the distinguished name associated with the Common Name
identifier, expand the CN identifier (click on the blue triangle).
Select the DN from the list.
The DN you select is displayed in the Distinguished Name field.
Select OK and the Distinguished Name you selected will be saved
in the Distinguished Name field of the LDAP Server configuration.
To see the users within the LDAP Server user group for the
selected Distinguished Name, expand the Distinguished Name in
the LDAP Distinguished Name Query tree.

Figure 7 LDAP server Distinguished Name Query tree

TACACS+ servers
In recent years, remote network access has shifted from terminal
access to LAN access. Users are now connecting to their
corporate network (using notebooks or home PCs) with
computers that utilize complete network connections. Remote
node technology allows users the same level of access to the
corporate network resources as they would have if they were
physically in the office. When users connect to their corporate
network remotely, they do so through a remote access server. As
remote access technology has evolved, the need for network
access security has become increasingly important.
Terminal Access Controller Access-Control System (TACACS+) is
a remote authentication protocol that provides access control for
routers, network access servers, and other networked computing
devices via one or more centralized servers. TACACS+ allows a
client to accept a username and password and send a query to a
TACACS+ authentication server. The server host determines
whether to accept or deny the request and sends a response
back that allows or denies network access to the user. The
default TCP port for a TACACS+ server is 49. You can only change
the default port of the TACACS+ server using the CLI.
There are several different authentication protocols that
TACACS+ can use during the authentication process:
f ASCII
Machine-independent technique that uses representations of
English characters. Requires user to type a user name and
password that are sent in clear text (unencrypted) and
matched with an entry in the user database stored in ASCII
format.
f PAP (password authentication protocol)
Used to authenticate PPP connections. Transmits passwords
and other user information in clear text.
f CHAP (challenge-handshake authentication protocol)
Provides the same functionality as PAP, but is more secure as
it does not send the password and other user information
over the network to the security server.
f MS-CHAP (Microsoft challenge-handshake authentication protocol v1)
Microsoft-specific version of CHAP.
The default protocol configuration, Auto, uses PAP, MS-CHAP, and
CHAP, in that order.
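As an added example (not ZTE's code), here is what each side sends under PAP and under CHAP, with client and server modelled in one process. The CHAP digest follows RFC 1994 (MD5 over the identifier, the secret and the challenge); the user store and names are constructed. This looks only at the inner authentication type listed above; the TACACS+ packet body itself is additionally obfuscated with the shared server key that the Server Key field configures.

```python
# Added example (not ZTE's code): PAP vs CHAP as seen on the wire.
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed user database shared by both server implementations.
USERS: Dict[str, str] = {"alice": "correct horse"}


def pap_client(user: str, password: str) -> Tuple[str, str]:
    """PAP authenticate-request: user name and password sent in clear."""
    return user, password


def pap_server(request: Tuple[str, str]) -> bool:
    user, password = request
    return USERS.get(user) == password


def chap_server_challenge() -> Tuple[int, bytes]:
    """Server picks a one-octet identifier and a random challenge."""
    return 1, os.urandom(16)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_client(user: str, password: str, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
    """CHAP response carries the user name and the digest, never the password."""
    return user, chap_response(identifier, password, challenge)


def chap_server_verify(identifier: int, challenge: bytes, response: Tuple[str, bytes]) -> bool:
    user, digest = response
    secret = USERS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(digest, chap_response(identifier, secret, challenge))


def wire_contains_password(protocol: str, user: str, password: str) -> bool:
    """Whether what the client transmits includes the password itself."""
    if protocol == "PAP":
        _, sent = pap_client(user, password)
        return password in sent
    identifier, challenge = chap_server_challenge()
    _, sent = chap_client(user, password, identifier, challenge)
    return password.encode() in sent


def chap_response_is_challenge_bound(user: str, password: str) -> bool:
    """A CHAP response verifies only against the challenge it answered."""
    ident, chal = chap_server_challenge()
    response = chap_client(user, password, ident, chal)
    other_ident, other_chal = 2, os.urandom(16)
    return chap_server_verify(ident, chal, response) and not chap_server_verify(other_ident, other_chal, response)
```

This is why the section above calls CHAP more secure than ASCII and PAP: the server still has to hold the password, but a password-equivalent value never crosses the network, and a response is tied to one challenge. Note that with the Auto setting the unit tries PAP first.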

Configuring the ZXSEC US unit to use a TACACS+ authentication server
To configure the ZXSEC US unit for TACACS+ authentication - web-based manager
1. Go to User > Remote > TACACS+ and select Create New.
2. Enter the following information, and select OK.

Figure 8 TACACS+ server configuration

Name Enter the name of the TACACS+ server.
Server Name/IP Enter the server domain name or IP address of
the TACACS+ server.
Server Key Enter the key to access the TACACS+ server.
Authentication Type Select the authentication type to use for
the TACACS+ server. Selection includes: Auto, ASCII, PAP, CHAP, and
MSCHAP. Auto authenticates using PAP, MSCHAP, and CHAP (in that
order).

To configure the ZXSEC US unit for TACACS+ authentication - CLI
config user tacacs+
edit <server_name>
set auth-type {ascii | auto | chap | ms_chap | pap}
set key <server_key>
set tacacs+-port <tacacs+_port_num>
set server <domain>
end

To remove a TACACS+ server from the ZXSEC US unit configuration - web-based manager

Note:
You cannot remove a TACACS+ server that belongs to a user
group. Remove it from the user group first.
1. Go to User > TACACS+.
2. Select the Delete icon beside the name of the TACACS+
server that you want to remove.
3. Select OK.

Figure 9 Delete TACACS+ server

To remove a TACACS+ server from the ZXSEC US unit configuration - CLI
config user tacacs+
delete <server_name>
end

Active Directory servers
Active Directory (AD) servers first became available with the
Windows 2000 Server. AD servers provide central authentication
services for Windows-based computers by storing information
about network objects, such as users, systems, and services,
across a domain.
On networks that use Windows AD servers for authentication,
ZXSEC US units can transparently authenticate users without
asking them for their user name and password. Each person who
uses computers within a domain receives his/her own unique
account/user name. The account can be assigned access to
resources within the domain. In a domain, the directory resides
on computers that are configured as domain controllers. A
domain controller is a server that manages all security-related
features that affect the user/domain interactions, security
centralization, and administrative functions.
ZXSEC US units use firewall policies to control access to
resources based on user groups configured in the policies. Each
ZXSEC US user group is associated with one or more Windows
AD user groups. When a user logs on to the Windows domain, a
ZTE Server Authentication Extension (FSAE) sends the ZXSEC US
unit the user’s IP address and the names of the Active Directory
user groups to which the user belongs.
The FSAE has two components:
f A domain controller agent that must be installed on every
domain controller to monitor user logons and send
information about them to the collector agent.
f The collector agent that is installed on at least one
domain controller to send the information received from
the DC agent to the ZXSEC US unit.

Note:
You can create a redundant configuration on your ZXSEC US unit
if you install a collector agent on two or more domain controllers.
If the current collector agent fails, the ZXSEC US unit switches
to the next one in its list of up to five collector agents.
The ZXSEC US unit uses this information to maintain a copy of
the domain controller user group database. Because the domain
controller authenticates users, the ZXSEC US unit does not
perform authentication. It recognizes group members by their IP
address.
You must install the ZTE Server Authentication Extensions (FSAE)
on the network domain controllers, and configure the ZXSEC US
unit to retrieve information from the Windows AD server.
You need to configure the ZXSEC US unit to access at least one
FSAE collector agent. You can specify up to five Windows AD
servers on which you have installed a collector agent. If it is
necessary for your FSAE collector agent to require authenticated
access, you enter a password for the server. The server name
appears in the list of Windows AD servers when you create user
groups.
You can also retrieve AD information directly through an LDAP
server instead of through the FSAE agent.
For more information about FSAE, see the FSAE Technical Note.

Configuring the ZXSEC US unit to use an Active Directory server
To configure the ZXSEC US unit for Active Directory authentication - web-based manager
1. Go to User > Windows AD and select Create New.
2. Enter the following information, and select OK.

Figure 10 Configure ZXSEC US unit for Active Directory server authentication

Name The name of the Windows AD server. The name appears
in the list of Windows AD servers when you create user groups.
FSAE Collector IP/Name The IP address or name of the Windows
AD server where this collector agent is installed. You can specify up
to five Windows AD servers on which you have installed a collector
agent. Maximum length is 63 characters.
Port The TCP port used to communicate with the Windows AD server.
This must be the same as the ZTE ‘listening port’ specified in the
FSAE collector agent configuration. Default is 8000.
Password The authentication password generated by
administrator for FSAE collector agent. This is only required if you
configured your FSAE collector agent to require authenticated access.
LDAP Server Enable and select an LDAP server to access the
Windows AD.
For information about Active Directory user groups, see
“Active Directory user groups”.

To configure the ZXSEC US unit for Windows AD authentication - CLI
config user fsae
edit <server_name>
set ldap-server <ldap_server_name>
set password <password> password2 <password2> password3 <password3> password4 <password4> password5 <password5>
set port <port_number> port2 <port_number2> port3 <port_number3> port4 <port_number4> port5 <port_number5>
set server <domain> server2 <domain2> server3 <domain3> server4 <domain4> server5 <domain5>
end


To remove a Windows AD server from the ZXSEC US unit configuration - web-based manager

Note:
You cannot remove a Windows AD server that belongs to a user
group. Remove it from the user group first.
1. Go to User > Windows AD.
2. Select the Delete icon beside the name of the Windows AD
server that you want to remove.
3. Select OK.

Figure 11 Delete Windows AD server

To remove a Windows AD server from the ZXSEC US unit configuration - CLI
config user fsae
delete <name>
end

To view the domain and group information that the ZXSEC US unit receives from the AD server
1. Go to User > Windows AD.
2. Use the blue right arrow to expand the details for the Active
Directory server.

Figure 12 Domain and group information received from Active Directory server

Create New Add a new Windows AD server.
Name The name of the Windows AD server with FSAE. You can
expand the server name to display Windows AD domain group
information.
FSAE Collector IP The IP addresses and TCP ports of up to five
collector agents that send Windows AD server logon information to
the ZTE unit.
Delete icon Delete this Windows AD server.
Edit icon Edit this Windows AD server.
Refresh icon Get current domain and group information from
the Windows AD server.

Chapter 3

Users/peers and user groups

Overview
Authentication is based on user groups. First you configure
users/peers, then you create user groups and add users/peers to
them.
This section describes:
„ Users/peers
„ User groups

Users/peers
A user is a user/peer account configured on the ZXSEC US unit
and/or on an external authentication server. Users can access
resources that require authentication only if they are members of
an allowed user group.

Table 5 How the ZXSEC US unit authenticates different types of users

User type: Local user with password stored on the ZXSEC US unit
Authentication: The user name and password must match a user account
stored on the ZXSEC US unit.

User type: Local user with password stored on an authentication server
Authentication: The user name must match a user account stored on the
ZXSEC US unit and the user name and password must match a user account
stored on the authentication server associated with that user.

User type: Authentication server user
Authentication: Any user with an identity on the authentication server can
authenticate on the ZXSEC US unit by providing a user name and password
that match a user identity stored on the authentication server.

User type: Peer user with certificate authentication
Authentication: A peer user is a digital certificate holder that
authenticates using a client certificate.

This section describes how to configure local users and peer
users. For information about configuration of authentication
servers see “ZXSEC US authentication servers”.

Creating local users
To define a local user you need:
f a user name
f a password or the name of an authentication server that
has been configured on the ZXSEC US unit
If the user is authenticated externally, the user name on the
ZXSEC US unit must be identical to the user name on the
authentication server.

To create a local user - web-based manager
1. Go to User > Local.
2. Select Create New.
3. Enter the user name.
4. Do one of the following:
f To authenticate this user locally, select Password and type
a password.
f To authenticate this user using an LDAP, select LDAP and
select the server name.
f To authenticate this user using a RADIUS server, select
RADIUS and select the server name.
If you want to use an authentication server, you must
configure access to it first. See “ZXSEC US authentication
servers”.
5. Select OK.

Figure 13 Local user configuration

User Name Type or edit the user name.
Disable Select Disable to prevent this user from authenticating.
Password Select Password to authenticate this user using a
password stored on the ZTE unit. Type or edit the password. The
password should be at least six characters long.
LDAP Select LDAP to authenticate this user using a password
stored on an LDAP server. Select the LDAP server from the drop-
down list.

Note:
You can only select an LDAP server that has been added to the
ZXSEC US LDAP configuration.

RADIUS Select RADIUS to authenticate this user using a
password stored on a RADIUS server. Select the RADIUS server from
the drop-down list. Note: You can only select a RADIUS server that
has been added to the ZXSEC US RADIUS configuration.

Figure 14 Local user list

Create New Add a new local user account.
User Name The local user name.
Type The authentication type to use for this user.
Delete icon Delete the user.

Note:
The delete icon is not available if the user belongs to a user
group.
Edit icon Edit the user account.

To create a local user - CLI
config user local
edit <user_name>
set type password
set passwd <user_password>
end
or
config user local
edit <user_name>
set type ldap
set ldap_server <server_name>
end
or
config user local
edit <user_name>
set type radius
set radius_server <server_name>
end

To delete a user from the ZXSEC US unit configuration - web-based manager

Note:
You cannot delete a user that belongs to a user group that is
part of a firewall policy. Remove it from the user group first.
1. Go to User > Local.
2. Select the Delete icon beside the name of the user that you
want to remove.
3. Select OK.

Figure 15 Delete local user

To delete a user from the ZXSEC US unit configuration - CLI
config user local
delete <user_name>
end

Creating peer users
A peer user is a digital certificate holder that can use PKI
authentication. To use PKI authentication, you must define peers
to include in the authentication user group that is incorporated in
the authentication policy.
To define a peer user you need:
f a peer user name
f the text from the subject field of the certificate of the
authenticating peer user, or the CA certificate used to
authenticate the peer user. You can configure a peer user
with no values for the subject and certificate fields. This
user behaves like a user account or policy that is disabled.

Note:
If you create a PKI user in the CLI with no values in subject or
ca, you will not be able to open the user record in the GUI, or
you will be prompted to add a value in Subject (subject) or CA
(ca).

To create a peer user for PKI authentication - web-based manager
1. Go to User > PKI.
2. Select Create New, enter the following information, and
select OK.

Figure 16 PKI user configuration

Note:
Even though Subject and CA are optional fields, one of them
must be set.

Name Enter the name of the PKI user. This field is mandatory.
Subject Enter the text string that appears in the subject field of
the certificate of the authenticating user. This field is optional.
CA Enter the CA certificate that must be used to authenticate this
user. This field is optional.

Figure 17 PKI user list

Create New Add a new PKI user.
User Name The name of the PKI user.
Subject The text string that appears in the subject field of the
certificate of the authenticating user.
Delete icon Delete this PKI user. Note: The delete icon is not
available if the peer user belongs to a user group.
Edit icon Edit this PKI user.

To create a peer user for PKI authentication - CLI
config user peer
edit <peer_name>
set subject <subject_string>
set ca <ca_cert_string>
end

To delete a PKI user from the ZXSEC US unit configuration - web-based manager
1. Go to User > PKI.
2. Select the Delete icon beside the name of the PKI user that
you want to remove.
3. Select OK.

Figure 18 Delete PKI user

To delete a PKI user from the ZXSEC US unit configuration - CLI
config user peer
delete <peer_name>
end

Note:
You cannot remove a peer user that belongs to a user group that
is part of a firewall policy. Remove it from the user group first.

There are other configuration settings that can be
added/modified for PKI authentication, for example, you can
configure the use of an LDAP server to check access rights for
client certificates. For information about the detailed PKI
configuration settings only available through the CLI, see the
ZXSEC US CLI Reference.

User groups
A user group is a list of user/peer identities. An identity can be:
f a local user account (user name/password) stored on the
ZXSEC US unit
f a local user account with the password stored on a
RADIUS or LDAP server
f a peer user account with digital client authentication
certificate stored on the ZXSEC US unit
f a RADIUS or LDAP server (all identities on the server can
authenticate)
f a user group defined on a Microsoft Active Directory
server.
Firewall policies and some types of VPN configurations allow
access to user groups, not to individual users.
In most cases, the ZTE unit authenticates users by requesting
their user name and password. The ZTE unit checks local user
accounts first. If a match is not found, the ZTE unit checks the
RADIUS, LDAP, or TACACS+ servers that belong to the user
group. Authentication succeeds when a matching user name
and password are found.
For an Active Directory user group, the Active Directory server
authenticates users when they log on to the network. The ZTE
unit receives the user’s name and IP address from the FSAE
collector agent. For more information about FSAE, see the
FSAE Technical Note.
For more information about users and user groups, see the
ZXSEC US Administration Guide.

Protection profiles
Each user group is associated with a protection profile to
determine the antivirus, web filtering, spam filtering, logging,
and intrusion protection settings that apply to the authenticated
connection. The ZXSEC US unit contains several pre-configured
protection profiles and you can create your own as needed.
When you create or modify any firewall policy, you can select a
protection profile.
If the firewall policy requires authentication, its own protection
profile is disabled and the authentication user group protection
profile applies.

Note:
Protection profiles do not apply to VPN connections.
For more information about protection profiles, see the ZXSEC
US Administration Guide.

Creating user groups
You create a user group by typing a name, selecting users and/or
authentication servers, and selecting a protection profile.
To create a group - web-based manager
1. Go to User > User Group.
2. Select Create New and enter the following information.

Figure 19 User group

Name Name of the user group.
Type Type of user group - Firewall, Active Directory, or SSL VPN.
Protection Profile Select desired Protection Profile from list. Not
applicable to SSL VPN user groups.
Available Users/Groups Available user group members/user
groups. Select the members/groups you require and use the green
right arrow to move your selection to the Members column.
3. For Firewall and SSL VPN user groups, select the blue right
arrow below Available Users/Groups and Members to expand
the dialog box, and enter any additional information as
required. For information about configuring US Service web
filtering override capabilities, see the ZXSEC US
Administration Guide. For more information on SSL VPN user
groups, see the SSL VPN User Guide.
4. Select OK.
To create a group - CLI
config user group
edit <group_name>
set group-type <grp_type>
set member <user1> <user2> ... <usern>
set profile <profile_name>
end

Active Directory user groups
You cannot use Active Directory groups directly in ZXSEC US
firewall policies. You must add Active Directory groups to ZXSEC
US user groups.

Note:
An Active Directory group should belong to only one ZXSEC US
user group. If you assign it to multiple ZXSEC US user groups,
the ZXSEC US unit only recognizes the last user group
assignment.
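As an added example (not ZTE's or FSAE's code), the following models the Active Directory flow described in the "Active Directory servers" section and the single-assignment rule in the note above: logon events from the first reachable of up to five collector agents are folded into an IP-keyed copy of the group information, AD groups are mapped to ZXSEC US user groups, and a policy decision is made on the source IP alone, with no password check. The LogonEvent, Collector and UnitView names, the IP addresses and the group names are constructed for this example.

```python
# Added example (not ZTE's code): FSAE logon data -> IP-keyed groups -> policy.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class LogonEvent:
    """What a DC agent reports after a domain logon (constructed shape)."""
    user: str
    ip: str
    ad_groups: List[str]


@dataclass
class Collector:
    """A collector agent as seen from the unit: name, reachability, buffered events."""
    name: str
    up: bool
    events: List[LogonEvent] = field(default_factory=list)


class UnitView:
    """The unit's copy of the domain user/group information, keyed by source IP."""

    def __init__(self, collectors: List[Collector]):
        if not 1 <= len(collectors) <= 5:
            raise ValueError("configure between one and five collector agents")
        self.collectors = collectors
        self.ip_groups: Dict[str, Set[str]] = {}
        self.ip_user: Dict[str, str] = {}
        # AD group name -> ZXSEC US user group name (single assignment, see the note)
        self.ad_to_unit_group: Dict[str, str] = {}

    def active_collector(self) -> Optional[Collector]:
        """First reachable collector in the configured order (failover)."""
        return next((c for c in self.collectors if c.up), None)

    def refresh(self) -> int:
        """Pull logon events from the active collector; returns the number applied."""
        col = self.active_collector()
        if col is None:
            return 0
        for ev in col.events:
            self.ip_user[ev.ip] = ev.user
            self.ip_groups[ev.ip] = set(ev.ad_groups)
        return len(col.events)

    def assign_ad_group(self, ad_group: str, unit_group: str) -> None:
        """A later assignment replaces the earlier one, as the note above warns."""
        self.ad_to_unit_group[ad_group] = unit_group

    def unit_groups_for_ip(self, ip: str) -> Set[str]:
        """ZXSEC US user groups recognized for this source IP; no credential check."""
        return {self.ad_to_unit_group[g]
                for g in self.ip_groups.get(ip, set())
                if g in self.ad_to_unit_group}

    def policy_allows(self, ip: str, policy_groups: Set[str]) -> bool:
        """A policy allows the flow if the IP maps to any of its user groups."""
        return bool(self.unit_groups_for_ip(ip) & policy_groups)
```

Because the decision is keyed on the IP address, the mapping is only as trustworthy as the host behind it: a shared workstation, a terminal server or a NAT device in front of several users inherits whatever group the last logon from that address carried, which is a point to weigh before granting sensitive access this way.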
To create an Active Directory user group
1. Go to User > User Group.
2. Select Create New, enter the following information, and select
OK.

Figure 20 New User Group dialog box

Name Name of the Active Directory user group.
Type Type of user group. Select Active Directory.
Protection Profile Select the required protection profile from the list.
Available Users Available Active Directory user groups. Select
the groups you require and use the green right arrow to move your
selection to the Members column.
Members The list of Active Directory users that belong to the user
group.
Right arrow button Add a user to the Members list. Select a
user name in the Available Users list and select the right arrow
button to move it to the Members list.
Left arrow button Remove a user from the Members list. Select a
user name or server name in the Members list and select the left
arrow button to move it to the Available Users list.

Chapter 4

Configuring authenticated access

Overview
When you have configured authentication servers, users, and
user groups, you are ready to configure firewall policies and
certain types of VPNs to require user authentication.
This section describes:
„ Authentication timeout
„ Authentication protocols
„ Firewall policy authentication
„ VPN authentication

Authentication timeout
You set the firewall user authentication timeout (Authentication
Timeout) to control how long an authenticated connection can be
idle before the user must authenticate again. The maximum
timeout is 480 minutes (8 hours). The default timeout is 5
minutes.

To set the firewall authentication timeout
1. Go to User > Authentication > Authentication.
2. Enter the Authentication Timeout value in minutes. The
default authentication timeout is 5 minutes.
3. Select Apply.

You set the SSL VPN user authentication timeout (Idle Timeout)
to control how long an authenticated connection can be idle
before the user must authenticate again. The maximum timeout
is 28800 seconds. The default timeout is 300 seconds.

To set the SSL VPN authentication timeout
1. Go to VPN > SSL > Config.
2. Enter the Idle Timeout value (seconds).
3. Select Apply.

Authentication protocols
User authentication can be performed for the following protocols:
f HTTP
f HTTPS
f FTP
f Telnet
When user authentication is enabled on a firewall policy, the
authentication challenge is normally issued for any of the four
protocols (dependent on the connection protocol). By making
selections in the Protocol Support list, the user controls which
protocols support the authentication challenge. The user must
connect with a supported protocol first so they can subsequently
connect with other protocols. If you have selected HTTP, FTP, or
Telnet, user name and password-based authentication occurs:
the ZXSEC US unit prompts network users to input their firewall
user name and password. If you have selected HTTPS,
certificate-based authentication (HTTPS, or HTTP redirected to
HTTPS only) occurs: you must install customized certificates on
the ZXSEC US unit and on the browsers of network users.

Note:
If you do not install certificates on the network user’s web
browser, the network users may see an SSL certificate warning
message and have to manually accept the default ZXSEC US
certificate. The network user’s web browser may deem the
default certificate as invalid.

Note:
When you use certificate authentication, if you do not specify any
certificate when you create the firewall policy, the global settings
are used. If you specify a certificate, the per-policy setting
overrides the global setting. For information about the use of
certificate authentication, see the ZXSEC US Certificate
Management User Guide.

To set the authentication protocols


1. Go to User > Authentication > Authentication.
2. In Protocol Support, select the required authentication
protocols.
3. If using HTTPS protocol support, in Certificate, select a Local
certificate from the drop-down list.
4. Click Apply.

FIGURE 21 AUTHENTICATION SETTINGS

Firewall policy authentication


Firewall policies control traffic between ZXSEC US interfaces,
both physical interfaces and VLAN subinterfaces. Without
authentication, a firewall policy enables access from one network
to another for all users on the source network. Authentication
enables you to allow access only for users who are members of
selected user groups.

Note:
You can only configure user authentication for firewall policies
where Action is set to Accept.

Configuring authentication for a firewall policy
Authentication is an Advanced firewall option.

FIGURE 22 CONFIGURING AUTHENTICATION

To configure authentication for a firewall policy


1. Create users and one or more Firewall user groups. You must
select Type: Firewall for the user group. For more information,
see “Users/peers and user groups”.
2. Go to Firewall > Policy.
3. Select Create New (to create a new policy) or select the Edit
icon (to edit an existing policy).
4. From the Action list, select ACCEPT.
5. Configure the other firewall policy parameters as appropriate.
For information about firewall policies, see the Firewall chapter of
the ZXSEC US Administration Guide.
6. Select Authentication.
7. One at a time, select user group names from the Available
Groups list and select the right-pointing arrow button to
move them to the Allowed list. All members of the groups in
the Allowed list will be authenticated with this firewall policy.

8. To use a CA certificate for authentication, in Certificate, select
the certificate to use from the drop-down list.
9. To require the user to accept a disclaimer to connect to the
destination, select User Authentication Disclaimer. The User
Authentication Disclaimer replacement message is displayed.
You can edit the User Authentication Disclaimer replacement
message text by going to System > Config > Replacement
Messages.
10. Type a URL in Redirect URL if the user is to be redirected
after they are authenticated or accept the disclaimer.
11. Select OK.

Configuring authenticated access to the Internet
A policy for accessing the Internet is similar to a policy for
accessing a specific network, but the destination address is set to
all. The destination interface is the one that connects to the
Internet service provider. For general purpose Internet access,
the Service is set to ANY.
Access to HTTP, HTTPS, FTP and Telnet sites may require access
to a domain name service. DNS requests do not trigger
authentication. You must configure a policy to permit
unauthenticated access to the appropriate DNS server, and this
policy must precede the policy for Internet access.

To configure a firewall policy for access to a DNS server - web-based manager
1. Go to Firewall > Policy.
2. Select Create New to create a new firewall policy, enter the
following information, and select OK.
Source Interface/Zone: List of source interfaces available. Select
the interface to which computers on your network are connected.
Source Address: List of source address names. Select all.
Destination Interface/Zone: List of destination interfaces
available. Select the interface that connects to the Internet.
Destination Address: List of destination address names. Select all.
Schedule: List of available schedules. Select always.
Service: List of available services. Select DNS.
Action: List of available actions. Select ACCEPT.

Note:
You will position the DNS policy in the firewall policy list
according to the guidelines outlined in “Firewall policy order”.

Firewall policy order

The firewall policies that you create must be correctly placed in
the policy list to be effective. The firewall evaluates a connection
request by checking the policy list from the top down, looking for
the first policy that matches the source and destination
addresses of the packet. Keep these rules in mind:
• More specific policies must be placed above more general ones.
• Any policy that requires authentication must be placed above
any similar policy that does not.
• If a user fails authentication, the firewall drops the request and
does not check for a match with any of the remaining policies.
• If you create a policy that requires authentication for HTTP
access to the Internet, you must precede this policy with a policy
for unauthenticated access to the appropriate DNS server.
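The ordering rules above, with the top-down first-match evaluation and the DNS case worked through in an added Python model (not ZXSEC US code; the Policy and Request structures, the address names and the group names are constructed assumptions):

```python
"""Model of top-down, first-match policy evaluation. Added illustration,
not ZXSEC US code: Policy and Request are hypothetical simplifications."""
from dataclasses import dataclass

# Only these four services can trigger the authentication challenge.
AUTH_CHALLENGE_SERVICES = frozenset({"HTTP", "HTTPS", "FTP", "TELNET"})

@dataclass(frozen=True)
class Policy:
    name: str
    src: str                                 # source address name; "all" matches any
    dst: str                                 # destination address name; "all" matches any
    service: str                             # service name; "ANY" matches any
    action: str = "ACCEPT"
    allowed_groups: frozenset = frozenset()  # empty: no authentication required

@dataclass(frozen=True)
class Request:
    src: str
    dst: str
    service: str
    authenticated: bool = False              # already authenticated and not idle-expired
    user_groups: frozenset = frozenset()     # groups the user belongs to once authenticated

def matches(policy: Policy, req: Request) -> bool:
    return (policy.src in ("all", req.src)
            and policy.dst in ("all", req.dst)
            and policy.service in ("ANY", req.service))

def evaluate(policies, req: Request, credentials_ok: bool = True):
    """Return (verdict, policy name). The first policy whose addresses and
    service match decides; later policies are never consulted, even when
    authentication on the matching policy fails."""
    for p in policies:
        if not matches(p, req):
            continue
        if p.action != "ACCEPT":
            return "DENY", p.name
        if not p.allowed_groups:
            return "ACCEPT", p.name              # no authentication on this policy
        if not req.authenticated:
            if req.service not in AUTH_CHALLENGE_SERVICES:
                return "DROP", p.name            # e.g. DNS: no challenge can be issued
            if not credentials_ok:
                return "DROP", p.name            # failed login: remaining policies skipped
        if req.user_groups & p.allowed_groups:
            return "ACCEPT", p.name
        return "DROP", p.name                    # not a member of an allowed group
    return "DENY", "implicit-deny"

# Constructed policies: unauthenticated DNS access and authenticated Internet access.
DNS_POLICY = Policy("dns-unauth", "all", "dns-server", "DNS")
INTERNET_POLICY = Policy("internet-auth", "all", "all", "ANY",
                         allowed_groups=frozenset({"staff"}))

def dns_allowed(order) -> bool:
    """Can an unauthenticated LAN host reach the DNS server under this order?"""
    verdict, _ = evaluate(order, Request("lan-pc", "dns-server", "DNS"))
    return verdict == "ACCEPT"   # True with DNS policy first, False when shadowed
```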

To change the position of the DNS policy in the policy list - web-based manager
1. Go to Firewall > Policy.
2. If necessary, expand the list to view your policies.
3. Select the Move To icon beside the DNS policy you created.

FIGURE 23 FIREWALL > POLICY - MOVE TO

Note:
The ZXSEC US unit performs authentication only on requests to
access HTTP, HTTPS, FTP, and Telnet. Once the user is
authenticated, the user can access other services if the firewall
policy permits.
4. Select the position of the DNS policy so that it precedes the
policy that provides access to the Internet.

FIGURE 24 MOVE FIREWALL POLICY POSITION SELECTION

5. Select OK.

VPN authentication
All VPN configurations require users to authenticate.
Authentication based on user groups applies to:
• PPTP and L2TP VPNs
• an IPSec VPN that authenticates users using dialup groups
• a dialup IPSec VPN that uses XAUTH authentication (Phase 1)

This document does not describe the use of certificates for VPN
authentication. See the ZXSEC US IPSec VPN User Guide and the
ZXSEC US Certificate Management User Guide for information on
this type of authentication.
You must create user accounts and user groups before performing
the procedures in this section. If you create a user group for
dialup IPSec clients or peers that have unique peer IDs, their
user accounts must be stored locally on the ZXSEC US unit. You
cannot authenticate these types of users using a RADIUS or
LDAP server.

Authenticating PPTP VPN users


To configure authentication for a PPTP VPN - web-based manager
1. Configure the users who are permitted to use this VPN.
Create a user group and add them to it.
For more information, see “Users/peers and user groups”.


2. Go to VPN > PPTP.

FIGURE 25 PPTP SETTING

3. Select Enable PPTP.


4. Enter Starting IP and Ending IP addresses. This defines the
range of addresses assigned to VPN clients.
5. Select the user group that is to have access to this VPN. The
ZXSEC US unit authenticates members of this user group.
6. Select Apply.
To configure authentication for a PPTP VPN - CLI
    config vpn pptp
        set sip <starting_ip>
        set eip <ending_ip>
        set status enable
        set usrgrp <user_group_name>
    end
You also need to define a firewall policy that permits packets to
pass from VPN clients with addresses in the specified range to IP
addresses that the VPN clients need to access on the private
network behind the ZXSEC US unit. The Action for this firewall
policy is ACCEPT, not ENCRYPT, because the allowed user group
is defined in the PPTP VPN configuration, not in the firewall policy.
For detailed information about configuring PPTP, see the ZXSEC
US PPTP VPN User Guide.

Authenticating L2TP VPN users


Authentication for the ZXSEC US L2TP configuration must be
done using the config vpn l2tp CLI command.

To configure authentication for an L2TP VPN - CLI
    config vpn l2tp
        set sip <starting_ip>
        set eip <ending_ip>
        set status enable
        set usrgrp <user_group_name>
    end
For more information, see the ZXSEC US CLI Reference.

Authenticating remote IPSec VPN users using dialup groups
An IPSec VPN on a ZXSEC US unit can authenticate remote users
through a dialup group. The user account name is the peer ID
and the password is the pre-shared key. For information about
authentication using peer IDs and peer groups, see “Enabling
VPN access using user accounts and pre-shared keys” in the
ZXSEC US IPSec VPN User Guide.
Authentication through user groups is supported for groups
containing only local users. To authenticate users using a RADIUS
or LDAP server, you must configure XAUTH settings. See
“Enabling XAuth authentication for dialup IPSec VPN clients”.

To configure user group authentication for dialup IPSec - web-based manager
1. Configure the dialup users who are permitted to use this VPN.
Create a user group with Type:Firewall and add them to it.
For more information, see “Users/peers and user groups”.
2. Go to VPN > IPSec > Auto Key (IKE), select Create Phase
1 and enter the following information.

FIGURE 26 CONFIGURE VPN IPSEC DIALUP AUTHENTICATION

Name: Name for the group of dialup users using the VPN for
authentication.
Remote Gateway: List of the types of remote gateways for VPN.
Select Dialup User.
Authentication Method: List of authentication methods available
for users. Select Preshared Key.
Peer Options: Selection of peer ID options available. Select the
user group that is to be allowed access to the VPN. The listed user
groups contain only users with passwords on the ZXSEC US unit.

Note:
The Accept peer ID in dialup group option does not support
authentication of users through an authentication server.
3. Select Advanced to reveal additional parameters and
configure other VPN gateway parameters as needed.
4. Select OK.

To configure user group authentication for dialup IPSec - CLI
    config vpn ipsec phase1
        edit <gateway_name>
            set peertype dialup
            set usrgrp <user_group_name>
        next
    end


Note:
Parameters specific to setting up the VPN itself are not shown
here. For detailed information, see the ZXSEC US IPSec VPN
User Guide.

Enabling XAuth authentication for dialup IPSec VPN clients
XAuth can be used in addition to or in place of IPSec phase 1
peer options to provide access security through an LDAP or
RADIUS authentication server. You must configure dialup users
as members of a user group who are externally authenticated.
None can have passwords stored on the ZXSEC US unit.

To configure authentication for a dialup IPSec VPN - web-based manager
1. Configure the users who are permitted to use this VPN.
Create a user group and add them to it.
For more information, see “Users/peers and user groups”.
2. Go to VPN > IPSec > Auto Key (IKE), and enter the
following information.

FIGURE 27 AUTO KEY (IKE)

Name: Name for the group of dialup users using the VPN for
authentication through RADIUS or LDAP servers.
Remote Gateway: List of the types of remote gateways for VPN.
Select Dialup User.
Authentication Method: List of authentication methods available
for users. Select Preshared Key.
3. Select Advanced to reveal additional parameters and enter
the following information.
XAuth: Select Enable as Server.
Server Type: Select PAP, CHAP, or AUTO. Use CHAP whenever
possible. Use PAP with all implementations of LDAP and with other
authentication servers that do not support CHAP, including some
implementations of Microsoft RADIUS. Use AUTO with the ZTE
Remote VPN Client and where the authentication server supports
CHAP but the XAuth client does not.
User Group: List of available user groups. Select the user group
that is to have access to the VPN. The list of user groups does not
include any group that has members whose password is stored on
the ZXSEC US unit.
4. Configure other VPN gateway parameters as needed.

5. Select OK.
For more information about XAUTH configuration, see the
ZXSEC US IPSec VPN User Guide.

To configure authentication for a dialup IPSec VPN - CLI
    config vpn ipsec phase1
        edit <gateway_name>
            set peertype dialup
            set xauthtype pap
            set authusrgrp <user_group_name>
        next
    end
Parameters specific to setting up the VPN itself are not shown
here. For detailed information about configuring an IPSec VPN,
see the ZXSEC US IPSec VPN User Guide.
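Why the Server Type guidance above prefers CHAP but requires PAP with LDAP, as an added Python illustration (not ZXSEC US or ZTE code; PasswordStore, BindOnlyDirectory and xauth_exchange are hypothetical stand-ins for a RADIUS user database, an LDAP simple bind and the XAuth server side, and the AUTO negotiation is not modelled):

```python
"""PAP versus CHAP on the XAuth server side. Added illustration, not ZXSEC US
code: PasswordStore and BindOnlyDirectory are hypothetical stand-ins for a
RADIUS user database and an LDAP simple bind."""
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class PasswordStore:
    """Backend that holds each user's secret, so it can verify PAP and CHAP."""
    def __init__(self, users):
        self._users = dict(users)

    def verify_pap(self, user: str, password: bytes) -> bool:
        secret = self._users.get(user)
        return secret is not None and hmac.compare_digest(secret, password)

    def verify_chap(self, user, identifier, challenge, response) -> bool:
        secret = self._users.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

class BindOnlyDirectory(PasswordStore):
    """Models an LDAP server: a simple bind can test a cleartext password (PAP),
    but the stored secret is never released to the ZXSEC US unit, so a CHAP
    response cannot be verified."""
    def verify_chap(self, *_):
        raise NotImplementedError("LDAP bind cannot verify a CHAP response")

def xauth_exchange(server_type: str, backend, user: str, password: bytes):
    """Simulate the XAuth server. Returns (accepted, credential bytes that crossed
    the link). PAP sends the password itself; CHAP sends a challenge and an MD5
    response, which only a backend that knows the secret can verify."""
    if server_type == "PAP":
        return backend.verify_pap(user, password), password
    if server_type == "CHAP":
        identifier, challenge = 1, os.urandom(16)
        response = chap_response(identifier, password, challenge)  # client side
        try:
            ok = backend.verify_chap(user, identifier, challenge, response)
        except NotImplementedError:
            ok = False                      # why the guide says: use PAP with LDAP
        return ok, challenge + response
    raise ValueError("server_type must be PAP or CHAP (AUTO negotiation not modelled)")
```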


Figures

Figure 1 Authentication Login, page 3
Figure 2 Configure ZXSEC US unit for RADIUS authentication, page 12
Figure 3 Delete RADIUS server, page 13
Figure 4 example, page 15
Figure 5 Configure ZXSEC US unit for LDAP authentication, page 17
Figure 6 Delete LDAP server, page 19
Figure 7 LDAP server Distinguished Name Query tree, page 19
Figure 8 TACACS+ server configuration, page 21
Figure 9 Delete TACACS+ server, page 22
Figure 10 Configure ZXSEC US unit for Active Directory server authentication, page 24
Figure 11 Delete Windows AD server, page 25
Figure 12 Domain and group information received from Active Directory server, page 25
Figure 13 Local user configuration, page 29
Figure 14 Local user list, page 29
Figure 15 Delete local user, page 30
Figure 16 PKI user configuration, page 31
Figure 17 PKI User list, page 32
Figure 18 Delete PKI user, page 33
Figure 19 User Group, page 35
Figure 20 New User Group dialog box, page 36
Figure 21 Authentication Settings, page 39
Figure 22 Configuring authentication, page 40
Figure 23 Firewall > Policy - Move To, page 42
Figure 24 Move firewall policy position selection, page 43
Figure 25 PPTP Setting, page 44
Figure 26 Configure VPN IPSec dialup authentication, page 46
Figure 27 Auto Key (IKE), page 48


Tables

Table 1 Chapter Summary, page i
Table 2 Typographical Conventions, page i
Table 3 Mouse Operation Conventions, page ii
Table 4 RADIUS attributes sent in RADIUS accounting message, page 10
Table 5 How the ZXSEC US unit authenticates different types of users, page 27
