Using Ldap Servers For Authentication And Authorization; Ldap Authentication - Watchguard SSL 1000 User Manual
Vpn gateway
Hide thumbs
Also See for SSL 1000:
- Setup manual (6 pages) ,
- Hardware manual (31 pages) ,
- Quick reference manual (2 pages)
Table of Contents
Advertisement
RADIUS authentication. If you synchronize configurations among several Firebox SSL VPN Gateway
appliances in a cluster, all the appliances are configured with the same secret. Shared secrets are config-
ured on the Firebox SSL VPN Gateway when a RADIUS realm is created.
Using LDAP Servers for Authentication and Authorization
You can configure the Firebox SSL VPN Gateway to authenticate user access with an LDAP server. If a
user is not located in an LDAP directory or fails authentication on a server, the Firebox SSL VPN Gateway
checks the user against the user information stored locally on the Firebox SSL VPN Gateway.
LDAP authorization requires identical group names in Active Directory, on the LDAP server, and on the
Firebox SSL VPN Gateway. The characters and case must also be the same.
LDAP authentication
Starting with Version 5.0 of the Firebox SSL VPN Gateway, LDAP authentication, by default, is secure
using SSL/TLS. There are two types of secure LDAP connections. With one type, the LDAP server accepts
the SSL/TLS connection on a port separate from the port used to accept clear LDAP connections. After a
client establishes the SSL/TLS connection, LDAP traffic can be sent over the connection. The second
type allows both unsecure and secure LDAP connections and is handled by a single port on the server.
In this scenario, to create a secure connection, the client first establishes a clear LDAP connection. Then,
the LDAP command StartTLS is sent to the server over the connection. If the LDAP server supports Start-
TLS, the connection is converted to a secure LDAP connection using TLS.
The standard port numbers for unsecure LDAP connections is 389. The port number for secure LDAP
connections with SSL/TLS is 636. LDAP connections that use the StartTLS command use port number
389. The Microsoft port numbers for unsecure and secure LDAP connections are 3268 and 3269. If port
numbers 389 or 3268 are configured on the Firebox SSL VPN Gateway, it tries to use StartTLS to make
the connection. If any other port number is used, connection attempts are made using SSL/TLS.
When configuring the Firebox SSL VPN Gateway to use LDAP authentication and the check box Allow
Unsecure Traffic is selected, LDAP connections are unsecure.
When upgrading the Firebox SSL VPN Gateway from an earlier version, and an LDAP realm is already
configured, LDAP connections are unsecure by default. If this is a new installation of the Firebox SSL VPN
Gateway, or you are creating a new LDAP realm, LDAP connections are secure by default.
When configuring the LDAP server, the letter case must match what is on the server and what is on the
Firebox SSL VPN Gateway. If the root directory of the LDAP server is specified, all of the subdirectories
are also searched to find the user attribute. In large directories, this can affect performance; we recom-
mend that you use a specific organizational unit (OU).
The following table contains examples of user attribute fields for LDAP servers.
LDAP Server
Microsoft Active Directory Server
Novell eDirectory
IBM Directory Server
Lotus Domino
Sun ONE directory (formerly iPlanet)
Administration Guide
Using LDAP Servers for Authentication and Authorization
Note
User Attribute
Case Sensitive
sAMAccountName
No
cn
Yes
uid
CN
uid or cn
Yes
73
Advertisement
Table of Contents
Troubleshooting
