Chapter 12 – Web Authentication
HCSA-NGFW 2022
Contents
1 Web Authentication
2 Active Directory(AD)
Web Authentication
Commonly used Scenario
www.hillstonenet.com
AAA
• AAA is the abbreviation for Authentication, Authorization and Accounting. Details
are as follows:
- Authentication: Authenticates users' identities.
- Authorization: Grants certain privileges according to the configuration.
- Accounting: Records the fees users should pay for their network resource usage.
• AAA server types:
- Local
- Active Directory
- LDAP
- RADIUS
- TACACS+
Web Authentication
• Web authentication is used to identify and authenticate Intranet users who want to access the Internet through the device.
Configure WebAuth
Network > WebAuth > WebAuth, turn on Web Authentication
Authentication Method
• Proactive Authentication
- Input the IP+Port in the web browser to access the authentication page directly.
- Need to enable the “Proactive Webauth” service on the interface.
• Passive Authentication
- Web access (http/https) is redirected to the WebAuth login page by the web browser.
- Need to add a WebAuth policy for “unknown” users.
Create Local User Account
Object > User > Local User. Click New to create a user.
Proactive Authentication - Configure Interface
Network > Interface, edit the interface used for WebAuth (the LAN interface) and enable the WebAuth service.
Proactive Authentication - Policy
Policy > Security Policy
To perform fine-grained access control based on users, add a role/user/user group to the policy rule.
Note: In proactive WebAuth mode, the user must manually enter the IP+Port in the browser to reach the WebAuth page.
Passive Authentication – Permit DNS Traffic
• The pop-up user authentication window is triggered only by HTTP/HTTPS traffic. Non-web traffic such as DNS is not redirected and must be permitted by its own policy, otherwise name resolution fails before the user ever reaches the login page.
Passive Authentication – Unknown User
• A policy for unknown users must be added above the user-based policy. Its action is WebAuth, which triggers user login authentication.
Passive Authentication – Policy
Policy > Security Policy
To perform fine-grained access control based on users, add a role/user/user group to the policy rule.
Note: In passive WebAuth mode, web access is redirected to the WebAuth login page automatically via the browser.
Active Directory(AD)
AD Server
• Domain: hillstone.com
• OU: hcsa, Users: user1, user2
• OU: users, User: administrator
• Requirement: synchronize user1 and user2
• Base-dn
➢ Synchronize the OU that the users belong to
➢ Format: ou=hcse,dc=hillstone,dc=com
• Login-dn
➢ A user with system administrator privileges, identified by its CN.
➢ Format: cn=administrator,cn=users,dc=hillstone,dc=com
➢ For the special Users group the group is written as cn; other groups are written as ou.
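As an added illustration (not part of the Hillstone course material), the Python below builds the base-dn and login-dn strings from the AD layout on this slide and checks which accounts fall inside the synchronization scope. Treating the Computers and Builtin containers as CN objects, like Users, is an AD default assumed here rather than stated on the slide.

```python
"""Build StoneOS base-dn / login-dn strings from an AD layout and check sync scope."""

# Built-in AD containers are CN objects; admin-created organisational units are OUs.
# "users" is the special case named on the slide; "computers" and "builtin" are
# assumed here from AD defaults (not mentioned on the slide).
BUILTIN_CONTAINERS = {"users", "computers", "builtin"}


def domain_to_dc(domain: str) -> str:
    """'hillstone.com' -> 'dc=hillstone,dc=com'."""
    labels = [lbl for lbl in domain.lower().split(".") if lbl]
    if len(labels) < 2:
        raise ValueError(f"domain needs at least two labels: {domain!r}")
    return ",".join(f"dc={lbl}" for lbl in labels)


def container_rdn(name: str) -> str:
    """Pick cn= for built-in containers and ou= for everything else."""
    return f"cn={name}" if name.lower() in BUILTIN_CONTAINERS else f"ou={name}"


def base_dn(domain: str, *path: str) -> str:
    """Base-dn for the container chain, leaf first: base_dn('hillstone.com', 'hcsa')."""
    return ",".join([container_rdn(p) for p in path] + [domain_to_dc(domain)])


def login_dn(domain: str, account: str, *path: str) -> str:
    """Login-dn of the bind account: its CN followed by its container chain."""
    return ",".join([f"cn={account}"] + [container_rdn(p) for p in path]
                    + [domain_to_dc(domain)])


def is_under(dn: str, base: str) -> bool:
    """True when `dn` lies in the subtree rooted at `base` (case-insensitive, RDN boundary)."""
    d = dn.lower().replace(", ", ",")
    b = base.lower().replace(", ", ",")
    return d == b or d.endswith("," + b)


def users_in_scope(user_dns, base: str) -> list:
    """Accounts the device would synchronize for the given base-dn."""
    return [dn for dn in user_dns if is_under(dn, base)]


if __name__ == "__main__":
    # Constructed sample matching the slide: user1/user2 in OU hcsa, administrator in Users.
    dom = "hillstone.com"
    accounts = [login_dn(dom, "user1", "hcsa"), login_dn(dom, "user2", "hcsa"),
                login_dn(dom, "administrator", "users")]
    print("base-dn :", base_dn(dom, "hcsa"))
    print("login-dn:", login_dn(dom, "administrator", "users"))
    print("synced  :", users_in_scope(accounts, base_dn(dom, "hcsa")))
```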
Configure AAA Server - AD
SG-6000(config)# aaa-server AD-server type active-directory
SG-6000(config-aaa-server)# host 192.168.1.100
SG-6000(config-aaa-server)# base-dn ou=east,dc=ps,dc=com
SG-6000(config-aaa-server)# login-dn cn=Administrator,ou=east,dc=ps,dc=com
SG-6000(config-aaa-server)# login-password password
SG-6000(config-aaa-server)# exit
Single Sign-On(SSO)
• Single Sign-On is a simplified type of Web authentication: the user does not need to type any information. The device checks the user's computer login information, and if the logged-in user matches an account on the AAA server, the user passes authentication.
• StoneOS requires that the AAA server used for SSO be an Active Directory server, and all users must be added to the domain.
SSO Solutions
• SSO-Monitor
• AD-Scripting (SSO-Agent, installed on the AD server)
• AD-Polling (agentless solution)
Questions
1. Which types of AAA server support Web authentication?
2. What are the two web authentication methods?
3. Which types of protocol traffic can be authenticated by the Web authentication function?
4. Which SSO solutions are supported?
LAB
Topology (from diagram):
• FW1 E0/1 (L3-trust): 192.168.1.254/24, DHCP pool 192.168.1.10-20, NAT to the Internet
• FW1 E0/3 (L3-trust): 182.168.12.1/24
• PC1 on the 192.168.1.0/24 segment (address shown: 192.168.1.1)
• Server: 182.168.12.2/24
• FW integrates with the Server (AD)
• PC1 uses passive web-auth to access the Internet
Thanks