Welcome to the fourth article in a series dedicated to UserGate products. In this article, we look at how to create a local user on a UserGate device, add an LDAP connector to integrate with Microsoft Active Directory, and configure a captive portal.
User authentication lets you apply security policies (firewall rules, web security rules and so on) only to the users or user groups they are intended for.
Users and user groups can be created on the UserGate device itself (local users and groups). In addition to local users, you can add an authorization server. The following types of authorization servers are supported:
LDAP connector (the type used in this article to connect to Active Directory);
RADIUS user authorization server;
TACACS+ user authorization server;
Kerberos authorization server;
NTLM authorization server;
SAML authorization server (SSO).
UserGate operates with the following sets of users:
Unknown user – the set of users not identified by the system;
Known user – the set of users identified by the system;
Any user – any user (the union of the Known and Unknown sets);
Specific user – a particular user defined and identified on the system.
In this article, we consider an explicit way of identifying users: through the captive portal. UserGate also has transparent identification methods, Kerberos for example, but that mechanism is beyond the scope of this course.
Creating local users
To create a local user you only need to specify a name, but for the user to be identified you must also specify one of the following:
Login and password – identification by name and password. In this case, you will need to configure the Captive portal, where the user enters this username and password for authorization.
IP address or range and/or MAC address – identification by a combination of MAC and IP addresses. In this case, you must ensure that this user always accesses the network from the specified MAC and/or IP address: the gateway trusts the address, so any host that presents it inherits the user’s access.
VLAN ID – identification by VLAN tag. In this case, you must ensure that this user always accesses the network from the specified VLAN.
When creating a local user, you can also specify email addresses and phone numbers. If these are set, they can be used to send the user the necessary information, for example as the second factor in multi-factor authentication.
If a user has both a login and password and an IP/MAC/VLAN binding, the system uses address identification; that is, address identification has the higher priority, and the user is identified without ever visiting the Captive portal.
For more convenient management of user security policies, users can be combined into groups.
Adding an LDAP connector
Let’s consider connecting to Active Directory through an LDAP connector, to be used as an authorization method for the Captive portal. To do this, in the “Authorization Servers” section, click the “Add” button and select “Add LDAP Connector”.
Next, in the “LDAP Connector Properties” window, tick the “On” checkbox, enter a name, and specify the domain name or IP address of the LDAP server. In the “Bind DN (“login”)” field, specify the account UserGate uses to connect to the LDAP server. Administrator rights are not required, search and read rights are sufficient, so a dedicated low-privileged service account is appropriate. The name must be in the format DOMAIN\username or username@domain. After entering that account’s password, list on the “LDAP Domains” tab the domains served by the specified domain controller; this list is offered for selection on the Captive portal authorization page when the corresponding option is enabled.
You can also specify a search path (the directory DN from which searches start) to narrow the search scope for users and groups; without a path, the whole directory is searched. The “Kerberos keytab” tab is for uploading a keytab file. It is needed when configuring Kerberos authorization, but UserGate recommends uploading the file even if you do not plan to use Kerberos authorization, because the gateway can use the Kerberos mechanism to reduce the load on the LDAP servers.
Configuring a Captive Portal
The Captive portal allows you to authorize Unknown users: those who were not identified by the Terminal Server agent, the Authentication Agent for Windows, or an explicit IP address binding. In addition, using the Captive portal you can configure user self-registration with identity confirmation via SMS or e-mail.
Authorization through the Captive portal is possible only over HTTP and HTTPS. That is, the user must open a browser and authenticate on the portal before gaining access to a destination over protocols other than HTTP and HTTPS.
To configure the Captive portal, you must first add an authorization profile:
In it, we specify the authentication methods: local users and the previously created authorization server (the LDAP connector).
After that, we create a Captive profile:
In the profile properties, we specify the name and can also select the authorization page template. For the identification method, there are two options for how UserGate remembers the user:
Remember IP address. Maps the IP address to the user. This option does not work correctly if there is a NAT device between the users and UserGate, since every host behind the NAT shares the same address and is identified as the user who logged in.
Remember cookie. This method adds a cookie to the user’s browser. It allows users behind a NAT device to be authorized, but only over HTTP(S) and only in the browser in which the Captive portal authorization took place. Also, for firewall rules, a user identified by a cookie is always treated as Unknown user.
In the captive profile, select the previously created authorization profile.
On the Captive portal page, we create a rule; it defines the traffic to which the identification methods from the previously created captive profile are applied.
By specifying different conditions and using different captive profiles in several Captive portal rules, you can obtain different user identification policies.
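The identification behaviour described in this article, the user sets (Known, Unknown, Any), the priority of address identification over a portal login, and the difference between remembering a portal login by IP address and by cookie, is modelled in the following Python example. It is an added illustration, not UserGate code: the gateway, the user names, the addresses and the cookie format are constructed for the example, and the identification policy is a simplified model of what the text describes.

```python
"""Model of the user identification behaviour described in this article.

Constructed example, not UserGate code: an in-memory gateway that resolves a
connection to a user the way the text describes. Names, addresses and the
cookie format are made up for the illustration.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

UNKNOWN = "Unknown"


@dataclass
class LocalUser:
    name: str
    login: Optional[str] = None
    password: Optional[str] = None
    ip: Optional[str] = None        # address bindings: IP, MAC and/or VLAN
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def address_match(self, conn) -> bool:
        """Every address binding the user has must match (IP+MAC combination)."""
        pairs = [(self.ip, conn.src_ip), (self.mac, conn.src_mac), (self.vlan, conn.vlan)]
        present = [(want, got) for want, got in pairs if want is not None]
        return bool(present) and all(want == got for want, got in present)


@dataclass
class Connection:
    src_ip: str                     # address as seen by the gateway (after NAT)
    src_mac: str
    vlan: int
    cookie: Optional[str] = None    # only a browser over HTTP(S) carries one


@dataclass
class Gateway:
    users: list
    remember: str = "ip"            # captive profile setting: "ip" or "cookie"
    by_ip: dict = field(default_factory=dict)
    by_cookie: dict = field(default_factory=dict)
    _ids: object = field(default_factory=count, repr=False)

    def captive_login(self, conn, login, password) -> Optional[str]:
        """Portal login over HTTP(S). Returns the cookie the browser must keep
        (cookie mode), the literal 'ip' (IP mode) or None on bad credentials."""
        user = next((u for u in self.users
                     if u.login == login and u.password == password), None)
        if user is None:
            return None
        if self.remember == "ip":
            self.by_ip[conn.src_ip] = user.name
            return "ip"
        token = f"captive-{next(self._ids)}"      # constructed cookie format
        self.by_cookie[token] = user.name
        return token

    def identify(self, conn) -> tuple:
        """Return (user, firewall_identity). Firewall rules see the user name
        for address- and IP-identified users but Unknown for a cookie one."""
        for u in self.users:                      # 1. address binding wins
            if u.address_match(conn):
                return u.name, u.name
        if conn.src_ip in self.by_ip:             # 2. remembered by IP
            return self.by_ip[conn.src_ip], self.by_ip[conn.src_ip]
        if conn.cookie in self.by_cookie:         # 3. remembered by cookie
            return self.by_cookie[conn.cookie], UNKNOWN
        return UNKNOWN, UNKNOWN


def rule_matches(rule_users: str, firewall_identity: str) -> bool:
    """Match a firewall rule's user condition: Any, Known, Unknown or a name."""
    if rule_users == "Any":
        return True
    if rule_users == "Known":
        return firewall_identity != UNKNOWN
    if rule_users == UNKNOWN:
        return firewall_identity == UNKNOWN
    return rule_users == firewall_identity


def scenario(remember: str) -> dict:
    """Constructed setup: alice is bound to a fixed IP; bob and carol sit behind
    one NAT address (10.0.0.50); bob logs in on the portal, carol never does."""
    users = [
        LocalUser("alice", login="alice", password="pw1", ip="10.0.0.10"),
        LocalUser("bob", login="bob", password="pw2"),
    ]
    gw = Gateway(users, remember=remember)
    alice_pc = Connection("10.0.0.10", "aa:aa:aa:aa:aa:aa", vlan=10)
    bob_browser = Connection("10.0.0.50", "bb:bb:bb:bb:bb:bb", vlan=20)
    carol_pc = Connection("10.0.0.50", "cc:cc:cc:cc:cc:cc", vlan=20)
    token = gw.captive_login(bob_browser, "bob", "pw2")
    if token != "ip":
        bob_browser.cookie = token                # the browser keeps the cookie
    bob_ssh = Connection("10.0.0.50", "bb:bb:bb:bb:bb:bb", vlan=20)  # no cookie
    return {
        "alice": gw.identify(alice_pc),           # by address, no portal login
        "bob_browser": gw.identify(bob_browser),
        "bob_other_protocol": gw.identify(bob_ssh),
        "carol_behind_nat": gw.identify(carol_pc),
        "known_rule_hits_bob": rule_matches("Known", gw.identify(bob_browser)[1]),
    }


if __name__ == "__main__":
    for mode in ("ip", "cookie"):
        print(mode, scenario(mode))
```

Running `scenario("ip")` shows the NAT problem from the text: carol’s host is identified as bob because it shares his address. Running `scenario("cookie")` shows the other side of the trade-off: carol stays Unknown, but bob is identified only in the browser that holds the cookie, his non-HTTP traffic is Unknown, and a firewall rule for Known users does not match him at all.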
If you need to switch users after authorization or log out of the system, go to the URL http://logout.captive and click the “Log out” button.
This article covered creating local users, adding an LDAP connector to integrate UserGate with Microsoft Active Directory, and creating a captive portal. In the next article, I plan to look at SSL inspection and filtering of HTTP and HTTPS content.